Re: [Anima-bootstrap] [Anima] Voucher signing method

Kent Watsen <kwatsen@juniper.net> Mon, 24 April 2017 18:36 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: "Max Pritikin (pritikin)" <pritikin@cisco.com>
CC: "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>, "anima@ietf.org" <anima@ietf.org>
Date: Mon, 24 Apr 2017 18:36:01 +0000
Message-ID: <1E542C9F-7F05-4DE8-869D-0A796771C581@juniper.net>
References: <4F1BE153-1A2E-4DC2-9E51-520A8538B84E@juniper.net> <2BCEB682-357B-43E5-9794-3B84F69E3C71@cisco.com> <882BF9A1-8827-4E88-AAE0-EE14EAE5EDDC@cisco.com> <1F01B33F-E514-4737-B32A-18035BE52BD0@juniper.net> <88DEE1BF-A907-4870-A118-617103A768CD@cisco.com> <2C2AB1B4-73C9-47A3-A9DB-BC8596217EB0@cisco.com>
In-Reply-To: <2C2AB1B4-73C9-47A3-A9DB-BC8596217EB0@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-bootstrap/4Gy09NxutWjERtOUcgNSBu4cl0Y>


> You can see this by exploding the output from openssl dgst via asn1parse: 
> pritikin@ubuntu:~/tmp/jwt$ openssl asn1parse -in signature.sign -inform DER
>     0:d=0  hl=2 l=  69 cons: SEQUENCE          
>     2:d=1  hl=2 l=  32 prim: INTEGER           :1EF9060ADA81C288C4FE2E3585BFF6379FF03467EB0D7D848D568604A1C53864
>    36:d=1  hl=2 l=  33 prim: INTEGER           :EAD5AD3F8FB7092D14903C8B08D0D83EE91E898EA8D3A5944F13F8B6652372D1
>
> So to do everything in script-land with openssl tools you need to extract
> the r and s values and format them correctly as specified in JWA [RFC7518,
> section 3.4 step 2 and 3). I’ll have to think about how you could do this
> from a shell script. 


Your signature.sign file is probably 66 bytes, right? Assuming 'R' and 'S' are in order, I think you can snip 2 bytes off the front of the file and have the signature.


> It's interesting to note here that we have almost the simplest example of
> ASN.1 possible and it still sounds hard to work with. :) Shrug, it isn't
> like the JWA 64-octet sequence is actually that much easier from shell
> commands.

But all we need to do is compute the encoded signature value BASE64URL(JWS Signature); we can use the script I found before for this part...


Kent
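Added example (editor's code, not from either poster) showing the conversion the thread is circling: the DER signature that `openssl dgst -sign` writes is SEQUENCE { INTEGER r, INTEGER s }, where each INTEGER carries its own tag and length and gets a leading 0x00 whenever its top bit is set. The quoted asn1parse output is exactly that case: R is 32 bytes, S is 33 on disk, so the file is 71 bytes, and the JWS ES256 value (RFC 7518 section 3.4) is the fixed 64-byte R || S with the sign byte dropped and short values left-padded, then BASE64URL without '=' padding (RFC 7515). The DER hex below is constructed from the quoted R and S values; the script assumes short-form lengths (fine for P-256 and P-384) and only needs sh, printf, cut, tr and base64.

```shell
#!/bin/sh
# Added example: DER ECDSA signature -> JWS ES256 signature value.
# Not code from the ANIMA thread; the test vector is constructed from the
# R and S values in the quoted asn1parse output.
set -eu

# Constructed DER bytes behind the quoted asn1parse output:
#   30 45                   SEQUENCE, 69 bytes of content
#     02 20 <32 bytes>      R = 1EF9...3864 (top bit clear, no sign byte)
#     02 21 00 <32 bytes>   S = EAD5...72D1 (top bit set, so DER prepends 00)
# 71 bytes on disk; the JWS value must be exactly 64 bytes.
DER_HEX=304502201EF9060ADA81C288C4FE2E3585BFF6379FF03467EB0D7D848D568604A1C53864022100EAD5AD3F8FB7092D14903C8B08D0D83EE91E898EA8D3A5944F13F8B6652372D1

# hexsub HEX OFFSET LENGTH: substring of HEX (0-based offset, counted in hex digits)
hexsub() { printf '%s' "$1" | cut -c"$(($2 + 1))-$(($2 + $3))"; }

# der_to_jws_hex DER_HEX COORD_BYTES: print hex of R||S, each COORD_BYTES wide
der_to_jws_hex() {
  hex=$1; n=$2; out=""
  # Short-form lengths only (total content under 128 bytes): true for P-256/P-384.
  [ "$(hexsub "$hex" 0 2)" = 30 ] || { echo "not a SEQUENCE" >&2; return 1; }
  pos=4
  for i in 1 2; do
    [ "$(hexsub "$hex" "$pos" 2)" = 02 ] || { echo "expected INTEGER" >&2; return 1; }
    len=$((0x$(hexsub "$hex" $((pos + 2)) 2)))
    val=$(hexsub "$hex" $((pos + 4)) $((len * 2)))
    pos=$((pos + 4 + len * 2))
    # Drop DER's sign-padding 00 byte(s), then left-pad back to the fixed width.
    while [ "${val#00}" != "$val" ] && [ ${#val} -gt 2 ]; do val=${val#00}; done
    [ ${#val} -le $((n * 2)) ] || { echo "integer wider than $n bytes" >&2; return 1; }
    while [ ${#val} -lt $((n * 2)) ]; do val=00$val; done
    out=$out$val
  done
  [ "$pos" -eq ${#hex} ] || { echo "trailing bytes after SEQUENCE" >&2; return 1; }
  printf '%s' "$out"
}

# hex_to_base64url HEX: BASE64URL of the bytes, no '=' padding (RFC 7515 section 2)
hex_to_base64url() {
  hex=$1; i=0; fmt=""
  while [ "$i" -lt ${#hex} ]; do
    # Build a printf format made of one octal escape per byte, e.g. \036\371...
    fmt="$fmt$(printf '\\%03o' "$((0x$(hexsub "$hex" "$i" 2)))")"
    i=$((i + 2))
  done
  printf "$fmt" | base64 | tr -d '\n=' | tr '+/' '-_'
}

# The ES256 "JWS Signature" value for the constructed DER_HEX (86 characters).
JWS_SIGNATURE=$(hex_to_base64url "$(der_to_jws_hex "$DER_HEX" 32)")
printf '%s\n' "$JWS_SIGNATURE"
```

To use it on a real file, feed the output of `od -An -tx1 -v signature.sign | tr -d ' \n'` as DER_HEX; the second argument is the coordinate size (32 for ES256, 48 for ES384). The 0x00 handling is the part a "trim the header" approach misses: roughly half of all signatures have a top bit set in R or S, so those files are 70 or 71 bytes rather than 66, and the sign byte lands inside the 64-byte JWS value if it is not stripped.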