linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.ibm.com>, linux-integrity@vger.kernel.org
Subject: Re: [PATCH v2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message
Date: Thu, 18 Jul 2019 18:59:29 +0300	[thread overview]
Message-ID: <20190718155929.jystftv4oemwx5r4@altlinux.org> (raw)
In-Reply-To: <20190717231446.au4kjxvrgkyajn2v@altlinux.org>

Mimi,

On Thu, Jul 18, 2019 at 02:14:46AM +0300, Vitaly Chikunov wrote:
> On Tue, Jul 16, 2019 at 09:36:29PM -0400, Mimi Zohar wrote:
> > When keys are not provided, the default key is used to verify the file
> > signature, resulting in this erroneous message.  Before using the default
> > key to verify the file signature, verify the keyid is correct.
> > 
> > This patch adds the public key from the default x509 certificate onto the
> > "public_keys" list.
> > 
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > ---
> >  src/evmctl.c    |  9 ++++++---
> >  src/libimaevm.c | 17 +++++++----------
> >  2 files changed, 13 insertions(+), 13 deletions(-)
> > 
> > diff --git a/src/evmctl.c b/src/evmctl.c
> > index 61808d276419..65cc5bd12bad 100644
> > --- a/src/evmctl.c
> > +++ b/src/evmctl.c
> > @@ -879,8 +879,10 @@ static int cmd_verify_ima(struct command *cmd)
> >  	char *file = g_argv[optind++];
> >  	int err;
> >  
> > -	if (params.keyfile)
> > +	if (params.keyfile)	/* Support multiple public keys */
> >  		init_public_keys(params.keyfile);
> > +	else			/* assume read pubkey from x509 cert */
> > +		init_public_keys("/etc/keys/x509_evm.der");
> >  
> >  	errno = 0;
> >  	if (!file) {
> > @@ -1602,9 +1604,10 @@ static int ima_measurement(const char *file)
> >  		return -1;
> >  	}
> >  
> > -	/* Support multiple public keys */
> > -	if (params.keyfile)
> > +	if (params.keyfile)	/* Support multiple public keys */
> >  		init_public_keys(params.keyfile);
> > +	else			/* assume read pubkey from x509 cert */
> > +		init_public_keys("/etc/keys/x509_evm.der");
> >  
> >  	while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
> >  		ima_extend_pcr(pcr[entry.header.pcr], entry.header.digest,
> > diff --git a/src/libimaevm.c b/src/libimaevm.c
> > index ae487f9fe36c..afd21051b09a 100644
> > --- a/src/libimaevm.c
> > +++ b/src/libimaevm.c
> > @@ -302,6 +302,9 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
> >  	X509 *crt = NULL;
> >  	EVP_PKEY *pkey = NULL;
> >  
> > +	if (!keyfile)
> > +		return NULL;
> > +
> >  	fp = fopen(keyfile, "r");
> >  	if (!fp) {
> >  		log_err("Failed to open keyfile: %s\n", keyfile);
> > @@ -569,27 +572,21 @@ static int get_hash_algo_from_sig(unsigned char *sig)
> >  int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig,
> >  		int siglen)
> >  {
> > -	const char *key;
> > -	int x509;
> > +	const char *key = NULL;
> >  	verify_hash_fn_t verify_hash;
> >  
> >  	/* Get signature type from sig header */
> >  	if (sig[0] == DIGSIG_VERSION_1) {
> >  		verify_hash = verify_hash_v1;
> > +
> >  		/* Read pubkey from RSA key */
> > -		x509 = 0;
> > +		if (!params.keyfile)
> > +			key = "/etc/keys/pubkey_evm.pem";
> 
> There is only three code path reaching here:
> 
> 1. From cmd_ima_measurement - calls init_public_keys.
> 2. From cmd_verify_ima - calls init_public_keys.
> 3. From cmd_verify_evm - probably it should call init_public_keys too.
> 
> Otherwise this change looks, good. When `--key` is not specified load
> default public key from x509_evm.der, but for signature v1 pass
> pubkey_evm.pem into verify_hash_v1.
> 
> As a consequence, verify_hash_v2 should remove code handling `keyfile`
> argument (maybe with argument itself) because it's now always NULL, and
> just call find_keyid.

Btw, there is strange code in evmctl.c:cmd_convert():

        params.x509 = 0;

        inkey = g_argv[optind++];
        if (!inkey) {
                inkey = params.x509 ? "/etc/keys/x509_evm.der" :
                                      "/etc/keys/pubkey_evm.pem";
        }

Assigning zero to params.x509 makes `params.x509 ? ... : ...` redundant.

Thanks,



  reply	other threads:[~2019-07-18 15:59 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-17  1:36 [PATCH v2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message Mimi Zohar
2019-07-17 23:14 ` Vitaly Chikunov
2019-07-18 15:59   ` Vitaly Chikunov [this message]
2019-07-18 17:09     ` Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190718155929.jystftv4oemwx5r4@altlinux.org \
    --to=vt@altlinux.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).