[PATCH v2 0/2] ima_evm_utils: Add tests for ECDSA signature checking

[PATCH v2 0/2] ima_evm_utils: Add tests for ECDSA signature checking

[Stefan Berger]

This series of patches fixes the calculation of the keyid in the
sign_verify.sh script when it runs on older distros, such as CentoOS 7
or Ubuntu Xenial, and then adds ECDSA signature checking using elliptic
curve keys.

   Stefan

Stefan Berger (2):
  ima_evm_utils: Fix calculation of keyid for older distros
  ima_evm_utils: Add testing with elliptic curves prime192v1 and 256v1

 tests/gen-keys.sh      | 20 ++++++++++++++++++++
 tests/sign_verify.test | 16 ++++++++++++++++
 2 files changed, 36 insertions(+)

-- 
2.26.2

[PATCH v2 1/2] ima_evm_utils: Fix calculation of keyid for older distros

[Stefan Berger]

Older distros, such as Ubuntu Xenial or Centos 7, fail to calculate the
keyid properly in the bash script. Adding 'tail -n1' into the pipe fixes
the issue since we otherwise have two numbers in 'id' due to two
'BIT STRING's.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 tests/sign_verify.test | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 288e133..2477b34 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -43,6 +43,7 @@ _keyid_from_cert() {
   id=$($cmd 2>/dev/null \
     | openssl asn1parse \
     | grep BIT.STRING \
+    | tail -n1 \
     | cut -d: -f1)
   if [ -z "$id" ]; then
     echo - "$cmd" >&2
-- 
2.26.2

[PATCH v2 2/2] ima_evm_utils: Add testing with elliptic curves prime192v1 and 256v1

[Stefan Berger]

Add test cases that test the signing and signature verification with the
elliptic curves prime192v1 and prime256v1, also known as NIST P192 and
P256. These curves will soon be supported by Linux. If OpenSSL cannot
generate prime192v1 keys, as is the case on Fedora, where this curve is
not supported, the respective tests will be skipped automatically.

The r and s integer components of the signature can have varying size.
Therefore we do the size checks for the entire signature with a regular
expression that accounts for the varying size. The most typical cases
are supported following hours of running the tests with varying keys.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 tests/gen-keys.sh      | 20 ++++++++++++++++++++
 tests/sign_verify.test | 15 +++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
index 407876b..46130cf 100755
--- a/tests/gen-keys.sh
+++ b/tests/gen-keys.sh
@@ -66,6 +66,26 @@ for m in 1024 2048; do
   fi
 done
 
+for curve in prime192v1 prime256v1; do
+  if [ "$1" = clean ] || [ "$1" = force ]; then
+    rm -f test-$curve.cer test-$curve.key test-$curve.pub
+  fi
+  if [ "$1" = clean ]; then
+    continue
+  fi
+  if [ ! -e test-$curve.key ]; then
+    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
+      -config test-ca.conf \
+      -newkey ec \
+      -pkeyopt ec_paramgen_curve:$curve \
+      -out test-$curve.cer -outform DER \
+      -keyout test-$curve.key
+    if [ -s test-$curve.key ]; then
+      log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
+    fi
+  fi
+done
+
 # EC-RDSA
 for m in \
   gost2012_256:A \
diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 2477b34..4f2caaa 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -367,6 +367,21 @@ sign_verify  rsa1024  sha384  0x030205:K:0080
 sign_verify  rsa1024  sha512  0x030206:K:0080
 sign_verify  rsa1024  rmd160  0x030203:K:0080
 
+# Test v2 signatures with ECDSA
+# Signature length is typically 0x34-0x38 bytes long, very rarely 0x33
+sign_verify  prime192v1 sha1   0x030202:K:003[345678]
+sign_verify  prime192v1 sha224 0x030207:K:003[345678]
+sign_verify  prime192v1 sha256 0x030204:K:003[345678]
+sign_verify  prime192v1 sha384 0x030205:K:003[345678]
+sign_verify  prime192v1 sha512 0x030206:K:003[345678]
+
+# Signature length is typically 0x44-0x48 bytes long, very rarely 0x43
+sign_verify  prime256v1 sha1   0x030202:K:004[345678]
+sign_verify  prime256v1 sha224 0x030207:K:004[345678]
+sign_verify  prime256v1 sha256 0x030204:K:004[345678]
+sign_verify  prime256v1 sha384 0x030205:K:004[345678]
+sign_verify  prime256v1 sha512 0x030206:K:004[345678]
+
 # Test v2 signatures with EC-RDSA
 _enable_gost_engine
 sign_verify  gost2012_256-A md_gost12_256 0x030212:K:0040
-- 
2.26.2

Re: [PATCH v2 0/2] ima_evm_utils: Add tests for ECDSA signature checking

[Stefan Berger]

On 2/2/21 10:56 AM, Stefan Berger wrote:
> This series of patches fixes the calculation of the keyid in the
> sign_verify.sh script when it runs on older distros, such as CentoOS 7
> or Ubuntu Xenial, and then adds ECDSA signature checking using elliptic
> curve keys.

This series passes all relevant Travis tests. Te one failure seems 
unrelated to the modifications in this series.

https://travis-ci.com/github/stefanberger/ima-evm-utils/builds/215764182


>
>     Stefan
>
> Stefan Berger (2):
>    ima_evm_utils: Fix calculation of keyid for older distros
>    ima_evm_utils: Add testing with elliptic curves prime192v1 and 256v1
>
>   tests/gen-keys.sh      | 20 ++++++++++++++++++++
>   tests/sign_verify.test | 16 ++++++++++++++++
>   2 files changed, 36 insertions(+)
>

Re: [PATCH v2 0/2] ima_evm_utils: Add tests for ECDSA signature checking

[Mimi Zohar]

On Tue, 2021-02-02 at 12:42 -0500, Stefan Berger wrote:
> On 2/2/21 10:56 AM, Stefan Berger wrote:
> > This series of patches fixes the calculation of the keyid in the
> > sign_verify.sh script when it runs on older distros, such as CentoOS 7
> > or Ubuntu Xenial, and then adds ECDSA signature checking using elliptic
> > curve keys.
> 
> This series passes all relevant Travis tests. Te one failure seems 
> unrelated to the modifications in this series.
> 
> https://travis-ci.com/github/stefanberger/ima-evm-utils/builds/215764182

Yes, this is a known failure.  The tip of the next-testing branch
changes "eoan" to "groovy" - 056a7d284c15 ("travis: Use Ubuntu 20.10
groovy").

thanks,

Mimi