...
Excerpt |
---|
Describes how messages requesting operation on a collection is are checked against the permission model. |
Child pages (Children Display) | ||||||||
---|---|---|---|---|---|---|---|---|
|
Permissions
The permissions are defined on a pr. user/role certificate based for each operation or set of operations. See Collection settings for See RepositorySettings for detailes model.
Signing messages
...
The hash algorithm for the generation of the message hash is SHA512. The signing certificate is excluded from the signature to reduce the size.
The message signature is calculated on the message xml interpreted as a utf-8-encoded byte stream and transmitted, base 64-encoded, in the message header org.bitrepository.messages.signature
Signature generation and verification
To generate a signature openssl can be used:
Code Block |
---|
openssl smime -sign -md sha512 -binary -nocerts -noattr -in message -out new.sig -outform der -inkey pkey.pem -signer cert.pem |
Where:
- message is a file with the message to create a signature for
- new.sig is a file containing the signature
- pkey.pem is a file containing the signers private key
- cert.pem is a file containing the signers certificate
To verify a signature with openssl the following can be used:
Code Block |
---|
openssl smime -verify -in new.sig -inform der -noverify -content message -certfile cert.pem |
Where:
- message is a file with the message to create a signature for
- new.sig is a file containing the signature (binary data, not base64 encoded)
- cert.pem is a file containing the signers certificate (ID of the certificate used for signing can be extracted from the signature it self. This can be used to obtain the signing certificate from the components trust).