From: David Howells <dhowells@redhat.com>
To: rusty@rustcorp.com.au
Cc: dhowells@redhat.com, dmitry.kasatkin@intel.com,
zohar@linux.vnet.ibm.com, jmorris@namei.org,
keyrings@linux-nfs.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 15/25] KEYS: Provide PGP key description autogeneration
Date: Thu, 16 Aug 2012 02:36:57 +0100 [thread overview]
Message-ID: <20120816013657.872.48479.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <20120816013405.872.42381.stgit@warthog.procyon.org.uk>
Provide a facility to autogenerate the name of PGP keys from the contents of
the payload. If add_key() is given a blank description, a description is
constructed from the last user ID packet in the payload data plus the last 8
hex digits of the key ID. For instance:
keyctl padd crypto "" @s </tmp/key.pub
might create a key with a constructed description that can be seen in
/proc/keys:
2f674b96 I--Q--- 1 perm 39390000 0 0 crypto Sample kernel key 31f0ae93: PGP.RSA 31f0ae93 []
Signed-off-by: David Howells <dhowells@redhat.com>
---
security/keys/crypto/pgp_public_key.c | 64 +++++++++++++++++++++++++++------
1 file changed, 53 insertions(+), 11 deletions(-)
diff --git a/security/keys/crypto/pgp_public_key.c b/security/keys/crypto/pgp_public_key.c
index c260e02..2347ecd 100644
--- a/security/keys/crypto/pgp_public_key.c
+++ b/security/keys/crypto/pgp_public_key.c
@@ -52,6 +52,9 @@ struct pgp_key_data_parse_context {
struct crypto_key_subtype *subtype;
char *fingerprint;
void *payload;
+ const char *user_id;
+ size_t user_id_len;
+ size_t fingerprint_len;
};
/*
@@ -166,6 +169,7 @@ static int pgp_generate_fingerprint(struct pgp_key_data_parse_context *ctx,
if (ret < 0)
goto cleanup_raw_fingerprint;
+ ctx->fingerprint_len = digest_size * 2;
fingerprint = kmalloc(digest_size * 2 + 1, GFP_KERNEL);
if (!fingerprint)
goto cleanup_raw_fingerprint;
@@ -212,6 +216,13 @@ static int pgp_process_public_key(struct pgp_parse_context *context,
kenter(",%u,%u,,%zu", type, headerlen, datalen);
+ if (type == PGP_PKT_USER_ID) {
+ ctx->user_id = data;
+ ctx->user_id_len = datalen;
+ kleave(" = 0 [user ID]");
+ return 0;
+ }
+
if (ctx->subtype) {
kleave(" = -ENOKEY [already]");
return -EBADMSG;
@@ -297,21 +308,44 @@ static int pgp_key_preparse(struct key_preparsed_payload *prep)
kenter("");
+ memset(&ctx, 0, sizeof(ctx));
ctx.pgp.types_of_interest =
- (1 << PGP_PKT_PUBLIC_KEY) | (1 << PGP_PKT_PUBLIC_SUBKEY);
+ (1 << PGP_PKT_PUBLIC_KEY) | (1 << PGP_PKT_PUBLIC_SUBKEY) |
+ (1 << PGP_PKT_USER_ID);
ctx.pgp.process_packet = pgp_process_public_key;
- ctx.subtype = NULL;
- ctx.fingerprint = NULL;
- ctx.payload = NULL;
ret = pgp_parse_packets(prep->data, prep->datalen, &ctx.pgp);
- if (ret < 0) {
- if (ctx.payload)
- ctx.subtype->destroy(ctx.payload);
- if (ctx.subtype)
- module_put(ctx.subtype->owner);
- kfree(ctx.fingerprint);
- return ret;
+ if (ret < 0)
+ goto error;
+
+ if (ctx.user_id && ctx.user_id_len > 0) {
+ /* Propose a description for the key (user ID without the comment) */
+ size_t ulen = ctx.user_id_len, flen = ctx.fingerprint_len;
+ const char *p;
+
+ p = memchr(ctx.user_id, '(', ulen);
+ if (p) {
+ /* Remove the comment */
+ do {
+ p--;
+ } while (*p == ' ' && p > ctx.user_id);
+ if (*p != ' ')
+ p++;
+ ulen = p - ctx.user_id;
+ }
+
+ if (ulen > 255 - 9)
+ ulen = 255 - 9;
+ prep->description = kmalloc(ulen + 1 + 8 + 1, GFP_KERNEL);
+ ret = -ENOMEM;
+ if (!prep->description)
+ goto error;
+ memcpy(prep->description, ctx.user_id, ulen);
+ prep->description[ulen] = ' ';
+ memcpy(prep->description + ulen + 1,
+ ctx.fingerprint + flen - 8, 8);
+ prep->description[ulen + 9] = 0;
+ pr_debug("desc '%s'\n", prep->description);
}
prep->type_data[0] = ctx.subtype;
@@ -319,6 +353,14 @@ static int pgp_key_preparse(struct key_preparsed_payload *prep)
prep->payload = ctx.payload;
prep->quotalen = prep->datalen;
return 0;
+
+error:
+ if (ctx.payload)
+ ctx.subtype->destroy(ctx.payload);
+ if (ctx.subtype)
