Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

- Add external FIPS 140-2 / 140-3 compliant signatures for the Clam Databases. #1344

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Commits on Aug 19, 2024

  1. - Add external FIPS 140-2 / 140-3 compliant signatures for the Clam D…

    …atabases.
    
    - Added tools to extract the public exponent and modulus of generated keys so that they internal defines holding the hard coded key validation can be updated by the signing authority.
    - Added the script sigext/cvd_hash_sha256_sign.sh which uses a private RSA key and openssl to sign ClamAV Databases and produces an external signature file which can then be used to validate the contents of the ClamAV database updates.
    mark-carey-sap committed Aug 19, 2024
    Configuration menu
    Copy the full SHA
    d233429 View commit details
    Browse the repository at this point in the history

Commits on Aug 20, 2024

  1. Configuration menu
    Copy the full SHA
    d64161d View commit details
    Browse the repository at this point in the history

Commits on Aug 22, 2024

  1. Added cryptographic method flexibility to external signatures. This i…

    …ncludes a demo of post-quantum encryption using the open-quantum-safe project providers for OpenSSL v3 and later.
    
    You must have liboqs (https://github.com/open-quantum-safe/liboqs) installed, and the oqsprovider for OpenSSL v3 and later (https://github.com/open-quantum-safe/oqs-provider).  Please note that you will also need to have altered the openssl.cnf file to include the oqsprovider in your configuration.  Instructions are on the oqsprovider page.
    
    I have tested dilithium2 quantum resistant signatures and have included the source in a way that it will not cause faults if the provider is not installed.
    
    It should be noted that at the present time NIST has NOT approved dilithium2 for use in FIPS systems.  I have put hard blockers on MD5 and SHA1 when running in FIPS mode to prevent mishaps.
    
    The signing bash script will now hash and sign files in a flexible manner.  Algorithms support for SHA256 and SHA3-256 have been added to the existing hashing functions of the library.
    
    I have validated functionality and ran valgrind against this commit.  I can find no bugs, but would always love to have a second or third set of eyes to help spot what I missed.
    
    Shell script name changed to be more generic in the spirit of supporting arbitrary hashing and signing algorithms.  Script is now called:
    clamav/sigext/cvd_ext_sigh.sh
    
    If needed, I can add Elliptical Curve keys and signatures, as well, but it should be fairly elementary for anyone to do so now.
    mark-carey-sap committed Aug 22, 2024
    Configuration menu
    Copy the full SHA
    e6d93ef View commit details
    Browse the repository at this point in the history

Commits on Aug 29, 2024

  1. Configuration menu
    Copy the full SHA
    bc057fe View commit details
    Browse the repository at this point in the history