Commit 9eb02989 authored by David Howells's avatar David Howells

KEYS: Generalise x509_request_asymmetric_key()

Generalise x509_request_asymmetric_key().  It doesn't really have any
dependencies on X.509 features as it uses generalised IDs and the
public_key structs that contain data extracted from X.509.
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
parent 983023f2
...@@ -9,6 +9,8 @@ ...@@ -9,6 +9,8 @@
* 2 of the Licence, or (at your option) any later version. * 2 of the Licence, or (at your option) any later version.
*/ */
#include <keys/asymmetric-type.h>
extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id); extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id);
extern int __asymmetric_key_hex_to_key_id(const char *id, extern int __asymmetric_key_hex_to_key_id(const char *id,
......
...@@ -35,21 +35,20 @@ static LIST_HEAD(asymmetric_key_parsers); ...@@ -35,21 +35,20 @@ static LIST_HEAD(asymmetric_key_parsers);
static DECLARE_RWSEM(asymmetric_key_parsers_sem); static DECLARE_RWSEM(asymmetric_key_parsers_sem);
/** /**
* x509_request_asymmetric_key - Request a key by X.509 certificate params. * find_asymmetric_key - Find a key by ID.
* @keyring: The keys to search. * @keyring: The keys to search.
* @id: The issuer & serialNumber to look for or NULL. * @id_0: The first ID to look for or NULL.
* @skid: The subjectKeyIdentifier to look for or NULL. * @id_1: The second ID to look for or NULL.
* @partial: Use partial match if true, exact if false. * @partial: Use partial match if true, exact if false.
* *
* Find a key in the given keyring by identifier. The preferred identifier is * Find a key in the given keyring by identifier. The preferred identifier is
* the issuer + serialNumber and the fallback identifier is the * the id_0 and the fallback identifier is the id_1. If both are given, the
* subjectKeyIdentifier. If both are given, the lookup is by the former, but * lookup is by the former, but the latter must also match.
* the latter must also match.
*/ */
struct key *x509_request_asymmetric_key(struct key *keyring, struct key *find_asymmetric_key(struct key *keyring,
const struct asymmetric_key_id *id, const struct asymmetric_key_id *id_0,
const struct asymmetric_key_id *skid, const struct asymmetric_key_id *id_1,
bool partial) bool partial)
{ {
struct key *key; struct key *key;
key_ref_t ref; key_ref_t ref;
...@@ -57,12 +56,12 @@ struct key *x509_request_asymmetric_key(struct key *keyring, ...@@ -57,12 +56,12 @@ struct key *x509_request_asymmetric_key(struct key *keyring,
char *req, *p; char *req, *p;
int len; int len;
if (id) { if (id_0) {
lookup = id->data; lookup = id_0->data;
len = id->len; len = id_0->len;
} else { } else {
lookup = skid->data; lookup = id_1->data;
len = skid->len; len = id_1->len;
} }
/* Construct an identifier "id:<keyid>". */ /* Construct an identifier "id:<keyid>". */
...@@ -102,14 +101,15 @@ struct key *x509_request_asymmetric_key(struct key *keyring, ...@@ -102,14 +101,15 @@ struct key *x509_request_asymmetric_key(struct key *keyring,
} }
key = key_ref_to_ptr(ref); key = key_ref_to_ptr(ref);
if (id && skid) { if (id_0 && id_1) {
const struct asymmetric_key_ids *kids = asymmetric_key_ids(key); const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
if (!kids->id[1]) {
pr_debug("issuer+serial match, but expected SKID missing\n"); if (!kids->id[0]) {
pr_debug("First ID matches, but second is missing\n");
goto reject; goto reject;
} }
if (!asymmetric_key_id_same(skid, kids->id[1])) { if (!asymmetric_key_id_same(id_1, kids->id[1])) {
pr_debug("issuer+serial match, but SKID does not\n"); pr_debug("First ID matches, but second does not\n");
goto reject; goto reject;
} }
} }
...@@ -121,7 +121,7 @@ struct key *x509_request_asymmetric_key(struct key *keyring, ...@@ -121,7 +121,7 @@ struct key *x509_request_asymmetric_key(struct key *keyring,
key_put(key); key_put(key);
return ERR_PTR(-EKEYREJECTED); return ERR_PTR(-EKEYREJECTED);
} }
EXPORT_SYMBOL_GPL(x509_request_asymmetric_key); EXPORT_SYMBOL_GPL(find_asymmetric_key);
/** /**
* asymmetric_key_generate_id: Construct an asymmetric key ID * asymmetric_key_generate_id: Construct an asymmetric key ID
......
