linux-integrity.vger.kernel.org archive mirror
* [PATCH ima-evm-utils] First try to get keyid from cert then fall back to calculating
@ 2024-04-29 19:09 Stefan Berger
  0 siblings, 0 replies; only message in thread
From: Stefan Berger @ 2024-04-29 19:09 UTC (permalink / raw)
  To: linux-integrity; +Cc: zohar, roberto.sassu, Stefan Berger

When trying to verify signatures, verification may fail if the key id
derived from the subject key identifier (skid) is different from the one
that is being calculated from the public key. Therefore, first try to get
the key id from the skid of a certificate and only if this does not work,
fall back to calculating it from the public key. This way signature
verification will first use the same method to get the key id as the Linux
kernel does.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/libimaevm.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 89330c4..729be7b 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -71,6 +71,9 @@
 #include "imaevm.h"
 #include "hash_info.h"
 
+static int read_keyid_from_cert(uint32_t *keyid_be, const char *certfile,
+				int try_der);
+
 /* Names that are primary for OpenSSL. */
 static const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
 	[PKEY_HASH_MD4]		= "md4",
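Review bot: the file-local prototype for read_keyid_from_cert() added here implies its definition sits further down than imaevm_init_public_keys(), which now calls it; a short comment above the prototype documenting the `try_der` argument and the return convention the caller relies on (negative on failure, key id stored in `*keyid_be` big-endian) would save the next reader a trip to the definition, or alternatively move the definition above its first use and drop the forward declaration.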
@@ -458,7 +461,9 @@ int imaevm_init_public_keys(const char *keyfiles,
 			continue;
 		}
 
-		calc_keyid_v2(&entry->keyid, entry->name, entry->key);
+		if (read_keyid_from_cert(&entry->keyid, keyfile, 1) < 0)
+			calc_keyid_v2(&entry->keyid, entry->name, entry->key);
+
 		sprintf(entry->name, "%x", __be32_to_cpup(&entry->keyid));
 		log_info("key %d: %s %s\n", i++, entry->name, keyfile);
 		entry->next = *public_keys;
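Review bot: the fallback to calc_keyid_v2() is silent, so any negative return from read_keyid_from_cert(), whether because `keyfile` is a bare public key rather than a certificate or because a certificate is present but its SKID could not be read, ends up with the computed key id, which is precisely the value the commit message says the kernel may not match. Consider emitting a log_debug()/log_info() line on the fallback path so an operator can tell which derivation produced `entry->keyid`, and confirm that read_keyid_from_cert() leaves `*keyid_be` untouched on every failure path so entry->keyid is never partially written before calc_keyid_v2() overwrites it.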
-- 
2.34.1
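As an added example (not part of this patch or of ima-evm-utils), the script below derives the v2 key id from a certificate both ways the commit message describes: from the last four bytes of the X.509 Subject Key Identifier, and from the last four bytes of SHA-1 over the subjectPublicKey bit string, which is the input calc_keyid_v2() hashes. It assumes the openssl CLI (1.1.1 or later) is installed; the function names are mine. Running it against a certificate shows whether a signature made with the public-key-derived key id carries the same key id the kernel takes from the SKID, i.e. whether the mismatch this patch works around can occur for that certificate.

```shell
#!/bin/sh
# Added example, not code from ima-evm-utils: compare the two derivations of
# an IMA/EVM v2 key id for one certificate.
#   keyid_from_skid   - last 4 bytes of the Subject Key Identifier extension
#   keyid_from_pubkey - last 4 bytes of SHA-1 over the subjectPublicKey BIT
#                       STRING contents (what calc_keyid_v2() hashes)
# Key ids are printed as 8 lowercase hex digits, like the "%x" entry->name.
# Requires the openssl command-line tool (1.1.1 or newer).

# keyid_from_skid CERT: key id from the certificate's SKID; fails if absent.
keyid_from_skid() {
    skid=$(openssl x509 -in "$1" -noout -ext subjectKeyIdentifier 2>/dev/null \
        | awk 'NR == 2 { gsub(/[ :]/, ""); print tolower($0) }')
    [ -n "$skid" ] || return 1
    printf '%s\n' "$skid" | tail -c 9      # last 8 hex digits plus newline
}

# keyid_from_pubkey CERT: key id computed from the public key. The SPKI DER is
# located with asn1parse so the BIT STRING payload can be cut out generically
# (works for RSA and EC keys alike), then hashed with SHA-1.
keyid_from_pubkey() {
    spki=$(mktemp) || return 1
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER -out "$spki" 2>/dev/null \
        || { rm -f "$spki"; return 1; }
    # asn1parse prints the BIT STRING as e.g. "   19:d=1  hl=4 l= 271 prim: BIT STRING"
    line=$(openssl asn1parse -inform DER -in "$spki" | grep 'prim: BIT STRING' | head -n 1)
    off=$(printf '%s' "$line" | sed -n 's/^ *\([0-9]*\):.*/\1/p')
    hl=$(printf '%s' "$line" | sed -n 's/.*hl=\([0-9]*\).*/\1/p')
    len=$(printf '%s' "$line" | sed -n 's/.*l= *\([0-9]*\).*/\1/p')
    [ -n "$off" ] && [ -n "$hl" ] && [ -n "$len" ] || { rm -f "$spki"; return 1; }
    # skip the tag/length header and the unused-bits octet of the BIT STRING
    start=$((off + hl + 1))
    count=$((len - 1))
    digest=$(tail -c +$((start + 1)) "$spki" | head -c "$count" \
        | openssl sha1 -r | cut -d' ' -f1)
    rm -f "$spki"
    printf '%s\n' "$digest" | tail -c 9
}

# keyid_matches CERT: succeed when both derivations agree. A mismatch means
# the SKID was not produced by the SHA-1-over-public-key method, so a signer
# that only computes the key id would emit one the kernel does not know.
keyid_matches() {
    a=$(keyid_from_skid "$1") || { echo "no SKID in $1" >&2; return 2; }
    b=$(keyid_from_pubkey "$1") || return 2
    echo "skid-derived:   $a"
    echo "pubkey-derived: $b"
    [ "$a" = "$b" ]
}

# Usage: sh keyid_check.sh CERT.pem   (exit status 0 when the key ids agree)
if [ "$#" -ge 1 ]; then
    keyid_matches "$1"
fi
```

A certificate produced with OpenSSL's `subjectKeyIdentifier=hash` yields the same value on both lines, because that SKID method is also SHA-1 over the public-key bit string; certificates whose SKID was generated differently (for example by another CA toolchain) are the ones for which the patch's SKID-first order matters.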

