From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: linux-security-module <linux-security-module@vger.kernel.org>,
	David Howells <dhowells@redhat.com>,
	Josh Boyer <jwboyer@redhat.com>,
	keyrings <keyrings@linux-nfs.org>,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [RFC PATCH v5 2/4] KEYS: verify a certificate is signed by a 'trusted' key
Date: Mon, 09 Jun 2014 16:13:12 +0300
Message-ID: <5395B2E8.3030602@samsung.com>
In-Reply-To: <CACE9dm_VGRiG7Sok_nONwbBTGoH3RbJCvBD=YayiWuRDoJo3-g@mail.gmail.com>

On 07/06/14 00:50, Dmitry Kasatkin wrote:
> On 3 June 2014 20:58, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>> Only public keys, with certificates signed by an existing
>> 'trusted' key on the system trusted keyring, should be added
>> to a trusted keyring.  This patch adds support for verifying
>> a certificate's signature.
>>
>> This is derived from David Howells pkcs7_request_asymmetric_key() patch.
>>
>> Changelog:
>> - define get_system_trusted_keyring() to fix kbuild issues
>>
>> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
>> Signed-off-by: David Howells <dhowells@redhat.com>
> Acked-by: me
>
>
>> ---
>>  crypto/asymmetric_keys/x509_public_key.c | 84 +++++++++++++++++++++++++++++++-
>>  include/keys/system_keyring.h            | 10 +++-
>>  2 files changed, 92 insertions(+), 2 deletions(-)
>>
>> diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
>> index 382ef0d..1af8a30 100644
>> --- a/crypto/asymmetric_keys/x509_public_key.c
>> +++ b/crypto/asymmetric_keys/x509_public_key.c
>> @@ -18,12 +18,60 @@
>>  #include <linux/asn1_decoder.h>
>>  #include <keys/asymmetric-subtype.h>
>>  #include <keys/asymmetric-parser.h>
>> +#include <keys/system_keyring.h>
>>  #include <crypto/hash.h>
>>  #include "asymmetric_keys.h"
>>  #include "public_key.h"
>>  #include "x509_parser.h"
>>
>>  /*
>> + * Find a key in the given keyring by issuer and authority.
>> + */
>> +static struct key *x509_request_asymmetric_key(
>> +       struct key *keyring,
>> +       const char *signer, size_t signer_len,
>> +       const char *authority, size_t auth_len)
>> +{
>> +       key_ref_t key;
>> +       char *id;
>> +
>> +       /* Construct an identifier. */
>> +       id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL);
>> +       if (!id)
>> +               return ERR_PTR(-ENOMEM);
>> +
>> +       memcpy(id, signer, signer_len);
>> +       id[signer_len + 0] = ':';
>> +       id[signer_len + 1] = ' ';
>> +       memcpy(id + signer_len + 2, authority, auth_len);
>> +       id[signer_len + 2 + auth_len] = 0;
>> +
>> +       pr_debug("Look up: \"%s\"\n", id);
>> +
>> +       key = keyring_search(make_key_ref(keyring, 1),
>> +                            &key_type_asymmetric, id);
>> +       if (IS_ERR(key))
>> +               pr_debug("Request for module key '%s' err %ld\n",
>> +                        id, PTR_ERR(key));
>> +       kfree(id);
>> +
>> +       if (IS_ERR(key)) {
>> +               switch (PTR_ERR(key)) {
>> +                       /* Hide some search errors */
>> +               case -EACCES:
>> +               case -ENOTDIR:
>> +               case -EAGAIN:
>> +                       return ERR_PTR(-ENOKEY);
>> +               default:
>> +                       return ERR_CAST(key);
>> +               }
>> +       }
>> +
>> +       pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key_ref_to_ptr(key)));
>> +       return key_ref_to_ptr(key);
>> +}
>> +
>> +/*
>>   * Set up the signature parameters in an X.509 certificate.  This involves
>>   * digesting the signed data and extracting the signature.
>>   */
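Review bot: the debug message `pr_debug("Request for module key '%s' err %ld\n", ...)` in x509_request_asymmetric_key() still speaks of a module key, although this helper is a generic X.509 lookup in whatever keyring the caller passes; the wording should follow the comment above it ("Find a key in the given keyring by issuer and authority"). The hand-built identifier (kmalloc, two memcpy calls and the manual ':' and ' ' stores) could be one `kasprintf(GFP_KERNEL, "%.*s: %.*s", (int)signer_len, signer, (int)auth_len, authority)`, which removes the length arithmetic the current code has to get exactly right.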
>> @@ -103,6 +151,36 @@ int x509_check_signature(const struct public_key *pub,
>>  EXPORT_SYMBOL_GPL(x509_check_signature);
>>
>>  /*
>> + * Check the new certificate against the ones in the trust keyring.  If one of
>> + * those is the signing key and validates the new certificate, then mark the
>> + * new certificate as being trusted.
>> + *
>> + * Return 0 if the new certificate was successfully validated, 1 if we couldn't
>> + * find a matching parent certificate in the trusted list and an error if there
>> + * is a matching certificate but the signature check fails.
>> + */
>> +static int x509_validate_trust(struct x509_certificate *cert,
>> +                              struct key *trust_keyring)
>> +{
>> +       const struct public_key *pk;
>> +       struct key *key;
>> +       int ret = 1;
>> +
>> +       if (!trust_keyring)
>> +               return -EOPNOTSUPP;
>> +
>> +       key = x509_request_asymmetric_key(trust_keyring,
>> +                                         cert->issuer, strlen(cert->issuer),
>> +                                         cert->authority,
>> +                                         strlen(cert->authority));
>> +       if (!IS_ERR(key))  {
>> +               pk = key->payload.data;
>> +               ret = x509_check_signature(pk, cert);
>> +       }
>> +       return ret;
>> +}
>> +
>> +/*
>>   * Attempt to parse a data blob for a key as an X509 certificate.
>>   */
>>  static int x509_key_preparse(struct key_preparsed_payload *prep)
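Review bot: the key reference obtained in x509_validate_trust() is never released: keyring_search() returns a referenced key, `pk = key->payload.data` only borrows the payload, and the function returns without `key_put(key)`, so every successful lookup leaks a reference on the trusted key. The header comment also promises three outcomes (0, 1, or a signature-check error), but `if (!trust_keyring) return -EOPNOTSUPP;` adds a fourth; either document it or fold it into the "no matching parent" case and return 1.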
>> @@ -155,9 +233,13 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
>>         /* Check the signature on the key if it appears to be self-signed */
>>         if (!cert->authority ||
>>             strcmp(cert->fingerprint, cert->authority) == 0) {
>> -               ret = x509_check_signature(cert->pub, cert);
>> +               ret = x509_check_signature(cert->pub, cert); /* self-signed */
>>                 if (ret < 0)
>>                         goto error_free_cert;
>> +       } else {
>> +               ret = x509_validate_trust(cert, get_system_trusted_keyring());
>> +               if (!ret)
>> +                       prep->trusted = 1;

Actually, this can be like this:

>> +       } else if (!prep->trusted)
>> +               ret = x509_validate_trust(cert, get_system_trusted_keyring());
>> +               if (!ret)
>> +                       prep->trusted = 1;

>>         }
>>
>>         /* Propose a description */
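Review bot: the variant suggested above, `} else if (!prep->trusted)` without braces, leaves the following `if (!ret) prep->trusted = 1;` outside the else branch and the closing `}` of the block unmatched, so the braces have to stay: `} else if (!prep->trusted) {`. Independently of that, the else branch as posted never checks `ret < 0`, whereas the self-signed branch does `goto error_free_cert`; if a certificate whose issuer is present in the trusted keyring but whose signature fails is meant to be added as untrusted rather than rejected, a comment should say so, because the two branches now treat a failed x509_check_signature() differently.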
>> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
>> index 8dabc39..72665eb 100644
>> --- a/include/keys/system_keyring.h
>> +++ b/include/keys/system_keyring.h
>> @@ -17,7 +17,15 @@
>>  #include <linux/key.h>
>>
>>  extern struct key *system_trusted_keyring;
>> -
>> +static inline struct key *get_system_trusted_keyring(void)
>> +{
>> +       return system_trusted_keyring;
>> +}
>> +#else
>> +static inline struct key *get_system_trusted_keyring(void)
>> +{
>> +       return NULL;
>> +}
>>  #endif
>>
>>  #endif /* _KEYS_SYSTEM_KEYRING_H */
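Review bot: with the new `#else` stub, get_system_trusted_keyring() returns NULL whenever the system trusted keyring is not configured, and x509_validate_trust() then turns that into -EOPNOTSUPP for every certificate that is not self-signed; if that is the intended behaviour, a short comment on the stub would help. The blank line removed between `extern struct key *system_trusted_keyring;` and the inline helper should probably stay for readability.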
>> --
>> 1.8.1.4
>>