contentauth / c2patool

Command line tool for displaying and adding C2PA manifests
Apache License 2.0

How to create the certs? #114

Closed polavishnu4444 closed 2 weeks ago

polavishnu4444 commented 1 year ago

Self-signed certs or general SSL certs seem not to be working. It would be helpful if there were any literature pointing out how to get ES256-signed certs and what is needed to get them.

Created an ECC certificate as well, but still keep getting invalid COSE.

polavishnu4444 commented 1 year ago

@mauricefisher64 - Any help here please? Not able to find any documentation or steps to get the certificates.

I keep getting this error over and over; any pointers on how I can debug or see more in order to proceed any further?

Signature that was just generated does not validate: CoseInvalidCert

matteocargnelutti commented 1 year ago

Adding an example of an openssl command in README.md that shows how to generate a self-signed certificate that works with c2patool would be great.

In addition, getting more information than CoseInvalidCert when passing invalid certs to c2patool would also be helpful: I see that c2pa-rs logs precise information about what went wrong, it would be great to be able to access that information in c2patool with a flag.

I haven't been able to generate a cert + key combination that passes c2pa-rs checks following the "Signing manifests" guide currently published on your website, which might need to be updated?

Thanks in advance,

matteocargnelutti commented 1 year ago

Older versions of this repo's README.md feature a code snippet for that specific purpose:

openssl req -new -newkey rsa:4096 \
   -sigopt rsa_padding_mode:pss \
   -days 180 \
   -extensions v3_ca \
   -addext "keyUsage = digitalSignature" \
   -addext "extendedKeyUsage = emailProtection" \
   -nodes -x509 -keyout private.key -out certs.pem -sha256

Which works.

My understanding is that this was removed to clarify that c2patool comes with a built-in cert / key for testing purposes.

I think this would still be great to have for reference. If not here, maybe on the "Signing Manifests" page of opensource.contentauthenticity.org.


PS: The v3_ca extension is sometimes not available out-of-the-box on Mac OS, but specific instructions could be given for that case.

leszko commented 8 months ago

I've tried with both self-signed certificates (created with the command above ☝️ ) and certificates signed by a root CA, but I always get the following error when using an RSA key and "alg": "PS512":

[2023-10-16T09:32:11Z ERROR c2pa::store] Signature that was just generated does not validate: CoseInvalidCert
Error: embedding manifest

Caused by:
    COSE error parsing certificate

Any thoughts?

CC: @mauricefisher64

leszko commented 8 months ago

Ok, I've dug into the code and it seems that the C2PA SDK intentionally forbids self-signed certificates:

https://github.com/contentauth/c2pa-rs/blob/d9b077c8790e172d5bc9f23dc17f13df343160f1/sdk/src/cose_validator.rs#L350

I wonder, does it mean that the C2PA spec does not allow self-signed certificates? Or does the spec not forbid it, but the SDK does not allow it because it does not make sense in practice?

crandmck commented 2 weeks ago

According to the C2PA spec, self-signed certs or SSL certs are not supported.
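Since the leaf certificate itself must not be self-signed, the practical workaround for local testing is a tiny private CA that issues the signing cert. The script below is an added example, not code from c2patool or c2pa-rs: it builds a P-256 CA, issues an ES256 leaf with the keyUsage/extendedKeyUsage values from the README snippet quoted earlier in this thread, and checks that the leaf verifies against the CA and has a different issuer than subject. It assumes openssl 1.1.1+ or LibreSSL on the PATH and that c2patool accepts a CA-issued leaf with these extensions; the config is self-contained, so it does not depend on the system openssl.cnf (the missing v3_ca section on macOS mentioned above).

```shell
# Two-level test PKI (local CA -> ES256 leaf) for experiments with c2patool.
# Assumption: a CA-issued leaf with these extensions is accepted by the tool.
set -eu

# make_test_chain DIR: writes ca.key ca.pem leaf.key leaf.pem chain.pem into DIR.
make_test_chain() {
  dir="$1"
  mkdir -p "$dir"
  # Self-contained openssl config, independent of the system openssl.cnf.
  cat > "$dir/test.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder, overridden by -subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = emailProtection
EOF
  # 1. Local root CA on P-256: the only self-signed certificate in the chain.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
  openssl req -new -x509 -config "$dir/test.cnf" -extensions ca_ext \
    -key "$dir/ca.key" -subj "/CN=Local C2PA Test CA" -sha256 -days 365 \
    -out "$dir/ca.pem"
  # 2. Leaf key and CSR. ES256 = ECDSA over P-256 with SHA-256.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/leaf.key"
  openssl req -new -config "$dir/test.cnf" -key "$dir/leaf.key" \
    -subj "/CN=Local C2PA Test Signer" -sha256 -out "$dir/leaf.csr"
  # 3. Issue the leaf from the CA with the signing-only extension set.
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 180 -sha256 \
    -extfile "$dir/test.cnf" -extensions leaf_ext -out "$dir/leaf.pem"
  # 4. Chain file for the tool: leaf first, then its issuer.
  cat "$dir/leaf.pem" "$dir/ca.pem" > "$dir/chain.pem"
}

# check_leaf DIR: succeeds only if leaf.pem chains to ca.pem and is not self-signed.
check_leaf() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.pem" "$dir/leaf.pem" >/dev/null
  subj=$(openssl x509 -in "$dir/leaf.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  iss=$(openssl x509 -in "$dir/leaf.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  [ "$subj" != "$iss" ]
}
```

Run `make_test_chain ./testpki && check_leaf ./testpki`, then point c2patool at `testpki/leaf.key` and `testpki/chain.pem` with `"alg": "es256"` in the manifest definition.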