From: Stefan Berger <stefanb@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH ima-evm-utils v3 2/4] Update OpenSSL config files for support for .machine keyring
Date: Wed, 26 Apr 2023 18:35:57 -0400 [thread overview]
Message-ID: <20230426223559.681668-3-stefanb@linux.ibm.com> (raw)
In-Reply-To: <20230426223559.681668-1-stefanb@linux.ibm.com>
Update the OpenSSL config files for support for loading certs onto
the .machine keyring where certain key usage flags must be set.
Also update the OpenSSL config files shown in the README.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
README | 3 ++-
examples/ima-gen-local-ca.sh | 2 +-
examples/ima-genkey.sh | 1 +
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/README b/README
index ae92f95..9e47eaf 100644
--- a/README
+++ b/README
@@ -235,6 +235,7 @@ Configuration file x509_evm.genkey:
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
+ extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
# EOF
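Review bot: the new `+ extendedKeyUsage=critical,codeSigning` line lands in the README's `[ myexts ]` block with no accompanying text, so a reader cannot tell that it is mandatory for the .machine keyring case the commit message describes rather than optional hardening; suggest a sentence above the configuration block stating which flags must be present (`keyUsage=digitalSignature` and the code-signing extendedKeyUsage) and for which keyring. Marking the extension critical also means any verifier that does not implement extendedKeyUsage must reject the certificate; if the kernel requires it to be critical the README should say so, otherwise consider dropping `critical`.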
@@ -287,7 +288,7 @@ Configuration file ima-local-ca.genkey:
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
- # keyUsage = cRLSign, keyCertSign
+ keyUsage = cRLSign, keyCertSign
# EOF
Generate private key and X509 public key certificate:
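Review bot: with `keyUsage = cRLSign, keyCertSign` now active, `basicConstraints=CA:TRUE` three lines above it is still non-critical, while the leaf configuration in this same README marks its `basicConstraints=critical,CA:FALSE`; suggest `basicConstraints=critical,CA:TRUE` for the CA so both configurations follow one convention, plus a short note in the README text explaining why the keyUsage line was previously commented out and is now required.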
diff --git a/examples/ima-gen-local-ca.sh b/examples/ima-gen-local-ca.sh
index 055463c..6fd4997 100755
--- a/examples/ima-gen-local-ca.sh
+++ b/examples/ima-gen-local-ca.sh
@@ -19,7 +19,7 @@ emailAddress = ca@ima-ca
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
__EOF__
openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \
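Review bot: this hunk is the same one-line change as the README's ima-local-ca.genkey block, and the spacing style `keyUsage = cRLSign, keyCertSign` differs from the `keyUsage=digitalSignature` form used in ima-genkey.sh; suggest `keyUsage=cRLSign,keyCertSign` here and in the README copy. Since the README duplicates this heredoc verbatim, a pointer in the README to examples/ima-gen-local-ca.sh as the canonical copy would keep the two from drifting apart.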
diff --git a/examples/ima-genkey.sh b/examples/ima-genkey.sh
index c09205a..00fa648 100755
--- a/examples/ima-genkey.sh
+++ b/examples/ima-genkey.sh
@@ -20,6 +20,7 @@ basicConstraints=critical,CA:FALSE
#basicConstraints=CA:FALSE
keyUsage=digitalSignature
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer
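Review bot: after the new `+extendedKeyUsage=critical,codeSigning` line, the commented alternatives left in this block (`#basicConstraints=CA:FALSE`, `#keyUsage = nonRepudiation, digitalSignature, keyEncipherment`, `#authorityKeyIdentifier=keyid,issuer`) give no hint which settings the .machine keyring actually needs, so someone switching to the alternative keyUsage line would not know that digitalSignature has to stay; suggest either removing the stale alternatives or adding a comment above the block marking `keyUsage=digitalSignature` and the extendedKeyUsage line as required. Note also that keyEncipherment in the commented alternative is not permitted for EC keys (RFC 5480), which matters once this series adds EC key examples.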
--
2.39.2
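As an added end-to-end check (example code written for this page, not part of ima-evm-utils or of this patch), the script below writes the two extension sets from the patch into OpenSSL config files, generates a local CA and a CA-signed leaf certificate the way the example scripts do, and then verifies that the key usage flags actually ended up in the certificates. The `[ req ]` and DN sections, the made-up DN values and the file names are assumptions; the patch only shows the extension lines. It needs an `openssl` binary from OpenSSL 1.1.1 or newer for the `x509 -ext` option.

```shell
#!/bin/sh
# Added example, not part of ima-evm-utils: build a local CA and a leaf
# signing certificate with the extension sets this patch puts into
# ima-local-ca.genkey and x509_evm.genkey, then verify the flags landed.
# The [ req ] / DN sections and file names are assumptions; the patch only
# shows the extension lines.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# CA config: [ v3_ca ] as in ima-local-ca.genkey after this patch
# (keyUsage uncommented). DN values are made up for the example.
cat > "$workdir/ima-local-ca.genkey" <<'__EOF__'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = v3_ca

[ req_distinguished_name ]
O = IMA-CA
CN = IMA/EVM certificate signing key
emailAddress = ca@ima-ca

[ v3_ca ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
keyUsage = cRLSign, keyCertSign
__EOF__

# Leaf config: [ myexts ] as in x509_evm.genkey after this patch.
cat > "$workdir/x509_evm.genkey" <<'__EOF__'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = example.org
CN = example signing key
emailAddress = signer@example.org

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
__EOF__

# Self-signed CA, same invocation shape as examples/ima-gen-local-ca.sh.
openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -nodes \
    -newkey rsa:2048 -config "$workdir/ima-local-ca.genkey" \
    -keyout "$workdir/ima-local-ca.priv" -out "$workdir/ima-local-ca.pem" 2>/dev/null

# Leaf: CSR first, then sign it with the CA applying [ myexts ].
openssl req -new -utf8 -sha256 -batch -nodes -newkey rsa:2048 \
    -config "$workdir/x509_evm.genkey" \
    -keyout "$workdir/privkey_evm.pem" -out "$workdir/csr_evm.pem" 2>/dev/null
openssl x509 -req -in "$workdir/csr_evm.pem" -days 365 -sha256 \
    -extfile "$workdir/x509_evm.genkey" -extensions myexts \
    -CA "$workdir/ima-local-ca.pem" -CAkey "$workdir/ima-local-ca.priv" \
    -CAcreateserial -out "$workdir/x509_evm.pem" 2>/dev/null

# cert_has CERT EXT NEEDLE...: succeed only if every NEEDLE appears in the
# text dump of extension EXT (e.g. keyUsage) of CERT.
cert_has() {
    cert=$1; ext=$2; shift 2
    dump=$(openssl x509 -in "$cert" -noout -ext "$ext")
    for needle in "$@"; do
        case $dump in *"$needle"*) ;; *) return 1 ;; esac
    done
}

# ca_cert_ok CERT: the CA flags this patch uncomments.
ca_cert_ok() {
    cert_has "$1" basicConstraints "CA:TRUE" &&
    cert_has "$1" keyUsage "Certificate Sign" "CRL Sign"
}

# leaf_cert_ok CERT: digitalSignature plus the code-signing EKU, with CA:FALSE.
leaf_cert_ok() {
    cert_has "$1" basicConstraints "CA:FALSE" &&
    cert_has "$1" keyUsage "Digital Signature" &&
    cert_has "$1" extendedKeyUsage "Code Signing"
}

ca_cert_ok "$workdir/ima-local-ca.pem" || { echo "CA cert lacks required flags"; exit 1; }
leaf_cert_ok "$workdir/x509_evm.pem"   || { echo "leaf cert lacks required flags"; exit 1; }
# A cert made from the pre-patch leaf config would fail here: no EKU at all.
leaf_cert_ok "$workdir/ima-local-ca.pem" && { echo "CA cert must not pass as leaf"; exit 1; }
echo "both certificates carry the flags this patch requires"
```

Run it after editing either config file: `cert_has` matches the names OpenSSL prints for the bits (`Certificate Sign`, `CRL Sign`, `Digital Signature`, `Code Signing`), so dropping or mistyping one of the extension lines makes the corresponding check fail before the certificate is ever handed to the kernel.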
Thread overview: 6+ messages
2023-04-26 22:35 [PATCH ima-evm-utils v3 0/4] Update README and examples and add EC key support Stefan Berger
2023-04-26 22:35 ` [PATCH ima-evm-utils v3 1/4] Update default key sizes and hash to up-to-date values Stefan Berger
2023-04-26 22:35 ` Stefan Berger [this message]
2023-04-26 22:35 ` [PATCH ima-evm-utils v3 3/4] Add openssl command line examples for creation of EC keys Stefan Berger
2023-04-26 22:35 ` [PATCH ima-evm-utils v3 4/4] Add example scripts for EC key and certs generation Stefan Berger
2023-04-27 14:21 ` [PATCH ima-evm-utils v3 0/4] Update README and examples and add EC key support Mimi Zohar