Read keyid from the cert appended to the key file
Allow to have certificate appended to the private key of `--key' specified (PEM) file (for v2 signing) to facilitate reading of keyid from the associated cert. This will allow users to have private and public key as a single file and avoid the need of manually specifying keyid. There is no check that public key from the cert matches associated private key. Signed-off-by: Vitaly Chikunov <vt@altlinux.org> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

committed by
Mimi Zohar

parent
0e7a00e26b
commit
40621b2259
3
README
3
README
@ -128,6 +128,9 @@ for signing and importing the key.
|
||||
Second key format uses X509 DER encoded public key certificates and uses asymmetric key support
|
||||
in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
|
||||
|
||||
For v2 signatures x509 certificate (containing the public key) could be appended to the
|
||||
private key (they both are in PEM format) to automatically extract keyid from its Subject
|
||||
Key Identifier (SKID).
|
||||
|
||||
Integrity keyrings
|
||||
----------------
|
||||
|
@ -976,8 +976,12 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
|
||||
|
||||
if (imaevm_params.keyid)
|
||||
keyid = htonl(imaevm_params.keyid);
|
||||
else
|
||||
calc_keyid_v2(&keyid, name, pkey);
|
||||
else {
|
||||
int keyid_read_failed = read_keyid_from_cert(&keyid, keyfile, false);
|
||||
|
||||
if (keyid_read_failed)
|
||||
calc_keyid_v2(&keyid, name, pkey);
|
||||
}
|
||||
hdr->keyid = keyid;
|
||||
|
||||
st = "EVP_PKEY_CTX_new";
|
||||
|
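Review bot: The keyid returned by `read_keyid_from_cert(&keyid, keyfile, false)` is stored into `hdr->keyid` without any check that the appended certificate's public key belongs to `pkey`, so a key file whose trailing cert is for some other key produces a signature carrying a keyid the signing key does not have; the commit message acknowledges this gap. Since the keyid is what a verifier uses to select the public key, such a signature only fails (or is checked against the wrong key) at verification time, far from the cause. read_keyid_from_cert() is outside the hunk, so the check belongs either inside it or right after the call: have the helper also hand back the parsed X509 and treat `X509_check_private_key(cert, pkey) != 1` as a read failure, so the existing `if (keyid_read_failed)` branch falls through to calc_keyid_v2() (or, arguably, signing should fail loudly rather than silently pick a different keyid). The meaning of the literal `false` third argument is not visible here; if it selects a non-fatal mode, a short comment on the call, e.g. `/* no cert appended is not an error: fall back to computing the keyid */`, would say so. sign_hash_v2() starts and ends outside the hunk.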
@ -20,13 +20,14 @@ PATH=../src:$PATH
|
||||
type openssl
|
||||
|
||||
log() {
|
||||
echo - "$*"
|
||||
echo >&2 - "$*"
|
||||
eval "$@"
|
||||
}
|
||||
|
||||
if [ "$1" = clean ]; then
|
||||
rm -f test-ca.conf
|
||||
elif [ "$1" = force ] || [ ! -e test-ca.conf ]; then
|
||||
elif [ "$1" = force ] || [ ! -e test-ca.conf ] \
|
||||
|| [ gen-keys.sh -nt test-ca.conf ]; then
|
||||
cat > test-ca.conf <<- EOF
|
||||
[ req ]
|
||||
distinguished_name = req_distinguished_name
|
||||
@ -43,26 +44,44 @@ cat > test-ca.conf <<- EOF
|
||||
basicConstraints=CA:TRUE
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid:always,issuer
|
||||
|
||||
[ skid ]
|
||||
basicConstraints=CA:TRUE
|
||||
subjectKeyIdentifier=12345678
|
||||
authorityKeyIdentifier=keyid:always,issuer
|
||||
EOF
|
||||
fi
|
||||
|
||||
# RSA
|
||||
# Second key will be used for wrong key tests.
|
||||
for m in 1024 2048; do
|
||||
if [ "$1" = clean ] || [ "$1" = force ]; then
|
||||
for m in 1024 1024_skid 2048; do
|
||||
if [ "$1" = clean ] || [ "$1" = force ] \
|
||||
|| [ gen-keys.sh -nt test-rsa$m.key ]; then
|
||||
rm -f test-rsa$m.cer test-rsa$m.key test-rsa$m.pub
|
||||
fi
|
||||
if [ "$1" = clean ]; then
|
||||
continue
|
||||
fi
|
||||
if [ -z "${m%%*_*}" ]; then
|
||||
# Add named extension.
|
||||
bits=${m%_*}
|
||||
ext="-extensions ${m#*_}"
|
||||
else
|
||||
bits=$m
|
||||
ext=
|
||||
fi
|
||||
if [ ! -e test-rsa$m.key ]; then
|
||||
log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
|
||||
log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 $ext \
|
||||
-config test-ca.conf \
|
||||
-newkey rsa:$m \
|
||||
-newkey rsa:$bits \
|
||||
-out test-rsa$m.cer -outform DER \
|
||||
-keyout test-rsa$m.key
|
||||
# for v1 signatures
|
||||
log openssl pkey -in test-rsa$m.key -out test-rsa$m.pub -pubout
|
||||
if [ $m = 1024_skid ]; then
|
||||
# Create combined key+cert.
|
||||
log openssl x509 -inform DER -in test-rsa$m.cer >> test-rsa$m.key
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
|
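Review bot: The new `if [ $m = 1024_skid ]; then` step that appends the PEM cert to the key file hard-codes the one variant, while the `if [ -z "${m%%*_*}" ]` block just above already derives `bits` and `ext` for any `bits_extension` entry in the loop list; `if [ -n "$ext" ]; then` (and quoting `"$m"` for consistency with the rest of the script) keeps the combined-key step in line with that generalisation when more named extensions are added. The `[ gen-keys.sh -nt test-ca.conf ]` and `[ gen-keys.sh -nt test-rsa$m.key ]` checks name the script by bare filename, which like the rest of this script (judging by the `PATH=../src:$PATH` line) assumes the tests directory is the current directory; if it is ever run from elsewhere the missing file makes `-nt` silently false and stale keys are never regenerated, which `"$0"` in place of the bare name would avoid. `-nt` is not POSIX `test`, though both bash and dash provide it; the shebang that decides this is outside the hunk.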
@ -367,6 +367,7 @@ sign_verify rsa1024 sha1 0x030202:K:0080
|
||||
sign_verify rsa1024 sha224 0x030207:K:0080
|
||||
expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204aabbccdd0080 OPTS=--keyid=aabbccdd
|
||||
expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204:K:0080 OPTS=--keyid-from-cert=test-rsa1024.cer
|
||||
expect_pass check_sign TYPE=ima KEY=rsa1024_skid ALG=sha256 PREFIX=0x030204123456780080
|
||||
sign_verify rsa1024 sha256 0x030204:K:0080
|
||||
try_different_keys
|
||||
try_different_sigs
|
||||
|
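Review bot: The new `rsa1024_skid` check pins only the path where the appended certificate carries an SKID; neither the precedence of an explicit `--keyid` over the appended cert nor the fallback to calc_keyid_v2() when the appended cert yields no keyid is exercised, and both branches are new in sign_hash_v2(). The first is a one-liner modelled on the existing `--keyid` case: `expect_pass check_sign TYPE=ima KEY=rsa1024_skid ALG=sha256 PREFIX=0x030204aabbccdd0080 OPTS=--keyid=aabbccdd`. The fallback case needs a key file with an appended cert that has no SKID (generated in gen-keys.sh, outside this file), after which `expect_pass check_sign TYPE=ima KEY=<key-without-skid> ALG=sha256 PREFIX=0x030204:K:0080` would pin that the computed keyid is used.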