ima_evm_utils: Add testing with elliptic curves prime192v1 and 256v1

Add test cases that test the signing and signature verification with the elliptic curves prime192v1 and prime256v1, also known as NIST P192 and P256. These curves will soon be supported by Linux. If OpenSSL cannot generate prime192v1 keys, as is the case on Fedora, where this curve is not supported, the respective tests will be skipped automatically. The r and s integer components of the signature can have varying size. Therefore we do the size checks for the entire signature with a regular expression that accounts for the varying size. The most typical cases are supported following hours of running the tests with varying keys. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2025-04-27 22:32:31 +02:00 · 2021-02-02 10:56:25 -05:00 · 2021-02-02 10:56:25 -05:00 · 9473e3c887
commit 9473e3c887
parent cbbe31e1ca
2 changed files with 35 additions and 0 deletions
--- a/tests/gen-keys.sh
+++ b/tests/gen-keys.sh
@ -66,6 +66,26 @@ for m in 1024 2048; do
  fi
 done

+for curve in prime192v1 prime256v1; do
+  if [ "$1" = clean ] || [ "$1" = force ]; then
+    rm -f test-$curve.cer test-$curve.key test-$curve.pub
+  fi
+  if [ "$1" = clean ]; then
+    continue
+  fi
+  if [ ! -e test-$curve.key ]; then
+    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
+      -config test-ca.conf \
+      -newkey ec \
+      -pkeyopt ec_paramgen_curve:$curve \
+      -out test-$curve.cer -outform DER \
+      -keyout test-$curve.key
+    if [ -s test-$curve.key ]; then
+      log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
+    fi
+  fi
+done
+
 # EC-RDSA
 for m in \
  gost2012_256:A \
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@ -372,6 +372,21 @@ sign_verify  rsa1024  sha384  0x030205:K:0080
 sign_verify  rsa1024  sha512  0x030206:K:0080
 sign_verify  rsa1024  rmd160  0x030203:K:0080

+# Test v2 signatures with ECDSA
+# Signature length is typically 0x34-0x38 bytes long, very rarely 0x33
+sign_verify  prime192v1 sha1   0x030202:K:003[345678]
+sign_verify  prime192v1 sha224 0x030207:K:003[345678]
+sign_verify  prime192v1 sha256 0x030204:K:003[345678]
+sign_verify  prime192v1 sha384 0x030205:K:003[345678]
+sign_verify  prime192v1 sha512 0x030206:K:003[345678]
+
+# Signature length is typically 0x44-0x48 bytes long, very rarely 0x43
+sign_verify  prime256v1 sha1   0x030202:K:004[345678]
+sign_verify  prime256v1 sha224 0x030207:K:004[345678]
+sign_verify  prime256v1 sha256 0x030204:K:004[345678]
+sign_verify  prime256v1 sha384 0x030205:K:004[345678]
+sign_verify  prime256v1 sha512 0x030206:K:004[345678]
+
 # Test v2 signatures with EC-RDSA
 _enable_gost_engine
 sign_verify  gost2012_256-A md_gost12_256 0x030212:K:0040