[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti] STIX JSON Signing working group
Hi Christian, et al.,
To sign JSON data, you must be able to canonicalize it. This is now possible via RFC 8785 [1]. It is also important to note that traditional JWS will not work for things like STIX or CACAO. Since JWS requires that the data is to be put in the signature, and what we need is the signature to be put into the data. JWS is really designed for the authorization token use case. There is an entire presentation of why JWS will not work for our use case.
To solve this, I worked on RFC 8785 and JWS-CT (that is in the editors queue to become an RFC) [2]. The follow on step from JWS-CT is what we did in CACAO and what is also done in some of the FinTech world. The work that was done for CACAO is generic enough that could be adapted to STIX with zero changes. I have even thought about releasing the signature stuff has a standalone spec to make it easier for other groups to use it. I have even thought about starting up a short-lived TC to just release the JSON signing stuff (if any of you are willing to help sponsor such a TC, I would be game).
I also have working code for RFC8785 and for JSON signatures. Below is a full examples of how you sign JSON data. This is a copy and paste from the CACAO specificationâs appendix. To use this for STIX, you would basically had a single property to the common properties table for all objects that was called âsignaturesâ and it would be of type list of signature type.
[1] - https://datatracker.ietf.org/doc/html/rfc8785
[2] - https://datatracker.ietf.org/doc/html/draft-jordan-jws-ct-07
#### BEGIN
A.2 Playbook Signature
------------------------------------------------------------------------------------------------------------
Step 0: Given the following public and private keys
------------------------------------------------------------------------------------------------------------
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCm0pnIU9K2+Y6VvRaKE4GGUdSv
rAUMcL61buEkC519NDmYdlCkHw+gzPTu51kD50bx2FQg+SZeWnVOBER5hMd2HGG5/TL8aFulm/kk
9gfHfBq074dY7apiSNEwRytaE8x1pWRL9d7+WJoxyjDiNihZoWbxWht5izJUPZtZZ3KXiOhMQROb
VnjtGed9HXmRWFW51WsPMQWYziddX/p2YiDXzhEkTiG23AEXFHypkJALBOImayjInF9RHQazh48p
zmwHQ1OSYVlzmSVBKK13rtEmfaV2FuoTsSkOXheUi35TIsmbWC4IGW2JrwCCR7t1e6GkHuFDosnB
jgSPO2GQnwg/AgMBAAECggEAKT6KTNAEmb5rdTPxvaOC832J0wD5opDBZcQLH8lLX6go0Tv3Rgxz
5bKmn+ZMyL1GegadDiXrSYqd0/MUJuMgGWB8/OnP0D3Q4soEOBIn7DcPt0o9MUxZQsF0DraZzkR0
2WVRvcIFJucrAEJYAaWYJkjUVbmMb2ltwQwWO21rFHGbpE73nsfr/oAWsZEvKsQZoYm4fh5jVI5+
wKyRnKaN1uqAcNgj75cdywCHBVwgEefEgOPM77CDMH0+JumSirQiBfR35+HWRwHwpm09wI6Aqtvg
y5bzxvLDDRgrhX4LCPtUHGrUXNJHRKYiHQX6P6bIVuBrHV6VFpyS+5weu0w6kQKBgQDQo4QeLtO7
S3KH8UL3lX4lhH1K7/Q99uBHmvLXdiDkHjLbBbh0JfrHgHtnK9bvJ2GvVcwhI9fTiO1p1o5RM5jb
iVUSCS91sLcTPFv8X83sExBZnrvlSlb/va+4yW+Lzvr6ZiDlZYsVRNvNAHUTojHRCOH2P4eX1+ql
5P4FMdfvSQKBgQDMsQ4LBpxjD9KdDzJzw9a0xbL47QdCeZBqNUy6MvwLE0+KsF+prvoigNZCaTcJ
2FfoPxpE3/o0A/byCTuDkfddrd/hcAO0gd1R9CYJDXJfnIbZfheUmHW7ShbXyqhpqQKVjzH+jnLq
VjbGD6tz3dN+AwNgULD/vvwXM2TWpu9TRwKBgGkPPdMZD2NLzaNouKkFbR0lRxY6GEovi6Zi/w/C
GzPjhQZHLifGjC5zozBDohqRQR5SXNT/QInzdGGMOePn0HwT/nNzjqN71eRoy4UdFQtgWiZWyRTf
x0lGUjsBrBrBoh3+2WfKJywRnYDwTwQQ83boOyiNuxCaGD1rPwKMo8iJAoGAPIePE4uc615edbts
u/cJouNjjWDqaKnyHrYsPlOdXNkVCHonj9ICffmDYpgignLLbA5dAkkJgCA8Ak7gnoOnlrg4ID4z
mklc3UNJjBvB2qw65E35QyPijMPYBXAUZUppTTjPG+ub59ge0msH1Hegdv8FHJJABSDBA0tbYm5z
DzkCgYA9/0KtWKFMhF3v01L54AXF5b15RroBhZAfzI1U0wPO4J6Tz+1KqmtrwHTBPI36nzITIhlM
