From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: [PATCH v3 3/3] ima-evm-utils: Read keyid from the cert appended to the key file
Date: Wed, 5 May 2021 06:48:29 +0300 [thread overview]
Message-ID: <20210505034829.80698-4-vt@altlinux.org> (raw)
In-Reply-To: <20210505034829.80698-1-vt@altlinux.org>
Allow to have certificate appended to the private key of `--key'
specified (PEM) file (for v2 signing) to facilitate reading of keyid
from the associated cert. This will allow users to have private and
public key as a single file. There is no check that public key form the
cert matches associated private key.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
README | 3 +++
src/libimaevm.c | 8 +++++---
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/README b/README
index 0e1f6ba..ea11bde 100644
--- a/README
+++ b/README
@@ -127,6 +127,9 @@ for signing and importing the key.
Second key format uses X509 DER encoded public key certificates and uses asymmetric key support
in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
+For v2 signatures x509 certificate with the public key could be appended to the private
+key (both are in PEM format) to properly determine its Subject Key Identifier (SKID).
+
Integrity keyrings
----------------
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 17d1c26..95b30f5 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -994,10 +994,12 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
return -1;
}
- if (imaevm_params.keyid)
+ if (imaevm_params.keyid) {
hdr->keyid = htonl(imaevm_params.keyid);
- else
- calc_keyid_v2(&hdr->keyid, name, pkey);
+ } else {
+ if (ima_read_keyid(keyfile, &hdr->keyid) == ULONG_MAX)
+ calc_keyid_v2(&hdr->keyid, name, pkey);
+ }
st = "EVP_PKEY_CTX_new";
if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
--
2.11.0
prev parent reply other threads:[~2021-05-05 3:49 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-05 3:48 [PATCH v3 0/3] ima-evm-utils: Add --keyid option Vitaly Chikunov
2021-05-05 3:48 ` [PATCH v3 1/3] ima-evm-utils: Allow manual setting keyid for signing Vitaly Chikunov
2021-05-05 3:48 ` [PATCH v3 2/3] ima-evm-utils: Allow manual setting keyid from a cert file Vitaly Chikunov
2021-05-05 3:48 ` Vitaly Chikunov [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210505034829.80698-4-vt@altlinux.org \
--to=vt@altlinux.org \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).