lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3114062.1611757328@warthog.procyon.org.uk>
Date:   Wed, 27 Jan 2021 14:22:08 +0000
From:   David Howells <dhowells@...hat.com>
To:     Stefan Berger <stefanb@...ux.vnet.ibm.com>
Cc:     dhowells@...hat.com, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org, herbert@...dor.apana.org.au,
        davem@...emloft.net, linux-crypto@...r.kernel.org,
        patrick@...terwijk.org, Stefan Berger <stefanb@...ux.ibm.com>
Subject: Re: [PATCH v3 0/3] Add support for x509 certs with NIST p256 and p192 keys

Stefan Berger <stefanb@...ux.vnet.ibm.com> wrote:

> This series of patches adds support for x509 certificates signed by a CA
> that uses NIST p256 or p192 keys for signing. It also adds support for
> certificates where the public key is a NIST p256 or p192 key. The math
> for ECDSA signature verification is also added.
> 
> Since self-signed certificates are verified upon loading, the following
> script can be used for testing:
> 
> k=$(keyctrl newring test @u)
> 
> while :; do
> 	for hash in sha1 sha224 sha256 sha384 sha512; do
> 		openssl req \
> 			-x509 \
> 			-${hash} \
> 			-newkey ec \
> 			-pkeyopt ec_paramgen_curve:prime256v1 \
> 			-keyout key.pem \
> 			-days 365 \
> 			-subj '/CN=test' \
> 			-nodes \
> 			-outform der \
> 			-out cert.der
> 		keyctl padd asymmetric testkey $k < cert.der
> 		if [ $? -ne 0 ]; then
> 			echo "ERROR"
> 			exit 1
> 		fi
> 	done
> done
> 
> It also works with restricted keyrings where an RSA key is used to sign
> a NIST P256/P192 key. Scripts for testing are here:
> 
> https://github.com/stefanberger/eckey-testing
> 
> The ECDSA signature verification will be used by IMA Appraisal where ECDSA
> file signatures stored in RPM packages will use substantially less space
> than if RSA signatures were to be used.

I've pulled this into my keys-next branch.

David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