From: Dmitry K. <dmi...@gm...> - 2013-05-31 10:09:02
Hello Vivek,

On Thu, May 30, 2013 at 9:50 PM, Vivek Goyal <vg...@re...> wrote:
> Hi Dmitry,
>
> I have more queries about evmctl. This time hash algorithm used for digital
> signing by evmctl. Will be great if you can help out.
>
> IIUC, following seems to be the case.
>
> - We always use SHA1 for v1 of digital signature. Even if one specifies
>   -a option, we ignore that for v1?
>

As kernel signature verification did not support other than sha1 algos in v1, we put sha1 in evmctl.
In fact evmctl should "complain" when doing signature if someone tries to use '-a' option with other than sha1.
We could update implementation for v2, but..... now we have v2 and added support for multiple hash algorithms.

> - hash algo info is put in digital signature header. Looks like we put
>   this info differently for v1 and v2. For v1, we always seem to use
>   DIGEST_ALGO_SHA1 that is value 0. For V2, we seem to map algo to
>   enum pkey_hash_algo. That means even if we sign v2 header using sha1,
>   value will be 2.

Yes... But header versions are different.... No confusion here...

>
> IOW, sha1 is mapped to different values in v1 and v2. v2 seems to
> map to kernel defined hash algo enum while v1 does not. So if I decide
> to parse signatures in kernel and extract hash algorithm in kernel, I
> need to do it differently based on version of signature?

Yes. It is different and v2 is using enums for asymmetric keys..

Maybe with your new functionality we should mandate using only new signature format.
Old support should be deprecated in the future... maybe...

- Dmitry

>
> Thanks
> Vivek
>
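The version-dependent lookup discussed in this message, as an added example (not code from evmctl, the kernel, or either poster). The header byte offsets and every id other than SHA1 (0 in v1, 2 in v2) are assumptions based on the kernel's digsig and public-key headers of that period.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed packed layouts, buffer starting at the version byte:
 *   v1: version, timestamp[4], algo, hash, keyid[8], nmpi   (16 bytes)
 *   v2: version, hash_algo, keyid[4], sig_size[2]           (8 bytes) */
enum { V1_HASH_OFF = 6, V1_HDR_LEN = 16, V2_HASH_OFF = 1, V2_HDR_LEN = 8 };

/* v1 ids: DIGEST_ALGO_SHA1 = 0 (from the thread); sha256 = 1 is assumed. */
static const char *const v1_names[] = { "sha1", "sha256" };
/* v2 ids follow enum pkey_hash_algo: sha1 = 2 (from the thread); the
 * remaining entries are assumed from the kernel enum of that period. */
static const char *const v2_names[] = { "md4", "md5", "sha1", "rmd160",
                                        "sha256", "sha384", "sha512", "sha224" };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Return the hash name for a signature header, or NULL when the header is
 * truncated, the version is unknown, or the id is out of range for that
 * version. The id is never interpreted without the version byte. */
const char *sig_hash_name(const uint8_t *sig, size_t len)
{
    if (sig == NULL || len < 1)
        return NULL;
    switch (sig[0]) {
    case 1:
        if (len < V1_HDR_LEN || sig[V1_HASH_OFF] >= COUNT(v1_names))
            return NULL;
        return v1_names[sig[V1_HASH_OFF]];
    case 2:
        if (len < V2_HDR_LEN || sig[V2_HASH_OFF] >= COUNT(v2_names))
            return NULL;
        return v2_names[sig[V2_HASH_OFF]];
    default:
        return NULL;
    }
}

int main(void)
{
    /* Constructed headers: both signed with sha1, different id bytes. */
    uint8_t v1[V1_HDR_LEN] = { 1, 0, 0, 0, 0, 0, 0 /* hash id 0 */ };
    uint8_t v2[V2_HDR_LEN] = { 2, 2 /* hash id 2 */ };
    printf("v1: %s, v2: %s\n", sig_hash_name(v1, sizeof v1),
           sig_hash_name(v2, sizeof v2));
    return 0;
}
```

A verifier that read the id byte without switching on the version would treat a v1 SHA1 signature (id 0) as the first entry of the v2 table, which is why unknown versions and out-of-range ids return NULL here.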