Always generate a random GOST key for the kernel keyring (later add preinstalled trusted GOST keys)

kernel.spec

@@ -11,7 +11,7 @@
 %define sublevel	25
 
 # Release number. Increase this before a rebuild.
-%define rpmrel		9
+%define rpmrel		10
 %define fullrpmrel	%{rpmrel}
 
 %define rpmtag		%{disttag}
@@ -53,7 +53,7 @@
 %endif
 # User Mode Linux, https://habr.com/ru/company/itsumma/blog/459558/
 %bcond_without uml
-%bcond_with gost_keys
+%bcond_with gost_sign
 
 # "Nickel" is a special brand for certified distros
 %if %{mdvver} == 201900 || %{mdvver} == 201905
@@ -928,6 +928,9 @@ sed -i '/CONFIG_CRYPTO_STREEBOG/d' .config
 echo 'CONFIG_CRYPTO_STREEBOG=y' >> %{build_dir}/.config.append
 sed -i '/CONFIG_CRYPTO_ECRDSA/d' .config
 echo 'CONFIG_CRYPTO_ECRDSA=y' >> %{build_dir}/.config.append
+# RSA is =m after make ARCH=um defconfig
+sed -i '/CONFIG_CRYPTO_RSA/d' .config
+echo 'CONFIG_CRYPTO_RSA=y' >> %{build_dir}/.config.append
 
 sed -i '/CONFIG_LSM/d' .config
 echo 'CONFIG_LSM="yama,loadpin,integrity,selinux,apparmor,altha"' >> %{build_dir}/.config.append
@@ -1030,12 +1033,12 @@ cat <<EOF > "%{certs_key_config_rnd}"
 [ req ]
 prompt = no
 string_mask = utf8only
-default_keyfile = %{certs_signing_key_priv_rnd}
+#default_keyfile = %{certs_signing_key_priv_rnd}
 distinguished_name = req_distinguished_name
 x509_extensions = myexts
 [ req_distinguished_name ]
 organizationName = %{vendor} rpmbuild
-commonName = Build time autogenerated kernel key
+commonName = Build time autogenerated @ALGO@ kernel key
 emailAddress = ${email}
 [ myexts ]
 basicConstraints=critical,CA:FALSE
@@ -1044,33 +1047,54 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
 EOF
 cat "%{certs_key_config_rnd}"
+sed -e 's,@ALGO@,RSA,g' "%{certs_key_config_rnd}" > "%{certs_key_config_rnd}.RSA"
+sed -e 's,@ALGO@,GOST R 34.10-2012,g' "%{certs_key_config_rnd}" > "%{certs_key_config_rnd}.GOST"
+# avoid using the template
+rm -f "%{certs_key_config_rnd}"
 
-libressl req -new -nodes -utf8 -batch \
+_libressl_gen_key(){
-%if %{with gost_keys}
+	if [ "$GOST_KEY" = 1 ]
-	-newkey gost2001 \
+	then
-	-pkeyopt dgst:streebog512 -pkeyopt paramset:A \
+		lssl_req_gost_args="\
-	-streebog512 \
+			-newkey gost2001 \
-%endif
+			-pkeyopt dgst:streebog512 -pkeyopt paramset:A \
-	-days 109500 \
+			-streebog512"
-	-x509 -config "%{certs_key_config_rnd}" \
+		OUT="%{certs_signing_key_priv_rnd}.GOST"
-	-outform PEM \
+		CONFIG="%{certs_key_config_rnd}.GOST"
-	-out "%{certs_signing_key_priv_rnd}" \
+	else
-	-keyout "%{certs_signing_key_priv_rnd}"
+		lssl_req_gost_args=""
+		OUT="%{certs_signing_key_priv_rnd}.RSA"
+		CONFIG="%{certs_key_config_rnd}.RSA"
+	fi
+		libressl req -new -nodes -utf8 -batch \
+			$lssl_req_gost_args \
+			-days 109500 \
+			-x509 -config "$CONFIG" \
+			-out "$OUT" \
+			-keyout "$OUT"
 
-# Verify
+	# Verify
-%if %{with gost_keys}
+	if [ "$GOST_KEY" = 1 ]; then
-libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \
+		libressl x509 -in "%{certs_signing_key_priv_rnd}.GOST" -text -noout \
-	| grep -E 'Signature Algorithm:.*GOST R 34.10-2012'
+			| grep -E 'Signature Algorithm:.*GOST R 34.10-2012'
-libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \
+		libressl x509 -in "%{certs_signing_key_priv_rnd}.GOST" -text -noout \
-	| grep -E 'Digest Algorithm:.*GOST R 34-11-2012'
+			| grep -E 'Digest Algorithm:.*GOST R 34-11-2012'
-libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \
+		libressl x509 -in "%{certs_signing_key_priv_rnd}.GOST" -text -noout \
-	| grep -E 'Public Key Algorithm:.*GOST R 34.10-2012'
+			| grep -E 'Public Key Algorithm:.*GOST R 34.10-2012'
-%endif
+	fi
+}
 
-# Strip public part from the generated PEM
+GOST_KEY=0 _libressl_gen_key
+GOST_KEY=1 _libressl_gen_key
+# Fake CONFIG_MODULE_SIG_KEY to make build scripts happy
+cp -v "%{certs_signing_key_priv_rnd}.RSA" "%{certs_signing_key_priv_rnd}"
+
+# Strip public parts from the generated PEMs
 sed -n \
-	'/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p;/^-----END CERTIFICATE-----$/q' \
+	'/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
-	"%{certs_signing_key_priv_rnd}" > "%{certs_public_keys}"
+	"%{certs_signing_key_priv_rnd}.GOST" \
+	"%{certs_signing_key_priv_rnd}.RSA" \
+	> "%{certs_public_keys}"
 
 # link sign-file and extract-cert with LibreSSL instead of OpenSSL
 libressl_cflags="$(pkg-config --cflags --libs libressl-libcrypto)"
@@ -1081,8 +1105,9 @@ sed -i %{src_dir}/scripts/Makefile \
 %endif
 	-e "s,-lcrypto,${libressl_cflags},g"
 
-%if %{with additional_keys} && !%{with gost_keys}
+%if %{with additional_keys}
 # Add additional public RSA keys to the list of trusted keys for kernel modules
+# TODO: add GOST keys
 # Build kernel --without additional_keys if you do not want to trust them
 cat %{expand:%(for i in `seq 1 12`; do echo "%%SOURCE$((200+${i}))" | tr "\n" " "; done)} \
 	>> "%{certs_public_keys}"
@@ -1273,7 +1298,7 @@ _libressl_sign(){
 	  return 0
 	fi
 	f="$1"
-%if %{with gost_keys}
+%if %{with gost_sign}
 	# This is an incorrect signature, GOST support is needed in CMS (?!)
 	libressl dgst -streebog512 \
 		-sign "%{certs_signing_key_priv_rnd}" "$f" \