
[v2,0/2] support sign module with SM2-with-SM3 algorithm

Message ID 20210324121525.16062-1-tianjia.zhang@linux.alibaba.com

Message

tianjia.zhang March 24, 2021, 12:15 p.m. UTC
The kernel module signature supports the option to use the SM3 secure
hash (OSCCA GM/T 0004-2012 SM3). SM2 and SM3 always appear in pairs.
The former is used for signing and the latter is used for hash
calculation.

To sign a kernel module, first, prepare openssl 3.0.0 alpha6 and a
configuration file openssl.cnf with the following content:

  [ req ]
  default_bits = 2048
  distinguished_name = req_distinguished_name
  prompt = no
  string_mask = utf8only
  x509_extensions = v3_req

  [ req_distinguished_name ]
  C = CN
  ST = HangZhou
  L = foo
  O = Test
  OU = Test
  CN = Test key
  emailAddress = test@foo.com

  [ v3_req ]
  basicConstraints=critical,CA:FALSE
  keyUsage=digitalSignature
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid:always

Then we can use the following method to sign module with SM2-with-SM3
algorithm combination:

  # generate CA key and self-signed CA certificate
  openssl ecparam -genkey -name SM2 -text -out ca.key
  openssl req -new -x509 -days 3650 -key ca.key \
      -sm3 -sigopt "distid:1234567812345678" \
      -subj "/O=testCA/OU=testCA/CN=testCA/emailAddress=ca@foo.com" \
      -config openssl.cnf -out ca.crt

  # generate SM2 private key and sign request
  openssl ecparam -genkey -name SM2 -text -out private.pem
  openssl req -new -key private.pem -config openssl.cnf \
      -sm3 -sigopt "distid:1234567812345678" -out csr.pem

  # generate SM2-with-SM3 certificate signed by CA
  openssl x509 -req -days 3650 -sm3 -in csr.pem \
      -sigopt "distid:1234567812345678" \
      -vfyopt "distid:1234567812345678" \
      -CA ca.crt -CAkey ca.key -CAcreateserial \
      -extfile openssl.cnf -extensions v3_req \
      -out cert.pem

  # sign module with SM2-with-SM3 algorithm
  sign-file sm3 private.pem cert.pem test.ko test.ko.signed

At this point, we should build the CA certificate into the kernel, and
then we can load the SM2-with-SM3 signed module normally.

---
v2 change:
  - split one patch into two.
  - richer commit log.

Tianjia Zhang (2):
  pkcs7: make parser enable SM2 and SM3 algorithms combination
  init/Kconfig: support sign module with SM2-with-SM3 algorithm

 Documentation/admin-guide/module-signing.rst | 5 +++--
 crypto/asymmetric_keys/pkcs7_parser.c        | 7 +++++++
 init/Kconfig                                 | 5 +++++
 3 files changed, 15 insertions(+), 2 deletions(-)
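The procedure above ends with sign-file appending a PKCS#7 blob and a fixed trailer to the module. The example below is an added illustration, not code from this series or from the kernel: it parses that trailer on a constructed sample image and applies the same sanity checks the kernel makes before handing the PKCS#7 data to the parser this series touches. The layout constants match the kernel's struct module_signature and MODULE_SIG_STRING; the sample payload and PKCS#7 bytes are stand-ins, not a real ELF or a real SM2 signature. Note that for PKCS#7 signatures the trailer's algo and hash bytes stay zero, so the choice of sm3 made on the sign-file command line is recorded only inside the PKCS#7 SignedData, which is why the pkcs7_parser change is needed.

```c
/* Added example: parse and sanity-check the signature trailer that
 * sign-file appends to a kernel module. Not kernel code; the layout
 * mirrors include/linux/module_signature.h. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODULE_SIG_STRING "~Module signature appended~\n"
#define MODULE_SIG_STRING_LEN (sizeof(MODULE_SIG_STRING) - 1)   /* 28 bytes */
#define PKEY_ID_PKCS7 2

/* Wire layout of struct module_signature: 12 bytes, sig_len big-endian. */
struct module_signature {
    uint8_t algo;        /* 0 for PKCS#7: public-key algorithm is inside the PKCS#7 */
    uint8_t hash;        /* 0 for PKCS#7: digest (e.g. SM3) is inside the PKCS#7 */
    uint8_t id_type;     /* PKEY_ID_PKCS7 */
    uint8_t signer_len;  /* 0 for PKCS#7 */
    uint8_t key_id_len;  /* 0 for PKCS#7 */
    uint8_t pad[3];      /* must be zero */
    uint8_t sig_len[4];  /* big-endian length of the PKCS#7 blob */
};

enum sig_status {
    SIG_OK = 0,
    SIG_NO_MARKER,   /* no marker: module is unsigned */
    SIG_TOO_SHORT,   /* marker present but no room for the trailer */
    SIG_NOT_PKCS7,   /* id_type is not PKEY_ID_PKCS7 */
    SIG_BAD_PARAMS,  /* a field that must be zero for PKCS#7 is set */
    SIG_BAD_LEN      /* sig_len does not fit inside the image */
};

/* Locate the PKCS#7 blob in a signed image. On SIG_OK, *payload_len is the
 * length of the original module (the bytes the signature covers). */
enum sig_status split_signed_module(const uint8_t *buf, size_t len,
                                    size_t *payload_len,
                                    const uint8_t **sig, size_t *sig_len)
{
    const struct module_signature *ms;
    size_t body;
    uint32_t slen;

    if (len < MODULE_SIG_STRING_LEN ||
        memcmp(buf + len - MODULE_SIG_STRING_LEN, MODULE_SIG_STRING,
               MODULE_SIG_STRING_LEN) != 0)
        return SIG_NO_MARKER;
    body = len - MODULE_SIG_STRING_LEN;

    if (body < sizeof(*ms))
        return SIG_TOO_SHORT;
    body -= sizeof(*ms);
    ms = (const struct module_signature *)(buf + body);

    if (ms->id_type != PKEY_ID_PKCS7)
        return SIG_NOT_PKCS7;
    if (ms->algo || ms->hash || ms->signer_len || ms->key_id_len ||
        ms->pad[0] || ms->pad[1] || ms->pad[2])
        return SIG_BAD_PARAMS;

    slen = ((uint32_t)ms->sig_len[0] << 24) | ((uint32_t)ms->sig_len[1] << 16) |
           ((uint32_t)ms->sig_len[2] << 8) | ms->sig_len[3];
    if (slen >= body)
        return SIG_BAD_LEN;

    *payload_len = body - slen;
    *sig = buf + *payload_len;
    *sig_len = slen;
    return SIG_OK;
}

/* Lay out an image the way sign-file does: payload | PKCS#7 | trailer | marker. */
size_t build_signed_module(uint8_t *out, size_t cap,
                           const uint8_t *payload, size_t plen,
                           const uint8_t *pkcs7, size_t slen)
{
    struct module_signature ms = { .id_type = PKEY_ID_PKCS7 };
    size_t total = plen + slen + sizeof(ms) + MODULE_SIG_STRING_LEN;

    if (total > cap)
        return 0;
    ms.sig_len[0] = (uint8_t)(slen >> 24); ms.sig_len[1] = (uint8_t)(slen >> 16);
    ms.sig_len[2] = (uint8_t)(slen >> 8);  ms.sig_len[3] = (uint8_t)slen;
    memcpy(out, payload, plen);
    memcpy(out + plen, pkcs7, slen);
    memcpy(out + plen + slen, &ms, sizeof(ms));
    memcpy(out + plen + slen + sizeof(ms), MODULE_SIG_STRING, MODULE_SIG_STRING_LEN);
    return total;
}

/* Constructed sample input: stand-ins for an ELF module and a PKCS#7 DER. */
#define SAMPLE_PAYLOAD "\x7f" "ELF: constructed stand-in for test.ko"
#define SAMPLE_PKCS7   "\x30\x20" "constructed stand-in for PKCS#7 DER"

/* Build the sample image, optionally corrupt one trailer field, and report
 * what the kernel-style check returns. */
enum sig_status check_sample(int tamper, size_t *payload_len, size_t *sig_len)
{
    uint8_t image[256];
    const uint8_t *sig;
    size_t len = build_signed_module(image, sizeof image,
                                     (const uint8_t *)SAMPLE_PAYLOAD, sizeof(SAMPLE_PAYLOAD) - 1,
                                     (const uint8_t *)SAMPLE_PKCS7, sizeof(SAMPLE_PKCS7) - 1);
    struct module_signature *ms =
        (struct module_signature *)(image + len - MODULE_SIG_STRING_LEN - sizeof(*ms));

    switch (tamper) {
    case 1: ms->id_type = 1; break;         /* not a PKCS#7 signature */
    case 2: ms->hash = 1; break;            /* hash must stay 0 for PKCS#7 */
    case 3: ms->sig_len[1] = 0xff; break;   /* claims more bytes than exist */
    case 4: image[len - 1] = '\0'; break;   /* damaged marker: treated as unsigned */
    }
    return split_signed_module(image, len, payload_len, &sig, sig_len);
}

/* 1 if the untampered sample splits back into the original payload and PKCS#7 lengths. */
int sample_split_matches(void)
{
    size_t plen = 0, slen = 0;
    return check_sample(0, &plen, &slen) == SIG_OK &&
           plen == sizeof(SAMPLE_PAYLOAD) - 1 && slen == sizeof(SAMPLE_PKCS7) - 1;
}

int main(void)
{
    size_t plen, slen;
    for (int t = 0; t <= 4; t++)
        printf("tamper=%d status=%d\n", t, check_sample(t, &plen, &slen));
    return sample_split_matches() ? 0 : 1;
}
```

The split function stops at the point where the kernel would call the PKCS#7 parser; with this series applied, that parser is what recognises an SM2-with-SM3 SignedData, and the CA certificate built into the kernel is what the signer certificate is chained to.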

Comments

tianjia.zhang April 7, 2021, 3:29 a.m. UTC | #1
ping.

Thanks,
Tianjia
