Policy bundle JWS detached payload signing (!38) · Merge requests · Eclipse Projects / xfsc / Trust Services / policy

Lyuben Penkovski requested to merge 37-signed-policy-bundle into main Nov 18, 2023

Implementation details

The policy bundle is a ZIP file archive containing all policy related files and metadata.

To sign the bundle, we use the signer service to produce the signature on the policy bundle zip file, by making a small adapter that satisfies the jws.Signer interface of the lestrrat jws library. The signing is done using the unencoded payload option (detached payload) from the JWS RFC7797.

The signature is kept as a separate file which is not inserted inside the policy_bundle.zip file, because that would change the file itself. Instead both the original zip file + signature file are wrapped in another ZIP archive which is sent to the client making the policy export. That means the client will receive a ZIP file containing the policy bundle ZIP and a JWS signature file.

Edited Nov 18, 2023 by Lyuben Penkovski

Policy bundle JWS detached payload signing

Implementation details

Merge request reports