I have created one efi and signed with pesign using the docs -
UEFI secure boot :
https://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO
https://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm
https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
https://wiki.ubuntu.com/SecurityTeam/SecureBoot
http://tomsblog.gschwinds.net/2014/08/uefi-secure-boot-hands-on-experience/
And booted with :
sudo qemu-system-x86_64 -L . -pflash /usr/share/qemu/OVMF.fd -hda fat:uefi_disk
uefi disk contains signed efi file
But to secure boot I need to have
DB
DBX
KEK
PK
so that I can enroll in OVMF secure boot
But in the tutorials, never got these how to generate.
Please suggest
In addition to generating keys for secure boot, one need to take care of signing the keys.
procedure for generating keys, signing and storing them to keystore is defined in detail here https://www.rodsbooks.com/efi-bootloaders/secureboot.html
Security keys can be categorised in 2 ways Private and Public and secure boot follow chain of root of trust for key addition PK=>KEK=>DB. Any changes in DB needs to be signed using KEK private key, changes in KEK needs to be signed by PK private key and changes in PK requires key to be signed by previous PK publik key's private key.
Generate PK pair and sign PK public key with private key. PK is a self signed key.
Generate KEK pair and sign KEK public key using PK private key
Generate DB key pair and sign DB public key using KEK private key
Generate DBX key pair and sign DBX key pair using KEK private key
Note : for replacing previous PK from BIOS, you will require an empty key signed by platform owner. Most BIOSs allow changing keys without verifying but ideally it should not be allowed. Whole purpose of secure boot is that things can be traced to root of trust and verified.
Apart from generating completely new set of keys, you can also use Machine Owner's Key MOK for registering a new key with secure boot.
Generate a key pair
sign your utility using private key(using sbsign)
add public key to MOK utility (using mokutility)
also described in link mentioned above
Related
Correct me if I am wrong, but if a byte of an app is changed then the signature of the app changes too. But in this library https://github.com/javiersantos/PiracyChecker in section verify signature there is written that we shoud save the signature in a variable and check if it is correct. I tried it and it works. But if we save signature inside a variable that means the app is changed which means the signatue is changed also and then it can't pass the check wright? So how is that possible?
how does a signature check works?
I now understand it. When a private key creates a certificate, then that certificate can be checked using the public key. But the piracy check included is using the public key or hash of the public key and NOT the whole apk digital signature. When any part of the app is changed there is a high probability that the app digital signature changes. On the other hand, using a public key or hash of a public key inside the piracy check enables us to sign the app using our private key. The piracy check verifies if the app is signed with the equal public key or hash of the public key that is stored inside the code.
I am actually reading about certificates and certificate chains. I understand that a certificate is a piece of data which is signed by the private key of an entity and can only be decrypted by using the public key of the given entity (e.g. the root CA).
However, I came across several places where it reads that a "certificate signs another certificate" (example: Microsoft Iot Edge: https://learn.microsoft.com/en-us/azure/iot-edge/iot-edge-certs?view=iotedge-2018-06)
I struggle to understand what this exactly means technically. What happens when I "sign a certificate with another certificate"? For example, if I create a intermediate certificate and sign it with the root CA's certificate, which private key is used? Is this key somehow part of the root CA's certificate (don't think so)? So what private / public keys are used if one says "this certificate signs another certificate"?
When a piece of text says signing with a certificate, it actually means signing with the private key associated with the public key stored in the certificate. The latter is rather a mouthful though, so the former is used.
So in your case, the intermediate CA's certificate is signed by the private key of the Root CA. This Root CA private key was generated along with the Root CA public key when CA was stood up. The private key is kept (extremely) private, while the public key is shared within the Root CA's certificate.
I am working on a basic-network project on Hyperledeger Fabric V-1.4.1. I have enrolled an admin and created a user using enrollAdmin.js and registerUser.js. A public Key and a private key is generated for user1. Now I want to use that private key to sign simple data and later verify using the public Key. I have tried using URSA node module which works fine with RSA keys generated through OpenSSL but isn't working with these two keys. Probably because these keys are not RSA, they are ECDSA keys. I have also read the documentation of the Crypto node module and it seems I need to have .pem files as keys to use in Crypto module. But In fabric, I have key files as -priv and -pub format.
Is there any node module that can encrypt decrypt using ECDSA keys?
Is there any specific way in hyperledger fabric to do this?
Or is there any other way I can do this thing? Please ask any questions if necessary.
Thank you.
The two formats you see
priv
pub
Are wallet formate of filestorage
Try to register an identity and enroll with fabric-CA by importing identity service then you will receive certificate and private key just put it in a file and mark the extension as pem and it will work
How do I verify a user's extended public key file's integrity (when downloading through a connection that lacks confidentiality and authentication) when I have their previous (now expired) public key in my keyring? Is their expired key sufficient information to verify the extended key? Consider the below scenario:
I have Bob's trusted public key in my keyring.
Bob's key expired yesterday, so he extended his keypair and uploaded a new ascii-armoured public key to his website.
I downloaded Bob's new public key file over http, and I want to verify it.
Is the new public key file signed with his old key in a verifiable way? How would I verify the integrity of the new key file utilizing his existing (expired) key in my keyring?
For a general scenario with a new key pair: If either the key itself is signed by his old key (this is the usual way to do such key changes) and/or the key file you downloaded is signed by his old key, you can verify and validate the signature anyway: all that happens is GnuPG indicating that the key already expired.
But you wrote
Bob's key expired yesterday, so he extended his keypair and uploaded a new ascii-armoured public key to his website
Extending the key's validity does not produce a different key. They key is identified by the tuple of public key and creation timestamp, which is hashed together to the fingerprint of the key. Short and long key IDs are derived from that. If all he did is indeed extend the validity of the key, simply import the key. The signature and trust you issued on that key are still valid.
If you wish you can compare at least the long key ID before importing, run
gpg --keyid-format 0xlong [key-file]
and compare with the key already in your key chain.
Anyway: don't simply trust keys in your key chain, but use signatures and trust instead. Lots of mail clients automatically fetch keys to verify signatures, you might have fetched some (unvalidated) keys for reading signatures issued on other keys, ...
I'm trying to perform pgp encryption/decryption operations via Camel / Bouncy Castle PGP where I store the used keys in a JKS files and generate PGP keyrings on the fly from the public/private keys in the JKS stores (Camel only works with keyrings - it can't use keys direclty).
The problem comes when I need to perform an PGP encrypt operation where I only get a public key with which I should do the encryption and I don't have/need a private key. I checked the Bouncy Castle PGP API at http://www.bouncycastle.org/docs/pgdocs1.5on/index.html and found no way to generate a PGP public keyring without having at least one private key.
To be more specific - the only way to create a PGP keyring is to use the org.bouncycastle.openpgp.PGPKeyRingGenerator class but all its constructors need a (non null) PGPKeyPair argument which needs a PGP Public Key.
Is it possible at all to have a PGP public key ring without having a private key?
Thank you