README

RSA-PSS Signing
===============

**THIS SIGNER IS DEPRECATED, USE THE `genericrsa` SIGNER INSTEAD**

.. sectnum::
.. contents:: Table of Contents

This signer implements RSA-PSS signing for Widevine and possibly other
signature types in the future. It accepts 20-byte SHA1 hashes on
`/sign/hash` and data to be hashed on `/sign/data`. Both endpoints
return base64-encoded RSA-PSS signatures of the hashed data using
`rsa.PSSSaltLengthEqualsHash` padding.

Example Usage:

.. code:: bash

    # hash your input data into a separate file
    $ echo foo | sha1sum -b | cut -d ' ' -f 1 | xxd -r -p > /tmp/inputhash.bin

    # request a signature using the autograph client
    $ go run client.go -D -wa $(cat /tmp/inputhash.bin | base64) \
      -k dummyrsapss -o /tmp/sig.bin -ko /tmp/pub.key

    # format /tmp/pub.key to PEM (fold lines to 64 and add header and footer)
    $ (echo '-----BEGIN PUBLIC KEY-----'; cat /tmp/pub.key |fold -w 64; echo;echo '-----END PUBLIC KEY-----') > /tmp/pub.pem

    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtEM/Vdfd4Vl9wmeVdCYu
    WYnQl0Zc9RW5hLE4hFA+c277qanE8XCK+ap/c5so87XngLLfacB3zZhGxIOut/4S
    lEBOAUmVNCfnTO+YkRk3A8OyJ4XNqdn+/ov78ZbssGf+0zws2BcwZYwhtuTvro3y
    i62FQ7T1TpT5VjljH7sHW/iZnS/RKiY4DwqAN799gkB+Gwovtroabh2w5OX0P+PY
    yUbJLFQeo5uiAQ8cAXTlHqCkj11GYgU4ttVDuFGotKRyaRn1F+yKxE4LQcAULx7s
    0KzvS35mNU+MoywLWjy9a4TcjK0nq+BjspKX4UkNwVstvH18hQWun7E+dxTi59cR
    mwIDAQAB
    -----END PUBLIC KEY-----

    # verify the signature with openssl
    $ openssl pkeyutl -verify \
    -in /tmp/inputhash.bin \
    -sigfile /tmp/sig.bin \
    -inkey /tmp/pub.pem -pubin -keyform PEM \
    -pkeyopt rsa_padding_mode:pss -pkeyopt rsa_pss_saltlen:-1 -pkeyopt digest:sha1

    Signature Verified Successfully

Configuration
-------------

Requires PEM encoded public and private RSA keys.

NB: if the publickey does not match the private key the monitor will
break.

For example:

.. code:: yaml

    signers:
    - id: some-rsa-key
      type: rsapss
      privatekey: |
        -----BEGIN RSA PRIVATE KEY-----
        MIIEpAIBAAKCAQEAtEM/Vdfd4Vl9wmeVdCYuWYnQl0Zc9RW5hLE4hFA+c277qanE
        ...
        TDd4Me4PP+sTZeJ3RKvArDiMzEncDeMGZZnd4dBdi3LjzCNGTANAGw==
        -----END RSA PRIVATE KEY-----
      publickey: |
        -----BEGIN PUBLIC KEY-----
        MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtEM/Vdfd4Vl9wmeVdCYu
        ...
        mwIDAQAB
        -----END PUBLIC KEY-----

Signature response
------------------

Returns base64-encoded public key (DER) and signature (hex). The
public key is from the config.

.. code:: json

    [
      {
        "ref": "29cfra8jxug9r3mzjapmlbjlp5",
        "type": "rsapss",
        "mode": "",
        "signer_id": "dummy-rsapss",
        "public_key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtEM/Vdfd4Vl9wmeVdCYuWYnQl0Zc9RW5hLE4hFA+c277qanE8XCK+ap/c5so87XngLLfacB3zZhGxIOut/4SlEBOAUmVNCfnTO+YkRk3A8OyJ4XNqdn+/ov78ZbssGf+0zws2BcwZYwhtuTvro3yi62FQ7T1TpT5VjljH7sHW/iZnS/RKiY4DwqAN799gkB+Gwovtroabh2w5OX0P+PYyUbJLFQeo5uiAQ8cAXTlHqCkj11GYgU4ttVDuFGotKRyaRn1F+yKxE4LQcAULx7s0KzvS35mNU+MoywLWjy9a4TcjK0nq+BjspKX4UkNwVstvH18hQWun7E+dxTi59cRmwIDAQAB",
        "signature": "S81qc/poBLToOIXVd8eOS6/CxXdhdsM/0Uz0q4cJWdmSKf9Iv8Eboz94xfuMgl81ybtPrEWDuZRLgY1qr4GxhShwa1Yb7rBtGxyJlseYfstnf24T7B6s4aeW3Zo5lfF2SCONbI0hLSHHyFzPPsnCHxvA2Ji5F+vDeBLpSrXhFn+mn14AGhz6smtU4k/iLPrfhocvBGscZv+7h7PI0vPs3MEckVZeSP8i0CkK4ev1QV88wrIa8estHCbiT4STu5zBHYb0LkkowEyCMW0KrQu5M2HO8yL4SSK9LHNR4WOS8BxBvKIXjmG5bjcH+g0gEK0RFSuJ3sLCNoRETGhRykufJA=="
      }
    ]
Expand ▾ Collapse ▴

Documentation

Index

Constants

View Source
const (
	// Type of this signer is "rsapss"
	Type = "rsapss"
)

Variables

This section is empty.

Functions

func Unmarshal

func Unmarshal(sigstr string) (signer.Signature, error)

    Unmarshal decodes a base64 signature string into a Signature

    func VerifySignature

    func VerifySignature(pubKey *rsa.PublicKey, digest, sigBytes []byte) error

      VerifySignature verifies a rsapss signature for the given SHA1 digest for the given RSA public and signature bytes

      func VerifySignatureFromB64

      func VerifySignatureFromB64(b64Digest, b64Signature, b64PubKey string) error

        VerifySignatureFromB64 verifies a signature from base64 encoded digest, signature, and public key as autograph returns from its API used in the client and monitor

        Types

        type Options

        type Options struct {
        }

          Options are not implemented for this signer

          type RSAPSSSigner

          type RSAPSSSigner struct {
          	signer.Configuration
          	// contains filtered or unexported fields
          }

            RSAPSSSigner holds the configuration of the signer

            func New

            func New(conf signer.Configuration) (s *RSAPSSSigner, err error)

              New initializes a rsapss signer using a configuration

              func (*RSAPSSSigner) Config

              func (s *RSAPSSSigner) Config() signer.Configuration

                Config returns the configuration of the current signer

                func (*RSAPSSSigner) GetDefaultOptions

                func (s *RSAPSSSigner) GetDefaultOptions() interface{}

                  GetDefaultOptions returns default options of the signer

                  func (*RSAPSSSigner) SignData

                  func (s *RSAPSSSigner) SignData(data []byte, options interface{}) (signer.Signature, error)

                    SignData takes data, hashes it and returns a signed base64 encoded hash

                    func (*RSAPSSSigner) SignHash

                    func (s *RSAPSSSigner) SignHash(digest []byte, options interface{}) (signer.Signature, error)

                      SignHash takes an input hash and returns a signed base64 encoded hash

                      type Signature

                      type Signature struct {
                      	Data []byte
                      }

                        Signature is a rsapss signature

                        func (*Signature) Marshal

                        func (sig *Signature) Marshal() (string, error)

                          Marshal returns the base64 representation of a signature

                          Source Files