
Commit 9eb02989 authored by David Howells's avatar David Howells

KEYS: Generalise x509_request_asymmetric_key()



Generalise x509_request_asymmetric_key().  It doesn't really have any
dependencies on X.509 features as it uses generalised IDs and the
public_key structs that contain data extracted from X.509.

Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
parent 983023f2
+2 −0
@@ -9,6 +9,8 @@
 * 2 of the Licence, or (at your option) any later version.
 */

#include <keys/asymmetric-type.h>

extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id);

extern int __asymmetric_key_hex_to_key_id(const char *id,
+21 −21
@@ -35,20 +35,19 @@ static LIST_HEAD(asymmetric_key_parsers);
static DECLARE_RWSEM(asymmetric_key_parsers_sem);

/**
 * x509_request_asymmetric_key - Request a key by X.509 certificate params.
 * find_asymmetric_key - Find a key by ID.
 * @keyring: The keys to search.
 * @id: The issuer & serialNumber to look for or NULL.
 * @skid: The subjectKeyIdentifier to look for or NULL.
 * @id_0: The first ID to look for or NULL.
 * @id_1: The second ID to look for or NULL.
 * @partial: Use partial match if true, exact if false.
 *
 * Find a key in the given keyring by identifier.  The preferred identifier is
 * the issuer + serialNumber and the fallback identifier is the
 * subjectKeyIdentifier.  If both are given, the lookup is by the former, but
 * the latter must also match.
 * the id_0 and the fallback identifier is the id_1.  If both are given, the
 * lookup is by the former, but the latter must also match.
 */
struct key *x509_request_asymmetric_key(struct key *keyring,
					const struct asymmetric_key_id *id,
					const struct asymmetric_key_id *skid,
struct key *find_asymmetric_key(struct key *keyring,
				const struct asymmetric_key_id *id_0,
				const struct asymmetric_key_id *id_1,
				bool partial)
{
	struct key *key;
@@ -57,12 +56,12 @@ struct key *x509_request_asymmetric_key(struct key *keyring,
	char *req, *p;
	int len;

	if (id) {
		lookup = id->data;
		len = id->len;
	if (id_0) {
		lookup = id_0->data;
		len = id_0->len;
	} else {
		lookup = skid->data;
		len = skid->len;
		lookup = id_1->data;
		len = id_1->len;
	}

	/* Construct an identifier "id:<keyid>". */
@@ -102,14 +101,15 @@ struct key *x509_request_asymmetric_key(struct key *keyring,
	}

	key = key_ref_to_ptr(ref);
	if (id && skid) {
	if (id_0 && id_1) {
		const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
		if (!kids->id[1]) {
			pr_debug("issuer+serial match, but expected SKID missing\n");

		if (!kids->id[0]) {
			pr_debug("First ID matches, but second is missing\n");
			goto reject;
		}
		if (!asymmetric_key_id_same(skid, kids->id[1])) {
			pr_debug("issuer+serial match, but SKID does not\n");
		if (!asymmetric_key_id_same(id_1, kids->id[1])) {
			pr_debug("First ID matches, but second does not\n");
			goto reject;
		}
	}
@@ -121,7 +121,7 @@ struct key *x509_request_asymmetric_key(struct key *keyring,
	key_put(key);
	return ERR_PTR(-EKEYREJECTED);
}
EXPORT_SYMBOL_GPL(x509_request_asymmetric_key);
EXPORT_SYMBOL_GPL(find_asymmetric_key);

/**
 * asymmetric_key_generate_id: Construct an asymmetric key ID
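Review bot: The "second is missing" guard in the third hunk of this file now tests `kids->id[0]`, while its debug message and the comparison right after it both concern the second ID (`kids->id[1]`); the line it replaces tested `kids->id[1]`. As written, a key that matched on the first ID but carries no second ID is not rejected by this guard and goes on to `asymmetric_key_id_same(id_1, kids->id[1])` with a NULL second argument; whether that helper accepts NULL is not visible on this page. Because this is the check that enforces "the latter must also match" for trust-keyring lookups, the guard should stay `if (!kids->id[1]) {`. Separately, the kerneldoc describes both `@id_0` and `@id_1` as "or NULL", but the `else` branch in the second hunk dereferences `id_1` unconditionally, so the comment should state that at least one of the two must be non-NULL. The body of find_asymmetric_key() continues outside the hunks shown.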
+8 −11
@@ -51,9 +51,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
		/* Look to see if this certificate is present in the trusted
		 * keys.
		 */
		key = x509_request_asymmetric_key(trust_keyring,
						  x509->id, x509->skid,
						  false);
		key = find_asymmetric_key(trust_keyring,
					  x509->id, x509->skid, false);
		if (!IS_ERR(key)) {
			/* One of the X.509 certificates in the PKCS#7 message
			 * is apparently the same as one we already trust.
@@ -84,7 +83,7 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
	 * trusted keys.
	 */
	if (last && (last->sig->auth_ids[0] || last->sig->auth_ids[1])) {
		key = x509_request_asymmetric_key(trust_keyring,
		key = find_asymmetric_key(trust_keyring,
					  last->sig->auth_ids[0],
					  last->sig->auth_ids[1],
					  false);
@@ -101,10 +100,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
	/* As a last resort, see if we have a trusted public key that matches
	 * the signed info directly.
	 */
	key = x509_request_asymmetric_key(trust_keyring,
					  sinfo->sig->auth_ids[0],
					  NULL,
					  false);
	key = find_asymmetric_key(trust_keyring,
				  sinfo->sig->auth_ids[0], NULL, false);
	if (!IS_ERR(key)) {
		pr_devel("sinfo %u: Direct signer is key %x\n",
			 sinfo->index, key_serial(key));
+2 −3
@@ -213,9 +213,8 @@ static int x509_validate_trust(struct x509_certificate *cert,
	if (cert->unsupported_sig)
		return -ENOPKG;

	key = x509_request_asymmetric_key(trust_keyring,
					  sig->auth_ids[0], sig->auth_ids[1],
					  false);
	key = find_asymmetric_key(trust_keyring,
				  sig->auth_ids[0], sig->auth_ids[1], false);
	if (IS_ERR(key))
		return PTR_ERR(key);

+4 −4
@@ -76,9 +76,9 @@ const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key)
	return key->payload.data[asym_key_ids];
}

extern struct key *x509_request_asymmetric_key(struct key *keyring,
					       const struct asymmetric_key_id *id,
					       const struct asymmetric_key_id *skid,
extern struct key *find_asymmetric_key(struct key *keyring,
				       const struct asymmetric_key_id *id_0,
				       const struct asymmetric_key_id *id_1,
				       bool partial);

/*