linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	linux-integrity@vger.kernel.org,
	"Dmitry V. Levin" <ldv@altlinux.org>
Subject: Re: [PATCH v6 1/3] ima-evm-utils: Allow manual setting keyid for signing
Date: Thu, 1 Jul 2021 00:10:48 +0300	[thread overview]
Message-ID: <20210630211048.yx5vwneymszr5ssj@altlinux.org> (raw)
In-Reply-To: <3aa852febc49d159783597b0de56060cf5efb269.camel@linux.ibm.com>

Mimi,

On Wed, Jun 30, 2021 at 04:47:53PM -0400, Mimi Zohar wrote:
> On Wed, 2021-06-30 at 22:44 +0300, Vitaly Chikunov wrote:
> > On Wed, Jun 30, 2021 at 12:39:02PM -0400, Mimi Zohar wrote:
> > > On Tue, 2021-06-29 at 04:32 +0300, Vitaly Chikunov wrote:
> > > > On Mon, Jun 28, 2021 at 04:50:42PM -0400, Mimi Zohar wrote:
> > > > > 
> > > > > Thank you for the detailed explanation.
> > > > > 
> > > > > On Sat, 2021-06-26 at 03:42 +0300, Vitaly Chikunov wrote:
> > > > > 
> > > > > > > Requiring the optarg value to be prefixed with "0x" would
> > > > > > > simplify the strlen test.
> > > > > > > (The subsequent patch wouldn't need a contrived prefix.)
> > > > > > 
> > > > > > (I do not understand this remark at the moment.)
> > > > > > 
> > > > > > Base 16 will let user pass keyid just as a string, copy-pasting from
> > > > > > somewhere else.
> > > > > 
> > > > > strtoul() supports prefixing the ascii-hex string with "0x".  To
> > > > > differentiate between a keyid and pathname, why not require the keyid
> > > > > be prefixed with "0x", as opposed to requiring the pathname to be
> > > > > prefixed with '@', like "--keyid @/path/to/cert.pem".
> > > > 
> > > > I wanted to avoid (filename vs keyid) ambiguity of the argument to
> > > > `--keyid' - if user have file named "0x00112233" they would have hard
> > > > time passing it to `--keyid'. But, it's impossible to have keyid string
> > > > starting with "@". So, "@" perfectly distinguish type of `--keyid'
> > > > argument but "0x" isn't.
> > > > 
> > > > Also, in some software (zip, rar) "@" is common prefix meaning value
> > > > should be taken from the specified file. But, yes, "@" is not common
> > > > in Unix environments. Do you want me to create separate option like
> > > > `--keyid-from-file'?
> > > 
> > > It's highly unlikely that both the filename and pathname would be
> > > prefixed with "0x".  Defining a new option might be a good idea. 
> > > Possibly naming it --extract-cert-keyid,  ---cert-keyid, or --keyid-
> > > from-cert.  
> > 
> > It's not unlikely, because people may want to keep cert files named or
> > symlinked by keyid. (For example, local cert database keep cert files
> > symlinked like `f30dd6ad.0'.)
> > 
> > I will add an option, most understandable, perhaps, is `--keyid-from-cert'.
> > 
> > Also, I will remove base 16 from --keyid argument.
> 
> I must be missing something.  "openssl x509", "keyctl show
> %keyring:<keyring name>", and "getfattr -m security.ima -e hex --dump"  
> all display the skid in hex.  Why would anyone provide the skid as
> something other than in hex?

Ah, I thought you want '0x' prefix mandatory. Will not remove base 16
then. Also, /proc/keys shows keyid without '0x' prefix.

Thanks,


> 
> thanks,
> 
> Mimi 
> 

  reply	other threads:[~2021-06-30 21:11 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-11 11:56 [PATCH v6 0/3] ima-evm-utils: Add --keyid option Vitaly Chikunov
2021-05-11 11:56 ` [PATCH v6 1/3] ima-evm-utils: Allow manual setting keyid for signing Vitaly Chikunov
2021-06-25 12:21   ` Mimi Zohar
2021-06-26  0:42     ` Vitaly Chikunov
2021-06-28 20:50       ` Mimi Zohar
2021-06-29  1:32         ` Vitaly Chikunov
2021-06-30 16:39           ` Mimi Zohar
2021-06-30 19:44             ` Vitaly Chikunov
2021-06-30 20:47               ` Mimi Zohar
2021-06-30 21:10                 ` Vitaly Chikunov [this message]
2021-06-30 21:32                   ` Mimi Zohar
2021-05-11 11:56 ` [PATCH v6 2/3] ima-evm-utils: Allow manual setting keyid from a cert file Vitaly Chikunov
2021-06-25 12:22   ` Mimi Zohar
2021-06-26  0:27     ` Vitaly Chikunov
2021-06-30 16:39       ` Mimi Zohar
2021-05-11 11:56 ` [PATCH v6 3/3] ima-evm-utils: Read keyid from the cert appended to the key file Vitaly Chikunov
2021-06-25 12:22   ` Mimi Zohar
2021-06-26  0:21     ` Vitaly Chikunov
2021-06-30 17:38   ` Mimi Zohar
2021-06-30 19:10     ` Vitaly Chikunov
2021-06-30 19:26       ` Vitaly Chikunov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210630211048.yx5vwneymszr5ssj@altlinux.org \
    --to=vt@altlinux.org \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=ldv@altlinux.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=zohar@linux.ibm.com \
    --cc=zohar@linux.vnet.ibm.com \
    --subject='Re: [PATCH v6 1/3] ima-evm-utils: Allow manual setting keyid for signing' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).