On Thu, 2020-01-02 at 17:24 -0500, Ken Goldman wrote: > On 1/2/2020 3:25 PM, Mimi Zohar wrote: > > On Thu, 2020-01-02 at 15:10 -0500, Ken Goldman wrote: > >> I'm trying to document the ima-modsig template and then write aparser. > >> Can anyone help me complete it? > >> > >> 1 - What the implementation does today is interesting. Even betterwould > >> be what the implementation is permitted to do so that theparser will > >> handle future changes. > >> > >> 2 - My understanding so far: > >> > >> ima-modsig is d-ng | n-ng | sig | d-modsig |modsig > >> > >> where (both have a prepended uint32_t length) > >> > >> d-modsig is d-ng, filedata hash, omitting the > >> appended modsig signature > >> modsig is pkcs7DER, appended signature > >> > >> My immediate issue is that the d-modsig should be a length + > >> hashalgorithm + file data hash. However, the length in my sample log > >> issometimes zero, which I did not expect. > >> > >> I.e., it it legal for an ima-modsig template to contain an emptyd-modsig > >> item? > >> > >> Can the modsig item also be empty? > > > > Like the "sig" field in the "ima-sig" template, both the "d-modsig" > > and "modsig" fields in the "ima-modsig" template may be empty. > > > > I understand sig being empty is the file isn't signed. Same with > modsig. The verifier could flag that. > > However, d-modsig is a hash. How should a parser interpret a missing > [file data] hash? Under what conditions would that be legal / illegal / > something to flag to an admin UI? The "d-modsig" is the hash of the file without the appended signature. That hash is needed to verify the appended signature. If there isn't an appended signature, then there would be no reason for "d-modsig". Mimi
