From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932502AbaDXQyx (ORCPT ); Thu, 24 Apr 2014 12:54:53 -0400 Received: from e39.co.us.ibm.com ([32.97.110.160]:54207 "EHLO e39.co.us.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754092AbaDXQyu (ORCPT ); Thu, 24 Apr 2014 12:54:50 -0400 Message-ID: <1398358432.2293.17.camel@dhcp-9-2-203-236.watson.ibm.com> Subject: Re: [PATCH 01/20] KEYS: verify a certificate is signed by a 'trusted' key From: Mimi Zohar To: Dmitry Kasatkin Cc: dhowells@redhat.com, jmorris@namei.org, roberto.sassu@polito.it, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Date: Thu, 24 Apr 2014 12:53:52 -0400 In-Reply-To: <0f7915604c69374f15cbaf36c499a5d88264e89d.1398259638.git.d.kasatkin@samsung.com> References: <0f7915604c69374f15cbaf36c499a5d88264e89d.1398259638.git.d.kasatkin@samsung.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.6.4 (3.6.4-3.fc18) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-TM-AS-MML: disable X-Content-Scanned: Fidelis XPS MAILER x-cbid: 14042416-9332-0000-0000-00000099A9CE Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2014-04-23 at 16:30 +0300, Dmitry Kasatkin wrote: > From: Mimi Zohar > > Only public keys, with certificates signed by an existing > 'trusted' key on the system trusted keyring, should be added > to a trusted keyring. This patch adds support for verifying > a certificate's signature. > > This is derived from David Howells pkcs7_request_asymmetric_key() patch. > > Changes: > - Flaged out the code to prevent build break if system keyring > is not enabled (Dmitry). An updated version of this patch was posted, which resolves the Kconfig issues. There are a number of other issues which need to be addressed, before this patch can be upstreamed. Please refer to the patch description for more details - http://marc.info/?l=linux-security-module&m=138672063109662&w=2 Reminder, as per Documentation/SubmittingPatches: "#ifdefs are ugly", please no ifdefs in C code. thanks, Mimi > > Signed-off-by: Mimi Zohar > Signed-off-by: David Howells > Signed-off-by: Dmitry Kasatkin > --- > crypto/asymmetric_keys/x509_public_key.c | 85 +++++++++++++++++++++++++++++++- > 1 file changed, 84 insertions(+), 1 deletion(-) > > diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c > index 382ef0d..d279f43 100644 > --- a/crypto/asymmetric_keys/x509_public_key.c > +++ b/crypto/asymmetric_keys/x509_public_key.c > @@ -18,6 +18,7 @@ > #include > #include > #include > +#include > #include > #include "asymmetric_keys.h" > #include "public_key.h" > @@ -102,6 +103,82 @@ int x509_check_signature(const struct public_key *pub, > } > EXPORT_SYMBOL_GPL(x509_check_signature); > > +#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING > +/* > + * Find a key in the given keyring by issuer and authority. > + */ > +static struct key *x509_request_asymmetric_key( > + struct key *keyring, > + const char *signer, size_t signer_len, > + const char *authority, size_t auth_len) > +{ > + key_ref_t key; > + char *id; > + > + /* Construct an identifier. */ > + id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL); > + if (!id) > + return ERR_PTR(-ENOMEM); > + > + memcpy(id, signer, signer_len); > + id[signer_len + 0] = ':'; > + id[signer_len + 1] = ' '; > + memcpy(id + signer_len + 2, authority, auth_len); > + id[signer_len + 2 + auth_len] = 0; > + > + pr_debug("Look up: \"%s\"\n", id); > + > + key = keyring_search(make_key_ref(keyring, 1), > + &key_type_asymmetric, id); > + if (IS_ERR(key)) > + pr_debug("Request for module key '%s' err %ld\n", > + id, PTR_ERR(key)); > + kfree(id); > + > + if (IS_ERR(key)) { > + switch (PTR_ERR(key)) { > + /* Hide some search errors */ > + case -EACCES: > + case -ENOTDIR: > + case -EAGAIN: > + return ERR_PTR(-ENOKEY); > + default: > + return ERR_CAST(key); > + } > + } > + > + pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key_ref_to_ptr(key))); > + return key_ref_to_ptr(key); > +} > + > +/* > + * Check the new certificate against the ones in the trust keyring. If one of > + * those is the signing key and validates the new certificate, then mark the > + * new certificate as being trusted. > + * > + * Return 0 if the new certificate was successfully validated, 1 if we couldn't > + * find a matching parent certificate in the trusted list and an error if there > + * is a matching certificate but the signature check fails. > + */ > +static int x509_validate_trust(struct x509_certificate *cert, > + struct key *trust_keyring) > +{ > + const struct public_key *pk; > + struct key *key; > + int ret = 1; > + > + key = x509_request_asymmetric_key(trust_keyring, > + cert->issuer, strlen(cert->issuer), > + cert->authority, > + strlen(cert->authority)); > + if (!IS_ERR(key)) { > + pk = key->payload.data; > + ret = x509_check_signature(pk, cert); > + } > + return ret; > +} > +#endif > + > /* > * Attempt to parse a data blob for a key as an X509 certificate. > */ > @@ -155,9 +232,15 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) > /* Check the signature on the key if it appears to be self-signed */ > if (!cert->authority || > strcmp(cert->fingerprint, cert->authority) == 0) { > - ret = x509_check_signature(cert->pub, cert); > + ret = x509_check_signature(cert->pub, cert); /* self-signed */ > if (ret < 0) > goto error_free_cert; > + } else { > +#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING > + ret = x509_validate_trust(cert, system_trusted_keyring); > + if (!ret) > + prep->trusted = 1; > +#endif > } > > /* Propose a description */