Signing data applet (dropbearsign)

Arne Bernin arne at alamut.de
Sun Oct 3 22:38:30 WST 2004


Hi,

i just finished my patch for dropbear. It adds a tool called
dropbearsign which can be used to create a signature on
data provided via stdin. So it can be used to verify file
content in an embedded environment without having to use
large tools as gnupg etc. This could be easily used
to verify lists of md5sums (something i think we
definetly need for bering-uclibc).
 
This patch should add the needed code to compile it,
although the Makefile(.in) is not patched to compile
it out of the box , compile it with (after running configure of course):

make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert dropbearsign"

(make PROGRAMS="..." MULTI=1 should also work).

using it:
------------------------------------------------------------
1. generate a dropbearkey pair:
./dropbearkey -t dss -s 1600 -f dssseckey

2. Extract the public key (base64 encoded):
./dropbearkey -y -f dsskey  | grep "ssh-" > dsspubkey

3. make a signature:
echo "Take me as data" | ./dropbearsign dssseckey

it sould output something like:

----- begin DSS hash -----
AAAAB3NzaC1kc3MAAAAoJazvcQ1yTJrs/CNEA2+TiDqwWpsyhXbGlCzx6VITPgd/JsF+UmW95w==
----- end DSS hash -----
data length: 6, signature length: 76

4. verify signature: You can verify that the signature on the data is correct
by 
echo "Take me as data" | ./dropbearsign -c dsspubkey 'HASH'
in our example:
echo "Take me as data" | ./dropbearsign -c dsspubkey 'AAAAB3NzaC1kc3MAAAAoJazvcQ1yTJrs/CNEA2+TiDqwWpsyhXbGlCzx6VITPgd/JsF+UmW95w=='

it should output:

"signature is valid!"

and return with an 0 (hopefully 1 in case of an error, try this and change one single character in the Hash above).

You can of course use it, to create a signature of binary data.

------------------------------------------------------------

Unfortunatly the signature is just a base64 encoded signature buffer from
dropbear, so it is not compatible to anything else out there (I did not
have the time to look deeply how gpg creates it signatures , not even
sure there "asci armor" in nothing completly different than base64 encoding).

I am not sure if this tool will ever be included in standard dropbear, but
i hope so (of course) to make maintainance easier (Matt ??). I am sure
that this code is not perfect and will need a review before even thinking
about to include it...And if not, well a review would be nice, too.
Anyway i am interested in what you think,
                      
--arne





-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-dbsign-0.44test4.diff
Type: text/x-patch
Size: 13629 bytes
Desc: not available
Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20041003/151fca21/patch-dbsign-0.44test4-0001.bin


More information about the Dropbear mailing list