From patchwork Tue Feb 2 15:56:24 2021
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 12062093
From: Stefan Berger
To: zohar@linux.ibm.com, vt@altlinux.org, linux-integrity@vger.kernel.org
Cc: Stefan Berger
Subject: [PATCH v2 1/2] ima_evm_utils: Fix calculation of keyid for older distros
Date: Tue, 2 Feb 2021 10:56:24 -0500
Message-Id: <20210202155625.3555769-2-stefanb@linux.ibm.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20210202155625.3555769-1-stefanb@linux.ibm.com>
References: <20210202155625.3555769-1-stefanb@linux.ibm.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Older distros, such as Ubuntu Xenial or CentOS 7, fail to calculate the
keyid properly in the bash script. Adding 'tail -n1' into the pipe fixes
the issue since we otherwise have two numbers in 'id' due to two
'BIT STRING's.

Signed-off-by: Stefan Berger
---
 tests/sign_verify.test | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 288e133..2477b34 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -43,6 +43,7 @@ _keyid_from_cert() { id=$($cmd 2>/dev/null \ | openssl asn1parse \ | grep BIT.STRING \ + | tail -n1 \ | cut -d: -f1) if [ -z "$id" ]; then echo - "$cmd" >&2
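Review bot: `tail -n1` picks the last BIT STRING offset without saying why the last one is the right one, and `_keyid_from_cert` carries no comment to that effect; add a line above `| grep BIT.STRING \` noting that older `openssl asn1parse` (Xenial and CentOS 7 per the commit message) prints two BIT STRING lines for this input and that the wanted subjectPublicKey is the later one, so nobody later "fixes" it to `head -n1`. The note matters because the choice only holds for whatever `$cmd` emits today: in a full X.509 certificate the last BIT STRING is the signatureValue, not the key. Minor: `grep BIT.STRING` treats `.` as a wildcard; `grep -F 'BIT STRING'` matches the asn1parse label exactly.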
From patchwork Tue Feb 2 15:56:25 2021
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 12062095
From: Stefan Berger
To: zohar@linux.ibm.com, vt@altlinux.org, linux-integrity@vger.kernel.org
Cc: Stefan Berger
Subject: [PATCH v2 2/2] ima_evm_utils: Add testing with elliptic curves prime192v1 and 256v1
Date: Tue, 2 Feb 2021 10:56:25 -0500
Message-Id: <20210202155625.3555769-3-stefanb@linux.ibm.com>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20210202155625.3555769-1-stefanb@linux.ibm.com>
References: <20210202155625.3555769-1-stefanb@linux.ibm.com>
X-Mailing-List: linux-integrity@vger.kernel.org

Add test cases that test the signing and signature verification with the
elliptic curves prime192v1 and prime256v1, also known as NIST P192 and
P256. These curves will soon be supported by Linux.

If OpenSSL cannot generate prime192v1 keys, as is the case on Fedora,
where this curve is not supported, the respective tests will be skipped
automatically.

The r and s integer components of the signature can have varying size.
Therefore we do the size checks for the entire signature with a regular
expression that accounts for the varying size. The most typical cases are
supported following hours of running the tests with varying keys.

Signed-off-by: Stefan Berger
---
 tests/gen-keys.sh      | 20 ++++++++++++++++++++
 tests/sign_verify.test | 15 +++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
index 407876b..46130cf 100755
--- a/tests/gen-keys.sh
+++ b/tests/gen-keys.sh
@@ -66,6 +66,26 @@ for m in 1024 2048; do fi done +for curve in prime192v1 prime256v1; do + if [ "$1" = clean ] || [ "$1" = force ]; then + rm -f test-$curve.cer test-$curve.key test-$curve.pub + fi + if [ "$1" = clean ]; then + continue + fi + if [ ! -e test-$curve.key ]; then + log openssl req -verbose -new -nodes -utf8 -sha1 -days 10000 -batch -x509 \ + -config test-ca.conf \ + -newkey ec \ + -pkeyopt ec_paramgen_curve:$curve \ + -out test-$curve.cer -outform DER \ + -keyout test-$curve.key + if [ -s test-$curve.key ]; then + log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout + fi + fi +done + # EC-RDSA for m in \ gost2012_256:A \ diff --git a/tests/sign_verify.test b/tests/sign_verify.test index 2477b34..4f2caaa 100755 --- a/tests/sign_verify.test +++ b/tests/sign_verify.test @@ -367,6 +367,21 @@ sign_verify rsa1024 sha384 0x030205:K:0080 sign_verify rsa1024 sha512 0x030206:K:0080 sign_verify rsa1024 rmd160 0x030203:K:0080 +# Test v2 signatures with ECDSA +# Signature length is typically 0x34-0x38 bytes long, very rarely 0x33 +sign_verify prime192v1 sha1 0x030202:K:003[345678] +sign_verify prime192v1 sha224 0x030207:K:003[345678] +sign_verify prime192v1 sha256 0x030204:K:003[345678] +sign_verify prime192v1 sha384 0x030205:K:003[345678] +sign_verify prime192v1 sha512 0x030206:K:003[345678] + +# Signature length is typically 0x44-0x48 bytes long, very rarely 0x43 +sign_verify prime256v1 sha1 0x030202:K:004[345678] +sign_verify prime256v1 sha224 0x030207:K:004[345678] +sign_verify prime256v1 sha256 0x030204:K:004[345678] +sign_verify prime256v1 sha384 0x030205:K:004[345678] +sign_verify prime256v1 sha512 0x030206:K:004[345678] + # Test v2 signatures with EC-RDSA _enable_gost_engine sign_verify gost2012_256-A md_gost12_256 0x030212:K:0040
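Review bot: in the gen-keys.sh hunk the two guards disagree: the key is regenerated only `if [ ! -e test-$curve.key ]`, yet the public-key step runs only `if [ -s test-$curve.key ]`, so the script already anticipates an empty key file (the Fedora prime192v1 failure the commit message describes) but would never retry generating it on a later run. Use `-s` in the first test as well, or `rm -f test-$curve.key` in an `else` branch of the `-s` check. Two smaller points: the loop has no heading comment, unlike `# EC-RDSA` just below it, so a `# ECDSA` line would keep the file consistent; and `-sha1` as the self-signature digest is a weak choice for newly added keys even in a test CA, so either use `-sha256` or note why the RSA loop's digest is being mirrored.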
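Review bot: in the sign_verify.test hunk the comments `# Signature length is typically 0x34-0x38 bytes long, very rarely 0x33` give the numbers without the reason, and the reason is what tells a reader that the check is probabilistic on purpose. The DER signature is SEQUENCE { INTEGER r, INTEGER s }: 6 bytes of tag/length overhead plus r and s at 24 bytes each for P-192 (32 for P-256), each INTEGER gaining a 0x00 sign byte when its top bit is set (probability 1/2) and losing a byte for each leading zero byte (probability 1/256 per byte). That puts 0x36-0x38 at roughly 99.8% of P-192 signatures, 0x35 at about 0.2%, 0x34 near 1e-5 and 0x33 below 1e-7, so "typically" really means 0x36-0x38, and a length below 0x33 is possible but negligible. Suggest `# 2 + (2 + 24|25) + (2 + 24|25); shorter only with leading zero bytes` (and the 32-byte analogue) beside each block so the bracket expressions can be checked by inspection.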
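The commit message explains that r and s vary in encoded size, which is why the new test lines match the signature length with a bracket expression. The Python below is an added example for this page, not code from ima-evm-utils: it computes the exact distribution of DER-encoded ECDSA signature lengths, under the assumption that r and s are independent and uniform over the full coordinate width (the real group orders sit just below 2^192 and 2^256, so this is a close approximation), and measures how much probability the patch's `003[345678]` and `004[345678]` patterns cover. That the length field is compared as a regular expression against a four-hex-digit string, as the existing RSA lines' `0080` suggest, is an assumption of the example.

```python
import re
from fractions import Fraction

# Added example for this page (not ima-evm-utils code): exact length statistics
# for DER-encoded ECDSA signatures, SEQUENCE { INTEGER r, INTEGER s }, to show
# where the 0x33-0x38 / 0x43-0x48 patterns in the test come from.


def der_tlv_len(body_len):
    """Total size of one TLV whose value is body_len bytes (minimal DER length)."""
    if body_len < 0x80:
        return 2 + body_len
    return 2 + (body_len.bit_length() + 7) // 8 + body_len


def der_int_body_len(value):
    """Body length of a minimal DER INTEGER for a non-negative value."""
    n = max(1, (value.bit_length() + 7) // 8)
    if value >> (8 * n - 1):          # top bit set: needs a 0x00 sign byte
        n += 1
    return n


def ecdsa_sig_der_len(r, s):
    """Length of the DER signature for concrete r and s."""
    body = der_tlv_len(der_int_body_len(r)) + der_tlv_len(der_int_body_len(s))
    return der_tlv_len(body)


def der_int_len_dist(nbytes):
    """Exact distribution of der_int_body_len for a value uniform in
    [0, 256**nbytes). Leading zero bytes (probability 1/256 each) are dropped;
    a first non-zero byte >= 0x80 costs a sign byte (net probability 1/2),
    one in 0x01..0x7f does not (probability 127/256)."""
    dist = {}
    p_zero_prefix = Fraction(1)       # probability that the first i bytes are zero
    for i in range(nbytes):
        remaining = nbytes - i        # byte i is the first non-zero byte
        dist[remaining + 1] = dist.get(remaining + 1, 0) + p_zero_prefix * Fraction(1, 2)
        dist[remaining] = dist.get(remaining, 0) + p_zero_prefix * Fraction(127, 256)
        p_zero_prefix *= Fraction(1, 256)
    dist[1] = dist.get(1, 0) + p_zero_prefix      # the all-zero value: one 0x00 byte
    return dist


def ecdsa_sig_len_dist(coord_bytes):
    """Exact distribution of the DER signature length, assuming r and s are
    independent and uniform over coord_bytes bytes (an assumption: the real
    group order is slightly below 2**(8*coord_bytes))."""
    single = der_int_len_dist(coord_bytes)
    dist = {}
    for lr, pr in single.items():
        for ls, ps in single.items():
            total = der_tlv_len(der_tlv_len(lr) + der_tlv_len(ls))
            dist[total] = dist.get(total, 0) + pr * ps
    return dict(sorted(dist.items()))


def length_matches(length, pattern):
    """Assumed matcher: the test's length field is four hex digits (the RSA
    lines use '0080'), compared against the pattern as a regular expression."""
    return re.fullmatch(pattern, "%04x" % length) is not None


def covered_probability(dist, pattern):
    """Probability mass of the signature lengths that a length pattern accepts."""
    return sum((p for length, p in dist.items() if length_matches(length, pattern)),
               Fraction(0))


if __name__ == "__main__":
    for name, nbytes, pattern in (("prime192v1", 24, "003[345678]"),
                                  ("prime256v1", 32, "004[345678]")):
        dist = ecdsa_sig_len_dist(nbytes)
        print(name, {hex(L): float(p) for L, p in dist.items() if p > 1e-9})
        print("  covered by", pattern, "=", float(covered_probability(dist, pattern)))
```

Fractions keep the arithmetic exact: for P-192 the three lengths 0x36, 0x37 and 0x38 come out at 65535/262144, 255/512 and 1/4, and everything the patch's pattern does not cover is below 1e-9, which is the quantitative version of "very rarely".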