From: Hongbo Li <herbert.tencent@gmail.com>
To: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
herbert@gondor.apana.org.au, dhowells@redhat.com,
zohar@linux.ibm.com, jarkko@kernel.org, herberthbli@tencent.com
Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
Hongbo Li <herbert.tencent@gmail.com>
Subject: [PATCH v3 0/4] crypto: add rsa pss support for x509
Date: Wed, 7 Apr 2021 11:49:14 +0800 [thread overview]
Message-ID: <1617767358-25279-1-git-send-email-herbert.tencent@gmail.com> (raw)
From: Hongbo Li <herberthbli@tencent.com>
This series of patches adds support for x509 cert signed by RSA
with PSS encoding method. RSA PSS is described in rfc8017.
Patch1 make x509 support rsa pss encoding and parse hash parameter.
Patch2 add rsa pss template.
Patch3 add test vector for rsa pss.
Patch4 is the rsa-pss's ima patch.
Test by the following script, it tests different saltlen, hash, mgfhash.
keyctl newring test @u
while :; do
for modbits in 1024 2048 4096; do
if [ $modbits -eq 1024 ]; then
saltlen=(-1 -2 0 20 32 48 64 94)
elif [ $modbits -eq 2048 ]; then
saltlen=(-1 -2 0 20 32 48 64 222)
else
saltlen=(-1 -2 0 20 32 48 64 478)
fi
for slen in ${saltlen[@]}; do
for hash in sha1 sha224 sha256 sha384 sha512; do
for mgfhash in sha1 sha224 sha256 sha384 sha512; do
certfile="cert.der"
echo slen $slen
openssl req \
-x509 \
-${hash} \
-newkey rsa:$modbits \
-keyout key.pem \
-days 365 \
-subj '/CN=test' \
-nodes \
-sigopt rsa_padding_mode:pss \
-sigopt rsa_mgf1_md:$mgfhash \
-sigopt rsa_pss_saltlen:${slen} \
-outform der \
-out ${certfile} 2>/dev/null
exp=0
id=$(keyctl padd asymmetric testkey %keyring:test < "${certfile}")
rc=$?
if [ $rc -ne $exp ]; then
case "$exp" in
0) echo "Error: Could not load rsa-pss certificate!";;
esac
echo "modbits $modbits sha: $hash mgfhash $mgfhash saltlen: $slen"
exit 1
else
case "$rc" in
0) echo "load cert: keyid: $id modbits $modbits hash: $hash mgfhash $mgfhash saltlen $slen"
esac
fi
done
done
done
done
done
Best Regards
Hongbo
v2-v3:
-add the crypto/rsa-psspad.c which is missed in previous patch
v1->v2:
-rebase patches to cryptodev/master to fix the issues that
reported-by: kernel test robot <lkp@intel.com>
Hongbo Li (4):
x509: add support for rsa-pss
crypto: support rsa-pss encoding
crypto: add rsa pss test vector
ima: add support for rsa pss verification
crypto/Makefile | 7 +-
crypto/asymmetric_keys/Makefile | 7 +-
crypto/asymmetric_keys/public_key.c | 5 +
crypto/asymmetric_keys/x509_cert_parser.c | 71 ++++-
crypto/asymmetric_keys/x509_rsapss_params.asn1 | 19 ++
crypto/rsa-psspad.c | 398 +++++++++++++++++++++++++
crypto/rsa.c | 14 +-
crypto/rsa_helper.c | 127 ++++++++
crypto/testmgr.c | 7 +
crypto/testmgr.h | 90 ++++++
include/crypto/internal/rsa.h | 25 +-
include/linux/oid_registry.h | 2 +
security/integrity/digsig_asymmetric.c | 18 +-
13 files changed, 770 insertions(+), 20 deletions(-)
create mode 100644 crypto/asymmetric_keys/x509_rsapss_params.asn1
create mode 100644 crypto/rsa-psspad.c
--
1.8.3.1
next reply other threads:[~2021-04-07 3:49 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-07 3:49 Hongbo Li [this message]
2021-04-07 3:49 ` [PATCH v3 1/4] x509: add support for rsa-pss Hongbo Li
2021-04-07 3:49 ` [PATCH v3 2/4] crypto: support rsa-pss encoding Hongbo Li
2021-04-07 8:40 ` kernel test robot
2021-04-07 3:49 ` [PATCH v3 3/4] crypto: add rsa pss test vector Hongbo Li
2021-04-07 3:49 ` [PATCH v3 4/4] ima: add support for rsa pss verification Hongbo Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1617767358-25279-1-git-send-email-herbert.tencent@gmail.com \
--to=herbert.tencent@gmail.com \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=herberthbli@tencent.com \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).