@@ -48,6 +48,7 @@ OPTIONS
--xattr-user store xattrs in user namespace (for testing purposes)
--rsa use RSA key type and signing scheme v1
-k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)
+ --keyid n overwrite signature keyid with a 32-bit value in hex (for signing)
-o, --portable generate portable EVM signatures
-p, --pass password for encrypted signing key
-r, --recursive recurse into directories (sign)
@@ -2514,6 +2514,7 @@ static void usage(void)
" --xattr-user store xattrs in user namespace (for testing purposes)\n"
" --rsa use RSA key type and signing scheme v1\n"
" -k, --key path to signing key (default: /etc/keys/{privkey,pubkey}_evm.pem)\n"
+ " --keyid n overwrite signature keyid with a 32-bit value in hex (for signing)\n"
" -o, --portable generate portable EVM signatures\n"
" -p, --pass password for encrypted signing key\n"
" -r, --recursive recurse into directories (sign)\n"
@@ -2594,6 +2595,7 @@ static struct option opts[] = {
{"ignore-violations", 0, 0, 141},
{"pcrs", 1, 0, 142},
{"verify-bank", 2, 0, 143},
+ {"keyid", 1, 0, 144},
{}
};
@@ -2638,6 +2640,8 @@ int main(int argc, char *argv[])
{
int err = 0, c, lind;
ENGINE *eng = NULL;
+ unsigned long keyid;
+ char *eptr;
#if !(OPENSSL_VERSION_NUMBER < 0x10100000)
OPENSSL_init_crypto(
@@ -2785,6 +2789,22 @@ int main(int argc, char *argv[])
case 143:
verify_bank = optarg;
break;
+ case 144:
+ errno = 0;
+ keyid = strtoul(optarg, &eptr, 16);
+ /*
+ * ULONG_MAX is error from strtoul(3),
+ * UINT_MAX is `imaevm_params.keyid' maximum value,
+ * 0 is reserved for keyid being unset.
+ */
+ if (errno || eptr - optarg != strlen(optarg) ||
+ keyid == ULONG_MAX || keyid > UINT_MAX ||
+ keyid == 0) {
+ log_err("Invalid keyid value.\n");
+ exit(1);
+ }
+ imaevm_params.keyid = keyid;
+ break;
case '?':
exit(1);
break;
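Review bot: The argument validation in case 144 lets a signed value through: strtoul(3) accepts leading whitespace and a sign, so on LP64 `--keyid=-ffffffff00000001` negates to exactly 0xffffffff, sets no errno, consumes the whole string and passes every clause, producing a keyid the operator never typed; reject it up front with `if (*optarg == '-' || *optarg == '+') { log_err("Invalid keyid value.\n"); exit(1); }`. The `eptr - optarg != strlen(optarg)` test also compares a ptrdiff_t with a size_t; `*eptr != '\0'` says the same thing directly, and an empty argument is still caught because strtoul("") returns 0, which the `keyid == 0` clause rejects. The `keyid == ULONG_MAX` clause only matters where ULONG_MAX == UINT_MAX (ILP32, where "-1" yields ULONG_MAX without ERANGE); on LP64 `keyid > UINT_MAX` already covers it, which the comment block could say. This is operator-supplied input rather than an attack surface, but a silently wrapped keyid presumably yields a signature the verifier cannot match to the intended key. main() starts and ends outside this hunk.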
@@ -196,6 +196,7 @@ struct libimaevm_params {
const char *hash_algo;
const char *keyfile;
const char *keypass;
+ uint32_t keyid; /* keyid overriding value, unless 0. (Host order.) */
};
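Review bot: Appending `keyid` to `struct libimaevm_params` changes the struct's size in what looks like a library-exported header; callers that reference the library's `imaevm_params` global are unaffected, but any consumer that defines its own instance of the struct against an older header would be, so the comment should state the compatibility assumption, e.g. `/* keyid overriding value, unless 0 (host order). Appended for ABI compatibility; callers must not embed this struct by value. */`, if that matches the library's policy. The `uint32_t` type also needs `<stdint.h>` in scope in this header, which the hunk does not show; confirm it is already included.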
struct RSA_ASN1_template {
@@ -45,6 +45,7 @@
#include <sys/param.h>
#include <sys/stat.h>
#include <asm/byteorder.h>
+#include <arpa/inet.h>
#include <unistd.h>
#include <dirent.h>
#include <string.h>
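Review bot: A new `<arpa/inet.h>` dependency is added for a single htonl() call, while the file already includes `<asm/byteorder.h>` two lines above; `__cpu_to_be32(imaevm_params.keyid)` at the use site would avoid the extra header and keep the byte-order conversions in this file on one API. Style only, behaviour is the same.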
@@ -929,7 +930,10 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
return -1;
}
- calc_keyid_v2(&keyid, name, pkey);
+ if (imaevm_params.keyid)
+ keyid = htonl(imaevm_params.keyid);
+ else
+ calc_keyid_v2(&keyid, name, pkey);
hdr->keyid = keyid;
st = "EVP_PKEY_CTX_new";
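Review bot: When `imaevm_params.keyid` is set, sign_hash_v2 silently emits a signature header whose keyid no longer identifies the key actually used for signing, with no diagnostic; a note in the log would help an operator debug a later verification failure, e.g. `log_info("keyid overridden: %08x\n", imaevm_params.keyid);` using whatever log helper this file provides (log_err is visible in the evmctl hunk). A short comment above the branch should also record the byte-order contract, e.g. `/* override is host order; hdr->keyid is big-endian like calc_keyid_v2's output */` — that calc_keyid_v2 writes network order is inferred from the test's expected prefix, not visible here. sign_hash_v2 starts and ends outside this hunk.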
@@ -365,6 +365,7 @@ sign_verify rsa1024 sha256 0x0301 --rsa
sign_verify rsa1024 md5 0x030201:K:0080
sign_verify rsa1024 sha1 0x030202:K:0080
sign_verify rsa1024 sha224 0x030207:K:0080
+expect_pass check_sign TYPE=ima KEY=rsa1024 ALG=sha256 PREFIX=0x030204aabbccdd0080 OPTS=--keyid=aabbccdd
sign_verify rsa1024 sha256 0x030204:K:0080
try_different_keys
try_different_sigs
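Review bot: The new case only covers the happy path of `--keyid`; the rejection logic added in evmctl.c (zero, values wider than 32 bits, trailing garbage, leading sign) has no test, so a regression there would go unnoticed. If the harness has an `expect_fail` counterpart to `expect_pass`, cases such as `OPTS=--keyid=0`, `OPTS=--keyid=1aabbccdd` and `OPTS=--keyid=aabbccddzz` would pin that behaviour. It is also worth a comment on this line noting that the resulting signature is only checked for its header bytes, not verified against the key, since the overridden keyid will not match the key's computed id.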