From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: [PATCH ima-evm-utils v8 3/3] Read keyid from the cert appended to the key file
Date: Mon, 12 Jul 2021 08:44:48 +0300 [thread overview]
Message-ID: <20210712054448.2471236-4-vt@altlinux.org> (raw)
In-Reply-To: <20210712054448.2471236-1-vt@altlinux.org>
Allow a certificate to be appended to the private key in the `--key'
specified (PEM) file (for v2 signing) to facilitate reading the keyid
from the associated cert. This allows users to keep the private and
public key in a single file and avoids the need to manually specify the
keyid. There is no check that the public key from the cert matches the
associated private key.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
README | 3 +++
src/libimaevm.c | 8 ++++++--
tests/gen-keys.sh | 25 +++++++++++++++++++++----
tests/sign_verify.test | 1 +
4 files changed, 31 insertions(+), 6 deletions(-)
diff --git README README
index a130519..23e7d17 100644
--- README
+++ README
@@ -128,6 +128,9 @@ for signing and importing the key.
Second key format uses X509 DER encoded public key certificates and uses asymmetric key support
in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
+For v2 signatures x509 certificate (containing the public key) could be appended to the
+private key (they both are in PEM format) to automatically extract keyid from its Subject
+Key Identifier (SKID).
Integrity keyrings
----------------
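Review bot: the new README paragraph leaves out the two behaviours a user will actually hit, both visible in the libimaevm.c hunk of this patch: an explicit `--keyid` still takes precedence over the appended certificate, and a cert that cannot be read or has no Subject Key Identifier silently falls back to the keyid computed from the public key. It should also carry the caveat from the commit message that the tool does not check that the appended certificate's public key matches the private key. Minor wording: "an X509 certificate" (the paragraph above already uses "X509"), and "can be appended" rather than "could be appended".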
diff --git src/libimaevm.c src/libimaevm.c
index ce1e276..7d5cbe0 100644
--- src/libimaevm.c
+++ src/libimaevm.c
@@ -1046,8 +1046,12 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
if (imaevm_params.keyid)
keyid = htonl(imaevm_params.keyid);
- else
- calc_keyid_v2(&keyid, name, pkey);
+ else {
+ int keyid_read_failed = read_keyid_from_cert(&keyid, keyfile, false);
+
+ if (keyid_read_failed)
+ calc_keyid_v2(&keyid, name, pkey);
+ }
hdr->keyid = keyid;
st = "EVP_PKEY_CTX_new";
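Review bot: the fallback `if (keyid_read_failed) calc_keyid_v2(&keyid, name, pkey);` treats every nonzero return from `read_keyid_from_cert()` the same way, so a key file that does carry an appended cert which is malformed or lacks an SKID gets a keyid computed from the public key with no indication to the signer, and the resulting signature will not match the keyid the user expected from the cert. Consider distinguishing "no certificate present" from "certificate present but unusable" and at least logging the second case. The commit message also states there is no check that the cert's public key matches the private key; since `pkey` is already in hand here, comparing it against the certificate's public key (for example `EVP_PKEY_cmp(pkey, X509_get0_pubkey(cert))` inside `read_keyid_from_cert()`) would close that gap, otherwise a mismatched cert produces a signature carrying a keyid that points the kernel at the wrong key. The name `keyid_read_failed` for a variable holding a raw return code is also slightly misleading; `ret` or `err` would match the rest of the file.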
diff --git tests/gen-keys.sh tests/gen-keys.sh
index 46130cf..d604c96 100755
--- tests/gen-keys.sh
+++ tests/gen-keys.sh
@@ -20,7 +20,7 @@ PATH=../src:$PATH
type openssl
log() {
- echo - "$*"
+ echo >&2 - "$*"
eval "$@"
}
@@ -43,26 +43,43 @@ cat > test-ca.conf <<- EOF
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
+
+ [ skid ]
+ basicConstraints=CA:TRUE
+ subjectKeyIdentifier=12345678
+ authorityKeyIdentifier=keyid:always,issuer
EOF
fi
# RSA
# Second key will be used for wrong key tests.
-for m in 1024 2048; do
+for m in 1024 1024_skid 2048; do
if [ "$1" = clean ] || [ "$1" = force ]; then
rm -f test-rsa$m.cer test-rsa$m.key test-rsa$m.pub
fi
if [ "$1" = clean ]; then
continue
fi
+ if [ -z "${m%%*_*}" ]; then
+ # Add named extension.
+ bits=${m%_*}
+ ext="-extensions ${m#*_}"
+ else
+ bits=$m
+ ext=
+ fi
if [ ! -e test-rsa$m.key ]; then
- log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
+ log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 $ext \
-config test-ca.conf \
- -newkey rsa:$m \
+ -newkey rsa:$bits \
-out test-rsa$m.cer -outform DER \
-keyout test-rsa$m.key
# for v1 signatures
log openssl pkey -in test-rsa$m.key -out test-rsa$m.pub -pubout
+ if [ $m = 1024_skid ]; then
+ # Create combined key+cert.
+ log openssl x509 -inform DER -in test-rsa$m.cer >> test-rsa$m.key
+ fi
fi
done
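Review bot: `if [ $m = 1024_skid ]; then` leaves `$m` unquoted while the surrounding tests quote it; use `"$m"`. The `[ skid ]` section sets `subjectKeyIdentifier=12345678`, which openssl interprets as a hex octet string (4 bytes 12 34 56 78); a comment there tying it to the expected `PREFIX=0x030204123456780080` in sign_verify.test would make that dependency explicit, since changing one without the other breaks the test in a non-obvious way. The `[ -z "${m%%*_*}" ]` test is correct (it is empty exactly when `$m` contains an underscore) but terse; a comment such as `# bits_extension form` next to it would help the next reader. The combined file is produced by appending the PEM cert after the `-pubout` step, so `test-rsa1024_skid.key` and `.pub` stay consistent; note the `rm -f` on the clean path already removes all three files for the new name.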
diff --git tests/sign_verify.test tests/sign_verify.test
index 1fdd786..df4304a 100755
--- tests/sign_verify.test
+++ tests/sign_verify.test
@@ -367,6 +367,7 @@ sign_verify rsa1024 sha1 0x030202:K:0080
sign_verify rsa1024 sha224 0x030207:K:0080
expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204aabbccdd0080 OPTS=--keyid=aabbccdd
expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204:K:0080 OPTS=--keyid-from-cert=test-rsa1024.cer
+expect_pass check_sign TYPE=ima KEY=rsa1024_skid ALG=sha256 PREFIX=0x030204123456780080
sign_verify rsa1024 sha256 0x030204:K:0080
try_different_keys
try_different_sigs
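Review bot: the added line covers only the positive path (an appended cert with a fixed SKID). Two further cases would pin down the behaviour introduced in libimaevm.c: a key with an appended cert generated with the default `subjectKeyIdentifier=hash` extension, checked with `PREFIX=0x030204:K:0080`, to confirm the computed-keyid fallback; and `KEY=rsa1024_skid` combined with `OPTS=--keyid=aabbccdd` and `PREFIX=0x030204aabbccdd0080`, to confirm an explicit `--keyid` still wins over the appended cert's SKID.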
--
2.29.3
Thread overview: 13+ messages
2021-07-12 5:44 [PATCH ima-evm-utils v8 0/3] ima-evm-utils: Add --keyid option Vitaly Chikunov
2021-07-12 5:44 ` [PATCH ima-evm-utils v8 1/3] Allow manual setting keyid for signing Vitaly Chikunov
2021-07-12 5:44 ` [PATCH ima-evm-utils v8 2/3] Allow manual setting keyid from a cert file Vitaly Chikunov
2021-07-12 5:44 ` Vitaly Chikunov [this message]
2021-07-14 16:16 ` [PATCH ima-evm-utils v8 3/3] Read keyid from the cert appended to the key file Mimi Zohar
2021-07-14 18:13 ` Vitaly Chikunov
2021-07-14 19:20 ` Mimi Zohar
2021-07-16 13:25 ` Vitaly Chikunov
2021-07-16 13:50 ` Vitaly Chikunov
2021-07-16 14:07 ` Vitaly Chikunov
2021-07-16 14:46 ` Mimi Zohar
2021-07-12 20:04 ` [PATCH ima-evm-utils v8 0/3] ima-evm-utils: Add --keyid option Mimi Zohar
2021-07-13 5:47 ` Vitaly Chikunov