From: Denis Kenzior <denkenz@gmail.com>
To: ell@lists.01.org
Subject: Re: [PATCH 1/4] key: Add cert chain validation capability to keyring
Date: Mon, 24 Oct 2016 11:01:14 -0500	[thread overview]
Message-ID: <580E304A.1040301@gmail.com> (raw)
In-Reply-To: <20161021205226.419-1-mathew.j.martineau@linux.intel.com>


Hi Mat,

On 10/21/2016 03:52 PM, Mat Martineau wrote:
> Verifying certificate chains was a little awkward using the
> L_KEYRING_TRUSTED_ASYM keyring type, which required verifying the
> signature and then separately adding the verified certificate to the
> "trusted" keyring.
>
> With L_KEYRING_TRUSTED_ASYM_CHAIN, the destination keyring is also
> searched for signing keys.
>
> One use model is to have two keyrings:
>
>   1. trust_keyring: contains long-lived root and intermediate CA certs.
>   2. verify_keyring: an L_KEYRING_TRUSTED_ASYM_CHAIN keyring that
>                      is created with "trust_keyring" referenced for
>                      trusted certificates.
>
> In order to validate new certificates, they are added to verify_keyring
> in series, starting with certs that are signed by those in
> trust_keyring. Once an intermediate CA cert is added to verify_keyring,
> certs signed by that intermediate CA can also be added to verify_keyring.
> ---
>   ell/key.c | 22 ++++++++++++++++------
>   ell/key.h |  3 ++-
>   2 files changed, 18 insertions(+), 7 deletions(-)
>

All four applied, thanks.

Regards,
-Denis
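The two-keyring flow described in the quoted commit message, as an added Python model that is not ELL's l_key API or the kernel keyring code: the `Keyring` class, the dict-based certificate layout and the tiny textbook-RSA keys are all constructed stand-ins, chosen so the ordering constraint (certificates must be added to `verify_keyring` in series, issuer before subject) and its failure modes can be run offline.

```python
import hashlib

# Constructed toy keys: tiny primes so textbook RSA runs offline.
# Hypothetical stand-in for the kernel's asymmetric key type; not secure.
TOY_PRIMES = [(1000003, 1000033), (1000037, 1000039), (1000081, 1000099)]


def toy_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) for a toy RSA keypair."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _digest_int(data, n):
    # Hash the signed bytes and reduce into the key's modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data, n)


def cert_body(cert):
    """The bytes a CA signs: subject, issuer and the subject's public key."""
    n, e = cert["pubkey"]
    return f'{cert["subject"]}|{cert["issuer"]}|{n}|{e}'.encode()


def make_cert(subject, issuer, pubkey, issuer_priv):
    cert = {"subject": subject, "issuer": issuer, "pubkey": pubkey, "sig": 0}
    cert["sig"] = sign(issuer_priv, cert_body(cert))
    return cert


class Keyring:
    """Model of a keyring (constructed, not ELL's struct l_keyring).

    With trusted=None it is unrestricted, like trust_keyring in the
    commit message. With a trusted keyring it models the
    L_KEYRING_TRUSTED_ASYM_CHAIN behaviour: a cert is accepted only if
    its issuer's key is found in the trusted keyring or in this keyring
    and the cert's signature verifies under that key."""

    def __init__(self, trusted=None):
        self.trusted = trusted
        self.keys = {}  # subject -> public key

    def find_signer(self, issuer):
        # Search the referenced trust keyring first, then this keyring.
        for ring in (self.trusted, self):
            if ring is not None and issuer in ring.keys:
                return ring.keys[issuer]
        return None

    def add(self, cert):
        if self.trusted is not None:
            signer = self.find_signer(cert["issuer"])
            if signer is None or not verify(signer, cert_body(cert), cert["sig"]):
                return False
        self.keys[cert["subject"]] = cert["pubkey"]
        return True


def run_chain_demo():
    """Walk the two-keyring flow; returns the outcome of each add() call."""
    (root_pub, root_priv), (ca_pub, ca_priv), (leaf_pub, _) = (
        toy_keypair(p, q) for p, q in TOY_PRIMES)
    root = make_cert("root", "root", root_pub, root_priv)
    intermediate = make_cert("intermediate", "root", ca_pub, root_priv)
    leaf = make_cert("leaf", "intermediate", leaf_pub, ca_priv)

    trust_keyring = Keyring()             # long-lived root CA lives here
    trust_keyring.add(root)
    verify_keyring = Keyring(trusted=trust_keyring)

    leaf_too_early = verify_keyring.add(leaf)           # issuer unknown yet
    intermediate_ok = verify_keyring.add(intermediate)  # signed by trusted root
    leaf_ok = verify_keyring.add(leaf)                  # signer now in verify_keyring

    forged = dict(leaf, subject="evil")                 # body changed, signature stale
    forged_ok = verify_keyring.add(forged)
    return leaf_too_early, intermediate_ok, leaf_ok, forged_ok


if __name__ == "__main__":
    print(run_chain_demo())  # (False, True, True, False)
```

The first `add(leaf)` fails because neither keyring holds the intermediate's key yet; once the intermediate has been accepted into `verify_keyring`, the leaf chains through it, and a certificate whose body no longer matches its signature is rejected even though its issuer is known.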

