Skip to content
Snippets Groups Projects
Select Git revision
  • main default protected
  • bugfix/totp-auth
  • validation_rules_for_procedure_type
  • customize_pdf
  • new-key-submit-interface
  • issues/issue4_Document_how_to_run_your_own_issuer_in_more_detail
  • branch_with_example_configs
  • feature/multiple-baercode-response-formats
  • csv-issuing
  • feature/keyset-unmarshal
  • dfranke-temporary
  • dfranke/temporary
  • feature/wasm-issue-function
  • v0.4.2
  • v0.4.1
  • v0.4.0
  • v0.3.0
  • v0.2.7
  • v0.2.6
  • v0.2.5
  • v0.2.4
  • v0.2.3
  • v0.2.2
  • v0.2.1
  • v0.2.0
25 results

keys.go

  • Daniël Franke's avatar
    fb5648e0
    Split up data hashing and hash signing. · fb5648e0
    Daniël Franke authored
    As we're working on a web based verifier, it needs to be able to sign a
    COSE SignMessage, but sending the private keys to a web client outside
    of our control is not responsible. To do this in a secure way, where no
    PMI is being sent to our servers, we need to implement hashing on the
    client side and signing on the server side. This way we only get the
    SHA-512 hash sent to our server, which we can then sign with a private
    key, and send the signature back to the client. This way no sensitive
    data is sent over the wire.
    
    This refactors and adds a few new functions so that this is possible.
    Verified
    fb5648e0
    History
    Split up data hashing and hash signing.
    Daniël Franke authored
    As we're working on a web based verifier, it needs to be able to sign a
    COSE SignMessage, but sending the private keys to a web client outside
    of our control is not responsible. To do this in a secure way, where no
    PMI is being sent to our servers, we need to implement hashing on the
    client side and signing on the server side. This way we only get the
    SHA-512 hash sent to our server, which we can then sign with a private
    key, and send the signature back to the client. This way no sensitive
    data is sent over the wire.
    
    This refactors and adds a few new functions so that this is possible.