Merge tag 'keys-next-20140805' of...

 * user defined keys take an arbitrary string as the description and an

 * arbitrary blob of data as the payload

 */

struct key_type key_type_pkcs7 = {

static struct key_type key_type_pkcs7 = {

	.name			= "pkcs7_test",

	.def_lookup_type	= KEYRING_SEARCH_LOOKUP_DIRECT,

	.preparse		= pkcs7_preparse,

#include "public_key.h"

#include "pkcs7_parser.h"

/*

 * Request an asymmetric key.

 */

static struct key *pkcs7_request_asymmetric_key(

	struct key *keyring,

	const char *signer, size_t signer_len,

	const char *authority, size_t auth_len)

{

	key_ref_t key;

	char *id;

	kenter(",%zu,,%zu", signer_len, auth_len);

	/* Construct an identifier. */

	id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL);

	if (!id)

		return ERR_PTR(-ENOMEM);

	memcpy(id, signer, signer_len);

	id[signer_len + 0] = ':';

	id[signer_len + 1] = ' ';

	memcpy(id + signer_len + 2, authority, auth_len);

	id[signer_len + 2 + auth_len] = 0;

	pr_debug("Look up: \"%s\"\n", id);

	key = keyring_search(make_key_ref(keyring, 1),

			     &key_type_asymmetric, id);

	if (IS_ERR(key))

		pr_debug("Request for module key '%s' err %ld\n",

			 id, PTR_ERR(key));

	kfree(id);

	if (IS_ERR(key)) {

		switch (PTR_ERR(key)) {

			/* Hide some search errors */

		case -EACCES:

		case -ENOTDIR:

		case -EAGAIN:

			return ERR_PTR(-ENOKEY);

		default:

			return ERR_CAST(key);

		}

	}

	pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key_ref_to_ptr(key)));

	return key_ref_to_ptr(key);

}

/**

 * Check the trust on one PKCS#7 SignedInfo block.

 */

		/* Look to see if this certificate is present in the trusted

		 * keys.

		 */

		key = pkcs7_request_asymmetric_key(

			trust_keyring,

			x509->subject, strlen(x509->subject),

			x509->fingerprint, strlen(x509->fingerprint));

		key = x509_request_asymmetric_key(trust_keyring, x509->subject,

						  x509->fingerprint);

		if (!IS_ERR(key))

			/* One of the X.509 certificates in the PKCS#7 message

			 * is apparently the same as one we already trust.

		return -ENOKEY;

	}

	key = pkcs7_request_asymmetric_key(

		trust_keyring,

		last->issuer, strlen(last->issuer),

		last->authority, strlen(last->authority));

	key = x509_request_asymmetric_key(trust_keyring, last->issuer,

					  last->authority);

	if (IS_ERR(key))

		return PTR_ERR(key) == -ENOMEM ? -ENOMEM : -ENOKEY;

	x509 = last;

		if (ret < 0)

			return ret;

		if (x509->issuer)

		pr_debug("- issuer %s\n", x509->issuer);

		if (x509->authority)

			pr_debug("- authkeyid %s\n", x509->authority);

		if (!x509->authority ||

		    (x509->subject &&

		     strcmp(x509->subject, x509->issuer) == 0)) {

		    strcmp(x509->subject, x509->issuer) == 0) {

			/* If there's no authority certificate specified, then

			 * the certificate must be self-signed and is the root

			 * of the chain.  Likewise if the cert is its own

__setup("ca_keys=", ca_keys_setup);

#endif

/*

 * Find a key in the given keyring by issuer and authority.

/**

 * x509_request_asymmetric_key - Request a key by X.509 certificate params.

 * @keyring: The keys to search.

 * @subject: The name of the subject to whom the key belongs.

 * @key_id: The subject key ID as a hex string.

 *

 * Find a key in the given keyring by subject name and key ID.  These might,

 * for instance, be the issuer name and the authority key ID of an X.509

 * certificate that needs to be verified.

 */

static struct key *x509_request_asymmetric_key(struct key *keyring,

					       const char *signer,

					       size_t signer_len,

					       const char *authority,

					       size_t auth_len)

struct key *x509_request_asymmetric_key(struct key *keyring,

					const char *subject,

					const char *key_id)

{

	key_ref_t key;

	size_t subject_len = strlen(subject), key_id_len = strlen(key_id);

	char *id;

	/* Construct an identifier. */

	id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL);

	/* Construct an identifier "<subjname>:<keyid>". */

	id = kmalloc(subject_len + 2 + key_id_len + 1, GFP_KERNEL);

	if (!id)

		return ERR_PTR(-ENOMEM);

	memcpy(id, signer, signer_len);

	id[signer_len + 0] = ':';

	id[signer_len + 1] = ' ';

	memcpy(id + signer_len + 2, authority, auth_len);

	id[signer_len + 2 + auth_len] = 0;

	memcpy(id, subject, subject_len);

	id[subject_len + 0] = ':';

	id[subject_len + 1] = ' ';

	memcpy(id + subject_len + 2, key_id, key_id_len);

	id[subject_len + 2 + key_id_len] = 0;

	pr_debug("Look up: \"%s\"\n", id);

	key = keyring_search(make_key_ref(keyring, 1),

			     &key_type_asymmetric, id);

	if (IS_ERR(key))

		pr_debug("Request for module key '%s' err %ld\n",

			 id, PTR_ERR(key));

		pr_debug("Request for key '%s' err %ld\n", id, PTR_ERR(key));

	kfree(id);

	if (IS_ERR(key)) {

		 key_serial(key_ref_to_ptr(key)));

	return key_ref_to_ptr(key);

}

EXPORT_SYMBOL_GPL(x509_request_asymmetric_key);

/*

 * Set up the signature parameters in an X.509 certificate.  This involves

		return -EPERM;

	key = x509_request_asymmetric_key(trust_keyring,

					  cert->issuer, strlen(cert->issuer),

					  cert->authority,

					  strlen(cert->authority));

					  cert->issuer, cert->authority);

	if (!IS_ERR(key))  {

		if (!use_builtin_keys

		    || test_bit(KEY_FLAG_BUILTIN, &key->flags))

extern int verify_signature(const struct key *key,

			    const struct public_key_signature *sig);

extern struct key *x509_request_asymmetric_key(struct key *keyring,

					       const char *issuer,

					       const char *key_id);

#endif /* _LINUX_PUBLIC_KEY_H */