1. 16 Sep, 2014 18 commits
    • David Howells's avatar
      Merge tag 'keys-pkcs7-20140916' into keys-next · d3e4f419
      David Howells authored
      Changes for next to improve the matching of asymmetric keys and to improve the
      handling of PKCS#7 certificates:
      
       (1) Provide a method to preparse the data supplied for matching a key.  This
           permits they key type to extract out the bits it needs for matching once
           only.
      
           Further, the type of search (direct lookup or iterative) can be set and
           the function used to actually check the match can be set by preparse
           rather than being hard coded for the type.
      
       (2) Improves asymmetric keys identification.
      
           Keys derived from X.509 certs now get labelled with IDs derived from their
           issuer and certificate number (required to match PKCS#7) and from their
           SKID and subject (required to match X.509).
      
           IDs are now binary and match criterion preparsing is provided so that
           criteria can be turned into binary blobs to make matching faster.
      
       (3) Improves PKCS#7 message handling to permit PKCS#7 messages without X.509
           cert lists to be matched to trusted keys, thereby allowing minimally sized
           PKCS#7 certs to be used.
      
       (4) Improves PKCS#7 message handling to better handle certificate chains that
           are broken due to unsupported crypto that can otherwise by used to
           intersect a trust keyring.
      
      These must go on top of the PKCS#7 parser cleanup fixes.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      d3e4f419
    • David Howells's avatar
      PKCS#7: Handle PKCS#7 messages that contain no X.509 certs · 757932e6
      David Howells authored
      The X.509 certificate list in a PKCS#7 message is optional.  To save space, we
      can omit the inclusion of any X.509 certificates if we are sure that we can
      look the relevant public key up by the serial number and issuer given in a
      signed info block.
      
      This also supports use of a signed info block for which we can't find a
      matching X.509 cert in the certificate list, though it be populated.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      757932e6
    • David Howells's avatar
      PKCS#7: Better handling of unsupported crypto · 41559420
      David Howells authored
      Provide better handling of unsupported crypto when verifying a PKCS#7 message.
      If we can't bridge the gap between a pair of X.509 certs or between a signed
      info block and an X.509 cert because it involves some crypto we don't support,
      that's not necessarily the end of the world as there may be other ways points
      at which we can intersect with a ring of trusted keys.
      
      Instead, only produce ENOPKG immediately if all the signed info blocks in a
      PKCS#7 message require unsupported crypto to bridge to the first X.509 cert.
      Otherwise, we defer the generation of ENOPKG until we get ENOKEY during trust
      validation.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      41559420
    • David Howells's avatar
      KEYS: Overhaul key identification when searching for asymmetric keys · 46963b77
      David Howells authored
      Make use of the new match string preparsing to overhaul key identification
      when searching for asymmetric keys.  The following changes are made:
      
       (1) Use the previously created asymmetric_key_id struct to hold the following
           key IDs derived from the X.509 certificate or PKCS#7 message:
      
      	id: serial number + issuer
      	skid: subjKeyId + subject
      	authority: authKeyId + issuer
      
       (2) Replace the hex fingerprint attached to key->type_data[1] with an
           asymmetric_key_ids struct containing the id and the skid (if present).
      
       (3) Make the asymmetric_type match data preparse select one of two searches:
      
           (a) An iterative search for the key ID given if prefixed with "id:".  The
           	 prefix is expected to be followed by a hex string giving the ID to
           	 search for.  The criterion key ID is checked against all key IDs
           	 recorded on the key.
      
           (b) A direct search if the key ID is not prefixed with "id:".  This will
           	 look for an exact match on the key description.
      
       (4) Make x509_request_asymmetric_key() take a key ID.  This is then converted
           into "id:<hex>" and passed into keyring_search() where match preparsing
           will turn it back into a binary ID.
      
       (5) X.509 certificate verification then takes the authority key ID and looks
           up a key that matches it to find the public key for the certificate
           signature.
      
       (6) PKCS#7 certificate verification then takes the id key ID and looks up a
           key that matches it to find the public key for the signed information
           block signature.
      
      Additional changes:
      
       (1) Multiple subjKeyId and authKeyId values on an X.509 certificate cause the
           cert to be rejected with -EBADMSG.
      
       (2) The 'fingerprint' ID is gone.  This was primarily intended to convey PGP
           public key fingerprints.  If PGP is supported in future, this should
           generate a key ID that carries the fingerprint.
      
       (3) Th ca_keyid= kernel command line option is now converted to a key ID and
           used to match the authority key ID.  Possibly this should only match the
           actual authKeyId part and not the issuer as well.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      46963b77
    • David Howells's avatar
      KEYS: Implement binary asymmetric key ID handling · 7901c1a8
      David Howells authored
      Implement the first step in using binary key IDs for asymmetric keys rather
      than hex string keys.
      
      The previously added match data preparsing will be able to convert hex
      criterion strings into binary which can then be compared more rapidly.
      
