From: Vivek G. <vg...@re...> - 2013-07-15 17:08:35
On Mon, Jul 15, 2013 at 06:59:24PM +0300, Dmitry Kasatkin wrote: > On Fri, Jul 12, 2013 at 9:52 PM, Vivek Goyal <vg...@re...> wrote: > > Currently we assume signature version is v1 until and unless -x is > > specified on kernel command line. Given the fact that signature version > > information is available in signature itself, it is much better to get > > it from there and not require user to pass -x during verification phase. > > > > If user passed -x on command line, then honor it. > > > > Now one can do following. > > > > evmctl ima_sign -x /tmp/data.txt > > evmctl ima_verify /tmp/data.txt > > > > Signed-off-by: Vivek Goyal <vg...@re...> > > --- > > src/evmctl.c | 10 ++++++++++ > > 1 files changed, 10 insertions(+), 0 deletions(-) > > > > diff --git a/src/evmctl.c b/src/evmctl.c > > index 03a81ae..ca467c5 100644 > > --- a/src/evmctl.c > > +++ b/src/evmctl.c > > @@ -255,6 +255,7 @@ static int sigfile; > > static int modsig; > > static char *uuid_str; > > static int x509; > > +static bool user_sig_type = false; > > static char *keyfile; > > > > typedef int (*sign_hash_fn_t)(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig); > > @@ -1304,6 +1305,14 @@ static int verify_ima(const char *file, const char *key) > > if (hashlen <= 1) > > return hashlen; > > > > + /* Get signature type from sig header if user did not enforce it */ > > + if (!user_sig_type) { > > + if (sig[1] == DIGSIG_VERSION_1) > > + verify_hash = verify_hash_v1; > > + else if (sig[1] == DIGSIG_VERSION_2) > > + verify_hash = verify_hash_v2; > > + } > > + > > return verify_hash(hash, hashlen, sig + 1, len - 1, key); > > } 
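Review bot: `static bool user_sig_type = false;` relies on `bool` being available in evmctl.c, and the hunk does not show an `#include <stdbool.h>`; confirm one is already present, or use an `int` flag like the neighbouring `x509` and `modsig` declarations for consistency. The explicit `= false` initializer is also redundant for a file-scope static, which is zero-initialized.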
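Review bot: in `verify_ima()`, the new block has no branch for a `sig[1]` value that is neither `DIGSIG_VERSION_1` nor `DIGSIG_VERSION_2`, so an unrecognised or corrupted version byte silently leaves `verify_hash` at whatever it held before (the v1 default) and the signature is checked against the wrong format instead of being rejected. Add an `else` that logs the unknown version and returns an error before the `return verify_hash(hash, hashlen, sig + 1, len - 1, key);`. Reading `sig[1]` also assumes that at least two bytes of signature were read; the visible context only checks `hashlen`, so that length check should be confirmed or added alongside. Finally, assigning the file-scope `verify_hash` from inside the per-file verify path turns a one-time configuration variable into per-call mutable state; selecting a local function pointer inside `verify_ima()` would avoid that.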
> > > > @@ -1716,6 +1725,7 @@ int main(int argc, char *argv[]) > > x509 = 1; > > sign_hash = sign_hash_v2; > > verify_hash = verify_hash_v2; > > + user_sig_type = true; >
> Command line set x509 = 1, which will select "correct" public key/cert file...
>
> In the case of reading the signature version from the header, this fact is not addressed.
>
> Right?

Hmm.., so if we read the signature version from the header and say it is v2, we will still be reading the public key from a key file and not an x509 cert.

That raises an important question. We seem to have tied key format (plain RSA key or x509 certificate) to signature version, and that does not seem to be right. One should be able to sign a file in V1 or V2 form using either an RSA key or an x509 cert. They both contain the same info, just that the certificate carries more metadata about the key. AFAIK, the form of the key does not enforce what kind of signature it is.

So to me, -x should just say that we want to use an x509 cert for signing, but it should not enforce the version of a signature. And we should either deprecate V1 of signature (if nobody is using it) or introduce a new option which specifies what kind of signature we want to generate.

Thoughts?

Thanks
Vivek
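Review bot: `user_sig_type = true;` is set only in the `-x` branch of `main()`, so the commit message's "if user passed -x, honor it" covers v2 only; no option forces v1 when the header says v2, and the new flag therefore only ever disables header detection for the x509 case. As the exchange above points out, the header-derived path also leaves `x509` untouched, so a v2 signature detected from the header is verified with `verify_hash_v2` while the key is still loaded as a plain key rather than a certificate. Either set the matching key-format selection when the version is taken from the header, or, as proposed in the reply, separate the key-format option from the signature-version option so the two are no longer coupled.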