When keys are not provided, the default key is used to verify the file signature, resulting in this erroneous message. Before using the default key to verify the file signature, verify the keyid is correct. This patch adds the public key from the default x509 certificate onto the "public_keys" list.
Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
---
 src/evmctl.c | 9 ++++++---
 src/libimaevm.c | 17 +++++++----------
 2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 61808d276419..65cc5bd12bad 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -879,8 +879,10 @@ static int cmd_verify_ima(struct command *cmd)
 char *file = g_argv[optind++];
 int err;
 
- if (params.keyfile)
+ if (params.keyfile) /* Support multiple public keys */
 init_public_keys(params.keyfile);
+ else /* assume read pubkey from x509 cert */
+ init_public_keys("/etc/keys/x509_evm.der");
 
 errno = 0;
 if (!file) {
@@ -1602,9 +1604,10 @@ static int ima_measurement(const char *file)
 return -1;
 }
 
- /* Support multiple public keys */
- if (params.keyfile)
+ if (params.keyfile) /* Support multiple public keys */
 init_public_keys(params.keyfile);
+ else /* assume read pubkey from x509 cert */
+ init_public_keys("/etc/keys/x509_evm.der");
 
 while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
 ima_extend_pcr(pcr[entry.header.pcr], entry.header.digest,
diff --git a/src/libimaevm.c b/src/libimaevm.c
index ae487f9fe36c..afd21051b09a 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -302,6 +302,9 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
 X509 *crt = NULL;
 EVP_PKEY *pkey = NULL;
 
+ if (!keyfile)
+ return NULL;
+
 fp = fopen(keyfile, "r");
 if (!fp) {
 log_err("Failed to open keyfile: %s\n", keyfile);
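Review bot: The default trust-anchor path `"/etc/keys/x509_evm.der"` is now written out at two call sites, in this cmd_verify_ima hunk and again in the ima_measurement hunk, after being dropped from verify_hash in libimaevm.c. A single named constant shared by both would keep the default from drifting between commands, for example `#define DEFAULT_X509_CERT "/etc/keys/x509_evm.der"` (name is a suggestion). Neither call site checks whether the default certificate could actually be loaded; whether init_public_keys reports a missing or unreadable file itself is not visible in this diff, so that should be confirmed before verification relies on the list. The `else` comment would read more clearly as `/* no key file given: load the default x509 cert */`. Both functions start and end outside their hunks.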
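Review bot: The new `if (!keyfile) return NULL;` guard in read_pub_pkey fails silently, while the fopen failure directly below it goes through log_err, so a caller receives the same NULL for "no key file was configured" and "key file could not be read". If a NULL keyfile is now an expected input (verify_hash in this same patch can pass a NULL key), that contract should be stated above the guard, for example `/* keyfile may be NULL when the caller relies on the public_keys list; not an error */`. That reading is inferred from the other hunks and should be confirmed against the callers. The rest of read_pub_pkey lies outside the hunk.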
@@ -569,27 +572,21 @@ static int get_hash_algo_from_sig(unsigned char *sig)
 int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen)
 {
- const char *key;
- int x509;
+ const char *key = NULL;
 verify_hash_fn_t verify_hash;
 
 /* Get signature type from sig header */
 if (sig[0] == DIGSIG_VERSION_1) {
 verify_hash = verify_hash_v1;
+
 /* Read pubkey from RSA key */
- x509 = 0;
+ if (!params.keyfile)
+ key = "/etc/keys/pubkey_evm.pem";
 } else if (sig[0] == DIGSIG_VERSION_2) {
 verify_hash = verify_hash_v2;
- /* Read pubkey from x509 cert */
- x509 = 1;
 } else
 return -1;
 
- /* Determine what key to use for verification*/
- key = params.keyfile ? : x509 ?
- "/etc/keys/x509_evm.der" :
- "/etc/keys/pubkey_evm.pem";
-
 return verify_hash(file, hash, size, sig, siglen, key);
 }
 
-- 
2.7.5
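Review bot: When `params.keyfile` is set and the signature is `DIGSIG_VERSION_1`, `key` now stays NULL, because the new branch assigns it only when no key file was given, whereas the removed ternary passed `params.keyfile` through. The same patch makes read_pub_pkey return NULL for a NULL keyfile, so a v1 signature checked against a user-supplied key will presumably stop verifying (verify_hash_v1 itself is outside the diff, so this needs confirming). In the v1 branch, `key = params.keyfile ? params.keyfile : "/etc/keys/pubkey_evm.pem";` would keep the old behaviour. For `DIGSIG_VERSION_2` the NULL key relies on verify_hash_v2 ignoring the argument, which deserves a comment such as `/* v2: key is looked up in public_keys, the key argument is unused */`.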