1、BSI Standards Publication BS ISO/IEC 17960:2015 Information technology Programming languages, their environments and system software interfaces Code signing for source codeBS ISO/IEC 17960:2015 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/IEC 17960:2015. T
2、he UK participation in its preparation was entrusted to Technical Committee IST/5, Programming languages, their environments and system software interfaces. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include
3、 all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2015. Published by BSI Standards Limited 2015 ISBN 978 0 580 82023 6 ICS 35.060 Compliance with a British Standard cannot confer immunity from legal obligations. This Bri
4、tish Standard was published under the authority of the Standards Policy and Strategy Committee on 30 September 2015. Amendments/corrigenda issued since publication Date T e x t a f f e c t e dBS ISO/IEC 17960:2015 Information technology Programming languages, their environments and system software i
5、nterfaces Code signing for source code Technologies de linformation Langages de programmation, leur environnement et interfaces des logiciels de systmes Signature numrique pour le code source INTERNATIONAL STANDARD ISO/IEC 17960 Reference number ISO/IEC 17960:2015(E) First edition 2015-09-01 ISO/IEC
6、 2015 BS ISO/IEC 17960:2015ii ISO/IEC 2015 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2015, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanica
7、l, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switz
8、erland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 17960:2015(E)BS ISO/IEC 17960:2015ISO/IEC 17960:2015(E)Foreword iv Introduction v 1 Scope . 1 2 Conformance . 1 3 Normative references 1 4 T erms and definitions . 2 5 Concepts 3 6 Requirements 4 6.1 General . 4 6
9、.2 Certificates 4 6.3 Hash code. 5 6.4 Initial code signing. 5 6.5 Modifying signed previous versions . 5 6.6 Revision format 5 Annex A (informative) Notional code signing process 6 Bibliography 7 ISO/IEC 2015 All rights reserved iii Contents PageBS ISO/IEC 17960:2015ISO/IEC 17960:2015(E) Foreword I
10、SO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical c
11、ommittee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electr
12、otechnical standardization. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was dr
13、afted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent
14、rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not con
15、stitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information ISO
16、/IEC 17960, was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 22, Programming languages, their environments and system software interfaces.iv ISO/IEC 2015 All rights reservedBS ISO/IEC 17960:2015ISO/IEC 17960:2015(E) Introduction Source code is written
17、and is used in many critical applications. Knowing that the source code being relied upon is the same as that which was used in testing is vital to ensuring the safety and security of a particular application. Given the ease with which source code can be modified, some method of protecting the integ
18、rity and authenticity of the source code is necessary. Sequestration of the source code throughout the supply chain is one possible method, but ensuring protection in that way is impractical and unreliable. Virtual protection through the use of a digital signature offers a practical solution and pro
19、vides integrity and authentication even though the source code may traverse an insecure supply chain. Source code may be modified for legitimate reasons as it moves through the supply chain or over time. Modifications to source code may be made to correct the software or to adapt it for other purpos
20、es. Modifications may only involve changes to a few lines of code and in most cases is not made by the original author or team of authors. Revision control software facilitates tracking of the software changes, but such tracking can easily be spoofed. The use of a digital signature provides a means
21、to restrict the ability to spoof. Digital code signing assigns a responsible party to each revision of the source code and thus can demonstrate the authenticity of the responsible party, the source code and the software changes that have been made between revisions. By doing this, an electronic pedi
22、gree for the source code can be established. This standard specifies the process for signing source code in order to ensure the integrity and authenticity of the source code and a means for rolling back the source code to signed previous versions. Clause 5 provides an overview of the concepts of cod
23、e signing. Conformance requirements for this standard are specified in Clause 6. Annex A is informative and provides a step by step description of a typical application for the standard specified in Clause 6 to assist in understanding code signing. The bibliography lists documents that were referenc
24、ed during preparation of this standard. ISO/IEC 2015 All rights reserved vBS ISO/IEC 17960:2015BS ISO/IEC 17960:2015Information technology Programming languages, their environments and system software interfaces Code signing for source code 1 Scope This International Standard specifies a language-ne
25、utral and environment-neutral description to define the methodology needed to support the signing of software source code, to enable it to be uniquely identified, and to enable roll-back to signed previous versions. It is intended to be used by originators of software source code and the recipients
26、of their signed source code. This International Standard is designed for transfers of source code among disparate entities. The following areas are outside the scope of this International Standard: Determination of the trust level of a certification authority; Format used to track revisions of sourc
27、e code files; Digital signing of object or binary code; System configuration and resource availability; Metadata This is partially addressed by ISO/IEC 19770-2; Transmission and representation issues Though this could be an issue in implementation, there are techniques such as Portable Document Form
28、at (PDF) 1)that can be used to mitigate these issues. This applies in particular to the transmission of digital signatures. 2 Conformance An implementation of code signing conforms to this International Standard if it meets the requirements specified in Clause 6. 3 Normative references The following
