From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: [PATCH v3 3/3] ima-evm-utils: Read keyid from the cert appended to the key file
Date: Wed, 5 May 2021 06:48:29 +0300 [thread overview]
Message-ID: <20210505034829.80698-4-vt@altlinux.org> (raw)
In-Reply-To: <20210505034829.80698-1-vt@altlinux.org>
Allow to have certificate appended to the private key of `--key'
specified (PEM) file (for v2 signing) to facilitate reading of keyid
from the associated cert. This will allow users to have private and
public key as a single file. There is no check that public key form the
cert matches associated private key.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
README | 3 +++
src/libimaevm.c | 8 +++++---
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/README b/README
index 0e1f6ba..ea11bde 100644
--- a/README
+++ b/README
@@ -127,6 +127,9 @@ for signing and importing the key.
Second key format uses X509 DER encoded public key certificates and uses asymmetric key support
in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
+For v2 signatures x509 certificate with the public key could be appended to the private
+key (both are in PEM format) to properly determine its Subject Key Identifier (SKID).
+
Integrity keyrings
----------------
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 17d1c26..95b30f5 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -994,10 +994,12 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
return -1;
}
- if (imaevm_params.keyid)
+ if (imaevm_params.keyid) {
hdr->keyid = htonl(imaevm_params.keyid);
- else
- calc_keyid_v2(&hdr->keyid, name, pkey);
+ } else {
+ if (ima_read_keyid(keyfile, &hdr->keyid) == ULONG_MAX)
+ calc_keyid_v2(&hdr->keyid, name, pkey);
+ }
st = "EVP_PKEY_CTX_new";
if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
--
2.11.0
prev parent reply other threads:[~2021-05-05 3:49 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-05 3:48 [PATCH v3 0/3] ima-evm-utils: Add --keyid option Vitaly Chikunov
2021-05-05 3:48 ` [PATCH v3 1/3] ima-evm-utils: Allow manual setting keyid for signing Vitaly Chikunov
2021-05-05 3:48 ` [PATCH v3 2/3] ima-evm-utils: Allow manual setting keyid from a cert file Vitaly Chikunov
2021-05-05 3:48 ` Vitaly Chikunov [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210505034829.80698-4-vt@altlinux.org \
--to=vt@altlinux.org \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.