Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package pesign-obs-integration for
openSUSE:Factory checked in at 2022-01-25 17:35:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pesign-obs-integration (Old)
and /work/SRC/openSUSE:Factory/.pesign-obs-integration.new.1938 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pesign-obs-integration"
Tue Jan 25 17:35:37 2022 rev:46 rq:948089 version:10.2+git20210804.ff18da1
Changes:
--------
---
/work/SRC/openSUSE:Factory/pesign-obs-integration/pesign-obs-integration.changes
2021-08-06 22:44:57.682051383 +0200
+++
/work/SRC/openSUSE:Factory/.pesign-obs-integration.new.1938/pesign-obs-integration.changes
2022-01-25 17:35:43.326478156 +0100
@@ -1,0 +2,9 @@
+Fri Jan 21 08:49:34 UTC 2022 - Michal Suchanek <msucha...@suse.com>
+
+- Support signing grub on powerpc (jsc#SLE-18271 bsc#1192764).
+ + 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
+ + 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
+ + 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
+ + 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
+
+-------------------------------------------------------------------
@@ -19 +28 @@
- * Add support for GZIP and ZSTD module compression
+ * Add support for GZIP and ZSTD module compression (bsc#1188636)
@@ -54 +63 @@
- * Compress kernel modules in batch and in parallel
+ * Compress kernel modules in batch and in parallel (bsc#1188636)
@@ -127 +136 @@
- support kernel module compression (bsc#1135854)
+ support kernel module compression (bsc#1135854, jsc#SLE-16661)
New:
----
0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pesign-obs-integration.spec ++++++
--- /var/tmp/diff_new_pack.sv4X8G/_old 2022-01-25 17:35:46.102459037 +0100
+++ /var/tmp/diff_new_pack.sv4X8G/_new 2022-01-25 17:35:46.110458982 +0100
@@ -1,7 +1,7 @@
#
# spec file for package pesign-obs-integration
#
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -25,6 +25,10 @@
Group: Development/Tools/Other
URL: https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
Source: %{name}-%{version}.tar.gz
+Patch1: 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch
+Patch2: 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch
+Patch3: 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch
+Patch4: 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch
BuildRequires: openssl
Requires: fipscheck
Requires: mozilla-nss-tools
++++++ 0001-Support-ppc-grub-signing-jsc-SLE-18271-bsc-1192764.patch ++++++
>From 13efe2232909a600531142959b2e4380af46676f Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msucha...@suse.de>
Date: Tue, 23 Nov 2021 16:40:27 +0100
Subject: [PATCH 1/4] Support ppc grub signing (jsc#SLE-18271 bsc#1192764).
Signed-off-by: Michal Suchanek <msucha...@suse.de>
---
brp-99-pesign | 14 ++++++++++++++
pesign-repackage.spec.in | 22 +++++++++++++++++++++-
2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/brp-99-pesign b/brp-99-pesign
index 0e415d6..c6e9d54 100644
--- a/brp-99-pesign
+++ b/brp-99-pesign
@@ -58,6 +58,19 @@ if ! mkdir -p "$output"; then
exit 0
fi
+case "$BRP_PESIGN_GRUB_RESERVATION" in
+ '')
+ pesign_grub_reservation="0"
+ ;;
+ *[!0-9]*)
+ echo "$0: warning: non-numerc value
'$BRP_PESIGN_GRUB_RESERVATION' of BRP_PESIGN_GRUB_RESERVATION" >&2
+ pesign_grub_reservation="0"
+ ;;
+ *)
+ pesign_grub_reservation="${BRP_PESIGN_GRUB_RESERVATION}"
+ ;;
+esac
+
if test "${BRP_PESIGN_COMPRESS_MODULE}" = "xz"; then
pesign_repackage_compress="--compress xz"
elif test "${BRP_PESIGN_COMPRESS_MODULE}" = "gzip"; then
@@ -77,6 +90,7 @@ else
fi
sed "
