* [PATCH v2 0/2] ima_evm_utils: Add tests for ECDSA signature checking
@ 2021-02-02 15:56 Stefan Berger
From: Stefan Berger @ 2021-02-02 15:56 UTC (permalink / raw)
To: zohar, vt, linux-integrity; +Cc: Stefan Berger
This series of patches fixes the calculation of the keyid in the
sign_verify.sh script when it runs on older distros, such as CentOS 7
or Ubuntu Xenial, and then adds ECDSA signature checking using elliptic
curve keys.
Stefan
Stefan Berger (2):
ima_evm_utils: Fix calculation of keyid for older distros
ima_evm_utils: Add testing with elliptic curves prime192v1 and 256v1
tests/gen-keys.sh | 20 ++++++++++++++++++++
tests/sign_verify.test | 16 ++++++++++++++++
2 files changed, 36 insertions(+)
--
2.26.2
* [PATCH v2 1/2] ima_evm_utils: Fix calculation of keyid for older distros
From: Stefan Berger @ 2021-02-02 15:56 UTC (permalink / raw)
To: zohar, vt, linux-integrity; +Cc: Stefan Berger
Older distros, such as Ubuntu Xenial or CentOS 7, fail to calculate the
keyid properly in the bash script. Adding 'tail -n1' into the pipe fixes
the issue since we otherwise have two numbers in 'id' due to two
'BIT STRING's.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
tests/sign_verify.test | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 288e133..2477b34 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -43,6 +43,7 @@ _keyid_from_cert() {
id=$($cmd 2>/dev/null \
| openssl asn1parse \
| grep BIT.STRING \
+ | tail -n1 \
| cut -d: -f1)
if [ -z "$id" ]; then
echo - "$cmd" >&2
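Review bot: the new `| tail -n1 \` resolves the duplicate match by position rather than by content, so the script now silently assumes the wanted BIT STRING is the last one `openssl asn1parse` prints; the commit message explains that older distros emit two BIT STRINGs, but nothing in the script records that. Suggest a one-line comment above the pipe stating why the last match is taken, and optionally treating more than one match as an error on platforms where exactly one is expected, so a future change in asn1parse output cannot make the keyid quietly point at the wrong field.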
--
2.26.2
* [PATCH v2 2/2] ima_evm_utils: Add testing with elliptic curves prime192v1 and 256v1
From: Stefan Berger @ 2021-02-02 15:56 UTC (permalink / raw)
To: zohar, vt, linux-integrity; +Cc: Stefan Berger
Add test cases that test the signing and signature verification with the
elliptic curves prime192v1 and prime256v1, also known as NIST P192 and
P256. These curves will soon be supported by Linux. If OpenSSL cannot
generate prime192v1 keys, as is the case on Fedora, where this curve is
not supported, the respective tests will be skipped automatically.
The r and s integer components of the signature can have varying size.
Therefore we do the size checks for the entire signature with a regular
expression that accounts for the varying size. The most typical cases
are supported following hours of running the tests with varying keys.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
tests/gen-keys.sh | 20 ++++++++++++++++++++
tests/sign_verify.test | 15 +++++++++++++++
2 files changed, 35 insertions(+)
diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
index 407876b..46130cf 100755
--- a/tests/gen-keys.sh
+++ b/tests/gen-keys.sh
@@ -66,6 +66,26 @@ for m in 1024 2048; do
fi
done
+for curve in prime192v1 prime256v1; do
+ if [ "$1" = clean ] || [ "$1" = force ]; then
+ rm -f test-$curve.cer test-$curve.key test-$curve.pub
+ fi
+ if [ "$1" = clean ]; then
+ continue
+ fi
+ if [ ! -e test-$curve.key ]; then
+ log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
+ -config test-ca.conf \
+ -newkey ec \
+ -pkeyopt ec_paramgen_curve:$curve \
+ -out test-$curve.cer -outform DER \
+ -keyout test-$curve.key
+ if [ -s test-$curve.key ]; then
+ log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
+ fi
+ fi
+done
+
# EC-RDSA
for m in \
gost2012_256:A \
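Review bot: the skip-on-unsupported-curve behaviour described in the commit message rests on `test-$curve.key` being absent or empty after `log openssl req ...` fails; the loop never checks that command's exit status, so any other failure (a missing test-ca.conf, a write error) is also turned into a silent skip of the ECDSA tests. Suggest testing the return value of the `openssl req` invocation and removing a partial `test-$curve.cer`/`test-$curve.key` on failure, so that only the genuinely unsupported prime192v1 case is skipped and every other failure is reported.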
diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 2477b34..4f2caaa 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -367,6 +367,21 @@ sign_verify rsa1024 sha384 0x030205:K:0080
sign_verify rsa1024 sha512 0x030206:K:0080
sign_verify rsa1024 rmd160 0x030203:K:0080
+# Test v2 signatures with ECDSA
+# Signature length is typically 0x34-0x38 bytes long, very rarely 0x33
+sign_verify prime192v1 sha1 0x030202:K:003[345678]
+sign_verify prime192v1 sha224 0x030207:K:003[345678]
+sign_verify prime192v1 sha256 0x030204:K:003[345678]
+sign_verify prime192v1 sha384 0x030205:K:003[345678]
+sign_verify prime192v1 sha512 0x030206:K:003[345678]
+
+# Signature length is typically 0x44-0x48 bytes long, very rarely 0x43
+sign_verify prime256v1 sha1 0x030202:K:004[345678]
+sign_verify prime256v1 sha224 0x030207:K:004[345678]
+sign_verify prime256v1 sha256 0x030204:K:004[345678]
+sign_verify prime256v1 sha384 0x030205:K:004[345678]
+sign_verify prime256v1 sha512 0x030206:K:004[345678]
+
# Test v2 signatures with EC-RDSA
_enable_gost_engine
sign_verify gost2012_256-A md_gost12_256 0x030212:K:0040
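Review bot: the `003[345678]` and `004[345678]` length classes encode an empirical lower bound ("very rarely 0x33"), but the DER length of an ECDSA signature has no hard floor: r or s can begin with more than one zero byte, so a 0x32 or 0x42 signature is possible with vanishing probability and would fail the test spuriously. Suggest stating in the comment that the bound is probabilistic (the "very rarely" wording hints at it but does not say the test can misfire), or loosening the class so a valid but unusually short signature cannot produce a false failure.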
--
2.26.2
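The varying signature length that patch 2/2 handles with a regular expression follows from DER: an ECDSA signature is SEQUENCE { INTEGER r, INTEGER s }, and each minimally encoded INTEGER gains a 0x00 byte when its top bit is set or shrinks when the value has leading zero bytes. The following is an added illustration, not code from ima-evm-utils; it assumes that the trailing field of a pattern such as `0x030204:K:0080` is the signature size as four hex digits (0x0080 = 128 bytes for the RSA-1024 lines) and uses the published group orders of prime192v1 and prime256v1.

```python
import re
import secrets

# Group orders n of the two curves added by the patch (SEC 2 / FIPS 186).
CURVE_ORDER = {
    "prime192v1": 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831,
    "prime256v1": 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
}

def der_integer(value):
    """Minimal DER INTEGER (tag 0x02) for a non-negative integer."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # top bit set would read as negative: prepend 0x00
        body = b"\x00" + body
    return bytes([0x02, len(body)]) + body

def der_ecdsa_signature(r, s):
    """SEQUENCE { r, s }; short-form length is enough for these curves."""
    content = der_integer(r) + der_integer(s)
    return bytes([0x30, len(content)]) + content

def sampled_signature_lengths(curve, samples=4096):
    """Distinct DER lengths seen for random (r, s) in [1, n).

    ECDSA's r and s look like uniform scalars mod n, so random scalars
    reproduce the length distribution without performing any signing.
    """
    n = CURVE_ORDER[curve]
    lengths = set()
    for _ in range(samples):
        r = 1 + secrets.randbelow(n - 1)
        s = 1 + secrets.randbelow(n - 1)
        lengths.add(len(der_ecdsa_signature(r, s)))
    return sorted(lengths)

def matches_test_pattern(pattern, sig_len):
    """Match a byte length against the test's 4-hex-digit length field.

    Assumption: the last field of 0x030204:K:0080 is the signature size as
    a 16-bit big-endian value printed in hex (0x80 = 128 bytes for RSA-1024).
    """
    return re.fullmatch(pattern, f"{sig_len:04x}") is not None

if __name__ == "__main__":
    for curve, pat in (("prime192v1", "003[345678]"), ("prime256v1", "004[345678]")):
        seen = sampled_signature_lengths(curve)
        print(curve, [hex(n) for n in seen],
              all(matches_test_pattern(pat, n) for n in seen))
```

Running it shows 0x46-0x48 (P-256) and 0x36-0x38 (P-192) dominating, with the shorter lengths from the patch's comments appearing only occasionally, which is why a fixed length such as the RSA lines use would make the ECDSA tests flaky.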
* Re: [PATCH v2 0/2] ima_evm_utils: Add tests for ECDSA signature checking
From: Stefan Berger @ 2021-02-02 17:42 UTC (permalink / raw)
To: zohar, vt, linux-integrity
On 2/2/21 10:56 AM, Stefan Berger wrote:
> This series of patches fixes the calculation of the keyid in the
> sign_verify.sh script when it runs on older distros, such as CentOS 7
> or Ubuntu Xenial, and then adds ECDSA signature checking using elliptic
> curve keys.
This series passes all relevant Travis tests. The one failure seems
unrelated to the modifications in this series.
https://travis-ci.com/github/stefanberger/ima-evm-utils/builds/215764182
>
> Stefan
>
> Stefan Berger (2):
> ima_evm_utils: Fix calculation of keyid for older distros
> ima_evm_utils: Add testing with elliptic curves prime192v1 and 256v1
>
> tests/gen-keys.sh | 20 ++++++++++++++++++++
> tests/sign_verify.test | 16 ++++++++++++++++
> 2 files changed, 36 insertions(+)
>
* Re: [PATCH v2 0/2] ima_evm_utils: Add tests for ECDSA signature checking
From: Mimi Zohar @ 2021-02-04 13:08 UTC (permalink / raw)
To: Stefan Berger, vt, linux-integrity
On Tue, 2021-02-02 at 12:42 -0500, Stefan Berger wrote:
> On 2/2/21 10:56 AM, Stefan Berger wrote:
> > This series of patches fixes the calculation of the keyid in the
> > sign_verify.sh script when it runs on older distros, such as CentOS 7
> > or Ubuntu Xenial, and then adds ECDSA signature checking using elliptic
> > curve keys.
>
> This series passes all relevant Travis tests. The one failure seems
> unrelated to the modifications in this series.
>
> https://travis-ci.com/github/stefanberger/ima-evm-utils/builds/215764182
Yes, this is a known failure. The tip of the next-testing branch
changes "eoan" to "groovy" - 056a7d284c15 ("travis: Use Ubuntu 20.10
groovy").
thanks,
Mimi