diff options
| author | David Howells <dhowells@redhat.com> | 2016-04-06 11:14:25 -0400 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2016-04-11 17:41:56 -0400 |
| commit | 9eb029893ad5bf9303ed7f145860b312cbe5f889 (patch) | |
| tree | d68958292bb88d58bbd653bbbdd5b17debba78b0 /crypto/asymmetric_keys | |
| parent | 983023f28bff62b4462fd3575a86a8947ac592d8 (diff) | |
KEYS: Generalise x509_request_asymmetric_key()
Generalise x509_request_asymmetric_key(). It doesn't really have any
dependencies on X.509 features as it uses generalised IDs and the
public_key structs that contain data extracted from X.509.
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'crypto/asymmetric_keys')
| -rw-r--r-- | crypto/asymmetric_keys/asymmetric_keys.h | 2 | ||||
| -rw-r--r-- | crypto/asymmetric_keys/asymmetric_type.c | 42 | ||||
| -rw-r--r-- | crypto/asymmetric_keys/pkcs7_trust.c | 19 | ||||
| -rw-r--r-- | crypto/asymmetric_keys/x509_public_key.c | 5 |
4 files changed, 33 insertions, 35 deletions
diff --git a/crypto/asymmetric_keys/asymmetric_keys.h b/crypto/asymmetric_keys/asymmetric_keys.h index 1d450b580245..ca8e9ac34ce6 100644 --- a/crypto/asymmetric_keys/asymmetric_keys.h +++ b/crypto/asymmetric_keys/asymmetric_keys.h | |||
| @@ -9,6 +9,8 @@ | |||
| 9 | * 2 of the Licence, or (at your option) any later version. | 9 | * 2 of the Licence, or (at your option) any later version. |
| 10 | */ | 10 | */ |
| 11 | 11 | ||
| 12 | #include <keys/asymmetric-type.h> | ||
| 13 | |||
| 12 | extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id); | 14 | extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id); |
| 13 | 15 | ||
| 14 | extern int __asymmetric_key_hex_to_key_id(const char *id, | 16 | extern int __asymmetric_key_hex_to_key_id(const char *id, |
diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c index c4d66cd82860..6600181d5d01 100644 --- a/crypto/asymmetric_keys/asymmetric_type.c +++ b/crypto/asymmetric_keys/asymmetric_type.c | |||
| @@ -35,21 +35,20 @@ static LIST_HEAD(asymmetric_key_parsers); | |||
| 35 | static DECLARE_RWSEM(asymmetric_key_parsers_sem); | 35 | static DECLARE_RWSEM(asymmetric_key_parsers_sem); |
| 36 | 36 | ||
| 37 | /** | 37 | /** |
| 38 | * x509_request_asymmetric_key - Request a key by X.509 certificate params. | 38 | * find_asymmetric_key - Find a key by ID. |
| 39 | * @keyring: The keys to search. | 39 | * @keyring: The keys to search. |
| 40 | * @id: The issuer & serialNumber to look for or NULL. | 40 | * @id_0: The first ID to look for or NULL. |
| 41 | * @skid: The subjectKeyIdentifier to look for or NULL. | 41 | * @id_1: The second ID to look for or NULL. |
| 42 | * @partial: Use partial match if true, exact if false. | 42 | * @partial: Use partial match if true, exact if false. |
| 43 | * | 43 | * |
| 44 | * Find a key in the given keyring by identifier. The preferred identifier is | 44 | * Find a key in the given keyring by identifier. The preferred identifier is |
| 45 | * the issuer + serialNumber and the fallback identifier is the | 45 | * the id_0 and the fallback identifier is the id_1. If both are given, the |
| 46 | * subjectKeyIdentifier. If both are given, the lookup is by the former, but | 46 | * lookup is by the former, but the latter must also match. |
| 47 | * the latter must also match. | ||
| 48 | */ | 47 | */ |
| 49 | struct key *x509_request_asymmetric_key(struct key *keyring, | 48 | struct key *find_asymmetric_key(struct key *keyring, |
| 50 | const struct asymmetric_key_id *id, | 49 | const struct asymmetric_key_id *id_0, |
| 51 | const struct asymmetric_key_id *skid, | 50 | const struct asymmetric_key_id *id_1, |
| 52 | bool partial) | 51 | bool partial) |
| 53 | { | 52 | { |
| 54 | struct key *key; | 53 | struct key *key; |
| 55 | key_ref_t ref; | 54 | key_ref_t ref; |
| @@ -57,12 +56,12 @@ struct key *x509_request_asymmetric_key(struct key *keyring, | |||
| 57 | char *req, *p; | 56 | char *req, *p; |
| 58 | int len; | 57 | int len; |
| 59 | 58 | ||
| 60 | if (id) { | 59 | if (id_0) { |
| 61 | lookup = id->data; | 60 | lookup = id_0->data; |
| 62 | len = id->len; | 61 | len = id_0->len; |
| 63 | } else { | 62 | } else { |
| 64 | lookup = skid->data; | 63 | lookup = id_1->data; |
| 65 | len = skid->len; | 64 | len = id_1->len; |
| 66 | } | 65 | } |
| 67 | 66 | ||
| 68 | /* Construct an identifier "id:<keyid>". */ | 67 | /* Construct an identifier "id:<keyid>". */ |
| @@ -102,14 +101,15 @@ struct key *x509_request_asymmetric_key(struct key *keyring, | |||
| 102 | } | 101 | } |
| 103 | 102 | ||
