Bug 2232118

Summary: IMA signature verification keys missing Subject Key Identifier
Product: Fedora
Component: fedora-repos
Version: 39
Status: NEW
Severity: medium
Priority: unspecified
Hardware: Unspecified
OS: Linux
Reporter: Stefan Berger <stefanb>
Assignee: Mohan Boddu <mboddu>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: coxu, fedoraproject, kevin, ksrot, mboddu, pbrobinson, thrcka
Target Milestone: ---
Target Release: ---

Description Stefan Berger 2023-08-15 12:32:01 UTC
The IMA signature verification keys from the fedora-gpg-keys-39-0.5.noarch package are missing the Subject Key Identifier that is necessary to be able to load them onto the .IMA keyring.

$ openssl x509 -inform der -in /etc/keys/ima/fedora-39-ima.der -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 42 (0x2a)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: CN = Fedora 39 IMA CA
        Validity
            Not Before: Feb 18 18:04:16 2023 GMT
            Not After : Feb 18 18:04:16 2053 GMT
        Subject: CN = Fedora 39 IMA Key
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:f5:41:95:b8:67:f0:bc:fd:3c:b0:f4:2e:aa:72:
                    49:af:63:83:16:53:74:89:a9:db:16:f2:31:eb:3e:
                    2f:dd:4c:9e:d5:85:2a:3e:61:47:ce:87:7b:d9:0d:
                    f3:b2:a9:84:fb:ac:a3:a5:9d:44:f0:cb:7f:8a:2e:
                    6a:b4:9a:35:d1
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                A7:14:3E:CB:64:D0:C4:CA:F3:9D:0C:7D:C4:38:45:46:D8:53:FF:52
            Netscape Comment:
                IMA signature verification key
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:65:02:31:00:b2:40:cf:6e:21:9b:82:ee:3f:d7:85:78:0c:
        82:18:a8:d6:76:aa:c1:20:08:76:11:ce:e4:52:99:00:2e:ab:
        df:64:76:61:3f:fa:a1:86:a0:31:28:43:8e:ea:fe:ba:66:02:
        30:60:e6:cb:75:69:97:4c:63:76:24:64:4b:63:a2:b0:71:4a:
        29:ad:70:04:09:36:06:5f:d1:e3:1a:ab:f6:ff:bc:6b:b7:b8:
        42:4b:0a:a3:a4:8a:f6:f5:75:ce:8b:69:af


The Subject Key Identifier's last 4 digits will have to be 0x388b603e so that the key can be used to verify the signature of 'bash':

$ getfattr -m ^security.ima -e hex --dump /usr/bin/bash
getfattr: Removing leading '/' from absolute path names
# file: usr/bin/bash
security.ima=0x030204388b603e0048304602210090a328b99a8e65cbea51660b5824a548955ddc491aa68982e4389f30960d1a9b022100e9a034b9203793b66e205a76c92c2aa137b9819fb7763f6fe1fbcb72352e9f8f


The 4th-7th digits of security.ima are '0x388b603e'.

Once the key has the Subject Key Identifier, the following should then work if the key's CA has been built into the Linux kernel:

[root@fedora ~]# keyctl padd asymmetric "" %keyring:.ima < /etc/keys/ima/fedora-39-ima.der
add_key: Required key not available


Reproducible: Always

Steps to Reproduce:
1. openssl x509 -inform der -in /etc/keys/ima/fedora-39-ima.der -text

Actual Results:
No Subject Key Identifier displayed

Expected Results:
Subject Key Identifier should be there
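The relationship the report relies on (the key id in bytes 4-7 of security.ima has to equal the last four bytes of the certificate's Subject Key Identifier) as an added example, not code from the reporter, Fedora, the kernel or ima-evm-utils. It parses the security.ima value and the public key point quoted above, decodes the DER ECDSA signature, and derives an RFC 5280 method-1 identifier (SHA-1 over the subjectPublicKey bits) for the shipped key. The signature_v2_hdr layout and the method-1 derivation are assumptions of the example; the report does not say how 0x388b603e was produced, so the final comparison only reports whether the method-1 identifier of the shipped key happens to end in it.

```python
"""Check an IMA file signature against a signing key's identifier.

Added example for the report above; not Fedora, kernel or ima-evm-utils
code.  Assumptions: security.ima follows the Linux signature_v2_hdr layout
(type, version, hash algo, 4-byte big-endian key id, 2-byte big-endian
signature length, DER ECDSA signature) and the key id is the last four
bytes of the certificate's Subject Key Identifier, as the report states.
"""
import hashlib
import struct
from dataclasses import dataclass

# security.ima of /usr/bin/bash as dumped in the report (hex after "0x").
BASH_SECURITY_IMA = bytes.fromhex(
    "030204388b603e0048"
    "304602210090a328b99a8e65cbea51660b5824a548955ddc491aa68982e4389f30960d1a9b"
    "022100e9a034b9203793b66e205a76c92c2aa137b9819fb7763f6fe1fbcb72352e9f8f"
)

# Uncompressed P-256 point from the openssl dump of fedora-39-ima.der.
FEDORA_39_IMA_PUBKEY = bytes.fromhex(
    "04f54195b867f0bcfd3cb0f42eaa72" "49af638316537489a9db16f231eb3e"
    "2fdd4c9ed5852a3e6147ce877bd90d" "f3b2a984fbaca3a59d44f0cb7f8a2e"
    "6ab49a35d1"
)

EVM_IMA_XATTR_DIGSIG = 0x03          # xattr type: asymmetric signature
HASH_ALGO_NAMES = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}
HDR = struct.Struct("!BBBIH")        # type, version, hash_algo, keyid, sig_size


@dataclass
class ImaDigsig:
    type: int
    version: int
    hash_algo: int
    keyid: int      # the kernel looks the verification key up by this value
    sig: bytes      # DER-encoded ECDSA signature


def parse_security_ima(raw: bytes) -> ImaDigsig:
    """Split a security.ima value into its header fields and signature."""
    if len(raw) < HDR.size:
        raise ValueError("xattr shorter than signature_v2_hdr")
    xtype, version, hash_algo, keyid, sig_size = HDR.unpack_from(raw)
    if xtype != EVM_IMA_XATTR_DIGSIG or version != 2:
        raise ValueError(f"unsupported xattr type {xtype:#x}/version {version}")
    sig = raw[HDR.size:]
    if len(sig) != sig_size:
        raise ValueError(f"sig_size {sig_size} but {len(sig)} signature bytes")
    return ImaDigsig(xtype, version, hash_algo, keyid, sig)


def build_security_ima(keyid: int, sig: bytes, hash_algo: int = 4) -> bytes:
    """Inverse of parse_security_ima (handy for constructing test vectors)."""
    return HDR.pack(EVM_IMA_XATTR_DIGSIG, 2, hash_algo, keyid, len(sig)) + sig


def parse_ecdsa_der_sig(sig: bytes) -> tuple[int, int]:
    """Decode SEQUENCE { INTEGER r, INTEGER s }; short-form lengths only."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the expected length")
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        n = sig[pos + 1]
        ints.append(int.from_bytes(sig[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return ints[0], ints[1]


def rfc5280_ski(subject_public_key: bytes) -> bytes:
    """RFC 5280 section 4.2.1.2 method 1: SHA-1 over the subjectPublicKey bits."""
    return hashlib.sha1(subject_public_key).digest()


def keyid_from_ski(ski: bytes) -> int:
    """The 32-bit id carried in security.ima is the low four bytes of the SKI."""
    return int.from_bytes(ski[-4:], "big")


def ski_matches_xattr(ski: bytes, raw: bytes) -> bool:
    """Would a key with this SKI be the one this xattr's signature names?"""
    return keyid_from_ski(ski) == parse_security_ima(raw).keyid


if __name__ == "__main__":
    d = parse_security_ima(BASH_SECURITY_IMA)
    r, s = parse_ecdsa_der_sig(d.sig)
    print(f"keyid wanted by bash: {d.keyid:#010x} "
          f"({HASH_ALGO_NAMES.get(d.hash_algo, '?')}, "
          f"r/s {r.bit_length()}/{s.bit_length()} bits)")
    ski = rfc5280_ski(FEDORA_39_IMA_PUBKEY)
    print(f"method-1 SKI of the shipped key: {ski.hex()}")
    print("matches" if ski_matches_xattr(ski, BASH_SECURITY_IMA) else "does not match")
```

To check a certificate that does carry the extension, feed the value shown by `openssl x509 -noout -ext subjectKeyIdentifier -in <cert>` to `ski_matches_xattr` instead of the computed digest; a mismatch there means the file was signed by a different key than the one being loaded, which is a separate failure from the missing-extension one in the report.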