@@ -128,6 +128,9 @@ for signing and importing the key.
Second key format uses X509 DER encoded public key certificates and uses asymmetric key support
in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
+For v2 signatures x509 certificate (containing the public key) could be appended to the
+private key (they both are in PEM format) to automatically extract keyid from its Subject
+Key Identifier (SKID).
Integrity keyrings
----------------
@@ -1046,8 +1046,12 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
if (imaevm_params.keyid)
keyid = htonl(imaevm_params.keyid);
- else
- calc_keyid_v2(&keyid, name, pkey);
+ else {
+ int keyid_read_failed = read_keyid_from_cert(&keyid, keyfile, false);
+
+ if (keyid_read_failed)
+ calc_keyid_v2(&keyid, name, pkey);
+ }
hdr->keyid = keyid;
st = "EVP_PKEY_CTX_new";
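Review bot: The keyid returned by `read_keyid_from_cert(&keyid, keyfile, false)` in the new `else` branch is written to `hdr->keyid` without confirming that the certificate found in `keyfile` belongs to `pkey`. A stale or unrelated certificate left in the key file would yield signatures labelled with another key's id, which a verifier would presumably look up under the wrong key and reject. Wherever the certificate is parsed (the helper's body is not in this hunk), consider accepting the SKID only when `X509_check_private_key(x, pkey) == 1`, with `x` standing for the parsed certificate, and otherwise logging the mismatch and falling through to `calc_keyid_v2(&keyid, name, pkey);`. `sign_hash_v2` starts and ends outside the hunk.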
@@ -20,13 +20,14 @@ PATH=../src:$PATH
type openssl
log() {
- echo - "$*"
+ echo >&2 - "$*"
eval "$@"
}
if [ "$1" = clean ]; then
rm -f test-ca.conf
-elif [ "$1" = force ] || [ ! -e test-ca.conf ]; then
+elif [ "$1" = force ] || [ ! -e test-ca.conf ] \
+ || [ gen-keys.sh -nt test-ca.conf ]; then
cat > test-ca.conf <<- EOF
[ req ]
distinguished_name = req_distinguished_name
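Review bot: The `log()` echo moves to stderr without a comment saying why, and the reason only shows up further down the script, where `log openssl x509 -inform DER -in test-rsa$m.cer >> test-rsa$m.key` redirects the function's stdout into the key file. With the old `echo - "$*"`, the traced command line would have been appended to the PEM file as well. A one-line comment above the echo, such as `# Trace to stderr: callers may redirect stdout into a key file.`, would keep a later cleanup from reverting it.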
@@ -43,26 +44,44 @@ cat > test-ca.conf <<- EOF
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
+
+ [ skid ]
+ basicConstraints=CA:TRUE
+ subjectKeyIdentifier=12345678
+ authorityKeyIdentifier=keyid:always,issuer
EOF
fi
# RSA
# Second key will be used for wrong key tests.
-for m in 1024 2048; do
- if [ "$1" = clean ] || [ "$1" = force ]; then
+for m in 1024 1024_skid 2048; do
+ if [ "$1" = clean ] || [ "$1" = force ] \
+ || [ gen-keys.sh -nt test-rsa$m.key ]; then
rm -f test-rsa$m.cer test-rsa$m.key test-rsa$m.pub
fi
if [ "$1" = clean ]; then
continue
fi
+ if [ -z "${m%%*_*}" ]; then
+ # Add named extension.
+ bits=${m%_*}
+ ext="-extensions ${m#*_}"
+ else
+ bits=$m
+ ext=
+ fi
if [ ! -e test-rsa$m.key ]; then
- log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \
+ log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 $ext \
-config test-ca.conf \
- -newkey rsa:$m \
+ -newkey rsa:$bits \
-out test-rsa$m.cer -outform DER \
-keyout test-rsa$m.key
# for v1 signatures
log openssl pkey -in test-rsa$m.key -out test-rsa$m.pub -pubout
+ if [ $m = 1024_skid ]; then
+ # Create combined key+cert.
+ log openssl x509 -inform DER -in test-rsa$m.cer >> test-rsa$m.key
+ fi
fi
done
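Review bot: The test `[ -z "${m%%*_*}" ]` in the loop body is hard to read, since it is true only when `$m` contains an underscore and that is not obvious from the expansion. A comment above it such as `# $m is <bits>_<extension section>, e.g. 1024_skid` would make the split into `bits` and `ext` self-explanatory, or the condition could be written as a `case $m in *_*)` match. The name taken from `${m#*_}` has to match a section in test-ca.conf (here `[ skid ]`), which is worth stating next to the loop list too.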
@@ -367,6 +367,7 @@ sign_verify rsa1024 sha1 0x030202:K:0080
sign_verify rsa1024 sha224 0x030207:K:0080
expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204aabbccdd0080 OPTS=--keyid=aabbccdd
expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204:K:0080 OPTS=--keyid-from-cert=test-rsa1024.cer
+expect_pass check_sign TYPE=ima KEY=rsa1024_skid ALG=sha256 PREFIX=0x030204123456780080
sign_verify rsa1024 sha256 0x030204:K:0080
try_different_keys
try_different_sigs
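Review bot: The added case covers only the keyid taken from the appended certificate, so nothing checks that an explicit `--keyid` still wins for a combined key+cert file, which is what the `if (imaevm_params.keyid)` ordering in sign_hash_v2 implies. A companion line such as `expect_pass check_sign TYPE=ima KEY=rsa1024_skid ALG=sha256 PREFIX=0x030204aabbccdd0080 OPTS=--keyid=aabbccdd` would pin that ordering. A further case using a key file whose appended certificate belongs to a different key would record what the tool does today in that situation.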
Allow to have certificate appended to the private key of `--key' specified (PEM) file (for v2 signing) to facilitate reading of keyid from the associated cert. This will allow users to have private and public key as a single file and avoid the need of manually specifying keyid. There is no check that public key from the cert matches associated private key. Signed-off-by: Vitaly Chikunov <vt@altlinux.org> --- README | 3 +++ src/libimaevm.c | 8 ++++++-- tests/gen-keys.sh | 31 +++++++++++++++++++++++++------ tests/sign_verify.test | 1 + 4 files changed, 35 insertions(+), 8 deletions(-)