| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CADLDEKth6j2ZBRi8A_U8t8kpBRaT5sXnro1cEruy54+YV0SAgQ@mail.gmail.com> Date: Mon, 25 Jan 2016 10:47:18 +0100 From: Juerg Haefliger <juergh@...il.com> To: LKML <linux-kernel@...r.kernel.org> Subject: Re: PKCS#7 parser and MS SpcSpOpusInfo OID On Mon, Jan 18, 2016 at 3:54 PM, Juerg Haefliger <juergh@...il.com> wrote: > Hi, > > The pkcs7 kernel parser currently checks for the following AuthAttrs > (in pkcs7_sig_note_set_of_authattrs()): > > (ctx->msg->data_type == OID_msIndirectData && > !test_bit(sinfo_has_ms_opus_info, &sinfo->aa_set)) > > This check passes for an MS signtool signed kernel but not for an sbsign > signed kernel. The sbsign'ed kernel signature doesn't contain an SpcSpOpusInfo > structure. > > signtool signature: > $ dumpasn1 signtool.sig | grep '1 3 6 1 4 1 311' > : spcIndirectDataContext (1 3 6 1 4 1 311 2 1 4) > : spcPEImageData (1 3 6 1 4 1 311 2 1 15) > : spcSpOpusInfo (1 3 6 1 4 1 311 2 1 12) > : spcIndirectDataContext (1 3 6 1 4 1 311 2 1 4) > : spcStatementType (1 3 6 1 4 1 311 2 1 11) > : individualCodeSigning (1 3 6 1 4 1 311 2 1 21) > > sbsign signature: > $ dumpasn1 sbsign.sig | grep '1 3 6 1 4 1 311' > : spcIndirectDataContext (1 3 6 1 4 1 311 2 1 4) > : spcPEImageData (1 3 6 1 4 1 311 2 1 15) > : spcIndirectDataContext (1 3 6 1 4 1 311 2 1 4) > > Is the check too restrictive or is sbsign doing something wrong? What am I > missing? Addressed here: https://lkml.org/lkml/2016/1/18/331 > Thanks > ...Juerg > > -- > Juerg Haefliger > Hewlett Packard Enterprise -- Juerg Haefliger Hewlett Packard Enterprise
Powered by blists - more mailing lists