From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: David Howells <dhowells@redhat.com>
Cc: rusty@rustcorp.com.au, keyrings@linux-nfs.org,
jwboyer@redhat.com, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, pjones@redhat.com,
vgoyal@redhat.com
Subject: Re: [PATCH 08/13] KEYS: Overhaul key identification when searching for asymmetric keys
Date: Fri, 03 Oct 2014 15:23:24 +0300
Message-ID: <542E953C.3010705@samsung.com>
In-Reply-To: <28438.1412338372@warthog.procyon.org.uk>
On 03/10/14 15:12, David Howells wrote:
> Dmitry Kasatkin <d.kasatkin@samsung.com> wrote:
>
>> Also I noticed that the output of 'keyctl show' and 'cat /proc/keys' has
>> also changed with respect to certificate ids.
>>
>> Those ids do not look anywhere close to my kernel X509 X509v3 Subject Key
>> Identifier, which is:
>> 92:63:05:D6:DD:A6:6F:47:13:9E:B4:E3:CB:25:A6:AD:EF:52:7F:08
>>
>> /proc/keys shows
>>
>> symmetri Magrathea: Glacier signing key: d9e2e4c6951f1e83: X509.RSA
>> 6865612e68326732 []
>>
>> Very different ids..
>>
>> How could I match certificate now?
> There are two IDs available:
>
> id: serial number + issuer
> skid: subjKeyId + subject
>
> You can use either of them and their content is somewhat negotiable. Note
> that they are both compound IDs at this point.
>
> We have to move away from using subjKeyId for module signatures because we
> have to be able to deal with keys that don't have one. Blech, but the PKCS
> specs suck somewhat.
>
> This is why I want to move to using detached-data PKCS#7 certs as the
> signature. We have the PKCS#7 handling in the kernel now for doing kexec.
I looked at the code and understood...
See my patches please.
- Dmitry
> David
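An added example (not code from this thread or from the kernel tree) that models the two compound IDs David lists and a matcher that accepts either one, showing why the bare Subject Key Identifier Dmitry quotes no longer matches on its own. It assumes each ID is the plain concatenation of its two DER-encoded components (the kernel's actual encoding may differ) and uses a constructed serial number and issuer name, since the thread gives neither.

```python
# Added example, not code from the thread or the kernel tree. It models the two
# compound asymmetric key IDs described above (id = serial + issuer and
# skid = subjKeyId + subject). ASSUMPTIONS: an ID is the plain concatenation of
# its two DER-encoded parts (the real kernel encoding may differ), Names are
# built by a minimal DER encoder that knows only commonName, and the serial
# number and issuer name below are constructed sample values.

OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value, handling short and long-form lengths."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body

def der_name(common_name: str) -> bytes:
    """Name ::= SEQUENCE OF RDN, with a single RDN SET holding CN=<common_name>."""
    cn_value = der_tlv(0x0C, common_name.encode())  # UTF8String
    atv = der_tlv(0x30, der_tlv(0x06, OID_COMMON_NAME) + cn_value)
    return der_tlv(0x30, der_tlv(0x31, atv))

def serial_bytes(serial: int) -> bytes:
    """Content octets of a positive INTEGER (leading 0x00 when the top bit is set)."""
    return serial.to_bytes((serial.bit_length() + 8) // 8, "big")

class KernelKey:
    """A key on the keyring, carrying both compound IDs from its certificate."""
    def __init__(self, description, serial, issuer_cn, skid, subject_cn):
        self.description = description
        self.id = serial_bytes(serial) + der_name(issuer_cn)  # id: serial number + issuer
        self.skid = skid + der_name(subject_cn)               # skid: subjKeyId + subject

def find_key(keyring, wanted: bytes):
    """Return the key whose 'id' or 'skid' equals the wanted ID exactly, else None."""
    return next((k for k in keyring if wanted in (k.id, k.skid)), None)

# Page values: the Subject Key Identifier and subject quoted in the thread.
# Constructed: serial 0x1001 and the issuer CN (the thread gives neither).
PAGE_SKID = bytes.fromhex("926305D6DDA66F47139EB4E3CB25A6ADEF527F08")
SUBJECT_CN = "Magrathea: Glacier signing key"
KEYRING = [KernelKey(SUBJECT_CN, 0x1001, "Constructed Issuer CA", PAGE_SKID, SUBJECT_CN)]

def demo():
    """Bare SKID misses; skid+subject and serial+issuer both find the same key."""
    bare = find_key(KEYRING, PAGE_SKID)
    by_skid = find_key(KEYRING, PAGE_SKID + der_name(SUBJECT_CN))
    by_id = find_key(KEYRING, serial_bytes(0x1001) + der_name("Constructed Issuer CA"))
    return (bare is None, by_skid.description, by_id.description)
```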