Poco::OSP

namespace BundleSign

Overview

Functions: BundleSigner, BundleVerifier, SignatureFile, computeDigest, computeDigests, isSignatureFile

Enumerations

VerificationResult

BUNDLE_VERIFICATION_OK

Bundle verification was successful.

BUNDLE_VERIFICATION_NO_SIGNATURE

No signature was found for the given signer.

BUNDLE_VERIFICATION_INVALID_SIGNATURE

The signature files found in the bundle are not valid.

BUNDLE_VERIFICATION_FAILED

Bundle verification failed.

Functions

BundleSigner

BundleSigner(
    const std::string & signer,
    const Poco::Crypto::RSAKey & rsaKey,
    const std::string & digestAlgorithm
);

The BundleSigner class is used sign an existing bundle, using a digital signature algorithm based on the RSA and SHA1/SHA2 message digest algorithms.

A signed bundle contains two additional files:

  • META-INF/<signer>.sf contains message digests (SHA1 or SHA2) for every file stored in the bundle. See the SignatureFile class for a description of the file format.
  • META-INF/<signer>.rsa contains a cryptographic signature, based on the RSA algorithm and the SHA1/SHA2 digest algorithm, of the signature file. Optionally, this file also contains the X509 certificate of the signer in PEM format. The public key contained in this certificate can be used to verify the integrity of the signed bundle.

Creates a BundleSigner for signing bundles using the given RSA private/public key pair and the SHA1 digest algorithm.

This constructor is provided for backwards compatibility only. New code should use the three-argument constructor accepting the name of a digest algorithm and specify a stronger digest algorithm. Creates a BundleSigner for signing bundles using the given RSA private/public key pair and digest algorithm, which should be on of:

  • "SHA1" (for backwards compatibility, no longer recommended)
  • "SHA256" (SHA2-256, recommended)
  • "SHA224" (SHA2-224)
  • "SHA384" (SHA2-384)
  • "SHA512" (SHA2-512)

Note: it is actually possible to specify any of the digest algorithms supported by the Poco::Crypto::DigestEngine class. However, the BundleVerifier class only supports the listed SHA1 and SHA2 algorithms.

BundleVerifier

explicit BundleVerifier(
    const std::string & bundlePath
);

Creates a BundleVerifier for verifying the bundle given by bundlePath. The given path can either refer to a bundle file (in ZIP file format), or a bundle directory.

SignatureFile

SignatureFile();

Creates a SignatureFile object for reading an existing signature file from a stream.

SignatureFile

SignatureFile(
    const std::string & version,
    const std::string & creator,
    const std::string & digestType
);

Creates a SignatureFile object for writing a new signature file to a stream.

The given creator string can be empty — in this case, no Created-By entry will be written to the file.

computeDigest static

static std::string computeDigest(
    std::istream & istr,
    Poco::DigestEngine & engine
);

Computes a digest for the contents of the given stream, using the given digest engine.

computeDigest

private :static void computeDigest(
    Poco::OSP::BundleStorage::Ptr pBundleStorage,
    const std::string & path,
    Poco::DigestEngine & engine,
    Digests & digests
);

computeDigest static

static void computeDigest(
    Poco::SharedPtr < std::istream > pStream,
    const std::string & path,
    Poco::DigestEngine & engine,
    Digests & digests
);

computeDigests static

static void computeDigests(
    const std::string & bundlePath,
    Poco::DigestEngine & engine,
    Digests & digests
);

Compute digests, using the given digest engine, for all files stored in the bundle given by bundlePath.

The given bundlePath can be either refer to a bundle file (ZIP archive), or directory.

computeDigests static

static void computeDigests(
    Poco::OSP::BundleStorage::Ptr pBundleStorage,
    Poco::DigestEngine & engine,
    Digests & digests
);

Compute digests, using the given digest engine, for all files stored in the bundle given by pBundleStorage.

isSignatureFile static

static bool isSignatureFile(
    const std::string & path
);

Returns true if and only if the given path references a signature file (META-INF/*.sf or META-INF/*.rsa).

Variables

CertificatePtr

class OSPBundleSign_API BundleVerifier { public :typedef Poco::SharedPtr < Poco::Crypto::X509Certificate > CertificatePtr;

The BundleVerifier class is used to verify the signature of a signed bundle.

Digests

class OSPBundleSign_API SignUtility { public :typedef std::map < std::string, std::string > Digests;

This class is used to compute hash digests for the files in a bundle. Maps file names (paths) in a bundle to hash values of their contents.

Signatures

class OSPBundleSign_API SignatureFile { public :typedef std::map < std::string, std::string > Signatures;

This class is used to compute hash digests for the files in a bundle.

The signatures file has the following format:

Signature-Version: <version>
Created-By: <creator>

Name: <path1>
<digestType>: <digest1>

Name: <path2>
<digestType>: <digest2>

...	 

Name: <pathN>
<digestType>: <digestN>

Optionally, the signature file can also contain an X509 certificate in PEM format at the end:

X509-Certificate: <common-name>
-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgIBAjALBgkqhkiG9w0BAQUwgdMxEzARBgNVBAMMCmFwcGlu
Zi5jb20xNjA0BgNVBAoMLUFwcGxpZWQgSW5mb3JtYXRpY3MgU29mdHdhcmUgRW5n
...
-----END CERTIFICATE-----