| field | value | date |
|---|---|---|
| author | Daniel Axtens <dja@axtens.net> | 2022-02-21 11:22:47 +1100 |
| committer | James Bottomley <James.Bottomley@HansenPartnership.com> | 2022-02-21 07:45:56 -0500 |
| commit | 4b8fc118774a3dfce41cd21fea3e7cda6bbd0a47 (patch) | |
| tree | 4d70da5756fbc2568e97230e016c6b1985768611 | |
| parent | f12484869c9590682ac3253d583bf59b890bb826 (diff) | |
| download | sbsigntools-4b8fc118774a3dfce41cd21fea3e7cda6bbd0a47.tar.gz | |
sbvarsign: do not include PKCS#7 attributes
The UEFI spec (8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2
descriptor) includes the following information about constructing
the PKCS#7 message for the authentication descriptor under
point 4(g):
    SignedData.signerInfos shall be constructed as:
    ...
    - SignerInfo.authenticatedAttributes shall not be present.
sbvarsign does not currently honour this, and generates a PKCS#7
message containing authenticated attributes. This is a snippet from
OpenSSL's printout of a message I reconstructed from an auth file:
    signedAttrs:
        object: contentType (1.2.840.113549.1.9.3)
        set:
          OBJECT:pkcs7-data (1.2.840.113549.1.7.1)
        object: signingTime (1.2.840.113549.1.9.5)
        set:
          UTCTIME:Mar  2 11:20:21 2021 GMT
        object: messageDigest (1.2.840.113549.1.9.4)
        set:
          OCTET STRING:
            0000 - 99 58 87 86 82 82 b6 4b-c4 6a e4 e5 6b   .X.....K.j..k
            000d - 51 39 ac c3 b8 21 24 30-0c 28 e6 e3 aa   Q9...!$0.(...
            001a - 5c 33 c1 80 3f d1                        \3..?.
Tell OpenSSL to stop adding attributes.
This also brings sbvarsign into line with sign-efi-sig-list.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
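As an added example (not part of this commit or of sbsigntools), here is a Python check a practitioner can run over an existing .auth file to confirm that no SignerInfo carries signedAttrs, i.e. that the file satisfies the spec clause quoted above. It walks the EFI_VARIABLE_AUTHENTICATION_2 layout (EFI_TIME, then a WIN_CERTIFICATE_UEFI_GUID header, then the DER PKCS#7 blob) with a small hand-written DER parser; the header offsets, the EFI_CERT_TYPE_PKCS7_GUID value and the CMS field ordering it relies on are assumptions stated in the comments. The two sample descriptors it builds inline are constructed for the test only (empty issuer name, zero signature); they are not real auth files and cannot be verified by firmware.

```python
"""Check a UEFI .auth file for signedAttrs in its PKCS#7 SignerInfo.
Added example, not sbsigntools code.  Assumed layout (UEFI spec 8.2.2):
  EFI_TIME (16 bytes)
  WIN_CERTIFICATE_UEFI_GUID: dwLength u32 LE (24-byte header + CertData),
      wRevision u16 LE (0x0200), wCertificateType u16 LE (0x0EF1),
      CertType GUID (EFI_CERT_TYPE_PKCS7_GUID), CertData = DER PKCS#7
  variable payload follows CertData."""
import struct
import sys
import uuid

# Assumed constant values (from the UEFI spec / RFC 5652 OIDs).
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7").bytes_le
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")    # 1.2.840.113549.1.7.1
OID_SHA256 = bytes.fromhex("608648016503040201")        # 2.16.840.1.101.3.4.2.1
OID_RSA = bytes.fromhex("2a864886f70d010101")           # 1.2.840.113549.1.1.1
OID_SIGNING_TIME = bytes.fromhex("2a864886f70d010905")  # 1.2.840.113549.1.9.5


# --- minimal DER helpers: single-byte tags, definite lengths (all CMS needs) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def parse_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out


# --- the check itself ---
def signer_infos(pkcs7):
    """Yield the body of each SignerInfo; accepts a ContentInfo wrapper or bare SignedData."""
    tag, body, _ = parse_tlv(pkcs7)
    if tag != 0x30:
        raise ValueError("PKCS#7 blob does not start with a SEQUENCE")
    fields = children(body)
    if fields[0][0] == 0x06:                # ContentInfo { OID, [0] EXPLICIT SignedData }
        if fields[0][1] != OID_SIGNED_DATA or fields[1][0] != 0xA0:
            raise ValueError("not a signedData ContentInfo")
        _, body, _ = parse_tlv(fields[1][1])
        fields = children(body)
    set_tag, set_body = fields[-1]          # signerInfos is the last SignedData field
    if set_tag != 0x31:
        raise ValueError("signerInfos SET not found")
    return [val for _, val in children(set_body)]


def signer_info_has_signed_attrs(si_body):
    # SignerInfo fields: version, sid, digestAlgorithm, [0] signedAttrs (optional), ...
    fields = children(si_body)
    return len(fields) > 3 and fields[3][0] == 0xA0


def pkcs7_has_signed_attrs(pkcs7):
    return any(signer_info_has_signed_attrs(si) for si in signer_infos(pkcs7))


def pkcs7_from_auth(blob):
    """Extract CertData from an EFI_VARIABLE_AUTHENTICATION_2 descriptor (assumed layout)."""
    dw_length, _rev, cert_type = struct.unpack_from("<IHH", blob, 16)
    if cert_type != WIN_CERT_TYPE_EFI_GUID or blob[24:40] != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("not a WIN_CERTIFICATE_UEFI_GUID carrying PKCS#7")
    return blob[40:16 + dw_length]


def auth_file_has_signed_attrs(blob):
    return pkcs7_has_signed_attrs(pkcs7_from_auth(blob))


# --- constructed sample input for testing only (no real key, no real issuer) ---
def build_signed_data(with_attrs):
    sha256_alg = tlv(0x30, tlv(0x06, OID_SHA256) + tlv(0x05, b""))
    rsa_alg = tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05, b""))
    sid = tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x01"))   # empty issuer Name + serial 1
    attrs = b""
    if with_attrs:                          # what sbvarsign emitted before PKCS7_NOATTR
        attrs = tlv(0xA0, tlv(0x30, tlv(0x06, OID_SIGNING_TIME)
                              + tlv(0x31, tlv(0x17, b"210302112021Z"))))
    si = tlv(0x30, tlv(0x02, b"\x01") + sid + sha256_alg + attrs + rsa_alg + tlv(0x04, bytes(8)))
    sd = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, sha256_alg)
             + tlv(0x30, tlv(0x06, OID_PKCS7_DATA)) + tlv(0x31, si))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, sd))


def build_auth_file(pkcs7, payload=b""):
    hdr = struct.pack("<IHH", 24 + len(pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID)
    return bytes(16) + hdr + EFI_CERT_TYPE_PKCS7_GUID + pkcs7 + payload


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        verdict = auth_file_has_signed_attrs(f.read())
    print("signedAttrs present (not spec-conformant)" if verdict else "no signedAttrs")
```

Run it as `python3 check_auth.py PK.auth`; a file produced before this commit reports signedAttrs present, one produced afterwards reports none. The check deliberately accepts both a ContentInfo-wrapped and a bare SignedData blob, since tools differ on which form they emit.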
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | src/sbvarsign.c | 2 |

1 file changed, 1 insertion, 1 deletion
diff --git a/src/sbvarsign.c b/src/sbvarsign.c index 15dfe8b..58031ec 100644 --- a/src/sbvarsign.c +++ b/src/sbvarsign.c @@ -251,7 +251,7 @@ static int add_auth_descriptor(struct varsign_context *ctx) md = EVP_get_digestbyname("SHA256"); p7 = PKCS7_new(); - flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP;; + flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP | PKCS7_NOATTR;; PKCS7_set_type(p7, NID_pkcs7_signed); PKCS7_content_new(p7, NID_pkcs7_data); |
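Review bot: the stray double semicolon `;;` at the end of the `flags = ...` assignment survives on the `+` line; since this line is being rewritten anyway, drop it to `flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP | PKCS7_NOATTR;`. Otherwise the change does what the commit message says: with PKCS7_NOATTR the SignerInfo carries no signedAttrs, so the signature covers the detached content directly rather than the attribute set, which is what the quoted spec clause (authenticatedAttributes shall not be present) requires. A small regression test that builds an auth descriptor and asserts the absence of the `[0]` signedAttrs element in the resulting SignerInfo would keep the flag from being lost again.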