      Further, we actually want more then one ID string per public key.  The problem
      is that X.509 certs refer to other X.509 certs by matching Issuer + AuthKeyId
      to Subject + SubjKeyId, but PKCS#7 messages match against X.509 Issuer +
      SerialNumber.
      
      This patch just provides facilities for a later patch to make use of.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      7901c1a8
    • David Howells's avatar
    • David Howells's avatar
      KEYS: Make the key matching functions return bool · 0c903ab6
      David Howells authored
      Make the key matching functions pointed to by key_match_data::cmp return bool
      rather than int.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      0c903ab6
    • David Howells's avatar
      KEYS: Remove key_type::match in favour of overriding default by match_preparse · c06cfb08
      David Howells authored
      A previous patch added a ->match_preparse() method to the key type.  This is
      allowed to override the function called by the iteration algorithm.
      Therefore, we can just set a default that simply checks for an exact match of
      the key description with the original criterion data and allow match_preparse
      to override it as needed.
      
      The key_type::match op is then redundant and can be removed, as can the
      user_match() function.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      c06cfb08
    • David Howells's avatar
      KEYS: Remove key_type::def_lookup_type · 614d8c39
      David Howells authored
      Remove key_type::def_lookup_type as it's no longer used.  The information now
      defaults to KEYRING_SEARCH_LOOKUP_DIRECT but may be overridden by
      type->match_preparse().
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      614d8c39
    • David Howells's avatar
      KEYS: Preparse match data · 46291959
      David Howells authored
      Preparse the match data.  This provides several advantages:
      
       (1) The preparser can reject invalid criteria up front.
      
       (2) The preparser can convert the criteria to binary data if necessary (the
           asymmetric key type really wants to do binary comparison of the key IDs).
      
       (3) The preparser can set the type of search to be performed.  This means
           that it's not then a one-off setting in the key type.
      
       (4) The preparser can set an appropriate comparator function.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      46291959
    • David Howells's avatar
      Provide a binary to hex conversion function · 53d91c5c
      David Howells authored
      Provide a function to convert a buffer of binary data into an unterminated
      ascii hex string representation of that data.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      53d91c5c
    • David Howells's avatar
      Merge tag 'keys-next-fixes-20140916' into keys-next · 1c9c115c
      David Howells authored
      Merge in keyrings fixes for next:
      
       (1) Insert some missing 'static' annotations.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      1c9c115c
    • David Howells's avatar
      Merge tag 'keys-fixes-20140916' into keys-next · 68c45c7f
      David Howells authored
      Merge in keyrings fixes, at least some of which later patches depend on:
      
       (1) Reinstate the production of EPERM for key types beginning with '.' in
           requests from userspace.
      
       (2) Tidy up the cleanup of PKCS#7 message signed information blocks and fix a
           bug this made more obvious.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.coM>
      68c45c7f
    • David Howells's avatar
      PKCS#7: Fix the parser cleanup to drain parsed out X.509 certs · cecf5d2e
      David Howells authored
      Fix the parser cleanup code to drain parsed out X.509 certs in the case that
      the decode fails and we jump to error_decode.
      
      The function is rearranged so that the same cleanup code is used in the success
      case as the error case - just that the message descriptor under construction is
      only released if it is still pointed to by the context struct at that point.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      cecf5d2e
    • David Howells's avatar
      PKCS#7: Provide a single place to do signed info block freeing · 3cd0920c
      David Howells authored
      The code to free a signed info block is repeated several times, so move the
      code to do it into a function of its own.  This gives us a place to add clean
      ups for stuff that gets added to pkcs7_signed_info.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      3cd0920c
    • David Howells's avatar
      KEYS: Reinstate EPERM for a key type name beginning with a '.' · 54e2c2c1
      David Howells authored
      Reinstate the generation of EPERM for a key type name beginning with a '.' in
      a userspace call.  Types whose name begins with a '.' are internal only.
      
      The test was removed by:
      
      	commit a4e3b8d7
      	Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
      	Date:   Thu May 22 14:02:23 2014 -0400
      	Subject: KEYS: special dot prefixed keyring name bug fix
      
      I think we want to keep the restriction on type name so that userspace can't
      add keys of a special internal type.
      
      Note that removal of the test causes several of the tests in the keyutils
      testsuite to fail.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
      54e2c2c1
    • David Howells's avatar
      PKCS#7: Add a missing static · 15155b9a
      David Howells authored
      Add a missing static (found by checker).
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      15155b9a
    • David Howells's avatar
      KEYS: Fix missing statics · 8da79b64
      David Howells authored
      Fix missing statics (found by checker).
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
      8da79b64
  2. 12 Sep, 2014 1 commit
  3. 09 Sep, 2014 13 commits
  4. 08 Sep, 2014 2 commits
  5. 03 Sep, 2014 2 commits
  6. 02 Sep, 2014 4 commits