David Howells authored
Restrict the verification of X.509 certificates such that a certificate can
only be verified if either:

 (1) A certificate is signed with the key it holds.

 (2) A certificate is signed with a key that has keyCertSign set in its
     keyUsage extension and has no purpose restriction set.

Restrict the verification of PKCS#7 messages such that a signature can only be
verified by a matching key if the key does not have keyCertSign set and either
of the following is true:

 (1) The key has no purpose restriction and the PKCS#7 is not a firmware
     signature.

 (2) The key has a recognised purpose restriction that matches the use to
     which the PKCS#7 signature is being put.

In the event that a restriction mismatch occurs, EKEYREJECTED will be returned
and an error similar to one of the following will be logged to dmesg:

	PKEY: Firmware signed with non-firmware key (module sig)
	PKEY: Restricted usage key (module sig) used for wrong purpose (kexec sig)

The PKCS#7 test key type is given the usage to specify in a module parameter.
For example:

	echo 1 >/sys/module/pkcs7_test_key/parameters/usage
	keyctl padd pkcs7_test foo @s </tmp/stuff.pkcs7

will attempt to check the signature on stuff.pkcs7 as if it contains a
firmware blob (1 being KEY_VERIFYING_FIRMWARE_SIGNATURE).

Signed-off-by: David Howells <dhowells@redhat.com>
d80903d5
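The two policies in the commit message (when a key may verify an X.509 certificate, and when a key may verify a PKCS#7 signature for a given use) are small enough to model outside the kernel. The following is an added illustration, not code from the kernel or from this commit: it models a key by its keyCertSign bit and its optional purpose restriction and applies the stated rules. Only the value 1 for KEY_VERIFYING_FIRMWARE_SIGNATURE comes from the commit text; the other usage constants, the ModelKey type, the function names and the wording of the keyCertSign rejection line are assumptions made for this example. The two log lines for restriction mismatches follow the shape of the examples quoted in the commit.

```python
# Added model of the usage-restriction policy described in the commit message.
# This is illustrative Python, not kernel code; names other than
# KEY_VERIFYING_FIRMWARE_SIGNATURE are constructed for the example.
from dataclasses import dataclass
from typing import Optional, Tuple

KEY_VERIFYING_MODULE_SIGNATURE = 0    # assumed value
KEY_VERIFYING_FIRMWARE_SIGNATURE = 1  # value used in the commit's example
KEY_VERIFYING_KEXEC_SIGNATURE = 2     # assumed value

# Short names used in the dmesg-style lines below (match the commit's examples).
USAGE_NAMES = {
    KEY_VERIFYING_MODULE_SIGNATURE: "module sig",
    KEY_VERIFYING_FIRMWARE_SIGNATURE: "firmware sig",
    KEY_VERIFYING_KEXEC_SIGNATURE: "kexec sig",
}


@dataclass(frozen=True)
class ModelKey:
    """Constructed stand-in for a public key in the kernel keyring."""
    name: str
    key_cert_sign: bool      # keyCertSign bit from the X.509 keyUsage extension
    purpose: Optional[int]   # None means no purpose restriction


def x509_verify_allowed(self_signed: bool, signer: ModelKey) -> bool:
    """Rule for certificates: self-signed, or signed by an unrestricted CA key."""
    if self_signed:
        return True  # (1) signed with the key the certificate itself holds
    # (2) signer must be a certificate-signing key with no purpose restriction
    return signer.key_cert_sign and signer.purpose is None


def pkcs7_verify_allowed(key: ModelKey, usage: int) -> Tuple[bool, str]:
    """Rule for PKCS#7 data signatures.

    Returns (allowed, log_line); log_line is empty when the key may be used.
    A rejection corresponds to EKEYREJECTED in the kernel.
    """
    use = USAGE_NAMES[usage]
    if key.key_cert_sign:
        # A certificate-signing key is never acceptable for a data signature.
        return False, f"PKEY: keyCertSign key used for data signature ({use})"  # constructed wording
    if key.purpose is None:
        # (1) unrestricted keys may verify anything except firmware
        if usage == KEY_VERIFYING_FIRMWARE_SIGNATURE:
            return False, f"PKEY: Firmware signed with non-firmware key ({use})"
        return True, ""
    # (2) a restricted key may only be used for the purpose it is restricted to
    if key.purpose == usage:
        return True, ""
    return False, (f"PKEY: Restricted usage key ({USAGE_NAMES[key.purpose]}) "
                   f"used for wrong purpose ({use})")


if __name__ == "__main__":
    # Constructed keys: an unrestricted CA key, an unrestricted leaf key,
    # and two leaf keys restricted to firmware and module signing.
    keys = [
        ModelKey("ca", key_cert_sign=True, purpose=None),
        ModelKey("leaf", key_cert_sign=False, purpose=None),
        ModelKey("fw-only", key_cert_sign=False, purpose=KEY_VERIFYING_FIRMWARE_SIGNATURE),
        ModelKey("mod-only", key_cert_sign=False, purpose=KEY_VERIFYING_MODULE_SIGNATURE),
    ]
    for k in keys:
        print(f"{k.name:8} may sign certs: {x509_verify_allowed(False, k)}")
        for usage in USAGE_NAMES:
            ok, line = pkcs7_verify_allowed(k, usage)
            print(f"  {USAGE_NAMES[usage]:13} -> {'ok' if ok else 'EKEYREJECTED: ' + line}")
```

Running the block prints a decision table for the four constructed keys. The point worth noticing is the asymmetry the commit introduces: an unrestricted leaf key is still accepted for module and kexec signatures, but firmware always requires a key explicitly restricted to firmware signing, so adding a firmware-only key to the keyring cannot widen what it can vouch for.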