Re: [ease-dev] [EASE-dev] Introduction

Hello sir,

I have researched a bit and have come up with the following results.

In order to implement code signing, we can do it in several ways:
  1. Signing using keys generated at runtime by a pseudo-random generator. Using such keys requires no certificate, just the private key and public key for signing and verifying respectively. We can easily implement that in Java using the security classes.
  2. The next method is signing using keys currently stored in a keystore. A keystore is easily available with the Java security API. A certificate is automatically generated when the user creates his private-public key pair. Foreign certificates can also be imported into the keystore for later use. We can import the user-generated certificate currently in the keystore to send it to the other user to whom we are sending signed content. We can also import a certificate from external sources for verifying a signature. These can be done in Java, and the complete content of the certificate can be shown to the user. CertificateFactory is of great help. In reply to your previous message: it is thus easy to import a certificate within the UI at runtime during verification, or to store it within Eclipse when the certificate arrives. For these steps, it is assumed that:
    • User has previously generated keys using the keytool command available with Java and has set up his own keystore if he is signing scripts
    • User knows the location of the keystore
  3. The third method is signing using a jar file, for which the jarsigner library can be helpful. The main advantage of signing with jar files is that we can sign multiple codes or classes together. The steps for signing and verifying with a jar are quite different, as they involve using the MANIFEST.MF file for recording and signing classes.

All the above methods are for self-signed certificates. I am working on how to make a CSR (Certificate Signing Request) from within Eclipse for authenticating the public key, and how to verify and keep track of certified roots for verification of the public key.

I have implemented the first two steps in Java, which are available on GitHub.

Hope this helps the project EASE!


On Wed, Feb 24, 2016 at 11:20 PM Christian Pontesegger <christian.pontesegger@xxxxxx> wrote:
Hi Varun,

good first commit, so you passed the entry test!

Regarding signing, Eclipse does not provide any certificate storage plugins or similar - at least not to my knowledge. One option would be to provide signing support with the available registered Java certificates. It would be great if the tooling would allow creating (self-signed) certificates and importing given certificates within some UI, preferably somewhere in the preferences. BouncyCastle would also be an option as it is supported and provided by Eclipse.

The proposal from my side is quite rough. You should think about it and try to come up with useful ideas how to implement it. What we expect is a useful addition to EASE, so a proof of concept would not be sufficient. If you like we can discuss your ideas on this list, but having some extra ideas would also be a benefit for your proposal in case you have to battle with other interested students.

cheers

Christian


On 24.02.2016 at 07:10, Varun Raval wrote:
Hi Christian,

As you have guided, I have fetched the source code of EASE, have added a JavaDoc and pushed the change on Gerrit. Click Here to see the change.

I am interested in project EASE: Add Support to sign and verify scripts for GSOC 2016.

I know cryptography, and am familiar with the Java security API and with signing and verification. I am also familiar with running scripts with EASE.

Also, I wanted to know: what support are we going to provide to sign scripts? Will signing be through OpenPGP, or can the user sign using certificates that he has?

If we are going to use OpenPGP, then there is a nice library, BouncyCastle, which we can use.

Thanks for helping!

On Wed, Feb 17, 2016 at 9:32 PM Christian Pontesegger <christian.pontesegger@xxxxxx> wrote:
Hi Varun,

glad you are interested in applying for GSoC. As there might be some
competition among students I suggest you start digging around a bit in
the mailing list archives. I posted some guidelines a few weeks past.
For your application to be considered you need to commit a very simple
patch as explained on the mailing list. This is just to prove that you
are able to fetch the source code and start working with bugzilla/gerrit.

regards
Christian

_______________________________________________
ease-dev mailing list
ease-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/ease-dev
--
Varun Raval

--
Varun Raval
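
The first approach listed in the message above (signing with a key pair generated at runtime, with no certificate), as an added example that is not part of the original thread and not the GitHub code it mentions. The class name, the `SHA256withRSA` algorithm, the 2048-bit key size and the sample script are assumptions; because no certificate binds the key to a person, the verifier only learns that the holder of the trusted public key signed the script, so the key fingerprint has to be confirmed out of band.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

// Hypothetical demo class; algorithm and key size are assumptions, not EASE's choices.
public class ScriptSigningDemo {

    // Signer side: sign the raw script bytes with the private key.
    static byte[] sign(byte[] script, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(script);
        return s.sign();
    }

    // Verifier side: rebuild the public key from its X.509 encoding, then check.
    static boolean verify(byte[] script, byte[] sig, byte[] encodedPub) throws GeneralSecurityException {
        PublicKey pub = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(encodedPub));
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(script);
        return s.verify(sig);
    }

    // With no certificate, this fingerprint is what the receiver must confirm out of band.
    static String fingerprint(byte[] encodedPub) throws GeneralSecurityException {
        return Base64.getEncoder().encodeToString(
                MessageDigest.getInstance("SHA-256").digest(encodedPub));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair author = gen.generateKeyPair();      // keys generated at runtime
        KeyPair stranger = gen.generateKeyPair();    // any other key pair
        byte[] trustedPub = author.getPublic().getEncoded();

        // Constructed sample script, not taken from EASE.
        byte[] script = "print('hello')\n".getBytes(StandardCharsets.UTF_8);
        byte[] edited = "print('hello!')\n".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(script, author.getPrivate());

        System.out.println("trusted key: " + fingerprint(trustedPub));
        System.out.println("original script: " + verify(script, sig, trustedPub));
        System.out.println("edited script: " + verify(edited, sig, trustedPub));
        System.out.println("other signer: "
                + verify(script, sign(script, stranger.getPrivate()), trustedPub));
    }
}
```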
