ima-gen-local-ca-mldsa65.sh creates a CA with an ML-DSA-65 key and ima-genkey-mldsa65.sh creates an ML-DSA-65 IMA file signing key along with its certificate.
Also add a script for creating an ML-DSA-87 IMA file signing key. This key type is good for local testing with the largest possible signature. Signed-off-by: Stefan Berger <[email protected]> --- examples/ima-gen-local-ca-mldsa65.sh | 29 ++++++++++++++++++++++++ examples/ima-genkey-mldsa65.sh | 34 ++++++++++++++++++++++++++++ examples/ima-genkey-mldsa87.sh | 34 ++++++++++++++++++++++++++++ 3 files changed, 97 insertions(+) create mode 100755 examples/ima-gen-local-ca-mldsa65.sh create mode 100755 examples/ima-genkey-mldsa65.sh create mode 100755 examples/ima-genkey-mldsa87.sh diff --git a/examples/ima-gen-local-ca-mldsa65.sh b/examples/ima-gen-local-ca-mldsa65.sh new file mode 100755 index 0000000..e2b54cd --- /dev/null +++ b/examples/ima-gen-local-ca-mldsa65.sh @@ -0,0 +1,29 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later + +GENKEY=ima-local-ca.genkey + +cat << __EOF__ >$GENKEY +[ req ] +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = v3_ca + +[ req_distinguished_name ] +O = IMA-CA +CN = IMA/EVM certificate signing key +emailAddress = ca@ima-ca + +[ v3_ca ] +basicConstraints=CA:TRUE +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer +keyUsage = cRLSign, keyCertSign +__EOF__ + +openssl req -new -x509 -utf8 -sha256 -days 3650 -batch -config $GENKEY \ + -outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv \ + -newkey mldsa65 + +openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem diff --git a/examples/ima-genkey-mldsa65.sh b/examples/ima-genkey-mldsa65.sh new file mode 100755 index 0000000..b1aaf41 --- /dev/null +++ b/examples/ima-genkey-mldsa65.sh @@ -0,0 +1,34 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later + +GENKEY=ima.genkey + +cat << __EOF__ >$GENKEY +[ req ] +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = v3_usr + +[ req_distinguished_name ] +O = `hostname` +CN = `whoami` signing key +emailAddress = `whoami`@`hostname` + +[ v3_usr ] +basicConstraints=critical,CA:FALSE +#basicConstraints=CA:FALSE +keyUsage=digitalSignature +#keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage=critical,codeSigning +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +#authorityKeyIdentifier=keyid,issuer +__EOF__ + +openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \ + -out csr_ima.pem -keyout privkey_ima.pem \ + -newkey mldsa65 +openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ + -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \ + -outform DER -out x509_ima.der diff --git a/examples/ima-genkey-mldsa87.sh b/examples/ima-genkey-mldsa87.sh new file mode 100755 index 0000000..347ff91 --- /dev/null +++ b/examples/ima-genkey-mldsa87.sh @@ -0,0 +1,34 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later + +GENKEY=ima.genkey + +cat << __EOF__ >$GENKEY +[ req ] +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = v3_usr + +[ req_distinguished_name ] +O = `hostname` +CN = `whoami` signing key +emailAddress = `whoami`@`hostname` + +[ v3_usr ] +basicConstraints=critical,CA:FALSE +#basicConstraints=CA:FALSE +keyUsage=digitalSignature +#keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage=critical,codeSigning +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid +#authorityKeyIdentifier=keyid,issuer +__EOF__ + +openssl req -new -nodes -utf8 -sha256 -days 365 -batch -config $GENKEY \ + -out csr_ima.pem -keyout privkey_ima.pem \ + -newkey mldsa87 +openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \ + -CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \ + -outform DER -out x509_ima.der -- 2.53.0
