From: Stefan Berger <stefanb@linux.ibm.com>
To: dhowells@redhat.com
Cc: kbuild-all@lists.01.org, linux-kernel@vger.kernel.org,
patrick@puiterwijk.org, linux-integrity@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>,
"davem@davemloft.net" <davem@davemloft.net>,
"open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@vger.kernel.org>,
Mimi Zohar <zohar@linux.vnet.ibm.com>
Subject: Re: [PATCH v7 3/4] x509: Add support for parsing x509 certs with ECDSA keys
Date: Thu, 11 Feb 2021 13:18:46 -0500 [thread overview]
Message-ID: <58a980d7-ce90-2333-d5ae-014919e6c5d0@linux.ibm.com> (raw)
In-Reply-To: <b72f396e-fafa-cff3-cee2-a47ac5274dc4@linux.ibm.com>
On 2/11/21 12:30 PM, Stefan Berger wrote:
> On 2/11/21 3:03 AM, kernel test robot wrote:
>> Hi Stefan,
>>
>> Thank you for the patch! Yet something to improve:
>>
>>>> crypto/asymmetric_keys/public_key.c:97: undefined reference to
>>>> `parse_OID'
>
>
> So the issue is that only ASYMMETRIC_PUBLIC_KEY_SUBTYPE is selected
> in this config and the selection of OID_REGISTRY is missing. I am not
> sure whether ASYMMETRIC_PUBLIC_KEY_SUBTYPE should/could select
> OID_REGISTRY or whether that would be wrong... ?
David,
if the above is not desired then the following change would let us
get rid of the offending parse_OID(). The below change is only for NIST
p192 in this experiment but shows that we need to add additional
strcmp() cases in x509_check_for_self_signed() since
cert->sig->pkey_algo is set to "ecdsa". I am not sure whether we should
derive from the signature which curve was used to create the signature
so that cert->sig->pkey_algo could be more specific and the simple
existing strcmp() would pass. So two possible ways to go forward. Which
way should we go?
Stefan
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c
b/crypto/asymmetric_keys/x509_cert_parser.c
index 0aff4e584b11..71d83bb345c4 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -505,6 +505,8 @@ int x509_extract_key_data(void *context, size_t hdrlen,
ctx->cert->pub->pkey_algo = "sm2";
break;
case OID_id_prime192v1:
+ ctx->cert->pub->pkey_algo = "ecdsa-nist-p192";
+ break;
case OID_id_prime256v1:
ctx->cert->pub->pkey_algo = "ecdsa";
break;
diff --git a/crypto/asymmetric_keys/x509_public_key.c
b/crypto/asymmetric_keys/x509_public_key.c
index ae450eb8be14..3ebeed195b61 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -129,7 +129,10 @@ int x509_check_for_self_signed(struct
x509_certificate *cert)
}
ret = -EKEYREJECTED;
- if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0)
+printk(KERN_INFO "%s: %s ==? %s\n", __func__, cert->pub->pkey_algo,
cert->sig->pkey_algo);
+ if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0 &&
+ strncmp(cert->pub->pkey_algo, "ecdsa-nist-p", 12) != 0 &&
+ strcmp(cert->sig->pkey_algo, "ecdsa") != 0)
goto out;
ret = public_key_verify_signature(cert->pub, cert->sig);
>
>
> Stefan
>
next prev parent reply other threads:[~2021-02-11 18:34 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-01 15:19 [PATCH v7 0/4] Add support for x509 certs with NIST p256 and p192 keys Stefan Berger
2021-02-01 15:19 ` [PATCH v7 1/4] crypto: Add support for ECDSA signature verification Stefan Berger
2021-02-04 5:27 ` Herbert Xu
2021-02-04 5:43 ` Stefan Berger
2021-02-04 14:58 ` Jarkko Sakkinen
2021-02-01 15:19 ` [PATCH v7 2/4] x509: Detect sm2 keys by their parameters OID Stefan Berger
2021-02-01 15:19 ` [PATCH v7 3/4] x509: Add support for parsing x509 certs with ECDSA keys Stefan Berger
2021-02-11 8:03 ` kernel test robot
2021-02-11 8:03 ` kernel test robot
2021-02-11 17:30 ` Stefan Berger
2021-02-11 18:18 ` Stefan Berger [this message]
2021-02-01 15:19 ` [PATCH v7 4/4] ima: Support EC keys for signature verification Stefan Berger
2021-02-05 12:24 ` Mimi Zohar
2021-02-01 16:13 ` [PATCH v7 0/4] Add support for x509 certs with NIST p256 and p192 keys David Howells
2021-02-01 16:28 ` Stefan Berger
2021-02-01 16:36 ` David Howells
2021-02-01 16:45 ` Stefan Berger
2021-02-02 3:59 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=58a980d7-ce90-2333-d5ae-014919e6c5d0@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=kbuild-all@lists.01.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=patrick@puiterwijk.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.