How to add additional public keys to .secondary_trusted_keys?

I am trying to add additional keys to .secondary_trusted_keys. The documentation says that, to do so, the additional keys have to be signed by a key which is already resident in either .builtin_trusted_keys or .secondary_trusted_keys.



Steps:

1. Rebuilt Kernel 4.15.8 for Ubuntu 18.04 to get hold of the signing key (certs/signing_key.pem) which is built into the Kernel.



prashant@pra-ubuntu-1804:~/bionic/certs$ openssl x509 -in signing_key.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
83:db:41:db:8e:32:42:ba
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN = Build time autogenerated kernel key
Validity
Not Before: Jan 17 17:49:27 2019 GMT
Not After : Dec 24 17:49:27 2118 GMT
Subject: CN = Build time autogenerated kernel key
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:b5:2a:d2:eb:f5:27:69:84:fa:37:39:38:b7:1f:
7b:a0:e3:28:c7:60:09:b2:0a:c4:f6:78:be:ce:66:
de:1f:a1:55:1d:48:fa:08:db:c4:16:fe:fb:33:d1:
70:40:88:18:b7:44:83:c1:f9:c2:90:40:06:97:4a:
dd:94:f1:70:e9:dd:8a:ee:75:f4:dd:d3:c6:56:bc:
dd:71:d2:ac:7b:d1:60:9f:bc:e4:19:70:96:65:b2:
11:da:64:d8:2f:d4:ea:b9:b2:73:3f:24:1b:bd:31:
bd:4b:21:b9:8d:ea:ea:ba:88:2e:a3:6c:5a:12:72:
46:36:e0:a3:0b:2a:95:13:1a:a3:32:a0:bb:e2:83:
37:98:c2:00:c8:dd:1a:99:f6:b4:03:cd:21:9e:42:
f5:9f:a4:c8:50:c1:61:10:28:fb:2e:16:8b:f5:f4:
09:f6:72:e7:5a:e4:9d:61:7f:b3:71:59:63:b4:70:
76:bd:50:e5:77:aa:ba:d4:53:a5:06:50:1e:6d:0c:
9c:17:09:34:c7:60:13:0a:10:5a:06:ff:17:08:6e:
45:07:06:e5:26:87:70:a6:5f:a6:ae:09:5d:ac:48:
45:ee:e1:2f:b5:c8:57:90:b0:29:5e:d2:86:c4:e4:
0b:f9:ff:97:c1:b4:8c:fb:e3:91:85:76:50:bf:61:
a8:40:d5:45:ba:3b:94:63:1c:7d:b8:27:f1:13:53:
18:20:2f:1b:36:7d:8a:a3:5a:8d:3b:01:3d:98:e9:
02:48:ba:03:92:e9:0a:c1:40:92:f5:0b:2e:ed:70:
48:14:a1:b8:6c:3b:10:36:bb:38:f5:d2:73:a1:a2:
81:4c:cd:dc:49:95:da:8f:75:b8:1b:ed:e4:be:67:
1a:fa:7f:51:69:46:53:51:75:2e:55:f7:c1:10:f1:
62:7b:ba:6a:67:d3:19:0a:22:5d:77:51:ec:9a:0f:
3a:5d:46:5c:25:33:4a:31:69:c1:5a:f4:88:7b:91:
d0:79:47:ad:22:c8:8e:8e:6c:ec:22:d9:d1:3e:74:
5a:f9:0c:5f:5b:ad:c7:20:38:89:c7:ff:cc:0b:a0:
c8:99:a9:aa:c5:5a:70:5b:90:e1:96:38:38:6f:60:
6a:b5:ae:02:fc:9d:90:b7:84:08:bd:a1:9a:b3:46:
a6:25:3e:51:14:ab:fc:95:f8:bd:e4:e0:88:16:88:
18:76:e4:b7:5e:0e:72:a4:49:92:98:32:ac:04:d4:
8f:9e:e0:13:de:b4:dd:3b:9c:85:93:bc:51:42:a0:
7e:68:ef:60:09:f0:72:c8:30:da:5d:b8:d4:71:98:
3c:c4:52:e0:81:b8:21:2f:5b:f7:fa:9e:0f:d0:23:
e4:8b:ff
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature
X509v3 Subject Key Identifier:
A5:E0:1C:E6:A4:66:83:25:1B:DC:0C:7E:6E:4C:9D:35:86:1B:56:61
X509v3 Authority Key Identifier:
keyid:A5:E0:1C:E6:A4:66:83:25:1B:DC:0C:7E:6E:4C:9D:35:86:1B:56:61

Signature Algorithm: sha512WithRSAEncryption
b2:28:03:c3:2b:43:a6:1f:cd:e0:56:a7:a5:cf:e3:e9:88:48:
1c:86:d1:fa:ea:3f:21:15:6f:ec:95:66:57:e5:37:0c:ae:1a:
6b:86:5c:af:21:38:b6:87:e7:f8:8e:cc:da:66:c0:a2:6f:be:
44:11:58:e4:97:ac:a4:ce:e3:37:9d:37:bc:a5:b4:22:aa:7c:
ca:f5:c8:67:b5:a6:aa:31:37:34:dd:a4:81:55:80:b0:e7:0e:
da:61:ee:ad:7a:92:95:3a:18:3d:7f:3c:a3:ea:c8:fb:98:78:
b4:cd:b0:43:3e:3b:ee:a2:7a:00:58:c1:3d:15:51:ca:db:7c:
ef:ab:d1:66:3e:42:a9:d2:8a:48:1f:69:ff:7a:56:1e:03:23:
dd:6f:fc:97:28:9f:07:94:81:63:b4:76:c2:69:77:68:3d:7c:
71:3e:bc:02:fc:95:0b:49:31:82:a8:b0:78:45:60:18:7e:d6:
f7:f6:8e:e1:82:29:bc:28:91:e9:4e:77:ce:61:40:a1:7b:8b:
c1:77:b3:af:5f:e0:1c:90:56:98:0b:7c:70:ec:ad:ea:02:77:
26:d5:7d:f7:35:ae:18:da:24:c6:51:19:45:7c:2a:e3:07:26:
c4:88:8b:c0:4e:c2:98:07:fd:0a:5e:d7:23:19:76:35:3f:1f:
d7:15:95:22:a1:6a:28:8a:a4:24:d7:fe:2b:c4:86:7e:51:4f:
15:a6:e0:9e:76:dd:e2:ae:db:ca:e1:84:6d:e6:f7:30:da:3a:
22:83:2a:2b:35:76:93:44:a0:40:2d:23:c6:6d:0c:fd:b5:a7:
b6:7f:a2:25:3c:7e:f1:bd:ff:2c:f7:7b:e1:bb:de:02:36:eb:
5d:c4:eb:83:e9:16:4f:ce:dc:4c:c8:a3:1f:93:aa:b9:38:b2:
8c:68:50:4a:5a:50:ef:31:d3:cc:25:3b:5d:ec:84:24:a9:c9:
4d:61:f1:4c:7a:c1:63:39:66:78:94:cb:ba:4e:09:5e:9b:a8:
23:a5:a2:c4:be:08:13:f6:80:9f:41:1f:05:7b:1e:34:1b:d3:
92:5b:43:36:e2:06:30:9d:b6:40:0d:4a:ea:75:03:fa:90:8b:
15:ae:3c:fe:06:b8:19:96:e6:4b:b0:c3:c9:be:90:ea:99:9b:
54:41:ab:b1:16:1e:25:d5:42:78:e4:28:19:c0:67:30:86:df:
b7:f4:d9:fc:62:2c:2f:73:27:47:58:33:5a:c2:da:98:b8:a2:
dd:1f:80:2f:20:33:75:a2:a0:b8:af:d1:03:46:1a:a8:20:ea:
a9:c9:39:82:cb:b8:a2:26:24:43:f7:b8:79:5f:65:22:76:3f:
97:88:e5:21:d1:25:fc:77


2. Verified that .builtin_trusted_keys has the same signing key.



prashant@pra-ubuntu-1804:~/bionic/certs$ sudo keyctl show -x %:.builtin_trusted_keys
Keyring
0x3c40ebe7 ---lswrv 0 0 keyring: .builtin_trusted_keys
0x00a352e3 ---lswrv 0 0 _ asymmetric: Build time autogenerated kernel key: a5e01ce6a46683251bdc0c7e6e4c9d35861b5661


3. Generated a key pair signed by this build time autogenerated kernel key to add to .secondary_trusted_keys.



prashant@pra-ubuntu-1804:~/bionic/certs$ openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -out additional_cert.csr -keyout additional_key.pem
Generating a 2048 bit RSA private key
................................+++
..................................+++
writing new private key to 'additional_key.pem'
-----
prashant@pra-ubuntu-1804:~/bionic/certs$ openssl x509 -req -sha512 -days 36500 -in additional_cert.csr -outform DER -out additional_cert.x509 -CA signing_key.pem -CAkey signing_key.pem -CAcreateserial
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Getting CA Private Key


4. But when I try to add additional_cert to .secondary_trusted_keys, it fails:



prashant@pra-ubuntu-1804:~$ sudo keyctl padd asymmetric "" %:.secondary_trusted_keys <additional_cert.x509 
add_key: Required key not available


I need to add additional public keys to .secondary_trusted_keys.










kernel linux-kernel security kernel-modules






edited Jan 19 at 8:50 by Rui F Ribeiro

asked Jan 19 at 0:47 by Prashant
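A pre-flight check for step 4, as an added example that is not part of the original post: the kernel links a certificate into a restricted keyring only if the key named by the certificate's Authority Key Identifier is already trusted, so the script compares that identifier with the key IDs that `keyctl show -x` lists. The function names are hypothetical, only the keyid form of the identifier is handled, the keyring listing is copied from step 2, and the three certificate texts are constructed samples.

```bash
#!/bin/sh
# Added example (not from the original post): offline check to run before
#   keyctl padd asymmetric "" %:.secondary_trusted_keys < cert.x509
# Inputs are text only:
#   openssl x509 -inform DER -in additional_cert.x509 -text -noout
#   keyctl show -x %:.builtin_trusted_keys

# Print the hex key ID of every asymmetric key in a keyctl listing (stdin).
keyring_ids() {
    awk '/asymmetric:/ { print tolower($NF) }'
}

# Print the Authority Key Identifier (keyid form) from openssl text output
# (stdin) as lowercase hex without colons; print nothing if it is absent.
# Accepts both "keyid:AA:BB" (OpenSSL 1.1) and bare "AA:BB" (OpenSSL 3).
cert_akid() {
    awk '
        /X509v3 Authority Key Identifier/ { in_akid = 1; next }
        in_akid && /^[ \t]*(keyid:)?[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+[ \t]*$/ {
            sub(/^[ \t]*(keyid:)?/, "")
            gsub(/[: \t]/, "")
            print tolower($0)
            exit
        }
        in_akid && /X509v3|Signature Algorithm/ { exit }
    '
}

# can_link CERT_TEXT KEYRING_TEXT
# Prints no-akid, unknown-issuer:<id> or match:<id>; returns 0 only on match.
can_link() {
    cl_akid=$(printf '%s\n' "$1" | cert_akid)
    if [ -z "$cl_akid" ]; then
        echo "no-akid"
        return 1
    fi
    if printf '%s\n' "$2" | keyring_ids | grep -qxF "$cl_akid"; then
        echo "match:$cl_akid"
        return 0
    fi
    echo "unknown-issuer:$cl_akid"
    return 1
}

# Keyring listing as shown in step 2 of the question.
KEYRING_LISTING='Keyring
0x3c40ebe7 ---lswrv 0 0 keyring: .builtin_trusted_keys
0x00a352e3 ---lswrv 0 0 _ asymmetric: Build time autogenerated kernel key: a5e01ce6a46683251bdc0c7e6e4c9d35861b5661'

# Constructed sample: certificate text without any X509v3 extensions.
CERT_NO_AKID='Certificate:
    Data:
        Version: 1 (0x0)
        Issuer: CN = Build time autogenerated kernel key
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
    Signature Algorithm: sha512WithRSAEncryption'

# Constructed sample: identifier equals the builtin key ID from step 2.
CERT_WITH_AKID='Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
            X509v3 Authority Key Identifier:
                keyid:A5:E0:1C:E6:A4:66:83:25:1B:DC:0C:7E:6E:4C:9D:35:86:1B:56:61
    Signature Algorithm: sha512WithRSAEncryption'

# Constructed sample: identifier names a key that is not in the keyring.
CERT_OTHER_AKID='Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
    Signature Algorithm: sha512WithRSAEncryption'

printf 'no extensions  : %s\n' "$(can_link "$CERT_NO_AKID" "$KEYRING_LISTING")"
printf 'matching keyid : %s\n' "$(can_link "$CERT_WITH_AKID" "$KEYRING_LISTING")"
printf 'foreign keyid  : %s\n' "$(can_link "$CERT_OTHER_AKID" "$KEYRING_LISTING")"
```

With `openssl x509 -req`, the identifier extensions come from an `-extfile` section that sets `subjectKeyIdentifier=hash` and `authorityKeyIdentifier=keyid`.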