s:@NAME@:$RPM_PACKAGE_NAME:g
+ s:@PESIGN_GRUB_RESERVATION@:$pesign_grub_reservation:g
s:@PESIGN_REPACKAGE_COMPRESS@:$pesign_repackage_compress:g
/@CERT@/ {
r $cert
diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
index eebc609..f473fa1 100644
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@@ -126,7 +126,7 @@ sigs=($(find -type f -name '*.sig' -printf '%%P\n'))
for sig in "${sigs[@]}"; do
f=%buildroot/${sig%.sig}
case "/$sig" in
- *.ko.sig)
+ *.ko.sig|*.mod.sig)
/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256
"$cert" "$f"
;;
/boot/* | *.efi.sig | */lib/modules/*/vmlinu[xz].sig |
*/lib/modules/*/[Ii]mage.sig | */lib/modules/*/z[Ii]mage.sig)
@@ -157,6 +157,26 @@ for sig in "${sigs[@]}"; do
*stage3.bin.sig)
/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256
"$cert" "$f"
;;
+ *grub.elf.sig)
+ sig_size="$(wc -c < "$sig")"
+ unsigned_grub_size="$(wc -c < "$f")"
+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256
"$cert" "$f" "$f".appendtest
+ signed_grub_size="$(wc -c < "$f".appendtest)"
+ rm "$f".appendtest
+ footer_size="$(expr "$signed_grub_size" - "$unsigned_grub_size"
- "$sig_size")"
+ if ! [ $(expr "$sig_size" + "$footer_size") -le
"@PESIGN_GRUB_RESERVATION@" ] ; then
+ echo "size of '$sig' ($sig_size) cannot fit into
reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
+ exit 1
+ fi
+ sig_size="$(expr "@PESIGN_GRUB_RESERVATION@" - "$footer_size")"
+ truncate -s $sig_size "$sig"
+ /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256
"$cert" "$f"
+ grub_size="$(wc -c < "$f")"
+ if ! [ "$(expr "$unsigned_grub_size" +
"@PESIGN_GRUB_RESERVATION@")" -eq "$grub_size" ] ; then
+ echo "The size of unsigned grub ($unsigned_grub_size) +
reservation (@PESIGN_GRUB_RESERVATION@) does not add up to signed grub size
($grub_size)"
+ exit 1
+ fi
+ ;;
*)
echo "Warning: unhandled signature: $sig" >&2
esac
--
2.34.1
++++++ 0002-kernel-sign-file-Move-x509-parsing-into-a-function.patch ++++++
>From 85f8f72c2f055ca2fa48ec1e7ad7911e8e3744ad Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msucha...@suse.de>
Date: Tue, 4 Jan 2022 12:49:54 +0100
Subject: [PATCH 2/4] kernel-sign-file: Move x509 parsing into a function.
This should not introduce any functionality change but next patch will
make the parsing optional.
Signed-off-by: Michal Suchanek <msucha...@suse.de>
---
kernel-sign-file | 201 +++++++++++++++++++++++++----------------------
1 file changed, 106 insertions(+), 95 deletions(-)
diff --git a/kernel-sign-file b/kernel-sign-file
index ce76a40..2e5b7aa 100755
--- a/kernel-sign-file
+++ b/kernel-sign-file
@@ -226,113 +226,119 @@ sub asn1_pack($@)
# Roughly parse the X.509 certificate
#
###############################################################################
-my $cursor = [ 0, length($x509_certificate), \$x509_certificate ];
-
-my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE);
-my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE);
-my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1);
-my $serial_number = asn1_extract($tbs->[1], $UNIV | $INTEGER);
-my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $issuer = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
-my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1);
-my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1);
-my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1);
-
-my $subject_key_id = ();
-my $authority_key_id = ();
-
-#
-# Parse the extension list
-#
-if ($extension_list->[0] != -1) {
- my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS |
$SEQUENCE);
-
- while ($extensions->[1]->[1] > 0) {
