1、BSI Standards PublicationBS ISO/IEC 17960:2015Information technology Programming languages, their environments and system software interfaces Code signing for source codeBS ISO/IEC 17960:2015 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of ISO/IEC 17960:2015.The UK
2、 participation in its preparation was entrusted to Technical Committee IST/5, Programming languages, their environments and system software interfaces.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include all th
3、e necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2015. Published by BSI Standards Limited 2015ISBN 978 0 580 82023 6 ICS 35.060 Compliance with a British Standard cannot confer immunity from legal obligations.This British Stan
4、dard was published under the authority of the Standards Policy and Strategy Committee on 30 September 2015.Amendments/corrigenda issued since publicationDate T e x t a f f e c t e dBS ISO/IEC 17960:2015Information technology Programming languages, their environments and system software interfaces Co
5、de signing for source codeTechnologies de linformation Langages de programmation, leur environnement et interfaces des logiciels de systmes Signature numrique pour le code sourceINTERNATIONAL STANDARDISO/IEC17960Reference numberISO/IEC 17960:2015(E)First edition2015-09-01 ISO/IEC 2015BS ISO/IEC 1796
6、0:2015ii ISO/IEC 2015 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO/IEC 2015, Published in SwitzerlandAll rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopyi
7、ng, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCh. de Blandonnet 8 CP 401CH-1214 Vernier, Geneva, SwitzerlandTel. +41 22 749 01 1
8、1Fax +41 22 749 09 47copyrightiso.orgwww.iso.orgISO/IEC 17960:2015(E)BS ISO/IEC 17960:2015ISO/IEC 17960:2015(E)Foreword ivIntroduction v1 Scope . 12 Conformance . 13 Normative references 14 Terms and definitions . 25 Concepts 36 Requirements 46.1 General . 46.2 Certificates 46.3 Hash code. 56.4 Init
9、ial code signing. 56.5 Modifying signed previous versions . 56.6 Revision format 5Annex A (informative) Notional code signing process 6Bibliography 7 ISO/IEC 2015 All rights reserved iiiContents PageBS ISO/IEC 17960:2015ISO/IEC 17960:2015(E)ForewordISO (the International Organization for Standardiza
10、tion) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be
11、represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.The procedures used to
12、develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
13、 ISO/IEC Directives, Part 2 (see www.iso.org/directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified duri
14、ng the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.For an explanation on the mean
15、ing of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary informationISO/IEC 17960, was prepared by Joint Technical Committee I
16、SO/IEC JTC 1, Information technology, Subcommittee SC 22, Programming languages, their environments and system software interfaces.iv ISO/IEC 2015 All rights reservedBS ISO/IEC 17960:2015ISO/IEC 17960:2015(E)IntroductionSource code is written and is used in many critical applications. Knowing that t
17、he source code being relied upon is the same as that which was used in testing is vital to ensuring the safety and security of a particular application. Given the ease with which source code can be modified, some method of protecting the integrity and authenticity of the source code is necessary. Se
18、questration of the source code throughout the supply chain is one possible method, but ensuring protection in that way is impractical and unreliable. Virtual protection through the use of a digital signature offers a practical solution and provides integrity and authentication even though the source
19、 code may traverse an insecure supply chain.Source code may be modified for legitimate reasons as it moves through the supply chain or over time. Modifications to source code may be made to correct the software or to adapt it for other purposes. Modifications may only involve changes to a few lines
20、of code and in most cases is not made by the original author or team of authors. Revision control software facilitates tracking of the software changes, but such tracking can easily be spoofed. The use of a digital signature provides a means to restrict the ability to spoof. Digital code signing ass
21、igns a responsible party to each revision of the source code and thus can demonstrate the authenticity of the responsible party, the source code and the software changes that have been made between revisions. By doing this, an electronic pedigree for the source code can be established.This standard
22、specifies the process for signing source code in order to ensure the integrity and authenticity of the source code and a means for rolling back the source code to signed previous versions. Clause 5 provides an overview of the concepts of code signing. Conformance requirements for this standard are s
23、pecified in Clause 6. Annex A is informative and provides a step by step description of a typical application for the standard specified in Clause 6 to assist in understanding code signing. The bibliography lists documents that were referenced during preparation of this standard. ISO/IEC 2015 All ri
24、ghts reserved vBS ISO/IEC 17960:2015BS ISO/IEC 17960:2015Information technology Programming languages, their environments and system software interfaces Code signing for source code1 ScopeThis International Standard specifies a language-neutral and environment-neutral description to define the metho
25、dology needed to support the signing of software source code, to enable it to be uniquely identified, and to enable roll-back to signed previous versions. It is intended to be used by originators of software source code and the recipients of their signed source code. This International Standard is d
26、esigned for transfers of source code among disparate entities.The following areas are outside the scope of this International Standard: Determination of the trust level of a certification authority; Format used to track revisions of source code files; Digital signing of object or binary code; System
27、 configuration and resource availability; Metadata This is partially addressed by ISO/IEC 19770-2; Transmission and representation issues Though this could be an issue in implementation, there are techniques such as Portable Document Format (PDF)1)that can be used to mitigate these issues. This appl
