Date:   Fri, 5 Mar 2021 15:37:21 +0800
From:   Tianjia Zhang <tianjia.zhang@...ux.alibaba.com>
To:     Stefan Berger <stefanb@...ux.ibm.com>
Cc:     linux-kernel@...r.kernel.org, linux-integrity@...r.kernel.org,
        "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" 
        <linux-crypto@...r.kernel.org>,
        Mimi Zohar <zohar@...ux.vnet.ibm.com>,
        David Howells <dhowells@...hat.com>,
        "open list:KEYS-TRUSTED" <keyrings@...r.kernel.org>,
        "davem@...emloft.net" <davem@...emloft.net>,
        Herbert Xu <herbert@...dor.apana.org.au>
Subject: Re: [PATCH v9 2/9] x509: Detect sm2 keys by their parameters OID

Hi,

On 3/4/21 7:46 AM, Stefan Berger wrote:
> Tianjia,
> 
>     can you say whether SM2 support works for you before and after 
> applying this patch? I cannot verify it with an sm2 key I have created 
> using a sequence of commands like this:
> 
>  > modprobe sm2_generic
>  > id=$(keyctl newring test @u)
>  > keyctl padd asymmetric "" $id < sm2.der
> add_key: Key was rejected by service
>  > keyctl padd asymmetric "" $id < eckeys/cert-prime192v1-0.der
> 88506426
> 
> The sm2 key is rejected but the prime192v1 key works just fine. SM2 support 
> neither worked for me before nor after this patch here. The difference 
> is that before it returned 'add_key: Package not installed'.
> 
> This is my sm2 cert:
> 
>  > base64 < sm2.der
> MIIBbzCCARWgAwIBAgIUfqwndeAy7reymWLwvCHOgYPU2YUwCgYIKoZIzj0EAwIwDTELMAkGA1UE
> AwwCbWUwHhcNMjEwMTI0MTgwNjQ3WhcNMjIwMTI0MTgwNjQ3WjANMQswCQYDVQQDDAJtZTBZMBMG
> ByqGSM49AgEGCCqBHM9VAYItA0IABEtiMaczdk46MEugmOsY/u+puf5qoi7JdLd/w3VpdixvDd26
> vrxLKL7lCTVn5w3a07G7QB1dgdMDpzIRgWrVXC6jUzBRMB0GA1UdDgQWBBSxOVnE7ihvTb6Nczb4
> /mow+HIc9TAfBgNVHSMEGDAWgBSxOVnE7ihvTb6Nczb4/mow+HIc9TAPBgNVHRMBAf8EBTADAQH/
> MAoGCCqGSM49BAMCA0gAMEUCIE1kiji2ABUy663NANe0iCPjCeeqg02Yk4b3K+Ci/Qh4AiEA/cFB
> eJEVklyveRMvuTP7BN7FG4U8iRdtedjiX+YrNio=
> 
> Regards,
>     Stefan
> 

Yes, it works fine here. Your test method may be wrong. First of all, 
the certificate looks wrong; I don't know if it was not sent completely. 
Secondly, the SM2 algorithm must be compiled as builtin. There will be 
a problem when it is compiled into a module. This is a restriction for 
SM2 signature with Za. You may refer to this discussion:

https://lkml.org/lkml/2021/1/12/1736

In addition, I'll give you a self-signed root certificate for my test:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

If you can, please add:

Tested-by: Tianjia Zhang <tianjia.zhang@...ux.alibaba.com>

Good luck!

Tianjia
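The patch under review is titled "Detect sm2 keys by their parameters OID": in X.509, an SM2 public key is carried as id-ecPublicKey (1.2.840.10045.2.1) with the SM2 curve OID (1.2.156.10197.1.301) in the AlgorithmIdentifier parameters of the SubjectPublicKeyInfo. The following is an added example, not code from this thread or from the kernel: a small standalone DER walker in Python that pulls the key OIDs and the signature-algorithm OID out of the certificate Stefan posted above and classifies the key the way the patch subject describes. The helper names, the `key_type` labels and the `OID_NAMES` table are my own choices; the OID values themselves are the standard ones. On Stefan's certificate it reports an id-ecPublicKey key with SM2 curve parameters, and a signature algorithm OID of ecdsa-with-SHA256 (1.2.840.10045.4.3.2).

```python
import base64

# Stefan's SM2 certificate exactly as posted in the thread (base64-encoded DER),
# with the mail line wrapping removed.
CERT_B64 = (
    "MIIBbzCCARWgAwIBAgIUfqwndeAy7reymWLwvCHOgYPU2YUwCgYIKoZIzj0EAwIwDTELMAkGA1UE"
    "AwwCbWUwHhcNMjEwMTI0MTgwNjQ3WhcNMjIwMTI0MTgwNjQ3WjANMQswCQYDVQQDDAJtZTBZMBMG"
    "ByqGSM49AgEGCCqBHM9VAYItA0IABEtiMaczdk46MEugmOsY/u+puf5qoi7JdLd/w3VpdixvDd26"
    "vrxLKL7lCTVn5w3a07G7QB1dgdMDpzIRgWrVXC6jUzBRMB0GA1UdDgQWBBSxOVnE7ihvTb6Nczb4"
    "/mow+HIc9TAfBgNVHSMEGDAWgBSxOVnE7ihvTb6Nczb4/mow+HIc9TAPBgNVHRMBAf8EBTADAQH/"
    "MAoGCCqGSM49BAMCA0gAMEUCIE1kiji2ABUy663NANe0iCPjCeeqg02Yk4b3K+Ci/Qh4AiEA/cFB"
    "eJEVklyveRMvuTP7BN7FG4U8iRdtedjiX+YrNio="
)

# Standard OIDs relevant to EC and SM2 certificates (table assembled for this example).
OID_NAMES = {
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.10045.3.1.1": "prime192v1",
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.156.10197.1.301": "sm2",
    "1.2.156.10197.1.501": "SM2-with-SM3",
}

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_SM2_CURVE = "1.2.156.10197.1.301"
TAG_OID, TAG_CONTEXT_0 = 0x06, 0xA0


def read_tlv(buf, pos):
    """Decode one DER element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    """Turn OID content octets into dotted form (first arc 0/1/2, as in all OIDs here)."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 sub-identifier
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def algorithm_identifier(value):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    kids = children(value)
    algorithm = decode_oid(kids[0][1])
    params = decode_oid(kids[1][1]) if len(kids) > 1 and kids[1][0] == TAG_OID else None
    return algorithm, params


def inspect_certificate(der):
    """Report key and signature OIDs of an X.509 DER certificate and classify the key."""
    _, cert, _ = read_tlv(der, 0)
    (_, tbs), (_, sig_alg), _sig_value = children(cert)
    fields = children(tbs)
    if fields[0][0] == TAG_CONTEXT_0:  # [0] EXPLICIT version is optional; drop it
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_alg, _spki_key = children(fields[5][1])
    key_alg, key_params = algorithm_identifier(spki_alg[1])
    sig_oid, _ = algorithm_identifier(sig_alg)
    # Classification mirrors the patch subject: an EC key whose parameters OID is the
    # SM2 curve is an SM2 key; any other EC key is treated as ECDSA.
    if key_alg == OID_EC_PUBLIC_KEY and key_params == OID_SM2_CURVE:
        key_type = "sm2"
    elif key_alg == OID_EC_PUBLIC_KEY:
        key_type = "ecdsa"
    else:
        key_type = "other"
    return {
        "key_algorithm": key_alg,
        "key_parameters": key_params,
        "signature_algorithm": sig_oid,
        "key_type": key_type,
    }


if __name__ == "__main__":
    info = inspect_certificate(base64.b64decode(CERT_B64))
    for k, v in info.items():
        print(f"{k:20s} {v}  {OID_NAMES.get(v, '')}")
```

Run it as a script to print the four fields; `inspect_certificate` takes any DER certificate bytes, so the same walker can be pointed at the prime192v1 certificate from the thread to see the parameters OID change to 1.2.840.10045.3.1.1 and the classification to `ecdsa`.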