hcoTsMRMgnv0NHzxlcQQmAy3foFBFOyHXql3hPtWbEViB5jQs4cP5ts1oivVhrEtrrE51TG4V/Ef
fD1JKiHl7MECYEMyBz31PsRCuw==
-----END PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAptKZyFPStvmOlb0WihOBhlHUr6wFDHC+
tW7hJAudfTQ5mHZQpB8PoMz07udZA+dG8dhUIPkmXlp1TgREeYTHdhxhuf0y/GhbpZv5JPYHx3wa
tO+HWO2qYkjRMEcrWhPMdaVkS/Xe/liaMcow4jYoWaFm8VobeYsyVD2bWWdyl4joTEETm1Z47Rnn
fR15kVhVudVrDzEFmM4nXV/6dmIg184RJE4httwBFxR8qZCQCwTiJmsoyJxfUR0Gs4ePKc5sB0NT
kmFZc5klQSitd67RJn2ldhbqE7EpDl4XlIt+UyLJm1guCBltia8Agke7dXuhpB7hQ6LJwY4Ejzth
kJ8IPwIDAQAB
-----END PUBLIC KEY-----
A.2.1 Signing a Playbook
------------------------------------------------------------------------------------------------------------
Step 1.0: Create or receive a JSON playbook object to sign
------------------------------------------------------------------------------------------------------------
{
"type": "playbook",
"spec_version": "1.1",
"id": "playbook--a0777575-5c4c-4710-9f01-15776103837f",
"name": "Playbook 1",
"created": "2021-01-25T20:31:31.319Z",
"modified": "2021-01-25T20:31:31.319Z",
"signatures": [
{
"type": "signature",
"spec_version": "1.1",
"id": "signature--af4b4bf3-677a-411d-887a-1f6fa5090c05",
"created_by": "identity--be59c641-b2d5-4930-94fc-6fd583524fc6",
"created": "2021-01-25T20:31:31.319516Z",
"modified": "2021-01-25T20:31:31.319516Z",
"signee": "Existing Example Company",
"valid_from": "2021-01-25T20:31:31.319516Z",
"valid_until": "2022-01-01T12:12:12.123456Z",
"related_to": "playbook--a0777575-5c4c-4710-9f01-15776103837f",
"related_version": "2021-01-25T20:31:31.319Z",
"sha256": "hHuhBwKscfqvLC3y2FfZtHi3DNkzE0o8kE8eE6x50pM",
"algorithm": "RS256",
"public_keys": [
"some public key"
],
"value": "some signature"
}
]
}
------------------------------------------------------------------------------------------------------------
Step 1.1: Remove existing signature objects contained in the playbook's signatures property before computing the hash
------------------------------------------------------------------------------------------------------------
{
"type": "playbook",
"spec_version": "1.1",
"id": "playbook--a0777575-5c4c-4710-9f01-15776103837f",
"name": "Playbook 1",
"created": "2021-01-25T20:31:31.319Z",
"modified": "2021-01-25T20:31:31.319Z"
}
------------------------------------------------------------------------------------------------------------
Step 1.2: Create JCS [RFC8785] canonical version of the playbook from step 1.1
------------------------------------------------------------------------------------------------------------
{"created":"2021-01-25T20:31:31.319Z","id":"playbook--a0777575-5c4c-4710-9f01-15776103837f","modified":"2021-01-25T20:31:31.319Z","name":"Playbook 1","spec_version":"1.1","type":"playbook"}
------------------------------------------------------------------------------------------------------------
Step 1.3: Create SHA256 (in hex) of canonical version of playbook from step 1.2
------------------------------------------------------------------------------------------------------------
5e46bd48ddcc91e4546eba35f83e5c87791d2e4f9ac25812879226b5389f3e83
------------------------------------------------------------------------------------------------------------
Step 1.4: Create base64URL.encoded version of the SHA256 hash from step 1.3 and remove any padding
------------------------------------------------------------------------------------------------------------
Xka9SN3MkeRUbro1-D5ch3kdLk-awlgSh5ImtTifPoM
