
Commit 5a0ac2f

committed
sign: Support x509 signature type
The current "ed25519" signing type assumes raw Ed25519 key format for both public and private keys. That requires custom processing of keys after they are generated with openssl tools, and also lacks cryptographic agility[1]; when Ed25519 becomes vulnerable, it would not be straightforward to migrate to other algorithms. This patch adds a new signature type "x509" that uses the key formats natively supported by OpenSSL (PKCS#8 and SubjectPublicKeyInfo), which are capable of embedding an algorithm identifier in an X.509 format, while support for the original key format is preserved for backward compatibility. As a PoC of the feature, this adds a couple of new tests using Ed448, instead of Ed25519, in tests/test-signed-commit.sh. 1. https://en.wikipedia.org/wiki/Cryptographic_agility Signed-off-by: Daiki Ueno <dueno@redhat.com>
1 parent 97fdd9c commit 5a0ac2f

16 files changed

+1112
-59
lines changed

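--- a/Makefile-libostree.am
+++ b/Makefile-libostree.am
@@ -262,6 +262,8 @@ libostree_1_la_SOURCES += \
 src/libostree/ostree-sign-ed25519.c \
 src/libostree/ostree-sign-ed25519.h \
 src/libostree/ostree-sign-private.h \
+src/libostree/ostree-sign-x509.c \
+src/libostree/ostree-sign-x509.h \
 $(NULL)
 
 if USE_COMPOSEFS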

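--- a/Makefile-otcore.am
+++ b/Makefile-otcore.am
@@ -19,6 +19,7 @@ libotcore_la_SOURCES = \
 src/libotcore/otcore.h \
 src/libotcore/otcore-ed25519-verify.c \
 src/libotcore/otcore-prepare-root.c \
+src/libotcore/otcore-x509-verify.c \
 $(NULL)
 
 libotcore_la_CFLAGS = $(AM_CFLAGS) -I$(srcdir)/libglnx -I$(srcdir)/src/libotutil -DLOCALEDIR=\"$(datadir)/locale\" $(OT_INTERNAL_GIO_UNIX_CFLAGS) $(OT_INTERNAL_GPGME_CFLAGS) $(OT_DEP_CRYPTO_LIBS) $(LIBSYSTEMD_CFLAGS)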

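--- a/Makefile-tests.am
+++ b/Makefile-tests.am
@@ -155,12 +155,24 @@ _installed_or_uninstalled_test_scripts = \
 tests/test-summary-collections.sh \
 tests/test-pull-collections.sh \
 tests/test-config.sh \
-tests/test-signed-commit.sh \
+tests/test-signed-commit-dummy.sh \
 tests/test-signed-pull.sh \
 tests/test-pre-signed-pull.sh \
 tests/test-signed-pull-summary.sh \
 $(NULL)
 
+if HAVE_ED25519
+_installed_or_uninstalled_test_scripts += \
+tests/test-signed-commit-ed25519.sh \
+$(NULL)
+endif
+
+if HAVE_X509
+_installed_or_uninstalled_test_scripts += \
+tests/test-signed-commit-x509.sh \
+$(NULL)
+endif
+
 if USE_GPGME
 _installed_or_uninstalled_test_scripts += \
 tests/test-remote-gpg-import.sh \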

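--- a/configure.ac
+++ b/configure.ac
@@ -452,10 +452,19 @@ if test x$with_openssl != xno; then OSTREE_FEATURES="$OSTREE_FEATURES openssl";
 AM_CONDITIONAL(USE_OPENSSL, test $with_openssl != no)
 dnl end openssl
 
-if test x$with_openssl != xno || test x$with_ed25519_libsodium != xno; then
+AM_CONDITIONAL([HAVE_ED25519], [test x$with_openssl != xno || test x$with_ed25519_libsodium != xno])
+
+AM_COND_IF([HAVE_ED25519], [
 AC_DEFINE([HAVE_ED25519], 1, [Define if ed25519 is supported ])
 OSTREE_FEATURES="$OSTREE_FEATURES sign-ed25519"
-fi
+])
+
+AM_CONDITIONAL([HAVE_X509], [test x$with_openssl != xno])
+
+AM_COND_IF([HAVE_X509], [
+AC_DEFINE([HAVE_X509], 1, [Define if x509 is supported ])
+OSTREE_FEATURES="$OSTREE_FEATURES sign-x509"
+])
 
 dnl begin gnutls; in contrast to openssl this one only
 dnl supports --with-crypto=gnutls
@@ -697,7 +706,7 @@ echo "
 systemd: $with_libsystemd
 libmount: $with_libmount
 libsodium (ed25519 signatures): $with_ed25519_libsodium
-openssl (ed25519 signatures): $with_openssl
+openssl (ed25519 and x509 signatures): $with_openssl
 libarchive (parse tar files directly): $with_libarchive
 static deltas: yes (always enabled now)
 O_TMPFILE: $enable_otmpfile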
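Review bot: The help string on the new `AC_DEFINE([HAVE_X509], 1, [Define if x509 is supported ])` in the first hunk does not say what "x509" covers, and the same goes for the summary line `openssl (ed25519 and x509 signatures)` in the second hunk. As far as the commit description and the man page changes show, this signature type takes bare PKCS#8 / SubjectPublicKeyInfo keys, so a packager reading config.h or the feature list could assume certificate-chain or expiry checking that the option does not promise. I would word it `AC_DEFINE([HAVE_X509], 1, [Define if the x509 (PKCS#8/SubjectPublicKeyInfo key) signature type is supported])`. Separately, `HAVE_X509` is enabled for any build where `$with_openssl` is not `no`; whether the OpenSSL version check elsewhere in configure.ac is recent enough for the Ed448 keys the new tests use is not visible in these hunks and is worth confirming.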

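--- a/man/ostree-sign.xml
+++ b/man/ostree-sign.xml
@@ -64,24 +64,24 @@ License along with this library. If not, see <https://www.gnu.org/licenses/>.
 </para>
 
 <para>
-There are several "well-known" system places for `ed25519` trusted and revoked public keys -- expected single <literal>base64</literal>-encoded key per line.
+For `ed25519` and `x509`, there are several "well-known" system places trusted and revoked public keys -- expected single <literal>base64</literal>-encoded key per line.
 </para>
 
 <para>Files:
 <itemizedlist>
-<listitem><para><filename>/etc/ostree/trusted.ed25519</filename></para></listitem>
-<listitem><para><filename>/etc/ostree/revoked.ed25519</filename></para></listitem>
-<listitem><para><filename>/usr/share/ostree/trusted.ed25519</filename></para></listitem>
-<listitem><para><filename>/usr/share/ostree/revoked.ed25519</filename></para></listitem>
+<listitem><para><filename>/etc/ostree/trusted.<replaceable>SIGN-TYPE</replaceable></filename></para></listitem>
+<listitem><para><filename>/etc/ostree/revoked.<replaceable>SIGN-TYPE</replaceable></filename></para></listitem>
+<listitem><para><filename>/usr/share/ostree/trusted.<replaceable>SIGN-TYPE</replaceable></filename></para></listitem>
+<listitem><para><filename>/usr/share/ostree/revoked.<replaceable>SIGN-TYPE</replaceable></filename></para></listitem>
 </itemizedlist>
 </para>
 
 <para>Directories containing files with keys:
 <itemizedlist>
-<listitem><para><filename>/etc/ostree/trusted.ed25519.d</filename></para></listitem>
-<listitem><para><filename>/etc/ostree/revoked.ed25519.d</filename></para></listitem>
-<listitem><para><filename>/usr/share/ostree/trusted.ed25519.d</filename></para></listitem>
-<listitem><para><filename>/usr/share/ostree/rvokeded.ed25519.d</filename></para></listitem>
+<listitem><para><filename>/etc/ostree/trusted.<replaceable>SIGN-TYPE</replaceable>.d</filename></para></listitem>
+<listitem><para><filename>/etc/ostree/revoked.<replaceable>SIGN-TYPE</replaceable>.d</filename></para></listitem>
+<listitem><para><filename>/usr/share/ostree/trusted.<replaceable>SIGN-TYPE</replaceable>.d</filename></para></listitem>
+<listitem><para><filename>/usr/share/ostree/revoked.<replaceable>SIGN-TYPE</replaceable>.d</filename></para></listitem>
 </itemizedlist>
 </para>
 </refsect1>
@@ -95,7 +95,7 @@ License along with this library. If not, see <https://www.gnu.org/licenses/>.
 <listitem><para>
 <variablelist>
 <varlistentry>
-<term><option>for ed25519:</option></term>
+<term><option>for ed25519 and x509:</option></term>
 <listitem><para>
 <literal>base64</literal>-encoded secret (for signing) or public key (for verifying).
 </para></listitem>
@@ -120,7 +120,7 @@ License along with this library. If not, see <https://www.gnu.org/licenses/>.
 <term><option>-s, --sign-type</option></term>
 <listitem><para>
 Use particular signature mechanism. Currently
-available <arg choice="plain">ed25519</arg> and <arg choice="plain">dummy</arg>
+available <arg choice="plain">ed25519</arg>, <arg choice="plain">x509</arg>, and <arg choice="plain">dummy</arg>
 signature types.
 
 The default is <arg choice="plain">ed25519</arg>.
@@ -133,8 +133,8 @@ License along with this library. If not, see <https://www.gnu.org/licenses/>.
 </para></listitem>
 
 <listitem><para>
-Valid for <literal>ed25519</literal> signature type.
-For <literal>ed25519</literal> this file must contain <literal>base64</literal>-encoded
+Valid for <literal>ed25519</literal> and <literal>x509</literal> signature types.
+This file must contain <literal>base64</literal>-encoded
 secret key(s) (for signing) or public key(s) (for verifying) per line.
 </para></listitem>
 </varlistentry>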
</varlistentry>

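--- a/rust-bindings/sys/tests/constant.c
+++ b/rust-bindings/sys/tests/constant.c
@@ -157,6 +157,7 @@ main ()
 PRINT_CONSTANT (OSTREE_SHA256_DIGEST_LEN);
 PRINT_CONSTANT (OSTREE_SHA256_STRING_LEN);
 PRINT_CONSTANT (OSTREE_SIGN_NAME_ED25519);
+PRINT_CONSTANT (OSTREE_SIGN_NAME_X509);
 PRINT_CONSTANT ((gint)OSTREE_STATIC_DELTA_GENERATE_OPT_LOWLATENCY);
 PRINT_CONSTANT ((gint)OSTREE_STATIC_DELTA_GENERATE_OPT_MAJOR);
 PRINT_CONSTANT ((gint)OSTREE_STATIC_DELTA_INDEX_FLAGS_NONE);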
