Re: [PATCH 0/5] crypto: add rsa pss support for x509(Internet mail)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



在 2021/4/7 16:38, Jarkko Sakkinen 写道:
> On Tue, Apr 06, 2021 at 09:11:21PM +0800, Hongbo Li wrote:
>> From: Hongbo Li <herberthbli@xxxxxxxxxxx>
>>
>> This series of patches adds support for x509 cert signed by RSA
>> with PSS encoding method. RSA PSS is described in rfc8017.
> Please also briefly describe it here AND also provide link to the
> RFC. In the way this currently is, it is too time consuming to
> review the patch set.
>
> /Jarkko

Thanks, will add that in the following patches.


>> This series of patches adds support for x509 cert signed by RSA
>> with PSS encoding method. RSA PSS is described in rfc8017.
>>
>> Patch1 make x509 support rsa pss algo and parse hash parameter.
>>
>> Patch2 add rsa pss template.
>>
>> Patch3 add test vector for rsa pss.
>>
>> Patch4 is the ecdsa ima patch borrowed from Stefan Berge's ecdsa
>>        patch series, rsa-pss's ima patch is made on top of this patch.
>>
>> Patch5 is the rsa-pss's ima patch.
>>
>> Test by the following script, it tests different saltlen, hash, mgfhash.
>>
>> keyctl newring test @u
>>
>> while :; do
>>     for modbits in 1024 2048 4096; do
>> 	if [ $modbits -eq 1024 ]; then
>> 	    saltlen=(-1 -2 0 20 32 48 64 94)
>> 	elif [ $modbits -eq 2048 ]; then
>> 	    saltlen=(-1 -2 0 20 32 48 64 222)
>> 	else
>> 	    saltlen=(-1 -2 0 20 32 48 64 478)
>> 	fi
>>
>> 	for slen in ${saltlen[@]}; do
>> 	    for hash in sha1 sha224 sha256 sha384 sha512; do
>> 		for mgfhash in sha1 sha224 sha256 sha384 sha512; do
>> 		    certfile="cert.der"
>> 		    echo slen $slen
>> 		    openssl req \
>> 			    -x509 \
>> 			    -${hash} \
>> 			    -newkey rsa:$modbits \
>> 			    -keyout key.pem \
>> 			    -days 365 \
>> 			    -subj '/CN=test' \
>> 			    -nodes \
>> 			    -sigopt rsa_padding_mode:pss \
>> 			    -sigopt rsa_mgf1_md:$mgfhash \
>> 			    -sigopt rsa_pss_saltlen:${slen} \
>> 			    -outform der \
>> 			    -out ${certfile} 2>/dev/null
>>
>> 		    exp=0
>> 		    id=$(keyctl padd asymmetric testkey %keyring:test < "${certfile}")
>> 		    rc=$?
>> 		    if [ $rc -ne $exp ]; then
>> 			case "$exp" in
>> 			    0) echo "Error: Could not load rsa-pss certificate!";;
>> 			esac
>> 			echo "modbits $modbits sha: $hash mgfhash $mgfhash saltlen: $slen"
>> 			exit 1
>> 		    else
>> 			case "$rc" in
>> 			    0) echo "load cert: keyid: $id modbits $modbits hash: $hash mgfhash $mgfhash saltlen $slen"
>> 			esac
>> 		    fi
>> 		done
>> 	    done
>> 	done
>>     done
>> done
>>
>> Hongbo Li (5):
>>   x509: add support for rsa-pss
>>   crypto: support rsa-pss encoding
>>   crypto: add rsa pss test vector
>>   crypto: ecdsa ima support
>>   ima: add support for rsa pss verification
>>
>>  crypto/Makefile                           |   7 +-
>>  crypto/asymmetric_keys/Makefile           |   7 +-
>>  crypto/asymmetric_keys/public_key.c       |   5 ++
>>  crypto/asymmetric_keys/x509_cert_parser.c |  71 ++++++++++++++++-
>>  crypto/rsa.c                              |  14 ++--
>>  crypto/rsa_helper.c                       | 127 ++++++++++++++++++++++++++++++
>>  crypto/testmgr.c                          |   7 ++
>>  crypto/testmgr.h                          |  87 ++++++++++++++++++++
>>  include/crypto/internal/rsa.h             |  25 +++++-
>>  include/keys/asymmetric-type.h            |   6 ++
>>  include/linux/oid_registry.h              |   2 +
>>  security/integrity/digsig_asymmetric.c    |  34 ++++----
>>  12 files changed, 363 insertions(+), 29 deletions(-)
>>
>> -- 
>> 1.8.3.1
>>
>>
>





[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux