Comments on the module-file format
mr at sun.com
Wed Feb 10 13:38:19 PST 2010
> Date: Fri, 05 Feb 2010 12:15:09 -0500
> From: sean.mullan at sun.com
> Mark Reinhold wrote:
>> Sean Mullan wrote:
>>> - as for the signature itself, one possible suggestion is to consider reusing
>>> the existing PKCS#7 format that we use for JAR signatures. PKCS#7 already
>>> defines a format for holding the necessary certificates and is extensible to
>>> support various signature algorithms. And of course there is already PKCS#7
>>> support in the JRE. PKCS#7 is also designed to support single-pass processing.
>> I'm not an expert in this area, but that makes sense to me. Are there
>> other formats we should consider?
> The other well known standard format is XML Signature. We should consider it
> but I would lean towards PKCS#7 since it is already being used for signed JARs.
On small devices I don't think we'll be able to afford the time and space
overhead of an XML parser during signature validation, so PKCS 7 wins.
>> Do PGP/GPG somehow map into PKCS 7?
> Hmm, I'm not sure. Support for X.509 certificates is essential and I don't
> think PGP and X.509 work well together.
A little web research of my own suggests that you're right. Some will
want PGP/GPG, however, so the module format should allow for different
signature types even if we only define and implement PKCS 7.
>> Where should signatures reside -- in a module file, or alongside it in a
>> separate file? JAR files do the former, but some OS packaging systems
>> (e.g., Debian) do the latter.
> Not sure, but here's an initial idea of how this might work:
> The signature is a signature over all of the hashes in the module. It also may
> contain other security attributes, such as the permissions needed by the
Good point -- I hadn't thought about signing required permissions, but
that is of course necessary.
> - get the signature first
> - validate the certificate chain
> - verify the signature with the public key
> - optionally, prompt user with security dialog
> - get the module(s)
> - verify the module/section hashes and check that they each match what is
> inside the signature.
Makes sense to me. Now we just need to fill in the details ...
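An added illustration of the verification order in the list above (not Jigsaw code; the section names, section bytes and permission string are constructed, and the PKCS#7 envelope and certificate-chain validation step are left out):

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
// Added example, not Jigsaw code: sign a table of per-section hashes plus the required
// permissions, and verify the signature before any section hash is consulted.
public class ModuleSigCheck {
    // Signed payload: one "name base64(SHA-256)" line per section, then the permissions.
    static byte[] hashTable(Map<String, byte[]> sections, String permissions) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, byte[]> e : sections.entrySet())
            sb.append(e.getKey()).append(' ').append(Base64.getEncoder().encodeToString(md.digest(e.getValue()))).append('\n');
        sb.append("permissions ").append(permissions).append('\n');
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }
    // Consumer side, in the thread's order: chain validation (omitted), signature over the table, then each section hash.
    static boolean verify(Map<String, byte[]> sections, byte[] table, byte[] sig, PublicKey pub) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(table);
        if (!s.verify(sig)) return false;             // table untrusted: do not consult it
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        Set<String> signed = new HashSet<>();
        for (String line : new String(table, StandardCharsets.UTF_8).split("\n")) {
            String[] f = line.split(" ", 2);
            if (f.length != 2) return false;
            if (f[0].equals("permissions")) continue;   // signed attribute, enforced by the loader
            byte[] body = sections.get(f[0]);            // null: listed in the signature but absent
            if (body == null || !Base64.getEncoder().encodeToString(md.digest(body)).equals(f[1])) return false;
            signed.add(f[0]);
        }
        return signed.equals(sections.keySet());         // reject unsigned extra sections
    }
    public static void main(String[] args) throws Exception {
        Map<String, byte[]> sections = new LinkedHashMap<>(); // constructed stand-in for a module
        sections.put("module-info", "module com.example { }".getBytes(StandardCharsets.UTF_8));
        sections.put("classes", "<constructed class bytes>".getBytes(StandardCharsets.UTF_8));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] table = hashTable(sections, "java.io.FilePermission /tmp/* read");
        Signature signer = Signature.getInstance("SHA256withRSA"); // PKCS#7 envelope omitted
        signer.initSign(kp.getPrivate());
        signer.update(table);
        byte[] sig = signer.sign();
        System.out.println("intact module verifies: " + verify(sections, table, sig, kp.getPublic()));
        sections.put("classes", "<altered>".getBytes(StandardCharsets.UTF_8));
        System.out.println("tampered module verifies: " + verify(sections, table, sig, kp.getPublic()));
    }
}
```

The second run fails at the per-section hash check rather than at the signature check, since the signed table itself is untouched; that is the single-pass shape the thread describes.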