When trying to verify signatures then verification may fail if the key id derived from the subject key identifier (skid) is different from the one that is being calculated from the public key. Therefore, first try to get the key id from the skid of a certificate and only if this does not work then fall back to calculating it from the public key. This way signature verification will first use the same method to get the key id as the Linux kernel does.
Signed-off-by: Stefan Berger <[email protected]> --- src/libimaevm.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/libimaevm.c b/src/libimaevm.c index 89330c4..729be7b 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -71,6 +71,9 @@ #include "imaevm.h" #include "hash_info.h" +static int read_keyid_from_cert(uint32_t *keyid_be, const char *certfile, + int try_der); + /* Names that are primary for OpenSSL. */ static const char *const pkey_hash_algo[PKEY_HASH__LAST] = { [PKEY_HASH_MD4] = "md4", @@ -458,7 +461,9 @@ int imaevm_init_public_keys(const char *keyfiles, continue; } - calc_keyid_v2(&entry->keyid, entry->name, entry->key); + if (read_keyid_from_cert(&entry->keyid, keyfile, 1) < 0) + calc_keyid_v2(&entry->keyid, entry->name, entry->key); + sprintf(entry->name, "%x", __be32_to_cpup(&entry->keyid)); log_info("key %d: %s %s\n", i++, entry->name, keyfile); entry->next = *public_keys; -- 2.34.1
