From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: [PATCH] ima-evm-utils: Do not load keys from x509 certs if user pass --rsa
Date: Sun, 28 Jul 2019 07:03:54 +0300 [thread overview]
Message-ID: <20190728040354.14983-1-vt@altlinux.org> (raw)
If user wants to verify v1 signature and specify RSA public key in `-k'
option, this key will be attempted to be loaded as x509 certificate and
this process will output errors.
Do not load a key as a x509 cert if user pass `--rsa'.
This is not perfect solution. As now it's possible to specify `-k' and
`--rsa' and v2 signatures will not verify, because of no keys.
This improvement is not added into ima_measurement().
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
src/evmctl.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index e0a835f..0f821e4 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -843,10 +843,12 @@ static int cmd_verify_evm(struct command *cmd)
return -1;
}
- if (imaevm_params.keyfile) /* Support multiple public keys */
- init_public_keys(imaevm_params.keyfile);
- else /* assume read pubkey from x509 cert */
- init_public_keys("/etc/keys/x509_evm.der");
+ if (imaevm_params.x509) {
+ if (imaevm_params.keyfile) /* Support multiple public keys */
+ init_public_keys(imaevm_params.keyfile);
+ else /* assume read pubkey from x509 cert */
+ init_public_keys("/etc/keys/x509_evm.der");
+ }
err = verify_evm(file);
if (!err && imaevm_params.verbose >= LOG_INFO)
@@ -889,10 +891,12 @@ static int cmd_verify_ima(struct command *cmd)
char *file = g_argv[optind++];
int err, fails = 0;
- if (imaevm_params.keyfile) /* Support multiple public keys */
- init_public_keys(imaevm_params.keyfile);
- else /* assume read pubkey from x509 cert */
- init_public_keys("/etc/keys/x509_evm.der");
+ if (imaevm_params.x509) {
+ if (imaevm_params.keyfile) /* Support multiple public keys */
+ init_public_keys(imaevm_params.keyfile);
+ else /* assume read pubkey from x509 cert */
+ init_public_keys("/etc/keys/x509_evm.der");
+ }
errno = 0;
if (!file) {
--
2.11.0
reply other threads:[~2019-07-28 4:04 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190728040354.14983-1-vt@altlinux.org \
--to=vt@altlinux.org \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.