------------------------------------------------------------------------------------------------------------
Step 2.0: Create a signature object and set the SHA256 string property to the string value of the b64 hash of the playbook from step 1.4
------------------------------------------------------------------------------------------------------------
{
"type": "signature",
"spec_version": "1.1",
"id": "signature--af892292-c4b4-47eb-9be6-4897ff4b9388",
"created_by": "identity--6639020f-9054-413f-b95e-d5d9577bc251",
"created": "2021-01-25T20:31:31.319516Z",
"modified": "2021-01-25T20:31:31.319516Z",
"signee": "ACME Cyber Company",
"valid_from": "2021-01-25T20:31:31.319516Z",
"valid_until": "2022-01-01T12:12:12.123456Z",
"related_to": "playbook--a0777575-5c4c-4710-9f01-15776103837f",
"related_version": "2021-01-25T20:31:31.319Z",
"sha256": "Xka9SN3MkeRUbro1-D5ch3kdLk-awlgSh5ImtTifPoM",
"algorithm": "RS256",
"public_keys": [
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAptKZyFPStvmOlb0WihOBhlHUr6wFDHC+tW7hJAudfTQ5mHZQpB8PoMz07udZA+dG8dhUIPkmXlp1TgREeYTHdhxhuf0y/GhbpZv5JPYHx3watO+HWO2qYkjRMEcrWhPMdaVkS/Xe/liaMcow4jYoWaFm8VobeYsyVD2bWWdyl4joTEETm1Z47RnnfR15kVhVudVrDzEFmM4nXV/6dmIg184RJE4httwBFxR8qZCQCwTiJmsoyJxfUR0Gs4ePKc5sB0NTkmFZc5klQSitd67RJn2ldhbqE7EpDl4XlIt+UyLJm1guCBltia8Agke7dXuhpB7hQ6LJwY4EjzthkJ8IPwIDAQAB"
]
}
------------------------------------------------------------------------------------------------------------
Step 2.1: Create JCS canonical version of signature from step 2.0
------------------------------------------------------------------------------------------------------------
{"algorithm":"RS256","created":"2021-01-25T20:31:31.319516Z","created_by":"identity--6639020f-9054-413f-b95e-d5d9577bc251","id":"signature--af892292-c4b4-47eb-9be6-4897ff4b9388","modified":"2021-01-25T20:31:31.319516Z","public_keys":["MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAptKZyFPStvmOlb0WihOBhlHUr6wFDHC+tW7hJAudfTQ5mHZQpB8PoMz07udZA+dG8dhUIPkmXlp1TgREeYTHdhxhuf0y/GhbpZv5JPYHx3watO+HWO2qYkjRMEcrWhPMdaVkS/Xe/liaMcow4jYoWaFm8VobeYsyVD2bWWdyl4joTEETm1Z47RnnfR15kVhVudVrDzEFmM4nXV/6dmIg184RJE4httwBFxR8qZCQCwTiJmsoyJxfUR0Gs4ePKc5sB0NTkmFZc5klQSitd67RJn2ldhbqE7EpDl4XlIt+UyLJm1guCBltia8Agke7dXuhpB7hQ6LJwY4EjzthkJ8IPwIDAQAB"],"related_to":"playbook--a0777575-5c4c-4710-9f01-15776103837f","related_version":"2021-01-25T20:31:31.319Z","sha256":"Xka9SN3MkeRUbro1-D5ch3kdLk-awlgSh5ImtTifPoM","signee":"ACME Cyber Company","spec_version":"1.1","type":"signature","valid_from":"2021-01-25T20:31:31.319516Z","valid_until":"2022-01-01T12:12:12.123456Z"}
------------------------------------------------------------------------------------------------------------
Step 2.2: Create base64URL.encoded version of the JCS signature from step 2.1
------------------------------------------------------------------------------------------------------------
eyJhbGdvcml0aG0iOiJSUzI1NiIsImNyZWF0ZWQiOiIyMDIxLTAxLTI1VDIwOjMxOjMxLjMxOTUxNloiLCJjcmVhdGVkX2J5IjoiaWRlbnRpdHktLTY2MzkwMjBmLTkwNTQtNDEzZi1iOTVlLWQ1ZDk1NzdiYzI1MSIsImlkIjoic2lnbmF0dXJlLS1hZjg5MjI5Mi1jNGI0LTQ3ZWItOWJlNi00ODk3ZmY0YjkzODgiLCJtb2RpZmllZCI6IjIwMjEtMDEtMjVUMjA6MzE6MzEuMzE5NTE2WiIsInB1YmxpY19rZXlzIjpbIk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBcHRLWnlGUFN0dm1PbGIwV2loT0JobEhVcjZ3RkRIQyt0VzdoSkF1ZGZUUTVtSFpRcEI4UG9NejA3dWRaQStkRzhkaFVJUGttWGxwMVRnUkVlWVRIZGh4aHVmMHkvR2hicFp2NUpQWUh4M3dhdE8rSFdPMnFZa2pSTUVjcldoUE1kYVZrUy9YZS9saWFNY293NGpZb1dhRm04Vm9iZVlzeVZEMmJXV2R5bDRqb1RFRVRtMVo0N1JubmZSMTVrVmhWdWRWckR6RUZtTTRuWFYvNmRtSWcxODRSSkU0aHR0d0JGeFI4cVpDUUN3VGlKbXNveUp4ZlVSMEdzNGVQS2M1c0IwTlRrbUZaYzVrbFFTaXRkNjdSSm4ybGRoYnFFN0VwRGw0WGxJdCtVeUxKbTFndUNCbHRpYThBZ2tlN2RYdWhwQjdoUTZMSndZNEVqenRoa0o4SVB3SURBUUFCIl0sInJlbGF0ZWRfdG8iOiJwbGF5Ym9vay0tYTA3Nzc1NzUtNWM0Yy00NzEwLTlmMDEtMTU3NzYxMDM4MzdmIiwicmVsYXRlZF92ZXJzaW9uIjoiMjAyMS0wMS0yNVQyMDozMTozMS4zMTlaIiwic2hhMjU2IjoiWGthOVNOM01rZVJVYnJvMS1ENWNoM2tkTGstYXdsZ1NoNUltdFRpZlBvTSIsInNpZ25lZSI6IkFDTUUgQ3liZXIgQ29tcGFueSIsInNwZWNfdmVyc2lvbiI6IjEuMSIsInR5cGUiOiJzaWduYXR1cmUiLCJ2YWxpZF9mcm9tIjoiMjAyMS0wMS0yNVQyMDozMTozMS4zMTk1MTZaIiwidmFsaWRfdW50aWwiOiIyMDIyLTAxLTAxVDEyOjEyOjEyLjEyMzQ1NloifQ
------------------------------------------------------------------------------------------------------------
Step 3.0: Sign the data from step 2.2 using the algorithm defined in the signature object and base64URL.encode it (RS256)
------------------------------------------------------------------------------------------------------------
Signature: U-AaG_bvV8nwqVgXjKVZeO0Uz4gNssEAnTB8Y8v3iI4MEByZKNOXlDI7uU-xx7APpaboNA8vr02KnW4lsAYi4jlu1hlRRbZGfqSCOnx19dVefmbMsH4AP7ycuAJJmCc38x9FDMU9p03Fzi1cKv3sc3bQWctKvV3wrB440BMAWNooa8J99h0oTwWMECFM4lz_u06p3KjdMuERRIWhF8b0_5Jl2_YPui23A28jkAdUgLofaEm_GsA_Le3Aj6HN0xdevDFyw6hS_8JRNNRN0N4sP0NgZc1mjj2-rVbyu8zlGnW496I6ZcDbejHEZoNXvSWB4N3ujaU6sPKUad-2OIlw7w
------------------------------------------------------------------------------------------------------------
Step 4.0: Append the new b64 digital signature from step 3.0 to the signatures property (with existing signatures, if any) of the playbook itself. As stated in section 3.1 the modified property on the playbook does not change when adding a signature. Meaning, adding a signature does not constitute a revision of the object.
------------------------------------------------------------------------------------------------------------
{
"type": "playbook",
"spec_version": "1.1",
"id": "playbook--a0777575-5c4c-4710-9f01-15776103837f",
"name": "Playbook 1",
"created": "2021-01-25T20:31:31.319Z",
"modified": "2021-01-25T20:31:31.319Z",
"signatures": [
{
"type": "signature",
"spec_version": "1.1",
"id": "signature--af4b4bf3-677a-411d-887a-1f6fa5090c05",
"created_by": "identity--be59c641-b2d5-4930-94fc-6fd583524fc6",
"created": "2021-01-25T20:31:31.319516Z",
"modified": "2021-01-25T20:31:31.319516Z",
"signee": "Existing Example Company",
"valid_from": "2021-01-25T20:31:31.319516Z",
"valid_until": "2022-01-01T12:12:12.123456Z",
"related_to": "playbook--a0777575-5c4c-4710-9f01-15776103837f",
"related_version": "2021-01-25T20:31:31.319Z",
"sha256": "hHuhBwKscfqvLC3y2FfZtHi3DNkzE0o8kE8eE6x50pM",
"algorithm": "RS256",
"public_keys": [
"some public key"
],
"value": "some signature"
},
{
"type": "signature",
"spec_version": "1.1",
"id": "signature--af892292-c4b4-47eb-9be6-4897ff4b9388",
"created_by": "identity--6639020f-9054-413f-b95e-d5d9577bc251",
"created": "2021-01-25T20:31:31.319516Z",
"modified": "2021-01-25T20:31:31.319516Z",
"signee": "ACME Cyber Company",
"valid_from": "2021-01-25T20:31:31.319516Z",
"valid_until": "2022-01-01T12:12:12.123456Z",
"related_to": "playbook--a0777575-5c4c-4710-9f01-15776103837f",
"related_version": "2021-01-25T20:31:31.319Z",
"sha256": "Xka9SN3MkeRUbro1-D5ch3kdLk-awlgSh5ImtTifPoM",
"algorithm": "RS256",
"public_keys": [
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAptKZyFPStvmOlb0WihOBhlHUr6wFDHC+tW7hJAudfTQ5mHZQpB8PoMz07udZA+dG8dhUIPkmXlp1TgREeYTHdhxhuf0y/GhbpZv5JPYHx3watO+HWO2qYkjRMEcrWhPMdaVkS/Xe/liaMcow4jYoWaFm8VobeYsyVD2bWWdyl4joTEETm1Z47RnnfR15kVhVudVrDzEFmM4nXV/6dmIg184RJE4httwBFxR8qZCQCwTiJmsoyJxfUR0Gs4ePKc5sB0NTkmFZc5klQSitd67RJn2ldhbqE7EpDl4XlIt+UyLJm1guCBltia8Agke7dXuhpB7hQ6LJwY4EjzthkJ8IPwIDAQAB"
