From 90176e835ab8b95bfc57f6b34c7d59312c3c194c Mon Sep 17 00:00:00 2001
From: Vitaly Chikunov
Date: Sun, 28 Jul 2019 07:03:54 +0300
Subject: [PATCH] ima-evm-utils: Do not load keys from x509 certs if user pass --rsa
If user wants to verify v1 signature and specify RSA public key in `-k' option, this key will be attempted to be loaded as x509 certificate and this process will output errors. Do not load a key as a x509 cert if user pass `--rsa'.
This is not perfect solution. As now it's possible to specify `-k' and `--rsa' and v2 signatures will not verify, because of no keys.
This improvement is not added into ima_measurement().
Signed-off-by: Vitaly Chikunov
Signed-off-by: Mimi Zohar
---
 src/evmctl.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index d1cd79b..3d2a10b 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -843,10 +843,12 @@ static int cmd_verify_evm(struct command *cmd)
 return -1;
 }
- if (imaevm_params.keyfile) /* Support multiple public keys */
- init_public_keys(imaevm_params.keyfile);
- else /* assume read pubkey from x509 cert */
- init_public_keys("/etc/keys/x509_evm.der");
+ if (imaevm_params.x509) {
+ if (imaevm_params.keyfile) /* Support multiple public keys */
+ init_public_keys(imaevm_params.keyfile);
+ else /* assume read pubkey from x509 cert */
+ init_public_keys("/etc/keys/x509_evm.der");
+ }
 err = verify_evm(file);
 if (!err && imaevm_params.verbose >= LOG_INFO)
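Review bot: The new `if (imaevm_params.x509)` guard in cmd_verify_evm skips key loading entirely when `--rsa` is given, so a v2 signature met on that path will have no public keys at all, and nothing in the hunk reports that to the user; the same applies to the identical block in cmd_verify_ima in the second hunk. At minimum the branch should carry a comment stating the trade-off the commit message already admits, e.g. `/* --rsa: -k holds a v1 RSA pubkey, not an x509 cert; v2 signatures will not verify */`, so the next maintainer does not read the empty else-path as an oversight. Since the six new lines are now duplicated verbatim in both commands, a small static helper (say `init_x509_keys(void)`) called from both places would keep the two paths from drifting apart. Both enclosing functions begin and end outside their hunks.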
@@ -889,10 +891,12 @@ static int cmd_verify_ima(struct command *cmd)
 char *file = g_argv[optind++];
 int err, fails = 0;
- if (imaevm_params.keyfile) /* Support multiple public keys */
- init_public_keys(imaevm_params.keyfile);
- else /* assume read pubkey from x509 cert */
- init_public_keys("/etc/keys/x509_evm.der");
+ if (imaevm_params.x509) {
+ if (imaevm_params.keyfile) /* Support multiple public keys */
+ init_public_keys(imaevm_params.keyfile);
+ else /* assume read pubkey from x509 cert */
+ init_public_keys("/etc/keys/x509_evm.der");
+ }
 errno = 0;
 if (!file) {