On 4/30/21 2:33 PM, Vitaly Chikunov wrote:
Stefan,
.
I have been using evmctl successfully with RSA and ECDSA keys now and
certificates created by **OpenSSL**. Problems may occur if the
certificate-generating tool uses something else than a sha1 to calculate the
subject key identifier (skid) and therefore the key id calculated by evmctl
(with a sha1) does not match. For the non-working case one could pass in a
keyidv2 that the user would have to determine from the certificate's subject
key identifier's last 4 bytes.
It would be interesting to know which tools do not use a sha1 to calculate
the subject key identifier or what types of keys those are so that one could
give recommendations for tools to use. GnuTLS's certtool for example does
not seem to use the same algorithm to calculate the skid, so I would not
recommend using it for generating the certs to be used in conjunction with
evmctl and IMA signatures.
You can also reproduce non-sha1 skid with openssl using subjectKeyIdentifier=
config option, see x509v3_config(5).
"Subject Key Identifier.
This is really a string extension and can take two possible values.
Either the word hash which will automatically follow the guidelines in
RFC3280 or a hex string giving the extension value to include. The use
of the hex string is strongly discouraged.
Example:
subjectKeyIdentifier=hash"
From what I know it offers also the possibility of 'none'. It doesn't
seem to be all that bad when using OpenSSL.
Stefan
