From patchwork Wed Apr 26 22:35:56 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 13225008
From: Stefan Berger
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, Stefan Berger
Subject: [PATCH ima-evm-utils v3 1/4] Update default key sizes and hash to up-to-date values
Date: Wed, 26 Apr 2023 18:35:56 -0400
Message-Id: <20230426223559.681668-2-stefanb@linux.ibm.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20230426223559.681668-1-stefanb@linux.ibm.com>
References: <20230426223559.681668-1-stefanb@linux.ibm.com>
MIME-Version: 1.0
X-Mailing-List: linux-integrity@vger.kernel.org

Update the documentation and example scripts to use 2048 bit RSA keys and sha256.

Signed-off-by: Stefan Berger
---
 README                       | 14 +++++++-------
 examples/ima-gen-local-ca.sh |  2 +-
 examples/ima-genkey-self.sh  |  4 ++--
 examples/ima-genkey.sh       |  4 ++--
 4 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/README b/README index 75e4fd2..ae92f95 100644 --- a/README +++ b/README @@ -200,11 +200,11 @@ Generate signing and verification keys Generate private key in plain text format: - openssl genrsa -out privkey_evm.pem 1024 + openssl genrsa -out privkey_evm.pem 2048 Generate encrypted private key: - openssl genrsa -des3 -out privkey_evm.pem 1024 + openssl genrsa -des3 -out privkey_evm.pem 2048 Make encrypted private key from unencrypted:
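Review bot: the "Generate encrypted private key" command in the @@ -200,11 +200,11 @@ README hunk keeps `-des3` while only the modulus size moves from 1024 to 2048; since the stated goal of 1/4 is up-to-date defaults, the private-key wrapping cipher should move with it, e.g. `openssl genrsa -aes256 -out privkey_evm.pem 2048`, so a reader following the README does not protect a 2048-bit key with legacy 3DES PEM encryption.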
@@ -213,7 +213,7 @@ Make encrypted private key from unencrypted: Generate self-signed X509 public key certificate and private key for using kernel asymmetric keys support: - openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ + openssl req -new -nodes -utf8 -sha256 -days 36500 -batch \ -x509 -config x509_evm.genkey \ -outform DER -out x509_evm.der -keyout privkey_evm.pem @@ -221,7 +221,7 @@ Configuration file x509_evm.genkey: # Beginning of the file [ req ] - default_bits = 1024 + default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only @@ -292,7 +292,7 @@ Configuration file ima-local-ca.genkey: Generate private key and X509 public key certificate: - openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ + openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \ -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv Produce X509 in DER format for using while building the kernel: @@ -303,7 +303,7 @@ Configuration file ima.genkey: # Beginning of the file [ req ] - default_bits = 1024 + default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only @@ -327,7 +327,7 @@ Configuration file ima.genkey: Generate private key and X509 public key certificate signing request: - openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ + openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \ -out csr_ima.pem -keyout privkey_ima.pem Sign X509 public key certificate signing request with local IMA CA private key: diff --git a/examples/ima-gen-local-ca.sh b/examples/ima-gen-local-ca.sh index 1f24949..055463c 100755 --- a/examples/ima-gen-local-ca.sh +++ b/examples/ima-gen-local-ca.sh 
@@ -22,7 +22,7 @@ authorityKeyIdentifier=keyid:always,issuer # keyUsage = cRLSign, keyCertSign __EOF__ -openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \ +openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \ -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem diff --git a/examples/ima-genkey-self.sh b/examples/ima-genkey-self.sh index e293b94..c04df37 100755 --- a/examples/ima-genkey-self.sh +++ b/examples/ima-genkey-self.sh @@ -4,7 +4,7 @@ GENKEY=x509_evm.genkey cat << __EOF__ >$GENKEY [ req ] -default_bits = 1024 +default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only @@ -22,7 +22,7 @@ subjectKeyIdentifier=hash authorityKeyIdentifier=keyid __EOF__ -openssl req -x509 -new -nodes -utf8 -sha1 -days 3650 -batch -config $GENKEY \ +openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \ -outform DER -out x509_evm.der -keyout privkey_evm.pem openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem diff --git a/examples/ima-genkey.sh b/examples/ima-genkey.sh index b08778f..c09205a 100755 --- a/examples/ima-genkey.sh +++ b/examples/ima-genkey.sh @@ -4,7 +4,7 @@ GENKEY=ima.genkey cat << __EOF__ >$GENKEY [ req ] -default_bits = 1024 +default_bits = 2048 distinguished_name = req_distinguished_name prompt = no string_mask = utf8only 
@@ -25,7 +25,7 @@ authorityKeyIdentifier=keyid #authorityKeyIdentifier=keyid,issuer __EOF__ -openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \ +openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \ -out csr_ima.pem -keyout privkey_ima.pem openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \

From patchwork Wed Apr 26 22:35:57 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 13225010
From: Stefan Berger
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, Stefan Berger
Subject: [PATCH ima-evm-utils v3 2/4] Update OpenSSL config files for support for .machine keyring
Date: Wed, 26 Apr 2023 18:35:57 -0400
Message-Id: <20230426223559.681668-3-stefanb@linux.ibm.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20230426223559.681668-1-stefanb@linux.ibm.com>
References: <20230426223559.681668-1-stefanb@linux.ibm.com>
MIME-Version: 1.0
X-Mailing-List: linux-integrity@vger.kernel.org

Update the OpenSSL config files for support for loading certs onto the .machine keyring where certain key usage flags must be set. Also update the OpenSSL config files shown in the README.

Signed-off-by: Stefan Berger
---
 README                       | 3 ++-
 examples/ima-gen-local-ca.sh | 2 +-
 examples/ima-genkey.sh       | 1 +
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/README b/README index ae92f95..9e47eaf 100644 --- a/README +++ b/README @@ -235,6 +235,7 @@ Configuration file x509_evm.genkey: [ myexts ] basicConstraints=critical,CA:FALSE keyUsage=digitalSignature + extendedKeyUsage=critical,codeSigning subjectKeyIdentifier=hash authorityKeyIdentifier=keyid # EOF
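Review bot: examples/ima-genkey-self.sh, which writes the same x509_evm.genkey whose README copy gains `extendedKeyUsage=critical,codeSigning` in the @@ -235,6 +235,7 @@ hunk (its heredoc is visible in 1/4), is missing from this patch's diffstat, so the shipped script and the README now produce certificates with different EKUs; add the same line to the script's [ myexts ] block. The commit message also only says that "certain key usage flags must be set": one sentence in the README naming the flags this series relies on (keyUsage keyCertSign/cRLSign on the local CA, the codeSigning EKU on the signing key, per the two hunks) would let a reader debug a certificate the .machine keyring rejects.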
@@ -287,7 +288,7 @@ Configuration file ima-local-ca.genkey: basicConstraints=CA:TRUE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer - # keyUsage = cRLSign, keyCertSign + keyUsage = cRLSign, keyCertSign # EOF Generate private key and X509 public key certificate: diff --git a/examples/ima-gen-local-ca.sh b/examples/ima-gen-local-ca.sh index 055463c..6fd4997 100755 --- a/examples/ima-gen-local-ca.sh +++ b/examples/ima-gen-local-ca.sh @@ -19,7 +19,7 @@ emailAddress = ca@ima-ca basicConstraints=CA:TRUE subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer -# keyUsage = cRLSign, keyCertSign +keyUsage = cRLSign, keyCertSign __EOF__ openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \ diff --git a/examples/ima-genkey.sh b/examples/ima-genkey.sh index c09205a..00fa648 100755 --- a/examples/ima-genkey.sh +++ b/examples/ima-genkey.sh 
@@ -20,6 +20,7 @@ basicConstraints=critical,CA:FALSE #basicConstraints=CA:FALSE keyUsage=digitalSignature #keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage=critical,codeSigning subjectKeyIdentifier=hash authorityKeyIdentifier=keyid #authorityKeyIdentifier=keyid,issuer

From patchwork Wed Apr 26 22:35:58 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 13225009
From: Stefan Berger
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, Stefan Berger
Subject: [PATCH ima-evm-utils v3 3/4] Add openssl command line examples for creation of EC keys
Date: Wed, 26 Apr 2023 18:35:58 -0400
Message-Id: <20230426223559.681668-4-stefanb@linux.ibm.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20230426223559.681668-1-stefanb@linux.ibm.com>
References: <20230426223559.681668-1-stefanb@linux.ibm.com>
MIME-Version: 1.0
X-Mailing-List: linux-integrity@vger.kernel.org

Add openssl command line examples for creation of EC keys for EVM and IMA CA and signing key.

Signed-off-by: Stefan Berger
---
 README | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/README b/README index 9e47eaf..d631eb7 100644 --- a/README +++ b/README
@@ -217,6 +217,18 @@ asymmetric keys support: -x509 -config x509_evm.genkey \ -outform DER -out x509_evm.der -keyout privkey_evm.pem +Create an elliptic curve (EC) key (supported since Linux v5.13) + + openssl ecparam -name prime256v1 -genkey -out privkey_evm.pem + +Generate self-signed x509 EC public key certificate and private key for using +kernel asymmetric key support (supported since Linux v5.13): + + openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \ + -x509 -config x509_evm.genkey \ + -outform DER -out x509_evm.der -keyout privkey_evm.pem \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 + Configuration file x509_evm.genkey: # Beginning of the file @@ -245,6 +257,9 @@ Generate public key for using RSA key format: openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem +Similarly generate public EC key: + + openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem Copy keys to /etc/keys: 
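Review bot: the new EC `openssl req` example in the @@ -217,6 +217,18 @@ hunk uses `-sha1` although 1/4 just moved every other `req` invocation in this README to `-sha256`; it should be `-sha256` here too. The same command also generates a fresh key (`-newkey ec -pkeyopt ec_paramgen_curve:prime256v1` with `-keyout privkey_evm.pem`) and so silently overwrites the privkey_evm.pem produced by the `openssl ecparam` command shown three lines earlier; either drop the ecparam step or show the certificate being issued for the existing key with `-key privkey_evm.pem` in place of `-newkey`/`-keyout`. Minor: the new heading writes "x509" in lowercase where the surrounding headings use "X509".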
@@ -291,6 +306,12 @@ Configuration file ima-local-ca.genkey: keyUsage = cRLSign, keyCertSign # EOF +Note: To generated elliptic curve keys add the following parameters to + the 'req' commands below (supported since Linux v5.13): + + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 + + Generate private key and X509 public key certificate: openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \

From patchwork Wed Apr 26 22:35:59 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stefan Berger
X-Patchwork-Id: 13225012
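Review bot: in the @@ -291,6 +306,12 @@ README hunk of 3/4, "To generated elliptic curve keys" should read "To generate elliptic curve keys"; the inserted note also ends with two added blank lines before "Generate private key and X509 public key certificate:", where a single blank line matches the spacing used elsewhere in the file.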
From: Stefan Berger
To: linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, Stefan Berger
Subject: [PATCH ima-evm-utils v3 4/4] Add example scripts for EC key and certs generation
Date: Wed, 26 Apr 2023 18:35:59 -0400
Message-Id: <20230426223559.681668-5-stefanb@linux.ibm.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20230426223559.681668-1-stefanb@linux.ibm.com>
References: <20230426223559.681668-1-stefanb@linux.ibm.com>
MIME-Version: 1.0
X-Mailing-List: linux-integrity@vger.kernel.org

Add example scripts for EC key and certificate creation and reference them from the README and Makefile.am.

Signed-off-by: Stefan Berger
---
 Makefile.am                      |  8 +++++++-
 README                           |  3 +++
 examples/ima-gen-local-ca-ecc.sh | 29 +++++++++++++++++++++++++++
 examples/ima-genkey-ecc.sh       | 34 ++++++++++++++++++++++++++++++++
 examples/ima-genkey-self-ecc.sh  | 29 +++++++++++++++++++++++++++
 5 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100755 examples/ima-gen-local-ca-ecc.sh
 create mode 100755 examples/ima-genkey-ecc.sh
 create mode 100755 examples/ima-genkey-self-ecc.sh

diff --git a/Makefile.am b/Makefile.am index e686d65..9ec5681 100644 --- a/Makefile.am +++ b/Makefile.am
@@ -7,7 +7,13 @@ if MANPAGE_DOCBOOK_XSL dist_man_MANS = evmctl.1 endif -doc_DATA = examples/ima-genkey-self.sh examples/ima-genkey.sh examples/ima-gen-local-ca.sh +doc_DATA = \ + examples/ima-genkey-self.sh \ + examples/ima-genkey.sh \ + examples/ima-gen-local-ca.sh \ + examples/ima-genkey-self-ecc.sh \ + examples/ima-genkey-ecc.sh \ + examples/ima-gen-local-ca-ecc.sh EXTRA_DIST = autogen.sh $(doc_DATA) CLEANFILES = *.html *.xsl diff --git a/README b/README index d631eb7..40a61f9 100644 --- a/README +++ b/README @@ -470,6 +470,9 @@ Examples of scripts to generate X509 public key certificates: /usr/share/doc/ima-evm-utils/ima-genkey-self.sh /usr/share/doc/ima-evm-utils/ima-genkey.sh /usr/share/doc/ima-evm-utils/ima-gen-local-ca.sh + /usr/share/doc/ima-evm-utils/ima-genkey-self-ecc.sh + /usr/share/doc/ima-evm-utils/ima-genkey-ecc.sh + /usr/share/doc/ima-evm-utils/ima-gen-local-ca-ecc.sh AUTHOR diff --git a/examples/ima-gen-local-ca-ecc.sh b/examples/ima-gen-local-ca-ecc.sh new file mode 100755 index 0000000..1f17bcf --- /dev/null +++ b/examples/ima-gen-local-ca-ecc.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +GENKEY=ima-local-ca.genkey + +cat << __EOF__ >$GENKEY +[ req ] +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = v3_ca + +[ req_distinguished_name ] +O = IMA-CA +CN = IMA/EVM certificate signing key +emailAddress = ca@ima-ca + +[ v3_ca ] +basicConstraints=CA:TRUE +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer +keyUsage = cRLSign, keyCertSign +__EOF__ + +openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \ + -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 + +openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem + diff --git a/examples/ima-genkey-ecc.sh b/examples/ima-genkey-ecc.sh new file mode 100755 index 0000000..bdc8d17 --- /dev/null +++ b/examples/ima-genkey-ecc.sh 
@@ -0,0 +1,34 @@ +#!/bin/sh + +GENKEY=ima.genkey + +cat << __EOF__ >$GENKEY +[ req ] +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = v3_usr + +[ req_distinguished_name ] +O = `hostname` +CN = `whoami` signing key +emailAddress = `whoami`@`hostname` + +[ v3_usr ] +basicConstraints=critical,CA:FALSE +#basicConstraints=CA:FALSE +keyUsage=digitalSignature +#keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage=critical,codeSigning +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +#authorityKeyIdentifier=keyid,issuer +__EOF__ + +openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \ + -out csr_ima.pem -keyout privkey_ima.pem \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 +openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ + -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \ + -outform DER -out x509_ima.der + diff --git a/examples/ima-genkey-self-ecc.sh b/examples/ima-genkey-self-ecc.sh new file mode 100755 index 0000000..b5431e2 --- /dev/null +++ b/examples/ima-genkey-self-ecc.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +GENKEY=x509_evm.genkey + +cat << __EOF__ >$GENKEY +[ req ] +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = myexts + +[ req_distinguished_name ] +O = `hostname` +CN = `whoami` signing key +emailAddress = `whoami`@`hostname` + +[ myexts ] +basicConstraints=critical,CA:FALSE +keyUsage=digitalSignature +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +__EOF__ + +openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch -config $GENKEY \ + -outform DER -out x509_evm.der -keyout privkey_evm.pem \ + -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 + +openssl ec -pubout -in privkey_evm.pem -out pubkey_evm.pem +
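Review bot: examples/ima-genkey-ecc.sh repeats the body of examples/ima-genkey.sh (as it stands after 1/4 and 2/4) with only `default_bits` dropped and `-newkey ec -pkeyopt ec_paramgen_curve:prime256v1` appended to the `req` call, and the same holds for the other two -ecc scripts relative to their RSA originals; that doubles the number of [ v3_usr ] / [ myexts ] / [ v3_ca ] blocks that must be kept in sync, so a key-type argument on the existing three scripts would be less likely to drift. Smaller points in this hunk: `$GENKEY` is unquoted in both `openssl` calls, and the file ends with an extra empty line (the lone `+` before the next `diff --git`).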
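Review bot: the [ myexts ] block in the new examples/ima-genkey-self-ecc.sh (hunk @@ -0,0 +1,29 @@) lacks the `extendedKeyUsage=critical,codeSigning` line that 2/4 added to the README's x509_evm.genkey, so the EC self-signed script and the README disagree on the certificate's EKU; add the line here, or document in the README when it is required. The file also ends with a trailing empty line (the final `+` of the diff).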