aboutsummaryrefslogtreecommitdiffstats
path: root/include/keys
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2014-09-16 12:36:11 -0400
committerDavid Howells <dhowells@redhat.com>2014-09-16 12:36:11 -0400
commit7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 (patch)
treed11b8945fe52a9973fa56d9d7aa99a5496a9115f /include/keys
parentf93b3cc7b1e6f16aedd745a8edba64355383184c (diff)
KEYS: Implement binary asymmetric key ID handling
Implement the first step in using binary key IDs for asymmetric keys rather than hex string keys. The previously added match data preparsing will be able to convert hex criterion strings into binary which can then be compared more rapidly. Further, we actually want more then one ID string per public key. The problem is that X.509 certs refer to other X.509 certs by matching Issuer + AuthKeyId to Subject + SubjKeyId, but PKCS#7 messages match against X.509 Issuer + SerialNumber. This patch just provides facilities for a later patch to make use of. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Vivek Goyal <vgoyal@redhat.com>
Diffstat (limited to 'include/keys')
-rw-r--r--include/keys/asymmetric-type.h38
1 files changed, 38 insertions, 0 deletions
diff --git a/include/keys/asymmetric-type.h b/include/keys/asymmetric-type.h
index 7dd473496180..044ab0d3aa45 100644
--- a/include/keys/asymmetric-type.h
+++ b/include/keys/asymmetric-type.h
@@ -19,6 +19,44 @@
19extern struct key_type key_type_asymmetric; 19extern struct key_type key_type_asymmetric;
20 20
21/* 21/*
22 * Identifiers for an asymmetric key ID. We have three ways of looking up a
23 * key derived from an X.509 certificate:
24 *
25 * (1) Serial Number & Issuer. Non-optional. This is the only valid way to
26 * map a PKCS#7 signature to an X.509 certificate.
27 *
28 * (2) Issuer & Subject Unique IDs. Optional. These were the original way to
29 * match X.509 certificates, but have fallen into disuse in favour of (3).
30 *
31 * (3) Auth & Subject Key Identifiers. Optional. SKIDs are only provided on
32 * CA keys that are intended to sign other keys, so don't appear in end
33 * user certificates unless forced.
34 *
35 * We could also support an PGP key identifier, which is just a SHA1 sum of the
36 * public key and certain parameters, but since we don't support PGP keys at
37 * the moment, we shall ignore those.
38 *
39 * What we actually do is provide a place where binary identifiers can be
40 * stashed and then compare against them when checking for an id match.
41 */
42struct asymmetric_key_id {
43 unsigned short len;
44 unsigned char data[];
45};
46
47struct asymmetric_key_ids {
48 void *id[2];
49};
50
51extern bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1,
52 const struct asymmetric_key_id *kid2);
53
54extern struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1,
55 size_t len_1,
56 const void *val_2,
57 size_t len_2);
58
59/*
22 * The payload is at the discretion of the subtype. 60 * The payload is at the discretion of the subtype.
23 */ 61 */
24 62