From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: Re: [PATCH ima-evm-utils v8 3/3] Read keyid from the cert appended to the key file
Date: Fri, 16 Jul 2021 16:25:21 +0300
Message-ID: <20210716132521.2rot6q5ubux3trfl@altlinux.org>
In-Reply-To: <46cba7f404f09c13a5a80606ee934b185660e567.camel@linux.ibm.com>
Mimi,
On Wed, Jul 14, 2021 at 03:20:50PM -0400, Mimi Zohar wrote:
> On Wed, 2021-07-14 at 21:13 +0300, Vitaly Chikunov wrote:
> > On Wed, Jul 14, 2021 at 12:16:57PM -0400, Mimi Zohar wrote:
> > > On Mon, 2021-07-12 at 08:44 +0300, Vitaly Chikunov wrote:
> > > >
> > > > @@ -43,26 +43,43 @@ cat > test-ca.conf <<- EOF
> > > > basicConstraints=CA:TRUE
> > > > subjectKeyIdentifier=hash
> > > > authorityKeyIdentifier=keyid:always,issuer
> > > > +
> > > > + [ skid ]
> > > > + basicConstraints=CA:TRUE
> > > > + subjectKeyIdentifier=12345678
> > > > + authorityKeyIdentifier=keyid:always,issuer
> > > > EOF
> > > > fi
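Review bot: the new `[ skid ]` section is written inside a conditional (the hunk header shows `cat > test-ca.conf <<- EOF` and the last context line is the closing `fi`), so if that condition skips the heredoc when test-ca.conf already exists, a config left over from an earlier run never gains the section and `openssl req -extensions skid` fails with "Error Loading extension section skid" while still creating the empty .key/.pub files. Consider regenerating test-ca.conf unconditionally, or deleting it in the test's cleanup step, so the result does not depend on stale state from a previous build tree. Also note that `[ skid ]` repeats `basicConstraints=CA:TRUE` and `authorityKeyIdentifier=keyid:always,issuer` from the section above it; the only intended difference is the fixed `subjectKeyIdentifier=12345678`, which a comment line in the conf would make clear.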
> > >
> > > On my system:
> > > $ openssl version
> > > OpenSSL 1.1.1g FIPS 21 Apr 2020
> > >
> > > Not sure this has anything to do with the reason that "skid" is not
> > > supported. The resulting files are empty.
> > >
> > > ls -lat *skid*
> > > -rw-rw-r--. 1 mimi mimi 0 Jul 14 12:02 test-rsa1024_skid.key
> > > -rw-rw-r--. 1 mimi mimi 0 Jul 14 12:02 test-rsa1024_skid.pub
> > >
> > > - openssl pkey -in test-rsa1024.key -out test-rsa1024.pub -pubout
> > > - openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509
> > > -extensions skid -config test-ca.conf -newkey rsa:1024 -out test-
> > > rsa1024_skid.cer -outform DER -keyout test-rsa1024_skid.key
> > > Using configuration from test-ca.conf
> > > Error Loading extension section skid <===
> >
> > Is it reproducible? Since multiple-distributions CI passed, I wonder
> > what distro it is.
>
> I'm running the tests locally on RHEL 8.4 and Fedora 34 rawhide
> systems. When generating the keys, the output is redirected to
> /dev/null. The end result is that the test is simply skipped.
Cannot reproduce this in Docker on centos:8 and fedora:34 with this
Dockerfile (for fedora):
FROM fedora:34
RUN dnf install -y \
asciidoc \
attr \
autoconf \
automake \
diffutils \
docbook-xsl \
git \
gzip \
keyutils-libs-devel \
libattr-devel \
libtool \
libxslt \
make \
openssl \
openssl-devel \
pkg-config \
procps \
sudo \
vim-common \
wget \
which
WORKDIR /src
COPY . .
RUN git clean -dxf \
&& autoreconf -fisv
RUN ./configure
RUN make
RUN make check
Log:
- openssl pkey -in test-rsa1024.key -out test-rsa1024.pub -pubout
- openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 -extensions skid -config test-ca.conf -newkey rsa:1024 -out test-rsa1024_skid.cer -outform DER -keyout test-rsa1024_skid.key
Using configuration from test-ca.conf
Generating a RSA private key
..............+++++
..............+++++
writing new private key to 'test-rsa1024_skid.key'
...
[root@45a7d2cfe41e tests]# find -ls |grep skid
26608693 4 -rw-r--r-- 1 root root 272 Jul 16 13:19 ./test-rsa1024_skid.pub
26608692 4 -rw-r--r-- 1 root root 615 Jul 16 13:19 ./test-rsa1024_skid.cer
26608691 4 -rw------- 1 root root 1803 Jul 16 13:19 ./test-rsa1024_skid.key
>
> sign_verify.test:
> ./gen-keys.sh >/dev/null 2>&1
>
> [On Fedora:
> $ openssl version
> OpenSSL 1.1.1k FIPS 25 Mar 2021]
>
> Mimi
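The point of the patch under discussion is that the signer can take its keyid from the certificate appended to the key file, and the test generates that certificate with a fixed `subjectKeyIdentifier=12345678` so the keyid is predictable. The example below is added here and is not code from ima-evm-utils or from anyone in this thread. It walks a DER certificate to the subjectKeyIdentifier extension, extracts the keyid from a PEM file that carries a CERTIFICATE block after the key, and handles the failure case where the cert has no SKID at all (which is what a test-ca.conf without the `[ skid ]` section would produce). It assumes that the keyid is the last four bytes of the SKID, which is the kernel's asymmetric-key partial-id convention; the certificate it parses is constructed inside the block with dummy key and signature bits and is not a usable certificate.

```python
"""Locate the subjectKeyIdentifier in an X.509 certificate and derive the
IMA v2 keyid from it.  Added example; not code from ima-evm-utils."""
import base64
import re

# DER content bytes of OID 2.5.29.14 (id-ce-subjectKeyIdentifier)
SKID_OID = bytes.fromhex("551d0e")
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, content) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        yield tag, val


def cert_skid(der):
    """Return the subjectKeyIdentifier octets of a DER certificate, or None."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    _, cert, _ = _tlv(der)
    _, tbs = next(_children(cert))
    for tag, val in _children(tbs):
        if tag != 0xA3:                    # extensions [3] EXPLICIT
            continue
        _, exts, _ = _tlv(val)             # SEQUENCE OF Extension
        for _, ext in _children(exts):
            fields = list(_children(ext))  # extnID, [critical], extnValue
            if fields[0][1] != SKID_OID:
                continue
            _, inner, _ = _tlv(fields[-1][1])  # extnValue wraps an OCTET STRING
            return inner
    return None


def keyid_from_skid(skid):
    """keyid placed in the IMA v2 signature header: the last four bytes of the
    SKID (assumption: the kernel's asymmetric-key partial-id convention)."""
    return skid[-4:]


def keyid_from_pem(pem):
    """Read the CERTIFICATE block appended to a PEM key file; None if absent or no SKID."""
    m = PEM_CERT.search(pem)
    if not m:
        return None
    skid = cert_skid(base64.b64decode(b"".join(m.group(1).split())))
    return None if skid is None else keyid_from_skid(skid)


# --- constructed test data (dummy key and signature bits; not a usable certificate) ---

def _der(tag, content):
    """Encode one DER TLV, using long-form length when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_test_cert(skid=None):
    """Structurally valid v3 certificate with an optional SKID extension."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    name = _der(0x30, b"")                            # empty RDNSequence
    validity = _der(0x30, _der(0x17, b"210712000000Z") * 2)
    spki = _der(0x30, alg + _der(0x03, b"\x00" + b"\x42" * 16))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
           + name + validity + name + spki)
    if skid is not None:
        ext = _der(0x30, _der(0x06, SKID_OID) + _der(0x04, _der(0x04, skid)))
        tbs += _der(0xA3, _der(0x30, ext))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00" * 9))


def pem_with_cert(der):
    """Key file layout the patch reads: a placeholder PRIVATE KEY block, then the cert."""
    return (b"-----BEGIN PRIVATE KEY-----\nAA==\n-----END PRIVATE KEY-----\n"
            b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    for skid in (bytes.fromhex("12345678"), bytes(range(20)), None):
        keyid = keyid_from_pem(pem_with_cert(build_test_cert(skid)))
        print(skid.hex() if skid else "no SKID", "->", keyid.hex() if keyid else None)
```

With the fixed `subjectKeyIdentifier=12345678` from the test config the keyid is simply 12345678; with openssl's `subjectKeyIdentifier=hash` the SKID is a 20-byte digest and only its last four bytes end up in the signature header, which is why a collision-prone short identifier should never be used outside a test. A certificate without the extension yields no keyid at all, so a signer reading the keyid from the cert must treat that as an error rather than silently emitting a zero keyid.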
Thread overview:
2021-07-12 5:44 [PATCH ima-evm-utils v8 0/3] ima-evm-utils: Add --keyid option Vitaly Chikunov
2021-07-12 5:44 ` [PATCH ima-evm-utils v8 1/3] Allow manual setting keyid for signing Vitaly Chikunov
2021-07-12 5:44 ` [PATCH ima-evm-utils v8 2/3] Allow manual setting keyid from a cert file Vitaly Chikunov
2021-07-12 5:44 ` [PATCH ima-evm-utils v8 3/3] Read keyid from the cert appended to the key file Vitaly Chikunov
2021-07-14 16:16 ` Mimi Zohar
2021-07-14 18:13 ` Vitaly Chikunov
2021-07-14 19:20 ` Mimi Zohar
2021-07-16 13:25 ` Vitaly Chikunov [this message]
2021-07-16 13:50 ` Vitaly Chikunov
2021-07-16 14:07 ` Vitaly Chikunov
2021-07-16 14:46 ` Mimi Zohar
2021-07-12 20:04 ` [PATCH ima-evm-utils v8 0/3] ima-evm-utils: Add --keyid option Mimi Zohar
2021-07-13 5:47 ` Vitaly Chikunov