...@@ -51,9 +51,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, ...@@ -51,9 +51,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
/* Look to see if this certificate is present in the trusted /* Look to see if this certificate is present in the trusted
* keys. * keys.
*/ */
key = x509_request_asymmetric_key(trust_keyring, key = find_asymmetric_key(trust_keyring,
x509->id, x509->skid, x509->id, x509->skid, false);
false);
if (!IS_ERR(key)) { if (!IS_ERR(key)) {
/* One of the X.509 certificates in the PKCS#7 message /* One of the X.509 certificates in the PKCS#7 message
* is apparently the same as one we already trust. * is apparently the same as one we already trust.
...@@ -84,10 +83,10 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, ...@@ -84,10 +83,10 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
* trusted keys. * trusted keys.
*/ */
if (last && (last->sig->auth_ids[0] || last->sig->auth_ids[1])) { if (last && (last->sig->auth_ids[0] || last->sig->auth_ids[1])) {
key = x509_request_asymmetric_key(trust_keyring, key = find_asymmetric_key(trust_keyring,
last->sig->auth_ids[0], last->sig->auth_ids[0],
last->sig->auth_ids[1], last->sig->auth_ids[1],
false); false);
if (!IS_ERR(key)) { if (!IS_ERR(key)) {
x509 = last; x509 = last;
pr_devel("sinfo %u: Root cert %u signer is key %x\n", pr_devel("sinfo %u: Root cert %u signer is key %x\n",
...@@ -101,10 +100,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, ...@@ -101,10 +100,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
/* As a last resort, see if we have a trusted public key that matches /* As a last resort, see if we have a trusted public key that matches
* the signed info directly. * the signed info directly.
*/ */
key = x509_request_asymmetric_key(trust_keyring, key = find_asymmetric_key(trust_keyring,
sinfo->sig->auth_ids[0], sinfo->sig->auth_ids[0], NULL, false);
NULL,
false);
if (!IS_ERR(key)) { if (!IS_ERR(key)) {
pr_devel("sinfo %u: Direct signer is key %x\n", pr_devel("sinfo %u: Direct signer is key %x\n",
sinfo->index, key_serial(key)); sinfo->index, key_serial(key));
......
...@@ -213,9 +213,8 @@ static int x509_validate_trust(struct x509_certificate *cert, ...@@ -213,9 +213,8 @@ static int x509_validate_trust(struct x509_certificate *cert,
if (cert->unsupported_sig) if (cert->unsupported_sig)
return -ENOPKG; return -ENOPKG;
key = x509_request_asymmetric_key(trust_keyring, key = find_asymmetric_key(trust_keyring,
sig->auth_ids[0], sig->auth_ids[1], sig->auth_ids[0], sig->auth_ids[1], false);
false);
if (IS_ERR(key)) if (IS_ERR(key))
return PTR_ERR(key); return PTR_ERR(key);
......
...@@ -76,10 +76,10 @@ const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key) ...@@ -76,10 +76,10 @@ const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key)
return key->payload.data[asym_key_ids]; return key->payload.data[asym_key_ids];
} }
extern struct key *x509_request_asymmetric_key(struct key *keyring, extern struct key *find_asymmetric_key(struct key *keyring,
const struct asymmetric_key_id *id, const struct asymmetric_key_id *id_0,
const struct asymmetric_key_id *skid, const struct asymmetric_key_id *id_1,
bool partial); bool partial);
/* /*
* The payload is at the discretion of the subtype. * The payload is at the discretion of the subtype.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment