From: Vitaly Chikunov
To: Mimi Zohar, Dmitry Kasatkin, linux-integrity@vger.kernel.org
Subject: [PATCH v6 3/3] ima-evm-utils: Read keyid from the cert appended to the key file
Date: Tue, 11 May 2021 14:56:30 +0300
Message-Id: <20210511115630.795208-4-vt@altlinux.org>
In-Reply-To: <20210511115630.795208-1-vt@altlinux.org>
References: <20210511115630.795208-1-vt@altlinux.org>

Allow a certificate to be appended to the private key in the `--key' specified (PEM) file (for v2 signing) to facilitate reading the keyid from the associated cert. This will allow users to have the private and public key as a single file. There is no check that the public key from the cert matches the associated private key.

Signed-off-by: Vitaly Chikunov
---
 README          | 3 +++
 src/libimaevm.c | 8 +++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/README b/README index 0e1f6ba..ea11bde 100644 --- a/README +++ b/README @@ -127,6 +127,9 @@ for signing and importing the key. Second key format uses X509 DER encoded public key certificates and uses asymmetric key support in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default). +For v2 signatures x509 certificate with the public key could be appended to the private +key (both are in PEM format) to properly determine its Subject Key Identifier (SKID). + Integrity keyrings ----------------
diff --git a/src/libimaevm.c b/src/libimaevm.c index 1c03768..bfce7ef 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c
@@ -1021,10 +1021,12 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash, return -1; } - if (imaevm_params.keyid) + if (imaevm_params.keyid) { hdr->keyid = htonl(imaevm_params.keyid); - else - calc_keyid_v2(&hdr->keyid, name, pkey); + } else { + if (__read_keyid(&hdr->keyid, keyfile, KEYID_FILE_PEM_KEY)) + calc_keyid_v2(&hdr->keyid, name, pkey); + } st = "EVP_PKEY_CTX_new"; if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL))) -- 2.11.0
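Review bot: the README hunk documents the new behaviour but omits the caveat the commit message itself states, namely that nothing verifies the appended certificate's public key matches the private key it sits next to, so a mismatched pair silently produces signatures carrying a keyid the kernel cannot resolve at verification time; user-facing docs should say so. The wording also needs articles and should name the fallback visible in the libimaevm.c hunk, e.g. "For v2 signatures an X.509 certificate with the public key can be appended to the private key (both in PEM format) so that the Subject Key Identifier (SKID) is read from the certificate; otherwise the keyid is calculated from the public key."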
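Review bot: in the new `} else {` branch of sign_hash_v2 the fallback cannot tell "no certificate appended to keyfile" from "certificate present but unparsable or mismatched", because any non-zero return from `__read_keyid(&hdr->keyid, keyfile, KEYID_FILE_PEM_KEY)` drops straight into `calc_keyid_v2(&hdr->keyid, name, pkey)`; a broken cert is thereby masked and the file is signed with a computed keyid the user did not expect. Consider a distinct return value for the no-cert case and a log line (at least in debug mode) when a cert was found but not usable, and, since the commit message concedes there is no key-match check, an `EVP_PKEY_cmp()` of `pkey` against the key parsed from the cert where `__read_keyid` reads it would close that gap cheaply. Two smaller points: the keyid from the cert is stored into `hdr->keyid` without the `htonl()` the `imaevm_params.keyid` branch applies, so confirm `__read_keyid` writes it in the same network byte order `calc_keyid_v2` produces; and the nested `if` is an `else if` in disguise, while the leading double underscore in `__read_keyid` puts the helper in the identifier space C reserves for the implementation, so a name such as `read_keyid_from_file` would be cleaner.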