linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
	Vitaly Chikunov <vt@altlinux.org>,
	linux-integrity@vger.kernel.org,
	Jia Zhang <zhang.jia@linux.alibaba.com>
Subject: Re: [PATCH ima-evm-utils v3] ima-evm-utils: Support SM2 algorithm for sign and verify
Date: Fri, 2 Jul 2021 11:18:11 +0800	[thread overview]
Message-ID: <d7526f84-f7c9-cbc6-c4a5-3e8b8d78fb60@linux.alibaba.com> (raw)
In-Reply-To: <20210526084455.56705-1-tianjia.zhang@linux.alibaba.com>

Hi,

Any comment?

Cheers,
Tianjia

On 5/26/21 4:44 PM, Tianjia Zhang wrote:
> The combination of SM2 and SM3 algorithms has been implemented in the
> kernel. At present, the ima-evm-utils signature tool does not support
> this combination of algorithms. Because in the current version of
> OpenSSL 1.1.1, the SM2 algorithm and the public key using the EC
> algorithm share the same ID 'EVP_PKEY_EC', and the specific algorithm
> can only be distinguished by the curve name used. This patch supports
> this feature.
> 
> Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
> ---
>   src/libimaevm.c        | 20 ++++++++++++++++++++
>   tests/gen-keys.sh      | 22 ++++++++++++++++++++++
>   tests/ima_hash.test    |  3 +--
>   tests/sign_verify.test |  2 ++
>   4 files changed, 45 insertions(+), 2 deletions(-)
> 
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index fa6c278..589dd09 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -518,6 +518,16 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
>   		return -1;
>   	}
>   
> +#ifdef EVP_PKEY_SM2
> +	/* If EC key are used, check whether it is SM2 key */
> +	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
> +		EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
> +		int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
> +		if (curve == NID_sm2)
> +			EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
> +	}
> +#endif
> +
>   	st = "EVP_PKEY_CTX_new";
>   	if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
>   		goto err;
> @@ -932,6 +942,16 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
>   		return -1;
>   	}
>   
> +#ifdef EVP_PKEY_SM2
> +	/* If EC key are used, check whether it is SM2 key */
> +	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
> +		EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
> +		int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
> +		if (curve == NID_sm2)
> +			EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
> +	}
> +#endif
> +
>   	calc_keyid_v2(&keyid, name, pkey);
>   	hdr->keyid = keyid;
>   
> diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
> index 46130cf..a75dc2e 100755
> --- a/tests/gen-keys.sh
> +++ b/tests/gen-keys.sh
> @@ -112,6 +112,28 @@ for m in \
>       fi
>   done
>   
> +# SM2
> +for curve in sm2; do
> +  if [ "$1" = clean ] || [ "$1" = force ]; then
> +    rm -f test-$curve.cer test-$curve.key test-$curve.pub
> +  fi
> +  if [ "$1" = clean ]; then
> +    continue
> +  fi
> +  if [ ! -e test-$curve.key ]; then
> +    log openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 \
> +      -sm3 -sigopt "distid:1234567812345678" \
> +      -config test-ca.conf \
> +      -copy_extensions copyall \
> +      -newkey $curve \
> +      -out test-$curve.cer -outform DER \
> +      -keyout test-$curve.key
> +    if [ -s test-$curve.key ]; then
> +      log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
> +    fi
> +  fi
> +done
> +
>   # This script leaves test-ca.conf, *.cer, *.pub, *.key files for sing/verify tests.
>   # They are never deleted except by `make distclean'.
>   
> diff --git a/tests/ima_hash.test b/tests/ima_hash.test
> index 8d66e59..46de4c9 100755
> --- a/tests/ima_hash.test
> +++ b/tests/ima_hash.test
> @@ -70,8 +70,7 @@ expect_pass check  sha256     0x0404 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649
>   expect_pass check  sha384     0x0405 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
>   expect_pass check  sha512     0x0406 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
>   expect_pass check  rmd160     0x0403 9c1185a5c5e9fc54612808977ee8f548b2258d31
> -expect_fail check  sm3        0x01
> -expect_fail check  sm3-256    0x01
> +expect_pass check  sm3        0x01 1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b
>   _enable_gost_engine
>   expect_pass check  md_gost12_256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
>   expect_pass check  streebog256   0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
> diff --git a/tests/sign_verify.test b/tests/sign_verify.test
> index 3d7aa51..7ad2d96 100755
> --- a/tests/sign_verify.test
> +++ b/tests/sign_verify.test
> @@ -387,6 +387,8 @@ sign_verify  prime256v1 sha256 0x030204:K:004[345678]
>   sign_verify  prime256v1 sha384 0x030205:K:004[345678]
>   sign_verify  prime256v1 sha512 0x030206:K:004[345678]
>   
> +sign_verify  sm2        sm3    0x030211:K:004[345678]
> +
>   # Test v2 signatures with EC-RDSA
>   _enable_gost_engine
>   sign_verify  gost2012_256-A md_gost12_256 0x030212:K:0040
> 

  reply	other threads:[~2021-07-02  3:18 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-26  8:44 [PATCH ima-evm-utils v3] ima-evm-utils: Support SM2 algorithm for sign and verify Tianjia Zhang
2021-07-02  3:18 ` Tianjia Zhang [this message]
2021-07-07  2:28   ` Mimi Zohar
2021-07-09  9:06     ` Tianjia Zhang
2021-07-09 12:05       ` Mimi Zohar
2021-07-12 12:12         ` Tianjia Zhang
2021-07-12 12:35           ` Mimi Zohar
2021-07-12 12:45             ` Tianjia Zhang
2021-07-12 20:27               ` Petr Vorel
2021-07-12 22:44                 ` Mimi Zohar
2021-07-14 13:07                 ` Tianjia Zhang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d7526f84-f7c9-cbc6-c4a5-3e8b8d78fb60@linux.alibaba.com \
    --to=tianjia.zhang@linux.alibaba.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=vt@altlinux.org \
    --cc=zhang.jia@linux.alibaba.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).