Re: [PATCH ima-evm-utils v3] ima-evm-utils: Support SM2 algorithm for sign and verify

On 7/13/21 4:27 AM, Petr Vorel wrote:
Hi Tianjia, Mimi,

On 7/12/21 8:35 PM, Mimi Zohar wrote:
On Mon, 2021-07-12 at 20:12 +0800, Tianjia Zhang wrote:

On 7/9/21 8:05 PM, Mimi Zohar wrote:
On Fri, 2021-07-09 at 17:06 +0800, Tianjia Zhang wrote:
On 7/7/21 10:28 AM, Mimi Zohar wrote:


I'm also seeing:
- openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 -sm3
-sigopt distid:1234567812345678 -config test-ca.conf -copy_extensions
copyall -newkey sm2 -out test-sm2.cer -outform DER -keyout test-sm2.key
req: Unrecognized flag copy_extensions


This command is for openssl 3.0, and '-copy_extensions copyall' is also
a parameter supported on 3.0. At present, the mainstream openssl
version, 1.1.1, only partially supports SM2 signatures. For example, the
USERID in the SM2 specification cannot be used, and the certificate
cannot be operated on in the command using the SM2/3 algorithm
combination. Just like the modification of libimaevm.c in this patch,
this cannot be done directly through the openssl command; even if the
'-copy_extensions copyall' parameter is deleted, this command will fail
on openssl 1.1.1. The final solution may be openssl 3.0.

On openssl 1.1.1, there is no problem operating the signature of the
SM2/3 algorithm combination through the API. If possible, the
sign_verify test of sm2/3 is not required. What is your opinion?

Instead of dropping the test altogether, add an openssl version
dependency.

Great. Will do in the next version of the patch.

Please consider adding a new CI distro matrix rule that includes the
needed openssl version.  Another option would be to define a new script
in the tests directory to install openssl from the git repo.  Please
limit using that script to a single distro matrix rule.


Got it, thanks for your suggestion. It seems that the second method is more
suitable.
Although it appears there is no distro which would have openssl 3.0 [1],
Debian actually has 3.0.0~~beta1-1 in experimental [2]. openSUSE has a slightly
older version, openssl-3.0.0-alpha16 [3]. I suppose we will update to beta1 soon as
well.

Using distro packages would probably be faster to run in CI than installing from git.

Kind regards,
Petr

[1] https://pkgs.org/download/openssl
[2] https://tracker.debian.org/pkg/openssl
[3] https://build.opensuse.org/package/show/security:tls/openssl-3


Thanks for your suggestion. I used the beta1 release package from GitHub, which has been implemented in the v4 patch. Please also help review it.

Best regards,
Tianjia
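One way to add the openssl version dependency Mimi asked for, as an added shell example that is not ima-evm-utils' own test code: parse the `openssl version` banner, skip the SM2/SM3 test on anything older than 3.0, and only then run the certificate generation command quoted in the thread. The helper names, the SM2_MIN_* constants and the use of automake's exit status 77 for a skipped test are assumptions of this example.

```shell
#!/bin/sh
# Gate the SM2/SM3 sign_verify test on the openssl version: the distid
# sigopt and -copy_extensions used in the thread need openssl >= 3.0, so
# on older builds the test is skipped instead of failing. Exit status 77
# is automake's "skipped" result; SM2_MIN_* and the function names are
# assumptions of this example, not ima-evm-utils' own helpers.

SM2_MIN_MAJOR=3
SM2_MIN_MINOR=0

# Print "major minor" parsed from an "openssl version" banner such as
# "OpenSSL 3.0.0-beta1 17 Jun 2021"; prints nothing for other toolkits.
openssl_version_numbers() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Return 0 when the banner denotes OpenSSL >= SM2_MIN_MAJOR.SM2_MIN_MINOR,
# 1 otherwise (including unparseable banners, e.g. LibreSSL).
openssl_supports_sm2_cli() {
    set -- $(openssl_version_numbers "$1")
    [ $# -eq 2 ] || return 1
    [ "$1" -gt "$SM2_MIN_MAJOR" ] && return 0
    [ "$1" -eq "$SM2_MIN_MAJOR" ] && [ "$2" -ge "$SM2_MIN_MINOR" ]
}

# Call at the top of the SM2 test: skip (status 77) on a too-old openssl.
require_openssl_sm2() {
    banner=$(openssl version 2>/dev/null) || { echo "openssl missing, skipping"; exit 77; }
    if ! openssl_supports_sm2_cli "$banner"; then
        echo "SM2/SM3 test needs OpenSSL >= $SM2_MIN_MAJOR.$SM2_MIN_MINOR, have: $banner"
        exit 77
    fi
}

# The certificate generation from the thread, run only after the gate.
gen_sm2_cert() {
    require_openssl_sm2
    openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 -sm3 \
        -sigopt distid:1234567812345678 -config test-ca.conf \
        -copy_extensions copyall -newkey sm2 \
        -out test-sm2.cer -outform DER -keyout test-sm2.key
}
```

The test script sources this file and calls gen_sm2_cert before the sign_verify step; the version check does not need openssl to be installed, only the generation step does.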
