| 6935 |
dpurdie |
1 |
Notes on Signature Generation
|
|
|
2 |
|
|
|
3 |
The process is to generate a signature for every file in the manifest and the manifest itself.
|
|
|
4 |
The signature is held in a .sig file.
|
|
|
5 |
The format of the .sig file is Vix's.
|
|
|
6 |
The format is:
|
|
|
7 |
Line-1: The name of the certificate to verify the signature
|
|
|
8 |
Line-2: Base64 signature of the file
|
|
|
9 |
|
|
|
10 |
Security features involve:
|
|
|
11 |
* The device is provided with the certificate used to verify the siganuture
|
|
|
12 |
It will be in the manifest
|
|
|
13 |
|
|
|
14 |
* The device MUST verify the certificate
|
|
|
15 |
|
|
|
16 |
* The Root CA MUST be placed onthe device during Day-0
|
|
|
17 |
|
|
|
18 |
* The signature MUST be generated on a specail machine.
|
|
|
19 |
Its special because it has the privite key for the certificate
|
|
|
20 |
|
|
|
21 |
|
|
|
22 |
There are for files involved in the process:
|
|
|
23 |
|
|
|
24 |
VixPulseManifestRootCA.key
|
|
|
25 |
Super super secret key used to generate the Root CA
|
|
|
26 |
Only every used to create VixPulseManifestRootCA.key.crt
|
|
|
27 |
Only every used to create VixPulseManifest.crt and other certificates of the same class
|
|
|
28 |
Held in 1Password
|
|
|
29 |
|
|
|
30 |
VixPulseManifestRootCA.crt
|
|
|
31 |
Super super secret certificate used to generate the Root CA
|
|
|
32 |
Used to create VixPulseManifest.crt and other certificates of the same class
|
|
|
33 |
Used to verify VixPulseManifest.crt and other certificates of the same class
|
|
|
34 |
Installed on devices as a part of Day-0
|
|
|
35 |
Held in the package - manifest-certificates
|
|
|
36 |
Held in 1Password
|
|
|
37 |
|
|
|
38 |
VixPulseManifest.key
|
|
|
39 |
Secret key used to generate signatures over all files in the manifest and the manifest itself
|
|
|
40 |
Held in 1Password
|
|
|
41 |
Installed (manually) on a controlled build machine
|
|
|
42 |
|
|
|
43 |
VixPulseManifest.crt
|
|
|
44 |
Pulic certificate used to verify signatures created with VixPulseManifest.key
|
|
|
45 |
Installed on the devices as a part of the manifest.
|
|
|
46 |
The security involves verifying the certificate against a RootCA that was installed on the device
|
|
|
47 |
during commisioning.
|
|
|
48 |
Held in 1Password
|
|
|
49 |
Held in the package - manifest-certificates
|
|
|
50 |
|
|
|
51 |
-------------------------------------------------------------------------------
|
|
|
52 |
Generation of the RootCA and other key/certificate key pairs
|
|
|
53 |
|
|
|
54 |
The RootCA should only be generated once.
|
|
|
55 |
Other key/certificate pairs can be generated as needed.
|
|
|
56 |
|
|
|
57 |
The process for generating the RootCa is scripted - see genCerts/genRoot.sh
|
|
|
58 |
The process for generating one key/cert is scripted - see genCerts/genCert.sh
|
|
|
59 |
These scripts are provided for future reference
|
|
|
60 |
|
|
|
61 |
Process for creating another manifest certificate:
|
|
|
62 |
* Get VixPulseManifestRootCA.key / VixPulseManifestRootCA.crt from 1password
|
|
|
63 |
|
|
|
64 |
* Place in the same directory as the genCert.sh script
|
|
|
65 |
|
|
|
66 |
* Edit the genCert.sh and change the value for CLIENT_FQDN
|
|
|
67 |
It must be different to all others generated from the same CA so that
|
|
|
68 |
multiple certs can be placed in the same directory.
|
|
|
69 |
|
|
|
70 |
* Place the generated .crt file in the directory 'src/etc/manifest'
|
|
|
71 |
Place the file under version control
|
|
|
72 |
|