* [PATCH] ima_evm_utils: Add testing with elliptic curves prime192v1 and 256v1
@ 2021-02-02 1:50 Stefan Berger
2021-02-02 2:52 ` Stefan Berger
0 siblings, 1 reply; 2+ messages in thread
From: Stefan Berger @ 2021-02-02 1:50 UTC (permalink / raw)
To: zohar, vt, linux-integrity; +Cc: Stefan Berger
Add test cases that test the signing and signature verification with the
elliptic curves prime192v1 and prime256v1, also known as NIST P192 and
P256. These curves will soon be supported by Linux. If OpenSSL cannot
generate prime192v1 keys, as is the case on Fedora, where this curve is
not supported, the respective tests will be skipped automatically.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
tests/gen-keys.sh | 20 ++++++++++++++++++++
tests/sign_verify.test | 15 +++++++++++++++
2 files changed, 35 insertions(+)
diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
index 407876b..46130cf 100755
--- a/tests/gen-keys.sh
+++ b/tests/gen-keys.sh
@@ -66,6 +66,26 @@ for m in 1024 2048; do
fi
done
+for curve in prime192v1 prime256v1; do
+ if [ "$1" = clean ] || [ "$1" = force ]; then
+ rm -f test-$curve.cer test-$curve.key test-$curve.pub
+ fi
+ if [ "$1" = clean ]; then
+ continue
+ fi
+ if [ ! -e test-$curve.key ]; then
+ log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
+ -config test-ca.conf \
+ -newkey ec \
+ -pkeyopt ec_paramgen_curve:$curve \
+ -out test-$curve.cer -outform DER \
+ -keyout test-$curve.key
+ if [ -s test-$curve.key ]; then
+ log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
+ fi
+ fi
+done
+
# EC-RDSA
for m in \
gost2012_256:A \
diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 288e133..b4fffda 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -366,6 +366,21 @@ sign_verify rsa1024 sha384 0x030205:K:0080
sign_verify rsa1024 sha512 0x030206:K:0080
sign_verify rsa1024 rmd160 0x030203:K:0080
+# Test v2 signatures with ECDSA
+# Signature length can be 0x36-0x38 bytes long
+sign_verify prime192v1 sha1 0x030202:K:003[678]
+sign_verify prime192v1 sha224 0x030207:K:003[678]
+sign_verify prime192v1 sha256 0x030204:K:003[678]
+sign_verify prime192v1 sha384 0x030205:K:003[678]
+sign_verify prime192v1 sha512 0x030206:K:003[678]
+
+# Signature length can be 0x46-0x48 bytes long
+sign_verify prime256v1 sha1 0x030202:K:004[678]
+sign_verify prime256v1 sha224 0x030207:K:004[678]
+sign_verify prime256v1 sha256 0x030204:K:004[678]
+sign_verify prime256v1 sha384 0x030205:K:004[678]
+sign_verify prime256v1 sha512 0x030206:K:004[678]
+
# Test v2 signatures with EC-RDSA
_enable_gost_engine
sign_verify gost2012_256-A md_gost12_256 0x030212:K:0040
--
2.26.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] ima_evm_utils: Add testing with elliptic curves prime192v1 and 256v1
2021-02-02 1:50 [PATCH] ima_evm_utils: Add testing with elliptic curves prime192v1 and 256v1 Stefan Berger
@ 2021-02-02 2:52 ` Stefan Berger
0 siblings, 0 replies; 2+ messages in thread
From: Stefan Berger @ 2021-02-02 2:52 UTC (permalink / raw)
To: zohar, vt, linux-integrity
On 2/1/21 8:50 PM, Stefan Berger wrote:
> Add test cases that test the signing and signature verification with the
> elliptic curves prime192v1 and prime256v1, also known as NIST P192 and
> P256. These curves will soon be supported by Linux. If OpenSSL cannot
> generate prime192v1 keys, as is the case on Fedora, where this curve is
> not supported, the respective tests will be skipped automatically.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> ---
> tests/gen-keys.sh | 20 ++++++++++++++++++++
> tests/sign_verify.test | 15 +++++++++++++++
> 2 files changed, 35 insertions(+)
>
> diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
> index 407876b..46130cf 100755
> --- a/tests/gen-keys.sh
> +++ b/tests/gen-keys.sh
> @@ -66,6 +66,26 @@ for m in 1024 2048; do
> fi
> done
>
> +for curve in prime192v1 prime256v1; do
> + if [ "$1" = clean ] || [ "$1" = force ]; then
> + rm -f test-$curve.cer test-$curve.key test-$curve.pub
> + fi
> + if [ "$1" = clean ]; then
> + continue
> + fi
> + if [ ! -e test-$curve.key ]; then
> + log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
> + -config test-ca.conf \
> + -newkey ec \
> + -pkeyopt ec_paramgen_curve:$curve \
> + -out test-$curve.cer -outform DER \
> + -keyout test-$curve.key
> + if [ -s test-$curve.key ]; then
> + log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
> + fi
> + fi
> +done
> +
> # EC-RDSA
> for m in \
> gost2012_256:A \
> diff --git a/tests/sign_verify.test b/tests/sign_verify.test
> index 288e133..b4fffda 100755
> --- a/tests/sign_verify.test
> +++ b/tests/sign_verify.test
> @@ -366,6 +366,21 @@ sign_verify rsa1024 sha384 0x030205:K:0080
> sign_verify rsa1024 sha512 0x030206:K:0080
> sign_verify rsa1024 rmd160 0x030203:K:0080
>
> +# Test v2 signatures with ECDSA
> +# Signature length can be 0x36-0x38 bytes long
> +sign_verify prime192v1 sha1 0x030202:K:003[678]
Actually valid sizes are also 0x35 and 0x45 below. Smaller ones seems to
be rather rare, though, but I will leave my tests running. It depends on
the r and s components of the signature and whether they have leading
zeros, which will be cut away.
So I need to send a v2 for this.
Stefan
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-02-02 2:53 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-02 1:50 [PATCH] ima_evm_utils: Add testing with elliptic curves prime192v1 and 256v1 Stefan Berger
2021-02-02 2:52 ` Stefan Berger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).