06 Oct, 2014

1 commit

• f1b731dbc   KEYS: Restore partial ID matching functionality for asymmetric keys ... Browse Code »

  Bring back the functionality whereby an asymmetric key can be matched with a
  partial match on one of its IDs.

  Whilst we're at it, allow for the possibility of having an increased number of
  IDs.

  Reported-by: Dmitry Kasatkin
  Signed-off-by: Dmitry Kasatkin
  Signed-off-by: David Howells

  Dmitry Kasatkin

  2014-10-06 22:21:05 +0800  

17 Sep, 2014

4 commits

• 757932e6d   PKCS#7: Handle PKCS#7 messages that contain no X.509 certs ... Browse Code »

  The X.509 certificate list in a PKCS#7 message is optional. To save space, we
  can omit the inclusion of any X.509 certificates if we are sure that we can
  look the relevant public key up by the serial number and issuer given in a
  signed info block.

  This also supports use of a signed info block for which we can't find a
  matching X.509 cert in the certificate list, though it be populated.

  Signed-off-by: David Howells
  Acked-by: Vivek Goyal

  David Howells

  2014-09-17 00:36:17 +0800  
• 415594200   PKCS#7: Better handling of unsupported crypto ... Browse Code »

  Provide better handling of unsupported crypto when verifying a PKCS#7 message.
  If we can't bridge the gap between a pair of X.509 certs or between a signed
  info block and an X.509 cert because it involves some crypto we don't support,
  that's not necessarily the end of the world as there may be other ways points
  at which we can intersect with a ring of trusted keys.

  Instead, only produce ENOPKG immediately if all the signed info blocks in a
  PKCS#7 message require unsupported crypto to bridge to the first X.509 cert.
  Otherwise, we defer the generation of ENOPKG until we get ENOKEY during trust
  validation.

  Signed-off-by: David Howells
  Acked-by: Vivek Goyal

  David Howells

  2014-09-17 00:36:15 +0800  
• 46963b774   KEYS: Overhaul key identification when searching for asymmetric keys ... Browse Code »

  13

  Make use of the new match string preparsing to overhaul key identification
  when searching for asymmetric keys. The following changes are made:

  (1) Use the previously created asymmetric_key_id struct to hold the following
  key IDs derived from the X.509 certificate or PKCS#7 message:

  id: serial number + issuer
  skid: subjKeyId + subject
  authority: authKeyId + issuer

  (2) Replace the hex fingerprint attached to key->type_data[1] with an
  asymmetric_key_ids struct containing the id and the skid (if present).

  (3) Make the asymmetric_type match data preparse select one of two searches:

  (a) An iterative search for the key ID given if prefixed with "id:". The
  prefix is expected to be followed by a hex string giving the ID to
  search for. The criterion key ID is checked against all key IDs
  recorded on the key.

  (b) A direct search if the key ID is not prefixed with "id:". This will
  look for an exact match on the key description.

  (4) Make x509_request_asymmetric_key() take a key ID. This is then converted
  into "id:" and passed into keyring_search() where match preparsing
  will turn it back into a binary ID.

  (5) X.509 certificate verification then takes the authority key ID and looks
  up a key that matches it to find the public key for the certificate
  signature.

  (6) PKCS#7 certificate verification then takes the id key ID and looks up a
  key that matches it to find the public key for the signed information
  block signature.

  Additional changes:

  (1) Multiple subjKeyId and authKeyId values on an X.509 certificate cause the
  cert to be rejected with -EBADMSG.

  (2) The 'fingerprint' ID is gone. This was primarily intended to convey PGP
  public key fingerprints. If PGP is supported in future, this should
  generate a key ID that carries the fingerprint.

  (3) Th ca_keyid= kernel command line option is now converted to a key ID and
  used to match the authority key ID. Possibly this should only match the
  actual authKeyId part and not the issuer as well.

  Signed-off-by: David Howells
  Acked-by: Vivek Goyal

  David Howells

  2014-09-17 00:36:13 +0800  
• 15155b9a4   PKCS#7: Add a missing static ... Browse Code »

  Add a missing static (found by checker).

  Signed-off-by: David Howells
  Acked-by: Vivek Goyal

  David Howells

  2014-09-17 00:07:07 +0800  

29 Jul, 2014

1 commit

• 5ce43ad28   PKCS#7: Use x509_request_asymmetric_key() ... Browse Code »

  pkcs7_request_asymmetric_key() and x509_request_asymmetric_key() do the same
  thing, the latter being a copy of the former created by the IMA folks, so drop
  the PKCS#7 version as the X.509 location is more general.

  Whilst we're at it, rename the arguments of x509_request_asymmetric_key() to
  better reflect what the values being passed in are intended to match on an
  X.509 cert.

  Signed-off-by: David Howells
  Acked-by: Mimi Zohar

  David Howells

  2014-07-29 20:07:58 +0800  

08 Jul, 2014

1 commit

• 08815b62d   PKCS#7: Find intersection between PKCS#7 message and known, trusted keys ... Browse Code »

  Find the intersection between the X.509 certificate chain contained in a PKCS#7
  message and a set of keys that we already know and trust.

  Signed-off-by: David Howells
  Acked-by: Vivek Goyal
  Reviewed-by: Kees Cook

  David Howells

  2014-07-08 20:50:15 +0800