* [PATCH] ima-evm-utils: Do not load keys from x509 certs if user pass --rsa
@ 2019-07-28 4:03 Vitaly Chikunov
From: Vitaly Chikunov @ 2019-07-28 4:03 UTC (permalink / raw)
To: Mimi Zohar, Dmitry Kasatkin, linux-integrity
If the user wants to verify a v1 signature and specifies an RSA public key in the `-k'
option, this key will be attempted to be loaded as an x509 certificate and
this process will output errors.
Do not load a key as an x509 cert if the user passes `--rsa'.
This is not a perfect solution, as now it is possible to specify `-k' and
`--rsa', and v2 signatures will not verify because there are no keys.
This improvement is not added into ima_measurement().
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
src/evmctl.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index e0a835f..0f821e4 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -843,10 +843,12 @@ static int cmd_verify_evm(struct command *cmd)
return -1;
}
- if (imaevm_params.keyfile) /* Support multiple public keys */
- init_public_keys(imaevm_params.keyfile);
- else /* assume read pubkey from x509 cert */
- init_public_keys("/etc/keys/x509_evm.der");
+ if (imaevm_params.x509) {
+ if (imaevm_params.keyfile) /* Support multiple public keys */
+ init_public_keys(imaevm_params.keyfile);
+ else /* assume read pubkey from x509 cert */
+ init_public_keys("/etc/keys/x509_evm.der");
+ }
err = verify_evm(file);
if (!err && imaevm_params.verbose >= LOG_INFO)
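Review bot: in the new `if (imaevm_params.x509)` guard in cmd_verify_evm, a `-k` keyfile given together with `--rsa` is now silently dropped, so a v2 signature encountered in that mode fails with no public keys loaded and no explanation. Since the commit message already acknowledges this, at least emit a diagnostic in the non-x509 branch (for example an `else` that logs that the keyfile is ignored for v2 verification) so the user can tell a misconfiguration from a genuinely bad signature; better still, reject the `-k` plus `--rsa` combination up front when v2 verification is expected.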
@@ -889,10 +891,12 @@ static int cmd_verify_ima(struct command *cmd)
char *file = g_argv[optind++];
int err, fails = 0;
- if (imaevm_params.keyfile) /* Support multiple public keys */
- init_public_keys(imaevm_params.keyfile);
- else /* assume read pubkey from x509 cert */
- init_public_keys("/etc/keys/x509_evm.der");
+ if (imaevm_params.x509) {
+ if (imaevm_params.keyfile) /* Support multiple public keys */
+ init_public_keys(imaevm_params.keyfile);
+ else /* assume read pubkey from x509 cert */
+ init_public_keys("/etc/keys/x509_evm.der");
+ }
errno = 0;
if (!file) {
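Review bot: this hunk in cmd_verify_ima duplicates, line for line, the four-line keyfile/x509 block from cmd_verify_evm, and the commit message notes the same guard is still missing from ima_measurement(). Factor the block into a small helper (a hypothetical name would be `init_public_keys_x509()`) that checks `imaevm_params.x509` and falls back to `/etc/keys/x509_evm.der` when no keyfile is set, and call it from all three sites; that keeps the three callers in sync and removes the known gap in ima_measurement() instead of leaving it for a follow-up.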
--
2.11.0