On Tue, 9 Oct 2018, David Howells wrote:
>
> Hi James,
>
> Here's a set of patches that does the following, if you could pull it please:
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
next-keys
and next-testing
Please test.
--
James Morris
Hi James,
Here's a set of patches that does the following, if you could pull it please:
(1) Adds keyctl() functions that permit an asymmetric-type key to be used
to encrypt, decrypt, sign and verify a small piece of data (typically
a session key or a hash) using the public and/or pri
Hi David,
> Yes. It shouldn't be much code, either. You still have to check for
> X.509
> DER since the kernel currently supports that.
For reasons of backward compatibility, correct? The kernel also has
mscode.asn1 which we would need to support as well. Since we
David,
On 09/20/2018 11:45 AM, David Woodhouse wrote:
On Thu, 2018-09-20 at 09:26 +0200, Marcel Holtmann wrote:
Hi David,
Yes. It shouldn't be much code, either. You still have to check for X.509
DER since the kernel currently supports that.
For reasons of backward compatibility, correct?
On Thu, 2018-09-20 at 09:26 +0200, Marcel Holtmann wrote:
> Hi David,
>
> > > > Yes. It shouldn't be much code, either. You still have to check for
> > > > X.509
> > > > DER since the kernel currently supports that.
> > >
> > > For reasons of backward compatibility, correct? The kernel also h
Hi David,
>>> Yes. It shouldn't be much code, either. You still have to check for X.509
>>> DER since the kernel currently supports that.
>>
>> For reasons of backward compatibility, correct? The kernel also has
>> mscode.asn1 which we would need to support as well. Since we can't break
>> co
Denis Kenzior wrote:
> > Yes. It shouldn't be much code, either. You still have to check for X.509
> > DER since the kernel currently supports that.
>
> For reasons of backward compatibility, correct? The kernel also has
> mscode.asn1 which we would need to support as well. Since we can't br
Hi David,
On 09/18/2018 11:55 AM, David Howells wrote:
Denis Kenzior wrote:
In theory the PEM file already contains the type of the certificate, at least
at a high level. E.g. private, public, tpm. So if we accept PEM files
directly that could be potentially a faster way of determining the
Denis Kenzior wrote:
> In theory the PEM file already contains the type of the certificate, at least
> at a high level. E.g. private, public, tpm. So if we accept PEM files
> directly that could be potentially a faster way of determining the parser to
> use and would still work with keyctl upda
Hi David,
It passes it to each parser in turn till one says it can parse it. It's not
ideal, but it seems to work - so far. Better would be to annotate it in some
way. I have considered annotating the type field so that the payload doesn't
have to have it added:
keyctl padd asymmetri
David Woodhouse wrote:
> You are passing the raw DER to the kernel in both cases, right?
I haven't put a PEM stripper and base64 decoder into the kernel, though we
certainly could do that. We could even do the decode in-place in the same
buffer since the resulting data would be smaller than the
Hi David,
On 09/18/2018 11:17 AM, David Woodhouse wrote:
On Tue, 2018-09-18 at 00:24 -0500, Denis Kenzior wrote:
Hi David,
On 09/18/2018 10:50 AM, David Howells wrote:
Denis Kenzior wrote:
openssl asn1parse -inform pem -in /tmp/privkey.2048.tpm -noout \
-out /tm
On Tue, 2018-09-18 at 00:24 -0500, Denis Kenzior wrote:
> Hi David,
>
> On 09/18/2018 10:50 AM, David Howells wrote:
> > Denis Kenzior wrote:
> >
> > > openssl asn1parse -inform pem -in /tmp/privkey.2048.tpm -noout \
> > > -out /tmp/privkey.2048.der
> >
> > You can use
Hi David,
On 09/18/2018 10:50 AM, David Howells wrote:
Denis Kenzior wrote:
openssl asn1parse -inform pem -in /tmp/privkey.2048.tpm -noout \
-out /tmp/privkey.2048.der
You can use "... -out - | ..." instead.
Aha! okay, that is even more elegant. Your openssl-fu
Denis Kenzior wrote:
> openssl asn1parse -inform pem -in /tmp/privkey.2048.tpm -noout \
> -out /tmp/privkey.2048.der
You can use "... -out - | ..." instead.
David
On Tue, 2018-09-18 at 16:02 +0100, David Howells wrote:
> It's meant to be stripping off the PEM wrapper and outputting the DER, but see
> below.
>
> > If I run it on a '-BEGIN TSS KEY BLOB-' file I have lying around, I
> > get no output at all.
>
> I lost a bit from the cover note. It n
Hi David,
On 09/18/2018 01:59 AM, David Woodhouse wrote:
On Wed, 2018-09-05 at 22:54 +0100, David Howells wrote:
Example usage for a PKCS#8 blob:
j=`openssl pkcs8 -in private_key.pem -topk8 -nocrypt -outform DER | \
keyctl padd asymmetric foo @s`
The kernel expects a r
David Woodhouse wrote:
> Those examples aren't equivalent
No one said that they are.
But if you really can't figure it out, I can add:
openssl genrsa -out private_key.pem 2048
at the front of the PKCS#8 example;-)
I can even change the examples to have the same private key name.
> F
On Tue, 2018-09-18 at 08:00 +0100, David Woodhouse wrote:
>
> On Sat, 2018-09-08 at 16:26 +0100, David Howells wrote:
> > Marcel Holtmann wrote:
> >
> > >
> > > so I have reviewed and tested this code. In addition, we have
> > > test cases for it in ELL (embedded linux library).
> >
> > I wond
On Sat, 2018-09-08 at 16:26 +0100, David Howells wrote:
> Marcel Holtmann wrote:
>
> >
> > so I have reviewed and tested this code. In addition, we have test cases for
> > it in ELL (embedded linux library).
>
> I wonder if there's any practical way to add a test for this to the keyutils
> tes
On Wed, 2018-09-05 at 22:54 +0100, David Howells wrote:
>
> Example usage for a PKCS#8 blob:
>
> j=`openssl pkcs8 -in private_key.pem -topk8 -nocrypt -outform DER | \
> keyctl padd asymmetric foo @s`
>
> Example usage for a TPM wrapped blob:
>
> openssl genrsa -out /
Marcel Holtmann wrote:
> so I have reviewed and tested this code. In addition, we have test cases for
> it in ELL (embedded linux library).
I wonder if there's any practical way to add a test for this to the keyutils
test suite. I'm guessing it's quite tricky, given the extra bits you need to
e
On Fri, 7 Sep 2018, Marcel Holtmann wrote:
> Hi James,
>
> >> Here's a set of patches that does the following, if you could pull it
> >> please:
> >
> > Thanks, it would be good to see more review / acks, though.
>
> so I have reviewed and tested this code. In addition, we have test cases for
Hi James,
>> Here's a set of patches that does the following, if you could pull it please:
>
> Thanks, it would be good to see more review / acks, though.
so I have reviewed and tested this code. In addition, we have test cases for it
in ELL (embedded linux library).
Tested-by: Marcel Holtmann
On Wed, 5 Sep 2018, David Howells wrote:
>
> Hi James,
>
> Here's a set of patches that does the following, if you could pull it please:
Thanks, it would be good to see more review / acks, though.
--
James Morris
Hi James,
Here's a set of patches that does the following, if you could pull it please:
(1) Adds keyctl() functions that permit an asymmetric-type key to be used
to encrypt, decrypt, sign and verify a small piece of data (typically
a session key or a hash) using the public and/or pri