sbvarsign: do not include PKCS#7 attributes

The UEFI spec (8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2
descriptor) includes the following information about constructing
the PKCS#7 message for the authentication descriptor under
point 4(g):

    SignedData.signerInfos shall be constructed as:
    ...
    - SignerInfo.authenticatedAttributes shall not be present.

sbvarsign does not currently honour this, and generates a PKCS#7
message containing authenticated attributes. This is a snippet from
OpenSSL's printout of a message I reconstructed from an auth file:

    signedAttrs:
        object: contentType (1.2.840.113549.1.9.3)
        set:
          OBJECT:pkcs7-data (1.2.840.113549.1.7.1)
        object: signingTime (1.2.840.113549.1.9.5)
        set:
          UTCTIME:Mar 2 11:20:21 2021 GMT
        object: messageDigest (1.2.840.113549.1.9.4)
        set:
          OCTET STRING:
            0000 - 99 58 87 86 82 82 b6 4b-c4 6a e4 e5 6b   .X.....K.j..k
            000d - 51 39 ac c3 b8 21 24 30-0c 28 e6 e3 aa   Q9...!$0.(...
            001a - 5c 33 c1 80 3f d1                        \3..?.

Tell OpenSSL to stop adding attributes.

This also brings sbvarsign into line with sign-efi-sig-list.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
1 file changed
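
An added example (not part of this commit or of sbsigntools): a Python check that pulls the PKCS#7 blob out of an EFI_VARIABLE_AUTHENTICATION_2 auth file and reports, per SignerInfo, whether authenticatedAttributes is present. All function names are hypothetical, it assumes definite-length DER and accepts either a ContentInfo-wrapped or a bare SignedData, and the sample auth file is a constructed skeleton with placeholder values and no real signature.

```python
def tlvs(buf):
    """Yield (tag, value) for each definite-length DER TLV in buf."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                      # long form: low 7 bits = length-of-length
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        if i + n > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[i:i + n]
        i += n

def pkcs7_from_auth(auth):
    """Strip EFI_TIME (16 bytes) and the 24-byte WIN_CERTIFICATE_UEFI_GUID header."""
    dw_length = int.from_bytes(auth[16:20], "little")   # covers header + CertData
    return auth[40:16 + dw_length]

def signers_have_attrs(p7):
    """One bool per SignerInfo: True if authenticatedAttributes ([0]) is present."""
    (_, body), = tlvs(p7)
    fields = list(tlvs(body))
    if fields[0][0] == 0x06:              # ContentInfo wrapper: OID, [0] SignedData
        (_, body), = tlvs(fields[1][1])
        fields = list(tlvs(body))
    tag, signer_infos = fields[-1]        # signerInfos is SignedData's last field
    if tag != 0x31:
        raise ValueError("signerInfos SET not found")
    return [any(t == 0xA0 for t, _ in tlvs(si)) for _, si in tlvs(signer_infos)]

# --- constructed sample: skeleton SignedData, placeholder values, no real signature ---
def der(tag, *parts):
    body = b"".join(parts)
    n = len(body)
    k = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def sample_auth(with_attrs):
    oid = lambda h: der(0x06, bytes.fromhex(h))
    data, alg = oid("2a864886f70d010701"), der(0x30, oid("608648016503040201"))
    attrs = der(0xA0, der(0x30, oid("2a864886f70d010903"), der(0x31, data))) if with_attrs else b""
    signer = der(0x30, der(0x02, b"\x01"), der(0x30, der(0x30), der(0x02, b"\x01")),
                 alg, attrs, alg, der(0x04, bytes(32)))
    signed = der(0x30, der(0x02, b"\x01"), der(0x31, alg), der(0x30, data), der(0x31, signer))
    p7 = der(0x30, oid("2a864886f70d010702"), der(0xA0, signed))
    cert_hdr = (24 + len(p7)).to_bytes(4, "little") + b"\x00\x02\xf1\x0e" + bytes(16)
    return bytes(16) + cert_hdr + p7
```

A result of `[True]` for an auth file corresponds to the `signedAttrs:` block shown in the OpenSSL printout above; `[False]` is what the quoted spec text requires.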