Package is "pesign-obs-integration" Tue Jan 25 17:35:37 2022 rev:46 rq:948089 version:10.2+git20210804.ff18da1 Changes: -------- --- /work/SRC/openSUSE:Factory/pesign-obs-integration/pesign-obs-integration.changes 2021-08-06 22:44:57.682051383 +0200 +++ /work/SRC/openSUSE:Factory/.pesign-obs-integration.new.1938/pesign-obs-integration.changes 2022-01-25 17:35:43.326478156 +0100 @@ -1,0 +2,9 @@ +Fri Jan 21 08:49:34 UTC 2022 - Michal Suchanek <msucha...@suse.com> + +- Support signing grub on powerpc (jsc#SLE-18271 bsc#1192764). + + 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch + + 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch + + 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch + + 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch + +------------------------------------------------------------------- @@ -19 +28 @@ - * Add support for GZIP and ZSTD module compression + * Add support for GZIP and ZSTD module compression (bsc#1188636) @@ -54 +63 @@ - * Compress kernel modules in batch and in parallel + * Compress kernel modules in batch and in parallel (bsc#1188636) @@ -127 +136 @@ - support kernel module compression (bsc#1135854) + support kernel module compression (bsc#1135854, jsc#SLE-16661) New: ---- 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pesign-obs-integration.spec ++++++ --- /var/tmp/diff_new_pack.sv4X8G/_old 2022-01-25 17:35:46.102459037 +0100 +++ /var/tmp/diff_new_pack.sv4X8G/_new 2022-01-25 17:35:46.110458982 +0100 
@@ -1,7 +1,7 @@ # # spec file for package pesign-obs-integration # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,6 +25,10 @@ Group: Development/Tools/Other URL: https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools Source: %{name}-%{version}.tar.gz +Patch1: 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch +Patch2: 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch +Patch3: 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch +Patch4: 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch BuildRequires: openssl Requires: fipscheck Requires: mozilla-nss-tools ++++++ 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch ++++++ >From 13efe2232909a600531142959b2e4380af46676f Mon Sep 17 00:00:00 2001 From: Michal Suchanek <msucha...@suse.de> Date: Tue, 23 Nov 2021 16:40:27 +0100 Subject: [PATCH 1/4] Support ppc grub signing (jsc#SLE-18271 bsc#1192764). Signed-off-by: Michal Suchanek <msucha...@suse.de> --- brp-99-pesign | 14 ++++++++++++++ pesign-repackage.spec.in | 22 +++++++++++++++++++++- 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/brp-99-pesign b/brp-99-pesign index 0e415d6..c6e9d54 100644 --- a/brp-99-pesign +++ b/brp-99-pesign @@ -58,6 +58,19 @@ if ! mkdir -p "$output"; then exit 0 fi +case "$BRP_PESIGN_GRUB_RESERVATION" in + '') + pesign_grub_reservation="0" + ;; + *[!0-9]*) + echo "$0: warning: non-numerc value '$BRP_PESIGN_GRUB_RESERVATION' of BRP_PESIGN_GRUB_RESERVATION" >&2 + pesign_grub_reservation="0" + ;; + *) + pesign_grub_reservation="${BRP_PESIGN_GRUB_RESERVATION}" + ;; +esac + if test "${BRP_PESIGN_COMPRESS_MODULE}" = "xz"; then pesign_repackage_compress="--compress xz" elif test "${BRP_PESIGN_COMPRESS_MODULE}" = "gzip"; then 
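Review bot: The warning emitted by the `*[!0-9]*` arm of the new `case` misspells its key word; it should read `echo "$0: warning: non-numeric value '$BRP_PESIGN_GRUB_RESERVATION' of BRP_PESIGN_GRUB_RESERVATION" >&2`. The digits-only check itself is the important part, because the value is later substituted unescaped into the sed template (`s:@PESIGN_GRUB_RESERVATION@:$pesign_grub_reservation:g` in the next hunk), and a comment above the `case` should say so: `# digits only: the value is interpolated into a sed script below`. Note that the fallback to 0 is not harmless for the repackage step, since a zero reservation makes every grub.elf.sig fail the fit check there; that is acceptable as long as the warning makes the cause findable in the build log.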
@@ -77,6 +90,7 @@ else fi sed " s:@NAME@:$RPM_PACKAGE_NAME:g + s:@PESIGN_GRUB_RESERVATION@:$pesign_grub_reservation:g s:@PESIGN_REPACKAGE_COMPRESS@:$pesign_repackage_compress:g /@CERT@/ { r $cert diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in index eebc609..f473fa1 100644 --- a/pesign-repackage.spec.in +++ b/pesign-repackage.spec.in @@ -126,7 +126,7 @@ sigs=($(find -type f -name '*.sig' -printf '%%P\n')) for sig in "${sigs[@]}"; do f=%buildroot/${sig%.sig} case "/$sig" in - *.ko.sig) + *.ko.sig|*.mod.sig) /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" ;; /boot/* | *.efi.sig | */lib/modules/*/vmlinu[xz].sig | */lib/modules/*/[Ii]mage.sig | */lib/modules/*/z[Ii]mage.sig) 
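Review bot: The added `s:@PESIGN_GRUB_RESERVATION@:$pesign_grub_reservation:g` line relies on an invariant established elsewhere in this file, namely that `$pesign_grub_reservation` has already been reduced to a digits-only string; a `:` or newline in it would otherwise change the sed script. That dependency deserves a comment on the line, e.g. `# $pesign_grub_reservation is validated digits-only above; safe inside the sed script`, so that a future edit to the validation does not silently reopen the template to injection. The surrounding `sed "` heredoc-style script starts before this hunk and ends after it.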
@@ -157,6 +157,26 @@ for sig in "${sigs[@]}"; do *stage3.bin.sig) /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" ;; + *grub.elf.sig) + sig_size="$(wc -c < "$sig")" + unsigned_grub_size="$(wc -c < "$f")" + /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" "$f".appendtest + signed_grub_size="$(wc -c < "$f".appendtest)" + rm "$f".appendtest + footer_size="$(expr "$signed_grub_size" - "$unsigned_grub_size" - "$sig_size")" + if ! [ $(expr "$sig_size" + "$footer_size") -le "@PESIGN_GRUB_RESERVATION@" ] ; then + echo "size of '$sig' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)" + exit 1 + fi + sig_size="$(expr "@PESIGN_GRUB_RESERVATION@" - "$footer_size")" + truncate -s $sig_size "$sig" + /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" + grub_size="$(wc -c < "$f")" + if ! [ "$(expr "$unsigned_grub_size" + "@PESIGN_GRUB_RESERVATION@")" -eq "$grub_size" ] ; then + echo "The size of unsigned grub ($unsigned_grub_size) + reservation (@PESIGN_GRUB_RESERVATION@) does not add up to signed grub size ($grub_size)" + exit 1 + fi + ;; *) echo "Warning: unhandled signature: $sig" >&2 esac -- 2.34.1 ++++++ 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch ++++++ >From 85f8f72c2f055ca2fa48ec1e7ad7911e8e3744ad Mon Sep 17 00:00:00 2001 From: Michal Suchanek <msucha...@suse.de> Date: Tue, 4 Jan 2022 12:49:54 +0100 Subject: [PATCH 2/4] kernel-sign-file: Move x509 parsing into a function. This should not introduce any functionality change but next patch will make the parsing optional. Signed-off-by: Michal Suchanek <msucha...@suse.de> --- kernel-sign-file | 201 +++++++++++++++++++++++++---------------------- 1 file changed, 106 insertions(+), 95 deletions(-) diff --git a/kernel-sign-file b/kernel-sign-file index ce76a40..2e5b7aa 100755 --- a/kernel-sign-file +++ b/kernel-sign-file 
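Review bot: Both failure messages in the new `*grub.elf.sig)` arm go to stdout while the neighbouring `Warning: unhandled signature` line uses `>&2`; since these paths `exit 1`, they should be on stderr as well, e.g. `echo "size of '$sig' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)" >&2`. The variable `sig_size` is also reused for two different quantities (the input signature length, then the padded target length), which makes the two checks harder to read; a second name such as `padded_sig_size` would help. Patch 4 of this same request rewrites the padding logic, so this is only about the lines it leaves in place.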
@@ -226,113 +226,119 @@ sub asn1_pack($@) # Roughly parse the X.509 certificate # ############################################################################### -my $cursor = [ 0, length($x509_certificate), \$x509_certificate ]; - -my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE); -my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE); -my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1); -my $serial_number = asn1_extract($tbs->[1], $UNIV | $INTEGER); -my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE); -my $issuer = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE); -my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE); -my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE); -my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE); -my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1); -my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1); -my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1); - -my $subject_key_id = (); -my $authority_key_id = (); - -# -# Parse the extension list -# -if ($extension_list->[0] != -1) { - my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS | $SEQUENCE); - - while ($extensions->[1]->[1] > 0) { - my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE); - my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID); - my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1); - my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING); +sub parse_certificate($) +{ + my ($x509_certificate) = @_; + my $cursor = [ 0, length($x509_certificate), \$x509_certificate ]; + my %result; + + my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE); + my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE); + my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1); + $result{serial_number} = asn1_extract($tbs->[1], $UNIV | $INTEGER); + my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE); + 
$result{issuer} = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE); + my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE); + my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE); + my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE); + my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1); + my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1); + my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1); + + $result{subject_key_id} = (); + my $authority_key_id = (); + + # + # Parse the extension list + # + if ($extension_list->[0] != -1) { + my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS | $SEQUENCE); + + while ($extensions->[1]->[1] > 0) { + my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE); + my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID); + my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1); + my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING); + + my $raw_oid = asn1_retrieve($x_oid->[1]); + next if (!exists($OIDs{$raw_oid})); + my $x_type = $OIDs{$raw_oid}; + + my $raw_value = asn1_retrieve($x_val->[1]); + + if ($x_type eq "subjectKeyIdentifier") { + my $vcursor = [ 0, length($raw_value), \$raw_value ]; + + $result{subject_key_id} = asn1_extract($vcursor, $UNIV | $OCTET_STRING); + } + } + } - my $raw_oid = asn1_retrieve($x_oid->[1]); + ############################################################################### + # + # Determine what we're going to use as the signer's name. In order of + # preference, take one of: commonName, organizationName or emailAddress. 
+ # + ############################################################################### + my $org = ""; + my $cn = ""; + my $email = ""; + + while ($subject->[1]->[1] > 0) { + my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET); + my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE); + my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID); + my $n_val = asn1_extract($attr->[1], -1); + + my $raw_oid = asn1_retrieve($n_oid->[1]); next if (!exists($OIDs{$raw_oid})); - my $x_type = $OIDs{$raw_oid}; - - my $raw_value = asn1_retrieve($x_val->[1]); + my $n_type = $OIDs{$raw_oid}; - if ($x_type eq "subjectKeyIdentifier") { - my $vcursor = [ 0, length($raw_value), \$raw_value ]; + my $raw_value = asn1_retrieve($n_val->[1]); - $subject_key_id = asn1_extract($vcursor, $UNIV | $OCTET_STRING); + if ($n_type eq "organizationName") { + $org = $raw_value; + } elsif ($n_type eq "commonName") { + $cn = $raw_value; + } elsif ($n_type eq "emailAddress") { + $email = $raw_value; } } -} -############################################################################### -# -# Determine what we're going to use as the signer's name. In order of -# preference, take one of: commonName, organizationName or emailAddress. 
-# -############################################################################### -my $org = ""; -my $cn = ""; -my $email = ""; - -while ($subject->[1]->[1] > 0) { - my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET); - my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE); - my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID); - my $n_val = asn1_extract($attr->[1], -1); - - my $raw_oid = asn1_retrieve($n_oid->[1]); - next if (!exists($OIDs{$raw_oid})); - my $n_type = $OIDs{$raw_oid}; - - my $raw_value = asn1_retrieve($n_val->[1]); - - if ($n_type eq "organizationName") { - $org = $raw_value; - } elsif ($n_type eq "commonName") { - $cn = $raw_value; - } elsif ($n_type eq "emailAddress") { - $email = $raw_value; - } -} + $result{signers_name} = $email; -my $signers_name = $email; + if ($org && $cn) { + # Don't use the organizationName if the commonName repeats it + if (length($org) <= length($cn) && + substr($cn, 0, length($org)) eq $org) { + $result{signers_name} = $cn; + goto got_id_name; + } -if ($org && $cn) { - # Don't use the organizationName if the commonName repeats it - if (length($org) <= length($cn) && - substr($cn, 0, length($org)) eq $org) { - $signers_name = $cn; - goto got_id_name; - } + # Or a signifcant chunk of it + if (length($org) >= 7 && + length($cn) >= 7 && + substr($cn, 0, 7) eq substr($org, 0, 7)) { + $result{signers_name} = $cn; + goto got_id_name; + } - # Or a signifcant chunk of it - if (length($org) >= 7 && - length($cn) >= 7 && - substr($cn, 0, 7) eq substr($org, 0, 7)) { - $signers_name = $cn; - goto got_id_name; + $result{signers_name} = $org . ": " . $cn; + } elsif ($org) { + $result{signers_name} = $org; + } elsif ($cn) { + $result{signers_name} = $cn; } - $signers_name = $org . ": " . 
$cn; -} elsif ($org) { - $signers_name = $org; -} elsif ($cn) { - $signers_name = $cn; -} + got_id_name: -got_id_name: + die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n" + if (!$result{subject_key_id}); -die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n" - if (!$subject_key_id); - -my $key_identifier = asn1_retrieve($subject_key_id->[1]); + $result{key_identifier} = asn1_retrieve($result{subject_key_id}->[1]); + return %result; +} ############################################################################### # # Create and attach the module signature @@ -430,8 +436,13 @@ if ($signature_file) { "openssl rsautl -sign -inkey $private_key -keyform PEM"); } +my %certdata = parse_certificate($x509_certificate); +my $signers_name; +my $key_identifier; if ($id_type == 1) { $signature = pack("n", length($signature)) . $signature, + $signers_name = $certdata{signers_name}; + $key_identifier = $certdata{key_identifier}; } elsif ($id_type == 2) { # create PKCS7 signature $signature = asn1_pack($UNIV | $OCTET_STRING, $signature); 
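Review bot: `parse_certificate` is meant to be a self-contained helper, but its `die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n"` still reads the file-scope `$x509` rather than anything passed in, so the function depends on a global that the caller must have set. Either pass the name as a second argument or drop it from the message, e.g. `die "X.509: Couldn't find the Subject Key Identifier extension\n"`. The local `my $authority_key_id = ();` is carried over but never read and can go. A short header comment stating what the returned hash contains (`serial_number`, `issuer`, `subject_key_id`, `signers_name`, `key_identifier`) would make the refactor easier to follow.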
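Review bot: The context line `$signature = pack("n", length($signature)) . $signature,` ends in a comma, so with the two added assignments the `$id_type == 1` branch is now a single comma-operator expression rather than three statements; it works only because assignment binds tighter than `,`. Change the trailing `,` to `;` on that line so the new `$signers_name = $certdata{signers_name};` and `$key_identifier = $certdata{key_identifier};` are ordinary statements. The `if`/`elsif` chain this hunk edits continues past the end of the hunk.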
@@ -439,10 +450,10 @@ if ($id_type == 1) { my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo); my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq); my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1)); - my $si_issuer = asn1_pack($issuer->[0], asn1_retrieve($issuer->[1])); - my $si_serial = asn1_pack($serial_number->[0], asn1_retrieve($serial_number->[1])); + my $si_issuer = asn1_pack($certdata{issuer}->[0], asn1_retrieve($certdata{issuer}->[1])); + my $si_serial = asn1_pack($certdata{serial_number}->[0], asn1_retrieve($certdata{serial_number}->[1])); my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial); - my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($subject_key_id->[1])); + my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($certdata{subject_key_id}->[1])); my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1)); my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL)); my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial; -- 2.34.1 ++++++ 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch ++++++ >From 68baaf0ca940712d4cfbe5d7c55bc8407efc19ce Mon Sep 17 00:00:00 2001 From: Michal Suchanek <msucha...@suse.de> Date: Tue, 4 Jan 2022 12:29:21 +0100 Subject: [PATCH 3/4] kernel-sign-file: Support appending verbatim PKCS#7 signature. When existing signature is specified upstream appends it verbatim as PKCS#7 but kernel-ding-file assumes it's raw RSA signature and wraps PKCS#7 around it beforee appending. Because the certificate is not required for just dumping the whole signature after the data but is required to create the PKCS#7 wrapper we can support both. When a certificate is specified create a wrapper, when not just copy the signature without touching it. 
Signed-off-by: Michal Suchanek <msucha...@suse.de> --- kernel-sign-file | 60 +++++++++++++++++++++++++++++------------------- 1 file changed, 37 insertions(+), 23 deletions(-) diff --git a/kernel-sign-file b/kernel-sign-file index 2e5b7aa..9cacefb 100755 --- a/kernel-sign-file +++ b/kernel-sign-file @@ -42,7 +42,6 @@ if (@ARGV) { die "Can't read private key\n" if (!$signature_file && !-r $private_key); die "Can't read signature file\n" if ($signature_file && !-r $signature_file); -die "Can't read X.509 certificate\n" unless (-r $x509); die "Can't read module\n" unless (-r $module); # @@ -99,7 +98,6 @@ sub openssl_pipe($$) { # we're intending to use to sign the module. # ############################################################################### -my $x509_certificate = read_file($x509); my $UNIV = 0 << 6; my $APPL = 1 << 6; 
@@ -436,35 +434,51 @@ if ($signature_file) { "openssl rsautl -sign -inkey $private_key -keyform PEM"); } -my %certdata = parse_certificate($x509_certificate); +my %certdata; my $signers_name; my $key_identifier; +my $x509_certificate; if ($id_type == 1) { + die "Can't read X.509 certificate\n" unless (-r $x509); + $x509_certificate = read_file($x509); + %certdata = parse_certificate($x509_certificate); $signature = pack("n", length($signature)) . $signature, $signers_name = $certdata{signers_name}; $key_identifier = $certdata{key_identifier}; } elsif ($id_type == 2) { # create PKCS7 signature - $signature = asn1_pack($UNIV | $OCTET_STRING, $signature); - my $digest_algo = substr($prologue, 4, 2 + unpack('C', substr($prologue, 5, 1))); - my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo); - my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq); - my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1)); - my $si_issuer = asn1_pack($certdata{issuer}->[0], asn1_retrieve($certdata{issuer}->[1])); - my $si_serial = asn1_pack($certdata{serial_number}->[0], asn1_retrieve($certdata{serial_number}->[1])); - my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial); - my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($certdata{subject_key_id}->[1])); - my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1)); - my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL)); - my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial; - my $si = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_verstion, $signer_identifier, $digest_algo_seq, $encryption_seq, $signature); - my $si_set = asn1_pack($UNIV | $CONS | $SET, $si); - my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 
3 : 1)); - my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 1)); - my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data); - my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version, $digest_algo_seq_set, $pkcs7_data_seq, $si_set); - my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 2)); - $signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data, asn1_pack($CONT | $CONS | 0, $sid)); + if ($x509) { + die "Can't read X.509 certificate\n" unless (-r $x509); + $x509_certificate = read_file($x509); + } else { + print "No certificate specified, assuming pre-built PKCS#7 signature.\n" if ($verbose); + $x509_certificate = ''; + } + if ($x509_certificate) { + %certdata = parse_certificate($x509_certificate); + $signature = asn1_pack($UNIV | $OCTET_STRING, $signature); + my $digest_algo = substr($prologue, 4, 2 + unpack('C', substr($prologue, 5, 1))); + my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo); + my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET, $digest_algo_seq); + my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1)); + my $si_issuer = asn1_pack($certdata{issuer}->[0], asn1_retrieve($certdata{issuer}->[1])); + my $si_serial = asn1_pack($certdata{serial_number}->[0], asn1_retrieve($certdata{serial_number}->[1])); + my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer, $si_serial); + my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($certdata{subject_key_id}->[1])); + my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 1, 1)); + my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption, asn1_pack($UNIV | $NULL)); + my $signer_identifier = $use_keyid ? 
$si_keyid : $si_issuer_serial; + my $si = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_verstion, $signer_identifier, $digest_algo_seq, $encryption_seq, $signature); + my $si_set = asn1_pack($UNIV | $CONS | $SET, $si); + my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 : 1)); + my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 1)); + my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data); + my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version, $digest_algo_seq_set, $pkcs7_data_seq, $si_set); + my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72, 134, 247, 13, 1, 7, 2)); + $signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data, asn1_pack($CONT | $CONS | 0, $sid)); + } else { + print "Certificate is empty, assuming pre-built PKCS#7 signature.\n" if ($verbose); + } # zero out unneeded entries $signers_name = ''; $key_identifier = ''; -- 2.34.1 ++++++ 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch ++++++ >From 5b255595f4101b136db55538a59ef5b1fc3439e5 Mon Sep 17 00:00:00 2001 From: Michal Suchanek <msucha...@suse.de> Date: Tue, 4 Jan 2022 12:20:36 +0100 Subject: [PATCH 4/4] Add padding to grub signature correctly (jsc#SLE-18271 bsc#1192764). Upstream sign-file supports including whole PKCS#7 signature verbatim while kernel-sign-file supports building PKCS#7 around raw RSA signature as provided by OBS. Now kernel-sign-file also supports what upstream does so make use of it. First wrap PKCS#7 around the RSA signature, then pad, then append. Fixes: 13efe22 ("Support ppc grub signing (jsc#SLE-18271 bsc#1192764).") --- pesign-repackage.spec.in | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in index f473fa1..8c07fc4 100644 --- a/pesign-repackage.spec.in +++ b/pesign-repackage.spec.in 
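Review bot: The verbatim path appends `$signature` untouched whenever `$x509_certificate` is false, which covers both the explicit empty argument and a certificate file that exists but is empty; if the second case is intended as another way to request verbatim mode, a comment should say so, otherwise guard it with `die "Empty X.509 certificate: $x509\n" if ($x509 && !$x509_certificate);` so a truncated cert file cannot silently turn a raw RSA signature into a bogus "PKCS#7" blob. A minimal shape check on the pre-built signature would also catch most accidental raw inputs, e.g. `die "Signature is not a DER PKCS#7 blob\n" unless (substr($signature, 0, 1) eq "\x30");`, since a DER SignedData always starts with a SEQUENCE tag. The `elsif ($id_type == 2)` block this hunk edits closes after the last hunk line.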
@@ -160,17 +160,18 @@ for sig in "${sigs[@]}"; do
 	*grub.elf.sig)
 		sig_size="$(wc -c < "$sig")"
 		unsigned_grub_size="$(wc -c < "$f")"
-		/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f" "$f".appendtest
-		signed_grub_size="$(wc -c < "$f".appendtest)"
-		rm "$f".appendtest
-		footer_size="$(expr "$signed_grub_size" - "$unsigned_grub_size" - "$sig_size")"
+		/usr/lib/rpm/pesign/kernel-sign-file -vpd -i pkcs7 -s "$sig" sha256 "$cert" "$f"
+		sig_size="$(wc -c < "$f.p7s")"
+		footer_size=40
+		grub_size="$(wc -c < "$f")"
 		if ! [ $(expr "$sig_size" + "$footer_size") -le "@PESIGN_GRUB_RESERVATION@" ] ; then
-			echo "size of '$sig' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
+			echo "size of '$f.p7s' ($sig_size) cannot fit into reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
 			exit 1
 		fi
 		sig_size="$(expr "@PESIGN_GRUB_RESERVATION@" - "$footer_size")"
-		truncate -s $sig_size "$sig"
-		/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
+		truncate -s $sig_size "$f.p7s"
+		/usr/lib/rpm/pesign/kernel-sign-file -v -i pkcs7 -s "$f.p7s" sha256 "" "$f"
+		rm "$f.p7s"
 		grub_size="$(wc -c < "$f")"
 		if ! [ "$(expr "$unsigned_grub_size" + "@PESIGN_GRUB_RESERVATION@")" -eq "$grub_size" ] ; then
 			echo "The size of unsigned grub ($unsigned_grub_size) + reservation (@PESIGN_GRUB_RESERVATION@) does not add up to signed grub size ($grub_size)"
-- 
2.34.1
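Review bot: `footer_size=40` replaces the value the previous version measured with a test append, but nothing says where 40 comes from; it is presumably the fixed trailer kernel-sign-file writes after the signature (the module_signature header plus the magic string), and it needs a comment such as `# bytes kernel-sign-file appends after the signature (module_signature header + magic); the final size check below catches a mismatch`. The approach also zero-pads the DER PKCS#7 blob inside `$f.p7s` before it is appended, so it relies on the consumer accepting trailing zero bytes after the SignedData structure — worth confirming against the grub appended-signature verifier and recording in the same comment. The two `echo` failure messages still go to stdout while the `exit 1` that follows makes them errors; add `>&2` to both. The `-vpd` and `-v ... ""` invocations encode the split into "sign to .p7s only" and "append verbatim", and a one-line comment on each would spare the next reader a trip to kernel-sign-file's option parsing.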