@@ -843,10 +843,12 @@ static int cmd_verify_evm(struct command *cmd)
return -1;
}
- if (imaevm_params.keyfile) /* Support multiple public keys */
- init_public_keys(imaevm_params.keyfile);
- else /* assume read pubkey from x509 cert */
- init_public_keys("/etc/keys/x509_evm.der");
+ if (imaevm_params.x509) {
+ if (imaevm_params.keyfile) /* Support multiple public keys */
+ init_public_keys(imaevm_params.keyfile);
+ else /* assume read pubkey from x509 cert */
+ init_public_keys("/etc/keys/x509_evm.der");
+ }
err = verify_evm(file);
if (!err && imaevm_params.verbose >= LOG_INFO)
@@ -889,10 +891,12 @@ static int cmd_verify_ima(struct command *cmd)
char *file = g_argv[optind++];
int err, fails = 0;
- if (imaevm_params.keyfile) /* Support multiple public keys */
- init_public_keys(imaevm_params.keyfile);
- else /* assume read pubkey from x509 cert */
- init_public_keys("/etc/keys/x509_evm.der");
+ if (imaevm_params.x509) {
+ if (imaevm_params.keyfile) /* Support multiple public keys */
+ init_public_keys(imaevm_params.keyfile);
+ else /* assume read pubkey from x509 cert */
+ init_public_keys("/etc/keys/x509_evm.der");
+ }
errno = 0;
if (!file) {
If user wants to verify v1 signature and specify RSA public key in `-k' option, this key will be attempted to be loaded as x509 certificate and this process will output errors. Do not load a key as a x509 cert if user pass `--rsa'. This is not perfect solution. As now it's possible to specify `-k' and `--rsa' and v2 signatures will not verify, because of no keys. This improvement is not added into ima_measurement(). Signed-off-by: Vitaly Chikunov <vt@altlinux.org> --- src/evmctl.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-)