Policy bundle JWS detached payload signing

Lyuben Penkovski requested to merge 37-signed-policy-bundle into main

Closes #37 (closed)

Implementation details

The policy bundle is a ZIP file archive containing all policy-related files and metadata.

To sign the bundle, we use the signer service to produce the signature on the policy bundle ZIP file, by making a small adapter that satisfies the jws.Signer interface of the lestrrat jws library. The signing is done using the unencoded payload option (detached payload) from the JWS RFC 7797.

The signature is kept as a separate file which is not inserted inside the policy_bundle.zip file, because that would change the file itself. Instead, both the original ZIP file and the signature file are wrapped in another ZIP archive which is sent to the client making the policy export. That means the client will receive a ZIP file containing the policy bundle ZIP and a JWS signature file.

Edited by Lyuben Penkovski
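
Added example, not code from this merge request: a standard-library Go illustration of a detached, unencoded-payload JWS (RFC 7797) computed over the bundle bytes, with the check a client would run after unpacking the outer archive. The EdDSA algorithm, the locally generated key standing in for the signer service, the exact-match header pinning and all function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// RFC 7797 protected header: "b64":false must also be listed in "crit".
// EdDSA is an assumption of this example; the page does not name the algorithm.
const protectedHeader = `{"alg":"EdDSA","b64":false,"crit":["b64"]}`

var encodedHeader = base64.RawURLEncoding.EncodeToString([]byte(protectedHeader))

// signingInput is BASE64URL(header) || '.' || the raw, unencoded payload bytes.
func signingInput(payload []byte) []byte {
	return append([]byte(encodedHeader+"."), payload...)
}

// SignDetached returns the compact JWS "header..signature"; the payload part is empty.
func SignDetached(key ed25519.PrivateKey, bundle []byte) string {
	sig := ed25519.Sign(key, signingInput(bundle))
	return encodedHeader + ".." + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyDetached checks the signature file against the bundle bytes as received.
func VerifyDetached(pub ed25519.PublicKey, bundle []byte, jws string) error {
	parts := strings.Split(jws, ".")
	// Pin the exact header so alg and b64 cannot be swapped by whoever supplies the file.
	if len(parts) != 3 || parts[1] != "" || parts[0] != encodedHeader {
		return errors.New("not a detached JWS with the expected protected header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, signingInput(bundle), sig) {
		return errors.New("signature does not match bundle")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stand-in for the signer service key
	bundle := []byte("PK\x03\x04 constructed stand-in for policy_bundle.zip")
	jws := SignDetached(priv, bundle)
	fmt.Println(jws, VerifyDetached(pub, bundle, jws))
}
```

Because the signature covers the exact bytes of the inner ZIP, the client has to verify the file as extracted from the outer archive, before unpacking or re-compressing it.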