From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org,
Vitaly Chikunov <vt@altlinux.org>
Subject: Re: [PATCH v7] ima-evm-utils: Add some tests for evmctl
Date: Thu, 19 Mar 2020 14:57:22 -0700
Message-ID: <62502cc8-c861-0227-cdce-4bbea6b05f3e@linux.microsoft.com>
In-Reply-To: <a8b77ade-58bf-88ac-542b-b8fbdd651db4@linux.microsoft.com>
Hi Vitaly,
When I run the tests, all ima_hash tests pass.
But most of sign_verify tests fail.
I am not sure if I am missing anything in the test setup. Please let me know.
In the file sign_verify.test, I commented out all the tests except the following:
sign_verify rsa1024 sha1 0x0301 --rsa
The text file sha1.txt created by the test is signed fine. But the
signature verification fails.
Please see the log at the end of the mail for more detail.
evmctl fails to decode the key file when using the public key
"test-rsa1024.pub"
evmctl -v ima_verify --key test-rsa1024.pub --xattr-user --rsa sha1.txt
>>> Failed to d2i_X509_fp key file: test-rsa1024.pub
But if I pass the certificate file, the file is decoded fine, but
signature verification fails.
evmctl -v ima_verify --key test-rsa1024.cer --xattr-user --rsa sha1.txt
>>> key 1: d33cbeb0 test-rsa1024.cer
Test log
--------
evmctl is ../src/evmctl
openssl is /usr/bin/openssl
xxd is /usr/bin/xxd
getfattr is /usr/bin/getfattr
- openssl dgst -sha1 sha1.txt
- openssl dgst -sha1 -sign test-rsa1024.key -hex sha1.txt
+ evmctl -v ima_sign --rsa --sigfile --hashalgo sha1 --key test-rsa1024.key --xattr-user sha1.txt
hash(sha1): da39a3ee5e6b4b0d3255bfef95601890afd80709
sighash: 52d14dacbdb7e7b4195f302357f2324aba026af5
evm/ima signature-v1: 146 bytes
Writing to sha1.txt.sig
030130ca735e0000502a83d5a17c171e01040034d161431091513a700f0f9c92c43aee09b59e48a66123afcc4fc8ca6ab9993aa61df9a5d3e38fdaed2e091c6c24b85a3418c1229417d4f3aedb230fd018e7658a6b785de56d3f8e5c029601d77b303f9100b547b5db4adf7e53877874d807811d47eac9ecefcebe6bd5ef49e345671ac87b5fb27e51ea8565dd19a4b93a4a80
+ evmctl -v ima_verify --key test-rsa1024.pub --xattr-user --rsa sha1.txt
evmctl ima_verify failed with (1)
Failed to d2i_X509_fp key file: test-rsa1024.pub
openssl: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
openssl: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
hash-v1: da39a3ee5e6b4b0d3255bfef95601890afd80709
thanks,
-lakshmi
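The "Failed to d2i_X509_fp key file" / "asn1_check_tlen:wrong tag" pair in the log is what OpenSSL reports when a DER X.509 certificate decoder is handed something else, most commonly a PEM file (whose first byte is '-', not the SEQUENCE tag 0x30) or a bare public key rather than a certificate. The sniffer below is an added illustration, not code from ima-evm-utils or from this thread; it classifies a key file by its leading ASN.1 tags the way a DER decoder does, and runs on constructed structural skeletons (labelled as such in the code) rather than real keys, so it says nothing about what the actual test-rsa1024.pub contains.

```python
"""Sniff what an X.509/key file contains, as a DER loader sees it.

Added illustration, not code from ima-evm-utils or from the mail thread.
OpenSSL's d2i_X509_fp() accepts only a DER-encoded Certificate; a PEM file
(first byte '-') or a bare SubjectPublicKeyInfo fails with "wrong tag".
"""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# ASN.1 tags used below
SEQUENCE, INTEGER, OID, NULL, BIT_STRING, CTX0 = 0x30, 0x02, 0x06, 0x05, 0x03, 0xA0
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def der(tag, payload):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def tlv(data, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER")
    tag, pos = data[pos], pos + 1
    length, pos = data[pos], pos + 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER")
    return tag, data[pos:pos + length], pos + length


def classify_der(data):
    """Name the structure by its leading tags, the way an ASN.1 decoder does."""
    if not data or data[0] != SEQUENCE:
        return "not a DER SEQUENCE (an X.509 decoder reports 'wrong tag')"
    _, body, _ = tlv(data)
    first_tag, first_val, _ = tlv(body)
    if first_tag == SEQUENCE:
        # Certificate: tbsCertificate starts with [0] version or INTEGER serial.
        # SubjectPublicKeyInfo: AlgorithmIdentifier starts with an OID.
        inner_tag, _, _ = tlv(first_val)
        if inner_tag in (CTX0, INTEGER):
            return "DER X.509 certificate"
        if inner_tag == OID:
            return "DER SubjectPublicKeyInfo (public key, not a certificate)"
    if first_tag == INTEGER:
        return "DER PKCS#1 RSA key (RSAPublicKey or RSAPrivateKey)"
    return "DER SEQUENCE of unrecognised type"


def classify_key_file(data):
    """Classify raw file bytes, unwrapping PEM armour if present."""
    m = PEM_RE.search(data)
    if m:
        label = m.group(1).decode()
        inner = base64.b64decode(b"".join(m.group(2).split()))
        return f"PEM '{label}' wrapping {classify_der(inner)}"
    return classify_der(data)


# Constructed samples: structurally valid skeletons, not real keys.
ALG_ID = der(SEQUENCE, der(OID, RSA_ENCRYPTION_OID) + der(NULL, b""))
SPKI_DER = der(SEQUENCE, ALG_ID + der(BIT_STRING, b"\x00" + b"\x01" * 140))
PEM_PUB = (b"-----BEGIN PUBLIC KEY-----\n"
           + base64.encodebytes(SPKI_DER)
           + b"-----END PUBLIC KEY-----\n")
TBS = der(SEQUENCE, der(CTX0, der(INTEGER, b"\x02")) + der(INTEGER, b"\x01") + ALG_ID)
CERT_DER = der(SEQUENCE, TBS + ALG_ID + der(BIT_STRING, b"\x00" + b"\x02" * 128))

if __name__ == "__main__":
    # Labels reuse the mail's file names purely to show which case is which.
    for name, blob in (("PEM public key (like a .pub)", PEM_PUB),
                       ("DER certificate (like a .cer)", CERT_DER)):
        print(f"{name}: {classify_key_file(blob)}")
```

Run against a real file with `classify_key_file(open(path, "rb").read())`. A "PEM ... wrapping DER SubjectPublicKeyInfo" result for the file passed to --key is consistent with the logged error, since the PEM text itself starts with 0x2D and even its decoded payload is not a Certificate; the check does not explain a verification failure with a file that does decode as a certificate.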