| CPC G06F 21/52 (2013.01) [G06F 2221/033 (2013.01)] | 15 Claims |

|
1. A method, performed by at least one processor of a trust broker, for establishing trust of vendor-supplied Open Radio Access Network (O-RAN) software, the method comprising:
receiving a plurality of O-RAN software from a plurality of O-RAN software vendors, the plurality of O-RAN software respectively signed by the plurality of O-RAN software vendors;
for a software, among the plurality of O-RAN software, verifying a signature included with the software using a vendor certificate issued by a certificate authority (CA) of the corresponding vendor;
based on successful verification of the signature, performing a software attestation with respect to the software using a digital certificate issued by a CA of the trust broker; and
providing the attested software to an operator corresponding to an O-RAN system and with which the trust broker has a trust relationship,
wherein the performing the software attestation comprises:
submitting a certificate signing request (CSR) to the CA of the trust broker, the CSR including a public key of the trust broker;
obtaining the digital certificate issued by the CA of the trust broker, based on the certificate signing request, the digital certificate including the public key of the trust broker; and
generating at least one trust broker signature corresponding to the software, using a private key corresponding to the public key of the trust broker,
wherein the generating the at least one trust broker signature comprises:
generating a first trust broker signature by generating and encrypting, using the private key, a signature of the software;
generating a second trust broker signature by generating and encrypting, using the private key, a signature of a scan result corresponding to a vulnerability scan of the software; and
generating a third trust broker signature by generating and encrypting, using the private key, an SBOM of the software.
|
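The sequence in claim 1 (verify the vendor signature, then produce three trust broker signatures over the software, the scan result and the SBOM) can be sketched as follows. This is an added example, not code from the patent: it assumes raw Ed25519 keys in place of the CA-issued vendor and trust broker certificates, uses Ed25519 signing over a SHA-256 digest for the claim's "generating and encrypting" step, and the type labels, function names and sample artifacts are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Attestation holds the three trust broker signatures named in the claim.
type Attestation struct {
	SoftwareSig, ScanSig, SBOMSig []byte
}

// digest binds a type label to the artifact so signatures are not interchangeable.
func digest(label string, data []byte) []byte {
	h := sha256.New()
	h.Write(append([]byte(label), 0))
	h.Write(data)
	return h.Sum(nil)
}

// Attest verifies the vendor signature first and signs only on success.
// Assumption: raw Ed25519 keys stand in for the vendor and broker certificates.
func Attest(vendorPub ed25519.PublicKey, broker ed25519.PrivateKey, sw, vendorSig, scan, sbom []byte) (*Attestation, error) {
	if !ed25519.Verify(vendorPub, sw, vendorSig) {
		return nil, errors.New("vendor signature invalid: software not attested")
	}
	return &Attestation{
		SoftwareSig: ed25519.Sign(broker, digest("software", sw)),
		ScanSig:     ed25519.Sign(broker, digest("scan-result", scan)),
		SBOMSig:     ed25519.Sign(broker, digest("sbom", sbom)),
	}, nil
}

// VerifyAttestation is the operator-side check against the broker public key.
func VerifyAttestation(brokerPub ed25519.PublicKey, a *Attestation, sw, scan, sbom []byte) bool {
	return ed25519.Verify(brokerPub, digest("software", sw), a.SoftwareSig) &&
		ed25519.Verify(brokerPub, digest("scan-result", scan), a.ScanSig) &&
		ed25519.Verify(brokerPub, digest("sbom", sbom), a.SBOMSig)
}

func main() {
	vPub, vPriv, _ := ed25519.GenerateKey(nil) // constructed vendor key
	bPub, bPriv, _ := ed25519.GenerateKey(nil) // constructed broker key
	sw, scan, sbom := []byte("rapp-image-bytes"), []byte(`{"findings":0}`), []byte(`{"components":[]}`)
	a, err := Attest(vPub, bPriv, sw, ed25519.Sign(vPriv, sw), scan, sbom)
	fmt.Println(err, VerifyAttestation(bPub, a, sw, scan, sbom))
}
```

An operator that receives the bundle runs `VerifyAttestation` against the trust broker's public key and rejects the software if any of the three signatures fails.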