],
"value": "U-AaG_bvV8nwqVgXjKVZeO0Uz4gNssEAnTB8Y8v3iI4MEByZKNOXlDI7uU-xx7APpaboNA8vr02KnW4lsAYi4jlu1hlRRbZGfqSCOnx19dVefmbMsH4AP7ycuAJJmCc38x9FDMU9p03Fzi1cKv3sc3bQWctKvV3wrB440BMAWNooa8J99h0oTwWMECFM4lz_u06p3KjdMuERRIWhF8b0_5Jl2_YPui23A28jkAdUgLofaEm_GsA_Le3Aj6HN0xdevDFyw6hS_8JRNNRN0N4sP0NgZc1mjj2-rVbyu8zlGnW496I6ZcDbejHEZoNXvSWB4N3ujaU6sPKUad-2OIlw7w"
}
]
}
A.2.2 Verifying a Playbook
------------------------------------------------------------------------------------------------------------
Step 1.0: Receive a JSON playbook object to verify
------------------------------------------------------------------------------------------------------------
{
"type": "playbook",
"spec_version": "1.1",
"id": "playbook--a0777575-5c4c-4710-9f01-15776103837f",
"name": "Playbook 1",
"created": "2021-01-25T20:31:31.319Z",
"modified": "2021-01-25T20:31:31.319Z",
"signatures": [
{
"type": "signature",
"spec_version": "1.1",
"id": "signature--af892292-c4b4-47eb-9be6-4897ff4b9388",
"created_by": "identity--6639020f-9054-413f-b95e-d5d9577bc251",
"created": "2021-01-25T20:31:31.319516Z",
"modified": "2021-01-25T20:31:31.319516Z",
"signee": "ACME Cyber Company",
"valid_from": "2021-01-25T20:31:31.319516Z",
"valid_until": "2022-01-01T12:12:12.123456Z",
"related_to": "playbook--a0777575-5c4c-4710-9f01-15776103837f",
"related_version": "2021-01-25T20:31:31.319Z",
"sha256": "Xka9SN3MkeRUbro1-D5ch3kdLk-awlgSh5ImtTifPoM",
"algorithm": "RS256",
"public_keys": [
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAptKZyFPStvmOlb0WihOBhlHUr6wFDHC+tW7hJAudfTQ5mHZQpB8PoMz07udZA+dG8dhUIPkmXlp1TgREeYTHdhxhuf0y/GhbpZv5JPYHx3watO+HWO2qYkjRMEcrWhPMdaVkS/Xe/liaMcow4jYoWaFm8VobeYsyVD2bWWdyl4joTEETm1Z47RnnfR15kVhVudVrDzEFmM4nXV/6dmIg184RJE4httwBFxR8qZCQCwTiJmsoyJxfUR0Gs4ePKc5sB0NTkmFZc5klQSitd67RJn2ldhbqE7EpDl4XlIt+UyLJm1guCBltia8Agke7dXuhpB7hQ6LJwY4EjzthkJ8IPwIDAQAB"
],
"value": "U-AaG_bvV8nwqVgXjKVZeO0Uz4gNssEAnTB8Y8v3iI4MEByZKNOXlDI7uU-xx7APpaboNA8vr02KnW4lsAYi4jlu1hlRRbZGfqSCOnx19dVefmbMsH4AP7ycuAJJmCc38x9FDMU9p03Fzi1cKv3sc3bQWctKvV3wrB440BMAWNooa8J99h0oTwWMECFM4lz_u06p3KjdMuERRIWhF8b0_5Jl2_YPui23A28jkAdUgLofaEm_GsA_Le3Aj6HN0xdevDFyw6hS_8JRNNRN0N4sP0NgZc1mjj2-rVbyu8zlGnW496I6ZcDbejHEZoNXvSWB4N3ujaU6sPKUad-2OIlw7w"
}
]
}
------------------------------------------------------------------------------------------------------------
Step 1.1: Capture the signature object from step 1.0
------------------------------------------------------------------------------------------------------------
{
"type": "signature",
"spec_version": "1.1",
"id": "signature--af892292-c4b4-47eb-9be6-4897ff4b9388",
"created_by": "identity--6639020f-9054-413f-b95e-d5d9577bc251",
"created": "2021-01-25T20:31:31.319516Z",
"modified": "2021-01-25T20:31:31.319516Z",
"signee": "ACME Cyber Company",
"valid_from": "2021-01-25T20:31:31.319516Z",
"valid_until": "2022-01-01T12:12:12.123456Z",
"related_to": "playbook--a0777575-5c4c-4710-9f01-15776103837f",
"related_version": "2021-01-25T20:31:31.319Z",
"sha256": "Xka9SN3MkeRUbro1-D5ch3kdLk-awlgSh5ImtTifPoM",
"algorithm": "RS256",
"public_keys": [
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAptKZyFPStvmOlb0WihOBhlHUr6wFDHC+tW7hJAudfTQ5mHZQpB8PoMz07udZA+dG8dhUIPkmXlp1TgREeYTHdhxhuf0y/GhbpZv5JPYHx3watO+HWO2qYkjRMEcrWhPMdaVkS/Xe/liaMcow4jYoWaFm8VobeYsyVD2bWWdyl4joTEETm1Z47RnnfR15kVhVudVrDzEFmM4nXV/6dmIg184RJE4httwBFxR8qZCQCwTiJmsoyJxfUR0Gs4ePKc5sB0NTkmFZc5klQSitd67RJn2ldhbqE7EpDl4XlIt+UyLJm1guCBltia8Agke7dXuhpB7hQ6LJwY4EjzthkJ8IPwIDAQAB"
