From a6ab8e497da7e6b705ef5149343c0063a58fa219 Mon Sep 17 00:00:00 2001 From: zoracon Date: Thu, 1 Jul 2021 11:33:42 -0700 Subject: [PATCH 1/5] Smart card signing with RSA 2048 Certificate - generated on Slot 9c (digital signature) - Hash SHA256 --- utils/sign-rulesets/smartcard-sign.sh | 41 +++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100755 utils/sign-rulesets/smartcard-sign.sh diff --git a/utils/sign-rulesets/smartcard-sign.sh b/utils/sign-rulesets/smartcard-sign.sh new file mode 100755 index 000000000000..ad895b720ab1 --- /dev/null +++ b/utils/sign-rulesets/smartcard-sign.sh @@ -0,0 +1,41 @@ +#!/bin/bash + +# For PIV-Compliant Smart Card Distributed Signing + # AppImage for Yubikey Manager + # `sudo apt install opensc` + # `sudo apt-get install ykcs11` +# Change the default PIN and PUK. +# Once configured, you can now generate a public / private key pair. +# Generate the pair on slot 9c (Digital Signature) and export pem file +# To generate public key file: +# openssl x509 -in cert.pem -pubkey -noout > pubkey.pem +# ./utils/sign-rulesets/smartcard.sh pubkey.pem ~/[...]/https-rulesets/app/files/v1 + +set -e + +if [ $# -ne 2 ]; then + echo "Usage: $0 public_key_file output_path" + exit +fi + +RULESETS_FILE=rules/default.rulesets + +mkdir -p $2 +TIMESTAMP=`date +%s` +REFERENCE=`git rev-parse HEAD` +echo "{ \"timestamp\": $TIMESTAMP, \"reference\": \"$REFERENCE\", \"rulesets\":" "`cat $RULESETS_FILE`" "}" | tr -d '\n' | gzip -nc > $2/default.rulesets.$TIMESTAMP.gz + +echo 'Hash for signing: ' +sha256sum $2/default.rulesets.$TIMESTAMP.gz | cut -f1 -d' ' + +openssl dgst -sha256 -binary $2/default.rulesets.$TIMESTAMP.gz > $2/default.rulesets.$TIMESTAMP.sha256 + +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so --sign --id 2 -m RSA-PKCS-PSS --mgf MGF1-SHA256 --hash-algorithm SHA256 --salt-len 32 -i $2/default.rulesets.$TIMESTAMP.sha256 -o $2/rulesets-signature.$TIMESTAMP.sha256 + +openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -verify pubkey.pem -signature $2/rulesets-signature.$TIMESTAMP.sha256 $2/default.rulesets.$TIMESTAMP.gz + +echo $TIMESTAMP > $2/latest-rulesets-timestamp + +echo "Rulesets signed and verified" + +rm $2/default.rulesets.$TIMESTAMP.sha256 \ No newline at end of file From 201209725af4a905589936d64e3eee138cbafe1c Mon Sep 17 00:00:00 2001 From: Alexis Date: Fri, 6 Aug 2021 13:58:33 -0700 Subject: [PATCH 2/5] Update smartcard-sign.sh --- utils/sign-rulesets/smartcard-sign.sh | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/utils/sign-rulesets/smartcard-sign.sh b/utils/sign-rulesets/smartcard-sign.sh index ad895b720ab1..5510e8262db2 100755 --- a/utils/sign-rulesets/smartcard-sign.sh +++ b/utils/sign-rulesets/smartcard-sign.sh @@ -9,33 +9,34 @@ # Generate the pair on slot 9c (Digital Signature) and export pem file # To generate public key file: # openssl x509 -in cert.pem -pubkey -noout > pubkey.pem -# ./utils/sign-rulesets/smartcard.sh pubkey.pem ~/[...]/https-rulesets/app/files/v1 +# Usage +# ./utils/sign-rulesets/smartcard.sh ~/[...]/https-rulesets/app/files/v1 set -e if [ $# -ne 2 ]; then - echo "Usage: $0 public_key_file output_path" + echo "Usage: $0 output_path" exit fi RULESETS_FILE=rules/default.rulesets -mkdir -p $2 +mkdir -p $1 TIMESTAMP=`date +%s` REFERENCE=`git rev-parse HEAD` -echo "{ \"timestamp\": $TIMESTAMP, \"reference\": \"$REFERENCE\", \"rulesets\":" "`cat $RULESETS_FILE`" "}" | tr -d '\n' | gzip -nc > $2/default.rulesets.$TIMESTAMP.gz +echo "{ \"timestamp\": $TIMESTAMP, \"reference\": \"$REFERENCE\", \"rulesets\":" "`cat $RULESETS_FILE`" "}" | tr -d '\n' | gzip -nc > $1/default.rulesets.$TIMESTAMP.gz echo 'Hash for signing: ' -sha256sum $2/default.rulesets.$TIMESTAMP.gz | cut -f1 -d' ' +sha256sum $1/default.rulesets.$TIMESTAMP.gz | cut -f1 -d' ' -openssl dgst -sha256 -binary $2/default.rulesets.$TIMESTAMP.gz > $2/default.rulesets.$TIMESTAMP.sha256 +openssl dgst -sha256 -binary $2/default.rulesets.$TIMESTAMP.gz > $1/default.rulesets.