Allow to have certificate appended to the private key of `--key'
specified (PEM) file (for v2 signing) to facilitate reading of keyid
from the associated cert. This will allow users to have private and
public key as a single file. There is no check that public key form the
cert matches associated private key.
Signed-off-by: Vitaly Chikunov <vt@xxxxxxxxxxxx>
---
README | 3 +++
src/libimaevm.c | 8 +++++---
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/README b/README
index 0e1f6ba..ea11bde 100644
--- a/README
+++ b/README
@@ -127,6 +127,9 @@ for signing and importing the key.
Second key format uses X509 DER encoded public key certificates and uses asymmetric key support
in the kernel (since kernel 3.9). CONFIG_INTEGRITY_ASYMMETRIC_KEYS must be enabled (default).
+For v2 signatures x509 certificate with the public key could be appended to the private
+key (both are in PEM format) to properly determine its Subject Key Identifier (SKID).
+
Integrity keyrings
----------------
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 1c03768..bfce7ef 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -1021,10 +1021,12 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
return -1;
}
- if (imaevm_params.keyid)
+ if (imaevm_params.keyid) {
hdr->keyid = htonl(imaevm_params.keyid);
- else
- calc_keyid_v2(&hdr->keyid, name, pkey);
+ } else {
+ if (__read_keyid(&hdr->keyid, keyfile, KEYID_FILE_PEM_KEY))
+ calc_keyid_v2(&hdr->keyid, name, pkey);
+ }
st = "EVP_PKEY_CTX_new";
if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
--
2.11.0
