
Re: [MirageOS-devel] OCaml bindings for EC2 API



Hello,

I've written a blog post about the EC2 image bundling process, and what I have left to do. The short of it is:

- There is something wrong with the method I am using to turn xen kernels into images. The script, which I originally obtained from the mirage docs (http://openmirage.org/docs/xen-boot), was working earlier this summer. I may have accidentally deleted the line that generates an initrd. The original script

- I am running a shell command with OCaml's `Unix.open_process_in`. I need to figure out why the command is not giving consistent results... about 1 out of 10 times it will produce the correct digest. (A SHA1 digest of the input image after it is compressed and encrypted.)
The shell command is
 openssl sha1 < /tmp/ec2-bundle-image-digest-pipe-10174 & tar -c -h -S --owner 0 --group 0 -C /tmp mymirage.img | tee /tmp/ec2-bundle-image-digest-pipe-10174 | gzip -9 | openssl enc -e -aes-128-cbc -K aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa -iv bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb > ec2_tmp/mymirage.img.tar.gz.enc

And Hannes, thanks for your help! I was able to use nocrypto and ocaml-x509 to extract RSA keys and encrypt. I will look into replacing cryptokit with ocaml-sha.

Best,
Jyotsna


On Thu, Jul 17, 2014 at 11:59 AM, Hannes Mehnert <hannes@xxxxxxxxxxx> wrote:

Hi Jyotsna,

On 07/17/2014 19:48, Jyotsna Prakash wrote:
> For my GSoC project I've been working on OCaml bindings to the EC2
> API. The code is at https://github.com/moonlightdrive/ocaml-ec2

Awesome!

> I've yet to launch a Mirage-backed VM without using Amazon's
> CLI tools. The process involves producing an XML manifest
> describing an image; the manifest contains fields of RSA encrypted
> data. Problem is, I don't have any way to take my public keys (pem
> files) and turn them into `Cryptokit.RSA.key`s.

AFAICS you're only using SHA256 from Cryptokit so far -- you might
want to use ocaml-sha (https://github.com/vincenthz/ocaml-sha) for that.

Also, David wrote ocaml-nocrypto
(https://github.com/mirleft/ocaml-nocrypto) and we further developed
ocaml-x509 (https://github.com/mirleft/ocaml-x509/) where you can
parse pem to get a certificate
(https://github.com/mirleft/ocaml-x509/blob/master/lib/x509.mli#L18)
or a private key (RSA)
https://github.com/mirleft/ocaml-x509/blob/master/lib/x509.mli#L30
(example usage:
https://github.com/mirleft/ocaml-tls/blob/master/lwt/x509_lwt.ml#L49)

What do you need to do with the RSA key? The nocrypto API is at
https://github.com/mirleft/ocaml-nocrypto/blob/master/src/rsa.mli


Cheers,

Hannes


_______________________________________________
MirageOS-devel mailing list
MirageOS-devel@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel
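
The digest pipeline quoted in the message above, as an added example that is not code from the thread or from ocaml-ec2: the same tar/tee/gzip/openssl stages wrapped in a shell function that creates the FIFO itself, sends the background digest to its own file, and waits for the reader before returning. The function name, arguments and temporary paths are assumptions, and the thread does not establish what caused the inconsistent digests.

```shell
#!/bin/sh
# bundle_digest SRC_DIR FILE OUT KEY_HEX IV_HEX   (hypothetical helper)
# Writes the gzip'd, AES-128-CBC encrypted tar stream to OUT and prints the
# SHA-1 (hex) of the tar stream, i.e. the bytes that pass through tee.
bundle_digest() {
    src_dir=$1; name=$2; out=$3; key=$4; iv=$5

    # Private temp dir instead of a predictable name under /tmp.
    work=$(mktemp -d) || return 1
    fifo=$work/digest-pipe
    # The path must be a FIFO before tee opens it; otherwise tee would
    # create a regular file and the reader could see a partial stream.
    mkfifo "$fifo" || { rm -rf "$work"; return 1; }

    # Background reader: its output goes to a file of its own, so it cannot
    # interleave with anything else written to the shared stdout.
    openssl sha1 < "$fifo" > "$work/digest" &
    reader=$!

    tar -c -h -S --owner 0 --group 0 -C "$src_dir" "$name" \
        | tee "$fifo" \
        | gzip -9 \
        | openssl enc -e -aes-128-cbc -K "$key" -iv "$iv" > "$out"
    status=$?

    # Do not read the digest until the reader has seen EOF and exited.
    wait "$reader" || status=1

    # openssl prints "(stdin)= <hex>" or "SHA1(stdin)= <hex>" by version.
    digest=$(sed 's/^.*= *//' "$work/digest")
    rm -rf "$work"

    [ "$status" -eq 0 ] && [ -n "$digest" ] || return 1
    printf '%s\n' "$digest"
}
```

Passing the key with -K puts it on the command line, where other local users can read it from the process list while openssl runs.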


 

