| Message ID | 20230425161015.593988-3-stefanb@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Update README and examples for ECC key support | expand |
hHi Stefan, On Tue, 2023-04-25 at 12:10 -0400, Stefan Berger wrote: > Add example scripts for ECC key and certificate creation and reference > them from the README. > > Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Thank you for adding the ECC examples. With Eric Snowberg's "Add CA enforcement keyring restrictions" patch (Linux v6.4) and the proposed IMA changes, the existing scripts in the examples/ directory need to be updated. Before upstreaming these ECC scripts, let's at least update them. From Jarkko's v6.4 pull request The .machine keyring, used for Machine Owner Keys (MOK), acquired the ability to store only CA enforced keys, and put rest to the .platform keyring, thus separating the code signing keys from the keys that are used to sign certificates. This essentially unlocks the use of the .machine keyring as a trust anchor for IMA. It is an opt-in feature, meaning that the additional contraints won't brick anyone who does not care about them. > --- > README | 3 +++ > examples/ima-gen-local-ca-ecc.sh | 29 ++++++++++++++++++++++++++++ > examples/ima-genkey-ecc.sh | 33 ++++++++++++++++++++++++++++++++ > examples/ima-genkey-self-ecc.sh | 29 ++++++++++++++++++++++++++++ > 4 files changed, 94 insertions(+) > create mode 100755 examples/ima-gen-local-ca-ecc.sh > create mode 100755 examples/ima-genkey-ecc.sh > create mode 100755 examples/ima-genkey-self-ecc.sh > > diff --git a/README b/README > index fd12680..ef7f475 100644 > --- a/README > +++ b/README > @@ -469,6 +469,9 @@ Examples of scripts to generate X509 public key certificates: > /usr/share/doc/ima-evm-utils/ima-genkey-self.sh > /usr/share/doc/ima-evm-utils/ima-genkey.sh > /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh > + /usr/share/doc/ima-evm-utils/ima-genkey-self-ecc.sh > + /usr/share/doc/ima-evm-utils/ima-genkey-ecc.sh > + /usr/share/doc/ima-evm-utils/ima-gen-local-ca-ecc.sh > > > AUTHOR > diff --git a/examples/ima-gen-local-ca-ecc.sh b/examples/ima-gen-local-ca-ecc.sh > new file mode 100755 > index 0000000..ee2aeb6 > --- /dev/null > +++ b/examples/ima-gen-local-ca-ecc.sh > @@ -0,0 +1,29 @@ > +#!/bin/sh > + > +GENKEY=ima-local-ca.genkey > + > +cat << __EOF__ >$GENKEY > +[ req ] > +distinguished_name = req_distinguished_name > +prompt = no > +string_mask = utf8only > +x509_extensions = v3_ca > + > +[ req_distinguished_name ] > +O = IMA-CA > +CN = IMA/EVM certificate signing key > +emailAddress = ca@ima-ca > + > +[ v3_ca ] > +basicConstraints=CA:TRUE > +subjectKeyIdentifier=hash > +authorityKeyIdentifier=keyid:always,issuer > +# keyUsage = cRLSign, keyCertSign With the INTEGRITY_CA_MACHINE_KEYRING_MAX Kconfig, keyCertSign is required for loading keys onto the .machine keyring. Please uncomment the above line. > +__EOF > + > +openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ Please update sha1 to sha256. > + -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \ > + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 > + > +openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem > + > diff --git a/examples/ima-genkey-ecc.sh b/examples/ima-genkey-ecc.sh > new file mode 100755 > index 0000000..735c665 > --- /dev/null > +++ b/examples/ima-genkey-ecc.sh > @@ -0,0 +1,33 @@ > +#!/bin/sh > + > +GENKEY=ima.genkey > + > +cat << __EOF__ >$GENKEY > +[ req ] > +distinguished_name = req_distinguished_name > +prompt = no > +string_mask = utf8only > +x509_extensions = v3_usr > + > +[ req_distinguished_name ] > +O = `hostname` > +CN = `whoami` signing key > +emailAddress = `whoami`@`hostname` > + > +[ v3_usr ] > +basicConstraints=critical,CA:FALSE > +#basicConstraints=CA:FALSE > +keyUsage=digitalSignature > +#keyUsage = nonRepudiation, digitalSignature, keyEncipherment In preparation to allowing only code signing keys on the IMA keyring, please add "extendedKeyUsage=critical,codeSigning", > +subjectKeyIdentifier=hash > +authorityKeyIdentifier=keyid > +#authorityKeyIdentifier=keyid,issuer > +__EOF__ > + > +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ And similarly change sha1 to sha256 here. > + -out csr_ima.pem -keyout privkey_ima.pem \ > + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 > +openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ > + -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \ > + -outform DER -out x509_ima.der > +
On 4/26/23 09:58, Mimi Zohar wrote: > In preparation to allowing only code signing keys on the IMA keyring, > please add "extendedKeyUsage=critical,codeSigning", > >> +subjectKeyIdentifier=hash >> +authorityKeyIdentifier=keyid >> +#authorityKeyIdentifier=keyid,issuer >> +__EOF__ >> + >> +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ > > And similarly change sha1 to sha256 here. Should we make all these changes first to the existing scripts for RSA keys?
