balena-os / balena-sign

Service used to sign data over the network and retrieve the respective public keys

Add support for RPI signing #47

Closed alexgg closed 6 months ago

alexgg commented 10 months ago

Manual testing

export SIGN_API="https://<uuid>.balena-devices.com/"
export SIGN_API_KEY=<API KEY>

Bootstrapping

curl "${SIGN_API}/bootstrap" -X POST -H "X-API-Key: ${SIGN_API_KEY}" -H "Content-type: application/json" -d '{         
  "gpg": {"name_real": "balenaOS GRUB GPG key", "name_email": "security@balena.io"},
  "rpi": {},
  "certificates": {                                                                
    "pk": {"cert_id": "balenaos-pk", "subject": "/CN=balenaOS PK/"},               
    "kek": {"cert_id": "balenaos-kek", "subject": "/CN=balenaOS KEK/"},            
    "db": {"cert_id": "balenaos-db", "subject": "/CN=balenaOS db/"},               
    "kmod": {"cert_id": "balenaos-kmod", "subject": "/CN=key for signing 3rd party balenaOS kernel modules/", "key_length": 4096}
  }                                                                                
}'

Listing keys

curl --fail "${SIGN_API}/rpi/keys"
export SIGN_RPI_KEY_ID=<key fingerprint from above>
curl --fail "${SIGN_API}/rpi/key/${SIGN_RPI_KEY_ID}"     

Signing

export REQUEST_FILE=$(mktemp)
export SIGNING_ARTIFACT=balenasign.svg
echo "{\"key_id\": \"${SIGN_RPI_KEY_ID}\", \"payload\": \"$(base64 -w 0 ${SIGNING_ARTIFACT})\"}" > "${REQUEST_FILE}"
curl --fail "${SIGN_API}/rpi/sign" -X POST -H "Content-Type: application/json" -H "X-API-Key: ${SIGN_API_KEY}" -d "@${REQUEST_FILE}"
alexgg commented 6 months ago

Manual testing

export SIGN_API="https://<uuid>.balena-devices.com/"
export SIGN_API_KEY=<API KEY>

Bootstrapping

curl "${SIGN_API}/bootstrap" -X POST -H "X-API-Key: ${SIGN_API_KEY}" -H "Content-type: application/json" -d '{         
  "gpg": {"name_real": "balenaOS GRUB GPG key", "name_email": "security@balena.io"},
  "rsa": {},
  "certificates": {                                                                
    "pk": {"cert_id": "balenaos-pk", "subject": "/CN=balenaOS PK/"},               
    "kek": {"cert_id": "balenaos-kek", "subject": "/CN=balenaOS KEK/"},            
    "db": {"cert_id": "balenaos-db", "subject": "/CN=balenaOS db/"},               
    "kmod": {"cert_id": "balenaos-kmod", "subject": "/CN=key for signing 3rd party balenaOS kernel modules/", "key_length": 4096}
  }                                                                                
}'

Listing keys

curl --fail "${SIGN_API}/rsa/keys"
export SIGN_RSA_KEY_ID=<key fingerprint from above>
curl --fail "${SIGN_API}/rsa/key/${SIGN_RSA_KEY_ID}"     

Signing

export REQUEST_FILE=$(mktemp)
export SIGNING_ARTIFACT=balenasign.svg
echo "{\"key_id\": \"${SIGN_RSA_KEY_ID}\", \"payload\": \"$(base64 -w 0 ${SIGNING_ARTIFACT})\"}" > "${REQUEST_FILE}"
curl --fail "${SIGN_API}/rsa/sign" -X POST -H "Content-Type: application/json" -H "X-API-Key: ${SIGN_API_KEY}" -d "@${REQUEST_FILE}"

Importing keys

export REQUEST_FILE="/tmp/request"
echo '{         
  "key": "<omitted>",
  "data": "<omitted>",
  "salt": "<omitted>"
}' > "${REQUEST_FILE}"
curl "${SIGN_API}/import" -X POST -H "Content-Type: application/json" -H "X-API-Key: ${SIGN_API_KEY}" -d "@${REQUEST_FILE}"

Exporting keys

export REQUEST_FILE="/tmp/request"
echo '{         
  "key": "<omitted>"                                                                         
}' > "${REQUEST_FILE}"
curl "${SIGN_API}/export" -X POST -H "Content-Type: application/json" -H "X-API-Key: ${SIGN_API_KEY}" -d "@${REQUEST_FILE}"
mtoman commented 6 months ago

lgtm