cacert
/
cacert-codedocs
8
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'cff7cc6779'
${ noResults }
cacert-codedocs/source/signer.rst

223 lines
6.0 KiB
ReStructuredText
Raw Blame History

===================
The Signer Protocol
===================
Communication with the signer is performed via a serial connection. That has
to be established by the client before speaking the protocol defined here.
.. _signer-request-data-format:
Signer request data format specification
========================================
Protocol data is encoded with the following format:
.. table:: signer request message format
======= ==============================================================
Byte Data
======= ==============================================================
0-2 length of header + data in network byte order
3-12 action specific header
13-15 length of first action specific content in network byte order
15-N fist action specific content string
N+1-N+3 length of second action specific content in network byte order
N+4-M second action specific content string
M+1-M+3 lenght of third action specific content in network byte order
M+4-End third action specific content string
======= ==============================================================
Due to the length encoding in 3 bytes the messages can have a maximum length
of 8\ :sup:`3` = 2\ :sup:`24` Bytes which is around 16 MiB.
General header format
---------------------
Every protocol header (bytes 3-12 of protocol message) follows the same 8 byte
structure. The content of bits 3-8 are protocol action specific.
.. table:: general request header format
==== =============================================================
Byte Value
==== =============================================================
0 Version (``0x01``)
1 Action
2 System (``0x01`` for :ref:`client.pl <commmodule-client-pl>`)
3 8 bits root
4 8 bits configuration
5 8 bits parameter
6-7 16 bits parameter
8 8 bits parameter
==== =============================================================
.. _signer-nul-request-format:
Format of NUL Requests
----------------------
NUL requests are sent at the end of each iteration in
:ref:`client.pl <commmodule-client-pl>`'s main loop.
.. table:: NUL request header format
==== =========================================================
Byte Value
==== =========================================================
0 Version (``0x01``)
1 Action ``0x00``
2 System (``0x01`` for :ref:`client.pl <commmodule-client-pl>`)
3 ``0x00``
4 ``0x00``
5 ``0x00``
6-7 ``0x0000``
8 ``0x00``
==== =========================================================
**NUL Request Payload:**
- GMT timestamp in %m%d%H%M%Y.%S format
- ""
- ""
Format of X.509 signing request messages
----------------------------------------
X.509 signing request messages are sent in
:ref:`client.pl <commmodule-client-pl>`'s main loop for each requested
certificate.
.. table:: X.509 certificate signing request header format
==== =========================================================
Byte Value
==== =========================================================
0 Version (0x01)
1 Action 0x01
2 System (0x01 for :ref:`client.pl <commmodule-client-pl>`)
3 Root
4 Profile (see table :ref:`table-cert-profiles`)
5 Message Digest Id (see table :ref:`table-md-ids`)
6-7 Days in big-endian format
8 Key type (``0x01`` for 'NS', ``0x00`` for others)
==== =========================================================
.. todo:: describe which root is identified by which root id
The key type is stored in the column *keytype* of the certificate request
table which is one of
- *domaincerts*
- *emailcerts*
- *orgdomaincerts*
- *orgemailcerts*
.. todo:: describe what 'NS' means for key type
**X.509 Signing Request Payload:**
- "$content"
- "$SAN"
- "$subject"
.. _table-cert-profiles:
.. table:: Certificate profile ids
== ======================
Id Profile
== ======================
0 Client (personal)
1 Client (Organization)
2 Client (Codesigning)
3 Client (Machine)
4 Client (ADS)
5 Server (personal)
6 Server (Organization)
7 Server (Jabber)
8 Server (OCSP)
9 Server (Timestamp)
10 Proxy
11 SubCA
== ======================
.. note::
:ref:`client.pl <commmodule-client-pl>` supports profiles 0, 1, 2, 4,
5, 6, 8 and 9 only.
.. _table-md-ids:
.. table:: Message digest ids
== ==========
Id Algorithm
== ==========
1 MD5
2 SHA-1
3 RIPE-MD160
8 SHA-256
9 SHA-384
10 SHA-512
== ==========
.. todo:: describe other request types
.. _signer-response-data-format:
Signer response data format specification
=========================================
.. todo:: describe signer response
Protocol messages
=================
.. _signer-message-handshake:
Handshake
---------
#. client sends 1 byte ``0x02`` to serial port
#. client reads 1 byte from serial port (with a 20 second timeout)
#. client checks whether the byte is ``0x10``
.. seqdiag::
seqdiag handhake {
client -> server [label = "0x02"];
client <-- server [label = "0x10"];
}
If anything different is received there was a protocol error and no further
messages should be sent over the serial connection.
Send data
---------
:Preconditions:
successful :ref:`Handshake <signer-message-handshake>`,
data is encoded according to the :ref:`signer-request-data-format`
#. client builds byte wise xor of all data bytes into 1 byte $xor
#. client sends concatenated $data string + xor-Byte + "rie4Ech7"
#. client reads 1 byte (with a 5 second timeout)
#. if received byte is ``0x11`` try again
#. if received byte is ``0x10`` the message has been sent successfully
.. seqdiag::
seqdiag with_retry {
client -> client [label = "xor $data"];
client -> server [label = "$data . $xor . \"rie4Ech7\""];
client <-- server [label = "0x11"];
client -> server [label = "$data . $xor . \"rie4Ech7\""];
client <-- server [label = "0x10"];
}
If anything different is received there was a protocol error and no further
messages should be sent over the serial connection.
Reference in New Issue View Git Blame Copy Permalink