From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.ibm.com>, linux-integrity@vger.kernel.org
Subject: Re: [PATCH v2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message
Date: Thu, 18 Jul 2019 18:59:29 +0300 [thread overview]
Message-ID: <20190718155929.jystftv4oemwx5r4@altlinux.org> (raw)
In-Reply-To: <20190717231446.au4kjxvrgkyajn2v@altlinux.org>
Mimi,
On Thu, Jul 18, 2019 at 02:14:46AM +0300, Vitaly Chikunov wrote:
> On Tue, Jul 16, 2019 at 09:36:29PM -0400, Mimi Zohar wrote:
> > When keys are not provided, the default key is used to verify the file
> > signature, resulting in this erroneous message. Before using the default
> > key to verify the file signature, verify the keyid is correct.
> >
> > This patch adds the public key from the default x509 certificate onto the
> > "public_keys" list.
> >
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > ---
> > src/evmctl.c | 9 ++++++---
> > src/libimaevm.c | 17 +++++++----------
> > 2 files changed, 13 insertions(+), 13 deletions(-)
> >
> > diff --git a/src/evmctl.c b/src/evmctl.c
> > index 61808d276419..65cc5bd12bad 100644
> > --- a/src/evmctl.c
> > +++ b/src/evmctl.c
> > @@ -879,8 +879,10 @@ static int cmd_verify_ima(struct command *cmd)
> > char *file = g_argv[optind++];
> > int err;
> >
> > - if (params.keyfile)
> > + if (params.keyfile) /* Support multiple public keys */
> > init_public_keys(params.keyfile);
> > + else /* assume read pubkey from x509 cert */
> > + init_public_keys("/etc/keys/x509_evm.der");
> >
> > errno = 0;
> > if (!file) {
> > @@ -1602,9 +1604,10 @@ static int ima_measurement(const char *file)
> > return -1;
> > }
> >
> > - /* Support multiple public keys */
> > - if (params.keyfile)
> > + if (params.keyfile) /* Support multiple public keys */
> > init_public_keys(params.keyfile);
> > + else /* assume read pubkey from x509 cert */
> > + init_public_keys("/etc/keys/x509_evm.der");
> >
> > while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
> > ima_extend_pcr(pcr[entry.header.pcr], entry.header.digest,
> > diff --git a/src/libimaevm.c b/src/libimaevm.c
> > index ae487f9fe36c..afd21051b09a 100644
> > --- a/src/libimaevm.c
> > +++ b/src/libimaevm.c
> > @@ -302,6 +302,9 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
> > X509 *crt = NULL;
> > EVP_PKEY *pkey = NULL;
> >
> > + if (!keyfile)
> > + return NULL;
> > +
> > fp = fopen(keyfile, "r");
> > if (!fp) {
> > log_err("Failed to open keyfile: %s\n", keyfile);
> > @@ -569,27 +572,21 @@ static int get_hash_algo_from_sig(unsigned char *sig)
> > int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig,
> > int siglen)
> > {
> > - const char *key;
> > - int x509;
> > + const char *key = NULL;
> > verify_hash_fn_t verify_hash;
> >
> > /* Get signature type from sig header */
> > if (sig[0] == DIGSIG_VERSION_1) {
> > verify_hash = verify_hash_v1;
> > +
> > /* Read pubkey from RSA key */
> > - x509 = 0;
> > + if (!params.keyfile)
> > + key = "/etc/keys/pubkey_evm.pem";
>
> There is only three code path reaching here:
>
> 1. From cmd_ima_measurement - calls init_public_keys.
> 2. From cmd_verify_ima - calls init_public_keys.
> 3. From cmd_verify_evm - probably it should call init_public_keys too.
>
> Otherwise this change looks, good. When `--key` is not specified load
> default public key from x509_evm.der, but for signature v1 pass
> pubkey_evm.pem into verify_hash_v1.
>
> As a consequence, verify_hash_v2 should remove code handling `keyfile`
> argument (maybe with argument itself) because it's now always NULL, and
> just call find_keyid.
Btw, there is strange code in evmctl.c:cmd_convert():
params.x509 = 0;
inkey = g_argv[optind++];
if (!inkey) {
inkey = params.x509 ? "/etc/keys/x509_evm.der" :
"/etc/keys/pubkey_evm.pem";
}
Assigning zero to params.x509 makes `params.x509 ? ... : ...` redundant.
Thanks,
next prev parent reply other threads:[~2019-07-18 15:59 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-17 1:36 [PATCH v2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message Mimi Zohar
2019-07-17 23:14 ` Vitaly Chikunov
2019-07-18 15:59 ` Vitaly Chikunov [this message]
2019-07-18 17:09 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190718155929.jystftv4oemwx5r4@altlinux.org \
--to=vt@altlinux.org \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).