From: Dmitry Kasatkin <d.kasatkin@samsung.com>
To: David Howells <dhowells@redhat.com>
Cc: zohar@linux.vnet.ibm.com, linux-ima-devel@lists.sourceforge.net,
linux-security-module@vger.kernel.org, jmorris@namei.org,
rusty@rustcorp.com.au, keyrings@linux-nfs.org,
linux-kernel@vger.kernel.org, dmitry.kasatkin@gmail.com
Subject: Re: [PATCH 3/4] module: search the key only by keyid
Date: Fri, 03 Oct 2014 16:08:56 +0300 [thread overview]
Message-ID: <542E9FE8.2070009@samsung.com> (raw)
In-Reply-To: <542E9C65.4030208@samsung.com>
On 03/10/14 15:53, Dmitry Kasatkin wrote:
> On 03/10/14 15:49, Dmitry Kasatkin wrote:
>> On 03/10/14 15:46, David Howells wrote:
>>> Dmitry Kasatkin <d.kasatkin@samsung.com> wrote:
>>>
>>>> Latest KEYS code change the way keys identified and module
>>>> signing keys are not searchable anymore with original id.
>>>>
>>>> This patch fixes this problem without change module signature
>>>> data.
>>> This isn't sufficient. The key search must also include the signer.
BTW. But actually why signer is needed to find the key?
Every key has unique fingerprint.
Or you say that different certificates might have the same PK?
What I would consider strange. But anyway, if PK is the same, then
verification succeed.
- Dmitry
>> IMA uses "id:<id>" partial matching.. There is no signer in the signature.
>> It is added as "last resort"
>>
>> It is here... the same but I renamed with finger print..
>>
>> http://git.kernel.org/cgit/linux/kernel/git/kasatkin/linux-digsig.git/commit/?h=keys-fixes&id=f036bb9a4c1b3c548f315226d3284e6a91d284e7
>>
>> - Dmitry
>>
>>
> For module actually I made it as a fix because it was broken.
> Other requires changes in module signature format...
>
> - Dmitry
>
>
next prev parent reply other threads:[~2014-10-03 13:09 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-03 9:09 [PATCH 0/4] KEYS fixes Dmitry Kasatkin
2014-10-03 9:09 ` [PATCH 1/4] KEYS: handle error code encoded in pointer Dmitry Kasatkin
2014-10-03 12:46 ` David Howells
2014-10-03 9:09 ` [PATCH 2/4] KEYS: provide pure subject key identifier (fingerprint) as key id Dmitry Kasatkin
2014-10-06 13:51 ` David Howells
2014-10-03 9:09 ` [PATCH 3/4] module: search the key only by keyid Dmitry Kasatkin
2014-10-03 12:46 ` David Howells
2014-10-03 12:49 ` Dmitry Kasatkin
2014-10-03 12:53 ` Dmitry Kasatkin
2014-10-03 13:08 ` Dmitry Kasatkin [this message]
2014-10-03 13:40 ` David Howells
2014-10-03 14:00 ` Dmitry Kasatkin
2014-10-06 12:44 ` James Morris
2014-10-06 17:14 ` Dmitry Kasatkin
2014-10-06 19:39 ` Mimi Zohar
2014-10-03 9:09 ` [PATCH 4/4] integrity: do zero padding of the key id Dmitry Kasatkin
2014-10-03 10:43 ` [PATCH 0/4] KEYS fixes Dmitry Kasatkin
2014-10-03 14:19 ` Mimi Zohar
2014-10-03 15:54 ` [PATCH] X.509: If available, use the raw subjKeyId to form the key description David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=542E9FE8.2070009@samsung.com \
--to=d.kasatkin@samsung.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=jmorris@namei.org \
--cc=keyrings@linux-nfs.org \
--cc=linux-ima-devel@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=rusty@rustcorp.com.au \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox