Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold... | linux-wireless

[PATCH 00/20] MODSIGN: Use PKCS#7 for module signatures [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 01/20] X.509: Extract both parts of the AuthorityKeyIdentifier [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 02/20] X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 03/20] PKCS#7: Allow detached data to be supplied for signature checking purposes [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 04/20] MODSIGN: Provide a utility to append a PKCS#7 signature to a module [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 06/20] sign-file: Add option to only create signature file [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 07/20] system_keyring.c doesn't need to #include module-internal.h [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 08/20] MODSIGN: Extract the blob PKCS#7 signature verifier from module signing [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 09/20] modsign: Abort modules_install when signing fails [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 10/20] modsign: Allow password to be specified for signing key [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 11/20] modsign: Allow signing key to be PKCS#11 [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 12/20] modsign: Allow external signing key to be specified [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 13/20] modsign: Extract signing cert from CONFIG_MODULE_SIG_KEY if needed [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 15/20] modsign: Add explicit CONFIG_SYSTEM_TRUSTED_KEYS option [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 17/20] X.509: Restrict the usage of a key based on information in X.509 certificate [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 19/20] KEYS: Restrict signature verification to keys appropriate to the purpose [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 20/20] sign-file: use .p7s instead of .pkcs7 file extension [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 18/20] X.509: Parse the keyUsage extension to detect key-signing keys [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5] · Andy Lutomirski <luto@kernel.org> · 2015-05-29
Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-29
Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5] · Andy Lutomirski <luto@amacapital.net> · 2015-05-29
Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5] · David Howells <dhowells@redhat.com> · 2015-06-01
Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5] · Andy Lutomirski <luto@amacapital.net> · 2015-06-01
[PATCH 14/20] modsign: Use single PEM file for autogenerated key [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
[PATCH 05/20] MODSIGN: Use PKCS#7 messages as module signatures [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28
Re: [PATCH 00/20] MODSIGN: Use PKCS#7 for module signatures [ver #5] · David Woodhouse <dwmw2@infradead.org> · 2015-05-28
Re: [PATCH 00/20] MODSIGN: Use PKCS#7 for module signatures [ver #5] · David Howells <dhowells@redhat.com> · 2015-05-28

Re: [PATCH 16/20] PKCS#7: Add an optional authenticated attribute to hold firmware name [ver #5]

From: Andy Lutomirski <luto@amacapital.net>
Date: 2015-06-01 17:07:19
Also in: lkml

On Mon, Jun 1, 2015 at 8:50 AM, David Howells [off-list ref] wrote:

Andy Lutomirski [off-list ref] wrote:

quoted

You can also fudge the signature (or a hash) by adding extra data to or
modifying the data blob and by switching signature values between signature
blobs.

So there's another design error in PKCS#7?  Great!

No.  This applies to *all* signatures where you're signing a hash.

What kind of fudging are you talking about here?  I don't see what
not-intentionally-signed message can be generically fudged to look
like it's signed.

--Andy

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help