dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-04-27 14:22:31 +02:00
Code Releases Activity

Merge branch 'update-ecc-doc-examples' into next

Browse Source 
From the cover letter:
Update the README and add example scripts for RSA keys to use more
up-to-date values for key sizes and hash being used and adjust the
OpenSSL config files so that the created keys can be used with the
.machine keyring. Add EC key and cert support scripts and describe
EC key and certificate generation in the README.
This commit is contained in:
Mimi Zohar 2023-04-27 09:59:18 -04:00
commit dc0cbaea42
8 changed files with 136 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Makefile.am
View File

@ -7,7 +7,13 @@ if MANPAGE_DOCBOOK_XSL
dist_man_MANS = evmctl.1 dist_man_MANS = evmctl.1
endif endif
doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh doc_DATA = \
examples/ima-genkey-self.sh \
examples/ima-genkey.sh \
examples/ima-gen-local-ca.sh \
examples/ima-genkey-self-ecc.sh \
examples/ima-genkey-ecc.sh \
examples/ima-gen-local-ca-ecc.sh
EXTRA_DIST = autogen.sh $(doc_DATA) EXTRA_DIST = autogen.sh $(doc_DATA)
CLEANFILES = *.html *.xsl CLEANFILES = *.html *.xsl

41
README
View File

@ -200,11 +200,11 @@ Generate signing and verification keys
Generate private key in plain text format: Generate private key in plain text format:
openssl genrsa -out privkey_evm.pem 1024 openssl genrsa -out privkey_evm.pem 2048
Generate encrypted private key: Generate encrypted private key:
openssl genrsa -des3 -out privkey_evm.pem 1024 openssl genrsa -des3 -out privkey_evm.pem 2048
Make encrypted private key from unencrypted: Make encrypted private key from unencrypted:
@ -213,15 +213,27 @@ Make encrypted private key from unencrypted:
Generate self-signed X509 public key certificate and private key for using kernel Generate self-signed X509 public key certificate and private key for using kernel
asymmetric keys support: asymmetric keys support:
openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ openssl req -new -nodes -utf8 -sha256 -days 36500 -batch \
-x509 -config x509_evm.genkey \ -x509 -config x509_evm.genkey \
-outform DER -out x509_evm.der -keyout privkey_evm.pem -outform DER -out x509_evm.der -keyout privkey_evm.pem
Create an elliptic curve (EC) key (supported since Linux v5.13)
openssl ecparam -name prime256v1 -genkey -out privkey_evm.pem
Generate self-signed x509 EC public key certificate and private key for using
kernel asymmetric key support (supported since Linux v5.13):
openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
-x509 -config x509_evm.genkey \
-outform DER -out x509_evm.der -keyout privkey_evm.pem \
-newkey ec -pkeyopt ec_paramgen_curve:prime256v1
Configuration file x509_evm.genkey: Configuration file x509_evm.genkey:
# Beginning of the file # Beginning of the file
[ req ] [ req ]
default_bits = 1024 default_bits = 2048
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
prompt = no prompt = no
string_mask = utf8only string_mask = utf8only
@ -235,6 +247,7 @@ Configuration file x509_evm.genkey:
[ myexts ] [ myexts ]
basicConstraints=critical,CA:FALSE basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature keyUsage=digitalSignature
extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid authorityKeyIdentifier=keyid
# EOF # EOF
@ -244,6 +257,9 @@ Generate public key for using RSA key format:
openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
Similarly generate public EC key:
openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem
Copy keys to /etc/keys: Copy keys to /etc/keys:
@ -287,12 +303,18 @@ Configuration file ima-local-ca.genkey:
basicConstraints=CA:TRUE basicConstraints=CA:TRUE
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer authorityKeyIdentifier=keyid:always,issuer
# keyUsage = cRLSign, keyCertSign keyUsage = cRLSign, keyCertSign
# EOF # EOF
Note: To generated elliptic curve keys add the following parameters to
the 'req' commands below (supported since Linux v5.13):
-newkey ec -pkeyopt ec_paramgen_curve:prime256v1
Generate private key and X509 public key certificate: Generate private key and X509 public key certificate:
openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
Produce X509 in DER format for using while building the kernel: Produce X509 in DER format for using while building the kernel:
@ -303,7 +325,7 @@ Configuration file ima.genkey:
# Beginning of the file # Beginning of the file
[ req ] [ req ]
default_bits = 1024 default_bits = 2048
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
prompt = no prompt = no
string_mask = utf8only string_mask = utf8only
@ -327,7 +349,7 @@ Configuration file ima.genkey:
Generate private key and X509 public key certificate signing request: Generate private key and X509 public key certificate signing request:
openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \
-out csr_ima.pem -keyout privkey_ima.pem -out csr_ima.pem -keyout privkey_ima.pem
Sign X509 public key certificate signing request with local IMA CA private key: Sign X509 public key certificate signing request with local IMA CA private key:
@ -448,6 +470,9 @@ Examples of scripts to generate X509 public key certificates:
/usr/share/doc/ima-evm-utils/ima-genkey-self.sh /usr/share/doc/ima-evm-utils/ima-genkey-self.sh
/usr/share/doc/ima-evm-utils/ima-genkey.sh /usr/share/doc/ima-evm-utils/ima-genkey.sh
/usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh
/usr/share/doc/ima-evm-utils/ima-genkey-self-ecc.sh
/usr/share/doc/ima-evm-utils/ima-genkey-ecc.sh
/usr/share/doc/ima-evm-utils/ima-gen-local-ca-ecc.sh
AUTHOR AUTHOR

