Under Construction

Adding certificate and public key to dsc_key and/or dsc_keystore

To verify the digital signature of a fileset, only the public key is actually required. However, since the DSC stores the ID of the certificate to be used, not the public key ID, the public key can only be found indirectly via the certificate (see Verifying the Digital Signature of a Fileset). A keystore is only used if the certificate is missing.

When Trusted Installation is initialized, the following certificates, public keys, and keystores are created:

    • PKCS12 keystore: dsc_keystore and /etc/security/pkgverify/keystore/aixpublic_73.p12
    • Certificate: dsc_key and /etc/security/pkgverify/certfile/aixpublic_73.pem
    • Public key: dsc_key and /etc/security/pkgverify/key/aixpublic_73.key

In principle, the keystore would be sufficient, since the certificate can be extracted from it and the public key can then be extracted from the certificate.

All objects in dsc_key and dsc_keystore have an ID. The certificate and the associated keystore must have the same ID!

We start with the previously created certificate cert.pem and create a keystore under /etc/security/pkgverify/keystore with this certificate.

# /usr/java8_64/jre/bin/keytool -importcert -alias mypublic -file cert.pem -storetype pkcs12 -keystore /etc/security/pkgverify/keystore/mypublic.p12 -noprompt
Enter keystore password:  XXXXXXXXX
Re-enter new password: XXXXXXXXX
Certificate was added to keystore
#

We chose mypublic.p12 as the file name. We assigned the certificate the alias name mypublic. The keystore type is pkcs12.

For Trusted Installation to find this keystore, it must be referenced via an ODM entry in dsc_keystore. An entry in this ODM has the following fields:

# ODMDIR=/usr/lib/objrepos odmshow dsc_keystore
class dsc_keystore {
        long id;                                     /* offset: 0xc ( 12) */
        char type[32];                               /* offset: 0x10 ( 16) */
        char alias[256];                             /* offset: 0x30 ( 48) */
        char location[256];                          /* offset: 0x130 ( 304) */
        };
/*
        descriptors:    4
        structure size: 0x230 (560) bytes
        data offset:    0x20c
        population:     2 objects (2 active, 0 deleted)
*/

#

The type field has the value pkcs12, for alias we specify the alias name mypublic from above, and for location the absolute path of the keystore. An ID already used in dsc_key or dsc_keystore must not be used as the id. Therefore, before adding a keystore to the ODM dsc_keystore, you should list the IDs already used and then select an ID that is not yet in use:

# ( ODMDIR=/usr/lib/objrepos odmget dsc_keystore; ODMDIR=/usr/lib/objrepos odmget dsc_key ) | grep -w id | sort -u
        id = 1
        id = 3
#

So far, only IDs 1 and 3 are used. The existing keystore entry has ID 3, we use the next higher ID 4 and create the entry for our keystore with odmadd:

# ODMDIR=/usr/lib/objrepos odmadd <<EOF
> dsc_keystore:
>         id = 4
>         type = "pkcs12"
>         alias = "mypublic"
>         location = "/etc/security/pkgverify/keystore/mypublic.p12"
>
> EOF
#

Next, we extract the included certificate and save it in /etc/security/pkgverify/certfile under the name mypublic.pem:

# /usr/java8_64/jre/bin/keytool -exportcert -alias mypublic -file /etc/security/pkgverify/certfile/mypublic.pem -storetype pkcs12 -keystore /etc/security/pkgverify/keystore/mypublic.p12
Enter keystore password:  XXXXXXXXX
Certificate stored in file </etc/security/pkgverify/certfile/mypublic.pem>
#

To find the certificate, an entry in dsc_key of type certfile is needed, with the following additional fields:

# ODMDIR=/usr/lib/objrepos odmshow dsc_key
class dsc_key {
        long id;                                     /* offset: 0xc ( 12) */
        char type[32];                               /* offset: 0x10 ( 16) */
        char alias[256];                             /* offset: 0x30 ( 48) */
        char location[256];                          /* offset: 0x130 ( 304) */
        vchar modulus[128];                          /* offset: 0x230 ( 560) */
        vchar hash[32];                              /* offset: 0x234 ( 564) */
        link dsc_keystore dsc_keystore id keystore[11];/* offset: 0x238 ( 568) */
        };
/*
        descriptors:    7
        structure size: 0x24c (588) bytes
        data offset:    0x2a8
        population:     4 objects (4 active, 0 deleted)
*/

#

The id must be the ID of the associated keystore (in our case, ID 04). The type (type field) is "certificate", the alias name is used again for alias, the location field specifies the path to the certificate (/etc/security/pkgverify/certfile/mypublic.pem), and the keystore field specifies the ID of the associated keystore (in this case, 04). The hash field specifies the hash algorithm used for digital signatures; typically, this is "sha256". The certificate's modulus can be determined as follows:

# openssl x509 -in /etc/security/pkgverify/certfile/mypublic.pem -noout -modulus | openssl md5
MD5(stdin)= c65cc3a747241b647576b7b10db166aa
#

This allows the following entry to be added to the ODM dsc_key for the certificate:

# ODMDIR=/usr/lib/objrepos odmadd <<EOF
> dsc_key:
>         id = 4
>         type = "certificate"
>         alias = "mypublic"
>         location = "/etc/security/pkgverify/certfile/mypublic.pem"
>         modulus = "c65cc3a747241b647576b7b10db166aa"
>         hash = "sha256"
>         keystore = "4"
>
> EOF
#

Finally, we extract the public key from the certificate and save it under /etc/security/pkgverify/key/mypublic.key:

# openssl x509 -in /etc/security/pkgverify/certfile/mypublic.pem -noout -pubkey -out /etc/security/pkgverify/key/mypublic.key
#

Here, too, an entry must be created in dsc_key, this time of type "key". The modulus for a public key can be determined using csum:

# csum -h MD5 /etc/security/pkgverify/key/mypublic.key
5e2a18f999c86a51df869586d4396689  /etc/security/pkgverify/key/mypublic.key
#

The entry must again have its own unique ID. We’ll use the next available ID, 05. The associated keystore is again our keystore with ID 04. This allows us to create the following ODM entry for the public key:

# ODMDIR=/usr/lib/objrepos odmadd <<EOF
> dsc_key:
>         id = 5
>         type = "key"
>         alias = "mypublic"
>         location = "/etc/security/pkgverify/key/mypublic.key"
>         modulus = "5e2a18f999c86a51df869586d4396689"
>         hash = "sha256"
>         keystore = "4"
>
> EOF
#

The above steps must be repeated for each new certificate. In most cases, however, you won’t have any additional certificates besides the IBM certificate and your own.
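Because the ID bookkeeping has to be redone for every certificate, here is an added shell example (not from the original page) that automates it: it reads the combined odmget output, lists the IDs already used in dsc_key and dsc_keystore, picks the next free one, refuses a colliding ID, and prints the three odmadd stanzas for keystore, certificate and public key. The odmget text in SAMPLE is constructed sample data; the path layout and the "sha256" hash value follow the page, and the modulus values are passed in as computed with openssl and csum as shown above.

```shell
#!/bin/sh
# Added example, not from the original page. SAMPLE is constructed text in
# the shape odmget prints; on a real AIX system pass the functions the output of
#   ( ODMDIR=/usr/lib/objrepos odmget dsc_keystore; ODMDIR=/usr/lib/objrepos odmget dsc_key )
SAMPLE='dsc_keystore:
        id = 3
        type = "pkcs12"
        alias = "aixpublic_73"
        location = "/etc/security/pkgverify/keystore/aixpublic_73.p12"

dsc_key:
        id = 1
        type = "certificate"

dsc_key:
        id = 3
        type = "key"'

# IDs already used in dsc_key or dsc_keystore, numerically sorted, unique.
used_ids() {
    printf '%s\n' "$1" | awk '$1 == "id" && $2 == "=" { print $3 }' | sort -n -u
}

# Next ID above the highest one in use (the page picks 4 after 1 and 3).
next_free_id() {
    _max=$(used_ids "$1" | tail -n 1)
    echo $(( ${_max:-0} + 1 ))
}

# Returns 0 if ID $1 is unused in both classes, 1 if it would collide.
id_is_free() {
    used_ids "$2" | grep -qx "$1" && return 1
    return 0
}

# One stanza in odmadd syntax. Usage: stanza CLASS ID TYPE ALIAS LOCATION [MODULUS HASH KEYSTORE_ID]
stanza() {
    printf '%s:\n\tid = %s\n\ttype = "%s"\n\talias = "%s"\n\tlocation = "%s"\n' "$1" "$2" "$3" "$4" "$5"
    [ $# -gt 5 ] && printf '\tmodulus = "%s"\n\thash = "%s"\n\tkeystore = "%s"\n' "$6" "$7" "$8"
    printf '\n'
}

# Whole procedure: keystore and certificate share one ID, the public key takes the next.
all_stanzas() {   # $1 odmget output, $2 alias, $3 certificate modulus, $4 key modulus
    ks=$(next_free_id "$1"); key=$((ks + 1))
    stanza dsc_keystore "$ks" pkcs12 "$2" "/etc/security/pkgverify/keystore/$2.p12"
    stanza dsc_key "$ks" certificate "$2" "/etc/security/pkgverify/certfile/$2.pem" "$3" sha256 "$ks"
    stanza dsc_key "$key" key "$2" "/etc/security/pkgverify/key/$2.key" "$4" sha256 "$ks"
}
```

Pipe the output of all_stanzas into `ODMDIR=/usr/lib/objrepos odmadd` to create all three entries in one go.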