* [PATCH ima-evm-utils v3 0/4] Update README and examples and add EC key support
@ 2023-04-26 22:35 Stefan Berger
2023-04-26 22:35 ` [PATCH ima-evm-utils v3 1/4] Update default key sizes and hash to up-to-date values Stefan Berger
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Stefan Berger @ 2023-04-26 22:35 UTC (permalink / raw)
To: linux-integrity; +Cc: zohar, Stefan Berger
Update the README and add example scripts for RSA keys to use more up-to-date
values for key sizes and hash being used and adjust the OpenSSL config files so
that the created keys can be used with the .machine keyring. Add EC key and cert
support scripts and describe EC key and certificate generation in the README.
Regards,
Stefan
Stefan Berger (4):
Update default key sizes and hash to up-to-date values
Update OpenSSL config files for support for .machine keyring
Add openssl command line examples for creation of EC keys
Add example scripts for EC key and certs generation
Makefile.am | 8 ++++++-
README | 41 +++++++++++++++++++++++++-------
examples/ima-gen-local-ca-ecc.sh | 29 ++++++++++++++++++++++
examples/ima-gen-local-ca.sh | 4 ++--
examples/ima-genkey-ecc.sh | 34 ++++++++++++++++++++++++++
examples/ima-genkey-self-ecc.sh | 29 ++++++++++++++++++++++
examples/ima-genkey-self.sh | 4 ++--
examples/ima-genkey.sh | 5 ++--
8 files changed, 139 insertions(+), 15 deletions(-)
create mode 100755 examples/ima-gen-local-ca-ecc.sh
create mode 100755 examples/ima-genkey-ecc.sh
create mode 100755 examples/ima-genkey-self-ecc.sh
--
2.39.2
* [PATCH ima-evm-utils v3 1/4] Update default key sizes and hash to up-to-date values
From: Stefan Berger @ 2023-04-26 22:35 UTC (permalink / raw)
To: linux-integrity; +Cc: zohar, Stefan Berger
Update the documentation and example scripts to use 2048 bit RSA keys
and sha256.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
README | 14 +++++++-------
examples/ima-gen-local-ca.sh | 2 +-
examples/ima-genkey-self.sh | 4 ++--
examples/ima-genkey.sh | 4 ++--
4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/README b/README
index 75e4fd2..ae92f95 100644
--- a/README
+++ b/README
@@ -200,11 +200,11 @@ Generate signing and verification keys
Generate private key in plain text format:
- openssl genrsa -out privkey_evm.pem 1024
+ openssl genrsa -out privkey_evm.pem 2048
Generate encrypted private key:
- openssl genrsa -des3 -out privkey_evm.pem 1024
+ openssl genrsa -des3 -out privkey_evm.pem 2048
Make encrypted private key from unencrypted:
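Review bot: the encrypted-key example at `+ openssl genrsa -des3 -out privkey_evm.pem 2048` keeps `-des3`, so the private key file is still wrapped with 3DES even though the key size is being modernized in the same line; consider `-aes256` here so the cipher protecting the key matches the intent of the change.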
@@ -213,7 +213,7 @@ Make encrypted private key from unencrypted:
Generate self-signed X509 public key certificate and private key for using kernel
asymmetric keys support:
- openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
+ openssl req -new -nodes -utf8 -sha256 -days 36500 -batch \
-x509 -config x509_evm.genkey \
-outform DER -out x509_evm.der -keyout privkey_evm.pem
@@ -221,7 +221,7 @@ Configuration file x509_evm.genkey:
# Beginning of the file
[ req ]
- default_bits = 1024
+ default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@@ -292,7 +292,7 @@ Configuration file ima-local-ca.genkey:
Generate private key and X509 public key certificate:
- openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+ openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
Produce X509 in DER format for using while building the kernel:
@@ -303,7 +303,7 @@ Configuration file ima.genkey:
# Beginning of the file
[ req ]
- default_bits = 1024
+ default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@@ -327,7 +327,7 @@ Configuration file ima.genkey:
Generate private key and X509 public key certificate signing request:
- openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
+ openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \
-out csr_ima.pem -keyout privkey_ima.pem
Sign X509 public key certificate signing request with local IMA CA private key:
diff --git a/examples/ima-gen-local-ca.sh b/examples/ima-gen-local-ca.sh
index 1f24949..055463c 100755
--- a/examples/ima-gen-local-ca.sh
+++ b/examples/ima-gen-local-ca.sh
@@ -22,7 +22,7 @@ authorityKeyIdentifier=keyid:always,issuer
# keyUsage = cRLSign, keyCertSign
__EOF__
-openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
diff --git a/examples/ima-genkey-self.sh b/examples/ima-genkey-self.sh
index e293b94..c04df37 100755
--- a/examples/ima-genkey-self.sh
+++ b/examples/ima-genkey-self.sh
@@ -4,7 +4,7 @@ GENKEY=x509_evm.genkey
cat << __EOF__ >$GENKEY
[ req ]
-default_bits = 1024
+default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@@ -22,7 +22,7 @@ subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
__EOF__
-openssl req -x509 -new -nodes -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \
-outform DER -out x509_evm.der -keyout privkey_evm.pem
openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
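Review bot: the validity period differs between this script and the README for the same self-signed EVM key: here `-days 3650`, in the README hunk above `-days 36500`. Since this patch is aligning the script with the documentation, consider using one value in both places.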
diff --git a/examples/ima-genkey.sh b/examples/ima-genkey.sh
index b08778f..c09205a 100755
--- a/examples/ima-genkey.sh
+++ b/examples/ima-genkey.sh
@@ -4,7 +4,7 @@ GENKEY=ima.genkey
cat << __EOF__ >$GENKEY
[ req ]
-default_bits = 1024
+default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@@ -25,7 +25,7 @@ authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer
__EOF__
-openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
+openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \
-out csr_ima.pem -keyout privkey_ima.pem
openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
-CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
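Review bot: the `-sha256` added at `+openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \` only governs the CSR's self-signature; the digest on the certificate actually issued is chosen by the following `openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \` line, which passes no digest option and on OpenSSL releases before 1.1.0 defaults to SHA-1. Add `-sha256` to the `x509 -req` invocation as well so the patch fully achieves its stated aim.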
--
2.39.2
* [PATCH ima-evm-utils v3 2/4] Update OpenSSL config files for support for .machine keyring
From: Stefan Berger @ 2023-04-26 22:35 UTC (permalink / raw)
To: linux-integrity; +Cc: zohar, Stefan Berger
Update the OpenSSL config files for support for loading certs onto
the .machine keyring where certain key usage flags must be set.
Also update the OpenSSL config files shown in the README.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
README | 3 ++-
examples/ima-gen-local-ca.sh | 2 +-
examples/ima-genkey.sh | 1 +
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/README b/README
index ae92f95..9e47eaf 100644
--- a/README
+++ b/README
@@ -235,6 +235,7 @@ Configuration file x509_evm.genkey:
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
+ extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
# EOF
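Review bot: this adds `+ extendedKeyUsage=critical,codeSigning` to the README's x509_evm.genkey, but examples/ima-genkey-self.sh, which writes that same file (its `[ myexts ]` section is visible in the 1/4 hunk and ends with `authorityKeyIdentifier=keyid`), is not touched in this series, so the documented configuration and the one the script generates now diverge. Either update the script in the same patch or note in the README why the self-signed variant omits the extended key usage.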
@@ -287,7 +288,7 @@ Configuration file ima-local-ca.genkey:
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
- # keyUsage = cRLSign, keyCertSign
+ keyUsage = cRLSign, keyCertSign
# EOF
Generate private key and X509 public key certificate:
diff --git a/examples/ima-gen-local-ca.sh b/examples/ima-gen-local-ca.sh
index 055463c..6fd4997 100755
--- a/examples/ima-gen-local-ca.sh
+++ b/examples/ima-gen-local-ca.sh
@@ -19,7 +19,7 @@ emailAddress = ca@ima-ca
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
__EOF__
openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
diff --git a/examples/ima-genkey.sh b/examples/ima-genkey.sh
index c09205a..00fa648 100755
--- a/examples/ima-genkey.sh
+++ b/examples/ima-genkey.sh
@@ -20,6 +20,7 @@ basicConstraints=critical,CA:FALSE
#basicConstraints=CA:FALSE
keyUsage=digitalSignature
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer
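Review bot: the commit message says "certain key usage flags must be set" for the .machine keyring but does not name them; since this hunk is where the requirement is encoded (`+extendedKeyUsage=critical,codeSigning`), a short comment above that line, or a sentence in the commit message stating which flag the keyring requires and that it must be marked critical, would make the reason for the setting discoverable later and keep it from being trimmed as noise.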
--
2.39.2
* [PATCH ima-evm-utils v3 3/4] Add openssl command line examples for creation of EC keys
From: Stefan Berger @ 2023-04-26 22:35 UTC (permalink / raw)
To: linux-integrity; +Cc: zohar, Stefan Berger
Add openssl command line examples for creation of EC keys for EVM and IMA
CA and signing key.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
README | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/README b/README
index 9e47eaf..d631eb7 100644
--- a/README
+++ b/README
@@ -217,6 +217,18 @@ asymmetric keys support:
-x509 -config x509_evm.genkey \
-outform DER -out x509_evm.der -keyout privkey_evm.pem
+Create an elliptic curve (EC) key (supported since Linux v5.13)
+
+ openssl ecparam -name prime256v1 -genkey -out privkey_evm.pem
+
+Generate self-signed x509 EC public key certificate and private key for using
+kernel asymmetric key support (supported since Linux v5.13):
+
+ openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
+ -x509 -config x509_evm.genkey \
+ -outform DER -out x509_evm.der -keyout privkey_evm.pem \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+
Configuration file x509_evm.genkey:
# Beginning of the file
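Review bot: the new self-signed EC example at `+ openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \` still uses `-sha1`, while patch 1/4 of this series changed every other `req` example in the README to `-sha256`; this one should be `-sha256` as well. Two smaller points in the same hunk: the first added line `+Create an elliptic curve (EC) key (supported since Linux v5.13)` is missing the trailing colon the neighbouring headings use, and "x509" in `+Generate self-signed x509 EC public key certificate` should be "X509" to match the surrounding text.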
@@ -245,6 +257,9 @@ Generate public key for using RSA key format:
openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
+Similarly generate public EC key:
+
+ openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem
Copy keys to /etc/keys:
@@ -291,6 +306,12 @@ Configuration file ima-local-ca.genkey:
keyUsage = cRLSign, keyCertSign
# EOF
+Note: To generated elliptic curve keys add the following parameters to
+ the 'req' commands below (supported since Linux v5.13):
+
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+
+
Generate private key and X509 public key certificate:
openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
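Review bot: typo in the added note, `+Note: To generated elliptic curve keys add the following parameters to` should read "To generate", and the two consecutive empty `+` lines before "Generate private key and X509 public key certificate:" leave a double blank line where the rest of the README uses one.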
--
2.39.2
* [PATCH ima-evm-utils v3 4/4] Add example scripts for EC key and certs generation
From: Stefan Berger @ 2023-04-26 22:35 UTC (permalink / raw)
To: linux-integrity; +Cc: zohar, Stefan Berger
Add example scripts for EC key and certificate creation and reference
them from the README and Makefile.am.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
Makefile.am | 8 +++++++-
README | 3 +++
examples/ima-gen-local-ca-ecc.sh | 29 +++++++++++++++++++++++++++
examples/ima-genkey-ecc.sh | 34 ++++++++++++++++++++++++++++++++
examples/ima-genkey-self-ecc.sh | 29 +++++++++++++++++++++++++++
5 files changed, 102 insertions(+), 1 deletion(-)
create mode 100755 examples/ima-gen-local-ca-ecc.sh
create mode 100755 examples/ima-genkey-ecc.sh
create mode 100755 examples/ima-genkey-self-ecc.sh
diff --git a/Makefile.am b/Makefile.am
index e686d65..9ec5681 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -7,7 +7,13 @@ if MANPAGE_DOCBOOK_XSL
dist_man_MANS = evmctl.1
endif
-doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh
+doc_DATA = \
+ examples/ima-genkey-self.sh \
+ examples/ima-genkey.sh \
+ examples/ima-gen-local-ca.sh \
+ examples/ima-genkey-self-ecc.sh \
+ examples/ima-genkey-ecc.sh \
+ examples/ima-gen-local-ca-ecc.sh
EXTRA_DIST = autogen.sh $(doc_DATA)
CLEANFILES = *.html *.xsl
diff --git a/README b/README
index d631eb7..40a61f9 100644
--- a/README
+++ b/README
@@ -470,6 +470,9 @@ Examples of scripts to generate X509 public key certificates:
/usr/share/doc/ima-evm-utils/ima-genkey-self.sh
/usr/share/doc/ima-evm-utils/ima-genkey.sh
/usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh
+ /usr/share/doc/ima-evm-utils/ima-genkey-self-ecc.sh
+ /usr/share/doc/ima-evm-utils/ima-genkey-ecc.sh
+ /usr/share/doc/ima-evm-utils/ima-gen-local-ca-ecc.sh
AUTHOR
diff --git a/examples/ima-gen-local-ca-ecc.sh b/examples/ima-gen-local-ca-ecc.sh
new file mode 100755
index 0000000..1f17bcf
--- /dev/null
+++ b/examples/ima-gen-local-ca-ecc.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+GENKEY=ima-local-ca.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+O = IMA-CA
+CN = IMA/EVM certificate signing key
+emailAddress = ca@ima-ca
+
+[ v3_ca ]
+basicConstraints=CA:TRUE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+keyUsage = cRLSign, keyCertSign
+__EOF__
+
+openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
+ -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+
+openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
+
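Review bot: the new file ends with an empty `+` line after `+openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem`, leaving a trailing blank line at end of file; consider dropping it (git will also flag it as whitespace noise).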
diff --git a/examples/ima-genkey-ecc.sh b/examples/ima-genkey-ecc.sh
new file mode 100755
index 0000000..bdc8d17
--- /dev/null
+++ b/examples/ima-genkey-ecc.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+GENKEY=ima.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_usr
+
+[ req_distinguished_name ]
+O = `hostname`
+CN = `whoami` signing key
+emailAddress = `whoami`@`hostname`
+
+[ v3_usr ]
+basicConstraints=critical,CA:FALSE
+#basicConstraints=CA:FALSE
+keyUsage=digitalSignature
+#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+#authorityKeyIdentifier=keyid,issuer
+__EOF__
+
+openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \
+ -out csr_ima.pem -keyout privkey_ima.pem \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+ -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
+ -outform DER -out x509_ima.der
+
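Review bot: as in the RSA script, the `+openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \` step that issues the certificate passes no digest option, so the `-sha256` on the `req` line only covers the CSR; add `-sha256` to the `x509 -req` line so the issued EC certificate is not signed with the tool's default digest (SHA-1 on OpenSSL before 1.1.0). The trailing empty `+` line at the end of the file can also be dropped.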
diff --git a/examples/ima-genkey-self-ecc.sh b/examples/ima-genkey-self-ecc.sh
new file mode 100755
index 0000000..b5431e2
--- /dev/null
+++ b/examples/ima-genkey-self-ecc.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+GENKEY=x509_evm.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = `hostname`
+CN = `whoami` signing key
+emailAddress = `whoami`@`hostname`
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+__EOF__
+
+openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \
+ -outform DER -out x509_evm.der -keyout privkey_evm.pem \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+
+openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem
+
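Review bot: the `[ myexts ]` section written here lacks the `extendedKeyUsage=critical,codeSigning` line that patch 2/4 added to the README's x509_evm.genkey, so this script produces a certificate that differs from the documented configuration and from ima-genkey-ecc.sh in the same patch, which does include it. Add the line, or state in the README why the self-signed variant omits it. The trailing empty `+` line at the end of the file can also go.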
--
2.39.2
* Re: [PATCH ima-evm-utils v3 0/4] Update README and examples and add EC key support
From: Mimi Zohar @ 2023-04-27 14:21 UTC (permalink / raw)
To: Stefan Berger, linux-integrity
On Wed, 2023-04-26 at 18:35 -0400, Stefan Berger wrote:
> Update the README and add example scripts for RSA keys to use more up-to-date
> values for key sizes and hash being used and adjust the OpenSSL config files so
> that the created keys can be used with the .machine keyring. Add EC key and cert
> support scripts and describe EC key and certificate generation in the README.
Thanks, Stefan. The patches are now queued in next, next-testing.
Mimi