diff options
| author | David Howells <dhowells@redhat.com> | 2014-09-16 12:36:13 -0400 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2014-09-16 12:36:13 -0400 |
| commit | 46963b774d441c833afc1535f6d84b3df2a94204 (patch) | |
| tree | 335cbd163ef2581b72d462f49984a6809609a58b /include/crypto | |
| parent | 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 (diff) | |
KEYS: Overhaul key identification when searching for asymmetric keys
Make use of the new match string preparsing to overhaul key identification
when searching for asymmetric keys. The following changes are made:
(1) Use the previously created asymmetric_key_id struct to hold the following
key IDs derived from the X.509 certificate or PKCS#7 message:
id: serial number + issuer
skid: subjKeyId + subject
authority: authKeyId + issuer
(2) Replace the hex fingerprint attached to key->type_data[1] with an
asymmetric_key_ids struct containing the id and the skid (if present).
(3) Make the asymmetric_type match data preparse select one of two searches:
(a) An iterative search for the key ID given if prefixed with "id:". The
prefix is expected to be followed by a hex string giving the ID to
search for. The criterion key ID is checked against all key IDs
recorded on the key.
(b) A direct search if the key ID is not prefixed with "id:". This will
look for an exact match on the key description.
(4) Make x509_request_asymmetric_key() take a key ID. This is then converted
into "id:<hex>" and passed into keyring_search() where match preparsing
will turn it back into a binary ID.
(5) X.509 certificate verification then takes the authority key ID and looks
up a key that matches it to find the public key for the certificate
signature.
(6) PKCS#7 certificate verification then takes the id key ID and looks up a
key that matches it to find the public key for the signed information
block signature.
Additional changes:
(1) Multiple subjKeyId and authKeyId values on an X.509 certificate cause the
cert to be rejected with -EBADMSG.
(2) The 'fingerprint' ID is gone. This was primarily intended to convey PGP
public key fingerprints. If PGP is supported in future, this should
generate a key ID that carries the fingerprint.
(3) Th ca_keyid= kernel command line option is now converted to a key ID and
used to match the authority key ID. Possibly this should only match the
actual authKeyId part and not the issuer as well.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
Diffstat (limited to 'include/crypto')
| -rw-r--r-- | include/crypto/public_key.h | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 0d164c6af539..fa73a6fd536c 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h | |||
| @@ -15,6 +15,7 @@ | |||
| 15 | #define _LINUX_PUBLIC_KEY_H | 15 | #define _LINUX_PUBLIC_KEY_H |
| 16 | 16 | ||
| 17 | #include <linux/mpi.h> | 17 | #include <linux/mpi.h> |
| 18 | #include <keys/asymmetric-type.h> | ||
| 18 | #include <crypto/hash_info.h> | 19 | #include <crypto/hash_info.h> |
| 19 | 20 | ||
| 20 | enum pkey_algo { | 21 | enum pkey_algo { |
| @@ -98,8 +99,8 @@ struct key; | |||
| 98 | extern int verify_signature(const struct key *key, | 99 | extern int verify_signature(const struct key *key, |
| 99 | const struct public_key_signature *sig); | 100 | const struct public_key_signature *sig); |
| 100 | 101 | ||
| 102 | struct asymmetric_key_id; | ||
| 101 | extern struct key *x509_request_asymmetric_key(struct key *keyring, | 103 | extern struct key *x509_request_asymmetric_key(struct key *keyring, |
| 102 | const char *issuer, | 104 | const struct asymmetric_key_id *kid); |
| 103 | const char *key_id); | ||
| 104 | 105 | ||
| 105 | #endif /* _LINUX_PUBLIC_KEY_H */ | 106 | #endif /* _LINUX_PUBLIC_KEY_H */ |