From patchwork Tue Feb 13 02:46:57 2018
X-Patchwork-Submitter: Dmitri Toubelis
X-Patchwork-Id: 872550
From: Dmitri Toubelis To: swupdate@googlegroups.com Cc: Dmitri Toubelis Subject: [swupdate][PATCH] Add PKI certificate usage info to the docs Date: Mon, 12 Feb 2018 21:46:57 -0500 Message-Id: <1518490017-112789-1-git-send-email-dmitri.toubelis@litmusautomation.com> X-Mailer: git-send-email 2.7.4 X-Original-Sender: dmitri.toubelis@litmusautomation.com X-Original-Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of dmitri@toubelis.org designates 2620:18:6000:aaa2::130 as permitted sender) smtp.mailfrom=dmitri@toubelis.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=litmusautomation.com Precedence: list Mailing-list: list swupdate@googlegroups.com; contact swupdate+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: swupdate@googlegroups.com X-Google-Group-Id: 605343134186 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , Signed-off-by: Dmitri Toubelis --- doc/source/signed_images.rst | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/doc/source/signed_images.rst b/doc/source/signed_images.rst index debbb7f..a4c0b8e 100644 --- a/doc/source/signed_images.rst +++ b/doc/source/signed_images.rst @@ -100,12 +100,13 @@ Signing the image is very simple: openssl dgst -sha256 -sign priv.pem sw-description > sw-description.sig + Usage with certificates and CMS ------------------------------- -Generating certificates -....................... +Generating self-signed certificates +................................... :: 
@@ -118,6 +119,24 @@ the private key and it is used for signing. It is *not* delivered on the target. The target must have "mycert.cert.pem" installed - this is used by SWUpdate for verification. + +Using PKI issued certificates +............................. + +It is also possible to use PKI issued code signing certificates. However, +SWUpdate uses OpenSSL library for handling CMS signatures and the library +requires the following attributes to be set on the signing certificate: + +:: + + keyUsage=digitalSignature + extendedKeyUsage=emailProtection + +It is also possible to completelly disable signing certificate key usage +checking if this requirement cannot be satisfied. This is controlled by +`CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE` configuration option. + + How to sign with CMS .....................
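Review bot: the new "Using PKI issued certificates" paragraph overstates what OpenSSL requires, and the escape-hatch paragraph should say what it costs. OpenSSL's S/MIME-signing purpose check rejects a signer certificate only when it carries an extendedKeyUsage extension that lacks emailProtection (the usual failure with PKI code-signing certificates, which carry codeSigning instead), and when a keyUsage extension is present it accepts either digitalSignature or nonRepudiation; so "requires the following attributes to be set on the signing certificate" should read along the lines of "if the certificate has a keyUsage extension it must include digitalSignature, and if it has an extendedKeyUsage extension it must include emailProtection". In the `CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE` paragraph, add a sentence that with the purpose check disabled any certificate that otherwise verifies, whatever use it was issued for, is accepted as a signer, so the option should be a last resort rather than the default answer to a rejected certificate. Minor: "completelly" should be "completely", and "uses OpenSSL library" should be "uses the OpenSSL library".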