Using HSM for signing

[maxpain]

Hello. Is it possible use HSM (for example Google Cloud KMS/HSM) for signing Windows executables?

[jet2jet]

No, currently resedit-js does not support any HSMs. I think it is good to support, but it may take some time to implement (also it may not be fully tested).

[maxpain]

I am looking for signing my electron application in GitLab CI with our EV certificate on Google Cloud KMS. I could use jsign, but it requires to build our own docker image with gcloud-sdk, jsign itself and electron-builder rather than using pure electron-builder image.

So it will be cool to use this npm module to do that right in the electron-builder config.

Can I implement HSM signing utilizing current API of this package?

[jet2jet]

Sounds good. If you use @google-cloud/kms, please set it as optional dependency because this feature would be an optional feature.

[maxpain]

So, can I implement HSM signing utilizing current API of this package? Honestly, I'm not very familiar with crypto stuff

[jet2jet]

It's OK. I think it's not so easy, but I think all we need is implement ResEdit.SignerObject, especially three methods: getEncryptionAlgorithm, getCertificateData, and encryptData (other methods would be the same implementations as MySignerObject: https://github.com/jet2jet/resedit-js-cli/blob/main/src/main/signing/index.ts#L20).

• encryptData implementation would be to call asymmetric sign process as followings:
  • @google-cloud/kms package: client.asymmetricSign()
  • REST API: https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/asymmetricSign#google.cloud.kms.v1.KeyManagementService.AsymmetricSign
• getCertificateData implementation would be to return public keys with DER-format binary.
  • You can convert PEM to DER by using getCertificatesFromPem (https://github.com/jet2jet/resedit-js-cli/blob/main/src/main/signing/signUtil.ts#L168)
  • Retrieving public key:
    • @google-cloud/kms package: client.getPublicKey()
    • REST API: https://cloud.google.com/kms/docs/reference/rest/v1/projects.locations.keyRings.cryptoKeys.cryptoKeyVersions/getPublicKey
  • getCertificateData is not an async method, so it's necessary to retrieve certificates before calling ResEdit.generateExecutableWithSign.
• getEncryptionAlgorithm would be to return 'rsa' (?)

The asymmetric-sign sample may help you to understand and implement this: https://github.com/googleapis/nodejs-kms/blob/HEAD/samples/signAsymmetric.js
(More information about signature creation: https://cloud.google.com/kms/docs/create-validate-signatures )

[maxpain]

encryptData implementation would be to call asymmetric sign process as followings:

• @google-cloud/kms package: client.asymmetricSign()

asymmetricSign just returns digital signature of provided payload, but encryptData method of ResEdit.SignerObject class must return whole encrypted payload, right? If so, ResEdit.SignerObject must let me provide some signData method.

[jet2jet]

Yes, you are right (I missed it). I'll work to add signData-like method to SignerObject.

[jet2jet]

I updated resedit package and resedit-js-cli repository.
Now signData method is to be used during signing process, so please implement signData method in SignerObject.

[maxpain]

Thank you! Will try it today.

[maxpain]

@jet2jet Is it possible to use returned value of digestData and pass it as an argument in signData?

[jet2jet]

Is it possible to use returned value of digestData and pass it as an argument in signData?

No. But for asymmetricSign, digest parameter should be the digest data calculated from the parameter dataIterator of signData.
Pseudo code would be:

  d = createDigest(algorithm);
  d.update(...dataIterator);
  digest = d.digest();
  asymmetricSign(digest := digest, ...<other parameters>);