From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Dmitry Kasatkin <d.kasatkin@samsung.com>
Cc: dhowells@redhat.com, jmorris@namei.org, roberto.sassu@polito.it,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 01/20] KEYS: verify a certificate is signed by a 'trusted' key
Date: Thu, 24 Apr 2014 12:53:52 -0400 [thread overview]
Message-ID: <1398358432.2293.17.camel@dhcp-9-2-203-236.watson.ibm.com> (raw)
In-Reply-To: <0f7915604c69374f15cbaf36c499a5d88264e89d.1398259638.git.d.kasatkin@samsung.com>
On Wed, 2014-04-23 at 16:30 +0300, Dmitry Kasatkin wrote:
> From: Mimi Zohar <zohar@linux.vnet.ibm.com>
>
> Only public keys, with certificates signed by an existing
> 'trusted' key on the system trusted keyring, should be added
> to a trusted keyring. This patch adds support for verifying
> a certificate's signature.
>
> This is derived from David Howells pkcs7_request_asymmetric_key() patch.
>
> Changes:
> - Flaged out the code to prevent build break if system keyring
> is not enabled (Dmitry).
An updated version of this patch was posted, which resolves the Kconfig
issues. There are a number of other issues which need to be addressed,
before this patch can be upstreamed. Please refer to the patch
description for more details -
http://marc.info/?l=linux-security-module&m=138672063109662&w=2
Reminder, as per Documentation/SubmittingPatches: "#ifdefs are ugly",
please no ifdefs in C code.
thanks,
Mimi
>
> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Signed-off-by: David Howells <dhowells@redhat.com>
> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
> ---
> crypto/asymmetric_keys/x509_public_key.c | 85 +++++++++++++++++++++++++++++++-
> 1 file changed, 84 insertions(+), 1 deletion(-)
>
> diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
> index 382ef0d..d279f43 100644
> --- a/crypto/asymmetric_keys/x509_public_key.c
> +++ b/crypto/asymmetric_keys/x509_public_key.c
> @@ -18,6 +18,7 @@
> #include <linux/asn1_decoder.h>
> #include <keys/asymmetric-subtype.h>
> #include <keys/asymmetric-parser.h>
> +#include <keys/system_keyring.h>
> #include <crypto/hash.h>
> #include "asymmetric_keys.h"
> #include "public_key.h"
> @@ -102,6 +103,82 @@ int x509_check_signature(const struct public_key *pub,
> }
> EXPORT_SYMBOL_GPL(x509_check_signature);
>
> +#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
> +/*
> + * Find a key in the given keyring by issuer and authority.
> + */
> +static struct key *x509_request_asymmetric_key(
> + struct key *keyring,
> + const char *signer, size_t signer_len,
> + const char *authority, size_t auth_len)
> +{
> + key_ref_t key;
> + char *id;
> +
> + /* Construct an identifier. */
> + id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL);
> + if (!id)
> + return ERR_PTR(-ENOMEM);
> +
> + memcpy(id, signer, signer_len);
> + id[signer_len + 0] = ':';
> + id[signer_len + 1] = ' ';
> + memcpy(id + signer_len + 2, authority, auth_len);
> + id[signer_len + 2 + auth_len] = 0;
> +
> + pr_debug("Look up: \"%s\"\n", id);
> +
> + key = keyring_search(make_key_ref(keyring, 1),
> + &key_type_asymmetric, id);
> + if (IS_ERR(key))
> + pr_debug("Request for module key '%s' err %ld\n",
> + id, PTR_ERR(key));
> + kfree(id);
> +
> + if (IS_ERR(key)) {
> + switch (PTR_ERR(key)) {
> + /* Hide some search errors */
> + case -EACCES:
> + case -ENOTDIR:
> + case -EAGAIN:
> + return ERR_PTR(-ENOKEY);
> + default:
> + return ERR_CAST(key);
> + }
> + }
> +
> + pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key_ref_to_ptr(key)));
> + return key_ref_to_ptr(key);
> +}
> +
> +/*
> + * Check the new certificate against the ones in the trust keyring. If one of
> + * those is the signing key and validates the new certificate, then mark the
> + * new certificate as being trusted.
