
feat(fdo-manufacturing-client): Support command line option for DI_SIGN_KEY_PATH and DI_HMAC_KEY_PATH #476

Open
wants to merge 2 commits into
base: main

Conversation

nak3
Contributor

@nak3 nak3 commented Apr 14, 2023

As fdo-manufacturing-client plain-di does not have options for DI_SIGN_KEY_PATH and DI_HMAC_KEY_PATH, we need to specify them via environment variables.

This patch supports the command line option.

@nak3 nak3 force-pushed the add-key-path-option branch from 9c5923d to 4e73d0c on April 14, 2023 13:01
@7flying
Contributor

7flying commented Apr 14, 2023

I did not add those options since I'm unsure of the values that they should take. Can you provide an example?

@nak3
Contributor Author

nak3 commented Apr 17, 2023

Sorry if you might already know, but these values (keys) are stored in the device credential. You can follow the code: perform_di() -> save_to_credential().

The device credential ultimately stores the keys as:

https://github.com/fedora-iot/fido-device-onboard-rs/blob/69fec227de04d98c51a5b5d8eb218bdc264f0a3f/data-formats/src/devicecredential/file.rs#L24-L27

You can dump the secrets with fdo-owner-tool dump-device-credential, though you need to tweak the code to print the secret.

@7flying
Contributor

7flying commented Apr 17, 2023

> Sorry if you might already know, but these values (keys) are stored in the device credential. You can follow the code: perform_di() -> save_to_credential().
>
> The device credential ultimately stores the keys as:
>
> https://github.com/fedora-iot/fido-device-onboard-rs/blob/69fec227de04d98c51a5b5d8eb218bdc264f0a3f/data-formats/src/devicecredential/file.rs#L24-L27
>
> You can dump the secrets with fdo-owner-tool dump-device-credential, though you need to tweak the code to print the secret.

Yes, my question is about how a user would generate those secrets. What type of keys are they? How do I generate them?

@nak3
Contributor Author

nak3 commented Apr 18, 2023

Oh, I see. Sorry for my misreading. I hope the below answers your question.

hmac_key_path:

  • It is a plain file containing a random value. (If you are not concerned about security, any value is fine, and there is no restriction to 32 bytes.)
  • Example command to generate:

    $ head --bytes 32 /dev/urandom > /path/to/hmac/secret

sign_key_path:

  • The private key, in DER format.
  • Example command to generate:

    $ openssl ecparam -name secp384r1 -genkey -noout -outform der -out /path/to/sign_key/key.der
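
Added example, not part of this PR or the project's code: a small Python check a user can run on the two files before passing them to `fdo-manufacturing-client plain-di`. It confirms the signing key is a DER ECPrivateKey (RFC 5915) on secp384r1, as the openssl command above writes it, and that the HMAC secret has the 32 random bytes the head command produces. The sample key bytes are constructed for the test and are not a real key; no option names are assumed.

```python
# DER body of OID 1.3.132.0.34 (secp384r1), the curve named in the openssl command above
SECP384R1_OID = bytes.fromhex("2b81040022")
# Constructed stand-in for key.der: valid RFC 5915 layout, NOT a real key (placeholder scalar, zero point)
SAMPLE_KEY = (bytes.fromhex("3081a2" "020101" "0430") + bytes(range(1, 49))
              + bytes.fromhex("a00706052b81040022" "0362" "0004") + bytes(96))


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, body, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def check_sign_key(der: bytes) -> list:
    """Findings (empty = OK) for the ECPrivateKey written by `openssl ecparam ... -outform der`."""
    if der.startswith(b"-----"):
        return ["PEM text given; the option expects the DER file produced by -outform der"]
    findings = []
    try:
        tag, seq, end = _read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return ["file is not a single DER SEQUENCE"]
        tag, ver, pos = _read_tlv(seq, 0)
        if tag != 0x02 or ver != b"\x01":
            findings.append("ECPrivateKey version is not 1")
        tag, scalar, pos = _read_tlv(seq, pos)
        if tag != 0x04 or len(scalar) != 48:
            findings.append("privateKey is not a 48-byte OCTET STRING (P-384 scalar)")
        curve = None
        while pos < len(seq):  # optional [0] parameters and [1] publicKey follow
            tag, body, pos = _read_tlv(seq, pos)
            if tag == 0xA0:
                curve = _read_tlv(body, 0)[1]
        if curve != SECP384R1_OID:
            findings.append("namedCurve is missing or not secp384r1")
    except (IndexError, ValueError) as exc:
        findings.append(f"malformed DER: {exc}")
    return findings


def check_hmac_secret(secret: bytes) -> list:
    """Findings for the HMAC secret file (the example above fills it with 32 urandom bytes)."""
    findings = []
    if len(secret) < 32:
        findings.append(f"secret is {len(secret)} bytes; the example above uses 32")
    if len(set(secret)) < 8:  # a repeated byte or short text placeholder, not random data
        findings.append("secret looks low-entropy (fewer than 8 distinct byte values)")
    return findings
```

Read each file with `open(path, "rb").read()` and pass the bytes to the matching function; an empty list means the file matches what the commands above produce.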

@7flying
Contributor

7flying commented Apr 25, 2023

I'm just going to see what we can do for #477 before I merge this.
We need some documentation/guidelines on how to generate the keys and where to put them before this goes in.

@nak3 nak3 force-pushed the add-key-path-option branch 3 times, most recently from b9dd88a to ed1ccc7 on April 26, 2023 11:12
@nak3
Contributor Author

nak3 commented Apr 26, 2023

Alright, I updated the docs https://github.com/nak3/fido-device-onboard-rs/blob/add-key-path-option/HOWTO.md#plain-di
Is it alright? Or do we need a doc somewhere else?

nak3 added 2 commits May 29, 2023 16:58
As `fdo-manufacturing-client plain-di` does not have the option for
`DI_SIGN_KEY_PATH` and `DI_HMAC_KEY_PATH`, we need to specify them via
env variables.

This patch supports the command line option.
This patch updates HOWTO docs with how to generate the private keys.

Signed-off-by: Kenjiro Nakayama <[email protected]>
@nak3 nak3 force-pushed the add-key-path-option branch from ed1ccc7 to 14d6692 on May 29, 2023 07:58