From: Stefan Berger <stefanb@linux.ibm.com>
To: zohar@linux.ibm.com, vt@altlinux.org, linux-integrity@vger.kernel.org
Subject: Re: [PATCH] ima_evm_utils: Add testing with elliptic curves prime192v1 and 256v1
Date: Mon, 1 Feb 2021 21:52:17 -0500 [thread overview]
Message-ID: <98a96c4e-6751-2496-9697-d78d583b3799@linux.ibm.com> (raw)
In-Reply-To: <20210202015055.1506308-1-stefanb@linux.ibm.com>
On 2/1/21 8:50 PM, Stefan Berger wrote:
> Add test cases that test the signing and signature verification with the
> elliptic curves prime192v1 and prime256v1, also known as NIST P192 and
> P256. These curves will soon be supported by Linux. If OpenSSL cannot
> generate prime192v1 keys, as is the case on Fedora, where this curve is
> not supported, the respective tests will be skipped automatically.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> tests/gen-keys.sh | 20 ++++++++++++++++++++
> tests/sign_verify.test | 15 +++++++++++++++
> 2 files changed, 35 insertions(+)
>
> diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
> index 407876b..46130cf 100755
> --- a/tests/gen-keys.sh
> +++ b/tests/gen-keys.sh
> @@ -66,6 +66,26 @@ for m in 1024 2048; do
> fi
> done
>
> +for curve in prime192v1 prime256v1; do
> + if [ "$1" = clean ] || [ "$1" = force ]; then
> + rm -f test-$curve.cer test-$curve.key test-$curve.pub
> + fi
> + if [ "$1" = clean ]; then
> + continue
> + fi
> + if [ ! -e test-$curve.key ]; then
> + log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
> + -config test-ca.conf \
> + -newkey ec \
> + -pkeyopt ec_paramgen_curve:$curve \
> + -out test-$curve.cer -outform DER \
> + -keyout test-$curve.key
> + if [ -s test-$curve.key ]; then
> + log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
> + fi
> + fi
> +done
> +
> # EC-RDSA
> for m in \
> gost2012_256:A \
> diff --git a/tests/sign_verify.test b/tests/sign_verify.test
> index 288e133..b4fffda 100755
> --- a/tests/sign_verify.test
> +++ b/tests/sign_verify.test
> @@ -366,6 +366,21 @@ sign_verify rsa1024 sha384 0x030205:K:0080
> sign_verify rsa1024 sha512 0x030206:K:0080
> sign_verify rsa1024 rmd160 0x030203:K:0080
>
> +# Test v2 signatures with ECDSA
> +# Signature length can be 0x36-0x38 bytes long
> +sign_verify prime192v1 sha1 0x030202:K:003[678]
Actually valid sizes are also 0x35 and 0x45 below. Smaller ones seems to
be rather rare, though, but I will leave my tests running. It depends on
the r and s components of the signature and whether they have leading
zeros, which will be cut away.
So I need to send a v2 for this.
Stefan
prev parent reply other threads:[~2021-02-02 2:53 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-02 1:50 [PATCH] ima_evm_utils: Add testing with elliptic curves prime192v1 and 256v1 Stefan Berger
2021-02-02 2:52 ` Stefan Berger [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=98a96c4e-6751-2496-9697-d78d583b3799@linux.ibm.com \
--to=stefanb@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=vt@altlinux.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).