Skip to content

Latest commit

 

History

History
101 lines (82 loc) · 3.42 KB

README.md

File metadata and controls

101 lines (82 loc) · 3.42 KB
Raw

RSA Signing

This signer implements RSA PSS and PKCS1.5 signing. It accepts SHA1 and SHA256 hashes on /sign/hash and data to be hashed on /sign/data.

Example Usage:

# hash your input data
$ echo foo | sha256sum -b | cut -d ' ' -f 1 | xxd -r -p | base64
tbudgBSg+bHWHiHnlteNzN8TUvI80ygS9IULh4rklEw=

# request a signature using the autograph client
$ go run client.go -D -a "tbudgBSg+bHWHiHnlteNzN8TUvI80ygS9IULh4rklEw=" \
  -k dummyrsa -o /tmp/sig.bin -ko /tmp/pub.key

# format /tmp/pub.key to PEM (fold lines to 64 and add header and footer)
$ (echo '-----BEGIN PUBLIC KEY-----'; cat /tmp/pub.key |fold -w 64; echo;echo '-----END PUBLIC KEY-----') > /tmp/pub.pem

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtEM/Vdfd4Vl9wmeVdCYu
WYnQl0Zc9RW5hLE4hFA+c277qanE8XCK+ap/c5so87XngLLfacB3zZhGxIOut/4S
lEBOAUmVNCfnTO+YkRk3A8OyJ4XNqdn+/ov78ZbssGf+0zws2BcwZYwhtuTvro3y
i62FQ7T1TpT5VjljH7sHW/iZnS/RKiY4DwqAN799gkB+Gwovtroabh2w5OX0P+PY
yUbJLFQeo5uiAQ8cAXTlHqCkj11GYgU4ttVDuFGotKRyaRn1F+yKxE4LQcAULx7s
0KzvS35mNU+MoywLWjy9a4TcjK0nq+BjspKX4UkNwVstvH18hQWun7E+dxTi59cR
mwIDAQAB
-----END PUBLIC KEY-----

# verify the signature with openssl
$ openssl pkeyutl -verify \
-in /tmp/inputhash.bin \
-sigfile /tmp/sig.bin \
-inkey /tmp/pub.pem -pubin -keyform PEM \
-pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:-1 -pkeyopt digest:sha1

Signature Verified Successfully

Configuration

Requires PEM encoded public and private RSA keys.

NB: if the publickey does not match the private key the monitor will break.

For example:

signers:
- id: some-rsa-key
  type: genericrsa
  mode: pss
  hash: sha256
  saltlength: -1
  privatekey: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAtEM/Vdfd4Vl9wmeVdCYuWYnQl0Zc9RW5hLE4hFA+c277qanE
    ...
    TDd4Me4PP+sTZeJ3RKvArDiMzEncDeMGZZnd4dBdi3LjzCNGTANAGw==
    -----END RSA PRIVATE KEY-----
  publickey: |
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtEM/Vdfd4Vl9wmeVdCYu
    ...
    mwIDAQAB
    -----END PUBLIC KEY-----

Where:

Both Hash and SaltLength are returned in the signature response so clients know how signing was performed and can pass those options to their verification logic.

Signature response

Returns base64-encoded public key (DER) and signature (hex). The public key is from the config.

[
  {
    "ref": "29cfra8jxug9r3mzjapmlbjlp5",
    "type": "genericrsa",
    "mode": "pss",
    "signer_id": "dummy-rsa",
    "public_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtEM/Vdfd4Vl9wmeVdCYuWYnQl0Zc9RW5hLE4hFA+c277qanE8XCK+ap/c5so87XngLLfacB3zZhGxIOut/4SlEBOAUmVNCfnTO+YkRk3A8OyJ4XNqdn+/ov78ZbssGf+0zws2BcwZYwhtuTvro3yi62FQ7T1TpT5VjljH7sHW/iZnS/RKiY4DwqAN799gkB+Gwovtroabh2w5OX0P+PYyUbJLFQeo5uiAQ8cAXTlHqCkj11GYgU4ttVDuFGotKRyaRn1F+yKxE4LQcAULx7s0KzvS35mNU+MoywLWjy9a4TcjK0nq+BjspKX4UkNwVstvH18hQWun7E+dxTi59cRmwIDAQAB",
    "signature": "S81qc/poBLToOIXVd8eOS6/CxXdhdsM/0Uz0q4cJWdmSKf9Iv8Eboz94xfuMgl81ybtPrEWDuZRLgY1qr4GxhShwa1Yb7rBtGxyJlseYfstnf24T7B6s4aeW3Zo5lfF2SCONbI0hLSHHyFzPPsnCHxvA2Ji5F+vDeBLpSrXhFn+mn14AGhz6smtU4k/iLPrfhocvBGscZv+7h7PI0vPs3MEckVZeSP8i0CkK4ev1QV88wrIa8estHCbiT4STu5zBHYb0LkkowEyCMW0KrQu5M2HO8yL4SSK9LHNR4WOS8BxBvKIXjmG5bjcH+g0gEK0RFSuJ3sLCNoRETGhRykufJA==",
    "signer_opts": {
      "SaltLength": -1,
      "Hash": 5
    }
  }
]