Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp2584449pxb;
        Thu, 3 Feb 2022 09:35:20 -0800 (PST)
X-Google-Smtp-Source: ABdhPJywj1fPs9pNYRT8qP5Kk1pI0taI00U/+wunRSo4fGuBUS6PKUXyderDh6VP1tObMO77e26Z
X-Received: by 2002:a17:903:2003:: with SMTP id s3mr36232569pla.97.1643909720008;
        Thu, 03 Feb 2022 09:35:20 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1643909719; cv=none;
        d=google.com; s=arc-20160816;
        b=s+i4Zke0cGrn3Y25pfjJFf1I+F08I5pL7TGz5hx4vuXAWAui69nmbtJANcboGJwIF5
         Ia0BEZbRIKVvI0t0NpOa8bds6ncvnOB/ZmNe/23UxHtYBYzu83ifnzxdW13Ab2HkB5Dy
         CkAc4KsjziN8ObuHb5OXGaVsT+KWiLJ2G9DUdlwkBmXfeuRtanbtJfUSefjyQhHBaGwh
         bOFHZImTvmBZkNDy2Rf59N44qtFntp7qZ8caFXbrRBMIvzQX2Eu0DxWq2iJrH2NoaJBU
         dLzqAydgXy2HCQIlbPMlD38tI0SGw/ellUV5f83IcC1S9RtSKgAwWam5mQy7qmKI6Fij
         X+Xg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-transfer-encoding
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=2RwMLWSdylvBOyWxtayL6HUo80+l/MOZbYWIJ/48vq8=;
        b=wCFSM97NhJelJbATTxabJtUPeENluHMlFVPQLHrHPCuq3p+kNBUrzXPqFR84+kZjZ3
         HQundg9cc+bUlBB6aFFsLw2FXMW0pKywKMf8xdjV6kLbhQlG8D1XiHxl5f+t2Nrg825v
         3/4Nu6VyXNK+A4u6JZegAZlOZ6y9c46UQAOiLyhjdTWKaU5caESkPq1hsF5ONLhGHkET
         27VpwEFT/x0l+8Q1vV4AxNPc7C8Yqs8eRvbO7G72bekoygDhfoZi3xN4vV8q55WqE6FR
         34hJ9hCyUZIuQ7WKJP3LoCVwWFjy6SimxFvQuLKSubb5hgG5WKzi0wbahT2/7eA+aw7/
         NzNg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id k11si23296603pfu.224.2022.02.03.09.34.58;
        Thu, 03 Feb 2022 09:35:19 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1347611AbiBBVY5 (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 99 others); Wed, 2 Feb 2022 16:24:57 -0500
Received: from vmicros1.altlinux.org ([194.107.17.57]:50576 "EHLO
        vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1347635AbiBBVYj (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Wed, 2 Feb 2022 16:24:39 -0500
Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38])
        by vmicros1.altlinux.org (Postfix) with ESMTP id 954B672C8FA;
        Thu,  3 Feb 2022 00:24:37 +0300 (MSK)
Received: from altlinux.org (sole.flsd.net [185.75.180.6])
        by imap.altlinux.org (Postfix) with ESMTPSA id 7E9924A46F0;
        Thu,  3 Feb 2022 00:24:37 +0300 (MSK)
Date:   Thu, 3 Feb 2022 00:24:37 +0300
From:   Vitaly Chikunov <vt@altlinux.org>
To:     Stefan Berger <stefanb@linux.ibm.com>
Cc:     keyrings@vger.kernel.org, Jarkko Sakkinen <jarkko@kernel.org>,
        David Howells <dhowells@redhat.com>,
        linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org,
        Eric Biggers <ebiggers@kernel.org>
Subject: Re: [RFC PATCH] KEYS: Double max_size to make keyctl pkey_verify work
Message-ID: <20220202212437.mlj4cta4voqiqfpf@altlinux.org>
References: <20220202065906.2598366-1-vt@altlinux.org>
 <5bb23626-afe1-9e05-566b-8830882904f6@linux.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <5bb23626-afe1-9e05-566b-8830882904f6@linux.ibm.com>
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

Stefan,

On Wed, Feb 02, 2022 at 07:55:43AM -0500, Stefan Berger wrote:
> On 2/2/22 01:59, Vitaly Chikunov wrote:
> > Rarely used `keyctl pkey_verify' can verify raw signatures, but was
> > failing, because ECDSA/EC-RDSA signature sizes are twice key sizes which
> > does not pass in/out sizes check in keyctl_pkey_params_get_2.
> > This in turn because these values cannot be distinguished by a single
> > `max_size' callback return value.
> > Also, `keyctl pkey_query` displays incorrect `max_sig_size' about these
> > algorithms.
> > 
> > Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> 
> How do you use pkey_query?
> 
> $ keyctl padd asymmetric testkey %keyring:test < cert.der
> 385037223

It should be (for RSA key):

  keyctl pkey_query 385037223 0 enc=pkcs1 hash=sha256

`0` is placeholder for a password.

For example, I generated keys with your eckey-testing/generate.sh, and
pkey_query after this patch is applied:
  
  # keyctl padd asymmetric "" @u < ecdsa-ca/ca.crt.der
  66509339
  # keyctl pkey_query 66509339 0 enc=x962 hash=sha256
  key_size=256
  max_data_size=64
  max_sig_size=64
  max_enc_size=32
  max_dec_size=32
  encrypt=y
  decrypt=n
  sign=n
  verify=y

W/o patch max_data_size= and max_sig_size= will be 32.

Thanks,

> $ keyctl pkey_query 385037223 ''
> Password passing is not yet supported
> $ keyctl pkey_query 385037223
> Format:
> ? keyctl --version
> ? keyctl add <type> <desc> <data> <keyring>
> [...]
> 
> $ keyctl unlink 385037223
> 1 links removed
>