All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH ima-evm-utils v2] ima-evm-utils: Support SM2 algorithm for sign and verify
@ 2021-02-11  5:22 Tianjia Zhang
  2021-02-18 14:06 ` Mimi Zohar
  0 siblings, 1 reply; 3+ messages in thread
From: Tianjia Zhang @ 2021-02-11  5:22 UTC (permalink / raw)
  To: Mimi Zohar, Vitaly Chikunov, linux-integrity, Jia Zhang; +Cc: tianjia.zhang

The combination of SM2 and SM3 algorithms has been implemented in the
kernel. At present, the ima-evm-utils signature tool does not support
this combination of algorithms. Because in the current version of
OpenSSL 1.1.1, the SM2 algorithm and the public key using the EC
algorithm share the same ID 'EVP_PKEY_EC', and the specific algorithm
can only be distinguished by the curve name used. This patch supports
this feature.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
---
 src/libimaevm.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index fa6c278..589dd09 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -518,6 +518,16 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
 		return -1;
 	}
 
+#ifdef EVP_PKEY_SM2
+	/* If EC key are used, check whether it is SM2 key */
+	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
+		EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
+		int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+		if (curve == NID_sm2)
+			EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
+	}
+#endif
+
 	st = "EVP_PKEY_CTX_new";
 	if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
 		goto err;
@@ -932,6 +942,16 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
 		return -1;
 	}
 
+#ifdef EVP_PKEY_SM2
+	/* If EC key are used, check whether it is SM2 key */
+	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
+		EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
+		int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+		if (curve == NID_sm2)
+			EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
+	}
+#endif
+
 	calc_keyid_v2(&keyid, name, pkey);
 	hdr->keyid = keyid;
 
-- 
2.19.1.3.ge56e4f7


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH ima-evm-utils v2] ima-evm-utils: Support SM2 algorithm for sign and verify
  2021-02-11  5:22 [PATCH ima-evm-utils v2] ima-evm-utils: Support SM2 algorithm for sign and verify Tianjia Zhang
@ 2021-02-18 14:06 ` Mimi Zohar
  2021-05-26  8:34   ` Tianjia Zhang
  0 siblings, 1 reply; 3+ messages in thread
From: Mimi Zohar @ 2021-02-18 14:06 UTC (permalink / raw)
  To: Tianjia Zhang, Vitaly Chikunov, linux-integrity, Jia Zhang

Hi Tianjia,

On Thu, 2021-02-11 at 13:22 +0800, Tianjia Zhang wrote:
> The combination of SM2 and SM3 algorithms has been implemented in the
> kernel. At present, the ima-evm-utils signature tool does not support
> this combination of algorithms. Because in the current version of
> OpenSSL 1.1.1, the SM2 algorithm and the public key using the EC
> algorithm share the same ID 'EVP_PKEY_EC', and the specific algorithm
> can only be distinguished by the curve name used. This patch supports
> this feature.
> 
> Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
> ---
>  src/libimaevm.c | 20 ++++++++++++++++++++
>  1 file changed, 20 insertions(+)
> 
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index fa6c278..589dd09 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -518,6 +518,16 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
>  		return -1;
>  	}
>  
> +#ifdef EVP_PKEY_SM2
> +	/* If EC key are used, check whether it is SM2 key */
> +	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
> +		EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
> +		int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
> +		if (curve == NID_sm2)
> +			EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
> +	}
> +#endif
> +

Suppose a file is signed on one system and verified on another.  What
happens if EVP_PKEY_SM2 is defined on one system, but not the other? 
Since the signing/verifying code do exactly the same thing, a
sign_verify test wouldn't detect the problem.   In anycase, please
define a sign_verify test.

thanks,

Mimi


>  	st = "EVP_PKEY_CTX_new";
>  	if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
>  		goto err;
> @@ -932,6 +942,16 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
>  		return -1;
>  	}
>  
> +#ifdef EVP_PKEY_SM2
> +	/* If EC key are used, check whether it is SM2 key */
> +	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
> +		EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
> +		int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
> +		if (curve == NID_sm2)
> +			EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
> +	}
> +#endif
> +
>  	calc_keyid_v2(&keyid, name, pkey);
>  	hdr->keyid = keyid;
>  



^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH ima-evm-utils v2] ima-evm-utils: Support SM2 algorithm for sign and verify
  2021-02-18 14:06 ` Mimi Zohar
@ 2021-05-26  8:34   ` Tianjia Zhang
  0 siblings, 0 replies; 3+ messages in thread
From: Tianjia Zhang @ 2021-05-26  8:34 UTC (permalink / raw)
  To: Mimi Zohar, Vitaly Chikunov, linux-integrity, Jia Zhang



On 2/18/21 10:06 PM, Mimi Zohar wrote:
> Hi Tianjia,
> 
> On Thu, 2021-02-11 at 13:22 +0800, Tianjia Zhang wrote:
>> The combination of SM2 and SM3 algorithms has been implemented in the
>> kernel. At present, the ima-evm-utils signature tool does not support
>> this combination of algorithms. Because in the current version of
>> OpenSSL 1.1.1, the SM2 algorithm and the public key using the EC
>> algorithm share the same ID 'EVP_PKEY_EC', and the specific algorithm
>> can only be distinguished by the curve name used. This patch supports
>> this feature.
>>
>> Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
>> ---
>>   src/libimaevm.c | 20 ++++++++++++++++++++
>>   1 file changed, 20 insertions(+)
>>
>> diff --git a/src/libimaevm.c b/src/libimaevm.c
>> index fa6c278..589dd09 100644
>> --- a/src/libimaevm.c
>> +++ b/src/libimaevm.c
>> @@ -518,6 +518,16 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
>>   		return -1;
>>   	}
>>   
>> +#ifdef EVP_PKEY_SM2
>> +	/* If EC key are used, check whether it is SM2 key */
>> +	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
>> +		EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
>> +		int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
>> +		if (curve == NID_sm2)
>> +			EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
>> +	}
>> +#endif
>> +
> 
> Suppose a file is signed on one system and verified on another.  What
> happens if EVP_PKEY_SM2 is defined on one system, but not the other?
> Since the signing/verifying code do exactly the same thing, a
> sign_verify test wouldn't detect the problem.   In anycase, please
> define a sign_verify test.
> 
> thanks,
> 
> Mimi
> 
> 

Sorry for the late reply.

This will cause verify to fail, I will add some sm2 tests in the next patch.

Best regards,
Tianjia

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-05-26  8:34 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-11  5:22 [PATCH ima-evm-utils v2] ima-evm-utils: Support SM2 algorithm for sign and verify Tianjia Zhang
2021-02-18 14:06 ` Mimi Zohar
2021-05-26  8:34   ` Tianjia Zhang

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.