> + *
> + * Return 0 if the new certificate was successfully validated, 1 if we couldn't
> + * find a matching parent certificate in the trusted list and an error if there
> + * is a matching certificate but the signature check fails.
> + */
> +static int x509_validate_trust(struct x509_certificate *cert,
> + struct key *trust_keyring)
> +{
> + const struct public_key *pk;
> + struct key *key;
> + int ret = 1;
> +
> + key = x509_request_asymmetric_key(trust_keyring,
> + cert->issuer, strlen(cert->issuer),
> + cert->authority,
> + strlen(cert->authority));
> + if (!IS_ERR(key)) {
> + pk = key->payload.data;
> + ret = x509_check_signature(pk, cert);
> + }
> + return ret;
> +}
> +#endif
> +
> /*
> * Attempt to parse a data blob for a key as an X509 certificate.
> */
> @@ -155,9 +232,15 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
> /* Check the signature on the key if it appears to be self-signed */
> if (!cert->authority ||
> strcmp(cert->fingerprint, cert->authority) == 0) {
> - ret = x509_check_signature(cert->pub, cert);
> + ret = x509_check_signature(cert->pub, cert); /* self-signed */
> if (ret < 0)
> goto error_free_cert;
> + } else {
> +#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
> + ret = x509_validate_trust(cert, system_trusted_keyring);
> + if (!ret)
> + prep->trusted = 1;
> +#endif
> }
>
> /* Propose a description */
next prev parent reply other threads:[~2014-04-24 16:54 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-23 13:30 [PATCH 00/20] in-kernel IMA/EVM initialization Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 01/20] KEYS: verify a certificate is signed by a 'trusted' key Dmitry Kasatkin
2014-04-24 16:53 ` Mimi Zohar [this message]
2014-04-24 20:07 ` Dmitry Kasatkin
2014-04-24 21:03 ` Mimi Zohar
2014-04-23 13:30 ` [PATCH 02/20] integrity: initialize EVM before IMA Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 03/20] ima: move asymmetric keys config option Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 04/20] integrity: move integrity subsystem options to a separate menu Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 05/20] integrity: provide builtin 'trusted' keyrings Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 06/20] ima: create '_ima' as a builtin 'trusted' keyring Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 07/20] integrity: provide x509 certificate loading from the kernel Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 08/20] ima: load x509 certificate " Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 09/20] evm: create '_evm' as a builtin 'trusted' keyring Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 10/20] evm: load x509 certificate from the kernel Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 11/20] ima: added kernel parameter for disabling IMA Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 12/20] ima: provide buffer hash calculation function Dmitry Kasatkin
2014-04-24 21:04 ` Mimi Zohar
2014-04-25 14:52 ` Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 13/20] ima: replace opencount with bitop Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 14/20] ima: check if policy was set at open Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 15/20] ima: path based policy loading interface Dmitry Kasatkin
2014-04-24 21:03 ` Mimi Zohar
2014-04-25 15:18 ` Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 16/20] ima: load policy from the kernel Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 17/20] ima: make IMA policy replaceable at runtime Dmitry Kasatkin
2014-05-14 23:45 ` Mimi Zohar
2014-05-15 6:08 ` Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 18/20] evm: added kernel parameter for disabling EVM Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 19/20] evm: try enable EVM from the kernel Dmitry Kasatkin
2014-04-23 13:30 ` [PATCH 20/20] evm: read EVM key " Dmitry Kasatkin
2014-04-24 18:44 ` [PATCH 00/20] in-kernel IMA/EVM initialization Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1398358432.2293.17.camel@dhcp-9-2-203-236.watson.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=d.kasatkin@samsung.com \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=roberto.sassu@polito.it \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).