lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7614.1455099176@warthog.procyon.org.uk>
Date:	Wed, 10 Feb 2016 10:12:56 +0000
From:	David Howells <dhowells@...hat.com>
To:	Juerg Haefliger <juerg.haefliger@....com>
Cc:	dhowells@...hat.com, linux-kernel@...r.kernel.org,
	keyrings@...r.kernel.org, dwmw2@...radead.org
Subject: Re: [PATCH v2] scripts/sign-file.c: Add support for signing with a raw signature

Juerg Haefliger <juerg.haefliger@....com> wrote:

> This patch adds support for signing a kernel module with a raw
> detached PKCS#7 signature/message.
> 
> The signature is not converted and is simply appended to the module so
> it needs to be in the right format. Using openssl, a valid signature can
> be generated like this:
>   $ openssl smime -sign -nocerts -noattr -binary -in <module> -inkey \
>     <key> -signer <x509> -outform der -out <raw sig>
> 
> The resulting raw signature from the above command is (more or less)
> identical to the raw signature that sign-file itself can produce like
> this:
>   $ scripts/sign-file -d <hash algo> <key> <x509> <module>

What's the usage case for this?  Can it be done instead with openssl PKCS#11?

David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