On 11/21/19 8:38 AM, James Bottomley wrote:
> You're making the assumption that the public key and the certificate are isomorphic. That's only true if you trust the issuer (which you obviously do, since it's you [microsoft]) but nothing in X.509 prevents the issuer from issuing multiple certificates with the same public key and different properties. Even in your use case, I would think attesting to whether the certificate had expired or not would be useful.

Hi James,
I agree attesting the x509 certificate and not just the public key is the right approach. But in the kernel the certificate is not stored - only the key extracted from the certificate is stored (please correct me if I am wrong).
When IMA, for instance, verifies the file signature only the public key (the data in "struct public_key") of the corresponding IMA key is used - the certificate is not used.
In my key measurement implementation, the IMA hook is called when the key_create_or_update() function has successfully added/updated a key in a keyring. At that point, I do not have the corresponding x509 certificate.
Please let me know if the kernel indeed stores the x509 certificate also and it can be queried when the corresponding key is added to a keyring. I'll make the changes to measure the x509 cert instead of just the public key.
Thank you.
-lakshmi
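Added example, not part of this thread or the IMA patch set: a shell script using the openssl CLI that issues two self-signed certificates for one key with different subjects and validity periods, then compares a digest of each certificate's SubjectPublicKeyInfo (the key material that is all the kernel keeps) with a digest of the full DER certificate. It illustrates James's point above: a measurement of only the public key cannot distinguish certificates that differ in everything but the key. The file names and subjects are constructed sample values.

```shell
#!/bin/sh
# Demonstrate that two X.509 certificates can share one public key while
# differing in other properties, so a public-key-only measurement records
# the same value for both. Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One private key, two self-signed certificates issued for it with different
# subject names and validity periods (constructed sample data).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null
openssl req -new -x509 -key "$WORK/key.pem" -subj "/CN=ima-test-a" \
    -days 1 -out "$WORK/a.pem" 2>/dev/null
openssl req -new -x509 -key "$WORK/key.pem" -subj "/CN=ima-test-b" \
    -days 3650 -out "$WORK/b.pem" 2>/dev/null

# SHA-256 over the DER-encoded SubjectPublicKeyInfo: the key material alone.
pubkey_digest() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the whole DER certificate: what measuring the cert would record.
cert_digest() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds (exit 0) when the two certificates carry the same public key
# but are themselves different certificates.
same_key_different_cert() {
    [ "$(pubkey_digest "$1")" = "$(pubkey_digest "$2")" ] \
        && [ "$(cert_digest "$1")" != "$(cert_digest "$2")" ]
}

if same_key_different_cert "$WORK/a.pem" "$WORK/b.pem"; then
    echo "public-key digests match; certificate digests differ"
fi
```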