[PATCH v4 4/4] ima: add support for rsa pss verification

From: Hongbo Li
Date: Wed Apr 07 2021 - 09:42:46 EST


This patch adds support for ima verification for rsa with
pss encoding.

And a rsa-pss patch for ima-evm-utils has been sent.

Signed-off-by: Hongbo Li <herbert.tencent@xxxxxxxxx>
---
security/integrity/digsig_asymmetric.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/security/integrity/digsig_asymmetric.c b/security/integrity/digsig_asymmetric.c
index 23240d7..ef7a51a 100644
--- a/security/integrity/digsig_asymmetric.c
+++ b/security/integrity/digsig_asymmetric.c
@@ -85,6 +85,7 @@ int asymmetric_verify(struct key *keyring, const char *sig,
struct public_key_signature pks;
struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
const struct public_key *pk;
+ struct public_key_signature *cert_sig;
struct key *key;
int ret;

@@ -109,16 +110,21 @@ int asymmetric_verify(struct key *keyring, const char *sig,

pk = asymmetric_key_public_key(key);
pks.pkey_algo = pk->pkey_algo;
- if (!strcmp(pk->pkey_algo, "rsa"))
- pks.encoding = "pkcs1";
- else if (!strncmp(pk->pkey_algo, "ecdsa-", 6))
+ if (!strcmp(pk->pkey_algo, "rsa")) {
+ cert_sig = key->payload.data[asym_auth];
+ if (cert_sig)
+ pks.encoding = cert_sig->encoding;
+ else
+ pks.encoding = "pkcs1";
+ } else if (!strncmp(pk->pkey_algo, "ecdsa-", 6)) {
/* edcsa-nist-p192 etc. */
pks.encoding = "x962";
- else if (!strcmp(pk->pkey_algo, "ecrdsa") ||
- !strcmp(pk->pkey_algo, "sm2"))
+ } else if (!strcmp(pk->pkey_algo, "ecrdsa") ||
+ !strcmp(pk->pkey_algo, "sm2")) {
pks.encoding = "raw";
- else
+ } else {
return -ENOPKG;
+ }

pks.digest = (u8 *)data;
pks.digest_size = datalen;
--
1.8.3.1