On 1/2/2020 3:25 PM, Mimi Zohar wrote:
On Thu, 2020-01-02 at 15:10 -0500, Ken Goldman wrote:I'm trying to document the ima-modsig template and then write aparser. Can anyone help me complete it? 1 - What the implementation does today is interesting. Even betterwould be what the implementation is permitted to do so that theparser will handle future changes. 2 - My understanding so far: ima-modsig is d-ng | n-ng | sig | d-modsig |modsig where (both have a prepended uint32_t length) d-modsig is d-ng, filedata hash, omitting the appended modsig signature modsig is pkcs7DER, appended signature My immediate issue is that the d-modsig should be a length + hashalgorithm + file data hash. However, the length in my sample log issometimes zero, which I did not expect. I.e., it it legal for an ima-modsig template to contain an emptyd-modsig item? Can the modsig item also be empty?Like the "sig" field in the "ima-sig" template, both the "d-modsig" and "modsig" fields in the "ima-modsig" template may be empty.
I understand sig being empty is the file isn't signed. Same with modsig. The verifier could flag that.
However, d-modsig is a hash. How should a parser interpret a missing [file data] hash? Under what conditions would that be legal / illegal / something to flag to an admin UI?
