summaryrefslogtreecommitdiffstats
path: root/ui
diff options
context:
space:
mode:
authorBrett Grandbois <brett.grandbois@opengear.com>2018-05-15 10:55:49 +1000
committerSamuel Mendoza-Jonas <sam@mendozajonas.com>2018-05-30 14:23:39 +1000
commit8b214b9d1c51f49d977e93b66378ed4f73790c8b (patch)
tree94bdcbd19c82e7d45a970e7cf6c80a2b20627f8d /ui
parentb1234ac9dd09c9ceaf929c9d4d738fd556525291 (diff)
downloadtalos-petitboot-8b214b9d1c51f49d977e93b66378ed4f73790c8b.tar.gz
talos-petitboot-8b214b9d1c51f49d977e93b66378ed4f73790c8b.zip
lib/security: add in openssl support
Refactor to export a generic API rather than specific gpg_ prefixes by changing gpg.h to security.h and renaming some of the exports. Break out the common and specific functionality into common.c and none.c/gpg.c/openssl.c for no/gpgme/openssl modes respectively. gpgme should work as before OpenSSL support works like this: The pb-lockdown file is a PKCS12 file or X509 certificate or PEM-encoded raw public key. To follow the current conventions the presence of a PKCS12 file as a lockdown signals decrypt mode because of the presence of the private key, anything else signals signature verification mode. The keyring path is currently ignored but in the future could be used to point to an X509 certificate chain for validity checking. Because of this self-signed certificates are currently supported and really just used as a public key container. Signature verification mode supports: * Cryptographic Message Syntax (CMS) as detached S/MIME, this is really more for consistency for the encryption mode (see below). This mode requires the lockdown file to be an X509 certificate. A sample creation command would be: openssl cms -sign -in (infile) -out (outfile) -binary -nocerts \ -inkey (private key) -signer (recipient certificate) * Raw signature digest as output from openssl dgst -sign command. This mode can have the lockdown file be an X509 certificate or a PEM raw public key but the digest algorithm must be pre-defined by the VERIFY_DIGEST configure argument. The default is SHA256. A sample creation command would be: openssl dgst -sign (private key) -out (outfile) -(digest mode) \ (infile) Decryption mode supports: * CMS signed-envelope as attached S/MIME. This is for consistency with the current expectation of no external file for decryption. Some future enhancement could be to come up with some proprietary external file format containing the cipher used, the encrypted cipher key, and the IV (if necessary). A sample creation command would be: openssl cms -sign -in (infile) -signer (recipient certificate) \ -binary -nocerts -nodetach -inkey (private key) | \ openssl cms -encrypt -(cipher mode) -out (outfile) \ (recipient certificate) The PKCS12 file is expecting the private key to have password of NULL or "" as there is currently no mechanism to supply a custom one. Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com> Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Diffstat (limited to 'ui')
0 files changed, 0 insertions, 0 deletions
OpenPOWER on IntegriCloud