Hello,
We are trying to implement code signing while using ipxe.
Case 1: We implemented code signing by following the commands given in the ipxe documentation. It worked.
Case 2: We turned on the HTTPS option, embedded our private root certificate in the ipxe binary, and installed a self-signed cert on our nginx server. As you can see in the screenshot, fetching our script "debian.ipxe" over HTTPS succeeds. However, code signing seems to fail.
Please help. Thank you in advance.
The http://ipxe.org/0216eb3c error points to x509 not being able to validate;
maybe you could build with DEBUG=x509 to get more information about what the cause might be.
Could you post your scripts, and maybe also try the commands one by one, to see exactly what fails?
(2016-04-09 18:31) NiKiZe Wrote:
The http://ipxe.org/0216eb3c error points to x509 not being able to validate;
maybe you could build with DEBUG=x509 to get more information about what the cause might be.
Could you post your scripts, and maybe also try the commands one by one, to see exactly what fails?
Hi NiKiZe,
Please find the image of the debug messages here:
The commands in our script are as follows:
#!ipxe
# Require every subsequently loaded image to be verified before it can be used
imgtrust
kernel https://192.168.1.42/debian/vmlinuz
imgstat
# Verify the kernel against its detached CMS signature
imgverify vmlinuz https://192.168.1.42/debian/vmlinuz.sig
imgstat
module https://192.168.1.42/debian/initrd.img
imgargs vmlinuz boot=live config username=live fetch=http://192.168.1.42/debian/filesystem.squashfs
boot
Any help is deeply appreciated. Also, just for your information, we followed the exact steps given in the ipxe manual.
I'm no expert on iPXE certs, but until someone with more knowledge comes along...
based on ipxe.org/0216eb3c and "X509 chain ... found no usable certificates", I would guess that the .sig does not match the cert, or vice versa.
Searching for ipxe "found no usable certificates" will hopefully give more insights.
1. openssl req -newkey rsa -keyout codesign.key -out codesign.req
2. openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt
3. openssl cms -sign -binary -noattr -in vmlinuz -signer codesign.crt -inkey codesign.key -certfile ca.crt -outform DER -out vmlinuz.sig
The ca.cnf file is for my own private CA infrastructure, and it has the digitalSignature key usage extension and the codeSigning extended key usage extension enabled.
ca.cnf format:
[ ca ]
default_ca = ca_default
[ ca_default ]
certificate = ca.crt
private_key = ca.key
serial = ca.srl
database = ca.idx
new_certs_dir = /home/apoorv/projects/signed
default_md = default
policy = policy_anything
preserve = yes
default_days = 90
unique_subject = no
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ cross ]
basicConstraints = critical,CA:true
keyUsage = critical,cRLSign,keyCertSign
[ codesigning ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
Command: openssl cms -verify -binary -content vmlinuz -inform DER -in vmlinuz.sig -CAfile ca.crt
Output:
Verification failure 140187569694352:error:2E099064:CMS routines:CMS_SIGNERINFO_VERIFY_CERT:certificate verify error:cms_smime.c:287:Verify error:unsupported certificate purpose
Can anyone please help me with what is going wrong here?
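The failing openssl check in the post above, reproduced end to end as an added example (editor's addition, not code from the original thread or from the iPXE project): it builds a throwaway private CA and a code-signing certificate with the same extensions as the [ cross ] and [ codesigning ] sections of the posted ca.cnf, signs a constructed stand-in for vmlinuz with the same openssl cms -sign command, and then shows that openssl cms -verify rejects a codeSigning-only signer under its default S/MIME-signing purpose check ("unsupported certificate purpose") but accepts the same signature with -purpose any, while a modified image still fails. The subject names, file names and image contents are assumptions, and openssl x509 -req stands in for the thread's openssl ca step so that no CA database is needed.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the
# "unsupported certificate purpose" failure and the verify-side fix.
# Needs only the openssl CLI; everything happens in a temporary directory.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Extensions for the private root CA, mirroring the [ cross ] section
# of the posted ca.cnf (subject names below are made up).
cat > ca.ext <<'EOF'
basicConstraints = critical,CA:true
keyUsage = critical,cRLSign,keyCertSign
EOF

# Extensions for the signer, mirroring the [ codesigning ] section.
cat > codesign.ext <<'EOF'
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF

# Root CA: self-signed certificate carrying the CA extensions above.
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.req \
    -subj "/CN=Example Private Root CA" 2>/dev/null
openssl x509 -req -in ca.req -signkey ca.key -days 3650 \
    -extfile ca.ext -out ca.crt 2>/dev/null

# Code-signing certificate issued by that CA (x509 -req replaces the
# thread's "openssl ca -extensions codesigning" step).
openssl req -new -newkey rsa:2048 -nodes -keyout codesign.key -out codesign.req \
    -subj "/CN=Example Code Signer" 2>/dev/null
openssl x509 -req -in codesign.req -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 90 -extfile codesign.ext -out codesign.crt 2>/dev/null

# Constructed stand-in for the kernel image that gets signed.
printf 'not really a kernel\n' > vmlinuz

# Detached DER CMS signature, the same command as step 3 in the thread.
openssl cms -sign -binary -noattr -in vmlinuz -signer codesign.crt \
    -inkey codesign.key -certfile ca.crt -outform DER -out vmlinuz.sig

# Default verification: openssl checks the signer certificate against the
# S/MIME signing purpose, which a codeSigning-only EKU does not satisfy, so
# this exits non-zero with "unsupported certificate purpose".
verify_default() {
    openssl cms -verify -binary -content vmlinuz -inform DER -in vmlinuz.sig \
        -CAfile ca.crt -out /dev/null 2>/dev/null
}

# Same check with the purpose test relaxed: the signature and the chain to
# ca.crt are still fully verified; only the EKU-vs-S/MIME rule is dropped.
verify_any_purpose() {
    openssl cms -verify -binary -content vmlinuz -inform DER -in vmlinuz.sig \
        -CAfile ca.crt -purpose any -out /dev/null 2>/dev/null
}

# Negative control: a modified image must not verify even with -purpose any.
verify_tampered() {
    printf 'not really a kernel, modified\n' > vmlinuz.tampered
    openssl cms -verify -binary -content vmlinuz.tampered -inform DER \
        -in vmlinuz.sig -CAfile ca.crt -purpose any -out /dev/null 2>/dev/null
}

if verify_default; then echo "default verify: ok"; else echo "default verify: FAILED (expected)"; fi
if verify_any_purpose; then echo "-purpose any verify: ok (expected)"; else echo "-purpose any verify: FAILED"; fi
if verify_tampered; then echo "tampered verify: ok (unexpected)"; else echo "tampered verify: FAILED (expected)"; fi
```

The openssl check is only a local sanity test of the .sig file; iPXE's imgverify performs its own CMS and X.509 validation against the certificate embedded in the binary, and that path needs the codeSigning extended key usage the thread already configures. If the openssl verification passes with -purpose any but imgverify still fails, the DEBUG=x509 build suggested earlier in the thread is the next step.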
Hello everyone,
We solved the problem by entering the following commands:
openssl req -newkey rsa -keyout codesign.key -out codesign.req
openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt
openssl cms -sign -binary -noattr -in vmlinuz -purpose any -signer codesign.crt -inkey codesign.key -certfile ca.crt -outform DER -out vmlinuz.sig
It seems that adding the -purpose any option solved the problem.
Thank you for your help.