From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: dhowells@redhat.com, jwboyer@redhat.com, keyrings@linux-nfs.org,
	linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1a 1/2] KEYS: validate certificate trust only with selected owner key
Date: Tue, 17 Jun 2014 11:58:04 +0300
Message-ID: <53A0031C.5070500@samsung.com>
In-Reply-To: <1402919001.2527.11.camel@dhcp-9-2-203-236.watson.ibm.com>

On 16/06/14 14:43, Mimi Zohar wrote:
> On Thu, 2014-06-12 at 23:17 +0300, Dmitry Kasatkin wrote:
>> Instead of allowing public keys, with certificates signed by any
>> key on the system trusted keyring, to be added to a trusted keyring,
>> this patch further restricts the certificates to those signed by a
>> particular key on the system keyring.
>>
>> This patch defines a new kernel parameter 'keys_ownerid' to specify
>> owner's key id which must be used for trust validation of certificates.
>>
>> Idea belongs to Mimi Zohar.
>>
>> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
>> ---
>>  Documentation/kernel-parameters.txt      |  5 +++++
>>  crypto/asymmetric_keys/x509_public_key.c | 23 +++++++++++++++++++++++
>>  2 files changed, 28 insertions(+)
>>
>> diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
>> index 7116fda..7a810d3 100644
>> --- a/Documentation/kernel-parameters.txt
>> +++ b/Documentation/kernel-parameters.txt
>> @@ -1434,6 +1434,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
>>  			use the HighMem zone if it exists, and the Normal
>>  			zone if it does not.
>>
>> +	keys_ownerid=[KEYS] This parameter identifies a specific key(s) on
>> +			the system trusted keyring to be used for certificate
>> +			trust validation.
>> +			format: id:<keyid>
>> +
>>  	kgdbdbgp=	[KGDB,HW] kgdb over EHCI usb debug port.
>>  			Format: <Controller#>[,poll interval]
>>  			The controller # is the number of the ehci usb debug
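Review bot: the new `keys_ownerid=` entry says "a specific key(s)" while the code in this patch stores a single `owner_keyid` and accepts exactly one `id:<keyid>` value, so either drop the "(s)" or document how several ids are given. The text should also state that `<keyid>` is compared against the trailing bytes of the certificate's authority key id (a partial match, not an exact one), and what a value without the `id:` prefix does: it is silently ignored and trust validation falls back to any key on the system keyring, which is the behaviour this parameter exists to restrict.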
>> diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
>> index 7a9b386..d46b790 100644
>> --- a/crypto/asymmetric_keys/x509_public_key.c
>> +++ b/crypto/asymmetric_keys/x509_public_key.c
>> @@ -24,6 +24,19 @@
>>  #include "public_key.h"
>>  #include "x509_parser.h"
>>
>> +static char *owner_keyid;
>> +static int __init default_owner_keyid_set(char *str)
>> +{
>> +	if (!str)		/* default system keyring */
>> +		return 1;
>> +
>> +	if (strncmp(str, "id:", 3) == 0)
>> +		owner_keyid = str;	/* owner local key 'id:xxxxxx' */
>> +
>> +	return 1;
>> +}
>> +__setup("keys_ownerid=", default_owner_keyid_set);
>> +
>>  /*
>>   * Find a key in the given keyring by issuer and authority.
>>   */
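Review bot: `default_owner_keyid_set()` accepts malformed input without complaint: a value lacking the `id:` prefix is dropped with no message, and `keys_ownerid=id:` with nothing after the prefix is stored as-is, so a typo on the command line leaves the old behaviour (any key on the system keyring is trusted) with nothing in dmesg to show it. Suggest validating once here and warning on the bad cases, e.g.
	if (strncmp(str, "id:", 3) != 0 || str[3] == '\0')
		pr_warn("keys_ownerid: ignoring malformed value '%s'\n", str);
so the validation path only ever sees a well-formed, non-empty id. As the string is only read, `owner_keyid` can also be `const char *`.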
>> @@ -169,6 +182,16 @@ static int x509_validate_trust(struct x509_certificate *cert,
>>  	if (!trust_keyring)
>>  		return -EOPNOTSUPP;
>>
>> +	if (owner_keyid) {
>> +		/* validate trust only with the owner_keyid if specified */
>> +		/* partial match of keyid according to the asymmetric_type.c */
>> +		int idlen = strlen(owner_keyid) - 3; /* - id: */
>> +		int authlen = strlen(cert->authority);
>> +		char *auth = cert->authority + authlen - idlen;
>> +		if (idlen > authlen || strcasecmp(owner_keyid + 3, auth))
>> +			return -EPERM;
>> +	}
>> +
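Review bot: `auth` is computed from `idlen` before the `idlen > authlen` check, so when the configured id is longer than `cert->authority` the pointer is formed before the start of the buffer; the `||` short-circuits before it is dereferenced, but the arithmetic belongs after the check, not before it. In the same block an empty id (`keys_ownerid=id:`) yields `idlen == 0`, `auth` pointing at the terminating NUL of `cert->authority`, and `strcasecmp("", "")` returning 0, so the restriction matches every certificate rather than failing closed; a zero-length id should be rejected. Minor: `idlen` and `authlen` are `int` while `strlen()` returns `size_t`, worth cleaning up at the same time.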
> We shouldn't hard code the test here, but use the key type's match
> function.  For example, the "KEYS: define an owner trusted keyring" (v4)
> patch defined a key_match() function.  
>
> thanks,

Right.

I addressed this in the following patchset.

Thanks.


>
> Mimi
>
>>  	key = x509_request_asymmetric_key(trust_keyring,
>>  					  cert->issuer, strlen(cert->issuer),
>>  					  cert->authority,


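The check the commit message describes, as an added example that is not part of this patch or of the kernel: a userspace C model of the owner-key-id match (the trailing-bytes comparison the hunk refers to as the asymmetric_type.c partial match) in a form that fails closed on the two parameter-handling edge cases, rejecting an empty id after `id:` instead of matching every certificate, and doing the length check before any pointer arithmetic. The function names (`parse_ownerid`, `ownerid_matches`, `ownerid_validate`) and the sample authority key id are assumptions of this example.

```c
/*
 * Added example, not part of the patch or of the kernel: a userspace model
 * of the keys_ownerid check as a hardened version of the hunk could behave.
 * Function names and the sample authority key id are this example's own.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Parse a "keys_ownerid=" value.  Only the "id:<hex>" form is accepted and
 * the hex part must be non-empty: an empty suffix would match the trailing
 * zero bytes of every authority key id and silently disable the restriction.
 * Returns 0 and sets *id_out on success, -EINVAL otherwise.
 */
int parse_ownerid(const char *param, const char **id_out)
{
	if (!param || strncmp(param, "id:", 3) != 0)
		return -EINVAL;
	if (param[3] == '\0')
		return -EINVAL;
	*id_out = param + 3;
	return 0;
}

/*
 * Partial key-id match: the configured id must equal the trailing bytes of
 * the certificate's authority key id (hex text, compared case-insensitively).
 * The length check runs before the pointer arithmetic, so an id longer than
 * the authority never forms a pointer before the start of the buffer.
 * Returns 1 on match, 0 otherwise.
 */
int ownerid_matches(const char *id, const char *authority)
{
	size_t idlen, authlen;

	if (!id || !authority)
		return 0;
	idlen = strlen(id);
	authlen = strlen(authority);
	if (idlen == 0 || idlen > authlen)
		return 0;
	return strcasecmp(id, authority + (authlen - idlen)) == 0;
}

/*
 * The trust decision made before the signing key is looked up: 0 when the
 * authority is the configured owner key, -EPERM when it is some other key,
 * -EINVAL when the parameter itself is malformed (fail closed, not open).
 */
int ownerid_validate(const char *param, const char *authority)
{
	const char *id;
	int ret = parse_ownerid(param, &id);

	if (ret)
		return ret;
	return ownerid_matches(id, authority) ? 0 : -EPERM;
}

int main(void)
{
	/* Constructed sample: a 20-byte authority key id rendered as hex. */
	const char *authority = "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334";
	const char *params[] = { "id:8f9001122334", "id:8F9001122334",
				 "id:deadbeef", "id:", "8f9001122334", NULL };

	for (int i = 0; params[i]; i++)
		printf("%-18s -> %d\n", params[i],
		       ownerid_validate(params[i], authority));
	return 0;
}
```

The first two parameters match (the comparison is case-insensitive, as in the patch), `id:deadbeef` is refused with -EPERM, and both malformed values are refused with -EINVAL rather than being ignored.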