From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
To: Stefan Berger <stefanb@linux.ibm.com>
Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
"open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@vger.kernel.org>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
David Howells <dhowells@redhat.com>,
"open list:KEYS-TRUSTED" <keyrings@vger.kernel.org>,
"davem@davemloft.net" <davem@davemloft.net>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [PATCH v9 2/9] x509: Detect sm2 keys by their parameters OID
Date: Fri, 5 Mar 2021 15:37:21 +0800
Message-ID: <4e584fe5-966f-a0e8-3542-8ef01d647101@linux.alibaba.com>
In-Reply-To: <048e22c7-45e3-022c-cd5b-a6bc127958d3@linux.ibm.com>

Hi,
On 3/4/21 7:46 AM, Stefan Berger wrote:
> Tianjia,
>
> can you say whether SM2 support works for you before and after
> applying this patch? I cannot verify it with an sm2 key I have created
> using a sequence of commands like this:
>
> > modprobe sm2_generic
> > id=$(keyctl newring test @u)
> > keyctl padd asymmetric "" $id < sm2.der
> add_key: Key was rejected by service
> > keyctl padd asymmetric "" $id < eckeys/cert-prime192v1-0.der
> 88506426
>
> The sm2 key is rejected but the prime192v1 key works just fine. SM2 support
> neither worked for me before nor after this patch here. The difference
> is that before it returned 'add_key: Package not installed'.
>
> This is my sm2 cert:
>
> > base64 < sm2.der
> MIIBbzCCARWgAwIBAgIUfqwndeAy7reymWLwvCHOgYPU2YUwCgYIKoZIzj0EAwIwDTELMAkGA1UE
> AwwCbWUwHhcNMjEwMTI0MTgwNjQ3WhcNMjIwMTI0MTgwNjQ3WjANMQswCQYDVQQDDAJtZTBZMBMG
> ByqGSM49AgEGCCqBHM9VAYItA0IABEtiMaczdk46MEugmOsY/u+puf5qoi7JdLd/w3VpdixvDd26
> vrxLKL7lCTVn5w3a07G7QB1dgdMDpzIRgWrVXC6jUzBRMB0GA1UdDgQWBBSxOVnE7ihvTb6Nczb4
> /mow+HIc9TAfBgNVHSMEGDAWgBSxOVnE7ihvTb6Nczb4/mow+HIc9TAPBgNVHRMBAf8EBTADAQH/
> MAoGCCqGSM49BAMCA0gAMEUCIE1kiji2ABUy663NANe0iCPjCeeqg02Yk4b3K+Ci/Qh4AiEA/cFB
> eJEVklyveRMvuTP7BN7FG4U8iRdtedjiX+YrNio=
>
> Regards,
> Stefan
>
Yes, it works fine here. Your test method may be wrong. First of all,
the certificate looks wrong; I don't know whether it was sent incompletely.
Secondly, the SM2 algorithm must be compiled as builtin. There will be
a problem when it is compiled as a module. This is a restriction for
SM2 signature with Za. You may refer to this discussion:
https://lkml.org/lkml/2021/1/12/1736
In addition, here is a self-signed root certificate from my test:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
If you can, please add:
Tested-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Good luck!
Tianjia
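To see what the quoted certificate actually carries, here is an added Python decoder; it is my own example, not code from this thread or from the kernel patch under discussion. It walks the DER of the certificate Stefan posted above, reports the SubjectPublicKeyInfo algorithm, its parameters OID and the outer signature algorithm, and classifies the key the way the patch subject describes: by the parameters OID rather than by id-ecPublicKey alone. The OID constants are the standard ones; `signature_matches_key` encodes my assumption that a self-signed certificate's signature family has to agree with its key family, since the kernel's X.509 parser verifies a self-signed certificate against its own key.

```python
import base64

# Stefan's SM2 certificate, copied from the quoted message above (base64 lines joined).
CERT_B64 = (
    "MIIBbzCCARWgAwIBAgIUfqwndeAy7reymWLwvCHOgYPU2YUwCgYIKoZIzj0EAwIwDTELMAkGA1UE"
    "AwwCbWUwHhcNMjEwMTI0MTgwNjQ3WhcNMjIwMTI0MTgwNjQ3WjANMQswCQYDVQQDDAJtZTBZMBMG"
    "ByqGSM49AgEGCCqBHM9VAYItA0IABEtiMaczdk46MEugmOsY/u+puf5qoi7JdLd/w3VpdixvDd26"
    "vrxLKL7lCTVn5w3a07G7QB1dgdMDpzIRgWrVXC6jUzBRMB0GA1UdDgQWBBSxOVnE7ihvTb6Nczb4"
    "/mow+HIc9TAfBgNVHSMEGDAWgBSxOVnE7ihvTb6Nczb4/mow+HIc9TAPBgNVHRMBAf8EBTADAQH/"
    "MAoGCCqGSM49BAMCA0gAMEUCIE1kiji2ABUy663NANe0iCPjCeeqg02Yk4b3K+Ci/Qh4AiEA/cFB"
    "eJEVklyveRMvuTP7BN7FG4U8iRdtedjiX+YrNio="
)
STEFAN_CERT_DER = base64.b64decode(CERT_B64)

# Standard OIDs (dotted form); the SM2 curve OID is what the patch detects.
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_SM2 = "1.2.156.10197.1.301"
OID_SM2_WITH_SM3 = "1.2.156.10197.1.501"
OID_ECDSA_WITH_SHA256 = "1.2.840.10045.4.3.2"
ECDSA_SIG_PREFIX = "1.2.840.10045.4."          # ecdsa-with-SHA* family
CURVE_NAMES = {
    "1.2.840.10045.3.1.1": "prime192v1",
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    OID_SM2: "sm2",
}


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed element into (tag, value) tuples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Turn DER OID content bytes into dotted notation (base-128 arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    n = 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def inspect_cert(der):
    """Return (key_algorithm_oid, key_parameters_oid_or_None, signature_oid)."""
    _, cert, _ = read_tlv(der, 0)
    tbs, sig_alg, _sig_value = children(cert)[:3]
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:               # optional explicit [0] version
        fields = fields[1:]
    spki = fields[5]                       # serial, sigalg, issuer, validity, subject, SPKI
    alg_id = children(spki[1])[0]
    alg_oid, params = children(alg_id[1])[:2]
    sig_oid = children(sig_alg[1])[0]
    params_oid = decode_oid(params[1]) if params[0] == 0x06 else None
    return decode_oid(alg_oid[1]), params_oid, decode_oid(sig_oid[1])


def key_family(der):
    """Classify an EC key by its parameters OID, as the patch does for SM2."""
    alg, params, _ = inspect_cert(der)
    if alg != ID_EC_PUBLIC_KEY:
        return "not-ec"
    return CURVE_NAMES.get(params, params)


def signature_matches_key(der):
    """Assumed rule: SM2 keys need an SM2-with-SM3 signature, NIST keys an ECDSA one."""
    _, params, sig = inspect_cert(der)
    if params == OID_SM2:
        return sig == OID_SM2_WITH_SM3
    return sig.startswith(ECDSA_SIG_PREFIX)


if __name__ == "__main__":
    alg, params, sig = inspect_cert(STEFAN_CERT_DER)
    print("key algorithm :", alg)
    print("key parameters:", params, "->", key_family(STEFAN_CERT_DER))
    print("signature     :", sig)
    print("signature family matches key:", signature_matches_key(STEFAN_CERT_DER))
```

Run on the posted certificate, the decoder reports an id-ecPublicKey key whose parameters OID is the SM2 curve, but an outer signature of ecdsa-with-SHA256. That mismatch is the first thing to rule out when `keyctl padd` answers "Key was rejected by service" for a self-signed certificate, and the patch's parameters-OID detection is exactly what lets the parser tell this SM2 key apart from the prime192v1 one that loaded fine.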