Normalisation and Signing of Component Descriptor

gardener-attic / component-spec

component descriptor specification and language bindings

2 stars 15 forks source link

Normalisation and Signing of Component Descriptor #47

Closed enrico-kaack-comp closed 2 years ago

enrico-kaack-comp commented 2 years ago

What this PR does / why we need it: Introduces normalisation and signing. Only implements Private Key based signing right now.

Which issue(s) this PR fixes: Fixes #

Special notes for your reviewer:

To generate private and public key:

openssl genrsa -out private 4096
openssl rsa -in private -outform PEM -pubout -out public

Release note:

enrico-kaack-comp commented 2 years ago

Open Questions:

support more Hash Algorithms other than sha256 (SHA512, SHA3_256, SHA3_512)?
Signing standard RSASSA-PKCS1-V1_5-SIGN suitable or should RSASSA-PSS be used?

schrodit commented 2 years ago

Open Questions:

support more Hash Algorithms other than sha256 (SHA512, SHA3_256, SHA3_512)?

Signing standard RSASSA-PKCS1-V1_5-SIGN suitable or should RSASSA-PSS be used?

I think we should at least support sha512. But on the otherhand everyone is free to use other algorithms as they can create their own Hasher struct.

Signing standard RSASSA-PKCS1-V1_5-SIGN suitable or should RSASSA-PSS be used?

I'm no security expert so i will forward that question to @ThormaehlenFred

gardener-robot commented 2 years ago

@jschicktanz You have pull request review open invite, please check

enrico-kaack-comp commented 2 years ago

Sugestion: change Digest.Algorithm and Digest.Value to Digest.Digest = sha256:asd @mandelsoft for consistency. DONE: As discussed, leave it as two separat values.

enrico-kaack-comp commented 2 years ago

DONE: write digest algorithm e.g. sha256 always lowercase

enrico-kaack-comp commented 2 years ago

Consider changing rsa test key generation. Otherwise, merge on monday.