From ab18c60ec1160d6460083818e1e5390f33766e2a Mon Sep 17 00:00:00 2001
From: Vivek Goyal
Date: Fri, 12 Jul 2013 14:52:11 -0400
Subject: [PATCH] Get signature version from the header

Currently we assume signature version is v1 until and unless -x is specified on kernel command line. Given the fact that signature version information is available in signature itself, it is much better to get it from there and not require user to pass -x during verification phase. If user passed -x on command line, then honor it.

Now one can do following.

evmctl ima_sign -x /tmp/data.txt
evmctl ima_verify /tmp/data.txt

Signed-off-by: Vivek Goyal
---
 src/evmctl.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/evmctl.c b/src/evmctl.c
index da9d86c..9a36def 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -256,6 +256,7 @@ static int sigfile;
 static int modsig;
 static char *uuid_str;
 static int x509;
+static int user_sig_type;
 static char *keyfile;
 typedef int (*sign_hash_fn_t)(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig);
@@ -1306,6 +1307,17 @@ static int verify_ima(const char *file)
 if (hashlen <= 1)
 return hashlen;
+ /* Get signature type from sig header if user did not enforce it */
+ if (!user_sig_type) {
+ if (sig[1] == DIGSIG_VERSION_1)
+ verify_hash = verify_hash_v1;
+ else if (sig[1] == DIGSIG_VERSION_2) {
+ verify_hash = verify_hash_v2;
+ /* Read pubkey from x509 cert */
+ x509 = 1;
+ }
+ }
+ /* Determine what key to use for verification*/
 key = keyfile ? : x509 ? "/etc/keys/x509_evm.der" :
@@ -1719,6 +1731,7 @@ int main(int argc, char *argv[])
 x509 = 1;
 sign_hash = sign_hash_v2;
 verify_hash = verify_hash_v2;
+ user_sig_type = 1;
 break;
 case 'k':
 keyfile = optarg;
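Review bot: In the verify_ima hunk, `sig[1]` is read from the file's signature xattr before the new code has confirmed the buffer holds at least two bytes; the only length guard visible in the hunk is `hashlen <= 1`, which bounds the computed hash rather than the signature, so unless the read above line 1306 (outside the hunk) already enforces a minimum signature length, a truncated xattr turns this into an out-of-bounds read. A version byte that matches neither DIGSIG_VERSION_1 nor DIGSIG_VERSION_2 also falls through with verify_hash left at its previous value, so an unrecognized signature format is verified under the default scheme instead of being rejected; an explicit `else { log_err("unsupported signature version %d\n", sig[1]); return -1; }` after the v2 branch would fail closed. Setting the global `x509 = 1` from inside verify_ima also outlives this call, so if the same process goes on to verify another file, a v2 header on the first file changes the key file chosen for a later v1 file; selecting the key path into a local instead of flipping the global would avoid that. verify_ima's body continues on both sides of the hunk.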