Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ffb70f61 authored by Dmitry Kasatkin's avatar Dmitry Kasatkin Committed by Mimi Zohar
Browse files

KEYS: validate certificate trust only with selected key 



Instead of allowing public keys, with certificates signed by any
key on the system trusted keyring, to be added to a trusted keyring,
this patch further restricts the certificates to those signed by a
particular key on the system keyring.

This patch defines a new kernel parameter 'ca_keys' to identify the
specific key which must be used for trust validation of certificates.

Simplified Mimi's "KEYS: define an owner trusted keyring" patch.

Changelog:
- support for builtin x509 public keys only
- export "asymmetric_keyid_match"
- remove ifndefs MODULE
- rename kernel boot parameter from keys_ownerid to ca_keys

Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
parent b3426827

Documentation/kernel-parameters.txt

+5 −0
Original line number Diff line number Diff line
@@ -566,6 +566,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted. 
			possible to determine what the correct size should be.

			This option provides an override for these situations.



	ca_keys=	[KEYS] This parameter identifies a specific key(s) on

			the system trusted keyring to be used for certificate

			trust validation.

			format: id:<keyid>



	ccw_timeout_log [S390]

			See Documentation/s390/CommonIO for details.

crypto/asymmetric_keys/asymmetric_type.c

+1 −0
Original line number Diff line number Diff line
@@ -49,6 +49,7 @@ int asymmetric_keyid_match(const char *kid, const char *id) 


	return 1;

}

EXPORT_SYMBOL_GPL(asymmetric_keyid_match);



/*

 * Match asymmetric keys on (part of) their name

crypto/asymmetric_keys/x509_public_key.c

+19 −0
Original line number Diff line number Diff line
@@ -24,6 +24,22 @@ 
#include "public_key.h"

#include "x509_parser.h"



static char *ca_keyid;



#ifndef MODULE

static int __init ca_keys_setup(char *str)

{

	if (!str)		/* default system keyring */

		return 1;



	if (strncmp(str, "id:", 3) == 0)

		ca_keyid = str;	/* owner key 'id:xxxxxx' */



	return 1;

}

__setup("ca_keys=", ca_keys_setup);

#endif



/*

 * Find a key in the given keyring by issuer and authority.

 */
@@ -171,6 +187,9 @@ static int x509_validate_trust(struct x509_certificate *cert, 
	if (!trust_keyring)

		return -EOPNOTSUPP;



	if (ca_keyid && !asymmetric_keyid_match(cert->authority, ca_keyid))

		return -EPERM;



	key = x509_request_asymmetric_key(trust_keyring,

					  cert->issuer, strlen(cert->issuer),

					  cert->authority,