• David Howells's avatar
    KEYS: Overhaul key identification when searching for asymmetric keys · 46963b77
    David Howells authored
    Make use of the new match string preparsing to overhaul key identification
    when searching for asymmetric keys.  The following changes are made:
    
     (1) Use the previously created asymmetric_key_id struct to hold the following
         key IDs derived from the X.509 certificate or PKCS#7 message:
    
    	id: serial number + issuer
    	skid: subjKeyId + subject
    	authority: authKeyId + issuer
    
     (2) Replace the hex fingerprint attached to key->type_data[1] with an
         asymmetric_key_ids struct containing the id and the skid (if present).
    
     (3) Make the asymmetric_type match data preparse select one of two searches:
    
         (a) An iterative search for the key ID given if prefixed with "id:".  The
         	 prefix is expected to be followed by a hex string giving the ID to
         	 search for.  The criterion key ID is checked against all key IDs
         	 recorded on the key.
    
         (b) A direct search if the key ID is not prefixed with "id:".  This will
         	 look for an exact match on the key description.
    
     (4) Make x509_request_asymmetric_key() take a key ID.  This is then converted
         into "id:<hex>" and passed into keyring_search() where match preparsing
         will turn it back into a binary ID.
    
     (5) X.509 certificate verification then takes the authority key ID and looks
         up a key that matches it to find the public key for the certificate
         signature.
    
     (6) PKCS#7 certificate verification then takes the id key ID and looks up a
         key that matches it to find the public key for the signed information
         block signature.
    
    Additional changes:
    
     (1) Multiple subjKeyId and authKeyId values on an X.509 certificate cause the
         cert to be rejected with -EBADMSG.
    
     (2) The 'fingerprint' ID is gone.  This was primarily intended to convey PGP
         public key fingerprints.  If PGP is supported in future, this should
         generate a key ID that carries the fingerprint.
    
     (3) Th ca_keyid= kernel command line option is now converted to a key ID and
         used to match the authority key ID.  Possibly this should only match the
         actual authKeyId part and not the issuer as well.
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
    46963b77
asymmetric_keys.h 749 Bytes