use ed25519

master
Volker Birk 7 months ago
parent 123a25b48f
commit b5bbad4b55
  1. 8
      format.md
  2. 2
      src/unpack.cc
  3. 14
      test/gen_testdata.sh
  4. 9
      test/test_unpack.cc
  5. 6
      utils/encrypt_distribution_archive.py

@ -5,6 +5,7 @@ files in its main directory:
- distribution archive in a file named DIST.A
- distribution key in a file named DIST.KEY
- distribution signature in a file named DIST.SIG
To use a signedpkg the user needs:
@ -39,9 +40,14 @@ The distribution key is the AES<256> key, with which the distribution archive
is encrypted using GCM<AES>. DIST.KEY contains the distribution key encrypted
with the provisioning key using RSA-OAEP.
## distribution signature
The distribution signature is the ed25519 detached signature of the
distribution archive file DIST.A using the deployment key.
## deployment key
The deployment key is an RSA keypair stored in a private key part and a BER
The deployment key is an ed25519 keypair stored in a private key part and a BER
encoded public key part.
The private key is used by the factory. The public key is used by the

@ -10,6 +10,7 @@
#include <cryptopp/oaep.h>
#include <cryptopp/osrng.h>
#include <cryptopp/eax.h>
#include <cryptopp/xed25519.h>
#ifdef WIN32
// FIXME: name collision possible
@ -182,6 +183,7 @@ namespace SignedPackage {
std::filesystem::path target_path = mktempdir();
extract_archive(pkg_path, target_path);
decrypt_distribution_archive(target_path / "DIST.A",
target_path / "DIST.KEY", provisioning_key);
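Review bot: Nothing on the visible lines of the second hunk checks DIST.SIG; after `extract_archive(pkg_path, target_path)` the code goes straight to `decrypt_distribution_archive(...)`, and the diffstat lists only two changed lines for this file, one of which is the new `<cryptopp/xed25519.h>` include. Because the signature is defined over the encrypted DIST.A, the ed25519 check against the deployment public key belongs before decryption, and a missing DIST.SIG should be treated as a failure rather than skipped. The enclosing function starts and ends outside the hunk, so the check may already exist there. If it does not, a marker such as `// TODO: verify DIST.SIG over DIST.A with the deployment public key before decrypting` would at least record the gap.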

@ -1,6 +1,6 @@
#!/bin/bash
gen_keypair()
gen_rsa_keypair()
{
openssl genrsa -out $1.pem 3072
openssl pkcs8 -nocrypt -in $1.pem -inform PEM -topk8 -outform DER -out $1.der
@ -8,10 +8,16 @@ gen_keypair()
openssl rsa -in $1.pem -pubout -outform DER -out $1-pub.der
}
gen_ed25519_keypair()
{
openssl genpkey -algorithm ED25519 -outform DER -out $1.der
openssl pkey -in $1.der -inform DER -pubout -outform DER -out $1-pub.der
}
# generate deployment key and provisioning key
gen_keypair deployment_key
gen_keypair provisioning_key
gen_ed25519_keypair deployment_key
gen_rsa_keypair provisioning_key
# generate archive with test data
@ -27,4 +33,4 @@ zip -r DIST.AD PER_USER_DIRECTORY
# gen sample package
zip pEp.ppk DIST.A DIST.KEY
zip pEp.ppk DIST.A DIST.KEY DIST.SIG
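Review bot: In the new `gen_ed25519_keypair`, `$1` is expanded unquoted, so a key name containing spaces or glob characters would be split or expanded before openssl sees it. Quoting it costs nothing: `openssl genpkey -algorithm ED25519 -outform DER -out "$1.der"` and `openssl pkey -in "$1.der" -inform DER -pubout -outform DER -out "$1-pub.der"`. The same applies to the context lines of `gen_rsa_keypair`. A one-line comment above the function saying that the private key is written unencrypted and is meant for test data only would keep these files from being mistaken for real deployment keys.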

@ -1,6 +1,7 @@
#include <iostream>
#include "../src/unpack.hh"
#include <cryptopp/files.h>
#include <cryptopp/xed25519.h>
void Load(const std::string& filename, CryptoPP::BufferedTransformation& bt)
{
@ -10,7 +11,7 @@ void Load(const std::string& filename, CryptoPP::BufferedTransformation& bt)
bt.MessageEnd();
}
void LoadPublicKey(const std::string& filename, CryptoPP::PublicKey& key)
void LoadPrivateKey(const std::string& filename, CryptoPP::PrivateKey& key)
{
CryptoPP::ByteQueue queue;
Load(filename, queue);
@ -18,7 +19,7 @@ void LoadPublicKey(const std::string& filename, CryptoPP::PublicKey& key)
key.Load(queue);
}
void LoadPrivateKey(const std::string& filename, CryptoPP::PrivateKey& key)
void LoadPublicKey(const std::string& filename, CryptoPP::PublicKey& key)
{
CryptoPP::ByteQueue queue;
Load(filename, queue);
@ -78,7 +79,7 @@ void test_extract_deployment_archive()
{
std::cout << "\n*** test: extract_deployment_archive()\n\n";
CryptoPP::RSA::PublicKey deployment_key;
CryptoPP::ed25519PublicKey deployment_key;
LoadPublicKey("deployment_key-pub.der", deployment_key);
CryptoPP::RSA::PrivateKey provisioning_key;
@ -96,7 +97,7 @@ void test_install_if_location_empty()
{
std::cout << "\n*** test: install_if_location_empty()\n\n";
CryptoPP::RSA::PublicKey deployment_key;
CryptoPP::ed25519PublicKey deployment_key;
LoadPublicKey("deployment_key-pub.der", deployment_key);
CryptoPP::RSA::PrivateKey provisioning_key;
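Review bot: No negative case accompanies the switch to ed25519. The changes visible in this file are the added include, the swapped order of `LoadPrivateKey`/`LoadPublicKey`, and the `CryptoPP::ed25519PublicKey deployment_key;` declarations in `test_extract_deployment_archive` and `test_install_if_location_empty`. A test that feeds a package with a modified DIST.A or DIST.SIG and expects rejection, plus one with DIST.SIG absent, would show that the signature is enforced rather than merely shipped. Both test bodies continue outside the hunks, so existing assertions are not visible here.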

@ -8,6 +8,7 @@ from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
parser = argparse.ArgumentParser(description='encrypt distribution archive'
' using provisioning key to encrypt and deployment key to sign')
@ -52,3 +53,8 @@ distribution_archive = None
with open('DIST.A', 'wb') as encrypted_archive_file:
encrypted_archive_file.write(nonce)
encrypted_archive_file.write(encrypted_archive)
signature = deployment_key.sign(encrypted_archive)
with open('DIST.SIG', 'wb') as signature_file:
signature_file.write(signature)
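Review bot: The signature at `deployment_key.sign(encrypted_archive)` covers only the ciphertext, while the DIST.A written just above holds the nonce followed by the ciphertext, and format.md in this commit defines the signature as being over the file DIST.A. A verifier that follows the spec and checks the signature over the file bytes would reject every package, and one that matches this script has to strip the nonce first. Signing exactly what is written keeps the two in agreement: `signature = deployment_key.sign(nonce + encrypted_archive)`. The code that loads `deployment_key` is outside the hunk, so it is not visible whether it now requires an `Ed25519PrivateKey`; an RSA key object would need padding and hash arguments to `sign`.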
