diff mbox series

ima-evm-utils: Fix ima_verify for v1 signatures

Message ID 20190726222309.8106-1-vt@altlinux.org (mailing list archive)
State New, archived
Headers show
Series ima-evm-utils: Fix ima_verify for v1 signatures | expand

Commit Message

Vitaly Chikunov July 26, 2019, 10:23 p.m. UTC 
Use user supplied key in verify_hash for DIGSIG_VERSION_1.
Otherwise v1 signatures don't pass verification.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
 src/libimaevm.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Mimi Zohar July 30, 2019, 11:31 a.m. UTC | #1 
On Sat, 2019-07-27 at 01:23 +0300, Vitaly Chikunov wrote:
> Use user supplied key in verify_hash for DIGSIG_VERSION_1.
> Otherwise v1 signatures don't pass verification.
> 
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>

Thanks!

Mimi
diff mbox series

Patch

diff --git a/src/libimaevm.c b/src/libimaevm.c
index a582872..97f193e 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -612,6 +612,8 @@  int verify_hash(const char *file, const unsigned char *hash, int size, unsigned
 		/* Read pubkey from RSA key */
 		if (!imaevm_params.keyfile)
 			key = "/etc/keys/pubkey_evm.pem";
+		else
+			key = imaevm_params.keyfile;
 		return verify_hash_v1(file, hash, size, sig, siglen, key);
 	} else if (sig[0] == DIGSIG_VERSION_2) {
 		return verify_hash_v2(file, hash, size, sig, siglen);