On Thu, 2020-01-02 at 15:10 -0500, Ken Goldman wrote:
> I'm trying to document the ima-modsig template and then write a parser.
> Can anyone help me complete it?
>
> 1 - What the implementation does today is interesting. Even better would
> be what the implementation is permitted to do so that the parser will
> handle future changes.
>
> 2 - My understanding so far:
>
> ima-modsig is d-ng | n-ng | sig | d-modsig | modsig
>
> where (both have a prepended uint32_t length)
>
> d-modsig is d-ng, filedata hash, omitting the
> appended modsig signature
> modsig is pkcs7DER, appended signature
>
> My immediate issue is that the d-modsig should be a length +
> hash algorithm + file data hash. However, the length in my sample log
> is sometimes zero, which I did not expect.
>
> I.e., is it legal for an ima-modsig template to contain an empty d-modsig
> item?
>
> Can the modsig item also be empty?

Like the "sig" field in the "ima-sig" template, both the "d-modsig" and "modsig" fields in the "ima-modsig" template may be empty.

Mimi
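A parser for the ima-modsig template data as described in this thread, added here as an example (it is neither Ken's parser nor kernel code): it splits the five uint32-length-prefixed fields and, per Mimi's answer, accepts zero-length sig, d-modsig and modsig fields. Assumed, beyond what the thread states: lengths are little-endian (native order on an x86 host), the digest fields use the d-ng layout "algo:" + NUL + digest, n-ng is NUL-terminated, and the sample bytes are constructed.

```python
import struct
from typing import Optional, Tuple

# Field order of the ima-modsig template, as given in the thread.
IMA_MODSIG_FIELDS = ("d-ng", "n-ng", "sig", "d-modsig", "modsig")

def split_fields(data: bytes) -> list:
    """Split template data into its uint32-length-prefixed fields (little-endian assumed)."""
    fields, off = [], 0
    while off < len(data):
        (length,) = struct.unpack_from("<I", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("field length runs past end of template data")
        fields.append(data[off:off + length])
        off += length
    return fields

def parse_digest_field(raw: bytes) -> Optional[Tuple[str, bytes]]:
    """Decode a d-ng / d-modsig value, assumed as 'algo:' + NUL + digest; None if empty."""
    if not raw:
        return None
    sep = raw.index(b"\0")
    return raw[:sep].decode("ascii").rstrip(":"), raw[sep + 1:]

def parse_ima_modsig(data: bytes) -> dict:
    """Parse one ima-modsig template-data blob; sig, d-modsig and modsig may be empty."""
    fields = split_fields(data)
    if len(fields) != len(IMA_MODSIG_FIELDS):
        raise ValueError(f"expected {len(IMA_MODSIG_FIELDS)} fields, got {len(fields)}")
    rec = dict(zip(IMA_MODSIG_FIELDS, fields))
    for name in ("d-ng", "n-ng"):          # these two are never empty
        if not rec[name]:
            raise ValueError(f"{name} must not be empty")
    return {
        "d-ng": parse_digest_field(rec["d-ng"]),
        "n-ng": rec["n-ng"].rstrip(b"\0").decode(),
        "sig": rec["sig"] or None,
        "d-modsig": parse_digest_field(rec["d-modsig"]),   # None when length is zero
        "modsig": rec["modsig"] or None,                    # None when length is zero
    }

def _field(value: bytes) -> bytes:
    return struct.pack("<I", len(value)) + value

# Constructed sample: a file with no signature of either kind, so the last three
# fields are zero-length, the case Ken saw in his log.
SAMPLE = (_field(b"sha256:\0" + b"\xab" * 32) + _field(b"/usr/bin/example\0")
          + _field(b"") + _field(b"") + _field(b""))
```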