1

I currently generate code signatures for my open source package by using openssl.

The way I do it is :

  1. Generate RSA private-public key pair (E.g. openssl genrsa)

  2. During packaging , I create a signature by generating a sha-512 digest for the package and encrypting the digest using the private key ( E.g. openssl dgst -sign)

  3. I give my public key to the person downloading the package , and they verify the package using my public key and the signature (E.g. openssl dgst -verify)

I am considering using a HSM server for storing my private key for increased security , but I want to keep the verification workflow the same for my users.

For example , I want my users to be able to verify the signature by using openssl without having to access the HSM device.

Would this workflow be possible with HSM type devices (E.g. CloudHSM from AWS)?

Thanks for your help.

jdoe
  • 13
  • 2

1 Answers1

1

Yes. Of course the users do not need any access to the HSM at all. They only need the public key.

This is what is done with a smartcard and an x.509 certificate. The certificate is handed to other users. They get the certificate as a file. It contains the public key. Usually they do not know anything about the private key.

The private key could be generated on a smartcard or HSM.

cornelinux
  • 1,993
  • 8
  • 11
  • Thanks for the response. I assumed I could generate the keypair (private/public) on the HSM device , export the public key , and give the public key to the user. However , after looking through documentation for various HSM providers , its not clear if you can export the public key from the HSM. Instead , I see vendors mention specific APIS which should be used for decryption and most of these APIS require interaction with the HSM. Thus , I wanted to make sure it is possible to export the public key so I can distribute it – jdoe Nov 02 '16 at 23:18
  • 1
    You can export the public key from an HSM! If the HSM is located at some provider, the question is, if this provider gives you the public key. If not, drop the provider, take another one or run your own HSM. Since not giving the pulic key would be absolute bulls***. The public key is ment to be **public** ;-) – cornelinux Nov 03 '16 at 06:26
  • The only difference between using a hsm and not using it is the place the private key is stored and the fact that you cannot access it directly. All the other workflows are not impacted. – zr_ifrit Nov 03 '16 at 07:32