在 2021/4/7 16:38, Jarkko Sakkinen 写道:
> On Tue, Apr 06, 2021 at 09:11:21PM +0800, Hongbo Li wrote:
>> From: Hongbo Li <herberth...@tencent.com>
>>
>> This series of patches adds support for x509 cert signed by RSA
>> with PSS encoding method. RSA PSS is described in rfc8017.
> Please also briefly describe it here AND also provide link to the
> RFC. In the way this currently is, it is too time consuming to
> review the patch set.
>
> /Jarkko
Thanks, will add that in the following patches.
>> This series of patches adds support for x509 cert signed by RSA
>> with PSS encoding method. RSA PSS is described in rfc8017.
>>
>> Patch1 make x509 support rsa pss algo and parse hash parameter.
>>
>> Patch2 add rsa pss template.
>>
>> Patch3 add test vector for rsa pss.
>>
>> Patch4 is the ecdsa ima patch borrowed from Stefan Berge's ecdsa
>> patch series, rsa-pss's ima patch is made on top of this patch.
>>
>> Patch5 is the rsa-pss's ima patch.
>>
>> Test by the following script, it tests different saltlen, hash, mgfhash.
>>
>> keyctl newring test @u
>>
>> while :; do
>> for modbits in 1024 2048 4096; do
>> if [ $modbits -eq 1024 ]; then
>> saltlen=(-1 -2 0 20 32 48 64 94)
>> elif [ $modbits -eq 2048 ]; then
>> saltlen=(-1 -2 0 20 32 48 64 222)
>> else
>> saltlen=(-1 -2 0 20 32 48 64 478)
>> fi
>>
>> for slen in ${saltlen[@]}; do
>> for hash in sha1 sha224 sha256 sha384 sha512; do
>> for mgfhash in sha1 sha224 sha256 sha384 sha512; do
>> certfile="cert.der"
>> echo slen $slen
>> openssl req \
>> -x509 \
>> -${hash} \
>> -newkey rsa:$modbits \
>> -keyout key.pem \
>> -days 365 \
>> -subj '/CN=test' \
>> -nodes \
>> -sigopt rsa_padding_mode:pss \
>> -sigopt rsa_mgf1_md:$mgfhash \
>> -sigopt rsa_pss_saltlen:${slen} \
>> -outform der \
>> -out ${certfile} 2>/dev/null
>>
>> exp=0
>> id=$(keyctl padd asymmetric testkey %keyring:test <
>> "${certfile}")
>> rc=$?
>> if [ $rc -ne $exp ]; then
>> case "$exp" in
>> 0) echo "Error: Could not load rsa-pss
>> certificate!";;
>> esac
>> echo "modbits $modbits sha: $hash mgfhash $mgfhash
>> saltlen: $slen"
>> exit 1
>> else
>> case "$rc" in
>> 0) echo "load cert: keyid: $id modbits $modbits
>> hash: $hash mgfhash $mgfhash saltlen $slen"
>> esac
>> fi
>> done
>> done
>> done
>> done
>> done
>>
>> Hongbo Li (5):
>> x509: add support for rsa-pss
>> crypto: support rsa-pss encoding
>> crypto: add rsa pss test vector
>> crypto: ecdsa ima support
>> ima: add support for rsa pss verification
>>
>> crypto/Makefile | 7 +-
>> crypto/asymmetric_keys/Makefile | 7 +-
>> crypto/asymmetric_keys/public_key.c | 5 ++
>> crypto/asymmetric_keys/x509_cert_parser.c | 71 ++++++++++++++++-
>> crypto/rsa.c | 14 ++--
>> crypto/rsa_helper.c | 127
>> ++++++++++++++++++++++++++++++
>> crypto/testmgr.c | 7 ++
>> crypto/testmgr.h | 87 ++++++++++++++++++++
>> include/crypto/internal/rsa.h | 25 +++++-
>> include/keys/asymmetric-type.h | 6 ++
>> include/linux/oid_registry.h | 2 +
>> security/integrity/digsig_asymmetric.c | 34 ++++----
>> 12 files changed, 363 insertions(+), 29 deletions(-)
>>
>> --
>> 1.8.3.1
>>
>>
>
