diff options
| author | David Howells <dhowells@redhat.com> | 2014-07-28 09:11:32 -0400 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2014-07-29 08:07:58 -0400 |
| commit | 5ce43ad28262115a1eab866392f8cfb985094160 (patch) | |
| tree | b89fbce6bb60fcd4dcb2102a11cf084fa6375552 /crypto | |
| parent | 185de09c6aa9d38ec04e34b2d9a996561963f895 (diff) | |
PKCS#7: Use x509_request_asymmetric_key()
pkcs7_request_asymmetric_key() and x509_request_asymmetric_key() do the same
thing, the latter being a copy of the former created by the IMA folks, so drop
the PKCS#7 version as the X.509 location is more general.
Whilst we're at it, rename the arguments of x509_request_asymmetric_key() to
better reflect what the values being passed in are intended to match on an
X.509 cert.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Diffstat (limited to 'crypto')
| -rw-r--r-- | crypto/asymmetric_keys/pkcs7_trust.c | 61 | ||||
| -rw-r--r-- | crypto/asymmetric_keys/x509_public_key.c | 36 |
2 files changed, 25 insertions, 72 deletions
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index b6b045131403..e666eb011a85 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c | |||
| @@ -20,55 +20,6 @@ | |||
| 20 | #include "public_key.h" | 20 | #include "public_key.h" |
| 21 | #include "pkcs7_parser.h" | 21 | #include "pkcs7_parser.h" |
| 22 | 22 | ||
| 23 | /* | ||
| 24 | * Request an asymmetric key. | ||
| 25 | */ | ||
| 26 | static struct key *pkcs7_request_asymmetric_key( | ||
| 27 | struct key *keyring, | ||
| 28 | const char *signer, size_t signer_len, | ||
| 29 | const char *authority, size_t auth_len) | ||
| 30 | { | ||
| 31 | key_ref_t key; | ||
| 32 | char *id; | ||
| 33 | |||
| 34 | kenter(",%zu,,%zu", signer_len, auth_len); | ||
| 35 | |||
| 36 | /* Construct an identifier. */ | ||
| 37 | id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL); | ||
| 38 | if (!id) | ||
| 39 | return ERR_PTR(-ENOMEM); | ||
| 40 | |||
| 41 | memcpy(id, signer, signer_len); | ||
| 42 | id[signer_len + 0] = ':'; | ||
| 43 | id[signer_len + 1] = ' '; | ||
| 44 | memcpy(id + signer_len + 2, authority, auth_len); | ||
| 45 | id[signer_len + 2 + auth_len] = 0; | ||
| 46 | |||
| 47 | pr_debug("Look up: \"%s\"\n", id); | ||
| 48 | |||
| 49 | key = keyring_search(make_key_ref(keyring, 1), | ||
| 50 | &key_type_asymmetric, id); | ||
| 51 | if (IS_ERR(key)) | ||
| 52 | pr_debug("Request for module key '%s' err %ld\n", | ||
| 53 | id, PTR_ERR(key)); | ||
| 54 | kfree(id); | ||
| 55 | |||
| 56 | if (IS_ERR(key)) { | ||
| 57 | switch (PTR_ERR(key)) { | ||
| 58 | /* Hide some search errors */ | ||
| 59 | case -EACCES: | ||
| 60 | case -ENOTDIR: | ||
| 61 | case -EAGAIN: | ||
| 62 | return ERR_PTR(-ENOKEY); | ||
| 63 | default: | ||
| 64 | return ERR_CAST(key); | ||
| 65 | } | ||
| 66 | } | ||
| 67 | |||
| 68 | pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key_ref_to_ptr(key))); | ||
| 69 | return key_ref_to_ptr(key); | ||
| 70 | } | ||
| 71 | |||
| 72 | /** | 23 | /** |
| 73 | * Check the trust on one PKCS#7 SignedInfo block. | 24 | * Check the trust on one PKCS#7 SignedInfo block. |
| 74 | */ | 25 | */ |
| @@ -98,10 +49,8 @@ int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, | |||
| 98 | /* Look to see if this certificate is present in the trusted | 49 | /* Look to see if this certificate is present in the trusted |
| 99 | * keys. | 50 | * keys. |
| 100 | */ | 51 | */ |
| 101 | key = pkcs7_request_asymmetric_key( | 52 | key = x509_request_asymmetric_key(trust_keyring, x509->subject, |
| 102 | trust_keyring, | 53 | x509->fingerprint); |
| 103 | x509->subject, strlen(x509->subject), | ||
| 104 | x509->fingerprint, strlen(x509->fingerprint)); | ||
| 105 | if (!IS_ERR(key)) | 54 | if (!IS_ERR(key)) |