29、 documents, in whole or in part, are normatively referenced in this standard and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 9594-8:2014,
30、 Information technology Open Systems Interconnection The Directory Part 8: Public-key and attribute certificate frameworks 2) ISO/IEC 10118-3:2004, Information technology Security techniques Hash-functions Part 3: Dedicated hash functions 1) ISO 32000-1:2008 Document management Portable document for
31、mat Part 1: PDF 1 specifies a digital form for representing electronic documents to enable users to exchange and view electronic documents independent of the environment in which they were created or the environment in which they are viewed or printed. 2) This is equivalent to ITU-T Recommendation X
32、.509: 2005, “Information Technology Open Systems Interconnection The Directory: Public-Key and attribute certificate frameworks” INTERNATIONAL ST ANDARD ISO/IEC 17960:2015(E) ISO/IEC 2015 All rights reserved 1BS ISO/IEC 17960:2015ISO/IEC 17960:2015(E) ISO/IEC 13888-1:2009, Information technology Sec
33、urity techniques Non-repudiation Part 1: General 4 T erms a nd definiti ons For the purposes of this document, the following terms and definitions apply. 4.1 c e r t i f ic at e entitys data rendered unforgeable with the private or secret key of a certification authority SOURCE: ISO/IEC 13888-1:2009
34、 4.2 c er t i f i c a t i o n a ut h o r it y authority trusted by one or more users to create and assign certificates SOURCE: ISO/IEC 13888-1:2009 4.3 changeset set of all changes that are applied to a configuration to derive a new configuration 4.4 digital signature data appended to, or a cryptogr
35、aphic transformation of, a data unit that allows the recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient SOURCE: ISO/IEC 13888-1:2009 4.5 hash code string of bits that is the output of a hash-function SOURCE: ISO/IEC 13888-
36、1:2009 4.6 hash-function function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties: 1) it is computationally infeasible to find for a given output an input which maps to this output; 2) it is computationally infeasible to find for a given input a se
37、cond input which maps to the same output SOURCE: ISO/IEC 13888-1:2009 4.7 originator entity that sends a message to the recipient or makes available a message for which non-repudiation services are to be provided SOURCE: ISO/IEC 13888-1:2009 4.8 private key key of an entitys asymmetric key pair whic
38、h should only be used by that entity SOURCE: ISO/IEC 13888-1:20092 ISO/IEC 2015 All rights reservedBS ISO/IEC 17960:2015ISO/IEC 17960:2015(E) 4.9 public key key of an entitys asymmetric key pair which can be made public SOURCE: ISO/IEC 13888-1:2009 4.10 p u b l i c k e y c e r t i f i c a t e public
39、 key information of an entity signed by the certification authority and thereby rendered unforgeable SOURCE: ISO/IEC 13888-1:2009 4.11 recipient entity that gets (receives or fetches) a message for which non-repudiation services are to be provided SOURCE: ISO/IEC 13888-1:2009 4.12 snapshot complete
40、copy of a configuration 5 Concepts This clause provides an overview of the concepts of code signing. Code signing is a technique for providing a digital signature for source code to support a verification of the originator and a verification that the code has not been altered since it was signed. Co
41、de signing can provide several valuable functions such as: knowledge of the history of the source code confidence that the source code has not been accidentally or maliciously altered verification of the identity of the responsible party for the source code accountability for the source code non-rep
42、udiation of the originator of the source code Code signing identifies to customers the responsible party for the source code and confirms that it has not been modified since the signature was applied. Verification of the originator of the source code of the software is extremely important since the
43、security and integrity of the receiving systems can be compromised by faulty or malicious code. In addition to protecting the security and integrity of the software, code signing provides authentication of the author, originator or distributor of the source code, and protects the brand and the intel
44、lectual property of the developer of the software by making applications uniquely identifiable and more difficult to falsify or alter maliciously. When source code is associated with an originators unique signature, distributing source code on the Internet is no longer an anonymous activity. Digital
45、 signatures ensure accountability, just as a manufacturers brand name ensures accountability with packaged software. Distributions on the Internet lack this accountability and code signing provides a means to offer the needed accountability. Accountability can be a strong deterrent to the distributi
46、on of harmful code. Even though software may be acquired or distributed from an untrusted site or a site that is unfamiliar, the fact that it is signed by a known and trusted entity allows the software to be used with confidence that it has not been changed as compared to the most recently signed ve
47、rsion. ISO/IEC 2015 All rights reserved 3BS ISO/IEC 17960:2015ISO/IEC 17960:2015(E) In addition to the valuable functions that code signing offers, this International Standard will specifically facilitate the following capabilities: a mechanism to show what has been altered in the source code and th
48、e responsible party for such changes; multiple signatures to allow for an audit trail of the signed source code; versioning information; storage of other metadata about the source code. The capability for a tracking mechanism and multiple signatures for one piece of source code is needed in some cas
49、es in order to create a digital trail through the history of the source code. Consider a signed piece of source code. Someone should be able to modify a portion of the source code, even if just one line or even one character, without assuming responsibility for the remainder of the source code. A recipient of the source code should be able to identify the responsible party for each portion of the source code. For inst
