diff options
| author | David Howells | 2014-09-16 18:38:07 +0200 |
|---|---|---|
| committer | David Howells | 2014-09-16 18:38:07 +0200 |
| commit | d3e4f41973753a7768a5728be53c7d9a3fdf86cb (patch) | |
| tree | ad9bf9a2fa35fa4dbb1a4402f1c3d6b092fc7f28 /include | |
| parent | Merge tag 'keys-next-fixes-20140916' into keys-next (diff) | |
| parent | PKCS#7: Handle PKCS#7 messages that contain no X.509 certs (diff) | |
| download | kernel-qcow2-linux-d3e4f41973753a7768a5728be53c7d9a3fdf86cb.tar.gz kernel-qcow2-linux-d3e4f41973753a7768a5728be53c7d9a3fdf86cb.tar.xz kernel-qcow2-linux-d3e4f41973753a7768a5728be53c7d9a3fdf86cb.zip | |
Merge tag 'keys-pkcs7-20140916' into keys-next
Changes for next to improve the matching of asymmetric keys and to improve the
handling of PKCS#7 certificates:
(1) Provide a method to preparse the data supplied for matching a key. This
permits they key type to extract out the bits it needs for matching once
only.
Further, the type of search (direct lookup or iterative) can be set and
the function used to actually check the match can be set by preparse
rather than being hard coded for the type.
(2) Improves asymmetric keys identification.
Keys derived from X.509 certs now get labelled with IDs derived from their
issuer and certificate number (required to match PKCS#7) and from their
SKID and subject (required to match X.509).
IDs are now binary and match criterion preparsing is provided so that
criteria can be turned into binary blobs to make matching faster.
(3) Improves PKCS#7 message handling to permit PKCS#7 messages without X.509
cert lists to be matched to trusted keys, thereby allowing minimally sized
PKCS#7 certs to be used.
(4) Improves PKCS#7 message handling to better handle certificate chains that
are broken due to unsupported crypto that can otherwise by used to
intersect a trust keyring.
These must go on top of the PKCS#7 parser cleanup fixes.
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'include')
| -rw-r--r-- | include/crypto/public_key.h | 5 | ||||
| -rw-r--r-- | include/keys/asymmetric-type.h | 38 | ||||
| -rw-r--r-- | include/keys/user-type.h | 1 | ||||
| -rw-r--r-- | include/linux/kernel.h | 1 | ||||
| -rw-r--r-- | include/linux/key-type.h | 34 |
5 files changed, 69 insertions, 10 deletions
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 0d164c6af539..fa73a6fd536c 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -15,6 +15,7 @@ #define _LINUX_PUBLIC_KEY_H #include <linux/mpi.h> +#include <keys/asymmetric-type.h> #include <crypto/hash_info.h> enum pkey_algo { @@ -98,8 +99,8 @@ struct key; extern int verify_signature(const struct key *key, const struct public_key_signature *sig); +struct asymmetric_key_id; extern struct key *x509_request_asymmetric_key(struct key *keyring, - const char *issuer, - const char *key_id); + const struct asymmetric_key_id *kid); #endif /* _LINUX_PUBLIC_KEY_H */ diff --git a/include/keys/asymmetric-type.h b/include/keys/asymmetric-type.h index 7dd473496180..044ab0d3aa45 100644 --- a/include/keys/asymmetric-type.h +++ b/include/keys/asymmetric-type.h @@ -19,6 +19,44 @@ extern struct key_type key_type_asymmetric; /* + * Identifiers for an asymmetric key ID. We have three ways of looking up a + * key derived from an X.509 certificate: + * + * (1) Serial Number & Issuer. Non-optional. This is the only valid way to + * map a PKCS#7 signature to an X.509 certificate. + * + * (2) Issuer & Subject Unique IDs. Optional. These were the original way to + * match X.509 certificates, but have fallen into disuse in favour of (3). + * + * (3) Auth & Subject Key Identifiers. Optional. SKIDs are only provided on + * CA keys that are intended to sign other keys, so don't appear in end + * user certificates unless forced. + * + * We could also support an PGP key identifier, which is just a SHA1 sum of the + * public