Mimi,

On Tue, Jul 06, 2021 at 12:23:26PM -0400, Mimi Zohar wrote:
> On Thu, 2021-07-01 at 04:13 +0300, Vitaly Chikunov wrote:
> > Allow user to set signature's keyid using `--keyid' option. Keyid should
> > correspond to SKID in certificate. When keyid is calculated using SHA-1
> > in libimaevm it may mismatch keyid extracted by the kernel from SKID of
> > certificate (the way public key is presented to the kernel), thus making
> > signatures not verifiable. This may happen when certificate is using non
> > SHA-1 SKID (see rfc7093) or just 'unique number' (see rfc5280 4.2.1.2).
> > As a last resort user may specify arbitrary keyid using the new option.
> > Certificate filename could be used instead of the hex number with
> > `--keyid-from-cert' option. And, third option is to read keyid from the
> > cert appended to the key file.
> >
> > These commits create backward incompatible ABI change for libimaevm,
> > thus soname should be incremented on release.
>
> I haven't started using Github actions. Will you create repo there?
>
> Here are some new Travis complaints:
>
> Alpine:
> libimaevm.c: In function 'sign_hash_v2':
> libimaevm.c:996:47: warning: taking address of packed member of 'struct signature_v2_hdr' may result in an unaligned pointer value [-Waddress-of-packed-member]
>   996 |         int keyid_read_failed = read_keyid_from_key(&hdr->keyid, keyfile);
>       |                                                     ^~~~~~~~~~~
> libimaevm.c:999:18: warning: taking address of packed member of 'struct signature_v2_hdr' may result in an unaligned pointer value [-Waddress-of-packed-member]
>   999 |         calc_keyid_v2(&hdr->keyid, name, pkey);
>       |                       ^~~~~~~~~~~
>
> centos:
> ./.libs/libimaevm.so: undefined reference to `X509_get0_subject_key_id'
> ./.libs/libimaevm.so: undefined reference to `ASN1_STRING_get0_data'
>
> xenial:
> libimaevm.c: In function 'extract_keyid':
> libimaevm.c:695:2: warning: implicit declaration of function 'X509_get0_subject_key_id' [-Wimplicit-function-declaration]
>   if (!(skid = X509_get0_subject_key_id(x))) {
>   ^
> libimaevm.c:695:13: warning: assignment makes pointer from integer without a cast [enabled by default]
>   if (!(skid = X509_get0_subject_key_id(x))) {

Thanks!

>
> thanks,
>
> Mimi
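The keyid mismatch described in the quoted commit message, as an added example that is not code from this thread or from ima-evm-utils. It builds a SubjectPublicKeyInfo around a constructed (not real) RSA key, derives the SubjectKeyIdentifier the three ways the message mentions (RFC 5280 4.2.1.2 method 1 with SHA-1, RFC 7093 method 1 with truncated SHA-256, and an opaque unique number), and compares the SHA-1-derived keyid with the keyid taken from the SKID. Two assumptions are made and marked in the code: that libimaevm's SHA-1 keyid is the last four bytes of SHA-1 over the raw subjectPublicKey bytes, and that the kernel identifies the signing key by the last four bytes of the SKID (so `--keyid-from-cert` amounts to `SKID[-4:]`). The DER helpers are hand-written for the example; the SKID names and `keyid_matches_certificate` are this example's own.

```python
import hashlib

# rsaEncryption OID 1.2.840.113549.1.1.1, already DER encoded
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")

# Constructed 256-bit modulus for the demo only; this is NOT a real key.
CONSTRUCTED_MODULUS = 0xB5A1D49C7E3F0A6218C9D3E4F5A6B7C8D9E0F1A2B3C4D5E6F7A8B9C0D1E2F3A4
PUBLIC_EXPONENT = 65537


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value):
    """DER INTEGER for a non-negative value (leading 0x00 when the top bit is set)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def rsa_public_key_der(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return der_tlv(0x30, der_integer(n) + der_integer(e))


def subject_public_key_info(pubkey):
    """SubjectPublicKeyInfo wrapping an RSAPublicKey (rsaEncryption, NULL params)."""
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    bit_string = der_tlv(0x03, b"\x00" + pubkey)  # 0 unused bits
    return der_tlv(0x30, algorithm + bit_string)


def _read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def extract_subject_public_key(spki):
    """Raw subjectPublicKey bytes (BIT STRING contents, no unused-bits octet)."""
    tag, start, end = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_tag, _, alg_end = _read_tlv(spki, start)
    if alg_tag != 0x30:
        raise ValueError("algorithm must be a SEQUENCE")
    bs_tag, bs_start, bs_end = _read_tlv(spki, alg_end)
    if bs_tag != 0x03 or bs_end > end or spki[bs_start] != 0:
        raise ValueError("subjectPublicKey must be a BIT STRING with no unused bits")
    return spki[bs_start + 1:bs_end]


def skid_rfc5280_method1(pubkey):
    """RFC 5280 4.2.1.2 method (1): SHA-1 of the subjectPublicKey BIT STRING value."""
    return hashlib.sha1(pubkey).digest()


def skid_rfc7093_method1(pubkey):
    """RFC 7093 method 1: leftmost 160 bits of SHA-256 of the same value."""
    return hashlib.sha256(pubkey).digest()[:20]


def keyid_sha1(pubkey):
    """ASSUMPTION: libimaevm's SHA-1 keyid is the last 4 bytes of SHA-1(pubkey)."""
    return hashlib.sha1(pubkey).digest()[-4:]


def keyid_from_skid(skid):
    """ASSUMPTION: the kernel matches a v2 signature by the last 4 bytes of the SKID."""
    if len(skid) < 4:
        raise ValueError("SKID shorter than a keyid")
    return skid[-4:]


def keyid_matches_certificate(spki, skid):
    """True only when the SHA-1-derived keyid equals the one the kernel takes from SKID."""
    pubkey = extract_subject_public_key(spki)
    return keyid_sha1(pubkey) == keyid_from_skid(skid)


if __name__ == "__main__":
    pk = rsa_public_key_der(CONSTRUCTED_MODULUS, PUBLIC_EXPONENT)
    spki = subject_public_key_info(pk)
    cases = (("RFC 5280 SHA-1 SKID", skid_rfc5280_method1(pk)),
             ("RFC 7093 SHA-256 SKID", skid_rfc7093_method1(pk)),
             ("opaque unique-number SKID (constructed)", bytes.fromhex("0102030405060708")))
    for label, skid in cases:
        print(f"{label}: sha1 keyid {keyid_sha1(pk).hex()}, "
              f"kernel keyid {keyid_from_skid(skid).hex()}, "
              f"match={keyid_matches_certificate(spki, skid)}")
```

Only the RFC 5280 SHA-1 SKID agrees with the SHA-1-derived keyid, because both hash the identical input; for the other two the signature would carry a keyid the kernel never associates with the certificate, which is the failure the `--keyid` and `--keyid-from-cert` options are meant to avoid.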