[PATCH ima-evm-utils v9 3/3] Read keyid from the cert appended to the key file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Allow to have certificate appended to the private key of `--key'
specified (PEM) file (for v2 signing) to facilitate reading of keyid
from the associated cert. This will allow users to have private and
public key as a single file and avoid the need of manually specifying
keyid. There is no check that public key form the cert matches
associated private key.

Signed-off-by: Vitaly Chikunov <vt@xxxxxxxxxxxx>
---
 README                 |  3 +++
 src/libimaevm.c        |  8 ++++++--
 tests/gen-keys.sh      | 31 +++++++++++++++++++++++++------
 tests/sign_verify.test |  1 +
 4 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/README b/README
index a130519..23e7d17 100644
--- a/README
+++ b/README
@@ -128,6 +128,9 @@ for signing and importing the key.
 Second key format uses X509 DER encoded public key certificates and uses asymmetric key support
 in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
 
+For v2 signatures x509 certificate (containing the public key) could be appended to the
+private key (they both are in PEM format) to automatically extract keyid from its Subject
+Key Identifier (SKID).
 
 Integrity keyrings
 ----------------
diff --git a/src/libimaevm.c b/src/libimaevm.c
index ce1e276..7d5cbe0 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -1046,8 +1046,12 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
 
 	if (imaevm_params.keyid)
 		keyid = htonl(imaevm_params.keyid);
-	else
-		calc_keyid_v2(&keyid, name, pkey);
+	else {
+		int keyid_read_failed = read_keyid_from_cert(&keyid, keyfile, false);
+
+		if (keyid_read_failed)
+			calc_keyid_v2(&keyid, name, pkey);
+	}
 	hdr->keyid = keyid;
 
 	st = "EVP_PKEY_CTX_new";
diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
index 46130cf..d2c2f80 100755
--- a/tests/gen-keys.sh
+++ b/tests/gen-keys.sh
@@ -20,13 +20,14 @@ PATH=../src:$PATH
 type openssl
 
 log() {
-  echo - "$*"
+  echo >&2 - "$*"
   eval "$@"
 }
 
 if [ "$1" = clean ]; then
   rm -f test-ca.conf
-elif [ "$1" = force ] || [ ! -e test-ca.conf ]; then
+elif [ "$1" = force ] || [ ! -e test-ca.conf ] \
+	|| [ gen-keys.sh -nt test-ca.conf ]; then
 cat > test-ca.conf <<- EOF
 	[ req ]
 	distinguished_name = req_distinguished_name
@@ -43,26 +44,44 @@ cat > test-ca.conf <<- EOF
 	basicConstraints=CA:TRUE
 	subjectKeyIdentifier=hash
 	authorityKeyIdentifier=keyid:always,issuer
+
+	[ skid ]
+	basicConstraints=CA:TRUE
+	subjectKeyIdentifier=12345678
+	authorityKeyIdentifier=keyid:always,issuer
 EOF
 fi
 
 # RSA
 # Second key will be used for wrong key tests.
-for m in 1024 2048; do
-  if [ "$1" = clean ] || [ "$1" = force ]; then
+for m in 1024 1024_skid 2048; do
+  if [ "$1" = clean ] || [ "$1" = force ] \
+	  || [ gen-keys.sh -nt test-rsa$m.key ]; then
     rm -f test-rsa$m.cer test-rsa$m.key test-rsa$m.pub
   fi
   if [ "$1" = clean ]; then
     continue
   fi
+  if [ -z "${m%%*_*}" ]; then
+    # Add named extension.
+    bits=${m%_*}
+    ext="-extensions ${m#*_}"
+  else
+    bits=$m
+    ext=
+  fi
   if [ ! -e test-rsa$m.key ]; then
-    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
+    log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 $ext \
       -config test-ca.conf \
-      -newkey rsa:$m \
+      -newkey rsa:$bits \
       -out test-rsa$m.cer -outform DER \
       -keyout test-rsa$m.key
     # for v1 signatures
     log openssl pkey -in test-rsa$m.key -out test-rsa$m.pub -pubout
+    if [ $m = 1024_skid ]; then
+      # Create combined key+cert.
+      log openssl x509 -inform DER -in test-rsa$m.cer >> test-rsa$m.key
+    fi
   fi
 done
 
diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 1fdd786..df4304a 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -367,6 +367,7 @@ sign_verify  rsa1024  sha1    0x030202:K:0080
 sign_verify  rsa1024  sha224  0x030207:K:0080
 expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204aabbccdd0080 OPTS=--keyid=aabbccdd
 expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204:K:0080 OPTS=--keyid-from-cert=test-rsa1024.cer
+expect_pass check_sign TYPE=ima KEY=rsa1024_skid ALG=sha256 PREFIX=0x030204123456780080
 sign_verify  rsa1024  sha256  0x030204:K:0080
   try_different_keys
   try_different_sigs
-- 
2.29.3




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux