booting error when using code signing for linux kernel image
2016-04-14, 00:35
Post: #5
RE: booting error when using code signing for linux kernel image
1. openssl req -newkey rsa -keyout codesign.key -out codesign.req
2. openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt
3. openssl cms -sign -binary -noattr -in vmlinuz -signer codesign.crt -inkey codesign.key -certfile ca.crt -outform DER -out vmlinuz.sig

The ca.cnf file is for my own private CA infrastructure, and it has the digitalSignature key usage extension and the codeSigning extended key usage extension enabled.

ca.cnf format:

[ ca ]
default_ca = ca_default

[ ca_default ]
certificate = ca.crt
private_key = ca.key
serial = ca.srl
database = ca.idx
new_certs_dir = /home/apoorv/projects/signed
default_md = default
policy = policy_anything
preserve = yes
default_days = 90
unique_subject = no

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[ cross ]
basicConstraints = critical,CA:true
keyUsage = critical,cRLSign,keyCertSign

[ codesigning ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning

Command:

openssl cms -verify -binary -content vmlinuz -inform DER -in vmlinuz.sig -CAfile ca.crt

Output:

Verification failure
140187569694352:error:2E099064:CMS routines:CMS_SIGNERINFO_VERIFY_CERT:certificate verify error:cms_smime.c:287:Verify error:unsupported certificate purpose


Can anyone please help me understand what is going wrong here?


Messages In This Thread
RE: booting error when using code signing for linux kernel image - apoorvmunshi - 2016-04-14 00:35
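
An added example, not part of the original post: a script that reproduces the verify step with throwaway keys and shows that `openssl cms -verify` checks the signer against the S/MIME signing purpose by default, which a certificate whose only extended key usage is codeSigning does not satisfy. It assumes `openssl x509 -req` in place of the post's `openssl ca` step, and every subject name and file content in it is constructed.

```sh
#!/bin/sh
# Added example. Keys, subjects and the "vmlinuz" file are constructed throwaways.
work=$(mktemp -d) && cd "$work" || exit 1

# Extension sections copied from the post's ca.cnf; [ req ]/[ dn ] are added
# here only so that "openssl req" runs without prompting.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = constructed
[ cross ]
basicConstraints = critical,CA:true
keyUsage = critical,cRLSign,keyCertSign
[ codesigning ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF

# Build a test CA, a codeSigning-only certificate and a detached DER signature.
# Assumption: "openssl x509 -req" stands in for the post's "openssl ca" step.
setup() {
  openssl req -x509 -config demo.cnf -extensions cross -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Test CA" -days 2 -keyout ca.key -out ca.crt &&
  openssl req -config demo.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Code Signer" -keyout codesign.key -out codesign.req &&
  openssl x509 -req -in codesign.req -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile demo.cnf -extensions codesigning -days 1 -out codesign.crt &&
  printf 'constructed stand-in for a kernel image\n' > vmlinuz &&
  openssl cms -sign -binary -noattr -in vmlinuz -signer codesign.crt \
    -inkey codesign.key -certfile ca.crt -outform DER -out vmlinuz.sig
}

# The post's verify command; extra options are appended, stderr kept in verify.err.
verify() {
  openssl cms -verify -binary -content vmlinuz -inform DER -in vmlinuz.sig \
    -CAfile ca.crt -out /dev/null "$@" 2>verify.err
}

setup >/dev/null 2>&1 || { echo "setup failed" >&2; exit 1; }

# Default purpose is S/MIME signing, which a codeSigning-only EKU does not allow.
if verify; then echo "default purpose: verified"
else echo "default purpose: rejected"; grep 'certificate purpose' verify.err; fi

# Same signature and chain with the purpose check relaxed.
if verify -purpose any; then echo "-purpose any: verified"
else echo "-purpose any: rejected"; cat verify.err; fi
```

`-purpose any` turns off the purpose check altogether, so a verifier that must enforce codeSigning has to inspect the extended key usage itself.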