$TIMESTAMP.sha256 -pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so --sign --id 2 -m RSA-PKCS-PSS --mgf MGF1-SHA256 --hash-algorithm SHA256 --salt-len 32 -i $2/default.rulesets.$TIMESTAMP.sha256 -o $2/rulesets-signature.$TIMESTAMP.sha256 +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so --sign --id 2 -m RSA-PKCS-PSS --mgf MGF1-SHA256 --hash-algorithm SHA256 --salt-len 32 -i $1/default.rulesets.$TIMESTAMP.sha256 -o $2/rulesets-signature.$TIMESTAMP.sha256 -openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -verify pubkey.pem -signature $2/rulesets-signature.$TIMESTAMP.sha256 $2/default.rulesets.$TIMESTAMP.gz +openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -verify pubkey.pem -signature $1/rulesets-signature.$TIMESTAMP.sha256 $1/default.rulesets.$TIMESTAMP.gz -echo $TIMESTAMP > $2/latest-rulesets-timestamp +echo $TIMESTAMP > $1/latest-rulesets-timestamp echo "Rulesets signed and verified" -rm $2/default.rulesets.$TIMESTAMP.sha256 \ No newline at end of file +rm $1/default.rulesets.$TIMESTAMP.sha256 From a27b984f43f223b3dc56cdddbfbd69517daa8c76 Mon Sep 17 00:00:00 2001 From: Alexis Date: Fri, 6 Aug 2021 13:59:20 -0700 Subject: [PATCH 3/5] Update smartcard-sign.sh --- utils/sign-rulesets/smartcard-sign.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/sign-rulesets/smartcard-sign.sh b/utils/sign-rulesets/smartcard-sign.sh index 5510e8262db2..61d437974601 100755 --- a/utils/sign-rulesets/smartcard-sign.sh +++ b/utils/sign-rulesets/smartcard-sign.sh @@ -14,7 +14,7 @@ set -e -if [ $# -ne 2 ]; then +if [ $# -ne 1 ]; then echo "Usage: $0 output_path" exit fi From 4ac57968958e3096bc0760b7511548ce0c07e31d Mon Sep 17 00:00:00 2001 From: Alexis Date: Fri, 6 Aug 2021 14:00:21 -0700 Subject: [PATCH 4/5] Update smartcard-sign.sh --- utils/sign-rulesets/smartcard-sign.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/sign-rulesets/smartcard-sign.sh b/utils/sign-rulesets/smartcard-sign.sh index 61d437974601..f324bba0de12 100755 --- a/utils/sign-rulesets/smartcard-sign.sh +++ b/utils/sign-rulesets/smartcard-sign.sh @@ -31,7 +31,7 @@ sha256sum $1/default.rulesets.$TIMESTAMP.gz | cut -f1 -d' ' openssl dgst -sha256 -binary $2/default.rulesets.$TIMESTAMP.gz > $1/default.rulesets.$TIMESTAMP.sha256 -pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so --sign --id 2 -m RSA-PKCS-PSS --mgf MGF1-SHA256 --hash-algorithm SHA256 --salt-len 32 -i $1/default.rulesets.$TIMESTAMP.sha256 -o $2/rulesets-signature.$TIMESTAMP.sha256 +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so --sign --id 2 -m RSA-PKCS-PSS --mgf MGF1-SHA256 --hash-algorithm SHA256 --salt-len 32 -i $1/default.rulesets.$TIMESTAMP.sha256 -o $1/rulesets-signature.$TIMESTAMP.sha256 openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -verify pubkey.pem -signature $1/rulesets-signature.$TIMESTAMP.sha256 $1/default.rulesets.$TIMESTAMP.gz From adb9a14397a38d1bea73c26574b57c0c3744e634 Mon Sep 17 00:00:00 2001 From: Alexis Date: Sun, 29 Aug 2021 12:12:39 -0700 Subject: [PATCH 5/5] Update smartcard-sign.sh --- utils/sign-rulesets/smartcard-sign.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils/sign-rulesets/smartcard-sign.sh b/utils/sign-rulesets/smartcard-sign.sh index f324bba0de12..40dd039258ee 100755 --- a/utils/sign-rulesets/smartcard-sign.sh +++ b/utils/sign-rulesets/smartcard-sign.sh @@ -29,7 +29,7 @@ echo "{ \"timestamp\": $TIMESTAMP, \"reference\": \"$REFERENCE\", \"rulesets\":" echo 'Hash for signing: ' sha256sum $1/default.rulesets.$TIMESTAMP.gz | cut -f1 -d' ' -openssl dgst -sha256 -binary $2/default.rulesets.$TIMESTAMP.gz > $1/default.rulesets.$TIMESTAMP.sha256 +openssl dgst -sha256 -binary $1/default.rulesets.$TIMESTAMP.gz > $1/default.rulesets.$TIMESTAMP.sha256 pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so --sign --id 2 -m RSA-PKCS-PSS --mgf MGF1-SHA256 --hash-algorithm SHA256 --salt-len 32 -i $1/default.rulesets.$TIMESTAMP.sha256 -o $1/rulesets-signature.$TIMESTAMP.sha256