Bacula Encryption Update: ASN.1 Signing Syntax

25 Sep 2005, 10:40 PDT

Introduction

After spending last weekend studying the PKCS #7 and CMS (RFC 3852) specifications, I dedicated this weekend to assembling a Bacula ASN.1 syntax for signing file data and implementing the requisite changes in the backup, verification , and digest handling code paths.

While I would have liked to make use of either PKCS #7 or RFC 3852, OpenSSL's current BER encoder and PKCS #7 API are not capable of handling streaming encoding and decoding. As such, I've designed an ASN.1 syntax inspired by RFC 3852, working around the lack of streaming support by using detached signatures and session key information.

Additionally, I've added support for SHA-256 and SHA-512 digests when using OpenSSL 0.9.8 or greater and completed a great deal of code cleanup. You can find the full ChangeLog below.

Next Up:

The latest patchset is available here: bacula-crypto-3.diff.gz

bacula-crypto-3 Change Log

Bacula ASN.1 Syntax

BaculaCrypto { iso(1) identified-organization(3) usdod(6)
               internet(1) private(4) enterprises(1) three-rings(22054)
               external(500) bacula(2) published(1) bacula-encryption(1)
               asn1-modules(1) bacula-crypto(1) }
 
DEFINITIONS AUTOMATIC TAGS ::=
BEGIN
 
SignatureData ::= SEQUENCE {
    version         Version DEFAULT v0,
    signerInfos     SingerInfos }
 
SignerInfos ::= SET OF SignerInfo
Version ::= INTEGER { v0(0) }
 
SignerInfo ::= SEQUENCE {
    version                 Version,
    subjectKeyIdentifier    SubjectKeyIdentifier,
    digestAlgorithm         DigestAlgorithmIdentifier,
    signatureAlgorithm      SignatureAlgorithmIdentifier,
    signature               SignatureValue }
 
SubjectKeyIdentifier ::= OCTET STRING
DigestAlgorithmIdentifier ::= AlgorithmIdentifier
SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
SignatureValue ::= OCTET STRING
AlgorithmIdentifier ::= OBJECT IDENTIFIER
 
END