| 106 | /* One of the X.509 certificates in the PKCS#7 message | 55 | /* One of the X.509 certificates in the PKCS#7 message |
| 107 | * is apparently the same as one we already trust. | 56 | * is apparently the same as one we already trust. |
| @@ -133,10 +82,8 @@ int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, | |||
| 133 | return -ENOKEY; | 82 | return -ENOKEY; |
| 134 | } | 83 | } |
| 135 | 84 | ||
| 136 | key = pkcs7_request_asymmetric_key( | 85 | key = x509_request_asymmetric_key(trust_keyring, last->issuer, |
| 137 | trust_keyring, | 86 | last->authority); |
| 138 | last->issuer, strlen(last->issuer), | ||
| 139 | last->authority, strlen(last->authority)); | ||
| 140 | if (IS_ERR(key)) | 87 | if (IS_ERR(key)) |
| 141 | return PTR_ERR(key) == -ENOMEM ? -ENOMEM : -ENOKEY; | 88 | return PTR_ERR(key) == -ENOMEM ? -ENOMEM : -ENOKEY; |
| 142 | x509 = last; | 89 | x509 = last; |
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 4ae982234d78..da1e5fc85346 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c | |||
| @@ -43,35 +43,41 @@ static int __init ca_keys_setup(char *str) | |||
| 43 | __setup("ca_keys=", ca_keys_setup); | 43 | __setup("ca_keys=", ca_keys_setup); |
| 44 | #endif | 44 | #endif |
| 45 | 45 | ||
| 46 | /* | 46 | /** |
| 47 | * Find a key in the given keyring by issuer and authority. | 47 | * x509_request_asymmetric_key - Request a key by X.509 certificate params. |
| 48 | * @keyring: The keys to search. | ||
| 49 | * @subject: The name of the subject to whom the key belongs. | ||
| 50 | * @key_id: The subject key ID as a hex string. | ||
| 51 | * | ||
| 52 | * Find a key in the given keyring by subject name and key ID. These might, | ||
| 53 | * for instance, be the issuer name and the authority key ID of an X.509 | ||
| 54 | * certificate that needs to be verified. | ||
| 48 | */ | 55 | */ |
| 49 | static struct key *x509_request_asymmetric_key(struct key *keyring, | 56 | struct key *x509_request_asymmetric_key(struct key *keyring, |
| 50 | const char *signer, | 57 | const char *subject, |
| 51 | const char *authority) | 58 | const char *key_id) |
| 52 | { | 59 | { |
| 53 | key_ref_t key; | 60 | key_ref_t key; |
| 54 | size_t signer_len = strlen(signer), auth_len = strlen(authority); | 61 | size_t subject_len = strlen(subject), key_id_len = strlen(key_id); |
| 55 | char *id; | 62 | char *id; |
| 56 | 63 | ||
| 57 | /* Construct an identifier. */ | 64 | /* Construct an identifier "<subjname>:<keyid>". */ |
| 58 | id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL); | 65 | id = kmalloc(subject_len + 2 + key_id_len + 1, GFP_KERNEL); |
| 59 | if (!id) | 66 | if (!id) |
| 60 | return ERR_PTR(-ENOMEM); | 67 | return ERR_PTR(-ENOMEM); |
| 61 | 68 | ||
| 62 | memcpy(id, signer, signer_len); | 69 | memcpy(id, subject, subject_len); |
| 63 | id[signer_len + 0] = ':'; | 70 | id[subject_len + 0] = ':'; |
| 64 | id[signer_len + 1] = ' '; | 71 | id[subject_len + 1] = ' '; |
| 65 | memcpy(id + signer_len + 2, authority, auth_len); | 72 | memcpy(id + subject_len + 2, key_id, key_id_len); |
| 66 | id[signer_len + 2 + auth_len] = 0; | 73 | id[subject_len + 2 + key_id_len] = 0; |
| 67 | 74 | ||
| 68 | pr_debug("Look up: \"%s\"\n", id); | 75 | pr_debug("Look up: \"%s\"\n", id); |
| 69 | 76 | ||
| 70 | key = keyring_search(make_key_ref(keyring, 1), | 77 | key = keyring_search(make_key_ref(keyring, 1), |
| 71 | &key_type_asymmetric, id); | 78 | &key_type_asymmetric, id); |
| 72 | if (IS_ERR(key)) | 79 | if (IS_ERR(key)) |
| 73 | pr_debug("Request for module key '%s' err %ld\n", | 80 | pr_debug("Request for key '%s' err %ld\n", id, PTR_ERR(key)); |
| 74 | id, PTR_ERR(key)); | ||
| 75 | kfree(id); | 81 | kfree(id); |
| 76 | 82 | ||
| 77 | if (IS_ERR(key)) { | 83 | if (IS_ERR(key)) { |