- my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE);
- my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID);
- my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1);
- my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING);
+sub parse_certificate($)
+{
+ my ($x509_certificate) = @_;
+ my $cursor = [ 0, length($x509_certificate), \$x509_certificate ];
+ my %result;
+
+ my $cert = asn1_extract($cursor, $UNIV | $CONS | $SEQUENCE);
+ my $tbs = asn1_extract($cert->[1], $UNIV | $CONS | $SEQUENCE);
+ my $version = asn1_extract($tbs->[1], $CONT | $CONS | 0, 1);
+ $result{serial_number} = asn1_extract($tbs->[1], $UNIV | $INTEGER);
+ my $sig_type = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+ $result{issuer} = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+ my $validity = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+ my $subject = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+ my $key = asn1_extract($tbs->[1], $UNIV | $CONS | $SEQUENCE);
+ my $issuer_uid = asn1_extract($tbs->[1], $CONT | $CONS | 1, 1);
+ my $subject_uid = asn1_extract($tbs->[1], $CONT | $CONS | 2, 1);
+ my $extension_list = asn1_extract($tbs->[1], $CONT | $CONS | 3, 1);
+
+ $result{subject_key_id} = ();
+ my $authority_key_id = ();
+
+ #
+ # Parse the extension list
+ #
+ if ($extension_list->[0] != -1) {
+ my $extensions = asn1_extract($extension_list->[1], $UNIV | $CONS |
$SEQUENCE);
+
+ while ($extensions->[1]->[1] > 0) {
+ my $ext = asn1_extract($extensions->[1], $UNIV | $CONS | $SEQUENCE);
+ my $x_oid = asn1_extract($ext->[1], $UNIV | $OBJ_ID);
+ my $x_crit = asn1_extract($ext->[1], $UNIV | $BOOLEAN, 1);
+ my $x_val = asn1_extract($ext->[1], $UNIV | $OCTET_STRING);
+
+ my $raw_oid = asn1_retrieve($x_oid->[1]);
+ next if (!exists($OIDs{$raw_oid}));
+ my $x_type = $OIDs{$raw_oid};
+
+ my $raw_value = asn1_retrieve($x_val->[1]);
+
+ if ($x_type eq "subjectKeyIdentifier") {
+ my $vcursor = [ 0, length($raw_value), \$raw_value ];
+
+ $result{subject_key_id} = asn1_extract($vcursor, $UNIV |
$OCTET_STRING);
+ }
+ }
+ }
- my $raw_oid = asn1_retrieve($x_oid->[1]);
+
###############################################################################
+ #
+ # Determine what we're going to use as the signer's name. In order of
+ # preference, take one of: commonName, organizationName or emailAddress.
+ #
+
###############################################################################
+ my $org = "";
+ my $cn = "";
+ my $email = "";
+
+ while ($subject->[1]->[1] > 0) {
+ my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET);
+ my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE);
+ my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID);
+ my $n_val = asn1_extract($attr->[1], -1);
+
+ my $raw_oid = asn1_retrieve($n_oid->[1]);
next if (!exists($OIDs{$raw_oid}));
- my $x_type = $OIDs{$raw_oid};
-
- my $raw_value = asn1_retrieve($x_val->[1]);
+ my $n_type = $OIDs{$raw_oid};
- if ($x_type eq "subjectKeyIdentifier") {
- my $vcursor = [ 0, length($raw_value), \$raw_value ];
+ my $raw_value = asn1_retrieve($n_val->[1]);
- $subject_key_id = asn1_extract($vcursor, $UNIV | $OCTET_STRING);
+ if ($n_type eq "organizationName") {
+ $org = $raw_value;
+ } elsif ($n_type eq "commonName") {
+ $cn = $raw_value;
+ } elsif ($n_type eq "emailAddress") {
+ $email = $raw_value;
}
}
-}
-###############################################################################
-#
-# Determine what we're going to use as the signer's name. In order of
-# preference, take one of: commonName, organizationName or emailAddress.
