| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Apr 2021 21:11:21 +0800
From: Hongbo Li <herbert.tencent@...il.com>
To: keyrings@...r.kernel.org, linux-crypto@...r.kernel.org,
herbert@...dor.apana.org.au, dhowells@...hat.com,
zohar@...ux.ibm.com, jarkko@...nel.org, herberthbli@...cent.com
Cc: linux-kernel@...r.kernel.org, linux-integrity@...r.kernel.org,
Hongbo Li <herbert.tencent@...il.com>
Subject: [PATCH 0/5] crypto: add rsa pss support for x509
From: Hongbo Li <herberthbli@...cent.com>
This series of patches adds support for x509 cert signed by RSA
with PSS encoding method. RSA PSS is described in rfc8017.
This series of patches adds support for x509 cert signed by RSA
with PSS encoding method. RSA PSS is described in rfc8017.
Patch1 make x509 support rsa pss algo and parse hash parameter.
Patch2 add rsa pss template.
Patch3 add test vector for rsa pss.
Patch4 is the ecdsa ima patch borrowed from Stefan Berge's ecdsa
patch series, rsa-pss's ima patch is made on top of this patch.
Patch5 is the rsa-pss's ima patch.
Test by the following script, it tests different saltlen, hash, mgfhash.
keyctl newring test @u
while :; do
for modbits in 1024 2048 4096; do
if [ $modbits -eq 1024 ]; then
saltlen=(-1 -2 0 20 32 48 64 94)
elif [ $modbits -eq 2048 ]; then
saltlen=(-1 -2 0 20 32 48 64 222)
else
saltlen=(-1 -2 0 20 32 48 64 478)
fi
for slen in ${saltlen[@]}; do
for hash in sha1 sha224 sha256 sha384 sha512; do
for mgfhash in sha1 sha224 sha256 sha384 sha512; do
certfile="cert.der"
echo slen $slen
openssl req \
-x509 \
-${hash} \
-newkey rsa:$modbits \
-keyout key.pem \
-days 365 \
-subj '/CN=test' \
-nodes \
-sigopt rsa_padding_mode:pss \
-sigopt rsa_mgf1_md:$mgfhash \
-sigopt rsa_pss_saltlen:${slen} \
-outform der \
-out ${certfile} 2>/dev/null
exp=0
id=$(keyctl padd asymmetric testkey %keyring:test < "${certfile}")
rc=$?
if [ $rc -ne $exp ]; then
case "$exp" in
0) echo "Error: Could not load rsa-pss certificate!";;
esac
echo "modbits $modbits sha: $hash mgfhash $mgfhash saltlen: $slen"
exit 1
else
case "$rc" in
0) echo "load cert: keyid: $id modbits $modbits hash: $hash mgfhash $mgfhash saltlen $slen"
esac
fi
done
done
done
done
done
Hongbo Li (5):
x509: add support for rsa-pss
crypto: support rsa-pss encoding
crypto: add rsa pss test vector
crypto: ecdsa ima support
ima: add support for rsa pss verification
crypto/Makefile | 7 +-
crypto/asymmetric_keys/Makefile | 7 +-
crypto/asymmetric_keys/public_key.c | 5 ++
crypto/asymmetric_keys/x509_cert_parser.c | 71 ++++++++++++++++-
crypto/rsa.c | 14 ++--
crypto/rsa_helper.c | 127 ++++++++++++++++++++++++++++++
crypto/testmgr.c | 7 ++
crypto/testmgr.h | 87 ++++++++++++++++++++
include/crypto/internal/rsa.h | 25 +++++-
include/keys/asymmetric-type.h | 6 ++
include/linux/oid_registry.h | 2 +
security/integrity/digsig_asymmetric.c | 34 ++++----
12 files changed, 363 insertions(+), 29 deletions(-)
--
1.8.3.1
Powered by blists - more mailing lists