My intention was to sign the content of export-all with the nodes' public key, which would require the corresponding private key to verify. Does this make sense?

> On 26 Jan 2016 at 20:19, Guus Sliepen <guus at tinc-vpn.org> wrote:
>
>> On Tue, Jan 26, 2016 at 07:35:10PM +0100, Anton Voyl wrote:
>>
>> Is it possible to sign/verify data with the ed25519 keys of a tinc 1.1 host?
>
> In principle yes, but tinc does not offer a way to do that. Also,
> reusing a key for another purpose is not recommended. What do you want
> to do exactly?
>
>> More specifically, is it possible to sign a file with these keys using openssl? If so, how? If not, what program could be used, and how?
>
> No, because OpenSSL does not support Ed25519 keys. I don't know which
> tool can.
>
> Also, even though it looks like PEM encoding, the ed25519.priv file
> is actually just a base64 encoded dump of the raw key, there's no ASN.1
> involved. I don't know if there is a standard for Ed25519 key formats.
> Even OpenSSH's id_ed25519 files don't contain valid ASN.1.
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
On Tue, Jan 26, 2016 at 08:35:15PM +0100, Anton Voyl wrote:

> My intention was to sign the content of export-all with the nodes' public key, which would require the corresponding private key to verify.
>
> Does this make sense?

Yes, that does make a lot of sense. I'll see if I can add a safe way to sign/verify arbitrary data with the tinc command.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
Superb! Looking forward to that!

> On 26 Jan 2016 at 20:52, Guus Sliepen <guus at tinc-vpn.org> wrote:
>
>> On Tue, Jan 26, 2016 at 08:35:15PM +0100, Anton Voyl wrote:
>>
>> My intention was to sign the content of export-all with the nodes' public key, which would require the corresponding private key to verify.
>>
>> Does this make sense?
>
> Yes, that does make a lot of sense. I'll see if I can add a safe way to
> sign/verify arbitrary data with the tinc command.
>
> --
> Met vriendelijke groet / with kind regards,
> Guus Sliepen <guus at tinc-vpn.org>
On Tue, Jan 26, 2016 at 08:52:29PM +0100, Guus Sliepen wrote:

> > My intention was to sign the content of export-all with the nodes' public key, which would require the corresponding private key to verify.
> >
> > Does this make sense?
>
> Yes, that does make a lot of sense. I'll see if I can add a safe way to
> sign/verify arbitrary data with the tinc command.

I totally should've spent my time on other things on the TODO list for tinc 1.1, but I've just added this functionality (it's in the git repository). You can now do:

Server:

    tinc export-all | tinc sign > all.signed

Client:

    tinc verify server all.signed | tinc import

You have to specify a node name when verifying data ("server" in the example above); only a signature made by that node will be accepted, or you have to specify "*" to allow signatures by any known node. Also, "." is shorthand for the local node.

Let me know if this is what you wanted.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
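The sign/verify flow and the node-name rules described in the message above, modelled as an added Go example (this is not tinc's own code or its signed-file format): the Ed25519 signature is bound to a constructed context string and to the signing node's name, and the verifier applies the "server", "*" and "." rules. The envelope layout, the context prefix, the Keyring type and the fixed demo seed are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Constructed domain-separation prefix (an assumption, not tinc's format): it keeps
// signatures over arbitrary data distinct from anything the same key signs inside tinc.
const signContext = "example-sign-v1\x00"
// Keyring maps node names to public keys, standing in for the keys tinc knows from host config files.
type Keyring map[string]ed25519.PublicKey
// Signed is this example's envelope: the signing node, its signature and the payload.
type Signed struct{ Node string; Sig, Data []byte }
// toBeSigned binds the context and the node name to the payload before signing.
func toBeSigned(node string, data []byte) []byte {
	return append([]byte(signContext+node+"\n"), data...)
}

// Sign signs data on behalf of node, the server-side "tinc sign" step.
func Sign(node string, priv ed25519.PrivateKey, data []byte) Signed {
	return Signed{node, ed25519.Sign(priv, toBeSigned(node, data)), data}
}

// Verify returns the payload only if it was signed by the expected node: a specific
// name, "*" for any known node, or "." for the local node, as "tinc verify" does.
func Verify(kr Keyring, local, expected string, s Signed) ([]byte, error) {
	if expected == "." {
		expected = local
	}
	if expected != "*" && s.Node != expected {
		return nil, fmt.Errorf("signed by %q, expected %q", s.Node, expected)
	}
	pub, ok := kr[s.Node]
	if !ok {
		return nil, fmt.Errorf("unknown node %q", s.Node)
	}
	if !ed25519.Verify(pub, toBeSigned(s.Node, s.Data), s.Sig) {
		return nil, fmt.Errorf("bad signature from %q", s.Node)
	}
	return s.Data, nil
}
// DemoKeys derives a constructed "server" key from a fixed seed; real keys must be random.
func DemoKeys() (Keyring, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed([]byte("server-seed-0123456789abcdefghij"))
	return Keyring{"server": priv.Public().(ed25519.PublicKey)}, priv
}

func main() {
	kr, priv := DemoKeys()
	fmt.Println(Verify(kr, "client", "server", Sign("server", priv, []byte("Address = 192.0.2.1\n"))))
}
```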