Message ID | 20230425161015.593988-3-stefanb@linux.ibm.com (mailing list archive) |
---|---|
State | New, archived |
Series | Update README and examples for ECC key support |
Hi Stefan,

On Tue, 2023-04-25 at 12:10 -0400, Stefan Berger wrote:
> Add example scripts for ECC key and certificate creation and reference
> them from the README.
>
> Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>

Thank you for adding the ECC examples. With Eric Snowberg's "Add CA
enforcement keyring restrictions" patch (Linux v6.4) and the proposed IMA
changes, the existing scripts in the examples/ directory need to be
updated. Before upstreaming these ECC scripts, let's at least update them.

From Jarkko's v6.4 pull request

    The .machine keyring, used for Machine Owner Keys (MOK), acquired the
    ability to store only CA enforced keys, and put rest to the .platform
    keyring, thus separating the code signing keys from the keys that are
    used to sign certificates. This essentially unlocks the use of the
    .machine keyring as a trust anchor for IMA. It is an opt-in feature,
    meaning that the additional constraints won't brick anyone who does
    not care about them.

> ---
>  README                           |  3 +++
>  examples/ima-gen-local-ca-ecc.sh | 29 ++++++++++++++++++++++++++++
>  examples/ima-genkey-ecc.sh       | 33 ++++++++++++++++++++++++++++++++
>  examples/ima-genkey-self-ecc.sh  | 29 ++++++++++++++++++++++++++++
>  4 files changed, 94 insertions(+)
>  create mode 100755 examples/ima-gen-local-ca-ecc.sh
>  create mode 100755 examples/ima-genkey-ecc.sh
>  create mode 100755 examples/ima-genkey-self-ecc.sh
>
> diff --git a/README b/README
> index fd12680..ef7f475 100644
> --- a/README
> +++ b/README
> @@ -469,6 +469,9 @@ Examples of scripts to generate X509 public key certificates:
>   /usr/share/doc/ima-evm-utils/ima-genkey-self.sh
>   /usr/share/doc/ima-evm-utils/ima-genkey.sh
>   /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh
> + /usr/share/doc/ima-evm-utils/ima-genkey-self-ecc.sh
> + /usr/share/doc/ima-evm-utils/ima-genkey-ecc.sh
> + /usr/share/doc/ima-evm-utils/ima-gen-local-ca-ecc.sh
>
>
>  AUTHOR
> diff --git a/examples/ima-gen-local-ca-ecc.sh b/examples/ima-gen-local-ca-ecc.sh
> new file mode 100755
> index 0000000..ee2aeb6
> --- /dev/null
> +++ b/examples/ima-gen-local-ca-ecc.sh
> @@ -0,0 +1,29 @@
> +#!/bin/sh
> +
> +GENKEY=ima-local-ca.genkey
> +
> +cat << __EOF__ >$GENKEY
> +[ req ]
> +distinguished_name = req_distinguished_name
> +prompt = no
> +string_mask = utf8only
> +x509_extensions = v3_ca
> +
> +[ req_distinguished_name ]
> +O = IMA-CA
> +CN = IMA/EVM certificate signing key
> +emailAddress = ca@ima-ca
> +
> +[ v3_ca ]
> +basicConstraints=CA:TRUE
> +subjectKeyIdentifier=hash
> +authorityKeyIdentifier=keyid:always,issuer
> +# keyUsage = cRLSign, keyCertSign

With the INTEGRITY_CA_MACHINE_KEYRING_MAX Kconfig, keyCertSign is required
for loading keys onto the .machine keyring. Please uncomment the above line.

> +__EOF__
> +
> +openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \

Please update sha1 to sha256.

> + -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \
> + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
> +
> +openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
>
> diff --git a/examples/ima-genkey-ecc.sh b/examples/ima-genkey-ecc.sh
> new file mode 100755
> index 0000000..735c665
> --- /dev/null
> +++ b/examples/ima-genkey-ecc.sh
> @@ -0,0 +1,33 @@
> +#!/bin/sh
> +
> +GENKEY=ima.genkey
> +
> +cat << __EOF__ >$GENKEY
> +[ req ]
> +distinguished_name = req_distinguished_name
> +prompt = no
> +string_mask = utf8only
> +x509_extensions = v3_usr
> +
> +[ req_distinguished_name ]
> +O = `hostname`
> +CN = `whoami` signing key
> +emailAddress = `whoami`@`hostname`
> +
> +[ v3_usr ]
> +basicConstraints=critical,CA:FALSE
> +#basicConstraints=CA:FALSE
> +keyUsage=digitalSignature
> +#keyUsage = nonRepudiation, digitalSignature, keyEncipherment

In preparation to allowing only code signing keys on the IMA keyring,
please add "extendedKeyUsage=critical,codeSigning",

> +subjectKeyIdentifier=hash
> +authorityKeyIdentifier=keyid
> +#authorityKeyIdentifier=keyid,issuer
> +__EOF__
> +
> +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \

And similarly change sha1 to sha256 here.

> + -out csr_ima.pem -keyout privkey_ima.pem \
> + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
> +openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
> + -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
> + -outform DER -out x509_ima.der
> +
On 4/26/23 09:58, Mimi Zohar wrote:
> In preparation to allowing only code signing keys on the IMA keyring,
> please add "extendedKeyUsage=critical,codeSigning",
>
>> +subjectKeyIdentifier=hash
>> +authorityKeyIdentifier=keyid
>> +#authorityKeyIdentifier=keyid,issuer
>> +__EOF__
>> +
>> +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
>
> And similarly change sha1 to sha256 here.

Should we make all these changes first to the existing scripts for RSA keys?
On Wed, 2023-04-26 at 10:20 -0400, Stefan Berger wrote:
>
> On 4/26/23 09:58, Mimi Zohar wrote:
>
> > In preparation to allowing only code signing keys on the IMA keyring,
> > please add "extendedKeyUsage=critical,codeSigning",
> >
> >> +subjectKeyIdentifier=hash
> >> +authorityKeyIdentifier=keyid
> >> +#authorityKeyIdentifier=keyid,issuer
> >> +__EOF__
> >> +
> >> +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
> >
> > And similarly change sha1 to sha256 here.
>
> Should we make all these changes first to the existing scripts for RSA keys?

Definitely. Please also update the "doc_DATA" in Makefile.am to include the
new scripts.
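The two openssl configurations with the changes requested in this thread (keyCertSign enabled on the CA, a critical codeSigning EKU on the leaf, SHA-256 in place of SHA-1), written out as one script that also checks the resulting certificates. This is an added example, not code from the patch or from ima-evm-utils. It assumes openssl on PATH, a scratch directory WORK created with mktemp, constructed DN values in place of the scripts' `hostname`/`whoami` substitutions, and -nodes so the CA key is written unencrypted and the run is non-interactive.

```shell
#!/bin/sh
# Added example, not code from the ima-evm-utils patch: the CA and leaf
# configurations with the review changes applied, plus a check that the
# certificates actually carry keyCertSign, a critical codeSigning EKU and an
# ECDSA/SHA-256 signature, and that the leaf chains to the CA.
# Assumptions: scratch dir WORK, constructed DN values, -nodes (no passphrase).

WORK=${WORK:-$(mktemp -d)}

# CA: the keyUsage line the patch leaves commented out is enabled here.
gen_ca() {
    cat > "$WORK/ima-local-ca.genkey" <<__EOF__
[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_ca

[ req_distinguished_name ]
O = IMA-CA
CN = IMA/EVM certificate signing key
emailAddress = ca@ima-ca

[ v3_ca ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage=critical,cRLSign,keyCertSign
__EOF__
    openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -nodes \
        -config "$WORK/ima-local-ca.genkey" \
        -out "$WORK/ima-local-ca.pem" -keyout "$WORK/ima-local-ca.priv" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 2>/dev/null
}

# Leaf: code-signing certificate issued by the CA above.
gen_leaf() {
    cat > "$WORK/ima.genkey" <<__EOF__
[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_usr

[ req_distinguished_name ]
O = example-host
CN = example-user signing key
emailAddress = example-user@example-host

[ v3_usr ]
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
__EOF__
    openssl req -new -nodes -utf8 -sha256 -batch -config "$WORK/ima.genkey" \
        -out "$WORK/csr_ima.pem" -keyout "$WORK/privkey_ima.pem" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 2>/dev/null &&
    openssl x509 -req -in "$WORK/csr_ima.pem" -days 365 -sha256 \
        -extfile "$WORK/ima.genkey" -extensions v3_usr \
        -CA "$WORK/ima-local-ca.pem" -CAkey "$WORK/ima-local-ca.priv" \
        -CAcreateserial -outform DER -out "$WORK/x509_ima.der" 2>/dev/null
}

# Text dump of a certificate; $2 is PEM or DER.
cert_text() {
    openssl x509 -inform "$2" -in "$1" -noout -text
}

# Succeeds iff the CA certificate carries the keyCertSign key usage.
ca_has_keycertsign() {
    cert_text "$WORK/ima-local-ca.pem" PEM | grep -q 'Certificate Sign'
}

# Succeeds iff the leaf has a critical codeSigning EKU, an ECDSA/SHA-256
# signature, and verifies against the CA.
leaf_is_code_signing() {
    t=$(cert_text "$WORK/x509_ima.der" DER) || return 1
    printf '%s\n' "$t" | grep -A1 'Extended Key Usage: critical' | grep -q 'Code Signing' &&
    printf '%s\n' "$t" | grep -q 'ecdsa-with-SHA256' &&
    openssl x509 -inform DER -in "$WORK/x509_ima.der" -out "$WORK/x509_ima.pem" 2>/dev/null &&
    openssl verify -CAfile "$WORK/ima-local-ca.pem" "$WORK/x509_ima.pem" >/dev/null 2>&1
}

# Stand-alone run: build both certificates and report the checks.
if command -v openssl >/dev/null 2>&1; then
    gen_ca && gen_leaf &&
    ca_has_keycertsign && echo "CA: keyCertSign present" &&
    leaf_is_code_signing && echo "leaf: critical codeSigning EKU, SHA-256, chains to CA"
fi
```

The check reads the extensions back with `openssl x509 -text` rather than trusting the config file, so it catches the case the thread is about: a script that still writes the CA without keyCertSign, or a leaf without the codeSigning EKU, fails the check even though it generates a syntactically valid certificate.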
diff --git a/README b/README index fd12680..ef7f475 100644 --- a/README +++ b/README @@ -469,6 +469,9 @@ Examples of scripts to generate X509 public key certificates: /usr/share/doc/ima-evm-utils/ima-genkey-self.sh /usr/share/doc/ima-evm-utils/ima-genkey.sh /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh + /usr/share/doc/ima-evm-utils/ima-genkey-self-ecc.sh + /usr/share/doc/ima-evm-utils/ima-genkey-ecc.sh + /usr/share/doc/ima-evm-utils/ima-gen-local-ca-ecc.sh AUTHOR diff --git a/examples/ima-gen-local-ca-ecc.sh b/examples/ima-gen-local-ca-ecc.sh new file mode 100755 index 0000000..ee2aeb6 --- /dev/null +++ b/examples/ima-gen-local-ca-ecc.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +GENKEY=ima-local-ca.genkey + +cat << __EOF__ >$GENKEY +[ req ] +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = v3_ca + +[ req_distinguished_name ] +O = IMA-CA +CN = IMA/EVM certificate signing key +emailAddress = ca@ima-ca + +[ v3_ca ] +basicConstraints=CA:TRUE +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer +# keyUsage = cRLSign, keyCertSign +__EOF__ + +openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ + -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 + +openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem + diff --git a/examples/ima-genkey-ecc.sh b/examples/ima-genkey-ecc.sh new file mode 100755 index 0000000..735c665 --- /dev/null +++ b/examples/ima-genkey-ecc.sh 
@@ -0,0 +1,33 @@ +#!/bin/sh + +GENKEY=ima.genkey + +cat << __EOF__ >$GENKEY +[ req ] +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = v3_usr + +[ req_distinguished_name ] +O = `hostname` +CN = `whoami` signing key +emailAddress = `whoami`@`hostname` + +[ v3_usr ] +basicConstraints=critical,CA:FALSE +#basicConstraints=CA:FALSE +keyUsage=digitalSignature +#keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +#authorityKeyIdentifier=keyid,issuer +__EOF__ + +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ + -out csr_ima.pem -keyout privkey_ima.pem \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 +openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ + -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \ + -outform DER -out x509_ima.der + diff --git a/examples/ima-genkey-self-ecc.sh b/examples/ima-genkey-self-ecc.sh new file mode 100755 index 0000000..3d8f11f --- /dev/null +++ b/examples/ima-genkey-self-ecc.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +GENKEY=x509_evm.genkey + +cat << __EOF__ >$GENKEY +[ req ] +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = myexts + +[ req_distinguished_name ] +O = `hostname` +CN = `whoami` signing key +emailAddress = `whoami`@`hostname` + +[ myexts ] +basicConstraints=critical,CA:FALSE +keyUsage=digitalSignature +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +__EOF__ + +openssl req -x509 -new -nodes -utf8 -sha1 -days 3650 -batch -config $GENKEY \ + -outform DER -out x509_evm.der -keyout privkey_evm.pem \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 + +openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem +
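Review bot: the README hunk documents the three new scripts under /usr/share/doc/ima-evm-utils/, but nothing in this patch adds them to doc_DATA in Makefile.am (as Mimi asks in the thread), so on an installed system the documented paths will not exist; please add examples/ima-genkey-self-ecc.sh, examples/ima-genkey-ecc.sh and examples/ima-gen-local-ca-ecc.sh to doc_DATA in the same patch.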
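Review bot: in the ima-gen-local-ca-ecc.sh hunk, `# keyUsage = cRLSign, keyCertSign` is commented out, and the review points out that with INTEGRITY_CA_MACHINE_KEYRING_MAX keyCertSign is required for loading keys onto the .machine keyring; please uncomment it (the sibling ima-genkey-ecc.sh already marks basicConstraints critical, so `keyUsage=critical,cRLSign,keyCertSign` would be consistent). The `openssl req -new -x509 -utf8 -sha1 ...` line should use -sha256. Also note that `-batch` without `-nodes` still prompts for a pass phrase for ima-local-ca.priv; if the CA key is meant to be passphrase-protected, say so in a comment, otherwise add -nodes.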
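Review bot: in the ima-genkey-ecc.sh hunk, the [ v3_usr ] section needs `extendedKeyUsage=critical,codeSigning` as requested in the thread, and `openssl req -new -nodes -utf8 -sha1 ...` should use -sha256. The `openssl x509 -req ...` line passes no digest at all, so the CA signature on x509_ima.der depends on the OpenSSL default; pass -sha256 there as well. Minor: `-days 365` on the `req` line generates a CSR, which has no validity period, so that option is ignored and can be dropped.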
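Review bot: in the ima-genkey-self-ecc.sh hunk, `openssl req -x509 -new -nodes -utf8 -sha1 ...` has the same SHA-1 problem as the other two scripts and should use -sha256. If this self-signed certificate is also meant to be loaded onto the IMA keyring, add `extendedKeyUsage=critical,codeSigning` to [ myexts ] so it matches the change requested for ima-genkey-ecc.sh.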
Add example scripts for ECC key and certificate creation and reference
them from the README.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 README                           |  3 +++
 examples/ima-gen-local-ca-ecc.sh | 29 ++++++++++++++++++++++++++++
 examples/ima-genkey-ecc.sh       | 33 ++++++++++++++++++++++++++++++++
 examples/ima-genkey-self-ecc.sh  | 29 ++++++++++++++++++++++++++++
 4 files changed, 94 insertions(+)
 create mode 100755 examples/ima-gen-local-ca-ecc.sh
 create mode 100755 examples/ima-genkey-ecc.sh
 create mode 100755 examples/ima-genkey-self-ecc.sh