[bug #38620] Unable to verify a signature using Verify module in grub
From: Wei Hu
Subject: [bug #38620] Unable to verify a signature using Verify module in grub
Date: Thu, 28 Mar 2013 23:30:52 +0000
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
URL:
<http://savannah.gnu.org/bugs/?38620>
Summary: Unable to verify a signature using Verify module in grub
Project: GNU GRUB
Submitted by: whu
Submitted on: Thu 28 Mar 2013 11:30:52 PM GMT
Category: Security
Severity: Major
Priority: 5 - Normal
Item Group: Software Error
Status: None
Privacy: Public
Assigned to: None
Originator Name: wei hu
Originator Email: address@hidden
Open/Closed: Open
Discussion Lock: Any
Release: 1.97
Reproducibility: Every Time
Planned Release: None
_______________________________________________________
Details:
I am trying to use the grub verify module to verify a detached signature I
signed using gpg on Linux. I did two different signings. Both of them failed,
but at different places in grub_verify_signature(). I am wondering if I did
something wrong or the module has some bugs in it. Let me detail my procedure
here. The text file, signature file and my public key are all attached.
Signing Approach 1
-----------------------
On my Ubuntu system, say I want to detach-sign myfile.txt:
> gpg --detach-sign myfile.txt
It creates the signature file myfile.txt.sig. I noticed it uses the ripemd160 hash
algorithm. Then I export my public key as
> gpg --output my.pubkey --export 'address@hidden'
The my.pubkey file contains my public key. Then I create a grub rescue cd
image with all three files myfile.txt, myfile.txt.sig and my.pubkey.
> grub-mkrescue -o image.iso ./myfile.txt ./myfile.txt.sig ./my.pubkey
After this, I booted the image and at the grub prompt I did
grub > verify_detached /myfile.txt /myfile.txt.sig /my.pubkey
It returns bad signature in grub_verify_signature() after the following lines:
...
  hash->final (context);
  grub_dprintf ("crypt", "alive\n");
  hval = hash->read (context);
  if (grub_file_read (sig, hash_start, sizeof (hash_start)) != sizeof (hash_start))
    return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
  if (grub_memcmp (hval, hash_start, sizeof (hash_start)) != 0)
    return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));   /* <-- failed here */
My understanding is it calls the ripemd160 algorithm to verify a two-byte hash
value and it failed. So I tried to change the algorithm used in gpg for hashing
as follows:
Signing Approach 2
---------------------
I just sign the myfile.txt with sha512 like this:
> gpg --digest-algo sha512 --detach-sign myfile.txt
It creates a myfile.txt.sig file. Then I created the iso image and booted just
as in approach 1.
grub > verify_detached /myfile.txt /myfile.txt.sig /my.pubkey
This time I went much further in grub_verify_signature(). It seems to have failed at
the end when calling the DSA verify routine:
  unsigned nbits = gcry_mpi_get_nbits (sk->mpis[1]);
  grub_dprintf ("crypt", "must be %u bits got %d bits\n", nbits,
                (int)(8 * hash->mdlen));
  /* <---- Here debug output is: must be 17 bits got 512 bits */
  ....
  if (!grub_crypto_pk_dsa)
    return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("module `%s' isn't loaded"),
                       "gcry_dsa");
  if (grub_crypto_pk_dsa->verify (0, hmpi, mpis, sk->mpis, 0, 0))   /* <------ failed here */
    return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
So I guess I was not doing something right? Have you tested this verification
module? The grub_dprintf() output (expecting 17 bits but got 512 bits) is very
suspicious.
For this Verify module to work, what tool and what procedure should I follow
to sign a file?
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Thu 28 Mar 2013 11:30:52 PM GMT Name: my.pubkey Size: 1kB By: whu
<http://savannah.gnu.org/bugs/download.php?file_id=27706>
-------------------------------------------------------
Date: Thu 28 Mar 2013 11:30:52 PM GMT Name: myfile.txt Size: 17B By: whu
<http://savannah.gnu.org/bugs/download.php?file_id=27707>
-------------------------------------------------------
Date: Thu 28 Mar 2013 11:30:52 PM GMT Name: myfile.txt.ripemd160.sig Size: 287B By: whu
<http://savannah.gnu.org/bugs/download.php?file_id=27708>
-------------------------------------------------------
Date: Thu 28 Mar 2013 11:30:52 PM GMT Name: myfile.txt.sha512.sig Size: 287B By: whu
<http://savannah.gnu.org/bugs/download.php?file_id=27709>
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?38620>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
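The two-byte check the report fails at in approach 1 is the "left 16 bits of the signed hash" field of an OpenPGP signature packet, which the verifier compares against its own hash of the file before attempting the DSA verify. The following added example (not GRUB's code, and not the reporter's) parses a v4 detached signature packet per RFC 4880, recomputes the signed digest with the hashed-subpacket trailer, and performs that prefix comparison; the sample document and packet are constructed inline, and the packet carries dummy r/s MPIs rather than a real DSA signature.

```python
import hashlib
import struct

# OpenPGP algorithm ids (RFC 4880 section 9); ripemd160 and sha512 are the two used in the report
HASH_ALGOS = {2: "sha1", 3: "ripemd160", 8: "sha256", 9: "sha384", 10: "sha512"}
PK_ALGOS = {1: "rsa", 17: "dsa"}

def read_mpi(body, off):
    """Read one MPI: 2-byte bit count, then the big-endian magnitude."""
    nbits = struct.unpack(">H", body[off:off + 2])[0]
    nbytes = (nbits + 7) // 8
    return int.from_bytes(body[off + 2:off + 2 + nbytes], "big"), off + 2 + nbytes

def parse_v4_sig(packet):
    """Parse a v4 signature packet with an old-format header and one-byte length (RFC 4880 5.2.3)."""
    tag = (packet[0] >> 2) & 0x0F
    assert packet[0] & 0xC0 == 0x80 and tag == 2 and packet[0] & 0x03 == 0
    body = packet[2:2 + packet[1]]
    assert body[0] == 4, "only v4 signatures handled here"
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed_portion = body[:6 + hashed_len]                  # version .. hashed subpackets
    off = 6 + hashed_len
    off += 2 + struct.unpack(">H", body[off:off + 2])[0]    # skip the unhashed subpackets
    left16 = body[off:off + 2]                              # leftmost 16 bits of the signed hash
    r, off = read_mpi(body, off + 2)
    s, off = read_mpi(body, off)
    return {"pk_algo": PK_ALGOS.get(body[2]), "hash_algo": HASH_ALGOS.get(body[3]),
            "hashed_portion": hashed_portion, "left16": left16, "mpis": (r, s)}

def signed_digest(document, sig):
    """Hash exactly what the signer hashed: document || hashed portion || trailer (RFC 4880 5.2.4)."""
    h = hashlib.new(sig["hash_algo"])
    h.update(document)
    h.update(sig["hashed_portion"])
    h.update(b"\x04\xff" + struct.pack(">I", len(sig["hashed_portion"])))
    return h.digest()

def check_hash_prefix(document, packet):
    """The 2-byte pre-check grub_verify_signature() does before the DSA verify. It is only a
    16-bit sanity check: passing it proves nothing about the signature; failing it usually
    means a hash-algorithm or data mismatch between signer and verifier."""
    sig = parse_v4_sig(packet)
    return signed_digest(document, sig)[:2] == sig["left16"]

def build_sample_sig(document, hash_id):
    """Constructed sample packet: correct left-16 bits but dummy r=1, s=2 MPIs (not a real DSA sig)."""
    hashed = bytes([4, 0, 17, hash_id]) + struct.pack(">H", 6)       # v4, binary doc, DSA, hash id
    hashed += bytes([5, 2]) + struct.pack(">I", 1364513452)          # creation-time subpacket
    unhashed = struct.pack(">H", 10) + bytes([9, 16]) + b"\x00" * 8  # issuer key-id subpacket
    body = hashed + unhashed + signed_digest(document, {"hash_algo": HASH_ALGOS[hash_id],
                                                        "hashed_portion": hashed})[:2]
    body += struct.pack(">H", 1) + b"\x01" + struct.pack(">H", 2) + b"\x02"
    return bytes([0x88, len(body)]) + body

SAMPLE_DOC = b"hello from myfile.txt\n"   # constructed stand-in for the attached myfile.txt
```

Running `parse_v4_sig` on a real `myfile.txt.sig` shows which digest algorithm gpg recorded, which is the first thing to compare against the algorithms the verifier has loaded.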