ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message

When public keys are specified on the boot command line (--key "<public key file>,[<public key file>,...]"), the appropriate public key is used to verify EVM or file signatures. If no keys are specified, the default x509_evm.der or pubkey_evm.pem file is used to verify the DIGSIG_VERSION_2 or DIGSIG_VERSION_1 signatures respectively, without first checking the keyids. Instead of emitting a "verification failed: 0 (invalid padding)" message, an "unknown keyid" message would be clearer. To address this problem, when no public keys are specified, this patch loads the x509_evm.der default public key onto the "public_keys" list, while the pubkey_evm.pem continues to be passed to verify_hash_v1() Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2025-04-28 06:33:36 +02:00 · 2019-07-16 21:36:29 -04:00 · 2019-07-16 21:36:29 -04:00 · 388f807a0f
commit 388f807a0f
parent a225728550
2 changed files with 18 additions and 13 deletions
--- a/src/evmctl.c
+++ b/src/evmctl.c
@ -838,6 +838,11 @@ static int cmd_verify_evm(struct command *cmd)
 		return -1;
 	}

+	if (params.keyfile)	/* Support multiple public keys */
+		init_public_keys(params.keyfile);
+	else			/* assume read pubkey from x509 cert */
+		init_public_keys("/etc/keys/x509_evm.der");
+
 	err = verify_evm(file);
 	if (!err && params.verbose >= LOG_INFO)
 		log_info("%s: verification is OK\n", file);
@ -879,8 +884,10 @@ static int cmd_verify_ima(struct command *cmd)
 	char *file = g_argv[optind++];
 	int err;

-	if (params.keyfile)
+	if (params.keyfile)	/* Support multiple public keys */
 		init_public_keys(params.keyfile);
+	else			/* assume read pubkey from x509 cert */
+		init_public_keys("/etc/keys/x509_evm.der");

 	errno = 0;
 	if (!file) {
@ -1602,9 +1609,10 @@ static int ima_measurement(const char *file)
 		return -1;
 	}

-	/* Support multiple public keys */
-	if (params.keyfile)
+	if (params.keyfile)	/* Support multiple public keys */
 		init_public_keys(params.keyfile);
+	else			/* assume read pubkey from x509 cert */
+		init_public_keys("/etc/keys/x509_evm.der");

 	while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
 		ima_extend_pcr(pcr[entry.header.pcr], entry.header.digest,
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@ -302,6 +302,9 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
 	X509 *crt = NULL;
 	EVP_PKEY *pkey = NULL;

+	if (!keyfile)
+		return NULL;
+
 	fp = fopen(keyfile, "r");
 	if (!fp) {
 		log_err("Failed to open keyfile: %s\n", keyfile);
@ -569,27 +572,21 @@ static int get_hash_algo_from_sig(unsigned char *sig)
 int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig,
 		int siglen)
 {
-	const char *key;
-	int x509;
+	const char *key = NULL;
 	verify_hash_fn_t verify_hash;

 	/* Get signature type from sig header */
 	if (sig[0] == DIGSIG_VERSION_1) {
 		verify_hash = verify_hash_v1;
+
 		/* Read pubkey from RSA key */
-		x509 = 0;
+		if (!params.keyfile)
+			key = "/etc/keys/pubkey_evm.pem";
 	} else if (sig[0] == DIGSIG_VERSION_2) {
 		verify_hash = verify_hash_v2;
-		/* Read pubkey from x509 cert */
-		x509 = 1;
 	} else
 		return -1;

-	/* Determine what key to use for verification*/
-	key = params.keyfile ? : x509 ?
-			"/etc/keys/x509_evm.der" :
-			"/etc/keys/pubkey_evm.pem";
-
 	return verify_hash(file, hash, size, sig, siglen, key);
 }