From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
To: Stefan Berger <stefanb@linux.ibm.com>,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, patrick@puiterwijk.org,
linux-integrity@vger.kernel.org,
Vitaly Chikunov <vt@altlinux.org>,
Mimi Zohar <zohar@linux.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
David Howells <dhowells@redhat.com>
Subject: Re: [PATCH v6 4/4] ima: Support EC keys for signature verification
Date: Mon, 1 Feb 2021 18:36:10 +0800 [thread overview]
Message-ID: <a2657484-95e6-843c-7864-dd3b28557ce2@linux.alibaba.com> (raw)
In-Reply-To: <20210131233301.1301787-5-stefanb@linux.ibm.com>
On 2/1/21 7:33 AM, Stefan Berger wrote:
> Add support for IMA signature verification for EC keys. Since SHA type
> of hashes can be used by RSA and ECDSA signature schemes we need to
> look at the key and derive from the key which signature scheme to use.
> Since this can be applied to all types of keys, we change the selection
> of the encoding type to be driven by the key's signature scheme rather
> than by the hash type.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
> Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
> Cc: Mimi Zohar <zohar@linux.ibm.com>
> Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
> Cc: linux-integrity@vger.kernel.org
> Cc: Vitaly Chikunov <vt@altlinux.org>
> Cc: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
> Cc: David Howells <dhowells@redhat.com>
> Cc: keyrings@vger.kernel.org
> ---
> include/keys/asymmetric-type.h | 6 ++++++
> security/integrity/digsig_asymmetric.c | 29 ++++++++++++--------------
> 2 files changed, 19 insertions(+), 16 deletions(-)
>
> diff --git a/include/keys/asymmetric-type.h b/include/keys/asymmetric-type.h
> index a29d3ff2e7e8..c432fdb8547f 100644
> --- a/include/keys/asymmetric-type.h
> +++ b/include/keys/asymmetric-type.h
> @@ -72,6 +72,12 @@ const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key)
> return key->payload.data[asym_key_ids];
> }
>
> +static inline
> +const struct public_key *asymmetric_key_public_key(const struct key *key)
> +{
> + return key->payload.data[asym_crypto];
> +}
> +
> extern struct key *find_asymmetric_key(struct key *keyring,
> const struct asymmetric_key_id *id_0,
> const struct asymmetric_key_id *id_1,
> diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
> index a662024b4c70..29002d016607 100644
> --- a/security/integrity/digsig_asymmetric.c
> +++ b/security/integrity/digsig_asymmetric.c
> @@ -84,6 +84,7 @@ int asymmetric_verify(struct key *keyring, const char *sig,
> {
> struct public_key_signature pks;
> struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
> + const struct public_key *pk;
> struct key *key;
> int ret;
>
> @@ -105,23 +106,19 @@ int asymmetric_verify(struct key *keyring, const char *sig,
> memset(&pks, 0, sizeof(pks));
>
> pks.hash_algo = hash_algo_name[hdr->hash_algo];
> - switch (hdr->hash_algo) {
> - case HASH_ALGO_STREEBOG_256:
> - case HASH_ALGO_STREEBOG_512:
> - /* EC-RDSA and Streebog should go together. */
> - pks.pkey_algo = "ecrdsa";
> - pks.encoding = "raw";
> - break;
> - case HASH_ALGO_SM3_256:
> - /* SM2 and SM3 should go together. */
> - pks.pkey_algo = "sm2";
> - pks.encoding = "raw";
> - break;
> - default:
> - pks.pkey_algo = "rsa";
> +
> + pk = asymmetric_key_public_key(key);
> + pks.pkey_algo = pk->pkey_algo;
> + if (!strcmp(pk->pkey_algo, "rsa"))
> pks.encoding = "pkcs1";
> - break;
> - }
> + else if (!strcmp(pk->pkey_algo, "ecdsa"))
> + pks.encoding = "x962";
> + else if (!strcmp(pk->pkey_algo, "ecrdsa") ||
> + !strcmp(pk->pkey_algo, "sm2"))
> + pks.encoding = "raw";
> + else
> + return -ENOPKG;
> +
> pks.digest = (u8 *)data;
> pks.digest_size = datalen;
> pks.s = hdr->sig;
>
Looks good to me, so
Reviewed-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Thanks,
Tianjia
prev parent reply other threads:[~2021-02-01 10:37 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-31 23:32 [PATCH v6 0/4] Add support for x509 certs with NIST p256 and p192 keys Stefan Berger
2021-01-31 23:32 ` [PATCH v6 1/4] crypto: Add support for ECDSA signature verification Stefan Berger
2021-02-01 7:24 ` yumeng
2021-02-01 13:04 ` Stefan Berger
2021-01-31 23:32 ` [PATCH v6 2/4] x509: Detect sm2 keys by their parameters OID Stefan Berger
2021-02-01 10:39 ` Tianjia Zhang
2021-02-01 13:02 ` Stefan Berger
2021-01-31 23:33 ` [PATCH v6 3/4] x509: Add support for parsing x509 certs with ECDSA keys Stefan Berger
2021-01-31 23:33 ` [PATCH v6 4/4] ima: Support EC keys for signature verification Stefan Berger
2021-02-01 10:36 ` Tianjia Zhang [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a2657484-95e6-843c-7864-dd3b28557ce2@linux.alibaba.com \
--to=tianjia.zhang@linux.alibaba.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=patrick@puiterwijk.org \
--cc=stefanb@linux.ibm.com \
--cc=vt@altlinux.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).