3 files changed, 25 insertions, 0 deletions
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 8b2ab548b6e4..bdb193afe176 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -566,6 +566,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
                        possible to determine what the correct size should be.
                        This option provides an override for these situations.
+        ca_keys=        [KEYS] This parameter identifies a specific key(s) on
+                        the system trusted keyring to be used for certificate
+                        trust validation.
+                        format: id:<keyid>
        ccw_timeout_log [S390]
                        See Documentation/s390/CommonIO for details.
diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c
index 1fd1d304a15a..c948df5c4ecd 100644
--- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -49,6 +49,7 @@ int asymmetric_keyid_match(const char *kid, const char *id)
        return 1;
 }
+EXPORT_SYMBOL_GPL(asymmetric_keyid_match);
 /*
 * Match asymmetric keys on (part of) their name
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 436fbd8552fc..d376195e1d08 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -24,6 +24,22 @@
 #include "public_key.h"
 #include "x509_parser.h"
+static char *ca_keyid;
+#ifndef MODULE
+static int __init ca_keys_setup(char *str)
+{
+        if (!str)               /* default system keyring */
+                return 1;
+        if (strncmp(str, "id:", 3) == 0)
+                ca_keyid = str; /* owner key 'id:xxxxxx' */
+        return 1;
+}
+__setup("ca_keys=", ca_keys_setup);
+#endif
 /*
 * Find a key in the given keyring by issuer and authority.
 */
@@ -171,6 +187,9 @@ static int x509_validate_trust(struct x509_certificate *cert,
        if (!trust_keyring)
                return -EOPNOTSUPP;
+        if (ca_keyid && !asymmetric_keyid_match(cert->authority, ca_keyid))
+                return -EPERM;
        key = x509_request_asymmetric_key(trust_keyring,
                                          cert->issuer, strlen(cert->issuer),
                                          cert->authority,

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index 8b2ab548b6e4..bdb193afe176 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt
@@ -566,6 +566,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
566	possible to determine what the correct size should be.	566	possible to determine what the correct size should be.
567	This option provides an override for these situations.	567	This option provides an override for these situations.
568		568
		569	ca_keys= [KEYS] This parameter identifies a specific key(s) on
		570	the system trusted keyring to be used for certificate
		571	trust validation.
		572	format: id:<keyid>
		573
569	ccw_timeout_log [S390]	574	ccw_timeout_log [S390]
570	See Documentation/s390/CommonIO for details.	575	See Documentation/s390/CommonIO for details.
571		576


diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c index 1fd1d304a15a..c948df5c4ecd 100644 --- a/crypto/asymmetric_keys/asymmetric_type.c +++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -49,6 +49,7 @@ int asymmetric_keyid_match(const char kid, const char id)
49		49
50	return 1;	50	return 1;
51	}	51	}
		52	EXPORT_SYMBOL_GPL(asymmetric_keyid_match);
52		53
53	/*	54	/*
54	* Match asymmetric keys on (part of) their name	55	* Match asymmetric keys on (part of) their name


diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 436fbd8552fc..d376195e1d08 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -24,6 +24,22 @@
24	#include "public_key.h"	24	#include "public_key.h"
25	#include "x509_parser.h"	25	#include "x509_parser.h"
26		26
		27	static char *ca_keyid;
		28
		29	#ifndef MODULE
		30	static int __init ca_keys_setup(char *str)
		31	{
		32	if (!str) /* default system keyring */
		33	return 1;
		34
		35	if (strncmp(str, "id:", 3) == 0)
		36	ca_keyid = str; /* owner key 'id:xxxxxx' */
		37
		38	return 1;
		39	}
		40	__setup("ca_keys=", ca_keys_setup);
		41	#endif
		42
27	/*	43	/*
28	* Find a key in the given keyring by issuer and authority.	44	* Find a key in the given keyring by issuer and authority.
29	*/	45	*/
@@ -171,6 +187,9 @@ static int x509_validate_trust(struct x509_certificate *cert,
171	if (!trust_keyring)	187	if (!trust_keyring)
172	return -EOPNOTSUPP;	188	return -EOPNOTSUPP;
173		189
		190	if (ca_keyid && !asymmetric_keyid_match(cert->authority, ca_keyid))
		191	return -EPERM;
		192
174	key = x509_request_asymmetric_key(trust_keyring,	193	key = x509_request_asymmetric_key(trust_keyring,
175	cert->issuer, strlen(cert->issuer),	194	cert->issuer, strlen(cert->issuer),
176	cert->authority,	195	cert->authority,