Subject: [PATCH 0/2] certs: Add FIPS self-test for signature verification
From: David Howells
To: Herbert Xu
Cc: Simo Sorce, dhowells@redhat.com, simo@redhat.com, Jarkko Sakkinen, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Mon, 13 Jun 2022 22:56:54 +0100
Message-ID: <165515741424.1554877.9363755381201121213.stgit@warthog.procyon.org.uk>
X-Mailing-List: linux-crypto@vger.kernel.org

Hi Herbert,

If you could look over this pair of patches? The second patch adds a simple selftest to allow the signature verification code so that it can be FIPS compliant. The first moves load_certificate_list() to the asymmetric key code to make this easier and renames it.

I generated the test data myself, but I'm open to using some standard test data if you know of some; we don't want too much, however, as it's incompressible.
Also, it has to avoid blacklist checks on the keys it is using, lest the UEFI blacklist cause the selftest to fail.

The patches can be found on the following branch:

	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-fixes

David
---
David Howells (2):
      certs: Move load_certificate_list() to be with the asymmetric keys code
      certs: Add FIPS selftests

 certs/Makefile                           |    4 +-
 certs/blacklist.c                        |    8 +-
 certs/common.c                           |   57 ------
 certs/common.h                           |    9 -
 certs/system_keyring.c                   |    6 +-
 crypto/asymmetric_keys/Kconfig           |   10 +
 crypto/asymmetric_keys/Makefile          |    2 +
 crypto/asymmetric_keys/selftest.c        |  224 +++++++++++++++++++++++
 crypto/asymmetric_keys/x509_loader.c     |   57 ++++++
 crypto/asymmetric_keys/x509_parser.h     |    9 +
 crypto/asymmetric_keys/x509_public_key.c |    8 +-
 include/keys/asymmetric-type.h           |    3 +
 12 files changed, 321 insertions(+), 76 deletions(-)
 delete mode 100644 certs/common.c
 delete mode 100644 certs/common.h
 create mode 100644 crypto/asymmetric_keys/selftest.c
 create mode 100644 crypto/asymmetric_keys/x509_loader.c