Hi - this webrev implements Certificate Management and Signature policy support for PM. I have also attached the latest design notes that describe what has been implemented.

Certificate Management support is found under:
File-> Manage Publishers: <select pub> Modify button: Modify Publisher: Certificates tab
Signature Policy support for both Publishers and Image can be found under:
File-> Manage Publishers: <select pub> Modify button: Modify Publisher: Signature Policy tab
    Edit-> Preferences: Signature Policy tab

webrev:
http://cr.opensolaris.org/~jmr/pm_16993_16992_cert_sig_support_wip_may06_345pm/

16993: packagemanger should provide a way to manipulate and see publisher certs
https://defect.opensolaris.org/bz/show_bug.cgi?id=16993
16992: package manager should provide a way to change signature-policy
https://defect.opensolaris.org/bz/show_bug.cgi?id=16992


In order to see the Publisher Signature Policy settings I have the following small webrev to update the output from pkg for:

pkg publisher <pub name>

webrev:
http://cr.opensolaris.org/~jmr/cli_18269_pub_sig_policy_may6_4pm/

18269 - CLI should provide a way to view a publishers signature policy
https://defect.opensolaris.org/bz/show_bug.cgi?id=18269

This lists the Signature policy settings for the publisher as below:
pkg -R /var/tmp/testrepos publisher local

            Publisher: local
                Alias: test
           Origin URI: http://localhost:10000/
              SSL Key: None
             SSL Cert: None
          Client UUID: d9e5edae-7709-11e0-9f94-88002028054a
      Catalog Updated:  6 May 2011 07:35:08
         Approved CAs: 8b0b3c6ed19e0a83fdbc29e934b62d94f249856c
                     : 155ff493b6e227f002574d40984253b2aefd1a22
                     : 2af27a673e684a29ec25d9f6e410be2e481d1a44
                     : 021620ddec8dc520ea9fc04d13d7f88ca6c50a95
                     : 2efe987c0f0f6c401e7e8cb1f06dd831de8e6580
                     : 47f96ed517b74fd4445d2456f0714b406d795b01
          Revoked CAs: 0302345bd5b2b0dceca4e2b6a53612f9355ddf6d
              Enabled: Yes
     Signature Policy: ignore
   Sig Required Names: ['foo', 'booo']

JR

PM Certificate and Signature Design Notes
===========================================
Rev 14: 6th May 2011

Set of notes taken from discussion with Calum Benson (UI), John Rice (Eng), 
using current IPS CLI support and older wireframes from xDesign (Jenya Gestrin) 
as a starting point.
[http://sxdesign.us.oracle.com/projects/solaris/subprojects/package_mngt/wireframes/current/v5_repositories/600_main1.htm]

31st March: Review input from Brock.
4th April: Feedback from Brock on Validity and names. Also updated Fingerprint 
info.
5th April: Updates after review of initial Glade Modify Publisher dialog with 
Calum.
6th April: Minor updates on Signature Policy Certificate names.
9th April: Certificates tab updates after implementation and further UI review 
with Calum
22nd April: Update after initial implementation, changes to Certificate 
support, Status.
28th April: Feedback from review by Padraig
2nd May: Feedback from review by Padraig
6th May: Feedback from functional review and string check

RFE
=====
16993: packagemanger should provide a way to manipulate and see publisher certs
https://defect.opensolaris.org/bz/show_bug.cgi?id=16993

16992: package manager should provide a way to change signature-policy
https://defect.opensolaris.org/bz/show_bug.cgi?id=16992

Certificate Support and IPS
=============================
Currently the CLI supports the assigning, revoking and unsetting of certificates 
for a publisher:

--approve-ca-cert, add the given certificate as a CA certificate that is 
trusted.  
--revoked-ca-cert, treat the certificate with the given hash as revoked.
--unset-ca-cert, remove the certificate with the given hash from the list of 
approved and the list of revoked certificates.

These certificates are then used to verify that packages have been 
appropriately signed before being allowed to be installed, depending on the 
Signature Policy for the Image or for the Publisher if this is more restrictive.

Image properties set using the set-property command:

signature-policy
          ignore
               Ignore signatures for all manifests.
          verify
               Verify that all manifests with signatures are validly
               signed, but do not require all installed packages to be
               signed.
          require-signatures
               Require that all newly installed packages have at least
               one valid signature.  'pkg fix' and 'pkg verify' will also
               warn if an installed package does not have a valid
               signature.
          require-names
               Follow the same requirements as 'require-signatures' but
               also require that the strings listed in the
               'signature-required-names' property appear as a common
               name of the certificates used to verify the chains
               of trust of the signatures.


Design Notes:
=============
Certificate Management and Signature Policy Support in PM

Modify Publisher: Certificates tab and Signature Policy tab
=============================================================
Modify Publisher: <Publisher Name>
[Tabs]: "General", "Certificates", "Signature Policy"

Change the Modify Publisher dialog, accessed from:
- File->Manage Publishers: <select Publisher from list>: Modify Button: Modify 
Publisher dialog
- All the current modify options will be placed in a "Modify Publisher": 
"General" tab and two new tabs will be added "Modify Publisher": "Certificates" 
and "Signature Policy" tabs, as described below.

Note: The title of the Modify Publisher dialog should include the publisher 
name, now that it's not always visible inside the dialog itself, depending on 
which tab you're looking at.

1) "Certificates" tab - in the Modify Publisher dialog that includes:
Note: this is not a general certificate viewer, we will not be displaying any 
intermediate certificates, nor the chain of trust. If a certificate is 
approved then it's valid as far as the user is concerned, there will be no 
certificate validity check, nor will the user be offered this option.

* [Label]: "Certificates for publisher <publisher name> (<alias>)"

* A three column list:
[Organization] : [Name] : [Status]

- All columns will be sortable, initial sort will be on Organization and then 
followed by Name.
If truncation of Organization is a problem we can add tooltips to each cell 
that display the full contents.
- Organization and Name Columns are resizeable.
- Status column: can have values Approved or Revoked.
Note: a cert that is Expired can still be Approved and used to validate signed 
packages, which is why Expired is not a State here along with Approved and 
Revoked.

* Buttons to Add, Remove, Revoke and Reinstate certificates.
Buttons:
- "Add..." = --approve-ca-cert (Always enabled)
- "Remove" = --unset-ca-cert
- "Revoke" = --revoked-ca-cert
- "Reinstate" = --approve-ca-cert, reapprove a revoked cert
The button states are enabled and disabled as appropriate (see 
pm_cert_sig_support spreadsheet)

* A Details text field that shows more information about the selected 
certificate. 
Initial investigation has shown that I can get all the required info from the 
M2Crypto.X509.X509 certificate returned by the <Publisher>.get_cert_by_hash(h) 
api.

Details will contain the following:

- Issued To:
-- Common Name (CN):
-- Organisation (O):
-- Organisation Unit (OU):
- Issued By:
-- Common Name (CN):
-- Organisation (O):
-- Organisation Unit (OU):
- Validity:   [EXPIRED] (If "Expires On" < Today's Date EXPIRED will be 
displayed)
-- Issued To: <date> Expires On: <date>
- Fingerprint:
-- SHA1:
-- MD5:
-- IPS: (hash displayed by the CLI)

Note: When adding or reinstating a Pub Cert there is no IPS Hash available 
until it has been added after OK is clicked. The Details in this case are 
altered and the "IPS:" hash is replaced with an appropriate note:
Add: "Note: Certificate is marked to be added"
Reinstate: "Note: Certificate is marked to be reinstated"

* Behaviour:
Refer to "pm_cert_sig_support" spreadsheet which details when buttons are 
enabled/ disabled, what happens when certain actions are taken in the dialog 
and what happens when OK is clicked.

* OK and Cancel:
The dialog manipulates an in-memory copy of the certs and only when OK is 
clicked are any changes applied using the IPS API to the Pub Certs on the 
system.
Cancel: all changes made in the dialog are canceled without affecting the Pub 
Certs.

2) "Signature Policy" tab - in the Modify Publisher dialog that includes:

* [Label]: "When installing packages from this publisher:"

* Four radio buttons corresponding to the pkg command line Signature Policy 
options:
[Radio button] "Signatures are ignored": 
- [CLI signature-policy: ignore]
[Radio button] "Signatures are optional, but must be valid if provided": 
- [CLI signature-policy: verify]
[Radio button] "One or more valid signatures are required": 
- [CLI signature-policy: require-signatures]
[Radio button] "Signatures are required and certificate names must include:": 
- [CLI signature-policy: require-names -> using signature-required-names]

[Text Entry field] 
[Label] "Example: oracle, opensolaris"
These two elements are only enabled when the "Signatures are required and 
certificate names must include:" radio button is selected. The text field uses 
commas to separate names, if you want to include a comma in a name just quote 
the name: so foo and "foo, bar" are valid single names.
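The two rules above (the stricter of the global and publisher policies wins, and required names are comma separated with quoting for names that contain a comma) as an added Python model; this is example code written for these notes, not the IPS or PM implementation, and the policy ordering and the "no invalid signature may be present" reading are this example's assumptions.

```python
import csv
from typing import Iterable, List

# Policy names as used by `pkg set-property signature-policy`, ordered from
# least to most restrictive (the ordering is this example's assumption).
POLICY_ORDER = ["ignore", "verify", "require-signatures", "require-names"]


def parse_required_names(text: str) -> List[str]:
    """Parse the 'certificate names must include' text entry.

    Names are comma separated; a name containing a comma is quoted, so the
    entry  foo, "foo, bar"  yields two names: foo and foo, bar.
    """
    if not text.strip():
        return []
    row = next(csv.reader([text], skipinitialspace=True))
    return [name.strip() for name in row if name.strip()]


def effective_policy(image_policy: str, publisher_policy: str) -> str:
    """The stricter of the image (global) and publisher policies applies."""
    return max(image_policy, publisher_policy, key=POLICY_ORDER.index)


def package_allowed(policy: str, required_names: Iterable[str],
                    signatures_present: int, valid_signatures: int,
                    chain_common_names: Iterable[str]) -> bool:
    """Decide whether a package may be installed under the given policy.

    signatures_present / valid_signatures: number of signature actions on
    the manifest and how many of them verified; chain_common_names: the
    CNs of the certificates in the verified chains of trust.
    """
    all_valid = valid_signatures == signatures_present
    if policy == "ignore":
        return True
    if policy == "verify":
        # Signatures are optional, but every one present must verify.
        return all_valid
    if policy == "require-signatures":
        # At least one valid signature; an invalid one alongside it is
        # rejected here (stricter reading, this example's assumption).
        return valid_signatures >= 1 and all_valid
    if policy == "require-names":
        # Same as require-signatures, plus every required name must appear
        # as a common name somewhere in the chains of trust.
        cns = set(chain_common_names)
        return (valid_signatures >= 1 and all_valid
                and all(name in cns for name in required_names))
    raise ValueError(f"unknown signature-policy: {policy}")
```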

Note: there had been some discussion on Auto Completion for the certificate 
names, where as the user typed suggestions would be made from the list of 
available publisher names. As these names would not include the list of trust 
anchors for the certs in the chain of trust it is unclear how much value this 
would give. Think it should be added as an RFE.

* A static warning message that whatever policy you specify here may be 
overridden by the global policy set under Edit->Preferences: Signature Policy. 
[Warning Label Icon]: 
"Note: This signature policy may be overridden by stricter settings in the 
global signature policy"

[Button]: "View Global Policy..." with tooltip "Edit->Preferences: Signature 
Policy"
The button will bring up the Preferences Dialog on the Signature Policy tab. As 
it is modal there is no need to hide the Modify Publisher dialog and it is 
useful to be able to view them side by side to compare the Signature Policies.

Edit-> Preferences: Signature Policy tab
=========================================
Preferences
[General] [Optional Components] [Signature Policy]

1) A new "Signature Policy" tab in which the global signature policy is 
specified in the Preferences dialog (Edit->Preferences: Signature Policy tab).

* The same radio button/checkbox/textbox group as in the Modify Publisher: 
Signature Policy tab (but with a slightly different header label).
* [Label]: "When installing packages from any publisher:"

* A similar warning message about the policy potentially being overridden by 
individual publisher policy. 

[Warning Label Icon]: 
"Note: This global signature policy may be overridden by stricter settings in an 
individual publisher signature policy"

Note: there is no button to bring up the Modify Publishers dialog as it is not 
possible to determine which Publisher to go to.

