KEYS: Overhaul key identification when searching for asymmetric keys

Make use of the new match string preparsing to overhaul key identification
when searching for asymmetric keys.  The following changes are made:

 (1) Use the previously created asymmetric_key_id struct to hold the following
     key IDs derived from the X.509 certificate or PKCS#7 message:

	id: serial number + issuer
	skid: subjKeyId + subject
	authority: authKeyId + issuer

 (2) Replace the hex fingerprint attached to key->type_data[1] with an
     asymmetric_key_ids struct containing the id and the skid (if present).

 (3) Make the asymmetric_type match data preparse select one of two searches:

     (a) An iterative search for the key ID given if prefixed with "id:".  The
     	 prefix is expected to be followed by a hex string giving the ID to
     	 search for.  The criterion key ID is checked against all key IDs
     	 recorded on the key.

     (b) A direct search if the key ID is not prefixed with "id:".  This will
     	 look for an exact match on the key description.

 (4) Make x509_request_asymmetric_key() take a key ID.  This is then converted
     into "id:<hex>" and passed into keyring_search() where match preparsing
     will turn it back into a binary ID.

 (5) X.509 certificate verification then takes the authority key ID and looks
     up a key that matches it to find the public key for the certificate
     signature.

 (6) PKCS#7 certificate verification then takes the id key ID and looks up a
     key that matches it to find the public key for the signed information
     block signature.

Additional changes:

 (1) Multiple subjKeyId and authKeyId values on an X.509 certificate cause the
     cert to be rejected with -EBADMSG.

 (2) The 'fingerprint' ID is gone.  This was primarily intended to convey PGP
     public key fingerprints.  If PGP is supported in future, this should
     generate a key ID that carries the fingerprint.

 (3) Th ca_keyid= kernel command line option is now converted to a key ID and
     used to match the authority key ID.  Possibly this should only match the
     actual authKeyId part and not the issuer as well.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>

1 files changed, 51 insertions, 38 deletions

diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index f3d62307e6ee..c60905c3f4d2 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -25,7 +25,7 @@
 #include "x509_parser.h"
 
 static bool use_builtin_keys;
-static char *ca_keyid;
+static struct asymmetric_key_id *ca_keyid;
 
 #ifndef MODULE
 static int __init ca_keys_setup(char *str)
@@ -33,10 +33,16 @@ static int __init ca_keys_setup(char *str)
         if (!str)               /* default system keyring */
                 return 1;
 
-        if (strncmp(str, "id:", 3) == 0)
-                ca_keyid = str; /* owner key 'id:xxxxxx' */
-        else if (strcmp(str, "builtin") == 0)
+        if (strncmp(str, "id:", 3) == 0) {
+                struct asymmetric_key_id *p;
+                p = asymmetric_key_hex_to_key_id(str);
+                if (p == ERR_PTR(-EINVAL))
+                        pr_err("Unparsable hex string in ca_keys\n");
+                else if (!IS_ERR(p))
+                        ca_keyid = p;   /* owner key 'id:xxxxxx' */
+        } else if (strcmp(str, "builtin") == 0) {
                 use_builtin_keys = true;
+        }
 
         return 1;
 }
@@ -46,31 +52,28 @@ __setup("ca_keys=", ca_keys_setup);
 /**
  * x509_request_asymmetric_key - Request a key by X.509 certificate params.
  * @keyring: The keys to search.
- * @subject: The name of the subject to whom the key belongs.
- * @key_id: The subject key ID as a hex string.
+ * @kid: The key ID.
  *
  * Find a key in the given keyring by subject name and key ID.  These might,
  * for instance, be the issuer name and the authority key ID of an X.509
  * certificate that needs to be verified.
  */
 struct key *x509_request_asymmetric_key(struct key *keyring,
-                                        const char *subject,
-                                        const char *key_id)
+                                        const struct asymmetric_key_id *kid)
 {
         key_ref_t key;
-        size_t subject_len = strlen(subject), key_id_len = strlen(key_id);
-        char *id;
+        char *id, *p;
 
-        /* Construct an identifier "<subjname>:<keyid>". */
-        id = kmalloc(subject_len + 2 + key_id_len + 1, GFP_KERNEL);
+        /* Construct an identifier "id:<keyid>". */
+        p = id = kmalloc(2 + 1 + kid->len * 2 + 1, GFP_KERNEL);
         if (!id)
                 return ERR_PTR(-ENOMEM);
 
