Comments on the module-file format

Mark Reinhold mr at sun.com
Wed Feb 10 13:38:19 PST 2010


> Date: Fri, 05 Feb 2010 12:15:09 -0500
> From: sean.mullan at sun.com

> Mark Reinhold wrote:
>> Sean Mullan wrote:
>>> - as for the signature itself, one possible suggestion is to consider reusing
>>> the existing PKCS#7 format that we use for JAR signatures. PKCS#7 already
>>> defines a format for holding the necessary certificates and is extensible to
>>> support various signature algorithms. And of course there is already PKCS#7
>>> support in the JRE. PKCS#7 is also designed to support single-pass processing.
>> 
>> I'm not an expert in this area, but that makes sense to me.  Are there
>> other formats we should consider?
> 
> The other well known standard format is XML Signature. We should consider it
> but I would lean towards PKCS#7 since it is already being used for signed JARs.

On small devices I don't think we'll be able to afford the time and space
overhead of an XML parser during signature validation, so PKCS 7 wins.

>> Do PGP/GPG somehow map into PKCS 7?
> 
> Hmm, I'm not sure. Support for X.509 certificates is essential and I don't
> think PGP and X.509 work well together.

A little web research of my own suggests that you're right.  Some will
want PGP/GPG, however, so the module format should allow for different
signature types even if we only define and implement PKCS 7.

>> Where should signatures reside -- in a module file, or alongside it in a
>> separate file?  JAR files do the former, but some OS packaging systems
>> (e.g., Debian) do the latter.
> 
> Not sure, but here's an initial idea of how this might work:
> 
> The signature is a signature over all of the hashes in the module. It also may
> contain other security attributes, such as the permissions needed by the
> modules.

Good point -- I hadn't thought about signing required permissions, but
that is of course necessary.

> - get the signature first
> - validate the certificate chain
> - verify the signature with the public key
> - optionally, prompt user with security dialog
> - get the module(s)
> - verify the module/section hashes and check that they each match what is
>   inside the signature.

Makes sense to me.  Now we just need to fill in the details ...

- Mark
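The verification order Sean sketches above (signature first, then the per-section hashes checked against it, with the required permissions inside the signed data) in runnable form. This is an added example, not code from this thread or from the Jigsaw project; it is written in Go with only the standard library so it runs stand-alone, whereas the real implementation would be Java over PKCS#7/CMS. Everything here is constructed: the `Manifest` layout and its length-prefixed encoding stand in for a PKCS#7 `SignedData` body, a bare P-256 key stands in for the signer's certificate (the certificate-chain validation step and the user prompt are left out), and the section names, contents and permission string are sample values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Section is one hashed unit of a module file (a class file, a resource, ...).
type Section struct {
	Name string
	Data []byte
}
type HashEntry struct {
	Name string
	Sum  [32]byte // SHA-256 of the section body
}

// Manifest is the single object the signature covers: every section hash plus
// the security attributes (here, the permissions the module needs).
type Manifest struct {
	Permissions []string
	Entries     []HashEntry
}

// encode serialises the manifest deterministically (length-prefixed fields in a
// fixed order) so signer and verifier hash byte-identical input.
func (m Manifest) encode() []byte {
	var buf bytes.Buffer
	writeStr := func(s string) {
		binary.Write(&buf, binary.BigEndian, uint32(len(s)))
		buf.WriteString(s)
	}
	binary.Write(&buf, binary.BigEndian, uint32(len(m.Permissions)))
	for _, p := range m.Permissions {
		writeStr(p)
	}
	binary.Write(&buf, binary.BigEndian, uint32(len(m.Entries)))
	for _, e := range m.Entries {
		writeStr(e.Name)
		buf.Write(e.Sum[:])
	}
	return buf.Bytes()
}

// GenerateKey makes a P-256 signing key standing in for the certificate holder's
// key; no certificate chain is built or validated in this example.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// BuildManifest hashes every section once, at packaging time.
func BuildManifest(perms []string, sections []Section) Manifest {
	m := Manifest{Permissions: perms}
	for _, s := range sections {
		m.Entries = append(m.Entries, HashEntry{Name: s.Name, Sum: sha256.Sum256(s.Data)})
	}
	return m
}

// Sign produces an ECDSA signature (ASN.1 DER) over SHA-256 of the encoded manifest.
func Sign(priv *ecdsa.PrivateKey, m Manifest) ([]byte, error) {
	digest := sha256.Sum256(m.encode())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyManifest is "verify the signature with the public key": nothing in the
// manifest, permissions included, is trusted until this passes.
func VerifyManifest(pub *ecdsa.PublicKey, m Manifest, sig []byte) error {
	digest := sha256.Sum256(m.encode())
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("manifest signature invalid")
	}
	return nil
}

// VerifySections is the last step: each section read from the module is hashed
// and compared with the signed manifest. An unlisted section, a hash mismatch,
// or a listed section that never arrives all fail.
func VerifySections(m Manifest, sections []Section) error {
	expected := make(map[string][32]byte, len(m.Entries))
	for _, e := range m.Entries {
		expected[e.Name] = e.Sum
	}
	for _, s := range sections {
		want, ok := expected[s.Name]
		if !ok {
			return fmt.Errorf("section %q is not covered by the signature", s.Name)
		}
		if sha256.Sum256(s.Data) != want {
			return fmt.Errorf("section %q does not match its signed hash", s.Name)
		}
		delete(expected, s.Name) // a repeated name is treated as unlisted
	}
	if len(expected) != 0 {
		return fmt.Errorf("%d signed section(s) missing from the module", len(expected))
	}
	return nil
}
```

Because the signature covers only the small manifest, a verifier can check it before reading a single section and then hash sections as they stream past, which is the single-pass property mentioned for PKCS#7; putting the permission list inside the manifest is what makes a tampered permission set fail signature verification rather than slip through.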



More information about the jigsaw-dev mailing list