From 6e1b9b15216a3b28299bda059b340b4e1ba898b2 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 26 Apr 2023 18:35:56 -0400 Subject: [PATCH 1/4] Update default key sizes and hash to up-to-date values Update the documentation and example scripts to use 2048 bit RSA keys and sha256. Signed-off-by: Stefan Berger Signed-off-by: Mimi Zohar --- README | 14 +++++++------- examples/ima-gen-local-ca.sh | 2 +- examples/ima-genkey-self.sh | 4 ++-- examples/ima-genkey.sh | 4 ++-- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/README b/README index 75e4fd2..ae92f95 100644 --- a/README +++ b/README @@ -200,11 +200,11 @@ Generate signing and verification keys Generate private key in plain text format: - openssl genrsa -out privkey_evm.pem 1024 + openssl genrsa -out privkey_evm.pem 2048 Generate encrypted private key: - openssl genrsa -des3 -out privkey_evm.pem 1024 + openssl genrsa -des3 -out privkey_evm.pem 2048 Make encrypted private key from unencrypted: @@ -213,7 +213,7 @@ Make encrypted private key from unencrypted: Generate self-signed X509 public key certificate and private key for using kernel asymmetric keys support: - openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ + openssl req -new -nodes -utf8 -sha256 -days 36500 -batch \ -x509 -config x509_evm.genkey \ -outform DER -out x509_evm.der -keyout privkey_evm.pem @@ -221,7 +221,7 @@ Configuration file x509_evm.genkey: # Beginning of the file [ req ] - default_bits = 1024 + default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only @@ -292,7 +292,7 @@ Configuration file ima-local-ca.genkey: Generate private key and X509 public key certificate: - openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ + openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \ -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv Produce X509 in DER format for using while building the kernel: 
@@ -303,7 +303,7 @@ Configuration file ima.genkey: # Beginning of the file [ req ] - default_bits = 1024 + default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only @@ -327,7 +327,7 @@ Configuration file ima.genkey: Generate private key and X509 public key certificate signing request: - openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ + openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \ -out csr_ima.pem -keyout privkey_ima.pem Sign X509 public key certificate signing request with local IMA CA private key: diff --git a/examples/ima-gen-local-ca.sh b/examples/ima-gen-local-ca.sh index 1f24949..055463c 100755 --- a/examples/ima-gen-local-ca.sh +++ b/examples/ima-gen-local-ca.sh @@ -22,7 +22,7 @@ authorityKeyIdentifier=keyid:always,issuer # keyUsage = cRLSign, keyCertSign __EOF__ -openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ +openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \ -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem diff --git a/examples/ima-genkey-self.sh b/examples/ima-genkey-self.sh index e293b94..c04df37 100755 --- a/examples/ima-genkey-self.sh +++ b/examples/ima-genkey-self.sh @@ -4,7 +4,7 @@ GENKEY=x509_evm.genkey cat << __EOF__ >$GENKEY [ req ] -default_bits = 1024 +default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only @@ -22,7 +22,7 @@ subjectKeyIdentifier=hash authorityKeyIdentifier=keyid __EOF__ -openssl req -x509 -new -nodes -utf8 -sha1 -days 3650 -batch -config $GENKEY \ +openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \ -outform DER -out x509_evm.der -keyout privkey_evm.pem openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem diff --git a/examples/ima-genkey.sh b/examples/ima-genkey.sh index b08778f..c09205a 100755 --- a/examples/ima-genkey.sh 
+++ b/examples/ima-genkey.sh @@ -4,7 +4,7 @@ GENKEY=ima.genkey cat << __EOF__ >$GENKEY [ req ] -default_bits = 1024 +default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only @@ -25,7 +25,7 @@ authorityKeyIdentifier=keyid #authorityKeyIdentifier=keyid,issuer __EOF__ -openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ +openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \ -out csr_ima.pem -keyout privkey_ima.pem openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \ From 9f669a6b38997e1299480bf88c97521aa1557dc5 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 26 Apr 2023 18:35:57 -0400 Subject: [PATCH 2/4] Update OpenSSL config files for support for .machine keyring Update the OpenSSL config files for support for loading certs onto the .machine keyring where certain key usage flags must be set. Also update the OpenSSL config files shown in the README. Signed-off-by: Stefan Berger Signed-off-by: Mimi Zohar --- README | 3 ++- examples/ima-gen-local-ca.sh | 2 +- examples/ima-genkey.sh | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/README b/README index ae92f95..9e47eaf 100644 --- a/README +++ b/README @@ -235,6 +235,7 @@ Configuration file x509_evm.genkey: [ myexts ] basicConstraints=critical,CA:FALSE keyUsage=digitalSignature + extendedKeyUsage=critical,codeSigning subjectKeyIdentifier=hash authorityKeyIdentifier=keyid # EOF @@ -287,7 +288,7 @@ Configuration file ima-local-ca.genkey: basicConstraints=CA:TRUE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer - # keyUsage = cRLSign, keyCertSign + keyUsage = cRLSign, keyCertSign # EOF Generate private key and X509 public key certificate: diff --git a/examples/ima-gen-local-ca.sh b/examples/ima-gen-local-ca.sh index 055463c..6fd4997 100755 --- a/examples/ima-gen-local-ca.sh +++ b/examples/ima-gen-local-ca.sh 
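Review bot: The digest is pinned to SHA-256 only on the `openssl req` line of this hunk; the `openssl x509 -req ... -CA ima-local-ca.pem -CAkey ima-local-ca.priv` step two lines below, which produces the certificate that actually carries the signature, still uses the OpenSSL build default digest (SHA-1 on older 1.0.x releases), so the patch does not fully enforce its own intent. Pin it explicitly: `openssl x509 -req -sha256 -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \`. The `-days 365` on the CSR-generating `openssl req -new` line is ignored without `-x509` and only suggests it affects the CSR; it can be dropped. The closing `-outform DER -out x509_ima.der` line of that command lies outside the hunk.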
@@ -19,7 +19,7 @@ emailAddress = ca@ima-ca basicConstraints=CA:TRUE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer -# keyUsage = cRLSign, keyCertSign +keyUsage = cRLSign, keyCertSign __EOF__ openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \ diff --git a/examples/ima-genkey.sh b/examples/ima-genkey.sh index c09205a..00fa648 100755 --- a/examples/ima-genkey.sh +++ b/examples/ima-genkey.sh @@ -20,6 +20,7 @@ basicConstraints=critical,CA:FALSE #basicConstraints=CA:FALSE keyUsage=digitalSignature #keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage=critical,codeSigning subjectKeyIdentifier=hash authorityKeyIdentifier=keyid #authorityKeyIdentifier=keyid,issuer From ce9bfdd091dc5df5e9898c4cb747d2d474baa0a5 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 26 Apr 2023 18:35:58 -0400 Subject: [PATCH 3/4] Add openssl command line examples for creation of EC keys Add openssl command line examples for creation of EC keys for EVM and IMA CA and signing key. Signed-off-by: Stefan Berger Signed-off-by: Mimi Zohar --- README | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/README b/README index 9e47eaf..d631eb7 100644 --- a/README +++ b/README @@ -217,6 +217,18 @@ asymmetric keys support: -x509 -config x509_evm.genkey \ -outform DER -out x509_evm.der -keyout privkey_evm.pem +Create an elliptic curve (EC) key (supported since Linux v5.13) + + openssl ecparam -name prime256v1 -genkey -out privkey_evm.pem + +Generate self-signed x509 EC public key certificate and private key for using +kernel asymmetric key support (supported since Linux v5.13): + + openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ + -x509 -config x509_evm.genkey \ + -outform DER -out x509_evm.der -keyout privkey_evm.pem \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 + Configuration file x509_evm.genkey: # Beginning of the file 
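Review bot: Enabling `keyUsage = cRLSign, keyCertSign` is the right move for a CA profile, but neither this extension nor the `basicConstraints=CA:TRUE` two context lines above it is marked critical; RFC 5280 requires basicConstraints to be critical in CA certificates and recommends the same for keyUsage, and a non-critical extension may be ignored by a verifier. Since the commit already touches the CA profile, I would write `basicConstraints=critical,CA:TRUE` and `keyUsage = critical, cRLSign, keyCertSign`. Whether the kernel's X.509 parser insists on the critical flag for the .machine keyring I cannot confirm from this hunk, but a conformant profile costs nothing here. The README copy of ima-local-ca.genkey changed in the same patch has the same shape.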
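Review bot: `extendedKeyUsage=critical,codeSigning` is added here to the CA-signed IMA profile and, in the README hunk of the same patch, to the self-signed `x509_evm.genkey` profile, but the example script that actually writes that file, examples/ima-genkey-self.sh (its `[ myexts ]` block ends at `authorityKeyIdentifier=keyid`, visible in patch 1/4), is not updated, so the README and the shipped script now generate different self-signed certificates. Either add `extendedKeyUsage=critical,codeSigning` after `keyUsage=digitalSignature` in ima-genkey-self.sh as well, or say in the commit message why the self-signed EVM certificate is excluded. The commented-out `#keyUsage = nonRepudiation, digitalSignature, keyEncipherment` alternative directly above the new line is presumably not suitable for the .machine keyring use-case this commit targets and could be removed or annotated.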
@@ -245,6 +257,9 @@ Generate public key for using RSA key format: openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem +Similarly generate public EC key: + + openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem Copy keys to /etc/keys: @@ -291,6 +306,12 @@ Configuration file ima-local-ca.genkey: keyUsage = cRLSign, keyCertSign # EOF +Note: To generated elliptic curve keys add the following parameters to + the 'req' commands below (supported since Linux v5.13): + + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 + + Generate private key and X509 public key certificate: openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \ From 14bce8a97cf069a48e15acf9eb059a33882e8837 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 26 Apr 2023 18:35:59 -0400 Subject: [PATCH 4/4] Add example scripts for EC key and certs generation Add example scripts for EC key and certificate creation and reference them from the README and Makefile.am. Signed-off-by: Stefan Berger Signed-off-by: Mimi Zohar --- Makefile.am | 8 +++++++- README | 3 +++ examples/ima-gen-local-ca-ecc.sh | 28 +++++++++++++++++++++++++++ examples/ima-genkey-ecc.sh | 33 ++++++++++++++++++++++++++++++++ examples/ima-genkey-self-ecc.sh | 28 +++++++++++++++++++++++++++ 5 files changed, 99 insertions(+), 1 deletion(-) create mode 100755 examples/ima-gen-local-ca-ecc.sh create mode 100755 examples/ima-genkey-ecc.sh create mode 100755 examples/ima-genkey-self-ecc.sh diff --git a/Makefile.am b/Makefile.am index e686d65..9ec5681 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -7,7 +7,13 @@ if MANPAGE_DOCBOOK_XSL
 dist_man_MANS = evmctl.1
 endif
-doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
+doc_DATA = \
+ examples/ima-genkey-self.sh \
+ examples/ima-genkey.sh \
+ examples/ima-gen-local-ca.sh \
+ examples/ima-genkey-self-ecc.sh \
+ examples/ima-genkey-ecc.sh \
+ examples/ima-gen-local-ca-ecc.sh
 EXTRA_DIST = autogen.sh $(doc_DATA)
 CLEANFILES = *.html *.xsl
diff --git a/README b/README
index d631eb7..40a61f9 100644
--- a/README
+++ b/README
@@ -470,6 +470,9 @@ Examples of scripts to generate X509 public key certificates:
 /usr/share/doc/ima-evm-utils/ima-genkey-self.sh
 /usr/share/doc/ima-evm-utils/ima-genkey.sh
 /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh
+ /usr/share/doc/ima-evm-utils/ima-genkey-self-ecc.sh
+ /usr/share/doc/ima-evm-utils/ima-genkey-ecc.sh
+ /usr/share/doc/ima-evm-utils/ima-gen-local-ca-ecc.sh
 AUTHOR
diff --git a/examples/ima-gen-local-ca-ecc.sh b/examples/ima-gen-local-ca-ecc.sh
new file mode 100755
index 0000000..d5ab6e7
--- /dev/null
+++ b/examples/ima-gen-local-ca-ecc.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+GENKEY=ima-local-ca.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+O = IMA-CA
+CN = IMA/EVM certificate signing key
+emailAddress = ca@ima-ca
+
+[ v3_ca ]
+basicConstraints=CA:TRUE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+keyUsage = cRLSign, keyCertSign
+__EOF__
+
+openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
+ -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+
+openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
diff --git a/examples/ima-genkey-ecc.sh b/examples/ima-genkey-ecc.sh
new file mode 100755
index 0000000..e6301a6
--- /dev/null
+++ b/examples/ima-genkey-ecc.sh
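Review bot: examples/ima-gen-local-ca-ecc.sh has no error handling, so when the `openssl req` call fails (unsupported curve, aborted passphrase prompt) the final `openssl x509 -inform DER -in ima-local-ca.x509` still runs against a missing or stale file and the user gets a second, confusing error; add `set -e` directly after `#!/bin/sh` (POSIX, so it works with the `/bin/sh` shebang used here). The here-doc and `[ v3_ca ]` profile are a verbatim copy of examples/ima-gen-local-ca.sh with only the `-newkey ec -pkeyopt ec_paramgen_curve:prime256v1` line added; parallel copies of these profiles tend to drift, so a short comment such as `# Keep the [ v3_ca ] profile in sync with ima-gen-local-ca.sh and the README` would help the next maintainer. As in the RSA script, `basicConstraints=CA:TRUE` and `keyUsage = cRLSign, keyCertSign` are not marked critical, which RFC 5280 expects for CA certificates.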
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+GENKEY=ima.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_usr
+
+[ req_distinguished_name ]
+O = `hostname`
+CN = `whoami` signing key
+emailAddress = `whoami`@`hostname`
+
+[ v3_usr ]
+basicConstraints=critical,CA:FALSE
+#basicConstraints=CA:FALSE
+keyUsage=digitalSignature
+#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+#authorityKeyIdentifier=keyid,issuer
+__EOF__
+
+openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \
+ -out csr_ima.pem -keyout privkey_ima.pem \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+ -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
+ -outform DER -out x509_ima.der
diff --git a/examples/ima-genkey-self-ecc.sh b/examples/ima-genkey-self-ecc.sh
new file mode 100755
index 0000000..f4ef49f
--- /dev/null
+++ b/examples/ima-genkey-self-ecc.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+GENKEY=x509_evm.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = `hostname`
+CN = `whoami` signing key
+emailAddress = `whoami`@`hostname`
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+__EOF__
+
+openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \
+ -outform DER -out x509_evm.der -keyout privkey_evm.pem \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+
+openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem
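Review bot: In examples/ima-genkey-ecc.sh the `openssl x509 -req` step that signs the CSR with the CA key does not pass `-sha256`, so the digest of the certificate signature falls back to the OpenSSL build default even though the preceding `openssl req` line pins it; write `openssl x509 -req -sha256 -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \`. The `-days 365` on the `openssl req -new` line is ignored without `-x509` and can go. Like the other new scripts the file has no `set -e`, so a failed `openssl req` is followed by a second, confusing failure from `openssl x509` on a missing CSR. The backtick substitutions `hostname`/`whoami` inside the unquoted here-doc are expanded when the config is written, which appears intended, but `$(hostname)`/`$(whoami)` is the clearer modern form.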
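Review bot: In examples/ima-genkey-self-ecc.sh the `[ myexts ]` profile stops at `authorityKeyIdentifier=keyid` and lacks the `extendedKeyUsage=critical,codeSigning` line that patch 2/4 added to the README's `x509_evm.genkey` (the very file this script writes) and that the sibling ima-genkey-ecc.sh in this same patch carries in `[ v3_usr ]`, so the self-signed EC EVM certificate will differ from the documented one. If the EKU is required for loading onto the .machine keyring, as the patch 2/4 commit message suggests, add `extendedKeyUsage=critical,codeSigning` after `keyUsage=digitalSignature`; otherwise a one-line comment explaining the omission would pre-empt the question. `set -e` after the shebang would also stop the trailing `openssl ec -pubout` from running on a key that was never written.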