-#
-###############################################################################
-my $org = "";
-my $cn = "";
-my $email = "";
-
-while ($subject->[1]->[1] > 0) {
- my $rdn = asn1_extract($subject->[1], $UNIV | $CONS | $SET);
- my $attr = asn1_extract($rdn->[1], $UNIV | $CONS | $SEQUENCE);
- my $n_oid = asn1_extract($attr->[1], $UNIV | $OBJ_ID);
- my $n_val = asn1_extract($attr->[1], -1);
-
- my $raw_oid = asn1_retrieve($n_oid->[1]);
- next if (!exists($OIDs{$raw_oid}));
- my $n_type = $OIDs{$raw_oid};
-
- my $raw_value = asn1_retrieve($n_val->[1]);
-
- if ($n_type eq "organizationName") {
- $org = $raw_value;
- } elsif ($n_type eq "commonName") {
- $cn = $raw_value;
- } elsif ($n_type eq "emailAddress") {
- $email = $raw_value;
- }
-}
+ $result{signers_name} = $email;
-my $signers_name = $email;
+ if ($org && $cn) {
+ # Don't use the organizationName if the commonName repeats it
+ if (length($org) <= length($cn) &&
+ substr($cn, 0, length($org)) eq $org) {
+ $result{signers_name} = $cn;
+ goto got_id_name;
+ }
-if ($org && $cn) {
- # Don't use the organizationName if the commonName repeats it
- if (length($org) <= length($cn) &&
- substr($cn, 0, length($org)) eq $org) {
- $signers_name = $cn;
- goto got_id_name;
- }
+ # Or a signifcant chunk of it
+ if (length($org) >= 7 &&
+ length($cn) >= 7 &&
+ substr($cn, 0, 7) eq substr($org, 0, 7)) {
+ $result{signers_name} = $cn;
+ goto got_id_name;
+ }
- # Or a signifcant chunk of it
- if (length($org) >= 7 &&
- length($cn) >= 7 &&
- substr($cn, 0, 7) eq substr($org, 0, 7)) {
- $signers_name = $cn;
- goto got_id_name;
+ $result{signers_name} = $org . ": " . $cn;
+ } elsif ($org) {
+ $result{signers_name} = $org;
+ } elsif ($cn) {
+ $result{signers_name} = $cn;
}
- $signers_name = $org . ": " . $cn;
-} elsif ($org) {
- $signers_name = $org;
-} elsif ($cn) {
- $signers_name = $cn;
-}
+ got_id_name:
-got_id_name:
+ die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier
extension\n"
+ if (!$result{subject_key_id});
-die $x509, ": ", "X.509: Couldn't find the Subject Key Identifier extension\n"
- if (!$subject_key_id);
-
-my $key_identifier = asn1_retrieve($subject_key_id->[1]);
+ $result{key_identifier} = asn1_retrieve($result{subject_key_id}->[1]);
+ return %result;
+}
###############################################################################
#
# Create and attach the module signature
@@ -430,8 +436,13 @@ if ($signature_file) {
"openssl rsautl -sign -inkey $private_key -keyform PEM");
}
+my %certdata = parse_certificate($x509_certificate);
+my $signers_name;
+my $key_identifier;
if ($id_type == 1) {
$signature = pack("n", length($signature)) . $signature,
+ $signers_name = $certdata{signers_name};
+ $key_identifier = $certdata{key_identifier};
} elsif ($id_type == 2) {
# create PKCS7 signature
$signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
@@ -439,10 +450,10 @@ if ($id_type == 1) {
my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo);
my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET,
$digest_algo_seq);
my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 :
1));
- my $si_issuer = asn1_pack($issuer->[0], asn1_retrieve($issuer->[1]));
- my $si_serial = asn1_pack($serial_number->[0],
asn1_retrieve($serial_number->[1]));
+ my $si_issuer = asn1_pack($certdata{issuer}->[0],
asn1_retrieve($certdata{issuer}->[1]));
+ my $si_serial = asn1_pack($certdata{serial_number}->[0],
asn1_retrieve($certdata{serial_number}->[1]));
my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer,
$si_serial);
- my $si_keyid = asn1_pack($CONT | 0, asn1_retrieve($subject_key_id->[1]));
+ my $si_keyid = asn1_pack($CONT | 0,
asn1_retrieve($certdata{subject_key_id}->[1]));
my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134,
72, 134, 247, 13, 1, 1, 1));
my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption,
asn1_pack($UNIV | $NULL));
my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
--
2.34.1
++++++ 0003-kernel-sign-file-Support-appending-verbatim-PKCS-7-s.patch ++++++
>From 68baaf0ca940712d4cfbe5d7c55bc8407efc19ce Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msucha...@suse.de>
Date: Tue, 4 Jan 2022 12:29:21 +0100
Subject: [PATCH 3/4] kernel-sign-file: Support appending verbatim PKCS#7
signature.
When existing signature is specified upstream appends it verbatim as
PKCS#7 but kernel-ding-file assumes it's raw RSA signature and wraps
PKCS#7 around it beforee appending.
Because the certificate is not required for just dumping the whole
signature after the data but is required to create the PKCS#7 wrapper we
can support both. When a certificate is specified create a wrapper, when
not just copy the signature without touching it.