],
"value": "U-AaG_bvV8nwqVgXjKVZeO0Uz4gNssEAnTB8Y8v3iI4MEByZKNOXlDI7uU-xx7APpaboNA8vr02KnW4lsAYi4jlu1hlRRbZGfqSCOnx19dVefmbMsH4AP7ycuAJJmCc38x9FDMU9p03Fzi1cKv3sc3bQWctKvV3wrB440BMAWNooa8J99h0oTwWMECFM4lz_u06p3KjdMuERRIWhF8b0_5Jl2_YPui23A28jkAdUgLofaEm_GsA_Le3Aj6HN0xdevDFyw6hS_8JRNNRN0N4sP0NgZc1mjj2-rVbyu8zlGnW496I6ZcDbejHEZoNXvSWB4N3ujaU6sPKUad-2OIlw7w"
}
------------------------------------------------------------------------------------------------------------
Step 1.2: Parse the public key from step 1.1
------------------------------------------------------------------------------------------------------------
public key is of type RSA: &{21059409706530871027159923152575226016100491304035079351263921833442741931451740146712071913128794323145066705509880772966898802951179542662416048514009100169204319582186431003855440031712504682027007873576875878900968461609481876517068958782007364480404972357715060302084902771376501469371170875499194864831981063610546010391567296668298595547190243490360742271883347302484090862191539604535968402460061731217265463678666809460993311474732287058055878491599597361095237978376986522365495265225580650629373211602244516038322865322531398087185749308509197225776569239178517866302894223184683331023672630700008907147327 65537}
Public RSA Key E: 65537
Public RSA Key N: 21059409706530871027159923152575226016100491304035079351263921833442741931451740146712071913128794323145066705509880772966898802951179542662416048514009100169204319582186431003855440031712504682027007873576875878900968461609481876517068958782007364480404972357715060302084902771376501469371170875499194864831981063610546010391567296668298595547190243490360742271883347302484090862191539604535968402460061731217265463678666809460993311474732287058055878491599597361095237978376986522365495265225580650629373211602244516038322865322531398087185749308509197225776569239178517866302894223184683331023672630700008907147327
------------------------------------------------------------------------------------------------------------
Step 1.3: Remove the digital signature from the signature object from step 1.1
------------------------------------------------------------------------------------------------------------
{
"type": "signature",
"spec_version": "1.1",
"id": "signature--af892292-c4b4-47eb-9be6-4897ff4b9388",
"created_by": "identity--6639020f-9054-413f-b95e-d5d9577bc251",
"created": "2021-01-25T20:31:31.319516Z",
"modified": "2021-01-25T20:31:31.319516Z",
"signee": "ACME Cyber Company",
"valid_from": "2021-01-25T20:31:31.319516Z",
"valid_until": "2022-01-01T12:12:12.123456Z",
"related_to": "playbook--a0777575-5c4c-4710-9f01-15776103837f",
"related_version": "2021-01-25T20:31:31.319Z",
"sha256": "Xka9SN3MkeRUbro1-D5ch3kdLk-awlgSh5ImtTifPoM",
"algorithm": "RS256",
"public_keys": [
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAptKZyFPStvmOlb0WihOBhlHUr6wFDHC+tW7hJAudfTQ5mHZQpB8PoMz07udZA+dG8dhUIPkmXlp1TgREeYTHdhxhuf0y/GhbpZv5JPYHx3watO+HWO2qYkjRMEcrWhPMdaVkS/Xe/liaMcow4jYoWaFm8VobeYsyVD2bWWdyl4joTEETm1Z47RnnfR15kVhVudVrDzEFmM4nXV/6dmIg184RJE4httwBFxR8qZCQCwTiJmsoyJxfUR0Gs4ePKc5sB0NTkmFZc5klQSitd67RJn2ldhbqE7EpDl4XlIt+UyLJm1guCBltia8Agke7dXuhpB7hQ6LJwY4EjzthkJ8IPwIDAQAB"
]
}
