[2] Enable swtpm_cert to create certificates for ML-KEM and ML-DSA keys#1124
Open
stefanberger wants to merge 11 commits into
Open
[2] Enable swtpm_cert to create certificates for ML-KEM and ML-DSA keys#1124stefanberger wants to merge 11 commits into
stefanberger wants to merge 11 commits into
Conversation
…pport Require that OpenSSL's libcrypto >= v3.5 is available since ML-KEM and ML-DSA support was added in this version. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Since swtpm now needs OpenSSL >= v3.5, upgrade the requirement for Ubuntu to 26.04. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
X509_time_adj_ex will return a NULL pointer if the days parameter is too far in the future. Therefore adjust the error message. Also avoid a memory leak when the return value was NULL. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
The IAK/IDevID certificate did not pass certificate chain verification due to malformed ASN.1 in the SAN. Fix the ASN.1 that is put into the SAN to have proper nesting of sequences. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
stefanberger
force-pushed
the
stefanberger/swtpm_cert_create_certs_for_pqc_keys
branch
from
b89b3df to
5b49754
Compare
Refactor the certificate creation tests to - create all needed keys and certs using openssl CLI tool - accept input parameters passed to test script - grep for more expected data in the created certificates - verify the created certificate with the intermediate CA - test signing with a secp521r1 key Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable the creation of EK and platform certificates where the to-be-certified key is an ML-KEM-512/768/1024 key. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Enable the createion of EK and platform certificates where the certified key is an ML-DSA-44/65/87 key. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add descriptions for the --public and --keyalgo command line options for passing ML-KEM and ML-DSA public keys to the swtpm_cert man page. Also describe the new capabilities. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
…chemes Enable swtpm_cert to sign EK certificates with ML-DSA and EdDSA keys. An ML-DSA-87 EK signed by an ML-DSA-87 private key (currently) leads to an EK certificate of ~7567 bytes. Therefore, large NVRAM spaces are needed to store such certificates. Also allow signing of the certificates with EdDSA keys, such as Ed25519 and Ed448. Add a recommendation for CA keys to the swtpm_setup man page. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Use swtpm_cert to sign the different types of TPM certificates with an ML-DSA-87 key. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
stefanberger
force-pushed
the
stefanberger/swtpm_cert_create_certs_for_pqc_keys
branch
from
5b49754 to
ff8a8f1
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See patch descriptions