| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 Jan 2016 15:54:33 +0100
From: Juerg Haefliger <juergh@...il.com>
To: LKML <linux-kernel@...r.kernel.org>
Subject: PKCS#7 parser and MS SpcSpOpusInfo OID
Hi,
The pkcs7 kernel parser currently checks for the following AuthAttrs
(in pkcs7_sig_note_set_of_authattrs()):
(ctx->msg->data_type == OID_msIndirectData &&
!test_bit(sinfo_has_ms_opus_info, &sinfo->aa_set))
This check passes for an MS signtool signed kernel but not for an sbsign
signed kernel. The sbsign'ed kernel signature doesn't contain an SpcSpOpusInfo
structure.
signtool signature:
$ dumpasn1 signtool.sig | grep '1 3 6 1 4 1 311'
: spcIndirectDataContext (1 3 6 1 4 1 311 2 1 4)
: spcPEImageData (1 3 6 1 4 1 311 2 1 15)
: spcSpOpusInfo (1 3 6 1 4 1 311 2 1 12)
: spcIndirectDataContext (1 3 6 1 4 1 311 2 1 4)
: spcStatementType (1 3 6 1 4 1 311 2 1 11)
: individualCodeSigning (1 3 6 1 4 1 311 2 1 21)
sbsign signature:
$ dumpasn1 sbsign.sig | grep '1 3 6 1 4 1 311'
: spcIndirectDataContext (1 3 6 1 4 1 311 2 1 4)
: spcPEImageData (1 3 6 1 4 1 311 2 1 15)
: spcIndirectDataContext (1 3 6 1 4 1 311 2 1 4)
Is the check too restrictive or is sbsign doing something wrong? What am I
missing?
Thanks
...Juerg
--
Juerg Haefliger
Hewlett Packard Enterprise
Powered by blists - more mailing lists