Full Signature: U-AaG_bvV8nwqVgXjKVZeO0Uz4gNssEAnTB8Y8v3iI4MEByZKNOXlDI7uU-xx7APpaboNA8vr02KnW4lsAYi4jlu1hlRRbZGfqSCOnx19dVefmbMsH4AP7ycuAJJmCc38x9FDMU9p03Fzi1cKv3sc3bQWctKvV3wrB440BMAWNooa8J99h0oTwWMECFM4lz_u06p3KjdMuERRIWhF8b0_5Jl2_YPui23A28jkAdUgLofaEm_GsA_Le3Aj6HN0xdevDFyw6hS_8JRNNRN0N4sP0NgZc1mjj2-rVbyu8zlGnW496I6ZcDbejHEZoNXvSWB4N3ujaU6sPKUad-2OIlw7w
------------------------------------------------------------------------------------------------------------
Step 1.4: Create canonical version of signature object from step 1.3
------------------------------------------------------------------------------------------------------------
{"algorithm":"RS256","created":"2021-01-25T20:31:31.319516Z","created_by":"identity--6639020f-9054-413f-b95e-d5d9577bc251","id":"signature--af892292-c4b4-47eb-9be6-4897ff4b9388","modified":"2021-01-25T20:31:31.319516Z","public_keys":["MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAptKZyFPStvmOlb0WihOBhlHUr6wFDHC+tW7hJAudfTQ5mHZQpB8PoMz07udZA+dG8dhUIPkmXlp1TgREeYTHdhxhuf0y/GhbpZv5JPYHx3watO+HWO2qYkjRMEcrWhPMdaVkS/Xe/liaMcow4jYoWaFm8VobeYsyVD2bWWdyl4joTEETm1Z47RnnfR15kVhVudVrDzEFmM4nXV/6dmIg184RJE4httwBFxR8qZCQCwTiJmsoyJxfUR0Gs4ePKc5sB0NTkmFZc5klQSitd67RJn2ldhbqE7EpDl4XlIt+UyLJm1guCBltia8Agke7dXuhpB7hQ6LJwY4EjzthkJ8IPwIDAQAB"],"related_to":"playbook--a0777575-5c4c-4710-9f01-15776103837f","related_version":"2021-01-25T20:31:31.319Z","sha256":"Xka9SN3MkeRUbro1-D5ch3kdLk-awlgSh5ImtTifPoM","signee":"ACME Cyber Company","spec_version":"1.1","type":"signature","valid_from":"2021-01-25T20:31:31.319516Z","valid_until":"2022-01-01T12:12:12.123456Z"}
------------------------------------------------------------------------------------------------------------
Step 1.5: Create base64URL.encoded version of the JCS signature from step 1.4
------------------------------------------------------------------------------------------------------------
eyJhbGdvcml0aG0iOiJSUzI1NiIsImNyZWF0ZWQiOiIyMDIxLTAxLTI1VDIwOjMxOjMxLjMxOTUxNloiLCJjcmVhdGVkX2J5IjoiaWRlbnRpdHktLTY2MzkwMjBmLTkwNTQtNDEzZi1iOTVlLWQ1ZDk1NzdiYzI1MSIsImlkIjoic2lnbmF0dXJlLS1hZjg5MjI5Mi1jNGI0LTQ3ZWItOWJlNi00ODk3ZmY0YjkzODgiLCJtb2RpZmllZCI6IjIwMjEtMDEtMjVUMjA6MzE6MzEuMzE5NTE2WiIsInB1YmxpY19rZXlzIjpbIk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBcHRLWnlGUFN0dm1PbGIwV2loT0JobEhVcjZ3RkRIQyt0VzdoSkF1ZGZUUTVtSFpRcEI4UG9NejA3dWRaQStkRzhkaFVJUGttWGxwMVRnUkVlWVRIZGh4aHVmMHkvR2hicFp2NUpQWUh4M3dhdE8rSFdPMnFZa2pSTUVjcldoUE1kYVZrUy9YZS9saWFNY293NGpZb1dhRm04Vm9iZVlzeVZEMmJXV2R5bDRqb1RFRVRtMVo0N1JubmZSMTVrVmhWdWRWckR6RUZtTTRuWFYvNmRtSWcxODRSSkU0aHR0d0JGeFI4cVpDUUN3VGlKbXNveUp4ZlVSMEdzNGVQS2M1c0IwTlRrbUZaYzVrbFFTaXRkNjdSSm4ybGRoYnFFN0VwRGw0WGxJdCtVeUxKbTFndUNCbHRpYThBZ2tlN2RYdWhwQjdoUTZMSndZNEVqenRoa0o4SVB3SURBUUFCIl0sInJlbGF0ZWRfdG8iOiJwbGF5Ym9vay0tYTA3Nzc1NzUtNWM0Yy00NzEwLTlmMDEtMTU3NzYxMDM4MzdmIiwicmVsYXRlZF92ZXJzaW9uIjoiMjAyMS0wMS0yNVQyMDozMTozMS4zMTlaIiwic2hhMjU2IjoiWGthOVNOM01rZVJVYnJvMS1ENWNoM2tkTGstYXdsZ1NoNUltdFRpZlBvTSIsInNpZ25lZSI6IkFDTUUgQ3liZXIgQ29tcGFueSIsInNwZWNfdmVyc2lvbiI6IjEuMSIsInR5cGUiOiJzaWduYXR1cmUiLCJ2YWxpZF9mcm9tIjoiMjAyMS0wMS0yNVQyMDozMTozMS4zMTk1MTZaIiwidmFsaWRfdW50aWwiOiIyMDIyLTAxLTAxVDEyOjEyOjEyLjEyMzQ1NloifQ
------------------------------------------------------------------------------------------------------------
Step 2.0: Verify the signature received in step 1.3 of the B64JCS data from step 1.5 using the public key form 1.2 and using the algorithm from the signature object RS256
------------------------------------------------------------------------------------------------------------
Signature is valid
