Re: [PATCH] ima_evm_utils: Add testing with elliptic curves prime192v1 and 256v1

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 2/1/21 8:50 PM, Stefan Berger wrote:

Add test cases that test the signing and signature verification with the
elliptic curves prime192v1 and prime256v1, also known as NIST P192 and
P256. These curves will soon be supported by Linux. If OpenSSL cannot
generate prime192v1 keys, as is the case on Fedora, where this curve is
not supported, the respective tests will be skipped automatically.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
---
  tests/gen-keys.sh      | 20 ++++++++++++++++++++
  tests/sign_verify.test | 15 +++++++++++++++
  2 files changed, 35 insertions(+)

diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
index 407876b..46130cf 100755
--- a/tests/gen-keys.sh
+++ b/tests/gen-keys.sh
@@ -66,6 +66,26 @@ for m in 1024 2048; do
    fi
  done
+for curve in prime192v1 prime256v1; do 
+  if [ "$1" = clean ] || [ "$1" = force ]; then
+    rm -f test-$curve.cer test-$curve.key test-$curve.pub
+  fi
+  if [ "$1" = clean ]; then
+    continue
+  fi
+  if [ ! -e test-$curve.key ]; then
+    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
+      -config test-ca.conf \
+      -newkey ec \
+      -pkeyopt ec_paramgen_curve:$curve \
+      -out test-$curve.cer -outform DER \
+      -keyout test-$curve.key
+    if [ -s test-$curve.key ]; then
+      log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
+    fi
+  fi
+done
+
  # EC-RDSA
  for m in \
    gost2012_256:A \
diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 288e133..b4fffda 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -366,6 +366,21 @@ sign_verify  rsa1024  sha384  0x030205:K:0080
  sign_verify  rsa1024  sha512  0x030206:K:0080
  sign_verify  rsa1024  rmd160  0x030203:K:0080
+# Test v2 signatures with ECDSA 
+# Signature length can be 0x36-0x38 bytes long
+sign_verify  prime192v1 sha1   0x030202:K:003[678]
Actually valid sizes are also 0x35 and 0x45 below. Smaller ones seems to be rather rare, though, but I will leave my tests running. It depends on the r and s components of the signature and whether they have leading zeros, which will be cut away. 

So I need to send a v2 for this.


   Stefan
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux