Thursday, April 23, 2015

PKCS#7 parser testing

I had a chance to test the PKCS#7 parser in the kernel, so I am writing it down as a note. It is very easy: just follow David Howells's patch 22d01afb2, which adds a key type for testing:

PKCS#7: Provide a key type for testing PKCS#7

Extract the Makefile from the description of patch 22d01afb2 and put it in a new directory (mine is pkcs7), then run make to generate the keys and the stuff.pkcs7 message used for testing:

~/pkcs7 # make
echo "The quick red fox jumped over the lazy brown dog" >stuff.txt
Generating X.509 key generation config
[...snip]
openssl asn1parse -inform DER -in stuff.pkcs7  -i >out

~/pkcs7 # ls
certs        key1.x509           key2.x509           key3.srl     key4.srl            out
key1.genkey  key1.x509_unsigned  key2.x509_unsigned  key3.x509    key4.x509           stuff.pkcs7
key1.priv    key2.genkey         key3.genkey         key4.genkey  key4.x509_unsigned  stuff.txt
key1.srl     key2.priv           key3.priv           key4.priv    Makefile

The file used for testing is stuff.pkcs7. Next, set up the kernel config by enabling these options:

CONFIG_PKCS7_MESSAGE_PARSER=y
CONFIG_PKCS7_TEST_KEY=y

Copy key3.x509 into the kernel source directory, converting it from PEM to DER on the way (the kernel build compiles every *.x509 file found in the top-level source directory into its trusted certificate list):

> openssl x509 -in ~/pkcs7/key3.x509 -outform DER -out key3.x509

then rebuild the kernel:

> make
[...snip]
  CERTS   kernel/x509_certificate_list
  - Including cert key3.x509
  - Including cert signing_key.x509
  AS      kernel/system_certificates.o
  LD      kernel/built-in.o
[...snip]

Install the kernel and reboot. dmesg shows the PKCS#7 test certificate being loaded into the system keyring:

[    4.503832] Loaded X.509 cert 'Magrathea: PKCS7 key 3: e4e626de614f8e28b15539ac67c5650d38dc455e'

If you forgot to convert key3.x509 from PEM to DER, you will see this instead. The loader checks that each compiled-in certificate starts with a DER SEQUENCE header and stops at the first one that does not, so the certificates after it in the list (here signing_key.x509) are not loaded either:

[    4.464986] Loading compiled-in X.509 certificates
[    4.469795] Problem parsing in-kernel X.509 certificate list

Now that the certificate for testing PKCS#7 is loaded, start testing with keyctl:

~/pkcs7> keyctl padd pkcs7_test a @u <stuff.pkcs7
914276432

keyctl show @u lists the new key created from the PKCS#7 message in the user keyring:

~/pkcs7> keyctl show @u
Keyring
 255695369 --alswrv   1000 65534  keyring: _uid.1000
 914276432 --als-rv   1000   100   \_ pkcs7_test: a

If you forgot to build key3.x509 into the kernel, the signer's certificate is not in the system trusted keyring, the PKCS#7 message cannot be validated, and add_key fails with ENOKEY:

~/pkcs7 # keyctl padd pkcs7_test a @u <stuff.pkcs7
add_key: Required key not available
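The user-space side of the procedure above (generate a certificate, check its encoding before it goes into the kernel tree, sign the test message, and verify the result with openssl as a cross-check before rebooting), as an added example that is not the Makefile from patch 22d01afb2 and not David Howells's code. It stands in a single self-signed certificate for the key1..key4 files the patch's Makefile produces; the file names, the subject name and the message text are assumptions.

```shell
#!/bin/sh
# Added example: the workstation side of the PKCS#7 kernel test, using one
# self-signed certificate instead of the key chain from the patch's Makefile.
set -e

# Report how a file is encoded from its first two bytes.  A DER certificate or
# PKCS#7 message starts with the ASN.1 SEQUENCE tag and a two-byte length
# (0x30 0x82), which is also what the in-kernel certificate loader checks for;
# a PEM file starts with "-----BEGIN", i.e. byte 0x2d.
cert_format() {
    case "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" in
        3082) echo DER ;;
        2d*)  echo PEM ;;
        *)    echo UNKNOWN ;;
    esac
}

# Generate a self-signed RSA certificate in PEM form (assumed names), like the
# key*.x509 files the patch's Makefile produces.  $1 = base name, $2 = CN.
make_test_cert() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Magrathea/CN=$2" -keyout "$1.priv" -out "$1.x509" 2>/dev/null
}

# Convert a PEM certificate to the DER form the kernel build expects.  The
# encoding check refuses input that is already DER or not a certificate.
# $1 = input (PEM), $2 = output (DER).
pem_to_der() {
    [ "$(cert_format "$1")" = PEM ] || { echo "$1: not a PEM file" >&2; return 1; }
    openssl x509 -in "$1" -outform DER -out "$2"
}

# Sign the message as a DER PKCS#7 SignedData.  -nodetach keeps the content
# inside the message; the kernel hashes the embedded content itself, so a
# detached signature gives it nothing to verify.
# $1 = message, $2 = key base name, $3 = output file.
sign_pkcs7() {
    openssl smime -sign -binary -nodetach -in "$1" \
        -signer "$2.x509" -inkey "$2.priv" -outform DER -out "$3"
}

# Verify the message in user space against the certificate that will be
# compiled into the kernel.  Exit status 0 means the signature checks out
# and the signer chains to the given certificate.
# $1 = PKCS#7 DER file, $2 = trusted certificate (PEM).
verify_pkcs7() {
    openssl smime -verify -binary -inform DER -in "$1" -CAfile "$2" \
        -out /dev/null 2>/dev/null
}

# Driver: "sh pkcs7-test.sh run" builds a stuff.pkcs7 in a scratch directory.
if [ "${1:-}" = run ]; then
    workdir=$(mktemp -d)
    cd "$workdir"
    # constructed test message, same text the Makefile in the patch uses
    printf '%s\n' "The quick red fox jumped over the lazy brown dog" > stuff.txt
    make_test_cert key3 "PKCS7 key 3"
    pem_to_der key3.x509 key3.der          # copy key3.der to the kernel tree as key3.x509
    sign_pkcs7 stuff.txt key3 stuff.pkcs7  # feed this to: keyctl padd pkcs7_test a @u <stuff.pkcs7
    verify_pkcs7 stuff.pkcs7 key3.x509 && echo "stuff.pkcs7 verifies against key3.x509"
    echo "key3.x509 is $(cert_format key3.x509), key3.der is $(cert_format key3.der)"
    openssl asn1parse -inform DER -in stuff.pkcs7 -i | head -n 5
    echo "files are in $workdir"
fi
```

Run the encoding check on every *.x509 file before dropping it into the kernel tree; a PEM file there does not just fail to load, it stops the whole compiled-in list. The userspace verify_pkcs7 step is the cheap way to tell a bad signature apart from a missing trust anchor: if openssl verifies the message against key3.x509 but the kernel answers "Required key not available", the problem is the keyring, not the message.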