On Wed, 2023-04-26 at 10:20 -0400, Stefan Berger wrote: > > On 4/26/23 09:58, Mimi Zohar wrote: > > > In preparation to allowing only code signing keys on the IMA keyring, > > please add "extendedKeyUsage=critical,codeSigning", > > > >> +subjectKeyIdentifier=hash > >> +authorityKeyIdentifier=keyid > >> +#authorityKeyIdentifier=keyid,issuer > >> +__EOF__ > >> + > >> +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ > > > > And similarly change sha1 to sha256 here. > > Should we make all these changes first to the existing scripts for RSA keys? Definitely. Please also update the "doc_DATA" in Makefile.am to include the new scripts.
diff --git a/README b/README index fd12680..ef7f475 100644 --- a/README +++ b/README @@ -469,6 +469,9 @@ Examples of scripts to generate X509 public key certificates: /usr/share/doc/ima-evm-utils/ima-genkey-self.sh /usr/share/doc/ima-evm-utils/ima-genkey.sh /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh + /usr/share/doc/ima-evm-utils/ima-genkey-self-ecc.sh + /usr/share/doc/ima-evm-utils/ima-genkey-ecc.sh + /usr/share/doc/ima-evm-utils/ima-gen-local-ca-ecc.sh AUTHOR diff --git a/examples/ima-gen-local-ca-ecc.sh b/examples/ima-gen-local-ca-ecc.sh new file mode 100755 index 0000000..ee2aeb6 --- /dev/null +++ b/examples/ima-gen-local-ca-ecc.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +GENKEY=ima-local-ca.genkey + +cat << __EOF__ >$GENKEY +[ req ] +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = v3_ca + +[ req_distinguished_name ] +O = IMA-CA +CN = IMA/EVM certificate signing key +emailAddress = ca@ima-ca + +[ v3_ca ] +basicConstraints=CA:TRUE +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer +# keyUsage = cRLSign, keyCertSign +__EOF__ + +openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ + -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 + +openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem + diff --git a/examples/ima-genkey-ecc.sh b/examples/ima-genkey-ecc.sh new file mode 100755 index 0000000..735c665 --- /dev/null +++ b/examples/ima-genkey-ecc.sh @@ -0,0 +1,33 @@ +#!/bin/sh + +GENKEY=ima.genkey + +cat << __EOF__ >$GENKEY +[ req ] +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = v3_usr + +[ req_distinguished_name ] +O = `hostname` +CN = `whoami` signing key +emailAddress = `whoami`@`hostname` + +[ v3_usr ] +basicConstraints=critical,CA:FALSE +#basicConstraints=CA:FALSE +keyUsage=digitalSignature +#keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +#authorityKeyIdentifier=keyid,issuer +__EOF__ + +openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ + -out csr_ima.pem -keyout privkey_ima.pem \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 +openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ + -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \ + -outform DER -out x509_ima.der + diff --git a/examples/ima-genkey-self-ecc.sh b/examples/ima-genkey-self-ecc.sh new file mode 100755 index 0000000..3d8f11f --- /dev/null +++ b/examples/ima-genkey-self-ecc.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +GENKEY=x509_evm.genkey + +cat << __EOF__ >$GENKEY +[ req ] +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = myexts + +[ req_distinguished_name ] +O = `hostname` +CN = `whoami` signing key +emailAddress = `whoami`@`hostname` + +[ myexts ] +basicConstraints=critical,CA:FALSE +keyUsage=digitalSignature +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +__EOF__ + +openssl req -x509 -new -nodes -utf8 -sha1 -days 3650 -batch -config $GENKEY \ + -outform DER -out x509_evm.der -keyout privkey_evm.pem \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 + +openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem +
Add example scripts for ECC key and certificate creation and reference them from the README. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> --- README | 3 +++ examples/ima-gen-local-ca-ecc.sh | 29 ++++++++++++++++++++++++++++ examples/ima-genkey-ecc.sh | 33 ++++++++++++++++++++++++++++++++ examples/ima-genkey-self-ecc.sh | 29 ++++++++++++++++++++++++++++ 4 files changed, 94 insertions(+) create mode 100755 examples/ima-gen-local-ca-ecc.sh create mode 100755 examples/ima-genkey-ecc.sh create mode 100755 examples/ima-genkey-self-ecc.sh