Raised by Katta from Juniper:
From bootz.proto
===============
// This is a signature of the serialized_bootstrap_data field,
// using the ownership_certificate.
// This should not be set if the device does not check for ownership
// voucher, which is indicated by the device not setting the nonce field
// in the GetBootstrapDataRequest message.
string response_signature = 103;
The specification and code assume that the signature will be made with an RSA key and
a PKCS#1 signature. Also, I see the key should be in PKCS#1 PEM format. PKCS#8 format is
not accepted.
A standard should accommodate any type of key and signing scheme.
One could use ECDSA for signing. With RSA, one could use PKCS#1.5 or PSS signing.
Also, the hash used for signing is assumed to be SHA-256. The specification should allow any
hash, such as SHA-512.
The signature field should then carry all of it (hash algorithm used, signature algorithm used, signer info, etc.).
For this, I suggest encoding the signature as CMS signed data (RFC 5652) and sending the entire CMS
message in “response_signature” as bytes data. It adds about 700 bytes of extra data, which
is not significant for non-telemetry data.
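
The key-format and algorithm points raised above, as an added Go example that is not part of the original issue and not the bootz project's code: a loader that accepts both PKCS#1 and PKCS#8 PEM keys and signs through `crypto.Signer`, so the key type and hash are not fixed to RSA and SHA-256. The names `parseSigner`, `signVerify` and `demo` are hypothetical, the key and payload are constructed, and it does not implement the CMS encoding itself.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509" // also registers SHA-256/384/512 for crypto.Hash.New
	"encoding/pem"
	"fmt"
)

// parseSigner (hypothetical helper) loads a PKCS#1 or PKCS#8 PEM private key.
func parseSigner(pemBytes []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	if k, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
		return k, nil // legacy RSA-only encoding
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes) // RSA, ECDSA or Ed25519
	if s, ok := k.(crypto.Signer); err == nil && ok {
		return s, nil
	}
	return nil, fmt.Errorf("unsupported private key encoding or type")
}

// signVerify signs data under hash h (RSA PKCS#1 v1.5 or ECDSA) and verifies it.
func signVerify(s crypto.Signer, h crypto.Hash, data []byte) bool {
	d := h.New()
	d.Write(data)
	sum := d.Sum(nil)
	sig, err := s.Sign(rand.Reader, sum, h)
	if pub, ok := s.Public().(*rsa.PublicKey); ok {
		return err == nil && rsa.VerifyPKCS1v15(pub, h, sum, sig) == nil
	}
	pub, ok := s.Public().(*ecdsa.PublicKey)
	return err == nil && ok && ecdsa.VerifyASN1(pub, sum, sig)
}

func demo(h crypto.Hash) bool { // constructed P-256 key, round-tripped via PKCS#8 PEM
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	s, err := parseSigner(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
	return err == nil && signVerify(s, h, []byte("constructed bootstrap bytes"))
}

func main() { fmt.Println(demo(crypto.SHA256), demo(crypto.SHA512)) }
```

The verifier here has to be told the hash and key type out of band, which is the gap the issue proposes to close by carrying that metadata in the signature field.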