
KEYS: validate certificate trust only with selected key

Instead of allowing public keys, with certificates signed by any
key on the system trusted keyring, to be added to a trusted keyring,
this patch further restricts the certificates to those signed by a
particular key on the system keyring.

This patch defines a new kernel parameter 'ca_keys' to identify the
specific key which must be used for trust validation of certificates.

Simplified Mimi's "KEYS: define an owner trusted keyring" patch.

Changelog:
- support for builtin x509 public keys only
- export "asymmetric_keyid_match"
- remove ifndefs MODULE
- rename kernel boot parameter from keys_ownerid to ca_keys

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Dmitry Kasatkin, 11 years ago
Parent
Current commit
ffb70f61ba

+ 5 - 0
Documentation/kernel-parameters.txt

@@ -566,6 +566,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 			possible to determine what the correct size should be.
 			possible to determine what the correct size should be.
 			This option provides an override for these situations.
 			This option provides an override for these situations.
 
 
+	ca_keys=	[KEYS] This parameter identifies a specific key(s) on
+			the system trusted keyring to be used for certificate
+			trust validation.
+			format: id:<keyid>
+
 	ccw_timeout_log [S390]
 	ccw_timeout_log [S390]
 			See Documentation/s390/CommonIO for details.
 			See Documentation/s390/CommonIO for details.
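Review bot: The new ca_keys= entry says "a specific key(s)" but documents only the single form "format: id:<keyid>", so it is unclear whether more than one key can be named. Please state that explicitly, say what <keyid> is (full or partial identifier, and in what encoding), and document what happens when the value does not start with "id:", since an administrator relying on this parameter for trust restriction needs to know whether a malformed value leaves the whole system keyring trusted.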
 
 

+ 1 - 0
crypto/asymmetric_keys/asymmetric_type.c

@@ -49,6 +49,7 @@ int asymmetric_keyid_match(const char *kid, const char *id)
 
 
 	return 1;
 	return 1;
 }
 }
+EXPORT_SYMBOL_GPL(asymmetric_keyid_match);
 
 
 /*
 /*
  * Match asymmetric keys on (part of) their name
  * Match asymmetric keys on (part of) their name
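Review bot: EXPORT_SYMBOL_GPL(asymmetric_keyid_match) turns this helper into an interface for other code, but nothing in the hunk documents its contract. Please add a kernel-doc comment above the function covering the argument order (kid versus id), whether id may carry a prefix, how NULL arguments are treated, and that a non-zero return means a match, because the new caller uses the result directly as a trust decision.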

+ 19 - 0
crypto/asymmetric_keys/x509_public_key.c

@@ -24,6 +24,22 @@
 #include "public_key.h"
 #include "public_key.h"
 #include "x509_parser.h"
 #include "x509_parser.h"
 
 
+static char *ca_keyid;
+
+#ifndef MODULE
+static int __init ca_keys_setup(char *str)
+{
+	if (!str)		/* default system keyring */
+		return 1;
+
+	if (strncmp(str, "id:", 3) == 0)
+		ca_keyid = str;	/* owner key 'id:xxxxxx' */
+
+	return 1;
+}
+__setup("ca_keys=", ca_keys_setup);
+#endif
+
 /*
 /*
  * Find a key in the given keyring by issuer and authority.
  * Find a key in the given keyring by issuer and authority.
  */
  */
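Review bot: ca_keys_setup() fails open on a malformed value: when str does not begin with "id:" the function returns 1 without setting ca_keyid and without logging, so a typo on the command line silently leaves certificate trust unrestricted. Consider a pr_warn() for an unrecognized format and rejecting an empty identifier after "id:", which the strncmp() test currently accepts. Two smaller points: "ca_keyid = str;" stores a pointer into the boot command line from an __init function, so a comment confirming that buffer outlives init would help, and the changelog lists "remove ifndefs MODULE" while the hunk still wraps the handler in "#ifndef MODULE".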
@@ -171,6 +187,9 @@ static int x509_validate_trust(struct x509_certificate *cert,
 	if (!trust_keyring)
 	if (!trust_keyring)
 		return -EOPNOTSUPP;
 		return -EOPNOTSUPP;
 
 
+	if (ca_keyid && !asymmetric_keyid_match(cert->authority, ca_keyid))
+		return -EPERM;
+
 	key = x509_request_asymmetric_key(trust_keyring,
 	key = x509_request_asymmetric_key(trust_keyring,
 					  cert->issuer, strlen(cert->issuer),
 					  cert->issuer, strlen(cert->issuer),
 					  cert->authority,
 					  cert->authority,
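Review bot: The added check in x509_validate_trust() passes cert->authority to asymmetric_keyid_match() with no visible guarantee that it is non-NULL, so the behaviour for a certificate without an authority key identifier depends entirely on the helper. When ca_keyid is set, an explicit "if (!cert->authority) return -EPERM;" before the match would make the deny-by-default intent clear. A short comment explaining that this is only an identifier comparison, with the signature still verified against the key found by x509_request_asymmetric_key() below, would also help readers.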