From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
petkan@mip-labs.com, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH 03/20] X.509: Allow X.509 certs to be blacklisted [ver #2]
Date: Fri, 05 Feb 2016 11:16:19 -0500 [thread overview]
Message-ID: <1454688979.2648.97.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <25815.1454514412@warthog.procyon.org.uk>
Hi David,
On Wed, 2016-02-03 at 15:46 +0000, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
> > > Allow X.509 certs to be blacklisted based on their TBS hash.
> >
> > What is the TBS hash? This doesn't seem to be the key identifier.
>
> It's the TBSCertificate hash (I'll change to calling it that in the patch
> description). "TBS" stands for "To Be Signed". This is what is hashed for
> the signature to be generated upon - so it's something we have to expend
> resources calculating anyway.
>
> The reason I'm using this is this is what UEFI puts into its blacklist. See:
>
> http://uefi.blogspot.co.uk/2013/09/uefi-24-review-part-13-hash-of.html
>
> To quote:
>
> Now, in the UEFI 2.4 specification, three new types of signatures for
> the black list were added. Specifically, the various recommended forms
> of the To-Be-Signed hash value (160, 256 and 512-bits) which are
> created during the creation of a certificate could be added to the
> black list instead of the certificate itself.
>
> > The cert associated with this key identifier is loaded onto the .ima
> > keyring.
>
> We could also check that. There's no requirement that we only check the TBS -
> but the TBS hash is something we must check.
Ok, but before "IMA: Use the system blacklist keyring" patch, this needs
to be addressed.
> I wonder if I should mark the blacklist key as to what the value it holds
> should be checked against. There's a number of different things we could put
> in there:
>
> (1) TBSCertificate hash.
>
> (2) Subject Key Identifier content.
>
> (3) Authenticode Binary hash (for PE files).
>
> (4) PKCS#7 component digest.
Ok
> > eg: openssl x509 -in <pathname> -inform DER -notext -out
> >
> > <snip>
> >
> > X509v3 extensions:
> > X509v3 Subject Key Identifier:
> >
> > 71:12:39:B3:AB:E6:8D:BF:70:E7:26:DE:C8:4A:3F:5F:17:EF:00:6C
>
> Note that this isn't a mandatoryy field and if it's not present, we have no way
> to calculate it as there's no one standard-defined method.
The hex string appears when displaying the keys. For example,
keyctl show %keyring:.ima shows:
734429129 --als--v 0 0 \_ asymmetric: : local: signing key:
711239b3abe68dbf70e726dec84a3f5f17ef006c
Mimi
next prev parent reply other threads:[~2016-02-05 16:17 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-19 11:30 [RFC PATCH 00/20] KEYS: Restrict additions to 'trusted' keyrings [ver #2] David Howells
2016-01-19 11:30 ` [RFC PATCH 01/20] KEYS: Add an alloc flag to convey the builtinness of a key " David Howells
2016-01-20 18:58 ` Mimi Zohar
2016-02-03 15:30 ` David Howells
2016-01-19 11:30 ` [RFC PATCH 02/20] KEYS: Add a system blacklist keyring " David Howells
2016-01-20 19:31 ` Mimi Zohar
2016-01-20 20:26 ` Mimi Zohar
2016-02-03 15:27 ` David Howells
2016-02-08 13:34 ` Mimi Zohar
2016-02-08 13:55 ` David Howells
2016-02-08 15:03 ` Mimi Zohar
2016-02-08 15:53 ` How to add additional blacklist entries? David Howells
2016-02-08 16:32 ` Mimi Zohar
2016-02-08 16:43 ` David Howells
2016-02-08 19:28 ` Mimi Zohar
2016-02-09 10:42 ` David Howells
2016-02-10 14:07 ` Mimi Zohar
2016-02-08 14:55 ` [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2] David Howells
2016-02-08 16:39 ` Mimi Zohar
2016-02-19 11:48 ` David Howells
2016-02-03 15:29 ` David Howells
2016-01-19 11:30 ` [RFC PATCH 03/20] X.509: Allow X.509 certs to be blacklisted " David Howells
2016-01-20 20:33 ` Mimi Zohar
2016-02-03 15:46 ` David Howells
2016-02-05 16:16 ` Mimi Zohar [this message]
2016-01-19 11:30 ` [RFC PATCH 04/20] X.509: Don't treat self-signed keys specially " David Howells
2016-01-20 20:40 ` Mimi Zohar
2016-01-19 11:31 ` [RFC PATCH 05/20] KEYS: Generalise system_verify_data() to provide access to internal content " David Howells
2016-01-19 11:31 ` [RFC PATCH 06/20] PKCS#7: Make trust determination dependent on contents of trust keyring " David Howells
2016-01-19 11:31 ` [RFC PATCH 07/20] KEYS: Add a facility to restrict new links into a " David Howells
2016-02-08 11:59 ` Mimi Zohar
2016-02-29 15:49 ` David Howells
2016-01-19 11:31 ` [RFC PATCH 08/20] KEYS: Allow authentication data to be stored in an asymmetric key " David Howells
2016-01-19 11:31 ` [RFC PATCH 09/20] KEYS: Add identifier pointers to public_key_signature struct " David Howells
2016-01-19 11:31 ` [RFC PATCH 10/20] X.509: Retain the key verification data " David Howells
2016-01-19 11:31 ` [RFC PATCH 11/20] X.509: Extract signature digest and make self-signed cert checks earlier " David Howells
2016-01-19 11:31 ` [RFC PATCH 12/20] PKCS#7: Make the signature a pointer rather than embedding it " David Howells
2016-02-08 12:00 ` Mimi Zohar
2016-02-19 11:56 ` David Howells
2016-01-19 11:32 ` [RFC PATCH 13/20] X.509: Move the trust validation code out to its own file " David Howells
2016-02-08 11:59 ` Mimi Zohar
2016-01-19 11:32 ` [RFC PATCH 14/20] KEYS: Generalise x509_request_asymmetric_key() " David Howells
2016-02-08 11:59 ` Mimi Zohar
2016-01-19 11:32 ` [RFC PATCH 15/20] KEYS: Move the point of trust determination to __key_link() " David Howells
2016-01-19 11:32 ` [RFC PATCH 16/20] KEYS: Remove KEY_FLAG_TRUSTED and KEY_ALLOC_TRUSTED " David Howells
2016-01-19 11:32 ` [RFC PATCH 17/20] PKCS#7: Handle blacklisted certificates " David Howells
2016-01-19 11:32 ` [RFC PATCH 18/20] IMA: Use the system blacklist keyring " David Howells
2016-02-10 19:12 ` Mimi Zohar
2016-02-19 11:58 ` David Howells
2016-02-19 12:16 ` Mimi Zohar
2016-01-19 11:32 ` [RFC PATCH 19/20] certs: Add a secondary system keyring that can be added to dynamically " David Howells
2016-01-19 11:32 ` [RFC PATCH 20/20] IMA: Replace the .ima_mok keyring with the secondary system keyring " David Howells
2016-01-20 17:24 ` [RFC PATCH 00/20] KEYS: Restrict additions to 'trusted' keyrings " Petko Manolov
2016-01-20 18:57 ` Mimi Zohar
2016-02-03 15:47 ` David Howells
2016-02-03 15:56 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1454688979.2648.97.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=petkan@mip-labs.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).