The Digital Signature Catalog (DSC)
To verify filesets during installation, AIX Trusted Installation uses the Digital Signature Catalog (DSC). This is an ODM class named dsc_inventory located in /usr/lib/objrepos. Entries in this ODM class have the following form:
# ODMDIR=/usr/lib/objrepos odmshow dsc_inventory
class dsc_inventory {
char pkg_name[145]; /* offset: 0xc ( 12) */
char lpp_name[145]; /* offset: 0x9d ( 157) */
short ver; /* offset: 0x12e ( 302) */
short rel; /* offset: 0x130 ( 304) */
short mod; /* offset: 0x132 ( 306) */
short fix; /* offset: 0x134 ( 308) */
char ftype[4]; /* offset: 0x136 ( 310) */
vchar signature[1024]; /* offset: 0x13c ( 316) */
vchar timestamp[64]; /* offset: 0x140 ( 320) */
link dsc_key dsc_key id key[11]; /* offset: 0x144 ( 324) */
};
/*
descriptors: 10
structure size: 0x158 (344) bytes
data offset: 0x334
population: 14187 objects (14187 active, 0 deleted)
*/
#
In order for a fileset to be verified during installation, a corresponding entry must exist in the DSC (dsc_inventory) for the fileset to be installed. There is a separate entry for each known version of a fileset. In addition to the package name (pkg_name), the fileset name (lpp_name), and the package type (ftype), the version (ver), the release (rel), the modification level (mod), and the fix level (fix) are also stored. The most important information is the fileset’s digital signature (signature), the build timestamp (timestamp), and a reference to the ID (key) of the certificate to be used when verifying the signature.
For example, the entry for version 7.3.2.1 of bos.rte.libc looks like this:
# ODMDIR=/usr/lib/objrepos odmget -q "lpp_name=bos.rte.libc AND ver=7 AND rel=3 AND mod=2 AND fix=1" dsc_inventory
dsc_inventory:
pkg_name = "bos"
lpp_name = "bos.rte.libc"
ver = 7
rel = 3
mod = 2
fix = 1
ftype = "S"
signature = "lRjpNE9gD+6nWyvPQJH0RoZgISpJrXxYUwlJoZuqfjCNfUWy73WgduuZRnkGeEeGHrC/LGy1VBH+NgXDfqKN+NxKZQmS7IA+wo4G0LsqcidzDIKE4ONbSOhQeA9k8izFxeFrLqFLmkntq6S3vcvku+5OF7ahoy6CuCmdczg580bs/SuQpEjp46XdDHwb6S8YlYBLYWvxunOlXVLneJBaOzCY/KGrKPbnHEwUhKwxamv3xoPWdqI7nOSjCHYoysNVUsIbukYId/XdmVeSIrC8/6EWmuxvZG/aHM0GDAoQdLy6zSNQ8zMlCBM2rfJcVxkgKNHFkzuNPDTW7aFwXVJ4XA=="
timestamp = "Thu_Mar_21_11-13-28_2024"
key = "3"
#
The key field refers to the ID of the corresponding certificate in the ODM dsc_key:
# ODMDIR=/usr/lib/objrepos odmget -q id=3 dsc_key
dsc_key:
id = 3
type = "certificate"
alias = "aixpublic_73"
location = "/etc/security/pkgverify/certfile/aixpublic_73.pem"
modulus = "b19c33e5eb0b4e2fbdcff3b2eeec31d5"
hash = "sha256"
keystore = "03"
#
The certificate can be found at /etc/security/pkgverify/certfile/aixpublic_73.pem. The corresponding public key is located in the same ODM (dsc_key) with type “key” instead of “certificate.” Both entries contain a reference (keystore) to the ID of the corresponding keystore.
For keystores, there is a separate ODM, dsc_keystore. In most cases, this ODM contains only one entry for the IBM default keystore:
# ODMDIR=/usr/lib/objrepos odmget dsc_keystore
dsc_keystore:
id = 3
type = "pkcs12"
alias = "aixpublic_73"
location = "/etc/security/pkgverify/keystore/aixpublic_73.p12"
#
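The reference chain described above (dsc_inventory.key to dsc_key.id, then dsc_key.keystore to dsc_keystore.id) can be checked offline from odmget output. The following is an added example, not IBM code and not part of the original page: it parses the stanza layout shown above and reports dangling references; the sample records are constructed from this page's entries (bos.rte.example and key id 9 are invented), and on a real system the text would come from odmget with ODMDIR=/usr/lib/objrepos. Note that the page shows keystore = "03" next to id = 3, so ids are compared numerically.

```python
def parse_odmget(text):
    """Parse odmget stanza output ('class:' line, then indented 'field = value'
    lines) into a list of (class_name, {field: value}); quotes are stripped."""
    records, fields = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and "=" not in line:  # header of the next object
            fields = {}
            records.append((line[:-1], fields))
        elif fields is not None and "=" in line:
            name, value = line.split("=", 1)
            fields[name.strip()] = value.strip().strip('"')
    return records

def as_id(value):
    """Compare ids numerically: dsc_key.keystore prints as "03", dsc_keystore.id as 3."""
    try:
        return int(value)
    except ValueError:
        return value

def check_dsc_chain(inventory_text, key_text, keystore_text):
    """Follow key -> dsc_key.id -> keystore -> dsc_keystore.id; return problems found."""
    keys = {as_id(r["id"]): r for _, r in parse_odmget(key_text)}
    keystores = {as_id(r["id"]): r for _, r in parse_odmget(keystore_text)}
    problems = []
    for _, e in parse_odmget(inventory_text):
        label = e["lpp_name"] + " " + ".".join(e[f] for f in ("ver", "rel", "mod", "fix"))
        cert = keys.get(as_id(e["key"]))
        if cert is None:
            problems.append("%s: key %s has no dsc_key entry" % (label, e["key"]))
        elif cert.get("type") != "certificate":
            problems.append("%s: dsc_key %s is not a certificate" % (label, e["key"]))
        elif as_id(cert.get("keystore", "")) not in keystores:
            problems.append("%s: keystore %s missing from dsc_keystore" % (label, cert["keystore"]))
    return problems

def stanza(cls, **fields):
    """Render a record in odmget's layout (helper for the constructed sample data below)."""
    return cls + ":\n" + "".join('        %s = "%s"\n' % kv for kv in fields.items())

# Sample records built from the entries shown on this page (signature and other fields
# omitted); bos.rte.example and its key id 9 are invented to show a dangling reference.
INVENTORY = (stanza("dsc_inventory", lpp_name="bos.rte.libc", ver=7, rel=3, mod=2, fix=1, key="3")
             + stanza("dsc_inventory", lpp_name="bos.rte.example", ver=7, rel=3, mod=2, fix=0, key="9"))
KEYS = stanza("dsc_key", id=3, type="certificate",
              location="/etc/security/pkgverify/certfile/aixpublic_73.pem", keystore="03")
KEYSTORES = stanza("dsc_keystore", id=3, type="pkcs12",
                   location="/etc/security/pkgverify/keystore/aixpublic_73.p12")
```

Running check_dsc_chain(INVENTORY, KEYS, KEYSTORES) flags only the invented bos.rte.example entry; the bos.rte.libc entry resolves cleanly through key 3 to keystore 3.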
If AIX Trusted Installation has never been enabled on a system, the two ODMs dsc_key and dsc_keystore will contain no entries. When AIX Trusted Installation is used for the first time by installing filesets with a signature policy other than none, these two ODMs are automatically initialized with default entries. The existing certificates in /etc/security/certificates are used:
# ls -l /etc/security/certificates/certificate_72 /etc/security/certificates/certificate_73
-rw-r----- 1 root security 846 Jul 25 2020 /etc/security/certificates/certificate_72
-rw-r----- 1 root security 846 Mar 24 2021 /etc/security/certificates/certificate_73
#
Depending on the AIX version, either certificate_72 or certificate_73 is used.
The initialization of the two ODMs dsc_key and dsc_keystore can also be performed by the administrator using the pkgverify command and the option “-I” (initialize keystore):
# pkgverify -I
#
Note: IBM does not document pkgverify as an official administrator command; it is invoked implicitly when filesets are installed.