28、ies in particular to the transmission of digital signatures.2 ConformanceAn implementation of code signing conforms to this International Standard if it meets the requirements specified in Clause 6.3 Normative referencesThe following documents, in whole or in part, are normatively referenced in this
29、 standard and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.ISO/IEC 9594-8:2014, Information technology Open Systems Interconnection The Directory P
30、art 8: Public-key and attribute certificate frameworks2)ISO/IEC 10118-3:2004, Information technology Security techniques Hash-functions Part 3: Dedicated hash functions1) ISO 32000-1:2008 Document management Portable document format Part 1: PDF 1 specifies a digital form for representing electronic
31、documents to enable users to exchange and view electronic documents independent of the environment in which they were created or the environment in which they are viewed or printed.2) This is equivalent to ITU-T Recommendation X.509: 2005, “Information Technology Open Systems Interconnection The Dir
32、ectory: Public-Key and attribute certificate frameworks ”INTERNATIONAL STANDARD ISO/IEC 17960:2015(E) ISO/IEC 2015 All rights reserved 1BS ISO/IEC 17960:2015ISO/IEC 17960:2015(E)ISO/IEC 13888-1:2009, Information technology Security techniques Non-repudiation Part 1: General4 Terms and definitionsFor
33、 the purposes of this document, the following terms and definitions apply.4.1certificateentitys data rendered unforgeable with the private or secret key of a certification authoritySOURCE: ISO/IEC 13888-1:20094.2certification authorityauthority trusted by one or more users to create and assign certi
34、ficatesSOURCE: ISO/IEC 13888-1:20094.3changesetset of all changes that are applied to a configuration to derive a new configuration4.4digital signaturedata appended to, or a cryptographic transformation of, a data unit that allows the recipient of the data unit to prove the source and integrity of t
35、he data unit and protect against forgery, e.g. by the recipientSOURCE: ISO/IEC 13888-1:20094.5hash codestring of bits that is the output of a hash-functionSOURCE: ISO/IEC 13888-1:20094.6hash-functionfunction which maps strings of bits to fixed-length strings of bits, satisfying the following two pro
36、perties: 1) it is computationally infeasible to find for a given output an input which maps to this output; 2) it is computationally infeasible to find for a given input a second input which maps to the same outputSOURCE: ISO/IEC 13888-1:20094.7originatorentity that sends a message to the recipient
37、or makes available a message for which non-repudiation services are to be providedSOURCE: ISO/IEC 13888-1:20094.8private keykey of an entitys asymmetric key pair which should only be used by that entitySOURCE: ISO/IEC 13888-1:20092 ISO/IEC 2015 All rights reservedBS ISO/IEC 17960:2015ISO/IEC 17960:2
38、015(E)4.9public keykey of an entitys asymmetric key pair which can be made publicSOURCE: ISO/IEC 13888-1:20094.10public key certificatepublic key information of an entity signed by the certification authority and thereby rendered unforgeableSOURCE: ISO/IEC 13888-1:20094.11recipiententity that gets (
39、receives or fetches) a message for which non-repudiation services are to be providedSOURCE: ISO/IEC 13888-1:20094.12snapshotcomplete copy of a configuration5 ConceptsThis clause provides an overview of the concepts of code signing.Code signing is a technique for providing a digital signature for sou
40、rce code to support a verification of the originator and a verification that the code has not been altered since it was signed.Code signing can provide several valuable functions such as: knowledge of the history of the source code confidence that the source code has not been accidentally or malicio
41、usly altered verification of the identity of the responsible party for the source code accountability for the source code non-repudiation of the originator of the source codeCode signing identifies to customers the responsible party for the source code and confirms that it has not been modified sinc
42、e the signature was applied. Verification of the originator of the source code of the software is extremely important since the security and integrity of the receiving systems can be compromised by faulty or malicious code. In addition to protecting the security and integrity of the software, code s
43、igning provides authentication of the author, originator or distributor of the source code, and protects the brand and the intellectual property of the developer of the software by making applications uniquely identifiable and more difficult to falsify or alter maliciously.When source code is associ
44、ated with an originators unique signature, distributing source code on the Internet is no longer an anonymous activity. Digital signatures ensure accountability, just as a manufacturers brand name ensures accountability with packaged software. Distributions on the Internet lack this accountability a
45、nd code signing provides a means to offer the needed accountability. Accountability can be a strong deterrent to the distribution of harmful code. Even though software may be acquired or distributed from an untrusted site or a site that is unfamiliar, the fact that it is signed by a known and truste
46、d entity allows the software to be used with confidence that it has not been changed as compared to the most recently signed version. ISO/IEC 2015 All rights reserved 3BS ISO/IEC 17960:2015ISO/IEC 17960:2015(E)In addition to the valuable functions that code signing offers, this International Standar
47、d will specifically facilitate the following capabilities: a mechanism to show what has been altered in the source code and the responsible party for such changes; multiple signatures to allow for an audit trail of the signed source code; versioning information; storage of other metadata about the s
48、ource code.The capability for a tracking mechanism and multiple signatures for one piece of source code is needed in some cases in order to create a digital trail through the history of the source code. Consider a signed piece of source code. Someone should be able to modify a portion of the source
49、code, even if just one line or even one character, without assuming responsibility for the remainder of the source code. A recipient of the source code should be able to identify the responsible party for each portion of the source code. For instance, a very trustworthy company A produces source code for a driver. Company B modifies company As source code for a particular use. Company B is not as trusted or has an unknown reputation. The recipient should be able to determine e