key and certain parameters, but since we don't support PGP keys at + * the moment, we shall ignore those. + * + * What we actually do is provide a place where binary identifiers can be + * stashed and then compare against them when checking for an id match. + */ +struct asymmetric_key_id { + unsigned short len; + unsigned char data[]; +}; + +struct asymmetric_key_ids { + void *id[2]; +}; + +extern bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1, + const struct asymmetric_key_id *kid2); + +extern struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1, + size_t len_1, + const void *val_2, + size_t len_2); + +/* * The payload is at the discretion of the subtype. */ diff --git a/include/keys/user-type.h b/include/keys/user-type.h index 3ab1873a4bfa..cebefb069c44 100644 --- a/include/keys/user-type.h +++ b/include/keys/user-type.h @@ -40,7 +40,6 @@ struct key_preparsed_payload; extern int user_preparse(struct key_preparsed_payload *prep); extern void user_free_preparse(struct key_preparsed_payload *prep); extern int user_update(struct key *key, struct key_preparsed_payload *prep); -extern int user_match(const struct key *key, const void *criterion); extern void user_revoke(struct key *key); extern void user_destroy(struct key *key); extern void user_describe(const struct key *user, struct seq_file *m); diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 4c52907a6d8b..89a0b8e5a952 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -500,6 +500,7 @@ static inline char * __deprecated pack_hex_byte(char *buf, u8 byte) extern int hex_to_bin(char ch); extern int __must_check hex2bin(u8 *dst, const char *src, size_t count); +extern char *bin2hex(char *dst, const void *src, size_t count); int mac_pton(const char *s, u8 *mac); diff --git a/include/linux/key-type.h b/include/linux/key-type.h index 44792ee649de..ff9f1d394235 100644 --- a/include/linux/key-type.h +++ b/include/linux/key-type.h @@ -53,6 +53,24 @@ typedef int (*request_key_actor_t)(struct key_construction *key, const char *op, void *aux); /* + * Preparsed matching criterion. + */ +struct key_match_data { + /* Comparison function, defaults to exact description match, but can be + * overridden by type->match_preparse(). Should return true if a match + * is found and false if not. + */ + bool (*cmp)(const struct key *key, + const struct key_match_data *match_data); + + const void *raw_data; /* Raw match data */ + void *preparsed; /* For ->match_preparse() to stash stuff */ + unsigned lookup_type; /* Type of lookup for this search. */ +#define KEYRING_SEARCH_LOOKUP_DIRECT 0x0000 /* Direct lookup by description. */ +#define KEYRING_SEARCH_LOOKUP_ITERATE 0x0001 /* Iterative search. */ +}; + +/* * kernel managed key type definition */ struct key_type { @@ -65,11 +83,6 @@ struct key_type { */ size_t def_datalen; - /* Default key search algorithm. */ - unsigned def_lookup_type; -#define KEYRING_SEARCH_LOOKUP_DIRECT 0x0000 /* Direct lookup by description. */ -#define KEYRING_SEARCH_LOOKUP_ITERATE 0x0001 /* Iterative search. */ - /* vet a description */ int (*vet_description)(const char *description); @@ -96,8 +109,15 @@ struct key_type { */ int (*update)(struct key *key, struct key_preparsed_payload *prep); - /* match a key against a description */ - int (*match)(const struct key *key, const void *desc); + /* Preparse the data supplied to ->match() (optional). The + * data to be preparsed can be found in match_data->raw_data. + * The lookup type can also be set by this function. + */ + int (*match_preparse)(struct key_match_data *match_data); + + /* Free preparsed match data (optional). This should be supplied it + * ->match_preparse() is supplied. */ + void (*match_free)(struct key_match_data *match_data); /* clear some of the data from a key on revokation (optional) * - the key's semaphore will be write-locked by the caller |