certs: Add FIPS self-test for signature verification

[PATCH 0/2] certs: Add FIPS self-test for signature verification

Posted by David Howells 3 years, 10 months ago

Hi Herbert,

If you could look over this pair of patches?  The second patch adds a simple
selftest to allow the signature verification code so that it can be FIPS
compliant.  The first moves load_certificate_list() to the asymmetric key code
to make this easier and renames it.

I generated the test data myself, but I'm open to using some standard test
data if you know of some; we don't want too much, however, as it's
incompressible.  Also, it has avoid blacklist checks on the keys it is using,
lest the UEFI blacklist cause the selftest to fail.

The patches can be found on the following branch:

	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-fixes

David
---
David Howells (2):
      certs: Move load_certificate_list() to be with the asymmetric keys code
      certs: Add FIPS selftests


 certs/Makefile                           |   4 +-
 certs/blacklist.c                        |   8 +-
 certs/common.c                           |  57 ------
 certs/common.h                           |   9 -
 certs/system_keyring.c                   |   6 +-
 crypto/asymmetric_keys/Kconfig           |  10 +
 crypto/asymmetric_keys/Makefile          |   2 +
 crypto/asymmetric_keys/selftest.c        | 224 +++++++++++++++++++++++
 crypto/asymmetric_keys/x509_loader.c     |  57 ++++++
 crypto/asymmetric_keys/x509_parser.h     |   9 +
 crypto/asymmetric_keys/x509_public_key.c |   8 +-
 include/keys/asymmetric-type.h           |   3 +
 12 files changed, 321 insertions(+), 76 deletions(-)
 delete mode 100644 certs/common.c
 delete mode 100644 certs/common.h
 create mode 100644 crypto/asymmetric_keys/selftest.c
 create mode 100644 crypto/asymmetric_keys/x509_loader.c

Re: [PATCH 0/2] certs: Add FIPS self-test for signature verification

Posted by Herbert Xu 3 years, 10 months ago

On Mon, Jun 13, 2022 at 10:56:54PM +0100, David Howells wrote:
> 
> Hi Herbert,
> 
> If you could look over this pair of patches?  The second patch adds a simple
> selftest to allow the signature verification code so that it can be FIPS
> compliant.  The first moves load_certificate_list() to the asymmetric key code
> to make this easier and renames it.

Hi David:

It looks OK to me.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH 0/2] certs: Add FIPS self-test for signature verification

Posted by David Howells 3 years, 10 months ago

Herbert Xu <herbert@gondor.apana.org.au> wrote:

> It looks OK to me.

Can I put that down as a Reviewed-by?

Thanks,
David

Re: [PATCH 0/2] certs: Add FIPS self-test for signature verification

Posted by Herbert Xu 3 years, 10 months ago

On Wed, Jun 15, 2022 at 11:34:18PM +0100, David Howells wrote:
> Herbert Xu <herbert@gondor.apana.org.au> wrote:
> 
> > It looks OK to me.
> 
> Can I put that down as a Reviewed-by?

Reviewd-by: Herbert Xu <herbert@gondor.apana.org.au>
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH 0/2] certs: Add FIPS self-test for signature verification

Posted by Simo Sorce 3 years, 10 months ago

On Mon, 2022-06-13 at 22:56 +0100, David Howells wrote:
> Hi Herbert,
> 
> If you could look over this pair of patches?  The second patch adds a simple
> selftest to allow the signature verification code so that it can be FIPS
> compliant.  The first moves load_certificate_list() to the asymmetric key code
> to make this easier and renames it.
> 
> I generated the test data myself, but I'm open to using some standard test
> data if you know of some; we don't want too much, however, as it's
> incompressible.  Also, it has avoid blacklist checks on the keys it is using,
> lest the UEFI blacklist cause the selftest to fail.
> 
> The patches can be found on the following branch:
> 
> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-fixes
> 
> David
> ---
> David Howells (2):
>       certs: Move load_certificate_list() to be with the asymmetric keys code
>       certs: Add FIPS selftests
> 
> 
>  certs/Makefile                           |   4 +-
>  certs/blacklist.c                        |   8 +-
>  certs/common.c                           |  57 ------
>  certs/common.h                           |   9 -
>  certs/system_keyring.c                   |   6 +-
>  crypto/asymmetric_keys/Kconfig           |  10 +
>  crypto/asymmetric_keys/Makefile          |   2 +
>  crypto/asymmetric_keys/selftest.c        | 224 +++++++++++++++++++++++
>  crypto/asymmetric_keys/x509_loader.c     |  57 ++++++
>  crypto/asymmetric_keys/x509_parser.h     |   9 +
>  crypto/asymmetric_keys/x509_public_key.c |   8 +-
>  include/keys/asymmetric-type.h           |   3 +
>  12 files changed, 321 insertions(+), 76 deletions(-)
>  delete mode 100644 certs/common.c
>  delete mode 100644 certs/common.h
>  create mode 100644 crypto/asymmetric_keys/selftest.c
>  create mode 100644 crypto/asymmetric_keys/x509_loader.c
> 
> 

Reviewed-by: Simo Sorce <simo@redhat.com>

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc