A Go web service that digitally signs device assertion details.
Go get it:
$ go get github.com/ubuntu-core/identity-vault
Configure it:
- Install PostgreSQL and create a database.
- Set up the config file, using
settings.yaml
as a guide. - Create the database tables:
$ cd identity-vault $ go run tools/createdb.go
Run it:
$ cd identity-vault
$ go run server.go -config=/path/to/settings.yaml -mode=signing
The application has an admin service that can be run by using mode=admin.
$ git clone https://github.com/ubuntu-core/identity-vault
$ cd identity-vault/
$ docker-compose up
# remove containers after try
$ docker-compose rm
Follow the instructions to install Go.
- Install the build packages
sudo apt-get install build-essential libssl-dev
# For TPM2.0
sudo apt-get install tpm2-tools
-
Install NVM Install the Node Version Manager that will allow a specific version of Node.js to be installed. Follow the installation instructions.
-
Install the latest stable Node.js and npm The latest stable (LTS) version of Node can be found on the Node website.
# Overview of available commands
nvm help
# Install the latest stable version
nvm install v4.4.3
# Select the version to use
nvm ls
nvm use v4.4.3
# Install gulp globally
npm install -g gulp
- Install the nodejs dependencies
cd identity-vault
npm install
# Select the version to use
nvm ls
nvm use v4.4.3
gulp
npm test
Return the version of the serial vault service.
{
"version":"0.1.0",
}
- version: the version of the serial vault service (string)
Returns a nonce that is needed for the signing request.
{
"nonce": "abc123456",
"success": true,
"message": ""
}
- success: whether the request was successful (bool)
- message: error message from the request (string)
- nonce: unique string that is needed for signing requests (string)
The nonce can only be used once and must be used before it expires (typically 600 seconds).
Clear-sign the device identity details.
Takes the details from the device, formats the data and clear-signs it.
The message must be the serial-request assertion format and is best generated using the snapd libraries.
type: serial-request
brand-id: System
model: Router 3400
device-key:
WkUDQbqFCKZBPvKbwR...
request-id: abc123456
body-length: 10
sign-key-sha3-384: UytTqTvREVhx...
revision: 12
serial: A1228ML
HW-DETAILS
AcLBUgQAAQoABgUCV7R2C...
- brand-id: the Account ID of the manufacturer (string)
- model: the name of the device (string)
- device-key: the encoded type and public key of the device (string)
- request-id: the nonce returned from the /1.0/nonce method (string)
- signature: the signed data
- serial: serial number of the device (string)
- revision: the revision of the device (integer)
Though the 'serial' and 'revision' headers are not strictly a part of a serial request, they are needed to return a signed serial assertion.
The method returns a signed serial assertion using the key from the vault.