| 104 | key = key_ref_to_ptr(ref); | 103 | key = key_ref_to_ptr(ref); |
| 105 | if (id && skid) { | 104 | if (id_0 && id_1) { |
| 106 | const struct asymmetric_key_ids *kids = asymmetric_key_ids(key); | 105 | const struct asymmetric_key_ids *kids = asymmetric_key_ids(key); |
| 107 | if (!kids->id[1]) { | 106 | |
| 108 | pr_debug("issuer+serial match, but expected SKID missing\n"); | 107 | if (!kids->id[0]) { |
| 108 | pr_debug("First ID matches, but second is missing\n"); | ||
| 109 | goto reject; | 109 | goto reject; |
| 110 | } | 110 | } |
| 111 | if (!asymmetric_key_id_same(skid, kids->id[1])) { | 111 | if (!asymmetric_key_id_same(id_1, kids->id[1])) { |
| 112 | pr_debug("issuer+serial match, but SKID does not\n"); | 112 | pr_debug("First ID matches, but second does not\n"); |
| 113 | goto reject; | 113 | goto reject; |
| 114 | } | 114 | } |
| 115 | } | 115 | } |
| @@ -121,7 +121,7 @@ reject: | |||
| 121 | key_put(key); | 121 | key_put(key); |
| 122 | return ERR_PTR(-EKEYREJECTED); | 122 | return ERR_PTR(-EKEYREJECTED); |
| 123 | } | 123 | } |
| 124 | EXPORT_SYMBOL_GPL(x509_request_asymmetric_key); | 124 | EXPORT_SYMBOL_GPL(find_asymmetric_key); |
| 125 | 125 | ||
| 126 | /** | 126 | /** |
| 127 | * asymmetric_key_generate_id: Construct an asymmetric key ID | 127 | * asymmetric_key_generate_id: Construct an asymmetric key ID |
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index 36e77cb07bd0..f6a009d88a33 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c | |||
| @@ -51,9 +51,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, | |||
| 51 | /* Look to see if this certificate is present in the trusted | 51 | /* Look to see if this certificate is present in the trusted |
| 52 | * keys. | 52 | * keys. |
| 53 | */ | 53 | */ |
| 54 | key = x509_request_asymmetric_key(trust_keyring, | 54 | key = find_asymmetric_key(trust_keyring, |
| 55 | x509->id, x509->skid, | 55 | x509->id, x509->skid, false); |
| 56 | false); | ||
| 57 | if (!IS_ERR(key)) { | 56 | if (!IS_ERR(key)) { |
| 58 | /* One of the X.509 certificates in the PKCS#7 message | 57 | /* One of the X.509 certificates in the PKCS#7 message |
| 59 | * is apparently the same as one we already trust. | 58 | * is apparently the same as one we already trust. |
| @@ -84,10 +83,10 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, | |||
| 84 | * trusted keys. | 83 | * trusted keys. |
| 85 | */ | 84 | */ |
| 86 | if (last && (last->sig->auth_ids[0] || last->sig->auth_ids[1])) { | 85 | if (last && (last->sig->auth_ids[0] || last->sig->auth_ids[1])) { |
| 87 | key = x509_request_asymmetric_key(trust_keyring, | 86 | key = find_asymmetric_key(trust_keyring, |
| 88 | last->sig->auth_ids[0], | 87 | last->sig->auth_ids[0], |
| 89 | last->sig->auth_ids[1], | 88 | last->sig->auth_ids[1], |
| 90 | false); | 89 | false); |
| 91 | if (!IS_ERR(key)) { | 90 | if (!IS_ERR(key)) { |
| 92 | x509 = last; | 91 | x509 = last; |
| 93 | pr_devel("sinfo %u: Root cert %u signer is key %x\n", | 92 | pr_devel("sinfo %u: Root cert %u signer is key %x\n", |
| @@ -101,10 +100,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, | |||
| 101 | /* As a last resort, see if we have a trusted public key that matches | 100 | /* As a last resort, see if we have a trusted public key that matches |
| 102 | * the signed info directly. | 101 | * the signed info directly. |
| 103 | */ | 102 | */ |
| 104 | key = x509_request_asymmetric_key(trust_keyring, | 103 | key = find_asymmetric_key(trust_keyring, |
| 105 | sinfo->sig->auth_ids[0], | 104 | sinfo->sig->auth_ids[0], NULL, false); |
| 106 | NULL, | ||
| 107 | false); | ||
| 108 | if (!IS_ERR(key)) { | 105 | if (!IS_ERR(key)) { |
| 109 | pr_devel("sinfo %u: Direct signer is key %x\n", | 106 | pr_devel("sinfo %u: Direct signer is key %x\n", |
| 110 | sinfo->index, key_serial(key)); | 107 | sinfo->index, key_serial(key)); |
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 2fb594175cef..9c8483ef1cfe 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c | |||
| @@ -213,9 +213,8 @@ static int x509_validate_trust(struct x509_certificate *cert, | |||
| 213 | if (cert->unsupported_sig) | 213 | if (cert->unsupported_sig) |
| 214 | return -ENOPKG; | 214 | return -ENOPKG; |
| 215 | 215 | ||
| 216 | key = x509_request_asymmetric_key(trust_keyring, | 216 | key = find_asymmetric_key(trust_keyring, |
| 217 | sig->auth_ids[0], sig->auth_ids[1], | 217 | sig->auth_ids[0], sig->auth_ids[1], false); |
| 218 | false); | ||
| 219 | if (IS_ERR(key)) | 218 | if (IS_ERR(key)) |
| 220 | return PTR_ERR(key); | 219 | return PTR_ERR(key); |
| 221 | 220 | ||