linux-integrity.vger.kernel.org archive mirror
* [PATCH] ima-evm-utils: Show information about x509 cert when loading public key
@ 2019-07-19 21:44 Vitaly Chikunov
From: Vitaly Chikunov @ 2019-07-19 21:44 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin, linux-integrity

If verbose output is specified, output some interesting x509 cert flags
and whether it has the Digital Signature purpose defined or not. While these
constraints are not enforced anywhere, this may be useful for the user to
know.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
 src/libimaevm.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 2280add..1c85397 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -56,6 +56,7 @@
 #include <openssl/pem.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/err.h>
 
 #include "imaevm.h"
@@ -333,6 +334,26 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
 				keyfile);
 			goto out;
 		}
+
+		if (params.verbose > LOG_INFO) {
+			uint32_t flags;
+
+			flags = X509_get_extension_flags(crt);
+			log_info("Load x509 cert: %s flags:", keyfile);
+			if (flags & EXFLAG_CA)
+				log_info(" CA");
+			if (flags & EXFLAG_SI)
+				log_info(" Self-issued");
+			if (flags & EXFLAG_SS)
+				log_info(" Self-signed");
+			flags = X509_get_key_usage(crt);
+			if (flags & KU_DIGITAL_SIGNATURE)
+				log_info(" Digital-Signature");
+			else
+				log_info(" No-Digital-Signature");
+			log_info("\n");
+		}
+
 		pkey = X509_extract_key(crt);
 		X509_free(crt);
 		if (!pkey) {
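Review bot: the key-usage branch added to read_pub_pkey() misreports certificates that carry no KeyUsage extension at all. X509_get_key_usage() returns UINT32_MAX when the extension is absent, so `flags & KU_DIGITAL_SIGNATURE` is true for such a cert and it is logged as " Digital-Signature" instead of " No-Digital-Signature". Test `X509_get_extension_flags(crt) & EXFLAG_KUSAGE` first and print a distinct marker (e.g. " No-KeyUsage") when it is clear, only then inspecting the KU_DIGITAL_SIGNATURE bit. Two smaller points: X509_get_extension_flags() and X509_get_key_usage() only exist since OpenSSL 1.1.0, so a build against 1.0.2 needs a version guard or a fallback around this block; and reusing the same `flags` variable for extension flags and then key-usage bits makes the code easy to misread, so a separate `ku` variable would help.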
-- 
2.11.0