-        memcpy(id, subject, subject_len);
-        id[subject_len + 0] = ':';
-        id[subject_len + 1] = ' ';
-        memcpy(id + subject_len + 2, key_id, key_id_len);
-        id[subject_len + 2 + key_id_len] = 0;
+        *p++ = 'i';
+        *p++ = 'd';
+        *p++ = ':';
+        p = bin2hex(p, kid->data, kid->len);
+        *p = 0;
 
         pr_debug("Look up: \"%s\"\n", id);
 
@@ -195,11 +198,10 @@ static int x509_validate_trust(struct x509_certificate *cert,
         if (!trust_keyring)
                 return -EOPNOTSUPP;
 
-        if (ca_keyid && !asymmetric_keyid_match(cert->authority, ca_keyid))
+        if (ca_keyid && !asymmetric_key_id_same(cert->authority, ca_keyid))
                 return -EPERM;
 
-        key = x509_request_asymmetric_key(trust_keyring,
-                                          cert->issuer, cert->authority);
+        key = x509_request_asymmetric_key(trust_keyring, cert->authority);
         if (!IS_ERR(key))  {
                 if (!use_builtin_keys
                     || test_bit(KEY_FLAG_BUILTIN, &key->flags))
@@ -214,9 +216,11 @@ static int x509_validate_trust(struct x509_certificate *cert,
  */
 static int x509_key_preparse(struct key_preparsed_payload *prep)
 {
+        struct asymmetric_key_ids *kids;
         struct x509_certificate *cert;
+        const char *q;
         size_t srlen, sulen;
-        char *desc = NULL;
+        char *desc = NULL, *p;
         int ret;
 
         cert = x509_cert_parse(prep->data, prep->datalen);
@@ -249,19 +253,12 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
                  pkey_algo_name[cert->sig.pkey_algo],
                  hash_algo_name[cert->sig.pkey_hash_algo]);
 
-        if (!cert->fingerprint) {
-                pr_warn("Cert for '%s' must have a SubjKeyId extension\n",
-                        cert->subject);
-                ret = -EKEYREJECTED;
-                goto error_free_cert;
-        }
-
         cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
         cert->pub->id_type = PKEY_ID_X509;
 
         /* Check the signature on the key if it appears to be self-signed */
         if (!cert->authority ||
-            strcmp(cert->fingerprint, cert->authority) == 0) {
+            asymmetric_key_id_same(cert->skid, cert->authority)) {
                 ret = x509_check_signature(cert->pub, cert); /* self-signed */
                 if (ret < 0)
                         goto error_free_cert;
@@ -273,31 +270,47 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
 
         /* Propose a description */
         sulen = strlen(cert->subject);
-        srlen = strlen(cert->fingerprint);
+        srlen = cert->raw_serial_size;
+        q = cert->raw_serial;
+        if (srlen > 1 && *q == 0) {
+                srlen--;
+                q++;
+        }
+
         ret = -ENOMEM;
-        desc = kmalloc(sulen + 2 + srlen + 1, GFP_KERNEL);
+        desc = kmalloc(sulen + 2 + srlen * 2 + 1, GFP_KERNEL);
         if (!desc)
                 goto error_free_cert;
-        memcpy(desc, cert->subject, sulen);
-        desc[sulen] = ':';
-        desc[sulen + 1] = ' ';
-        memcpy(desc + sulen + 2, cert->fingerprint, srlen);
-        desc[sulen + 2 + srlen] = 0;
+        p = memcpy(desc, cert->subject, sulen);
+        p += sulen;
+        *p++ = ':';
+        *p++ = ' ';
+        p = bin2hex(p, q, srlen);
+        *p = 0;
+
+        kids = kmalloc(sizeof(struct asymmetric_key_ids), GFP_KERNEL);
+        if (!kids)
+                goto error_free_desc;
+        kids->id[0] = cert->id;
+        kids->id[1] = cert->skid;
 
         /* We're pinning the module by being linked against it */
         __module_get(public_key_subtype.owner);
         prep->type_data[0] = &public_key_subtype;
-        prep->type_data[1] = cert->fingerprint;
+        prep->type_data[1] = kids;
         prep->payload[0] = cert->pub;
         prep->description = desc;
         prep->quotalen = 100;
 
         /* We've finished with the certificate */
         cert->pub = NULL;
-        cert->fingerprint = NULL;
+        cert->id = NULL;
+        cert->skid = NULL;
         desc = NULL;
         ret = 0;
 
+error_free_desc:
+        kfree(desc);
 error_free_cert:
         x509_free_certificate(cert);
         return ret;