[guardian-dev] Improving the APK Signing Procedure

Hans-Christoph Steiner hans at guardianproject.info
Tue Apr 1 08:57:38 EDT 2014



On 04/01/2014 05:18 AM, Abel Luck wrote:
> On Friday 28 March 2014 16:58:46 Hans-Christoph Steiner wrote:
>> Ok, the blog post is up, this is the first HSM I got working with the whole
>> procedure of generating a key using openssl then ultimately signing an APK
>> using the HSM:
>>
>> https://guardianproject.info/2014/03/28/security-in-a-thumb-drive-the-promise-and-pain-of-hardware-security-modules-take-one/
>>
> 
> Woah. Sweet work Hans, this is good stuff.
> 
> The MyEID PKI Card has a PKCS#15 applet on it right? But is it possible to 
> simultaneously run an OpenPGP applet on it too? Or is that asking for too much 
> hah!
> 
> ~abel

I'll leave that project to you.  ;)  I have not seen any reference to running
the OpenPGP applet on generic cards.  My guess is that the world of smartcards
is such a minefield that the OpenPGP applet just targets a very narrow subset
of the possibilities so that they can have something working easily and reliably.

.hc


>> .hc
>>
>> On 03/28/2014 02:06 PM, Hans-Christoph Steiner wrote:
>>> I've been working on developing a procedure for signing Android APKs (and
>>> Jars for that matter) based on modern best practices and the use of a
>>> Hardware Security Module (HSM).  I think I've nailed down the key
>>> generation procedure, so I'd like to run it by everyone here for
>>> comments, suggestions, flames, etc.  Also, there is a blog post in the
>>> works that is a HOWTO for putting this key onto a HSM.
>>>
>>> https://dev.guardianproject.info/projects/bazaar/wiki/Improving_the_APK_Signing_Procedure
>>>
>>> Here's the key excerpt:
>>>
>>> When it comes to generating, openssl has a better security track record
>>> than Java. Also, using openssl with Java is a less common combination so
>>> that exploits that might work with Java/keytool/jarsigner might not work
>>> with a key generated with openssl then imported using keytool. The
>>> downside is that there might also be weaknesses exposed by this trick,
>>> but that seems less likely than Java/keytool having problems.
>>> Additionally, I recommend generating your key using /dev/random because
>>> this is a long-lived key and therefore more sensitive. This does make
>>> generating the key take a lot longer.
>>>
>>> openssl genrsa -out secretkey.pem -aes128 -rand /dev/random 4096
>>> openssl req -new -key secretkey.pem -out request.pem
>>> openssl x509 -req -days 9999 -in request.pem -signkey secretkey.pem \
>>>     -out certificate.pem
>>> openssl pkcs12 -export -out certificate.p12 -in certificate.pem \
>>>     -inkey secretkey.pem
>>> keytool -importkeystore \
>>>     -srckeystore certificate.p12 -srcstoretype PKCS12 \
>>>     -destkeystore certificate.jkr -deststoretype JKS
>>>
>>> You can follow the progress of all this work in our git repo:
>>> https://github.com/guardianproject/smartcard-apk-signing
>>>
>>> .hc
>>>
>>>
>>> _______________________________________________
>>> Guardian-dev mailing list
>>>
>>> Post: Guardian-dev at lists.mayfirst.org
>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>
>>> To Unsubscribe
>>>         Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
>>>         Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/hans%40guardianproject.info
>>>
>>> You are subscribed as: hans at guardianproject.info

-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
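The key-generation and keystore-import sequence quoted above, as an added shell example that is not Hans's script and not code from the smartcard-apk-signing repository: it runs the same openssl -> PKCS#12 -> keytool steps without interactive prompts and adds the checks a signer would want before trusting the result (that the certificate's modulus matches the private key, that the key has the expected size, and that the keystore import succeeded). The output directory, key size, passphrase handling, certificate subject and the certificate.jks filename are assumptions; the post's `-rand /dev/random` option is left out so the example runs quickly, and the comment marks where to put it back for a real long-lived key.

```shell
#!/bin/sh
# Added example, not the thread's or the smartcard-apk-signing repo's own code.
# Reproduces the openssl -> PKCS#12 -> keytool sequence from the post without
# interactive prompts and adds consistency checks on the result.
# Assumes: openssl on PATH; keytool is optional (import is reported as skipped without it).
set -eu

# gen_signing_key DIR BITS PASSPHRASE
# Writes secretkey.pem, request.pem, certificate.pem and certificate.p12 into DIR.
# Passing the passphrase on the command line is for scripting/tests only; for a
# real signing key drop the -passout/-passin options and answer the prompts.
gen_signing_key() {
    dir=$1; bits=$2; pass=$3
    mkdir -p "$dir"
    # AES-encrypted RSA private key. For a long-lived key add "-rand /dev/random"
    # here, as the post recommends; it makes generation noticeably slower.
    openssl genrsa -out "$dir/secretkey.pem" -aes128 -passout "pass:$pass" "$bits" 2>/dev/null
    # Certificate request; the subject name is an assumed placeholder.
    openssl req -new -key "$dir/secretkey.pem" -passin "pass:$pass" \
        -subj "/CN=example-apk-signing-key" -out "$dir/request.pem" 2>/dev/null
    # Self-signed certificate with the post's 9999-day validity.
    openssl x509 -req -days 9999 -in "$dir/request.pem" -signkey "$dir/secretkey.pem" \
        -passin "pass:$pass" -out "$dir/certificate.pem" 2>/dev/null
    # PKCS#12 bundle of key + certificate, the form keytool can import.
    openssl pkcs12 -export -in "$dir/certificate.pem" -inkey "$dir/secretkey.pem" \
        -passin "pass:$pass" -passout "pass:$pass" -out "$dir/certificate.p12"
}

# key_matches_cert DIR PASSPHRASE -> prints "match" or "mismatch"
# Guards against importing a certificate that was issued for a different key.
key_matches_cert() {
    k=$(openssl rsa -in "$1/secretkey.pem" -passin "pass:$2" -noout -modulus)
    c=$(openssl x509 -in "$1/certificate.pem" -noout -modulus)
    [ "$k" = "$c" ] && echo match || echo mismatch
}

# key_bits DIR PASSPHRASE -> prints the RSA modulus size in bits, e.g. 4096
key_bits() {
    openssl rsa -in "$1/secretkey.pem" -passin "pass:$2" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# import_to_jks DIR PASSPHRASE -> prints "imported", or "skipped" when keytool is absent.
# The post writes the destination as certificate.jkr; certificate.jks is an assumed name here.
import_to_jks() {
    command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
    keytool -importkeystore -srckeystore "$1/certificate.p12" -srcstoretype PKCS12 \
        -srcstorepass "$2" -destkeystore "$1/certificate.jks" -deststoretype JKS \
        -deststorepass "$2" -noprompt >/dev/null 2>&1 && echo imported
}

# Stand-alone use: sh apk-keygen.sh OUTDIR [BITS]   (BITS defaults to 4096 as in the post)
if [ $# -ge 1 ]; then
    out=$1; bits=${2:-4096}
    printf 'Passphrase for the new key: '
    stty -echo 2>/dev/null || true; read -r pw; stty echo 2>/dev/null || true; echo
    gen_signing_key "$out" "$bits" "$pw"
    echo "key/cert: $(key_matches_cert "$out" "$pw"), $(key_bits "$out" "$pw") bit, keystore: $(import_to_jks "$out" "$pw")"
fi
```

The modulus comparison is the check worth keeping even when the rest is scripted differently: keytool will happily import a PKCS#12 whose certificate and key disagree, and the mistake only surfaces later when jarsigner output fails to verify against the published certificate.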