Signed-off-by: Michal Suchanek <msucha...@suse.de>
---
kernel-sign-file | 60 +++++++++++++++++++++++++++++-------------------
1 file changed, 37 insertions(+), 23 deletions(-)
diff --git a/kernel-sign-file b/kernel-sign-file
index 2e5b7aa..9cacefb 100755
--- a/kernel-sign-file
+++ b/kernel-sign-file
@@ -42,7 +42,6 @@ if (@ARGV) {
die "Can't read private key\n" if (!$signature_file && !-r $private_key);
die "Can't read signature file\n" if ($signature_file && !-r $signature_file);
-die "Can't read X.509 certificate\n" unless (-r $x509);
die "Can't read module\n" unless (-r $module);
#
@@ -99,7 +98,6 @@ sub openssl_pipe($$) {
# we're intending to use to sign the module.
#
###############################################################################
-my $x509_certificate = read_file($x509);
my $UNIV = 0 << 6;
my $APPL = 1 << 6;
@@ -436,35 +434,51 @@ if ($signature_file) {
"openssl rsautl -sign -inkey $private_key -keyform PEM");
}
-my %certdata = parse_certificate($x509_certificate);
+my %certdata;
my $signers_name;
my $key_identifier;
+my $x509_certificate;
if ($id_type == 1) {
+ die "Can't read X.509 certificate\n" unless (-r $x509);
+ $x509_certificate = read_file($x509);
+ %certdata = parse_certificate($x509_certificate);
$signature = pack("n", length($signature)) . $signature,
$signers_name = $certdata{signers_name};
$key_identifier = $certdata{key_identifier};
} elsif ($id_type == 2) {
# create PKCS7 signature
- $signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
- my $digest_algo = substr($prologue, 4, 2 + unpack('C', substr($prologue,
5, 1)));
- my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $digest_algo);
- my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET,
$digest_algo_seq);
- my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 :
1));
- my $si_issuer = asn1_pack($certdata{issuer}->[0],
asn1_retrieve($certdata{issuer}->[1]));
- my $si_serial = asn1_pack($certdata{serial_number}->[0],
asn1_retrieve($certdata{serial_number}->[1]));
- my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer,
$si_serial);
- my $si_keyid = asn1_pack($CONT | 0,
asn1_retrieve($certdata{subject_key_id}->[1]));
- my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134,
72, 134, 247, 13, 1, 1, 1));
- my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $rsa_encryption,
asn1_pack($UNIV | $NULL));
- my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
- my $si = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_verstion,
$signer_identifier, $digest_algo_seq, $encryption_seq, $signature);
- my $si_set = asn1_pack($UNIV | $CONS | $SET, $si);
- my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3 :
1));
- my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134, 72,
134, 247, 13, 1, 7, 1));
- my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data);
- my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version,
$digest_algo_seq_set, $pkcs7_data_seq, $si_set);
- my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42,
134, 72, 134, 247, 13, 1, 7, 2));
- $signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data,
asn1_pack($CONT | $CONS | 0, $sid));
+ if ($x509) {
+ die "Can't read X.509 certificate\n" unless (-r $x509);
+ $x509_certificate = read_file($x509);
+ } else {
+ print "No certificate specified, assuming pre-built PKCS#7
signature.\n" if ($verbose);
+ $x509_certificate = '';
+ }
+ if ($x509_certificate) {
+ %certdata = parse_certificate($x509_certificate);
+ $signature = asn1_pack($UNIV | $OCTET_STRING, $signature);
+ my $digest_algo = substr($prologue, 4, 2 + unpack('C',
substr($prologue, 5, 1)));
+ my $digest_algo_seq = asn1_pack($UNIV | $CONS | $SEQUENCE,
$digest_algo);
+ my $digest_algo_seq_set = asn1_pack($UNIV | $CONS | $SET,
$digest_algo_seq);
+ my $si_verstion = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3
: 1));
+ my $si_issuer = asn1_pack($certdata{issuer}->[0],
