ima: Document and replace keys and adapt scripts for EC keys
For shorted file signatures use EC keys rather than RSA keys.
Document the debug keys and their purpose.
Adapt the scripts for creating these types of keys to now
create EC keys.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh b/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh
index 5f3a728..b10b1ba 100755
--- a/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh
+++ b/meta-security/meta-integrity/scripts/ima-gen-CA-signed.sh
@@ -20,7 +20,6 @@
cat << __EOF__ >$GENKEY
[ req ]
-default_bits = 1024
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@@ -36,13 +35,15 @@
#basicConstraints=CA:FALSE
keyUsage=digitalSignature
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage=critical,codeSigning
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
#authorityKeyIdentifier=keyid,issuer
__EOF__
-openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
- -out csr_ima.pem -keyout privkey_ima.pem
-openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -config $GENKEY \
+ -out csr_ima.pem -keyout privkey_ima.pem \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1
+openssl x509 -req -in csr_ima.pem -days 36500 -extfile $GENKEY -extensions v3_usr \
-CA $CA -CAkey $CAKEY -CAcreateserial \
-outform DER -out x509_ima.der
diff --git a/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
index b600761..339d3e3 100755
--- a/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
+++ b/meta-security/meta-integrity/scripts/ima-gen-local-ca.sh
@@ -18,7 +18,6 @@
cat << __EOF__ >$GENKEY
[ req ]
-default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
@@ -33,10 +32,11 @@
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
-# keyUsage = cRLSign, keyCertSign
+keyUsage = cRLSign, keyCertSign
__EOF__
-openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+openssl req -new -x509 -utf8 -sha256 -days 36500 -batch -config $GENKEY \
+ -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
diff --git a/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh b/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh
deleted file mode 100755
index 5ee876c..0000000
--- a/meta-security/meta-integrity/scripts/ima-gen-self-signed.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-#
-# Copied from ima-evm-utils.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# version 2 as published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-GENKEY=ima.genkey
-
-cat << __EOF__ >$GENKEY
-[ req ]
-default_bits = 1024
-distinguished_name = req_distinguished_name
-prompt = no
-string_mask = utf8only
-x509_extensions = myexts
-
-[ req_distinguished_name ]
-O = example.com
-CN = meta-intel-iot-security example signing key
-emailAddress = john.doe@example.com
-
-[ myexts ]
-basicConstraints=critical,CA:FALSE
-keyUsage=digitalSignature
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
-__EOF__
-
-openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
- -x509 -config $GENKEY \
- -outform DER -out x509_ima.der -keyout privkey_ima.pem