How to add additional public keys to .secondary_trusted_keys?
I am trying to add additional keys to .secondary_trusted_keys. The documentation says that, to do so, the additional keys have to be signed by a key which is already resident in either .builtin_trusted_keys or .secondary_trusted_keys.
Steps:
1. Rebuilt Kernel 4.15.8 for Ubuntu 18.04 to get hold of the signing key (certs/signing_key.pem) which is built into the Kernel.
prashant@pra-ubuntu-1804:~/bionic/certs$ openssl x509 -in signing_key.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
83:db:41:db:8e:32:42:ba
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN = Build time autogenerated kernel key
Validity
Not Before: Jan 17 17:49:27 2019 GMT
Not After : Dec 24 17:49:27 2118 GMT
Subject: CN = Build time autogenerated kernel key
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b5:2a:d2:eb:f5:27:69:84:fa:37:39:38:b7:1f:
7b:a0:e3:28:c7:60:09:b2:0a:c4:f6:78:be:ce:66:
de:1f:a1:55:1d:48:fa:08:db:c4:16:fe:fb:33:d1:
70:40:88:18:b7:44:83:c1:f9:c2:90:40:06:97:4a:
dd:94:f1:70:e9:dd:8a:ee:75:f4:dd:d3:c6:56:bc:
dd:71:d2:ac:7b:d1:60:9f:bc:e4:19:70:96:65:b2:
11:da:64:d8:2f:d4:ea:b9:b2:73:3f:24:1b:bd:31:
bd:4b:21:b9:8d:ea:ea:ba:88:2e:a3:6c:5a:12:72:
46:36:e0:a3:0b:2a:95:13:1a:a3:32:a0:bb:e2:83:
37:98:c2:00:c8:dd:1a:99:f6:b4:03:cd:21:9e:42:
f5:9f:a4:c8:50:c1:61:10:28:fb:2e:16:8b:f5:f4:
09:f6:72:e7:5a:e4:9d:61:7f:b3:71:59:63:b4:70:
76:bd:50:e5:77:aa:ba:d4:53:a5:06:50:1e:6d:0c:
9c:17:09:34:c7:60:13:0a:10:5a:06:ff:17:08:6e:
45:07:06:e5:26:87:70:a6:5f:a6:ae:09:5d:ac:48:
45:ee:e1:2f:b5:c8:57:90:b0:29:5e:d2:86:c4:e4:
0b:f9:ff:97:c1:b4:8c:fb:e3:91:85:76:50:bf:61:
a8:40:d5:45:ba:3b:94:63:1c:7d:b8:27:f1:13:53:
18:20:2f:1b:36:7d:8a:a3:5a:8d:3b:01:3d:98:e9:
02:48:ba:03:92:e9:0a:c1:40:92:f5:0b:2e:ed:70:
48:14:a1:b8:6c:3b:10:36:bb:38:f5:d2:73:a1:a2:
81:4c:cd:dc:49:95:da:8f:75:b8:1b:ed:e4:be:67:
1a:fa:7f:51:69:46:53:51:75:2e:55:f7:c1:10:f1:
62:7b:ba:6a:67:d3:19:0a:22:5d:77:51:ec:9a:0f:
3a:5d:46:5c:25:33:4a:31:69:c1:5a:f4:88:7b:91:
d0:79:47:ad:22:c8:8e:8e:6c:ec:22:d9:d1:3e:74:
5a:f9:0c:5f:5b:ad:c7:20:38:89:c7:ff:cc:0b:a0:
c8:99:a9:aa:c5:5a:70:5b:90:e1:96:38:38:6f:60:
6a:b5:ae:02:fc:9d:90:b7:84:08:bd:a1:9a:b3:46:
a6:25:3e:51:14:ab:fc:95:f8:bd:e4:e0:88:16:88:
18:76:e4:b7:5e:0e:72:a4:49:92:98:32:ac:04:d4:
8f:9e:e0:13:de:b4:dd:3b:9c:85:93:bc:51:42:a0:
7e:68:ef:60:09:f0:72:c8:30:da:5d:b8:d4:71:98:
3c:c4:52:e0:81:b8:21:2f:5b:f7:fa:9e:0f:d0:23:
e4:8b:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature
X509v3 Subject Key Identifier:
A5:E0:1C:E6:A4:66:83:25:1B:DC:0C:7E:6E:4C:9D:35:86:1B:56:61
X509v3 Authority Key Identifier:
keyid:A5:E0:1C:E6:A4:66:83:25:1B:DC:0C:7E:6E:4C:9D:35:86:1B:56:61
Signature Algorithm: sha512WithRSAEncryption
b2:28:03:c3:2b:43:a6:1f:cd:e0:56:a7:a5:cf:e3:e9:88:48:
1c:86:d1:fa:ea:3f:21:15:6f:ec:95:66:57:e5:37:0c:ae:1a:
6b:86:5c:af:21:38:b6:87:e7:f8:8e:cc:da:66:c0:a2:6f:be:
44:11:58:e4:97:ac:a4:ce:e3:37:9d:37:bc:a5:b4:22:aa:7c:
ca:f5:c8:67:b5:a6:aa:31:37:34:dd:a4:81:55:80:b0:e7:0e:
da:61:ee:ad:7a:92:95:3a:18:3d:7f:3c:a3:ea:c8:fb:98:78:
b4:cd:b0:43:3e:3b:ee:a2:7a:00:58:c1:3d:15:51:ca:db:7c:
ef:ab:d1:66:3e:42:a9:d2:8a:48:1f:69:ff:7a:56:1e:03:23:
dd:6f:fc:97:28:9f:07:94:81:63:b4:76:c2:69:77:68:3d:7c:
71:3e:bc:02:fc:95:0b:49:31:82:a8:b0:78:45:60:18:7e:d6:
f7:f6:8e:e1:82:29:bc:28:91:e9:4e:77:ce:61:40:a1:7b:8b:
c1:77:b3:af:5f:e0:1c:90:56:98:0b:7c:70:ec:ad:ea:02:77:
26:d5:7d:f7:35:ae:18:da:24:c6:51:19:45:7c:2a:e3:07:26:
c4:88:8b:c0:4e:c2:98:07:fd:0a:5e:d7:23:19:76:35:3f:1f:
d7:15:95:22:a1:6a:28:8a:a4:24:d7:fe:2b:c4:86:7e:51:4f:
15:a6:e0:9e:76:dd:e2:ae:db:ca:e1:84:6d:e6:f7:30:da:3a:
22:83:2a:2b:35:76:93:44:a0:40:2d:23:c6:6d:0c:fd:b5:a7:
b6:7f:a2:25:3c:7e:f1:bd:ff:2c:f7:7b:e1:bb:de:02:36:eb:
5d:c4:eb:83:e9:16:4f:ce:dc:4c:c8:a3:1f:93:aa:b9:38:b2:
8c:68:50:4a:5a:50:ef:31:d3:cc:25:3b:5d:ec:84:24:a9:c9:
4d:61:f1:4c:7a:c1:63:39:66:78:94:cb:ba:4e:09:5e:9b:a8:
23:a5:a2:c4:be:08:13:f6:80:9f:41:1f:05:7b:1e:34:1b:d3:
92:5b:43:36:e2:06:30:9d:b6:40:0d:4a:ea:75:03:fa:90:8b:
15:ae:3c:fe:06:b8:19:96:e6:4b:b0:c3:c9:be:90:ea:99:9b:
54:41:ab:b1:16:1e:25:d5:42:78:e4:28:19:c0:67:30:86:df:
b7:f4:d9:fc:62:2c:2f:73:27:47:58:33:5a:c2:da:98:b8:a2:
dd:1f:80:2f:20:33:75:a2:a0:b8:af:d1:03:46:1a:a8:20:ea:
a9:c9:39:82:cb:b8:a2:26:24:43:f7:b8:79:5f:65:22:76:3f:
97:88:e5:21:d1:25:fc:77
2. Verified that .builtin_trusted_keys has the same signing key.
prashant@pra-ubuntu-1804:~/bionic/certs$ sudo keyctl show -x %:.builtin_trusted_keys
Keyring
0x3c40ebe7 ---lswrv 0 0 keyring: .builtin_trusted_keys
0x00a352e3 ---lswrv 0 0 _ asymmetric: Build time autogenerated kernel key: a5e01ce6a46683251bdc0c7e6e4c9d35861b5661
3. Generated a key pair signed by this build time autogenerated kernel key to add to .secondary_trusted_keys
prashant@pra-ubuntu-1804:~/bionic/certs$ openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -out additional_cert.csr -keyout additional_key.pem
Generating a 2048 bit RSA private key
................................+++
..................................+++
writing new private key to 'additional_key.pem'
-----
prashant@pra-ubuntu-1804:~/bionic/certs$ openssl x509 -req -sha512 -days 36500 -in additional_cert.csr -outform DER -out additional_cert.x509 -CA signing_key.pem -CAkey signing_key.pem -CAcreateserial
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Getting CA Private Key
4. But when I try to add additional_cert to .secondary_trusted_keys, it fails:
prashant@pra-ubuntu-1804:~$ sudo keyctl padd asymmetric "" %:.secondary_trusted_keys <additional_cert.x509
add_key: Required key not available
I need to add additional public keys to .secondary_trusted_keys.
kernel linux-kernel security kernel-modules
edited Jan 19 at 8:50 by Rui F Ribeiro
asked Jan 19 at 0:47 by Prashant
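A triage check for the `Required key not available` failure above, as an added example that is not part of the original post: it compares the Authority Key Identifier (AKID) of the certificate being added with the key IDs that `keyctl show -x` lists for a keyring. It assumes the kernel locates the signer through that identifier; the function names and the two certificate excerpts are constructed for illustration, and the keyring listing is the one from the question.

```shell
#!/bin/sh
# Added example (not from the original post). Pure text processing over the
# output of two commands that appear in the question:
#   openssl x509 -inform DER -in additional_cert.x509 -text -noout
#   sudo keyctl show -x %:.builtin_trusted_keys
# Assumption: the kernel finds the signing key via the new certificate's AKID.

# Print the AKID keyid from `openssl x509 -text` output on stdin, lowercased
# and without colons. Prints nothing when the certificate carries no AKID.
akid_from_text() {
    awk '
        /X509v3 Authority Key Identifier/ { want = 1; next }
        want {
            sub(/^[ \t]*(keyid:)?/, "")   # newer OpenSSL omits "keyid:"
            gsub(/[ \t\r:]/, "")
            print tolower($0)
            exit
        }'
}

# Print the hex key ID that ends each "asymmetric:" line of `keyctl show -x`.
keyring_ids() {
    sed -n 's/^.*asymmetric: .*: \([0-9a-fA-F]\{8,\}\)[[:space:]]*$/\1/p' |
        tr 'A-F' 'a-f'
}

# chain_status CERT_TEXT KEYRING_TEXT
# Echoes one of: no-akid | signer-listed | signer-not-listed
chain_status() {
    akid=$(printf '%s\n' "$1" | akid_from_text)
    if [ -z "$akid" ]; then
        echo no-akid
    elif printf '%s\n' "$2" | keyring_ids | grep -qxF "$akid"; then
        echo signer-listed
    else
        echo signer-not-listed
    fi
}

# Keyring listing as shown in the question.
SAMPLE_KEYRING='Keyring
0x3c40ebe7 ---lswrv 0 0 keyring: .builtin_trusted_keys
0x00a352e3 ---lswrv 0 0 _ asymmetric: Build time autogenerated kernel key: a5e01ce6a46683251bdc0c7e6e4c9d35861b5661'

# Constructed excerpt: a certificate whose AKID names the built-in key.
SAMPLE_CERT_WITH_AKID='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN = Build time autogenerated kernel key
        Subject: CN = constructed additional key
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:A5:E0:1C:E6:A4:66:83:25:1B:DC:0C:7E:6E:4C:9D:35:86:1B:56:61'

# Constructed excerpt: a certificate issued without any X509v3 extensions.
SAMPLE_CERT_NO_EXT='Certificate:
    Data:
        Version: 1 (0x0)
        Issuer: CN = Build time autogenerated kernel key
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd'

echo "with AKID:     $(chain_status "$SAMPLE_CERT_WITH_AKID" "$SAMPLE_KEYRING")"
echo "no extensions: $(chain_status "$SAMPLE_CERT_NO_EXT" "$SAMPLE_KEYRING")"
```

On a live system, pass the real output of the two commands named in the header comment as the two arguments to `chain_status`.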