Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extending remote signer feature for platform certificate #114

Open
223086379 opened this issue Jan 9, 2024 · 1 comment
Open

Extending remote signer feature for platform certificate #114

223086379 opened this issue Jan 9, 2024 · 1 comment

Comments

@223086379
Copy link

In current design, PACCOR signs the platform certificates internally using supplied keys. Since the storage and operation with private key is security sensitive, typically an HSM or HSM services are used. There are already services that provide secure key operation.

PACCOR can benefit from allowing a trusted external signer as it would focus on generating TCG compliant platform certificate while external services protecting/operation/maintenance of keys. Since key management services are well established in the market, this can also help drive more adoption of PACCOR (and platform certificate).
@223086379
Copy link
Author

223086379 commented Jan 9, 2024
edited
Loading

we should be able to implement this with minimal change/addition to existing codebase.

We can implement new contentsigner class which makes call to get platform certificate signed remotely. This is in SigningCli.java
Remote_ContentSigner remote_signer; ach = pcf.build(remote_signer);

The pcf (instance of platformcertificatebuilder classs) pass the remote_signer directly to BouncyCastle X509AttributeCertificateBuilder).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@223086379