On 1/3/25 12:38 PM, Lukas Wunner wrote:
On Thu, Jan 02, 2025 at 12:45:47PM -0500, Stefan Berger wrote:
On 12/26/24 1:08 PM, Lukas Wunner wrote:
When user space issues a KEYCTL_PKEY_QUERY system call for a NIST P521
key, the key_size is incorrectly reported as 528 bits instead of 521.
Is there a way to query this with keyctl pkey_query?
Yes, these are the commands I've used for testing:
id=`keyctl padd asymmetric "" %:_uid.0 < end_responder.cert.der`
keyctl pkey_query $id 0 enc=x962 hash=sha256
I had tried with these here as root:
# keyctl show %keyring:.ima
Keyring
461728044 ---lswrv 0 0 keyring: .ima
579203092 ---lswrv 0 0 \_ asymmetric: Fedora kernel signing key: 50e9f2a484a5b9e7279e7bf7f3ad54b0572c2f1e
774765589 --als--v 0 0 \_ asymmetric: my rsa signing key: 69f518ae20dbb4a412f33b8950b2fd1e2b850fd1
15381609 --als--v 0 0 \_ asymmetric: my ecc signing key: 0ab4280f3df700f2cb6711b930748e1224eae40d
72176491 --als--v 0 0 \_ asymmetric: Fedora 42 IMA Code-signing cert: a1a5c4c8d90554e0ce5c07c9e127f20362f02aa4
612838334 --als--v 0 0 \_ asymmetric: Fedora 41 IMA Code-signing cert: 158befb98fc2ee070833d1a2a46669e7876d7435
51623090 --als--v 0 0 \_ asymmetric: Fedora 40 IMA Code-signing cert: 2defa2e1d528db308d3e1ca28274aa40a3204a9e
85986135 --als--v 0 0 \_ asymmetric: Fedora 39 IMA Code-signing cert: 155266a4a3ea7bdddc9e38ddb192c2d2388b603e
# keyctl pkey_query 612838334 0 enc=x962
keyctl_pkey_query: Permission denied
# keyctl pkey_query 612838334 0 enc=x962 hash=sha256
keyctl_pkey_query: Permission denied
# keyctl pkey_query 579203092 0 enc=x962 hash=sha256
keyctl_pkey_query: Permission denied
# keyctl pkey_query 774765589 0 enc=x962 hash=sha256
keyctl_pkey_query: Permission denied
This is the certificate I've used:
https://github.com/DMTF/libspdm/raw/refs/heads/main/unit_test/sample_key/ecp521/end_responder.cert.der
# keyctl show
Session Keyring
377868180 --alswrv 0 0 keyring: _ses
1014059943 --alswrv 0 65534 \_ keyring: _uid.0
138203159 --als--v 0 0 \_ asymmetric: DMTF libspdm ECP521 responder cert: e4bcd74895d3a7bd230ad2a46941c3be6d5c91cc
# keyctl pkey_query $id 0 enc=x962 hash=sha256
key_size=528
max_data_size=64
max_sig_size=139
max_enc_size=66
max_dec_size=66
encrypt=n
decrypt=n
sign=n
verify=y
more favorable permissions - obviously
Thanks!
Stefan
Before:
key_size=528
max_data_size=64
max_sig_size=139
max_enc_size=66
max_dec_size=66
encrypt=n
decrypt=n
sign=n
verify=y
After:
key_size=521
max_data_size=64
max_sig_size=139
max_enc_size=0
max_dec_size=0
encrypt=n
decrypt=n
sign=n
verify=y
Thanks,
Lukas
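As an added example that is not part of the thread above: a small script that parses `keyctl pkey_query` output and flags a key_size that looks like a byte-rounded NIST curve size (66 bytes * 8 = 528 for P-521) rather than the curve's real bit length. The BEFORE/AFTER samples are the outputs quoted in the thread; the check assumes the queried key is an ECDSA key.

```python
# Added example: sanity-check `keyctl pkey_query` output for the P-521
# key_size rounding issue (528 reported instead of 521).
import re
import sys

# NIST P-256, P-384, P-521 sizes in bits. Only 521 is not a multiple of 8,
# so only P-521 is misreported by a bytes*8 conversion (66 * 8 = 528).
NIST_CURVE_BITS = (256, 384, 521)

# Constructed from the outputs quoted in the thread (before/after the fix).
BEFORE = "key_size=528\nmax_data_size=64\nmax_sig_size=139\nmax_enc_size=66\n" \
         "max_dec_size=66\nencrypt=n\ndecrypt=n\nsign=n\nverify=y\n"
AFTER = "key_size=521\nmax_data_size=64\nmax_sig_size=139\nmax_enc_size=0\n" \
        "max_dec_size=0\nencrypt=n\ndecrypt=n\nsign=n\nverify=y\n"


def parse_pkey_query(text):
    """Parse the key=value lines printed by `keyctl pkey_query` into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(\w+)=(\S+)\s*", line)
        if m:
            key, val = m.groups()
            info[key] = int(val) if val.isdigit() else val
    return info


def check_ecdsa_key_size(info):
    """Return a list of findings for an ECDSA key; empty means it looks right."""
    bits = info.get("key_size")
    if bits is None:
        return ["key_size missing from pkey_query output"]
    if bits in NIST_CURVE_BITS:
        return []
    findings = []
    for curve_bits in NIST_CURVE_BITS:
        # ceil(curve_bits / 8) * 8 is what a byte-length * 8 conversion yields.
        if (curve_bits + 7) // 8 * 8 == bits:
            findings.append(f"key_size={bits} looks like byte-rounded P-{curve_bits}; "
                            f"expected {curve_bits}")
    if not findings:
        findings.append(f"key_size={bits} is not a known NIST curve size")
    return findings


if __name__ == "__main__":
    # Usage: keyctl pkey_query $id 0 enc=x962 hash=sha256 | python3 check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else BEFORE
    for finding in check_ecdsa_key_size(parse_pkey_query(text)) or ["key_size OK"]:
        print(finding)
```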