3 files changed, 117 insertions, 0 deletions
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index a7cec9dd6154..b6df198d1b6f 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -46,4 +46,17 @@ config PKCS7_MESSAGE_PARSER
          This option provides support for parsing PKCS#7 format messages for
          signature data and provides the ability to verify the signature.
+config PKCS7_TEST_KEY
+        tristate "PKCS#7 testing key type"
+        depends on PKCS7_MESSAGE_PARSER
+        select SYSTEM_TRUSTED_KEYRING
+        help
+          This option provides a type of key that can be loaded up from a
+          PKCS#7 message - provided the message is signed by a trusted key.  If
+          it is, the PKCS#7 wrapper is discarded and reading the key returns
+          just the payload.  If it isn't, adding the key will fail with an
+          error.
+          This is intended for testing the PKCS#7 parser.
 endif # ASYMMETRIC_KEY_TYPE
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index d63cb4320b96..92d0e9af24d5 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -40,3 +40,10 @@ $(obj)/pkcs7_parser.o: $(obj)/pkcs7-asn1.h
 $(obj)/pkcs7-asn1.o: $(obj)/pkcs7-asn1.c $(obj)/pkcs7-asn1.h
 clean-files     += pkcs7-asn1.c pkcs7-asn1.h
+#
+# PKCS#7 parser testing key
+#
+obj-$(CONFIG_PKCS7_TEST_KEY) += pkcs7_test_key.o
+pkcs7_test_key-y := \
+        pkcs7_key_type.o
diff --git a/crypto/asymmetric_keys/pkcs7_key_type.c b/crypto/asymmetric_keys/pkcs7_key_type.c
new file mode 100644
index 000000000000..b1797d2516e2
--- /dev/null
+++ b/crypto/asymmetric_keys/pkcs7_key_type.c
@@ -0,0 +1,97 @@
+/* Testing module to load key from trusted PKCS#7 message
+ *
+ * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+#define pr_fmt(fmt) "PKCS7key: "fmt
+#include <linux/key.h>
+#include <linux/key-type.h>
+#include <crypto/pkcs7.h>
+#include <keys/user-type.h>
+#include <keys/system_keyring.h>
+#include "pkcs7_parser.h"
+/*
+ * Instantiate a PKCS#7 wrapped and validated key.
+ */
+int pkcs7_instantiate(struct key *key, struct key_preparsed_payload *prep)
+{
+        struct pkcs7_message *pkcs7;
+        const void *data, *saved_prep_data;
+        size_t datalen, saved_prep_datalen;
+        bool trusted;
+        int ret;
+        kenter("");
+        saved_prep_data = prep->data;
+        saved_prep_datalen = prep->datalen;
+        pkcs7 = pkcs7_parse_message(saved_prep_data, saved_prep_datalen);
+        if (IS_ERR(pkcs7)) {
+                ret = PTR_ERR(pkcs7);
+                goto error;
+        }
+        ret = pkcs7_verify(pkcs7);
+        if (ret < 0)
+                goto error_free;
+        ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
+        if (ret < 0)
+                goto error_free;
+        if (!trusted)
+                pr_warn("PKCS#7 message doesn't chain back to a trusted key\n");
+        ret = pkcs7_get_content_data(pkcs7, &data, &datalen, false);
+        if (ret < 0)
+                goto error_free;
+        prep->data = data;
+        prep->datalen = datalen;
+        ret = user_instantiate(key, prep);
+        prep->data = saved_prep_data;
+        prep->datalen = saved_prep_datalen;
+error_free:
+        pkcs7_free_message(pkcs7);
+error:
+        kleave(" = %d", ret);
+        return ret;
+}
+/*
+ * user defined keys take an arbitrary string as the description and an
+ * arbitrary blob of data as the payload
+ */
+struct key_type key_type_pkcs7 = {
+        .name                   = "pkcs7_test",
+        .def_lookup_type        = KEYRING_SEARCH_LOOKUP_DIRECT,
+        .instantiate            = pkcs7_instantiate,
+        .match                  = user_match,
+        .revoke                 = user_revoke,
+        .destroy                = user_destroy,
+        .describe               = user_describe,
+        .read                   = user_read,
+};
+/*
+ * Module stuff
+ */
+static int __init pkcs7_key_init(void)
+{
+        return register_key_type(&key_type_pkcs7);
+}
+static void __exit pkcs7_key_cleanup(void)
+{
+        unregister_key_type(&key_type_pkcs7);
+}
+module_init(pkcs7_key_init);
+module_exit(pkcs7_key_cleanup);

diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig index a7cec9dd6154..b6df198d1b6f 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig
@@ -46,4 +46,17 @@ config PKCS7_MESSAGE_PARSER
46	This option provides support for parsing PKCS#7 format messages for	46	This option provides support for parsing PKCS#7 format messages for
47	signature data and provides the ability to verify the signature.	47	signature data and provides the ability to verify the signature.
48		48
		49	config PKCS7_TEST_KEY
		50	tristate "PKCS#7 testing key type"
		51	depends on PKCS7_MESSAGE_PARSER
		52	select SYSTEM_TRUSTED_KEYRING
		53	help
		54	This option provides a type of key that can be loaded up from a
		55	PKCS#7 message - provided the message is signed by a trusted key. If
		56	it is, the PKCS#7 wrapper is discarded and reading the key returns
		57	just the payload. If it isn't, adding the key will fail with an
		58	error.
		59
		60	This is intended for testing the PKCS#7 parser.
		61
49	endif # ASYMMETRIC_KEY_TYPE	62	endif # ASYMMETRIC_KEY_TYPE


diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile index d63cb4320b96..92d0e9af24d5 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile
@@ -40,3 +40,10 @@ $(obj)/pkcs7_parser.o: $(obj)/pkcs7-asn1.h
40	$(obj)/pkcs7-asn1.o: $(obj)/pkcs7-asn1.c $(obj)/pkcs7-asn1.h	40	$(obj)/pkcs7-asn1.o: $(obj)/pkcs7-asn1.c $(obj)/pkcs7-asn1.h
41		41
42	clean-files += pkcs7-asn1.c pkcs7-asn1.h	42	clean-files += pkcs7-asn1.c pkcs7-asn1.h
		43
		44	#
		45	# PKCS#7 parser testing key
		46	#
		47	obj-$(CONFIG_PKCS7_TEST_KEY) += pkcs7_test_key.o
		48	pkcs7_test_key-y := \
		49	pkcs7_key_type.o


diff --git a/crypto/asymmetric_keys/pkcs7_key_type.c b/crypto/asymmetric_keys/pkcs7_key_type.c new file mode 100644 index 000000000000..b1797d2516e2 --- /dev/null +++ b/crypto/asymmetric_keys/pkcs7_key_type.c
@@ -0,0 +1,97 @@
		1	/* Testing module to load key from trusted PKCS#7 message
		2	*
		3	* Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
		4	* Written by David Howells (dhowells@redhat.com)
		5	*
		6	* This program is free software; you can redistribute it and/or
		7	* modify it under the terms of the GNU General Public Licence
		8	* as published by the Free Software Foundation; either version
		9	* 2 of the Licence, or (at your option) any later version.
		10	*/
		11
		12	#define pr_fmt(fmt) "PKCS7key: "fmt
		13	#include <linux/key.h>
		14	#include <linux/key-type.h>
		15	#include <crypto/pkcs7.h>
		16	#include <keys/user-type.h>
		17	#include <keys/system_keyring.h>
		18	#include "pkcs7_parser.h"
		19
		20	/*
		21	* Instantiate a PKCS#7 wrapped and validated key.
		22	*/
		23	int pkcs7_instantiate(struct key key, struct key_preparsed_payload prep)
		24	{
		25	struct pkcs7_message *pkcs7;
		26	const void data, saved_prep_data;
		27	size_t datalen, saved_prep_datalen;
		28	bool trusted;
		29	int ret;
		30
		31	kenter("");
		32
		33	saved_prep_data = prep->data;
		34	saved_prep_datalen = prep->datalen;
		35	pkcs7 = pkcs7_parse_message(saved_prep_data, saved_prep_datalen);
		36	if (IS_ERR(pkcs7)) {
		37	ret = PTR_ERR(pkcs7);
		38	goto error;
		39	}
		40
		41	ret = pkcs7_verify(pkcs7);
		42	if (ret < 0)
		43	goto error_free;
		44
		45	ret = pkcs7_validate_trust(pkcs7, system_trusted_keyring, &trusted);
		46	if (ret < 0)
		47	goto error_free;
		48	if (!trusted)
		49	pr_warn("PKCS#7 message doesn't chain back to a trusted key\n");
		50
		51	ret = pkcs7_get_content_data(pkcs7, &data, &datalen, false);
		52	if (ret < 0)
		53	goto error_free;
		54
		55	prep->data = data;
		56	prep->datalen = datalen;
		57	ret = user_instantiate(key, prep);
		58	prep->data = saved_prep_data;
		59	prep->datalen = saved_prep_datalen;
		60
		61	error_free:
		62	pkcs7_free_message(pkcs7);
		63	error:
		64	kleave(" = %d", ret);
		65	return ret;
		66	}
		67
		68	/*
		69	* user defined keys take an arbitrary string as the description and an
		70	* arbitrary blob of data as the payload
		71	*/
		72	struct key_type key_type_pkcs7 = {
		73	.name = "pkcs7_test",
		74	.def_lookup_type = KEYRING_SEARCH_LOOKUP_DIRECT,
		75	.instantiate = pkcs7_instantiate,
		76	.match = user_match,
		77	.revoke = user_revoke,
		78	.destroy = user_destroy,
		79	.describe = user_describe,
		80	.read = user_read,
		81	};
		82
		83	/*
		84	* Module stuff
		85	*/
		86	static int __init pkcs7_key_init(void)
		87	{
		88	return register_key_type(&key_type_pkcs7);
		89	}
		90
		91	static void __exit pkcs7_key_cleanup(void)
		92	{
		93	unregister_key_type(&key_type_pkcs7);
		94	}
		95
		96	module_init(pkcs7_key_init);
		97	module_exit(pkcs7_key_cleanup);