KEYS: Generalise x509_request_asymmetric_key()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Generalise x509_request_asymmetric_key(). It doesn't really have any
dependencies on X.509 features as it uses generalised IDs and the
public_key structs that contain data extracted from X.509.

Signed-off-by: David Howells <dhowells@redhat.com>

David Howells 10 years ago 9eb02989 983023f2

+37 -39

5 changed files

expand all

crypto

asymmetric_keys

asymmetric_keys.h

asymmetric_type.c

pkcs7_trust.c

x509_public_key.c

include

keys

asymmetric-type.h

crypto/asymmetric_keys/asymmetric_keys.h

··· 9 9 * 2 of the Licence, or (at your option) any later version. 10 10 */ 11 11 12 + #include <keys/asymmetric-type.h> 13 + 12 14 extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id); 13 15 14 16 extern int __asymmetric_key_hex_to_key_id(const char *id,

+21 -21

crypto/asymmetric_keys/asymmetric_type.c

··· 35 35 static DECLARE_RWSEM(asymmetric_key_parsers_sem); 36 36 37 37 /** 38 - * x509_request_asymmetric_key - Request a key by X.509 certificate params. 38 + * find_asymmetric_key - Find a key by ID. 39 39 * @keyring: The keys to search. 40 - * @id: The issuer & serialNumber to look for or NULL. 41 - * @skid: The subjectKeyIdentifier to look for or NULL. 40 + * @id_0: The first ID to look for or NULL. 41 + * @id_1: The second ID to look for or NULL. 42 42 * @partial: Use partial match if true, exact if false. 43 43 * 44 44 * Find a key in the given keyring by identifier. The preferred identifier is 45 - * the issuer + serialNumber and the fallback identifier is the 46 - * subjectKeyIdentifier. If both are given, the lookup is by the former, but 47 - * the latter must also match. 45 + * the id_0 and the fallback identifier is the id_1. If both are given, the 46 + * lookup is by the former, but the latter must also match. 48 47 */ 49 - struct key *x509_request_asymmetric_key(struct key *keyring, 50 - const struct asymmetric_key_id *id, 51 - const struct asymmetric_key_id *skid, 52 - bool partial) 48 + struct key *find_asymmetric_key(struct key *keyring, 49 + const struct asymmetric_key_id *id_0, 50 + const struct asymmetric_key_id *id_1, 51 + bool partial) 53 52 { 54 53 struct key *key; 55 54 key_ref_t ref; ··· 56 57 char *req, *p; 57 58 int len; 58 59 59 - if (id) { 60 - lookup = id->data; 61 - len = id->len; 60 + if (id_0) { 61 + lookup = id_0->data; 62 + len = id_0->len; 62 63 } else { 63 - lookup = skid->data; 64 - len = skid->len; 64 + lookup = id_1->data; 65 + len = id_1->len; 65 66 } 66 67 67 68 /* Construct an identifier "id:<keyid>". */ ··· 101 102 } 102 103 103 104 key = key_ref_to_ptr(ref); 104 - if (id && skid) { 105 + if (id_0 && id_1) { 105 106 const struct asymmetric_key_ids *kids = asymmetric_key_ids(key); 106 - if (!kids->id[1]) { 107 - pr_debug("issuer+serial match, but expected SKID missing\n"); 107 + 108 + if (!kids->id[0]) { 109 + pr_debug("First ID matches, but second is missing\n"); 108 110 goto reject; 109 111 } 110 - if (!asymmetric_key_id_same(skid, kids->id[1])) { 111 - pr_debug("issuer+serial match, but SKID does not\n"); 112 + if (!asymmetric_key_id_same(id_1, kids->id[1])) { 113 + pr_debug("First ID matches, but second does not\n"); 112 114 goto reject; 113 115 } 114 116 } ··· 121 121 key_put(key); 122 122 return ERR_PTR(-EKEYREJECTED); 123 123 } 124 - EXPORT_SYMBOL_GPL(x509_request_asymmetric_key); 124 + EXPORT_SYMBOL_GPL(find_asymmetric_key); 125 125 126 126 /** 127 127 * asymmetric_key_generate_id: Construct an asymmetric key ID

+8 -11

crypto/asymmetric_keys/pkcs7_trust.c

··· 51 51 /* Look to see if this certificate is present in the trusted 52 52 * keys. 53 53 */ 54 - key = x509_request_asymmetric_key(trust_keyring, 55 - x509->id, x509->skid, 56 - false); 54 + key = find_asymmetric_key(trust_keyring, 55 + x509->id, x509->skid, false); 57 56 if (!IS_ERR(key)) { 58 57 /* One of the X.509 certificates in the PKCS#7 message 59 58 * is apparently the same as one we already trust. ··· 83 84 * trusted keys. 84 85 */ 85 86 if (last && (last->sig->auth_ids[0] || last->sig->auth_ids[1])) { 86 - key = x509_request_asymmetric_key(trust_keyring, 87 - last->sig->auth_ids[0], 88 - last->sig->auth_ids[1], 89 - false); 87 + key = find_asymmetric_key(trust_keyring, 88 + last->sig->auth_ids[0], 89 + last->sig->auth_ids[1], 90 + false); 90 91 if (!IS_ERR(key)) { 91 92 x509 = last; 92 93 pr_devel("sinfo %u: Root cert %u signer is key %x\n", ··· 100 101 /* As a last resort, see if we have a trusted public key that matches 101 102 * the signed info directly. 102 103 */ 103 - key = x509_request_asymmetric_key(trust_keyring, 104 - sinfo->sig->auth_ids[0], 105 - NULL, 106 - false); 104 + key = find_asymmetric_key(trust_keyring, 105 + sinfo->sig->auth_ids[0], NULL, false); 107 106 if (!IS_ERR(key)) { 108 107 pr_devel("sinfo %u: Direct signer is key %x\n", 109 108 sinfo->index, key_serial(key));

+2 -3

crypto/asymmetric_keys/x509_public_key.c

··· 213 213 if (cert->unsupported_sig) 214 214 return -ENOPKG; 215 215 216 - key = x509_request_asymmetric_key(trust_keyring, 217 - sig->auth_ids[0], sig->auth_ids[1], 218 - false); 216 + key = find_asymmetric_key(trust_keyring, 217 + sig->auth_ids[0], sig->auth_ids[1], false); 219 218 if (IS_ERR(key)) 220 219 return PTR_ERR(key); 221 220

+4 -4

include/keys/asymmetric-type.h

··· 76 76 return key->payload.data[asym_key_ids]; 77 77 } 78 78 79 - extern struct key *x509_request_asymmetric_key(struct key *keyring, 80 - const struct asymmetric_key_id *id, 81 - const struct asymmetric_key_id *skid, 82 - bool partial); 79 + extern struct key *find_asymmetric_key(struct key *keyring, 80 + const struct asymmetric_key_id *id_0, 81 + const struct asymmetric_key_id *id_1, 82 + bool partial); 83 83 84 84 /* 85 85 * The payload is at the discretion of the subtype.