From: Roberto Sassu <roberto.sassu@huawei.com> To: <dhowells@redhat.com>, <dwmw2@infradead.org>, <herbert@gondor.apana.org.au>, <davem@davemloft.net> Cc: <keyrings@vger.kernel.org>, <linux-crypto@vger.kernel.org>, <linux-integrity@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <silviu.vlasceanu@huawei.com>, Roberto Sassu <roberto.sassu@huawei.com> Subject: [RFC][PATCH 09/12] verification: introduce verify_pgp_signature() Date: Mon, 12 Nov 2018 11:24:20 +0100 [thread overview] Message-ID: <20181112102423.30415-10-roberto.sassu@huawei.com> (raw) In-Reply-To: <20181112102423.30415-1-roberto.sassu@huawei.com> Introduce verify_pgp_signature() to to verify PGP signatures from data or a digest. One user of this function would be IMA, that can verify the signature of RPM headers when appraisal is enabled. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> --- certs/system_keyring.c | 39 ++++++++++++++++++++++++++++++++++++ include/linux/verification.h | 5 +++++ 2 files changed, 44 insertions(+) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 81728717523d..e4c59a5c7a9d 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -19,6 +19,7 @@ #include <keys/asymmetric-type.h> #include <keys/system_keyring.h> #include <crypto/pkcs7.h> +#include <linux/pgp_sig.h> static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING @@ -265,4 +266,42 @@ int verify_pkcs7_signature(const void *data, size_t len, } EXPORT_SYMBOL_GPL(verify_pkcs7_signature); +/** + * verify_pgp_signature - Verify a PGP-based signature on system data. + * @data: The data to be verified (NULL if expecting internal data). + * @len: Size of @data. + * @digest: Digest for signature verification. + * @digest_size: Size of @digest. + * @raw_pgp: The PGP message that is the signature. + * @pgp_len: Size of @raw_pgp. + * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only, + * (void *)1UL for all trusted keys). + */ +int verify_pgp_signature(const void *data, size_t len, + const void *digest, size_t digest_size, + const void *raw_pgp, size_t pgp_len, + struct key *trusted_keys) +{ + int ret = -ENOTSUPP; + +#ifdef CONFIG_PGP_KEY_PARSER + if (!trusted_keys) { + trusted_keys = builtin_trusted_keys; + } else if (trusted_keys == (void *)1UL) { +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING + trusted_keys = secondary_trusted_keys; +#else + trusted_keys = builtin_trusted_keys; +#endif + } + + ret = pgp_verify_sig(trusted_keys, data, len, digest, digest_size, + raw_pgp, pgp_len); + +#endif /* CONFIG_PGP_KEY_PARSER */ + + return ret; +} +EXPORT_SYMBOL_GPL(verify_pgp_signature); + #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ diff --git a/include/linux/verification.h b/include/linux/verification.h index cfa4730d607a..6fd7bf60efaa 100644 --- a/include/linux/verification.h +++ b/include/linux/verification.h @@ -45,6 +45,11 @@ extern int verify_pkcs7_signature(const void *data, size_t len, size_t asn1hdrlen), void *ctx); +extern int verify_pgp_signature(const void *data, size_t len, + const void *digest, size_t digest_size, + const void *raw_pgp, size_t pgp_len, + struct key *trusted_keys); + #ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION extern int verify_pefile_signature(const void *pebuf, unsigned pelen, struct key *trusted_keys, -- 2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Roberto Sassu <roberto.sassu@huawei.com> To: dhowells@redhat.com, dwmw2@infradead.org, herbert@gondor.apana.org.au, davem@davemloft.net Cc: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, silviu.vlasceanu@huawei.com, Roberto Sassu <roberto.sassu@huawei.com> Subject: [RFC][PATCH 09/12] verification: introduce verify_pgp_signature() Date: Mon, 12 Nov 2018 10:24:20 +0000 [thread overview] Message-ID: <20181112102423.30415-10-roberto.sassu@huawei.com> (raw) In-Reply-To: <20181112102423.30415-1-roberto.sassu@huawei.com> Introduce verify_pgp_signature() to to verify PGP signatures from data or a digest. One user of this function would be IMA, that can verify the signature of RPM headers when appraisal is enabled. Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com> --- certs/system_keyring.c | 39 ++++++++++++++++++++++++++++++++++++ include/linux/verification.h | 5 +++++ 2 files changed, 44 insertions(+) diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 81728717523d..e4c59a5c7a9d 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -19,6 +19,7 @@ #include <keys/asymmetric-type.h> #include <keys/system_keyring.h> #include <crypto/pkcs7.h> +#include <linux/pgp_sig.h> static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING @@ -265,4 +266,42 @@ int verify_pkcs7_signature(const void *data, size_t len, } EXPORT_SYMBOL_GPL(verify_pkcs7_signature); +/** + * verify_pgp_signature - Verify a PGP-based signature on system data. + * @data: The data to be verified (NULL if expecting internal data). + * @len: Size of @data. + * @digest: Digest for signature verification. + * @digest_size: Size of @digest. + * @raw_pgp: The PGP message that is the signature. + * @pgp_len: Size of @raw_pgp. + * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only, + * (void *)1UL for all trusted keys). + */ +int verify_pgp_signature(const void *data, size_t len, + const void *digest, size_t digest_size, + const void *raw_pgp, size_t pgp_len, + struct key *trusted_keys) +{ + int ret = -ENOTSUPP; + +#ifdef CONFIG_PGP_KEY_PARSER + if (!trusted_keys) { + trusted_keys = builtin_trusted_keys; + } else if (trusted_keys = (void *)1UL) { +#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING + trusted_keys = secondary_trusted_keys; +#else + trusted_keys = builtin_trusted_keys; +#endif + } + + ret = pgp_verify_sig(trusted_keys, data, len, digest, digest_size, + raw_pgp, pgp_len); + +#endif /* CONFIG_PGP_KEY_PARSER */ + + return ret; +} +EXPORT_SYMBOL_GPL(verify_pgp_signature); + #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ diff --git a/include/linux/verification.h b/include/linux/verification.h index cfa4730d607a..6fd7bf60efaa 100644 --- a/include/linux/verification.h +++ b/include/linux/verification.h @@ -45,6 +45,11 @@ extern int verify_pkcs7_signature(const void *data, size_t len, size_t asn1hdrlen), void *ctx); +extern int verify_pgp_signature(const void *data, size_t len, + const void *digest, size_t digest_size, + const void *raw_pgp, size_t pgp_len, + struct key *trusted_keys); + #ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION extern int verify_pefile_signature(const void *pebuf, unsigned pelen, struct key *trusted_keys, -- 2.17.1
next prev parent reply other threads:[~2018-11-12 20:26 UTC|newest] Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top 2018-11-12 10:24 [RFC][PATCH 00/12] keys: add support for PGP keys and signatures Roberto Sassu 2018-11-12 10:24 ` Roberto Sassu 2018-11-12 10:24 ` [RFC][PATCH 01/12] mpi: introduce mpi_key_length() Roberto Sassu 2018-11-12 10:24 ` Roberto Sassu 2018-11-12 10:24 ` [RFC][PATCH 02/12] rsa: add parser of raw format Roberto Sassu 2018-11-12 10:24 ` Roberto Sassu 2018-11-12 10:24 ` [RFC][PATCH 03/12] PGPLIB: PGP definitions (RFC 4880) Roberto Sassu 2018-11-12 10:24 ` Roberto Sassu 2018-11-12 10:24 ` [RFC][PATCH 04/12] PGPLIB: Basic packet parser Roberto Sassu 2018-11-12 10:24 ` Roberto Sassu 2018-11-12 10:24 ` [RFC][PATCH 05/12] PGPLIB: Signature parser Roberto Sassu 2018-11-12 10:24 ` Roberto Sassu 2018-11-12 10:24 ` [RFC][PATCH 06/12] KEYS: PGP data parser Roberto Sassu 2018-11-12 10:24 ` Roberto Sassu 2018-11-12 10:24 ` [RFC][PATCH 07/12] KEYS: Provide PGP key description autogeneration Roberto Sassu 2018-11-12 10:24 ` Roberto Sassu 2018-11-12 10:24 ` [RFC][PATCH 08/12] KEYS: PGP-based public key signature verification Roberto Sassu 2018-11-12 10:24 ` Roberto Sassu 2018-11-12 10:24 ` Roberto Sassu [this message] 2018-11-12 10:24 ` [RFC][PATCH 09/12] verification: introduce verify_pgp_signature() Roberto Sassu 2018-11-12 10:24 ` [RFC][PATCH 10/12] PGP: Provide a key type for testing PGP signatures Roberto Sassu 2018-11-12 10:24 ` Roberto Sassu 2018-11-12 10:24 ` [RFC][PATCH 11/12] KEYS: Provide a function to load keys from a PGP keyring blob Roberto Sassu 2018-11-12 10:24 ` Roberto Sassu 2018-11-12 10:24 ` [RFC][PATCH 12/12] KEYS: Introduce load_pgp_public_keyring() Roberto Sassu 2018-11-12 10:24 ` Roberto Sassu 2018-11-12 12:31 ` [RFC][PATCH 04/12] PGPLIB: Basic packet parser David Howells 2018-11-12 12:35 ` [RFC][PATCH 05/12] PGPLIB: Signature parser David Howells 2018-11-12 12:43 ` [RFC][PATCH 08/12] KEYS: PGP-based public key signature verification David Howells 2018-11-12 14:22 ` Roberto Sassu 2018-11-12 14:22 ` Roberto Sassu 2018-12-10 16:58 ` David Howells 2018-12-10 18:04 ` Roberto Sassu 2018-12-10 18:04 ` Roberto Sassu
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20181112102423.30415-10-roberto.sassu@huawei.com \ --to=roberto.sassu@huawei.com \ --cc=davem@davemloft.net \ --cc=dhowells@redhat.com \ --cc=dwmw2@infradead.org \ --cc=herbert@gondor.apana.org.au \ --cc=keyrings@vger.kernel.org \ --cc=linux-crypto@vger.kernel.org \ --cc=linux-integrity@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=silviu.vlasceanu@huawei.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.