From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	linux-integrity@vger.kernel.org
Subject: Re: [PATCH ima-evm-utils v8 3/3] Read keyid from the cert appended to the key file
Date: Fri, 16 Jul 2021 16:25:21 +0300	[thread overview]
Message-ID: <20210716132521.2rot6q5ubux3trfl@altlinux.org> (raw)
In-Reply-To: <46cba7f404f09c13a5a80606ee934b185660e567.camel@linux.ibm.com>

Mimi,

On Wed, Jul 14, 2021 at 03:20:50PM -0400, Mimi Zohar wrote:
> On Wed, 2021-07-14 at 21:13 +0300, Vitaly Chikunov wrote:
> > On Wed, Jul 14, 2021 at 12:16:57PM -0400, Mimi Zohar wrote:
> > > On Mon, 2021-07-12 at 08:44 +0300, Vitaly Chikunov wrote:
> > > > 
> > > > @@ -43,26 +43,43 @@ cat > test-ca.conf <<- EOF
> > > >  	basicConstraints=CA:TRUE
> > > >  	subjectKeyIdentifier=hash
> > > >  	authorityKeyIdentifier=keyid:always,issuer
> > > > +
> > > > +	[ skid ]
> > > > +	basicConstraints=CA:TRUE
> > > > +	subjectKeyIdentifier=12345678
> > > > +	authorityKeyIdentifier=keyid:always,issuer
> > > >  EOF
> > > >  fi
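Review bot: the new `[ skid ]` section hard-codes `subjectKeyIdentifier=12345678` without saying why; a one-line comment in test-ca.conf noting that the fixed value lets the test check the keyid is read from the cert rather than derived from the key would help the next reader. The section also repeats `basicConstraints=CA:TRUE` and `authorityKeyIdentifier=keyid:always,issuer` from the section above, which is acceptable for a test but worth keeping in sync if the default section ever changes.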
> > > 
> > > On my system:
> > > $ openssl version
> > > OpenSSL 1.1.1g FIPS  21 Apr 2020
> > > 
> > > Not sure this has anything to do with the reason that "skid" is not
> > > supported.   The resulting files are empty.
> > > 
> > > ls -lat *skid*
> > > -rw-rw-r--. 1 mimi mimi 0 Jul 14 12:02 test-rsa1024_skid.key
> > > -rw-rw-r--. 1 mimi mimi 0 Jul 14 12:02 test-rsa1024_skid.pub
> > > 
> > > - openssl pkey -in test-rsa1024.key -out test-rsa1024.pub -pubout
> > > - openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509
> > > -extensions skid -config test-ca.conf -newkey rsa:1024 -out test-
> > > rsa1024_skid.cer -outform DER -keyout test-rsa1024_skid.key
> > > Using configuration from test-ca.conf
> > > Error Loading extension section skid   <===
> > 
> > Is it reproducible? Since multi-distribution CI passed, I wonder
> > what distro it is.
> 
> I'm running the tests locally on RHEL 8.4 and Fedora 34 rawhide
> systems.  When generating the keys, the output is redirected to
> /dev/null.   The end result is that the test is simply skipped.

Cannot reproduce this in Docker on centos:8 and fedora:34 with this
Dockerfile (for fedora):

  FROM fedora:34
  RUN dnf install -y \
	  asciidoc \
	  attr \
	  autoconf \
	  automake \
	  diffutils \
	  docbook-xsl \
	  git \
	  gzip \
	  keyutils-libs-devel \
	  libattr-devel \
	  libtool \
	  libxslt \
	  make \
	  openssl \
	  openssl-devel \
	  pkg-config \
	  procps \
	  sudo \
	  vim-common \
	  wget \
	  which
  WORKDIR /src
  COPY . .
  RUN git clean -dxf \
	  && autoreconf -fisv
  RUN ./configure
  RUN make
  RUN make check

Log:

  - openssl pkey -in test-rsa1024.key -out test-rsa1024.pub -pubout
  - openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 -extensions skid -config test-ca.conf -newkey rsa:1024 -out test-rsa1024_skid.cer -outform DER -keyout test-rsa1024_skid.key
  Using configuration from test-ca.conf
  Generating a RSA private key
  ..............+++++
  ..............+++++
  writing new private key to 'test-rsa1024_skid.key'
  ...

  [root@45a7d2cfe41e tests]# find -ls |grep skid
   26608693      4 -rw-r--r--   1 root     root          272 Jul 16 13:19 ./test-rsa1024_skid.pub
   26608692      4 -rw-r--r--   1 root     root          615 Jul 16 13:19 ./test-rsa1024_skid.cer
   26608691      4 -rw-------   1 root     root         1803 Jul 16 13:19 ./test-rsa1024_skid.key


> 
> sign_verify.test:
> ./gen-keys.sh >/dev/null 2>&1
> 
> [On Fedora:
> $ openssl version
> OpenSSL 1.1.1k  FIPS 25 Mar 2021]
> 
> Mimi
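
As an added illustration of the command under discussion (not ima-evm-utils' own gen-keys.sh): a POSIX shell function that writes a minimal test-ca.conf containing the `[ skid ]` section from the hunk, runs `openssl req -x509 -extensions skid` without discarding its stderr, and checks that the resulting certificate really carries SKID 12:34:56:78. The file names, the CN, the minimal `[ req ]` section and the use of rsa:2048/-sha256 in place of the test's rsa:1024/-sha1 are assumptions.

```shell
#!/bin/sh
# Added example, not part of ima-evm-utils: reproduce the "skid" certificate
# generation and verify it, instead of redirecting everything to /dev/null.
# The body runs in a subshell so the caller's working directory is untouched.
gen_skid_cert() (
    dir=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; exit 2; }
    mkdir -p "$dir" && cd "$dir" || exit 1

    # Minimal config (assumed); [ skid ] is the section the hunk adds to test-ca.conf.
    cat > test-ca.conf << 'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN = skid-test
[ skid ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=12345678
authorityKeyIdentifier=keyid:always,issuer
EOF

    # Keep stderr: an "Error Loading extension section skid" must fail the run,
    # not silently leave zero-length key files behind (file names assumed).
    if ! openssl req -new -nodes -utf8 -sha256 -days 10000 -batch -x509 \
            -extensions skid -config test-ca.conf -newkey rsa:2048 \
            -out test_skid.cer -outform DER -keyout test_skid.key 2> openssl.err; then
        echo "openssl req failed:" >&2
        cat openssl.err >&2
        rm -f test_skid.cer test_skid.key
        exit 1
    fi
    [ -s test_skid.cer ] && [ -s test_skid.key ] || exit 1

    # Read the SKID back from the DER certificate and compare with 12:34:56:78.
    skid=$(openssl x509 -in test_skid.cer -inform DER -noout -text \
           | grep -A1 'Subject Key Identifier' | sed -n '2p' | tr -d '[:space:]')
    [ "$skid" = "12:34:56:78" ] || { echo "unexpected SKID: $skid" >&2; exit 1; }
)
```

The function returns 0 on success, 1 when openssl fails or the SKID does not match, and 2 when openssl is not installed.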