------------------------------------------------------------------------------------------------------------
Step 3.0: Compute the hash of the playbook and make sure it matches the hash in the signed signature
------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------
Step 3.1: Remove existing signatures before computing hash
------------------------------------------------------------------------------------------------------------
{
"type": "playbook",
"spec_version": "1.1",
"id": "playbook--a0777575-5c4c-4710-9f01-15776103837f",
"name": "Playbook 1",
"created": "2021-01-25T20:31:31.319Z",
"modified": "2021-01-25T20:31:31.319Z"
}
------------------------------------------------------------------------------------------------------------
Step 3.2: Create JCS canonical version of the playbook from step 3.1
------------------------------------------------------------------------------------------------------------
{"created":"2021-01-25T20:31:31.319Z","id":"playbook--a0777575-5c4c-4710-9f01-15776103837f","modified":"2021-01-25T20:31:31.319Z","name":"Playbook 1","spec_version":"1.1","type":"playbook"}
------------------------------------------------------------------------------------------------------------
Step 3.3: Create SHA256 (in hex) of canonical version of playbook from step 3.2
------------------------------------------------------------------------------------------------------------
5e46bd48ddcc91e4546eba35f83e5c87791d2e4f9ac25812879226b5389f3e83
------------------------------------------------------------------------------------------------------------
Step 3.4: Create base64URL.encoded version of the SHA256 hash from step 1.3 and remove any padding
------------------------------------------------------------------------------------------------------------
Xka9SN3MkeRUbro1-D5ch3kdLk-awlgSh5ImtTifPoM
------------------------------------------------------------------------------------------------------------
Step 4.0: Compare computed hash with hash found in signed signature
------------------------------------------------------------------------------------------------------------
Computed Hash: Xka9SN3MkeRUbro1-D5ch3kdLk-awlgSh5ImtTifPoM
Signed Hash: Xka9SN3MkeRUbro1-D5ch3kdLk-awlgSh5ImtTifPoM
Hashes match and content is valid
#### END
> On Jan 25, 2022, at 1:45 PM, Christian Hunt <cvoid@copado.com> wrote:
>
> Greetings folks. We are in the process of spinning up a JSON Signing
> working group. The following links point to historical information
> about this effort over the last bunch of years. Moving forward we plan
> on basing this work on some of the existing and/or proposed solutions.
> If any other relevant information is available, feel free to add to
> this list of links.
>
> If interested, please review the following and we will discuss at next
> week's STIX meeting.
>
> JMG proposal (2018)
> https://github.com/jmgnc/cti-sep-repository/blob/digitalsig/seps/draft/extensions/x-newcontext-signing-ext/x-newcontext-signing-ext.md
>
> CACAO Signing
> https://docs.oasis-open.org/cacao/security-playbooks/v1.0/cs02/security-playbooks-v1.0-cs02.html#_bweas66qn4pi
>
> Listserv Discussion (2018)
> https://lists.oasis-open.org/archives/cti-stix/201810/msg00021.html
>
> JSON Canonicalization
> https://github.com/gowebpki/jcs
>
> Questions, comments, please let me know.
>
> --
> christian o. hunt
> principal security engineer - strategic services research team
> cvoid@copado.com
> gpg key available upon request
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]