authorDaniel Axtens <dja@axtens.net>2022-02-21 11:22:47 +1100
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2022-02-21 07:45:56 -0500
commit4b8fc118774a3dfce41cd21fea3e7cda6bbd0a47 (patch)
tree4d70da5756fbc2568e97230e016c6b1985768611
parentf12484869c9590682ac3253d583bf59b890bb826 (diff)
downloadsbsigntools-4b8fc118774a3dfce41cd21fea3e7cda6bbd0a47.tar.gz
sbvarsign: do not include PKCS#7 attributes
The UEFI spec (8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor) includes the following information about constructing the PKCS#7 message for the authentication descriptor under point 4(g):

    SignedData.signerInfos shall be constructed as:
    ...
    - SignerInfo.authenticatedAttributes shall not be present.

sbvarsign does not currently honour this, and generates a PKCS#7 message containing authenticated attributes. This is a snippet from OpenSSL's printout of a message I reconstructed from an auth file:

    signedAttrs:
        object: contentType (1.2.840.113549.1.9.3)
        set:
          OBJECT:pkcs7-data (1.2.840.113549.1.7.1)
        object: signingTime (1.2.840.113549.1.9.5)
        set:
          UTCTIME:Mar  2 11:20:21 2021 GMT
        object: messageDigest (1.2.840.113549.1.9.4)
        set:
          OCTET STRING:
            0000 - 99 58 87 86 82 82 b6 4b-c4 6a e4 e5 6b   .X.....K.j..k
            000d - 51 39 ac c3 b8 21 24 30-0c 28 e6 e3 aa   Q9...!$0.(...
            001a - 5c 33 c1 80 3f d1                        \3..?.

Tell OpenSSL to stop adding attributes. This also brings sbvarsign into line with sign-efi-sig-list.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--  src/sbvarsign.c  2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/sbvarsign.c b/src/sbvarsign.c
index 15dfe8b..58031ec 100644
--- a/src/sbvarsign.c
+++ b/src/sbvarsign.c
@@ -251,7 +251,7 @@ static int add_auth_descriptor(struct varsign_context *ctx)
md = EVP_get_digestbyname("SHA256");
p7 = PKCS7_new();
- flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP;;
+ flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP | PKCS7_NOATTR;;
PKCS7_set_type(p7, NID_pkcs7_signed);
PKCS7_content_new(p7, NID_pkcs7_data);
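Review bot: The `flags = ...` line on both the `-` and `+` sides ends in a stray double semicolon (`;;`); since this line is being rewritten anyway, drop the extra semicolon so the assignment reads `flags = PKCS7_BINARY | PKCS7_DETACHED | PKCS7_NOSMIMECAP | PKCS7_NOATTR;`. Adding `PKCS7_NOATTR` is the right way to ask OpenSSL to omit the signedAttrs set (contentType, signingTime, messageDigest) that the commit message shows, which is what 8.2.2 point 4(g) of the UEFI spec requires for an EFI_VARIABLE_AUTHENTICATION_2 descriptor; the hunk only shows the flag variable being set, so the reviewer should confirm that this same `flags` value is the one handed to the signer-adding call further down in `add_auth_descriptor()`, otherwise the attributes would still be emitted. Worth noting in the message or a comment that without signed attributes the signature is computed directly over the content digest, so a firmware verifier expecting the spec's layout will accept the result while an S/MIME-style verifier that insists on a messageDigest attribute will not; a quick check is to dump the generated auth file with OpenSSL again and confirm that no `signedAttrs` section appears.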