Subject: Re: [PATCH v9 2/9] x509: Detect sm2 keys by their parameters OID
To: Tianjia Zhang
Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, "open list:HARDWARE RANDOM NUMBER GENERATOR CORE", Mimi Zohar, David Howells, "open list:KEYS-TRUSTED", "davem@davemloft.net", Herbert Xu
References: <20210225160802.2478700-1-stefanb@linux.vnet.ibm.com> <20210225160802.2478700-3-stefanb@linux.vnet.ibm.com>
From: Stefan Berger
Message-ID: <048e22c7-45e3-022c-cd5b-a6bc127958d3@linux.ibm.com>
Date: Wed, 3 Mar 2021 18:46:12 -0500
In-Reply-To: <20210225160802.2478700-3-stefanb@linux.vnet.ibm.com>
X-Mailing-List: linux-crypto@vger.kernel.org

Tianjia,

   can you say whether SM2 support works for you before and after applying this patch? I cannot verify it with an sm2 key I have created using a sequence of commands like this:

> modprobe sm2_generic
> id=$(keyctl newring test @u)
> keyctl padd asymmetric "" $id < sm2.der
add_key: Key was rejected by service
> keyctl padd asymmetric "" $id < eckeys/cert-prime192v1-0.der
88506426

The sm2 key is rejected but the prime192v1 key works just fine. SM2 support neither worked for me before nor after this patch here. The difference is that before it returned 'add_key: Package not installed'.
This is my sm2 cert:

> base64 < sm2.der

Regards,
   Stefan

On 2/25/21 11:07 AM, Stefan Berger wrote:
> From: Stefan Berger > > Detect whether a key is an sm2 type of key by its OID in the parameters > array rather than assuming that everything under OID_id_ecPublicKey > is sm2, which is not the case. > > Cc: David Howells > Cc: keyrings@vger.kernel.org > Signed-off-by: Stefan Berger > Reviewed-by: Tianjia Zhang > --- > crypto/asymmetric_keys/x509_cert_parser.c | 12 +++++++++++- > include/linux/oid_registry.h | 1 + > lib/oid_registry.c | 13 +++++++++++++ > 3 files changed, 25 insertions(+), 1 deletion(-) > > diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c > index 52c9b455fc7d..1621ceaf5c95 100644 > --- a/crypto/asymmetric_keys/x509_cert_parser.c > +++ b/crypto/asymmetric_keys/x509_cert_parser.c > @@ -459,6 +459,7 @@ int x509_extract_key_data(void *context, size_t hdrlen, > const void *value, size_t vlen) > { > struct x509_parse_context *ctx = context; > + enum OID oid; > > ctx->key_algo = ctx->last_oid; > switch (ctx->last_oid) {
> @@ -470,7 +471,16 @@ int x509_extract_key_data(void *context, size_t hdrlen, > ctx->cert->pub->pkey_algo = "ecrdsa"; > break; > case OID_id_ecPublicKey: > - ctx->cert->pub->pkey_algo = "sm2"; > + if (parse_OID(ctx->params, ctx->params_size, &oid) != 0) > + return -EBADMSG; > + > + switch (oid) { > + case OID_sm2: > + ctx->cert->pub->pkey_algo = "sm2"; > + break; > + default: > + return -ENOPKG; > + } > break; > default: > return -ENOPKG; > diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h > index b504e2f36b25..f32d91895e4d 100644 > --- a/include/linux/oid_registry.h > +++ b/include/linux/oid_registry.h > @@ -121,6 +121,7 @@ enum OID { > }; > > extern enum OID look_up_OID(const void *data, size_t datasize); > +extern int parse_OID(const void *data, size_t datasize, enum OID *oid); > extern int sprint_oid(const void *, size_t, char *, size_t); > extern int sprint_OID(enum OID, char *, size_t); > > diff --git a/lib/oid_registry.c b/lib/oid_registry.c > index f7ad43f28579..508e0b34b5f0 100644 > --- a/lib/oid_registry.c > +++ b/lib/oid_registry.c > @@ -11,6 +11,7 @@ > #include > #include > #include > +#include > #include "oid_registry_data.c" > > MODULE_DESCRIPTION("OID Registry"); > @@ -92,6 +93,18 @@ enum OID look_up_OID(const void *data, size_t datasize) > } > EXPORT_SYMBOL_GPL(look_up_OID); > > +int parse_OID(const void *data, size_t datasize, enum OID *oid) > +{ > + const unsigned char *v = data; > + > + if (datasize < 2 || v[0] != ASN1_OID || v[1] != datasize - 2) > + return -EBADMSG; > + > + *oid = look_up_OID(data + 2, datasize - 2); > + return 0; > +} > +EXPORT_SYMBOL_GPL(parse_OID); > + > /* > * sprint_OID - Print an Object Identifier into a buffer > * @data: The encoded OID to print
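Review bot: The OID_id_ecPublicKey case in the x509_cert_parser.c hunk (@@ -470,7 +471,16 @@) can now fail with two different errors, and neither is the one reported in the reply above: parse_OID() returns -EBADMSG ("Bad message") when the parameters field is shorter than two bytes or is not a short-form OID TLV, while a syntactically valid but unrecognised curve OID falls to the inner default and returns -ENOPKG ("Package not installed"). add_key's "Key was rejected by service" is EKEYREJECTED, which this switch never returns, so the sm2 rejection seen in the test must come from a later step of key loading rather than from this hunk; stating that in the thread would keep the patch from being blamed for it. The commit message should also mention that malformed ecPublicKey parameters are now rejected as -EBADMSG instead of being silently treated as sm2, since that is a user-visible change in the returned error.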
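Review bot: parse_OID() in the lib/oid_registry.c hunk (@@ -92,6 +93,18 @@) accepts only the short-form DER length, because `v[1] != datasize - 2` can never match once datasize - 2 exceeds 127, so any longer encoding is reported as -EBADMSG; that is adequate for curve OIDs, but the function is exported with EXPORT_SYMBOL_GPL and, unlike the neighbouring sprint_OID, has no kernel-doc. Please document that it expects one complete short-form OID TLV, and that a well-formed OID that the registry does not know still returns 0 with *oid set to look_up_OID()'s not-found result, leaving the caller to check it (the x509 caller does, via its default case). The comparison also relies on `datasize < 2` being evaluated first so that `datasize - 2` cannot wrap; a one-line comment noting that ordering dependency would keep someone from reordering the conditions later.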