asn1_retrieve($certdata{issuer}->[1]));
+ my $si_serial = asn1_pack($certdata{serial_number}->[0],
asn1_retrieve($certdata{serial_number}->[1]));
+ my $si_issuer_serial = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_issuer,
$si_serial);
+ my $si_keyid = asn1_pack($CONT | 0,
asn1_retrieve($certdata{subject_key_id}->[1]));
+ my $rsa_encryption = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42,
134, 72, 134, 247, 13, 1, 1, 1));
+ my $encryption_seq = asn1_pack($UNIV | $CONS | $SEQUENCE,
$rsa_encryption, asn1_pack($UNIV | $NULL));
+ my $signer_identifier = $use_keyid ? $si_keyid : $si_issuer_serial;
+ my $si = asn1_pack($UNIV | $CONS | $SEQUENCE, $si_verstion,
$signer_identifier, $digest_algo_seq, $encryption_seq, $signature);
+ my $si_set = asn1_pack($UNIV | $CONS | $SET, $si);
+ my $sid_version = asn1_pack($UNIV | $INTEGER, pack('C', $use_keyid ? 3
: 1));
+ my $pkcs7_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC", 42, 134,
72, 134, 247, 13, 1, 7, 1));
+ my $pkcs7_data_seq = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_data);
+ my $sid = asn1_pack($UNIV | $CONS | $SEQUENCE, $sid_version,
$digest_algo_seq_set, $pkcs7_data_seq, $si_set);
+ my $pkcs7_signed_data = asn1_pack($UNIV | $OBJ_ID, pack("CCCCCCCCC",
42, 134, 72, 134, 247, 13, 1, 7, 2));
+ $signature = asn1_pack($UNIV | $CONS | $SEQUENCE, $pkcs7_signed_data,
asn1_pack($CONT | $CONS | 0, $sid));
+ } else {
+ print "Certificate is empty, assuming pre-built PKCS#7 signature.\n" if
($verbose);
+ }
# zero out unneeded entries
$signers_name = '';
$key_identifier = '';
--
2.34.1
++++++ 0004-Add-padding-to-grub-signature-correctly-jsc-SLE-1827.patch ++++++
>From 5b255595f4101b136db55538a59ef5b1fc3439e5 Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msucha...@suse.de>
Date: Tue, 4 Jan 2022 12:20:36 +0100
Subject: [PATCH 4/4] Add padding to grub signature correctly (jsc#SLE-18271
bsc#1192764).
Upstream sign-file supports including whole PKCS#7 signature verbatim
while kernel-sign-file supports building PKCS#7 around raw RSA signature
as provided by OBS. Now kernel-sign-file also supports what upstream
does so make use of it. First wrap PKCS#7 around the RSA signature, then
pad, then append.
Fixes: 13efe22 ("Support ppc grub signing (jsc#SLE-18271 bsc#1192764).")
---
pesign-repackage.spec.in | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
index f473fa1..8c07fc4 100644
--- a/pesign-repackage.spec.in
+++ b/pesign-repackage.spec.in
@@ -160,17 +160,18 @@ for sig in "${sigs[@]}"; do
*grub.elf.sig)
sig_size="$(wc -c < "$sig")"
unsigned_grub_size="$(wc -c < "$f")"
- /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256
"$cert" "$f" "$f".appendtest
- signed_grub_size="$(wc -c < "$f".appendtest)"
- rm "$f".appendtest
- footer_size="$(expr "$signed_grub_size" - "$unsigned_grub_size"
- "$sig_size")"
+ /usr/lib/rpm/pesign/kernel-sign-file -vpd -i pkcs7 -s "$sig"
sha256 "$cert" "$f"
+ sig_size="$(wc -c < "$f.p7s")"
+ footer_size=40
+ grub_size="$(wc -c < "$f")"
if ! [ $(expr "$sig_size" + "$footer_size") -le
"@PESIGN_GRUB_RESERVATION@" ] ; then
- echo "size of '$sig' ($sig_size) cannot fit into
reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
+ echo "size of '$f.p7s' ($sig_size) cannot fit into
reservation @PESIGN_GRUB_RESERVATION@ (-$footer_size)"
exit 1
fi
sig_size="$(expr "@PESIGN_GRUB_RESERVATION@" - "$footer_size")"
- truncate -s $sig_size "$sig"
- /usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256
"$cert" "$f"
+ truncate -s $sig_size "$f.p7s"
+ /usr/lib/rpm/pesign/kernel-sign-file -v -i pkcs7 -s "$f.p7s"
sha256 "" "$f"
+ rm "$f.p7s"
grub_size="$(wc -c < "$f")"
if ! [ "$(expr "$unsigned_grub_size" +
"@PESIGN_GRUB_RESERVATION@")" -eq "$grub_size" ] ; then
echo "The size of unsigned grub ($unsigned_grub_size) +
reservation (@PESIGN_GRUB_RESERVATION@) does not add up to signed grub size
($grub_size)"
--
2.34.1
