On 21.06.2011 11:33, Tomasz Kojm wrote:
> On Tue, 21 Jun 2011 04:48:44 +0200 Fritz Elfert <fr...@fritz-elfert.de>
> wrote:
>> Hi,
>>
>> In a completely isolated network environment, I want to set up my own
>> CVD database server and create my own special signatures. Looking at
>> the source of sigtool, it connects to some "signing" server using
>> manually supplied credentials, then sends several sign requests and
>> retrieves the results.
>>
>> What I can't figure out: where is the source of that "signing" server,
>> resp. which algorithm does it use for signing?
>>
>> Hopefully somebody can shed some light on that...
>
> Hi Fritz,
>
> you can't create digitally signed CVD files, this can only be done by
> the ClamAV team.
Why not? If I use my own PKI and build custom clamav binaries using its public keys (from a quick look, I guess the CLI_NSTR and CLI_ESTR defines), I can sign a database and clamav would then accept it as "official". Of course, the real official DBs would then be recognized as invalid by those clamav binaries. I don't care. As I said, this is a completely isolated environment and the whole thing is not even about virus/malware detection; what I want to achieve with this is to exploit clamav's ability to quickly scan over data (recursive unpacking of archives etc.), then "quarantine" the desired fragments of data for later processing. I specifically *do* need signed CVDs, however, in order to assure that only the proper internal authority can change the sigs. (The data to be detected and "quarantined" are selected certificates and CSRs in various forms.)

All I need for that is either the signing server source or at least an exact description of the signing process (what exactly is hashed, which algorithm/format, what exactly goes into the compiled-in constants of the clamav binary). I could reverse engineer those, but I'm currently in the process of a *quick* evaluation, so I'm in a hurry. From looking at sigtool I guess it's pretty simple (perhaps just some perl script using a little bit of openssl stuff). After all, clamav is OSS, so security by obscurity isn't really an option, is it?

> However, with the development version of ClamAV you can create unsigned
> containers (*.cud files).

Unsigned containers are *not* what I want.

> Hope this helps,

Unfortunately not ...

Thanks for your time
-Fritz
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net