c2patool
How to create the certs?
Self-signed certs or general SSL certs seem not to be working. It would be helpful if there were any literature pointing out how to get the ES256-signed certs and what is needed to get them.
Created ECC certificate as well, but still keep getting invalid COSE
@mauricefisher64 - Any help here please? Not able to find any documentation or steps to get the certificates.
I keep getting this error endlessly; any pointers on how I can debug or see more so I can proceed any further?

```
Signature that was just generated does not validate: CoseInvalidCert
```
Adding an example of an openssl command in README.md that shows how to generate a self-signed certificate that works with c2patool would be great.

In addition, getting more information than CoseInvalidCert when passing invalid certs to c2patool would also be helpful: I see that c2pa-rs logs precise information about what went wrong; it would be great to be able to access that information in c2patool with a flag.

I haven't been able to generate a cert + key combination that passes c2pa-rs checks following the "Signing manifests" guide currently published on your website, which might need to be updated?

Thanks in advance,
Older versions of this repo's README.md feature a code snippet for that specific purpose:

```shell
openssl req -new -newkey rsa:4096 \
  -sigopt rsa_padding_mode:pss \
  -days 180 \
  -extensions v3_ca \
  -addext "keyUsage = digitalSignature" \
  -addext "extendedKeyUsage = emailProtection" \
  -nodes -x509 -keyout private.key -out certs.pem -sha256
```

Which works.
My understanding is that this was removed to clarify that c2patool
comes with a built-in cert / key for testing purposes.
I think this would still be great to have for reference. If not here, maybe on the "Signing Manifests" page of opensource.contentauthenticity.org.
PS: The v3_ca extension is sometimes not available out-of-the-box on Mac OS, but specific instructions could be given for that case.
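As an added example (not from the c2patool project or any commenter in this thread), the script below runs the README-style openssl command quoted above and then inspects the resulting certificate for the properties that command is meant to set: an RSA-PSS signature, keyUsage containing Digital Signature, and extendedKeyUsage containing E-mail Protection. A cert generated without the two `-addext` lines and without PSS fails the check, which makes it a quick way to confirm a cert at least carries the extensions before feeding it to c2patool. The `-subj` value and the `check_cert` helper are assumptions added here so the command runs non-interactively; the check only confirms the extensions are present and says nothing about whether the SDK's trust rules accept the cert.

```shell
#!/bin/sh
# Added example, not part of the c2patool project.
# gen_cert DIR: generate private.key and certs.pem in DIR with the README-style
# options (the -subj value is a constructed placeholder so openssl does not prompt).
gen_cert() {
  dir="$1"
  openssl req -new -newkey rsa:4096 \
    -sigopt rsa_padding_mode:pss \
    -days 180 \
    -extensions v3_ca \
    -addext "keyUsage = digitalSignature" \
    -addext "extendedKeyUsage = emailProtection" \
    -subj "/CN=c2patool example cert (constructed)" \
    -nodes -x509 -keyout "$dir/private.key" -out "$dir/certs.pem" -sha256 2>/dev/null
}

# check_cert PEMFILE: return 0 only if the cert is signed with RSA-PSS and carries
# the Digital Signature key usage and the E-mail Protection extended key usage.
# Each failing property is reported on stderr so a practitioner can see what is missing.
check_cert() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
    echo "check_cert: cannot parse $1" >&2; return 1; }
  ok=0
  printf '%s\n' "$text" | grep -q 'Signature Algorithm: rsassaPss' \
    || { echo "check_cert: signature algorithm is not RSA-PSS" >&2; ok=1; }
  printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature' \
    || { echo "check_cert: keyUsage lacks Digital Signature" >&2; ok=1; }
  printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | grep -q 'E-mail Protection' \
    || { echo "check_cert: extendedKeyUsage lacks E-mail Protection" >&2; ok=1; }
  return $ok
}

# Usage when run directly: generate into a temp dir and report the result.
if [ "${0##*/}" = "check_c2pa_cert.sh" ]; then
  work=$(mktemp -d)
  gen_cert "$work"
  if check_cert "$work/certs.pem"; then
    echo "certs.pem carries the expected signature algorithm and extensions"
  else
    echo "certs.pem is missing at least one expected property"
  fi
fi
```

`check_cert` reads the human-readable `openssl x509 -text` dump rather than the DER structure, so it is a convenience check for the fields the README command sets, not a substitute for the validation c2pa-rs performs.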
I've tried with both self-signed certificates (created with the command above ☝️) and also with certificates signed by a root CA, but I always get the following error when using an RSA key and "alg": "PS512":

```
[2023-10-16T09:32:11Z ERROR c2pa::store] Signature that was just generated does not validate: CoseInvalidCert
Error: embedding manifest
Caused by:
COSE error parsing certificate
```
Any thoughts?
CC: @mauricefisher64
Ok, I've dug into the code and it seems that the C2PA SDK intentionally forbids self-signed certificates:
https://github.com/contentauth/c2pa-rs/blob/d9b077c8790e172d5bc9f23dc17f13df343160f1/sdk/src/cose_validator.rs#L350
I wonder, does this mean that the C2PA spec does not allow self-signed certificates? Or does the spec not forbid it, but the SDK does not allow it because it does not make sense in practice?
According to the C2PA spec, self-signed certs or SSL certs are not supported.