This patch adds support for ima verification for rsa with
pss encoding.

And a patch for ima-evm-utils will be sent later.

Signed-off-by: Hongbo Li <herbert.tenc...@gmail.com>
---
 security/integrity/digsig_asymmetric.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/security/integrity/digsig_asymmetric.c 
b/security/integrity/digsig_asymmetric.c
index 23240d7..ef7a51a 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -85,6 +85,7 @@ int asymmetric_verify(struct key *keyring, const char *sig,
        struct public_key_signature pks;
        struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
        const struct public_key *pk;
+       struct public_key_signature *cert_sig;
        struct key *key;
        int ret;
 
@@ -109,16 +110,21 @@ int asymmetric_verify(struct key *keyring, const char 
*sig,
 
        pk = asymmetric_key_public_key(key);
        pks.pkey_algo = pk->pkey_algo;
-       if (!strcmp(pk->pkey_algo, "rsa"))
-               pks.encoding = "pkcs1";
-       else if (!strncmp(pk->pkey_algo, "ecdsa-", 6))
+       if (!strcmp(pk->pkey_algo, "rsa")) {
+               cert_sig = key->payload.data[asym_auth];
+               if (cert_sig)
+                       pks.encoding = cert_sig->encoding;
+               else
+                       pks.encoding = "pkcs1";
+       } else if (!strncmp(pk->pkey_algo, "ecdsa-", 6)) {
                /* edcsa-nist-p192 etc. */
                pks.encoding = "x962";
-       else if (!strcmp(pk->pkey_algo, "ecrdsa") ||
-                  !strcmp(pk->pkey_algo, "sm2"))
+       } else if (!strcmp(pk->pkey_algo, "ecrdsa") ||
+                  !strcmp(pk->pkey_algo, "sm2")) {
                pks.encoding = "raw";
-       else
+       } else {
                return -ENOPKG;
+       }
 
        pks.digest = (u8 *)data;
        pks.digest_size = datalen;
-- 
1.8.3.1

Reply via email to