KEYS: validate certificate trust only with selected key

Instead of allowing public keys, with certificates signed by any
key on the system trusted keyring, to be added to a trusted keyring,
this patch further restricts the certificates to those signed by a
particular key on the system keyring.

This patch defines a new kernel parameter 'ca_keys' to identify the
specific key which must be used for trust validation of certificates.

Simplified Mimi's "KEYS: define an owner trusted keyring" patch.

Changelog:
- support for builtin x509 public keys only
- export "asymmetric_keyid_match"
- remove ifndefs MODULE
- rename kernel boot parameter from keys_ownerid to ca_keys

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Dmitry Kasatkin 2014-06-17 11:56:58 +03:00 committed by Mimi Zohar
parent b3426827c8
commit ffb70f61ba
3 changed files with 25 additions and 0 deletions

@ -566,6 +566,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
possible to determine what the correct size should be. possible to determine what the correct size should be.
This option provides an override for these situations. This option provides an override for these situations.
ca_keys= [KEYS] This parameter identifies a specific key(s) on
the system trusted keyring to be used for certificate
trust validation.
format: id:<keyid>
ccw_timeout_log [S390] ccw_timeout_log [S390]
See Documentation/s390/CommonIO for details. See Documentation/s390/CommonIO for details.
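Review bot: the ca_keys= entry says "a specific key(s)" while the only format given is a single id:<keyid>, so a reader cannot tell whether more than one key may be named. State whether one or several identifiers are accepted, whether <keyid> must be the full identifier or may be part of it, and what the behaviour is when the parameter is omitted or the value does not begin with id:, since this option narrows which key on the system trusted keyring may vouch for a certificate.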

@ -49,6 +49,7 @@ int asymmetric_keyid_match(const char *kid, const char *id)
return 1; return 1;
} }
EXPORT_SYMBOL_GPL(asymmetric_keyid_match);
/* /*
* Match asymmetric keys on (part of) their name * Match asymmetric keys on (part of) their name
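Review bot: asymmetric_keyid_match() becomes an exported GPL symbol here, but nothing in the visible lines documents its contract. Add a kernel-doc comment above the function stating the return convention (the visible tail returns 1), whether kid or id may be NULL, and whether the comparison is exact or partial, because the new caller in x509_validate_trust() turns a zero return into -EPERM.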

@ -24,6 +24,22 @@
#include "public_key.h" #include "public_key.h"
#include "x509_parser.h" #include "x509_parser.h"
static char *ca_keyid;
#ifndef MODULE
static int __init ca_keys_setup(char *str)
{
if (!str) /* default system keyring */
return 1;
if (strncmp(str, "id:", 3) == 0)
ca_keyid = str; /* owner key 'id:xxxxxx' */
return 1;
}
__setup("ca_keys=", ca_keys_setup);
#endif
/* /*
* Find a key in the given keyring by issuer and authority. * Find a key in the given keyring by issuer and authority.
*/ */
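Review bot: in ca_keys_setup(), a value that does not start with "id:" is accepted silently and leaves ca_keyid NULL, so a mistyped ca_keys= boots with the restriction off and nothing in the log to show it. Emit a warning for an unrecognised value, and reject a bare "id:" with no identifier after it. The changelog says the MODULE ifndefs were removed, yet the handler is still wrapped in #ifndef MODULE; in a modular build ca_keyid can never be set, which should be either resolved or documented.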
@ -171,6 +187,9 @@ static int x509_validate_trust(struct x509_certificate *cert,
if (!trust_keyring) if (!trust_keyring)
return -EOPNOTSUPP; return -EOPNOTSUPP;
if (ca_keyid && !asymmetric_keyid_match(cert->authority, ca_keyid))
return -EPERM;
key = x509_request_asymmetric_key(trust_keyring, key = x509_request_asymmetric_key(trust_keyring,
cert->issuer, strlen(cert->issuer), cert->issuer, strlen(cert->issuer),
cert->authority, cert->authority,
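Review bot: the new check in x509_validate_trust() hands cert->authority to asymmetric_keyid_match() without testing it, and ca_keyid still carries its "id:" prefix as stored by ca_keys_setup(). Confirm that the matcher tolerates a NULL authority (a certificate with no authority key identifier) and strips the prefix before comparing; if either assumption fails, the result is a NULL dereference or a blanket -EPERM once ca_keys= is set. A short comment noting that this is an identifier comparison ahead of the x509_request_asymmetric_key() lookup would also help the next reader.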