[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3114062.1611757328@warthog.procyon.org.uk>
Date: Wed, 27 Jan 2021 14:22:08 +0000
From: David Howells <dhowells@...hat.com>
To: Stefan Berger <stefanb@...ux.vnet.ibm.com>
Cc: dhowells@...hat.com, keyrings@...r.kernel.org,
linux-kernel@...r.kernel.org, herbert@...dor.apana.org.au,
davem@...emloft.net, linux-crypto@...r.kernel.org,
patrick@...terwijk.org, Stefan Berger <stefanb@...ux.ibm.com>
Subject: Re: [PATCH v3 0/3] Add support for x509 certs with NIST p256 and p192 keys
Stefan Berger <stefanb@...ux.vnet.ibm.com> wrote:
> This series of patches adds support for x509 certificates signed by a CA
> that uses NIST p256 or p192 keys for signing. It also adds support for
> certificates where the public key is a NIST p256 or p192 key. The math
> for ECDSA signature verification is also added.
>
> Since self-signed certificates are verified upon loading, the following
> script can be used for testing:
>
> k=$(keyctrl newring test @u)
>
> while :; do
> for hash in sha1 sha224 sha256 sha384 sha512; do
> openssl req \
> -x509 \
> -${hash} \
> -newkey ec \
> -pkeyopt ec_paramgen_curve:prime256v1 \
> -keyout key.pem \
> -days 365 \
> -subj '/CN=test' \
> -nodes \
> -outform der \
> -out cert.der
> keyctl padd asymmetric testkey $k < cert.der
> if [ $? -ne 0 ]; then
> echo "ERROR"
> exit 1
> fi
> done
> done
>
> It also works with restricted keyrings where an RSA key is used to sign
> a NIST P256/P192 key. Scripts for testing are here:
>
> https://github.com/stefanberger/eckey-testing
>
> The ECDSA signature verification will be used by IMA Appraisal where ECDSA
> file signatures stored in RPM packages will use substantially less space
> than if RSA signatures were to be used.
I've pulled this into my keys-next branch.
David
Powered by blists - more mailing lists