sbvarsign: do not include PKCS#7 attributes
The UEFI spec (8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor) includes the following information about constructing the PKCS#7 message for the authentication descriptor under point 4(g): SignedData.signerInfos shall be constructed as: ... - SignerInfo.authenticatedAttributes shall not be present. sbvarsign does not currently honour this, and generates a PKCS#7 message containing authenticated attributes. This is a snippet from OpenSSL's printout of a message I reconstructed from an auth file: signedAttrs: object: contentType (1.2.840.113549.1.9.3) set: OBJECT:pkcs7-data (1.2.840.113549.1.7.1) object: signingTime (1.2.840.113549.1.9.5) set: UTCTIME:Mar 2 11:20:21 2021 GMT object: messageDigest (1.2.840.113549.1.9.4) set: OCTET STRING: 0000 - 99 58 87 86 82 82 b6 4b-c4 6a e4 e5 6b .X.....K.j..k 000d - 51 39 ac c3 b8 21 24 30-0c 28 e6 e3 aa Q9...!$0.(... 001a - 5c 33 c1 80 3f d1 \3..?. Tell OpenSSL to stop adding attributes. This also brings sbvarsign in to line with sign-efi-sig-list. Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
This commit is contained in:
parent
f12484869c
commit
4b8fc11877
|
@ -251,7 +251,7 @@ static int add_auth_descriptor(struct varsign_context *ctx)
|
|||
md = EVP_get_digestbyname("SHA256");
|
||||
|
||||
p7 = PKCS7_new();
|
||||
flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP;;
|
||||
flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP | PKCS7_NOATTR;;
|
||||
PKCS7_set_type(p7, NID_pkcs7_signed);
|
||||
|
||||
PKCS7_content_new(p7, NID_pkcs7_data);
|
||||
|
|
Loading…
Reference in New Issue