Commit ffb70f61 authored by Dmitry Kasatkin, committed by Mimi Zohar

KEYS: validate certificate trust only with selected key

Instead of allowing public keys, with certificates signed by any
key on the system trusted keyring, to be added to a trusted keyring,
this patch further restricts the certificates to those signed by a
particular key on the system keyring.

This patch defines a new kernel parameter 'ca_keys' to identify the
specific key which must be used for trust validation of certificates.

Simplified Mimi's "KEYS: define an owner trusted keyring" patch.

Changelog:
- support for builtin x509 public keys only
- export "asymmetric_keyid_match"
- remove ifndefs MODULE
- rename kernel boot parameter from keys_ownerid to ca_keys
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
parent b3426827
...@@ -566,6 +566,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted. ...@@ -566,6 +566,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
possible to determine what the correct size should be. possible to determine what the correct size should be.
This option provides an override for these situations. This option provides an override for these situations.
ca_keys= [KEYS] This parameter identifies a specific key(s) on
the system trusted keyring to be used for certificate
trust validation.
format: id:<keyid>
ccw_timeout_log [S390] ccw_timeout_log [S390]
See Documentation/s390/CommonIO for details. See Documentation/s390/CommonIO for details.
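Review bot: The new ca_keys= entry does not say what happens when the value is not in the id:<keyid> form, or whether <keyid> must be the full key identifier or may be a partial one. Because this parameter narrows which key may vouch for certificates added to a trusted keyring, the text should state the behaviour when it is omitted (ca_keys_setup() comments this case as "default system keyring") and that only the id: form is recognised. "a specific key(s)" should also be settled as singular or plural; the code in this patch stores a single ca_keyid string.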
......
...@@ -49,6 +49,7 @@ int asymmetric_keyid_match(const char *kid, const char *id) ...@@ -49,6 +49,7 @@ int asymmetric_keyid_match(const char *kid, const char *id)
return 1; return 1;
} }
EXPORT_SYMBOL_GPL(asymmetric_keyid_match);
/* /*
* Match asymmetric keys on (part of) their name * Match asymmetric keys on (part of) their name
......
...@@ -24,6 +24,22 @@ ...@@ -24,6 +24,22 @@
#include "public_key.h" #include "public_key.h"
#include "x509_parser.h" #include "x509_parser.h"
static char *ca_keyid;
#ifndef MODULE
static int __init ca_keys_setup(char *str)
{
if (!str) /* default system keyring */
return 1;
if (strncmp(str, "id:", 3) == 0)
ca_keyid = str; /* owner key 'id:xxxxxx' */
return 1;
}
__setup("ca_keys=", ca_keys_setup);
#endif
/* /*
* Find a key in the given keyring by issuer and authority. * Find a key in the given keyring by issuer and authority.
*/ */
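Review bot: In ca_keys_setup(), a value that does not begin with "id:" is silently dropped: ca_keyid stays NULL and the function still returns 1, so a typo on the command line leaves trust validation exactly as unrestricted as if ca_keys= had never been given. For a parameter whose purpose is to tighten trust, log the rejected value (for example with pr_warn) so the failure is visible at boot. Two smaller points: ca_keyid is stored with the "id:" prefix still attached, so the check added in x509_validate_trust() depends on asymmetric_keyid_match() accepting that form, which deserves a comment here; and the changelog says "remove ifndefs MODULE" while this hunk still wraps the setup function in #ifndef MODULE.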
...@@ -171,6 +187,9 @@ static int x509_validate_trust(struct x509_certificate *cert, ...@@ -171,6 +187,9 @@ static int x509_validate_trust(struct x509_certificate *cert,
if (!trust_keyring) if (!trust_keyring)
return -EOPNOTSUPP; return -EOPNOTSUPP;
if (ca_keyid && !asymmetric_keyid_match(cert->authority, ca_keyid))
return -EPERM;
key = x509_request_asymmetric_key(trust_keyring, key = x509_request_asymmetric_key(trust_keyring,
cert->issuer, strlen(cert->issuer), cert->issuer, strlen(cert->issuer),
cert->authority, cert->authority,
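Review bot: The new test in x509_validate_trust() passes cert->authority to asymmetric_keyid_match() without a NULL check, so the outcome for a certificate that carries no authority key identifier depends entirely on the helper, whose body is not part of this diff. Either test cert->authority explicitly before the match or add a comment stating that the helper rejects NULL, so the fail-closed behaviour is obvious to the next reader. A one-line comment noting that ca_keyid comes from the ca_keys= boot parameter would also help, since -EPERM is returned here before the keyring is consulted.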
......