Re: [PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures [ver #3]
On 2015-02-06 15:58, David Howells wrote: > Note that the revised sign-file program no longer supports the "-s > " > option as I'm not sure what the best way to deal with this is. Do we generate > a PKCS#7 cert from the signature given, or do we get given a PKCS#7 cert? I > lean towards the latter. It would be convenient to have it, since pesign also has --import-raw-signature. But it can be added back later. Michal -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures [ver #3]
On 2015-02-06 15:58, David Howells wrote: Note that the revised sign-file program no longer supports the -s signature option as I'm not sure what the best way to deal with this is. Do we generate a PKCS#7 cert from the signature given, or do we get given a PKCS#7 cert? I lean towards the latter. It would be convenient to have it, since pesign also has --import-raw-signature. But it can be added back later. Michal -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures [ver #3]
Here's a set of patches that does the following: (1) Extracts both parts of an X.509 AuthorityKeyIdentifier (AKID) extension. We already extract the bit that can match the subjectKeyIdentifier (SKID) of the parent X.509 cert, but we currently ignore the bits that can match the issuer and serialNumber. Looks up an X.509 cert by issuer and serialNumber if those are provided in the AKID. If the keyIdentifier is also provided, checks that the subjectKeyIdentifier of the cert found matches that also. If no issuer and serialNumber are provided in the AKID, looks up an X.509 cert by SKID using the AKID keyIdentifier. This allows module signing to be done with certificates that don't have an SKID by which they can be looked up. (2) Makes use of the PKCS#7 facility to provide module signatures. sign-file is replaced with a program that generates a PKCS#7 message that has no X.509 certs embedded and that has detached data (the module content) and adds it onto the message with magic string and descriptor. (3) The PKCS#7 message (and matching X.509 cert) supply all the information that is needed to select the X.509 cert to be used to verify the signature by standard means (including selection of digest algorithm and public key algorithm). No kernel-specific magic values are required. Note that the revised sign-file program no longer supports the "-s " option as I'm not sure what the best way to deal with this is. Do we generate a PKCS#7 cert from the signature given, or do we get given a PKCS#7 cert? I lean towards the latter. They can be found here also: http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7 and are tagged with: modsign-pkcs7-20150206 These patches are based on the security tree's next branch. Changes: (*) Fixed a comment on x509_certificate::id to show the order of construction correctly [thanks to Vivek Goyal]. (*) The 'id' argument to x509_request_asymmetric_key() can be NULL so needs to be checked [thanks to Mimi Zohar]. (*) pkcs7_supply_detached_data() doesn't need exporting [thanks to Mimi Zohar]. (*) Fixed "make install_modules" to not try to run sign-file under perl [thanks to Dmitry Kasatkin]. (*) Fixed sign-file to handle binary X.509 certs as well as PEM-encoded X.509 certs. (*) Changed the x509_certificate struct members 'auth_id' and 'auth_skid' to be 'akid_id' and akid_skid' as they come from the AKID if it is present. David --- David Howells (5): X.509: Extract both parts of the AuthorityKeyIdentifier X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier PKCS#7: Allow detached data to be supplied for signature checking purposes MODSIGN: Provide a utility to append a PKCS#7 signature to a module MODSIGN: Use PKCS#7 messages as module signatures Makefile |2 crypto/asymmetric_keys/Makefile |8 - crypto/asymmetric_keys/pkcs7_trust.c | 10 - crypto/asymmetric_keys/pkcs7_verify.c | 80 -- crypto/asymmetric_keys/x509_akid.asn1 | 35 ++ crypto/asymmetric_keys/x509_cert_parser.c | 142 ++ crypto/asymmetric_keys/x509_parser.h |5 crypto/asymmetric_keys/x509_public_key.c | 86 -- include/crypto/pkcs7.h|3 include/crypto/public_key.h |4 init/Kconfig |1 kernel/module_signing.c | 220 +++ scripts/Makefile |2 scripts/sign-file | 421 - scripts/sign-file.c | 205 ++ 15 files changed, 523 insertions(+), 701 deletions(-) create mode 100644 crypto/asymmetric_keys/x509_akid.asn1 delete mode 100755 scripts/sign-file create mode 100755 scripts/sign-file.c -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures [ver #3]
Here's a set of patches that does the following: (1) Extracts both parts of an X.509 AuthorityKeyIdentifier (AKID) extension. We already extract the bit that can match the subjectKeyIdentifier (SKID) of the parent X.509 cert, but we currently ignore the bits that can match the issuer and serialNumber. Looks up an X.509 cert by issuer and serialNumber if those are provided in the AKID. If the keyIdentifier is also provided, checks that the subjectKeyIdentifier of the cert found matches that also. If no issuer and serialNumber are provided in the AKID, looks up an X.509 cert by SKID using the AKID keyIdentifier. This allows module signing to be done with certificates that don't have an SKID by which they can be looked up. (2) Makes use of the PKCS#7 facility to provide module signatures. sign-file is replaced with a program that generates a PKCS#7 message that has no X.509 certs embedded and that has detached data (the module content) and adds it onto the message with magic string and descriptor. (3) The PKCS#7 message (and matching X.509 cert) supply all the information that is needed to select the X.509 cert to be used to verify the signature by standard means (including selection of digest algorithm and public key algorithm). No kernel-specific magic values are required. Note that the revised sign-file program no longer supports the -s signature option as I'm not sure what the best way to deal with this is. Do we generate a PKCS#7 cert from the signature given, or do we get given a PKCS#7 cert? I lean towards the latter. They can be found here also: http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7 and are tagged with: modsign-pkcs7-20150206 These patches are based on the security tree's next branch. Changes: (*) Fixed a comment on x509_certificate::id to show the order of construction correctly [thanks to Vivek Goyal]. (*) The 'id' argument to x509_request_asymmetric_key() can be NULL so needs to be checked [thanks to Mimi Zohar]. (*) pkcs7_supply_detached_data() doesn't need exporting [thanks to Mimi Zohar]. (*) Fixed make install_modules to not try to run sign-file under perl [thanks to Dmitry Kasatkin]. (*) Fixed sign-file to handle binary X.509 certs as well as PEM-encoded X.509 certs. (*) Changed the x509_certificate struct members 'auth_id' and 'auth_skid' to be 'akid_id' and akid_skid' as they come from the AKID if it is present. David --- David Howells (5): X.509: Extract both parts of the AuthorityKeyIdentifier X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier PKCS#7: Allow detached data to be supplied for signature checking purposes MODSIGN: Provide a utility to append a PKCS#7 signature to a module MODSIGN: Use PKCS#7 messages as module signatures Makefile |2 crypto/asymmetric_keys/Makefile |8 - crypto/asymmetric_keys/pkcs7_trust.c | 10 - crypto/asymmetric_keys/pkcs7_verify.c | 80 -- crypto/asymmetric_keys/x509_akid.asn1 | 35 ++ crypto/asymmetric_keys/x509_cert_parser.c | 142 ++ crypto/asymmetric_keys/x509_parser.h |5 crypto/asymmetric_keys/x509_public_key.c | 86 -- include/crypto/pkcs7.h|3 include/crypto/public_key.h |4 init/Kconfig |1 kernel/module_signing.c | 220 +++ scripts/Makefile |2 scripts/sign-file | 421 - scripts/sign-file.c | 205 ++ 15 files changed, 523 insertions(+), 701 deletions(-) create mode 100644 crypto/asymmetric_keys/x509_akid.asn1 delete mode 100755 scripts/sign-file create mode 100755 scripts/sign-file.c -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
