Describe the bug
I use smallstep as CA and for creating my certificates. As mentioned in the documentation, I created my leaf certificate with the needed X509 keyUsage and extendedKeyUsage parameters (keyUsage = "digitalSignature" and extendedKeyUsage = "codeSigning").
The bundle creation worked fine with the demo certificate mentioned in the documentation, but when I tried to use my self-signed certificate it failed with the error message:
405A1CF6FB7F0000:error:17000064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:../crypto/cms/cms_smime.c:289:Verify error: unsupported certificate purpose
Failed to resign bundle: failed to sign manifest: signature verification failed: error:1700006B:CMS routines::content type not enveloped data
Background information
RAUC version: rauc 1.9.96-973ae
System:
I'm running an Ubuntu Server 22.04.2 LTS version in a QEMU virtualization
root@secc04:~# hostnamectl
Static hostname: my_comp
Icon name: computer-vm
Chassis: vm
Machine ID: bae476e4d484402eae8536cd64b293ec
Boot ID: cc401e676ee44947bced60480c38d611
Virtualization: kvm
Operating System: Ubuntu 22.04.2 LTS
Kernel: Linux 5.19.0-41-generic
Architecture: x86-64
Hardware Vendor: QEMU
Hardware Model: Standard PC _Q35 + ICH9, 2009_
root@secc04:~#
To Reproduce
Steps to reproduce the behavior:
1. Create leaf certificate 'my_leaf.pem' with smallstep (step ca certificate). Chain: "root -> intermediate -> leaf"
   1.1 My provisioner config was updated with this template:
2. cat root.crt intermediate.crt > keyring.pem
3. rauc --cert=/data/update/certs/my_leaf.pem --key=/data/update/certs/my_leaf.key --keyring=/data/update/certs/keyring.pem bundle rauc-bundle/ update-2023.05-1.raucb
Expected behavior
Bundle creation without error
Logs
402AEF40DF7F0000:error:17000064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:../crypto/cms/cms_smime.c:289:Verify error: unsupported certificate purpose
Failed to resign bundle: failed to sign manifest: signature verification failed: error:1700006B:CMS routines::content type not enveloped data
Additional context
After a few hours of trying to find the problem, and even changing my intermediate certificate to include the extendedKeyUsage = "codeSigning" parameter without luck, I found the problem!
The leaf certificate also needed the S/MIME signing parameter!
With the updated template, everything worked as expected:
Before including "emailProtection" in the extKeyUsage field, I also tried to include "check-purpose=codesign" inside the config file, but it didn't change anything.
My config file now:
Therefore either the documentation is incomplete or the implementation is wrong.
Just wanted to let you know that I had huge problems with this. :)
Kind regards
Michael
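As an added example (not the author's template, which is not shown on this page), here is a step-ca leaf certificate template with the extKeyUsage combination the issue ends up needing; the Go-template comment marks the value that was missing. Field names follow step-ca's x509 template format, and the RAUC config alternative is the one from the reply below:

```json
{
  "subject": {{ toJson .Subject }},
  "sans": {{ toJson .SANs }},
  "keyUsage": ["digitalSignature"],
  {{/* With rauc's default verification purpose (S/MIME), a leaf whose EKU
       lists only codeSigning is rejected with "unsupported certificate
       purpose" when rauc bundle re-verifies its own signature against the
       keyring; emailProtection is the value the author had to add. */}}
  "extKeyUsage": ["codeSigning", "emailProtection"]
}
```

If the certificate is meant to carry only codeSigning, the alternative on this page is to set check-purpose=codesign in the RAUC config file (which must then also contain a [system] section) instead of widening the EKU.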
When you pass a keyring to rauc bundle, it will try to verify the generated signature against that keyring (which helps catch inconsistencies or expired certs). Currently, it's not possible to set the certificate purpose for that check without passing a config file. So for bundle either pass a config file or don't pass --keyring.
Your output also mentions "Failed to resign bundle"; is that part of your workflow? As resign currently requires --keyring even with --no-verify, you have to pass a config file to set the purpose and use the same purpose for both the old certificate (input signature check) and the new one (generated signature check).
Together this should be a workaround for your case. To fix this properly, we'd have to:
1. split config file parsing from config consistency check (to require [system] only on the target)
2. allow passing config file key/values from the command line (perhaps something like -C keyring.check-purpose=codesign)
3. support different verification settings for the consistency check of the generated signature
When #1268 is merged, you should be able to use rauc resign --no-verify without --keyring to disable signature checks completely. You should probably automate those a different way, in that case. :)