+ module_put(ctx.subtype->owner);
+ kfree(ctx.fingerprint);
+ return ret;
}
static struct crypto_key_parser pgp_key_parser = {
next prev parent reply other threads:[~2012-08-16 1:37 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-16 1:34 [PATCH 00/25] Crypto keys and module signing David Howells
2012-08-16 1:34 ` [PATCH 01/25] KEYS: Add payload preparsing opportunity prior to key instantiate or update David Howells
2012-08-16 1:34 ` [PATCH 02/25] MPILIB: Provide count_leading/trailing_zeros() based on arch functions David Howells
2012-09-10 7:13 ` Kasatkin, Dmitry
2012-09-13 5:14 ` James Morris
2012-09-13 14:09 ` Kasatkin, Dmitry
2012-08-16 1:34 ` [PATCH 03/25] KEYS: Create a key type that can be used for general cryptographic operations David Howells
2012-08-16 1:34 ` [PATCH 04/25] KEYS: Add signature verification facility David Howells
2012-08-16 1:35 ` [PATCH 05/25] KEYS: Asymmetric public-key algorithm crypto key subtype David Howells
2012-08-16 1:35 ` [PATCH 06/25] MPILIB: Reinstate mpi_cmp[_ui]() and export for RSA signature verification David Howells
2012-08-16 1:35 ` [PATCH 07/25] KEYS: RSA: Implement signature verification algorithm [PKCS#1 / RFC3447] David Howells
2012-08-16 1:35 ` [PATCH 08/25] KEYS: RSA: Fix signature verification for shorter signatures David Howells
2012-08-16 1:35 ` [PATCH 09/25] PGPLIB: PGP definitions (RFC 4880) David Howells
2012-08-16 1:36 ` [PATCH 10/25] PGPLIB: Basic packet parser David Howells
2012-08-16 1:36 ` [PATCH 11/25] PGPLIB: Signature parser David Howells
2012-08-16 1:36 ` [PATCH 12/25] KEYS: PGP data parser David Howells
2012-08-16 1:36 ` [PATCH 13/25] KEYS: PGP-based public key signature verification David Howells
2012-08-16 1:36 ` [PATCH 14/25] KEYS: PGP format signature parser David Howells
2012-08-16 1:36 ` David Howells [this message]
2012-08-16 1:37 ` [PATCH 16/25] KEYS: Provide a function to load keys from a PGP keyring blob David Howells
2012-08-16 1:37 ` [PATCH 17/25] MODSIGN: Provide gitignore and make clean rules for extra files David Howells
2012-08-16 1:37 ` [PATCH 18/25] MODSIGN: Provide Documentation and Kconfig options David Howells
2012-08-16 1:37 ` [PATCH 19/25] MODSIGN: Sign modules during the build process David Howells
2012-08-16 1:37 ` [PATCH 20/25] MODSIGN: Provide module signing public keys to the kernel David Howells
2012-08-31 14:33 ` Michal Marek
2012-08-16 1:38 ` [PATCH 21/25] MODSIGN: Module signature verification David Howells
2012-08-16 1:38 ` [PATCH 22/25] MODSIGN: Automatically generate module signing keys if missing David Howells
2012-08-16 1:38 ` [PATCH 23/25] MODSIGN: Panic the kernel if FIPS is enabled upon module signing failure David Howells
2012-08-16 1:38 ` [PATCH 24/25] MODSIGN: Allow modules to be signed with an unknown key unless enforcing David Howells
2012-08-16 1:38 ` [PATCH 25/25] MODSIGN: Fix documentation of signed-nokey behavior when not enforcing David Howells
2012-08-21 5:04 ` [PATCH 00/25] Crypto keys and module signing Rusty Russell
2012-08-22 10:50 ` David Howells
2012-08-22 11:52 ` Mimi Zohar
2012-08-22 16:07 ` Kasatkin, Dmitry
2012-09-04 5:55 ` [RFC] module: signature infrastructure Rusty Russell
2012-09-04 12:07 ` Kasatkin, Dmitry
2012-09-04 12:21 ` Kasatkin, Dmitry
2012-09-04 13:40 ` Mimi Zohar
2012-09-05 0:29 ` Rusty Russell
2012-09-05 13:34 ` Mimi Zohar
2012-09-06 2:05 ` Rusty Russell
2012-09-04 14:25 ` Lucas De Marchi
2012-09-04 15:04 ` Kasatkin, Dmitry
2012-09-05 0:19 ` Rusty Russell
2012-09-05 23:41 ` Lucas De Marchi
2012-09-06 7:55 ` Rusty Russell
2012-09-04 22:51 ` David Howells
2012-09-04 23:17 ` Kasatkin, Dmitry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120816013657.872.48479.stgit@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=dmitry.kasatkin@intel.com \
--cc=jmorris@namei.org \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=rusty@rustcorp.com.au \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).