Re: [PATCH 0/2] certs: Add FIPS self-test for signature verification
From: Simo Sorce
Date: Tue Jun 14 2022 - 10:15:47 EST
On Mon, 2022-06-13 at 22:56 +0100, David Howells wrote:
> Hi Herbert,
>
> If you could look over this pair of patches? The second patch adds a simple
> selftest to allow the signature verification code so that it can be FIPS
> compliant. The first moves load_certificate_list() to the asymmetric key code
> to make this easier and renames it.
>
> I generated the test data myself, but I'm open to using some standard test
> data if you know of some; we don't want too much, however, as it's
> incompressible. Also, it has avoid blacklist checks on the keys it is using,
> lest the UEFI blacklist cause the selftest to fail.
>
> The patches can be found on the following branch:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-fixes
>
> David
> ---
> David Howells (2):
> certs: Move load_certificate_list() to be with the asymmetric keys code
> certs: Add FIPS selftests
>
>
> certs/Makefile | 4 +-
> certs/blacklist.c | 8 +-
> certs/common.c | 57 ------
> certs/common.h | 9 -
> certs/system_keyring.c | 6 +-
> crypto/asymmetric_keys/Kconfig | 10 +
> crypto/asymmetric_keys/Makefile | 2 +
> crypto/asymmetric_keys/selftest.c | 224 +++++++++++++++++++++++
> crypto/asymmetric_keys/x509_loader.c | 57 ++++++
> crypto/asymmetric_keys/x509_parser.h | 9 +
> crypto/asymmetric_keys/x509_public_key.c | 8 +-
> include/keys/asymmetric-type.h | 3 +
> 12 files changed, 321 insertions(+), 76 deletions(-)
> delete mode 100644 certs/common.c
> delete mode 100644 certs/common.h
> create mode 100644 crypto/asymmetric_keys/selftest.c
> create mode 100644 crypto/asymmetric_keys/x509_loader.c
>
>
Reviewed-by: Simo Sorce <simo@xxxxxxxxxx>
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc