Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp313201pxb; Wed, 27 Jan 2021 08:18:14 -0800 (PST) X-Google-Smtp-Source: ABdhPJy7G48mUD6KQucq3cGeu2Md1rEvLg29PrnSmcC7hhP63pq1GIwbif7YnRJ2WPOxuEA81m+Y X-Received: by 2002:a17:907:3e02:: with SMTP id hp2mr7271326ejc.411.1611764294652; Wed, 27 Jan 2021 08:18:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611764294; cv=none; d=google.com; s=arc-20160816; b=OZWW8jV66NSHMOozvzbtCF8V1WZ4rQqm4TijvPTyHPyvKwfkIAR6BOGHR3uqmWRBFg xd+OzXC3zj94JhWC14d0CxYCYRA6GHEbcBaztMr1FTCg7IXjzBPAKWoABtf8TfETKVaj 219s83xEwBJAd5F1WT+Qri/OOYHUDDJknp4A6Wf/hPLeOjGDubeA6apukh8IGQHX//ZD WwHOubrapGK/sJEbdyqg82sMgOjB0P8UbCtGNEgLPRuPAVZxzvscsyNjY+7vBs2TYToc OsnseApTTKCEGoGABg/duH/3eG3MoDrWASVK6w4qKA9QXKcviEMXTIbuoBxPv7I7mLY8 LZLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:reply-to:cc:from:to :dkim-signature:date; bh=CXG+0jciHe2vDbT437FM3Qo95DNVBYkdhL5WZaYUPoY=; b=HfxdSNTWg4nMLJ+BUI9ZoEonJWEXJogugOqFhW8ofCFVaUGk98mUPmwRiGwDskaCTO runYlmee/ZrIzmjMGn5Wqcl1me5Js3YVTTtX0ooC1C6PXgUixYIG5C/wmnDF5KMaczMS RCIl5GW+5NJkgvpA4zBYLxiYsKxwX0rozuRxkOsrzbWoKUn8+QGk/AOpEwIgn2XaCj82 JkmGoAIhyWU6kw1MDDl+sz+zqWXgjvhjvDngvqCVs1+CccZfCMpRXrXcn8NQpA0sz87w Nuu1cJmBoHB2rgbb1O5RiUZ9KoV53xvG1GJbe1DvwE+wEde/R7CnDf75MXzui5Rm8Bge VORQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@protonmail.com header.s=protonmail header.b=soC1P8y5; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 18si1237056edv.166.2021.01.27.08.17.41; Wed, 27 Jan 2021 08:18:14 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@protonmail.com header.s=protonmail header.b=soC1P8y5; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343899AbhA0QNq (ORCPT + 99 others); Wed, 27 Jan 2021 11:13:46 -0500 Received: from mail-40140.protonmail.ch ([185.70.40.140]:21406 "EHLO mail-40140.protonmail.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343837AbhA0QNA (ORCPT ); Wed, 27 Jan 2021 11:13:00 -0500 Date: Wed, 27 Jan 2021 16:12:09 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail; t=1611763933; bh=CXG+0jciHe2vDbT437FM3Qo95DNVBYkdhL5WZaYUPoY=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From; b=soC1P8y5fbrH54We/uaS8kb/dds+4mQBpXZy35ILyJjxvA7AiwxabAYh4pvwxNXoo sJd2t2PH7IVYBhWLFvnCrNo+hPtPM1ZejKxhc3NLHZ9YAHPXrOXkLzXeFUIYdAwfM9 0DlB1Lw9h8W/zKKX63lNfW2kdfm8askULqa6Nv10= To: Stefan Berger From: Nym Seddon Cc: "dhowells@redhat.com" , "keyrings@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "herbert@gondor.apana.org.au" , "davem@davemloft.net" , "linux-crypto@vger.kernel.org" , "patrick@puiterwijk.org" , Stefan Berger Reply-To: Nym Seddon Subject: Re: [PATCH v3 0/3] Add support for x509 certs with NIST p256 and p192 keys Message-ID: In-Reply-To: <20210127123350.817593-1-stefanb@linux.vnet.ibm.com> References: <20210127123350.817593-1-stefanb@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-1.2 required=10.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM shortcircuit=no autolearn=disabled version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on mailout.protonmail.ch Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi Stefan, In the recommendations from SafeCurves (https://safecurves.cr.yp.to/twist.h= tml) there are a number of attacks against ECC twists. Two of those attacks= are relevant against NIST P192: invalid-curve attacks and invalid-curve at= tacks against ladders. Both attacks can be mitigated by checking the supplied public key is on the= correct curve, before performing curve operations. Not sure if the right place for those checks are in the signature verificat= ion code provided in these patches, or when reading public keys from the ce= rtificates. Does the kernel provide functions for checking curve points sat= isfy their respective curve equations? There are also tables describing the cost of combined attacks on various cu= rves, where NIST P224 already falls below the safe threshold. Because of th= at, I would recommend not implementing support for NIST P192 (since it woul= d fair even worse). What are your thoughts? Best, Nym =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original Me= ssage =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 On Wednesday, January 27, 2021 12:33 PM, Stefan Berger wrote: > From: Stefan Berger stefanb@linux.ibm.com > > This series of patches adds support for x509 certificates signed by a CA > that uses NIST p256 or p192 keys for signing. It also adds support for > certificates where the public key is a NIST p256 or p192 key. The math > for ECDSA signature verification is also added. > > Since self-signed certificates are verified upon loading, the following > script can be used for testing: > > k=3D$(keyctrl newring test @u) > > while :; do > for hash in sha1 sha224 sha256 sha384 sha512; do > openssl req \ > -x509 \ > -${hash} \ > -newkey ec \ > -pkeyopt ec_paramgen_curve:prime256v1 \ > -keyout key.pem \ > -days 365 \ > -subj '/CN=3Dtest' \ > -nodes \ > -outform der \ > -out cert.der > keyctl padd asymmetric testkey $k < cert.der > if [ $? -ne 0 ]; then > echo "ERROR" > exit 1 > fi > done > done > > It also works with restricted keyrings where an RSA key is used to sign > a NIST P256/P192 key. Scripts for testing are here: > > https://github.com/stefanberger/eckey-testing > > The ECDSA signature verification will be used by IMA Appraisal where ECDS= A > file signatures stored in RPM packages will use substantially less space > than if RSA signatures were to be used. > > Stefan > > v2->v3: > > - patch 2 now includes linux/scatterlist.h > > v1->v2: > > - using faster vli_sub rather than newly added vli_mod_fast to 'reduce' > result > > - rearranged switch statements to follow after RSA > > - 3rd patch from 1st posting is now 1st patch > > Stefan Berger (3): > x509: Detect sm2 keys by their parameters OID > x509: Add support for parsing x509 certs with NIST p256 keys > x509: Add support for NIST p192 keys in certificates and akcipher > > crypto/Makefile | 9 +- > crypto/asymmetric_keys/public_key.c | 19 ++ > crypto/asymmetric_keys/x509_cert_parser.c | 45 ++- > crypto/ecc.c | 318 ++++++++++++++++++++++ > crypto/ecc.h | 2 + > crypto/ecc_curve_defs.h | 4 + > crypto/eccsignature.asn1 | 4 + > include/linux/oid_registry.h | 6 + > 8 files changed, 404 insertions(+), 3 deletions(-) > create mode 100644 crypto/eccsignature.asn1 > > -- > 2.25.4 >