Context Navigation

source: flexoentity/org/certificates.org@ d7499ca

Last change on this file since d7499ca was d7499ca, checked in by Enrico Schwass <ennoausberlin@…>, 7 weeks ago
Signature support for Linux and MacOS added
Property mode set to `100644`
File size: 4.3 KB

Line
1	* Flex-O Cross-Platform Signing System
2
3	This document defines how Flex-O performs cryptographic signing across Linux, Windows, and macOS using a single interoperable workflow.
4
5	** Requirements
6
7	- PKCS#7 / CMS signatures
8	- RSA-4096
9	- DER output format (Windows/macOS native)
10	- No Python crypto libraries
11	- OS-native signing tooling
12
13	* 1. Key and Certificate Creation (Universal)
14
15	** 1.1 Generate a private key (recommended: RSA-4096)
16
17	#+begin_src bash
18	openssl genrsa -out mykey.pem 4096
19	#+end_src
20
21	** 1.2 Generate an X.509 certificate
22
23	#+begin_src bash
24	openssl req -new -x509 -key mykey.pem -out mycert.pem -days 3650 -sha256
25	#+end_src
26
27	Result:
28	- mykey.pem → private key
29	- mycert.pem → certificate (public key)
30
31	* 2. Import Certificates into Each Platform
32
33	** 2.1 Linux
34
35	No import required. Use PEM files directly.
36
37	** 2.2 Windows (PKCS#12 required)
38
39	Create PKCS#12 bundle:
40
41	#+begin_src bash
42	openssl pkcs12 -export -out flexo.pfx -inkey mykey.pem -in mycert.pem
43	#+end_src
44
45	Import into user certificate store:
46
47	#+begin_src bash
48	certutil -user -p PASSWORD -importpfx flexo.pfx
49	#+end_src
50
51	** 2.3 macOS (PKCS#12)
52
53	#+begin_src bash
54	openssl pkcs12 -export -out flexo.p12 -inkey mykey.pem -in mycert.pem
55	#+end_src
56
57	Import:
58
59	#+begin_src bash
60	security import flexo.p12 -k ~/Library/Keychains/login.keychain-db
61	#+end_src
62
63
64	* 3. Cross-Platform Signing Commands
65
66	** 3.1 Linux (OpenSSL CMS / DER)
67
68	#+begin_src bash
69	openssl cms -sign \
70	-binary \
71	-in data.txt \
72	-signer mycert.pem \
73	-inkey mykey.pem \
74	-outform DER \
75	-out signature.p7s
76	#+end_src
77
78	** 3.2 Windows (certutil)
79
80	#+begin_src bash
81	certutil -sign data.txt signature.p7s
82	#+end_src
83
84	** 3.3 macOS (`security cms`)
85
86	#+begin_src bash
87	security cms -S \
88	-N "Common Name of Cert" \
89	-i data.txt \
90	-o signature.p7s
91	#+end_src
92
93	All three platforms produce binary DER PKCS#7 signatures.
94
95	* 4. Cross-Platform Verification
96
97	** 4.1 Linux (OpenSSL)
98
99	#+begin_src bash
100	openssl cms -verify \
101	-in signature.p7s \
102	-inform DER \
103	-content data.txt \
104	-CAfile mycert.pem \
105	-purpose any \
106	-out /dev/null
107	#+end_src
108
109	** 4.2 Windows
110
111	#+begin_src bash
112	certutil -verify signature.p7s data.txt
113	#+end_src
114
115	** 4.3 macOS
116
117	#+begin_src bash
118	security cms -D -i signature.p7s > verified.txt
119	#+end_src
120
121	* 5. Flex-O Signing Specification
122
123	** 5.1 Key Requirements
124	- RSA-4096
125	- X.509 certificate
126	- Valid for ≥ 10 years
127
128	** 5.2 Signature Format Requirements
129	- PKCS#7/CMS
130	- Binary DER form
131	- Signing certificate must be embedded
132
133	** 5.3 Verification Requirements
134	- Must work with OpenSSL CMS
135	- No dependency on OS certificate stores
136	- Must accept DER PKCS#7 signatures
137
138	** 5.4 Flex-O Signature Entity Schema
139	Required fields:
140	- signed_entity: FlexOID
141	- signer_id: UUID
142	- signature_data: base64(PKCS7 DER blob)
143	- signature_type: "PKCS7-DER"
144	- certificate_thumbprint: SHA-1 thumbprint
145	- comment: optional
146
147	** 5.5 Security Assumptions
148	- Flex-O never stores private keys
149	- OS handles private key protection
150	- Only public certificates embedded in signatures
151
152	* 6. Refer to certificates
153
154	** Linux
155
156	#+BEGIN_SRC python
157	cert_ref = CertificateReference(
158	platform="LINUX",
159	identifier="/etc/flexo/certs/mycert.pem",
160	private_key_path="$HOME/.flexo/mykey.pem",
161	public_cert_path="/etc/flexo/certs/mycert.pem",
162	)
163	backend = create_backend(cert_ref)
164	signature_bytes = backend.sign(b"hello world")
165	#+END_SRC
166
167
168	** Windows
169
170	#+BEGIN_SRC python
171	cert_ref = CertificateReference(
172	platform="WINDOWS",
173	identifier="E1A2B3C4D5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B", # Thumbprint
174	)
175
176	backend = create_backend(cert_ref)
177	signature_bytes = backend.sign(b"hello world")
178	#+END_SRC
179
180	** MacOS
181
182	#+BEGIN_SRC python
183	cert_ref = CertificateReference(
184	platform="MACOS",
185	identifier="FlexOSigner", # Common Name (CN)
186	public_cert_path="/Users/enno/certs/FlexOSigner.pem"
187	)
188
189	backend = create_backend(cert_ref)
190	signature_bytes = backend.sign(b"hello world")
191	#+END_SRC
192
193	* 8. Flex-O Signature Entity
194
195	#+begin_src python
196	@dataclass
197	class Signature(FlexoEntity):
198	ENTITY_TYPE = EntityType.OUTPUT
199
200	signed_entity: Optional[FlexOID] = None
201	signer_id: Optional[UUID] = None
202	signature_data: str = "" # Base64 of PKCS#7 DER
203	signature_type: str = "PKCS7-DER"
204	certificate_thumbprint: str = ""
205	comment: Optional[str] = None
206
207	@property
208	def text_seed(self) -> str:
209	return f"{self.signed_entity}:{self.signer_id}:{self.certificate_thumbprint}"
210	#+end_src

Note: See TracBrowser for help on using the repository browser.

Download in other formats: