From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: Re: [PATCH ima-evm-utils v8 3/3] Read keyid from the cert appended to the key file
Date: Fri, 16 Jul 2021 17:07:43 +0300
Message-ID: <20210716140743.ct3sxyi5luhqechz@altlinux.org>
In-Reply-To: <20210716135030.tc3fe3rmjmci2e4x@altlinux.org>
On Fri, Jul 16, 2021 at 04:50:30PM +0300, Vitaly Chikunov wrote:
> Mimi,
>
> On Wed, Jul 14, 2021 at 12:16:57PM -0400, Mimi Zohar wrote:
> > On Mon, 2021-07-12 at 08:44 +0300, Vitaly Chikunov wrote:
> > >
> > > @@ -43,26 +43,43 @@ cat > test-ca.conf <<- EOF
> > > basicConstraints=CA:TRUE
> > > subjectKeyIdentifier=hash
> > > authorityKeyIdentifier=keyid:always,issuer
> > > +
> > > + [ skid ]
> > > + basicConstraints=CA:TRUE
> > > + subjectKeyIdentifier=12345678
> > > + authorityKeyIdentifier=keyid:always,issuer
> > > EOF
> > > fi
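Review bot: the new `[ skid ]` section repeats `basicConstraints=CA:TRUE` and `authorityKeyIdentifier=keyid:always,issuer` from the section above it and differs only in `subjectKeyIdentifier=12345678`; a one-line comment in the heredoc stating that this section exists to issue a certificate with a fixed, non-hash SKID for the keyid tests would make the duplication read as intentional rather than as a stray copy.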
> >
> > On my system:
> > $ openssl version
> > OpenSSL 1.1.1g FIPS 21 Apr 2020
> >
> > Not sure this has anything to do with the reason that "skid" is not
> > supported. The resulting files are empty.
> >
> > ls -lat *skid*
> > -rw-rw-r--. 1 mimi mimi 0 Jul 14 12:02 test-rsa1024_skid.key
> > -rw-rw-r--. 1 mimi mimi 0 Jul 14 12:02 test-rsa1024_skid.pub
> >
> > - openssl pkey -in test-rsa1024.key -out test-rsa1024.pub -pubout
> > - openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 -extensions skid -config test-ca.conf -newkey rsa:1024 -out test-rsa1024_skid.cer -outform DER -keyout test-rsa1024_skid.key
> > Using configuration from test-ca.conf
> > Error Loading extension section skid <===
>
> What did `test-ca.conf' look like? Maybe it's not updated?
> Try running ./gen-keys.sh clean (which is called from make distclean).
Perhaps this is the case. I will add a `test -nt' check in
gen-keys.sh, so that test-ca.conf and the keys are regenerated when
gen-keys.sh is updated. This should solve that problem for users.
diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
index d604c96..d2c2f80 100755
--- a/tests/gen-keys.sh
+++ b/tests/gen-keys.sh
@@ -26,7 +26,8 @@ log() {
if [ "$1" = clean ]; then
rm -f test-ca.conf
-elif [ "$1" = force ] || [ ! -e test-ca.conf ]; then
+elif [ "$1" = force ] || [ ! -e test-ca.conf ] \
+ || [ gen-keys.sh -nt test-ca.conf ]; then
cat > test-ca.conf <<- EOF
[ req ]
distinguished_name = req_distinguished_name
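Review bot: `[ gen-keys.sh -nt test-ca.conf ]` compares a bare relative path, so the test is only meaningful when the current directory is tests/; invoked from anywhere else the first operand does not exist, `-nt` evaluates false, and the stale-config case this line is meant to catch is silently skipped. Using the script's own path, e.g. `[ "$0" -nt test-ca.conf ]`, keeps the check correct wherever the script is run from. `-nt` is also a bash/dash extension rather than POSIX `test`, which is acceptable given the existing script but worth a short comment.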
@@ -54,7 +55,8 @@ fi
# RSA
# Second key will be used for wrong key tests.
for m in 1024 1024_skid 2048; do
- if [ "$1" = clean ] || [ "$1" = force ]; then
+ if [ "$1" = clean ] || [ "$1" = force ] \
+ || [ gen-keys.sh -nt test-rsa$m.key ]; then
rm -f test-rsa$m.cer test-rsa$m.key test-rsa$m.pub
fi
if [ "$1" = clean ]; then
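Review bot: the same relative-path point applies to `[ gen-keys.sh -nt test-rsa$m.key ]`, and `"$0"` is the safer operand. Separately, the 0-byte `test-rsa1024_skid.key` and `.pub` files reported earlier in this thread were left behind by a failed openssl run and are therefore newer than gen-keys.sh, so `-nt` will never remove them; adding `|| [ ! -s test-rsa$m.key ]` to this condition would also clear such broken leftovers on the next run.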
Thanks,
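The regeneration test introduced by the patch above, written as a standalone function for illustration (added example, not code from ima-evm-utils or its author): it covers the `-nt` mtime comparison together with the two cases a bare `[ gen-keys.sh -nt file ]` misses, a 0-byte leftover from a failed openssl run and a script path that does not resolve from the current directory. The function names `needs_regen` and `demo` and the constructed files are hypothetical.

```shell
# Added example: the "regenerate if the script is newer" check as a function.
# Returns 0 (regenerate) when:
#   - the caller forces it ("force" or "clean"),
#   - the target is missing,
#   - the target exists but is empty (a failed openssl run leaves a 0-byte
#     .key that is newer than the script, so -nt alone would keep it),
#   - the script is newer than the target.
# $1 = mode ("" | force | clean), $2 = path of the generator script,
# $3 = the file that the script produces.
needs_regen() {
    mode=$1 script=$2 target=$3
    [ "$mode" = force ] || [ "$mode" = clean ] && return 0
    [ ! -e "$target" ] && return 0
    [ ! -s "$target" ] && return 0
    # -nt is true only if $script exists; a wrong relative path makes it
    # silently false, which is why the script path should come from "$0".
    [ "$script" -nt "$target" ] && return 0
    return 1
}

# Self-check on constructed files in a temporary directory. Timestamps are
# fixed with touch -t so the outcome does not depend on when this runs.
# Prints the names of the cases that asked for regeneration.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/gen-keys.sh"
    touch -t 202107160000 "$d/gen-keys.sh"       # script dated 2021-07-16
    printf 'old\n' > "$d/test-ca.conf"
    touch -t 202107150000 "$d/test-ca.conf"      # older than the script
    : > "$d/test-rsa1024_skid.key"                # 0 bytes, newer than script
    printf 'fresh\n' > "$d/test-rsa2048.key"      # non-empty, newer than script
    r=""
    needs_regen ""    "$d/gen-keys.sh" "$d/test-ca.conf"           && r="${r}conf "
    needs_regen ""    "$d/gen-keys.sh" "$d/test-rsa1024_skid.key"  && r="${r}skid "
    needs_regen ""    "$d/gen-keys.sh" "$d/test-rsa2048.key"       && r="${r}rsa2048 "
    needs_regen ""    "$d/missing.sh"  "$d/test-rsa2048.key"       && r="${r}badpath "
    needs_regen force "$d/gen-keys.sh" "$d/test-rsa2048.key"       && r="${r}force "
    rm -rf "$d"
    echo "$r"
}
```

Only the stale config, the empty key and the forced run trigger regeneration; the fresh non-empty key and the non-existent script path do not, which is the silent failure the review notes describe.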