Stefan,

On Wed, Feb 02, 2022 at 07:55:43AM -0500, Stefan Berger wrote:
> On 2/2/22 01:59, Vitaly Chikunov wrote:
> > Rarely used `keyctl pkey_verify' can verify raw signatures, but was
> > failing, because ECDSA/EC-RDSA signature sizes are twice key sizes which
> > does not pass in/out sizes check in keyctl_pkey_params_get_2.
> > This in turn because these values cannot be distinguished by a single
> > `max_size' callback return value.
> > Also, `keyctl pkey_query` displays incorrect `max_sig_size' about these
> > algorithms.
> >
> > Signed-off-by: Vitaly Chikunov <vt@xxxxxxxxxxxx>
>
> How do you use pkey_query?
>
> $ keyctl padd asymmetric testkey %keyring:test < cert.der
> 385037223

It should be (for RSA key):

  keyctl pkey_query 385037223 0 enc=pkcs1 hash=sha256

`0` is a placeholder for a password.

For example, I generated keys with your eckey-testing/generate.sh, and
pkey_query after this patch is applied:

  # keyctl padd asymmetric "" @u < ecdsa-ca/ca.crt.der
  66509339
  # keyctl pkey_query 66509339 0 enc=x962 hash=sha256
  key_size=256
  max_data_size=64
  max_sig_size=64
  max_enc_size=32
  max_dec_size=32
  encrypt=y
  decrypt=n
  sign=n
  verify=y

W/o patch max_data_size= and max_sig_size= will be 32.

Thanks,

> $ keyctl pkey_query 385037223 ''
> Password passing is not yet supported
> $ keyctl pkey_query 385037223
> Format:
> keyctl --version
> keyctl add <type> <desc> <data> <keyring>
> [...]
>
> $ keyctl unlink 385037223
> 1 links removed
>