Red Hat Bugzilla – Bug 869665
shim: Fedora Secure Boot CA certificate issues
Last modified: 2013-10-24 22:24:38 EDT
The certificate is a bit odd:
Version: 3 (0x2)
Serial Number: 2574709492 (0x9976f2f4)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Fedora Secure Boot CA
Not Before: Oct 10 17:14:58 2012 GMT
Not After : Jan 10 17:14:58 2013 GMT
Subject: CN=Fedora Secure Boot CA
Subject Public Key Info:
Netscape Cert Type:
Object Signing CA
X509v3 Key Usage:
Certificate Sign, CRL Sign
It's too short-lived, Basic Constraints are not set, and the (mostly meaningless) self-signature should use SHA-256 (because that's the hash algorithm mandated throughout the UEFI specification).
I've attached the wrong file here. Sorry. Will update shortly with the correct one.
Created attachment 635698 [details]
Actual updated certificate.
It should be noted, though, that nothing in secure boot seems to care about any of: Basic Constraints, Auth Key Id, Subject Key Id, or Validity dates. To a certain degree this seems to be correct - those fields aren't necessary for validation of a signature, and the system clock is something that can be set by an attacker.
SHA-256 is clearly what we need to have there, as there's no (current) guarantee that anything else will be implemented in system firmware.