Message ID | 20190726222309.8106-1-vt@altlinux.org (mailing list archive) |
---|---|
State | New, archived |
Series | ima-evm-utils: Fix ima_verify for v1 signatures |

On Sat, 2019-07-27 at 01:23 +0300, Vitaly Chikunov wrote:
> Use user supplied key in verify_hash for DIGSIG_VERSION_1.
> Otherwise v1 signatures don't pass verification.
>
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>

Thanks!

Mimi

diff --git a/src/libimaevm.c b/src/libimaevm.c index a582872..97f193e 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -612,6 +612,8 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned /* Read pubkey from RSA key */ if (!imaevm_params.keyfile) key = "/etc/keys/pubkey_evm.pem"; + else + key = imaevm_params.keyfile; return verify_hash_v1(file, hash, size, sig, siglen, key); } else if (sig[0] == DIGSIG_VERSION_2) { return verify_hash_v2(file, hash, size, sig, siglen);
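
Review bot: The if/else that sets `key` in the DIGSIG_VERSION_1 branch of verify_hash would be more robust as one assignment, for example `key = imaevm_params.keyfile ? imaevm_params.keyfile : "/etc/keys/pubkey_evm.pem";`, so that every path reaching verify_hash_v1 visibly carries a value. The declaration of `key` is outside the hunk, so it is not visible here whether it has an initialiser; if it does not, initialising it at the declaration would also guard against a later edit dropping one of the two arms. The comment "Read pubkey from RSA key" above the block should also say that a user-supplied key file takes precedence over the default path, since that precedence is the behaviour a caller verifying v1 signatures depends on.
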
Use user supplied key in verify_hash for DIGSIG_VERSION_1.
Otherwise v1 signatures don't pass verification.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>

---
 src/libimaevm.c | 2 ++
 1 file changed, 2 insertions(+)