From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: Re: [RFC PATCH] ima-evm-utils: convert sign v2 from RSA to EVP_PKEY API
Date: Wed, 30 Jan 2019 06:12:08 +0300
Message-ID: <20190130031208.2e7fxzvekenmwzil@altlinux.org>
In-Reply-To: <20190128171154.24073-1-vt@altlinux.org>
On Mon, Jan 28, 2019 at 08:11:53PM +0300, Vitaly Chikunov wrote:
> Convert sign_v2 and related to using EVP_PKEY API instead of RSA API.
> This enables more signatures to work out of the box.
>
> Only in single instance GOST NIDs are checked to produce correct keyid.
> Other than that code is quite generic.
There is a way to generalize it a bit more.
> Remove RSA_ASN1_templates[] as it is not needed anymore. OpenSSL sign
> is doing proper PKCS1 padding automatically (tested to be compatible
> with previous version, except for MD4). This also fixes bug with MD4
> which produced wrong signature because of absence of the appropriate
> RSA_ASN1_template.
>
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> ---
> src/evmctl.c | 25 +++---
> src/imaevm.h | 4 +-
> src/libimaevm.c | 271 +++++++++++++++++++++++++++-----------------------------
> 3 files changed, 146 insertions(+), 154 deletions(-)
>
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index d9ffa13..bd99c60 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -776,16 +724,32 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
> log_info("keyid-v1: %s\n", str);
> }
>
> -void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
> +void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *key)
> {
> + X509_PUBKEY *pk = NULL;
> uint8_t sha1[SHA_DIGEST_LENGTH];
> - unsigned char *pkey = NULL;
> + const unsigned char *pkey = NULL;
> + unsigned char *pp = NULL;
> int len;
>
> - len = i2d_RSAPublicKey(key, &pkey);
> -
> - SHA1(pkey, len, sha1);
> + switch (EVP_PKEY_id(key)) {
> + case NID_id_GostR3410_2012_256:
> + case NID_id_GostR3410_2012_512:
> + X509_PUBKEY_set(&pk, key);
> + X509_PUBKEY_get0_param(NULL, &pkey, &len, NULL, pk);
> + break;
> + default:
> + len = i2d_PublicKey(key, &pp);
Because the two calls to X509_PUBKEY_set and X509_PUBKEY_get0_param can
handle more keys (including RSA), the call to i2d_PublicKey could be
avoided, so the switch with GOST NIDs could be removed too. Tested.
> + pkey = pp;
> + }
>
> + if (len <= 0) {
> + ERR_print_errors_fp(stderr);
> + /* Produce invalid key in case of error. */
> + len = SHA_DIGEST_LENGTH;
> + memset(sha1, 0, len);
> + } else
> + SHA1(pkey, len, sha1);
> /* sha1[12 - 19] is exactly keyid from gpg file */
> memcpy(keyid, sha1 + 16, 4);
> log_debug("keyid: ");
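Review bot: in the GOST cases of calc_keyid_v2() the return value of X509_PUBKEY_set() is not checked, and `int len;` is declared without an initializer, so if that call fails X509_PUBKEY_get0_param() is handed a NULL pk and the later `if (len <= 0)` test reads whatever len happens to hold. Initialize len to 0 and only call X509_PUBKEY_get0_param() when X509_PUBKEY_set() returned success, so a failure reliably reaches the error branch. That branch then writes an all-zero keyid and the function still returns void, which means a caller cannot tell a failed computation from a real key id and will go on to embed it in a signature; consider returning a status and letting the caller abort the signing. The lines shown also allocate pk (X509_PUBKEY_set) and pp (i2d_PublicKey) without releasing them, so unless the remainder of the function does it, add X509_PUBKEY_free(pk) and OPENSSL_free(pp) before returning.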