28
examples/ima-gen-local-ca-ecc.sh Executable file
View File

@ -0,0 +1,28 @@
#!/bin/sh
GENKEY=ima-local-ca.genkey
cat << __EOF__ >$GENKEY
[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_ca
[ req_distinguished_name ]
O = IMA-CA
CN = IMA/EVM certificate signing key
emailAddress = ca@ima-ca
[ v3_ca ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage = cRLSign, keyCertSign
__EOF__
openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \
-newkey ec -pkeyopt ec_paramgen_curve:prime256v1
openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem

4
examples/ima-gen-local-ca.sh
View File

@ -19,10 +19,10 @@ emailAddress = ca@ima-ca
basicConstraints=CA:TRUE basicConstraints=CA:TRUE
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer authorityKeyIdentifier=keyid:always,issuer
# keyUsage = cRLSign, keyCertSign keyUsage = cRLSign, keyCertSign
__EOF__ __EOF__
openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem

33
examples/ima-genkey-ecc.sh Executable file
View File

@ -0,0 +1,33 @@
#!/bin/sh
GENKEY=ima.genkey
cat << __EOF__ >$GENKEY
[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_usr
[ req_distinguished_name ]
O = `hostname`
CN = `whoami` signing key
emailAddress = `whoami`@`hostname`
[ v3_usr ]
basicConstraints=critical,CA:FALSE
#basicConstraints=CA:FALSE
keyUsage=digitalSignature
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer
__EOF__
openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \
-out csr_ima.pem -keyout privkey_ima.pem \
-newkey ec -pkeyopt ec_paramgen_curve:prime256v1
openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
-CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
-outform DER -out x509_ima.der

28
examples/ima-genkey-self-ecc.sh Executable file
View File

@ -0,0 +1,28 @@
#!/bin/sh
GENKEY=x509_evm.genkey
cat << __EOF__ >$GENKEY
[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
O = `hostname`
CN = `whoami` signing key
emailAddress = `whoami`@`hostname`
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
__EOF__
openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \
-outform DER -out x509_evm.der -keyout privkey_evm.pem \
-newkey ec -pkeyopt ec_paramgen_curve:prime256v1
openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem

4
examples/ima-genkey-self.sh
View File

@ -4,7 +4,7 @@ GENKEY=x509_evm.genkey
cat << __EOF__ >$GENKEY cat << __EOF__ >$GENKEY
[ req ] [ req ]
default_bits = 1024 default_bits = 2048
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
prompt = no prompt = no
string_mask = utf8only string_mask = utf8only
@ -22,7 +22,7 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid authorityKeyIdentifier=keyid
__EOF__ __EOF__
openssl req -x509 -new -nodes -utf8 -sha1 -days 3650 -batch -config $GENKEY \ openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \
-outform DER -out x509_evm.der -keyout privkey_evm.pem -outform DER -out x509_evm.der -keyout privkey_evm.pem
openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem

5
examples/ima-genkey.sh
View File

@ -4,7 +4,7 @@ GENKEY=ima.genkey
cat << __EOF__ >$GENKEY cat << __EOF__ >$GENKEY
[ req ] [ req ]
default_bits = 1024 default_bits = 2048
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
prompt = no prompt = no
string_mask = utf8only string_mask = utf8only
@ -20,12 +20,13 @@ basicConstraints=critical,CA:FALSE
#basicConstraints=CA:FALSE #basicConstraints=CA:FALSE
keyUsage=digitalSignature keyUsage=digitalSignature
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer #authorityKeyIdentifier=keyid,issuer
__EOF__ __EOF__
openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \
-out csr_ima.pem -keyout privkey_ima.pem -out csr_ima.pem -keyout privkey_ima.pem
openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
-CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \ -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \