* [GIT PULL] Keyrings and asymmetric keys patches for 3.17
@ 2014-07-17 22:34 David Howells
2014-07-17 23:22 ` Stephen Rothwell
2014-07-18 19:07 ` David Howells
0 siblings, 2 replies; 5+ messages in thread
From: David Howells @ 2014-07-17 22:34 UTC (permalink / raw)
To: James Morris
Cc: dhowells, Mimi Zohar, mimi.e.zohar, Dmitry Kasatkin, vgoyal,
keyrings, linux-security-module, linux-crypto, linux-kernel
Hi James,
I have a number of sets of patches for you to pull. I've git-merged them
together into a single branch (keys-next) as there are some conflicts and
tagged the end.
The component subsets are:
(1) Tag keys-preparse-1-20140707
A set of patches that mostly convert extant key types to perform
preparsing to make it possible to determine the amount of quota in
advance.
I haven't fixed the encrypted and trusted keys as yet as they incorrectly
use the ->update() op, but I'd like to get the changes I have done out
the door.
(2) Tag keys-pkcs7-20140708
A set of patches that can parse binary PKCS#7 messages and verify the
X.509 certificates and signatures contained therein and look to see if
there's an intersection between those certificates/signatures and a ring
of trusted keys.
This has a conflict with (1) that is solved in the merge: A debugging key
type is added for testing the PKCS#7 parser and this uses the user
keyring type.
(3) Tag keys-pefile-20140709
A set of patches that take a signed PE binary, extract the PKCS#7
message, validate the signature of the signed parts of the PE binary and
verify the PKCS#7 certificate using (2) above.
Subsets (2) and (3) will then be used to do signed kexec.
(4) Branch linux-integrity/next-with-key
Mimi and Dmitry's keyrings patches.
Note that this branch is on top of their next-without-key branch. If you
pull that first as Mimi has asked, git should connect this correctly.
This is commit 7d2ce2320e8efdc4a6dcbae7b329ed3f0d1cd778.
(5) Branch keys-fixes
Three fixes:
(a) Allow CAP_SYS_ADMIN capable processes to invalidate keys that are
appropriately marked.
This has a conflict with (4) since both add new key flags.
(b) Don't select MPILIB_EXTRA as it doesn't exist.
(c) Select CRYPTO if SIGNATURE is enabled rather than depending on it to
get module vs built-in correct.
There's some duplicate code between the patches in (2) and (4) for looking up
a key containing a public key. The code exists in different places and
doesn't interfere with each other, so I'll deal with it later when one or both
of these sets has gone in.
David
---
The following changes since commit b6b8a371f5541c2b839caba84fede693f3fcc43d:
Merge branch 'stable-3.16' of git://git.infradead.org/users/pcmoore/selinux into next (2014-07-17 03:05:51 +1000)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-next-20140717
for you to fetch changes up to e6df35b37ce9789a636d13f1e625d08ce029851b:
Merge branch 'keys-fixes' into keys-next (2014-07-17 21:02:01 +0100)
----------------------------------------------------------------
(from the branch description for keys-next local branch)
Keyrings for linux-next
Keyrings patches
----------------------------------------------------------------
David Howells (34):
X.509: Add bits needed for PKCS#7
X.509: Export certificate parse and free functions
KEYS: Provide a generic instantiation function
KEYS: struct key_preparsed_payload should have two payload pointers
KEYS: Allow expiry time to be set when preparsing a key
KEYS: Call ->free_preparse() even after ->preparse() returns an error
KEYS: user: Use key preparsing
KEYS: Ceph: Use key preparsing
KEYS: Ceph: Use user_match()
KEYS: DNS: Use key preparsing
KEYS: RxRPC: Use key preparsing
KEYS: big_key: Use key preparsing
KEYS: keyring: Provide key preparsing
KEYS: request_key_auth: Provide key preparsing
PKCS#7: Implement a parser [RFC 2315]
PKCS#7: Digest the data in a signed-data message
PKCS#7: Find the right key in the PKCS#7 key list and verify the signature
PKCS#7: Verify internal certificate chain
PKCS#7: Find intersection between PKCS#7 message and known, trusted keys
PKCS#7: Provide a key type for testing PKCS#7
KEYS: X.509: Fix a spelling mistake
Provide PE binary definitions
pefile: Parse a PE binary to find a key and a signature contained therein
pefile: Strip the wrapper off of the cert data block
pefile: Parse the presumed PKCS#7 content of the certificate blob
pefile: Parse the "Microsoft individual code signing" data blob
pefile: Digest the PE binary and compare to the PKCS#7 data
pefile: Validate PKCS#7 trust chain
Merge branch 'keys-preparse-1' into keys-next
Merge tag 'keys-pkcs7-20140708' into keys-next
Merge tag 'keys-pefile-20140709' into keys-next
Merge remote-tracking branch 'integrity/next-with-keys' into keys-next
KEYS: Allow special keys (eg. DNS results) to be invalidated by CAP_SYS_ADMIN
Merge branch 'keys-fixes' into keys-next
Dmitry Kasatkin (9):
ima: remove unnecessary i_mutex locking from ima_rdwr_violation_check()
ima: delay template descriptor lookup until use
ima: use ahash API for file hash calculation
ima: introduce multi-page collect buffers
ima: provide double buffering for hash calculation
KEYS: make partial key id matching as a dedicated function
KEYS: validate certificate trust only with selected key
KEYS: validate certificate trust only with builtin keys
digsig: make crypto builtin if digsig selected as builtin
Jean Delvare (1):
RSA: Don't select non-existent symbol
Mimi Zohar (3):
KEYS: special dot prefixed keyring name bug fix
KEYS: verify a certificate is signed by a 'trusted' key
ima: define '.ima' as a builtin 'trusted' keyring
Richard Guy Briggs (1):
audit: fix dangling keywords in integrity ima message output
Vivek Goyal (1):
pefile: Handle pesign using the wrong OID
Documentation/kernel-parameters.txt | 22 ++
Documentation/security/keys.txt | 14 +-
crypto/asymmetric_keys/Kconfig | 34 ++-
crypto/asymmetric_keys/Makefile | 37 +++
crypto/asymmetric_keys/asymmetric_keys.h | 2 +
crypto/asymmetric_keys/asymmetric_type.c | 78 +++--
crypto/asymmetric_keys/mscode.asn1 | 28 ++
crypto/asymmetric_keys/mscode_parser.c | 126 ++++++++
crypto/asymmetric_keys/pkcs7.asn1 | 127 +++++++++
crypto/asymmetric_keys/pkcs7_key_type.c | 99 +++++++
crypto/asymmetric_keys/pkcs7_parser.c | 396 ++++++++++++++++++++++++++
crypto/asymmetric_keys/pkcs7_parser.h | 61 ++++
crypto/asymmetric_keys/pkcs7_trust.c | 219 ++++++++++++++
crypto/asymmetric_keys/pkcs7_verify.c | 323 +++++++++++++++++++++
crypto/asymmetric_keys/verify_pefile.c | 457 ++++++++++++++++++++++++++++++
crypto/asymmetric_keys/verify_pefile.h | 42 +++
crypto/asymmetric_keys/x509.asn1 | 2 +-
crypto/asymmetric_keys/x509_cert_parser.c | 20 ++
crypto/asymmetric_keys/x509_parser.h | 13 +-
crypto/asymmetric_keys/x509_public_key.c | 111 +++++++-
fs/nfs/idmap.c | 10 +-
include/crypto/pkcs7.h | 36 +++
include/keys/big_key-type.h | 3 +-
include/keys/system_keyring.h | 10 +-
include/keys/user-type.h | 3 +-
include/linux/key-type.h | 5 +-
include/linux/key.h | 2 +
include/linux/oid_registry.h | 8 +-
include/linux/pe.h | 448 +++++++++++++++++++++++++++++
include/linux/verify_pefile.h | 18 ++
kernel/system_keyring.c | 1 +
lib/Kconfig | 3 +-
net/ceph/crypto.c | 26 +-
net/dns_resolver/dns_key.c | 43 +--
net/dns_resolver/dns_query.c | 1 +
net/rxrpc/ar-key.c | 165 ++++++-----
security/integrity/digsig.c | 28 ++
security/integrity/ima/Kconfig | 10 +
security/integrity/ima/ima.h | 12 +
security/integrity/ima/ima_appraise.c | 2 +-
security/integrity/ima/ima_crypto.c | 312 +++++++++++++++++++-
security/integrity/ima/ima_main.c | 17 +-
security/integrity/ima/ima_policy.c | 6 +-
security/integrity/integrity.h | 5 +
security/keys/big_key.c | 41 +--
security/keys/encrypted-keys/encrypted.c | 2 +-
security/keys/key.c | 49 +++-
security/keys/keyctl.c | 21 +-
security/keys/keyring.c | 34 ++-
security/keys/request_key_auth.c | 13 +
security/keys/user_defined.c | 41 +--
51 files changed, 3357 insertions(+), 229 deletions(-)
create mode 100644 crypto/asymmetric_keys/mscode.asn1
create mode 100644 crypto/asymmetric_keys/mscode_parser.c
create mode 100644 crypto/asymmetric_keys/pkcs7.asn1
create mode 100644 crypto/asymmetric_keys/pkcs7_key_type.c
create mode 100644 crypto/asymmetric_keys/pkcs7_parser.c
create mode 100644 crypto/asymmetric_keys/pkcs7_parser.h
create mode 100644 crypto/asymmetric_keys/pkcs7_trust.c
create mode 100644 crypto/asymmetric_keys/pkcs7_verify.c
create mode 100644 crypto/asymmetric_keys/verify_pefile.c
create mode 100644 crypto/asymmetric_keys/verify_pefile.h
create mode 100644 include/crypto/pkcs7.h
create mode 100644 include/linux/pe.h
create mode 100644 include/linux/verify_pefile.h
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [GIT PULL] Keyrings and asymmetric keys patches for 3.17
2014-07-17 22:34 [GIT PULL] Keyrings and asymmetric keys patches for 3.17 David Howells
@ 2014-07-17 23:22 ` Stephen Rothwell
2014-07-18 19:07 ` David Howells
1 sibling, 0 replies; 5+ messages in thread
From: Stephen Rothwell @ 2014-07-17 23:22 UTC (permalink / raw)
To: David Howells
Cc: James Morris, Mimi Zohar, mimi.e.zohar, Dmitry Kasatkin, vgoyal,
keyrings, linux-security-module, linux-crypto, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 922 bytes --]
Hi David,
On Thu, 17 Jul 2014 23:34:05 +0100 David Howells <dhowells@redhat.com> wrote:
>
> I have a number of sets of patches for you to pull. I've git-merged them
> together into a single branch (keys-next) as there are some conflicts and
> tagged the end.
>
> The component subsets are:
>
> (1) Tag keys-preparse-1-20140707
>
> A set of patches that mostly convert extant key types to perform
> preparsing to make it possible to determine the amount of quota in
> advance.
>
> I haven't fixed the encrypted and trusted keys as yet as they incorrectly
> use the ->update() op, but I'd like to get the changes I have done out
> the door.
I hate to be a pest, but this whole branch has only your signed off by
and no indication that any of it has been reviewed/tested by anyone
else ...
--
Cheers,
Stephen Rothwell sfr@canb.auug.org.au
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [GIT PULL] Keyrings and asymmetric keys patches for 3.17
2014-07-17 22:34 [GIT PULL] Keyrings and asymmetric keys patches for 3.17 David Howells
2014-07-17 23:22 ` Stephen Rothwell
@ 2014-07-18 19:07 ` David Howells
1 sibling, 0 replies; 5+ messages in thread
From: David Howells @ 2014-07-18 19:07 UTC (permalink / raw)
To: Stephen Rothwell
Cc: dhowells, James Morris, Mimi Zohar, mimi.e.zohar,
Dmitry Kasatkin, vgoyal, keyrings, linux-security-module,
linux-crypto, linux-kernel
Stephen Rothwell <sfr@canb.auug.org.au> wrote:
> I hate to be a pest, but this whole branch has only your signed off by
> and no indication that any of it has been reviewed/tested by anyone
> else ...
Okay, I've got at least one review for most of the patches. I'll try and get
some more, but it probably won't be till next week.
Anyway, I've updated the keys-preparse-1 branch and tagged it anew with
keys-preparse-1-20140718. There was a spelling fix in the docs and the
patches have been rebased on the updated security/next.
I've also rebuilt the keys-next branch, basing it on the updated
security/next, and tagged it with keys-next-20140718.
warthog>git diff keys-next-20140717 keys-next-20140718 | diffstat
keys.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
David
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [GIT PULL] Keyrings and asymmetric keys patches for 3.17
2014-07-22 21:07 David Howells
@ 2014-07-24 11:37 ` James Morris
0 siblings, 0 replies; 5+ messages in thread
From: James Morris @ 2014-07-24 11:37 UTC (permalink / raw)
To: David Howells
Cc: Mimi Zohar, mimi.e.zohar, Dmitry Kasatkin, vgoyal, keyrings,
linux-security-module, linux-crypto, linux-kernel
On Tue, 22 Jul 2014, David Howells wrote:
> I have a number of sets of patches for you to pull. I've git-merged them
> together into a single branch (keys-next) as there are some conflicts and
> tagged the end.
Pulled, thanks.
--
James Morris
<jmorris@namei.org>
^ permalink raw reply [flat|nested] 5+ messages in thread
* [GIT PULL] Keyrings and asymmetric keys patches for 3.17
@ 2014-07-22 21:07 David Howells
2014-07-24 11:37 ` James Morris
0 siblings, 1 reply; 5+ messages in thread
From: David Howells @ 2014-07-22 21:07 UTC (permalink / raw)
To: James Morris
Cc: dhowells, Mimi Zohar, mimi.e.zohar, Dmitry Kasatkin, vgoyal,
keyrings, linux-security-module, linux-crypto, linux-kernel
I have a number of sets of patches for you to pull. I've git-merged them
together into a single branch (keys-next) as there are some conflicts and
tagged the end.
The keys-preparse-1 branch has been updated with various Acked-bys and
Reviewed-bys plus one documentation change and retagged:
git diff keys-next-20140717 keys-next-20140722 | diffstat
keys.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
The component subsets are:
(1) Tag keys-preparse-1-20140722
A set of patches that mostly convert extant key types to perform
preparsing to make it possible to determine the amount of quota in
advance.
I haven't fixed the encrypted and trusted keys as yet as they incorrectly
use the ->update() op, but I'd like to get the changes I have done out
the door.
(2) Tag keys-pkcs7-20140708
A set of patches that can parse binary PKCS#7 messages and verify the
X.509 certificates and signatures contained therein and look to see if
there's an intersection between those certificates/signatures and a ring
of trusted keys.
This has a conflict with (1) that is solved in the merge: A debugging key
type is added for testing the PKCS#7 parser and this uses the user
keyring type.
(3) Tag keys-pefile-20140709
A set of patches that take a signed PE binary, extract the PKCS#7
message, validate the signature of the signed parts of the PE binary and
verify the PKCS#7 certificate using (2) above.
Subsets (2) and (3) will then be used to do signed kexec.
(4) Branch linux-integrity/next-with-key
Mimi and Dmitry's keyrings patches.
Note that this branch is on top of their next-without-key branch. If you
pull that first as Mimi has asked, git should connect this correctly.
This is commit 7d2ce2320e8efdc4a6dcbae7b329ed3f0d1cd778.
(5) Branch keys-fixes
Three fixes:
(a) Allow CAP_SYS_ADMIN capable processes to invalidate keys that are
appropriately marked.
This has a conflict with (4) since both add new key flags.
(b) Don't select MPILIB_EXTRA as it doesn't exist.
(c) Select CRYPTO if SIGNATURE is enabled rather than depending on it to
get module vs built-in correct.
There's some duplicate code between the patches in (2) and (4) for looking up
a key containing a public key. The code exists in different places and
doesn't interfere with each other, so I'll deal with it later when one or both
of these sets has gone in.
David
---
The following changes since commit 32c2e6752ff0f48fe03b9e1c7c64bde580a840d2:
ima: provide double buffering for hash calculation (2014-07-17 09:35:11 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-next-20140722
for you to fetch changes up to 633706a2ee81637be37b6bc02c5336950cc163b5:
Merge branch 'keys-fixes' into keys-next (2014-07-22 21:55:45 +0100)
----------------------------------------------------------------
(from the branch description for keys-next local branch)
Keyrings for linux-next
Keyrings patches
----------------------------------------------------------------
David Howells (34):
X.509: Add bits needed for PKCS#7
X.509: Export certificate parse and free functions
PKCS#7: Implement a parser [RFC 2315]
PKCS#7: Digest the data in a signed-data message
PKCS#7: Find the right key in the PKCS#7 key list and verify the signature
PKCS#7: Verify internal certificate chain
PKCS#7: Find intersection between PKCS#7 message and known, trusted keys
PKCS#7: Provide a key type for testing PKCS#7
KEYS: X.509: Fix a spelling mistake
Provide PE binary definitions
pefile: Parse a PE binary to find a key and a signature contained therein
pefile: Strip the wrapper off of the cert data block
pefile: Parse the presumed PKCS#7 content of the certificate blob
pefile: Parse the "Microsoft individual code signing" data blob
pefile: Digest the PE binary and compare to the PKCS#7 data
pefile: Validate PKCS#7 trust chain
KEYS: Allow special keys (eg. DNS results) to be invalidated by CAP_SYS_ADMIN
KEYS: Provide a generic instantiation function
KEYS: struct key_preparsed_payload should have two payload pointers
KEYS: Allow expiry time to be set when preparsing a key
KEYS: Call ->free_preparse() even after ->preparse() returns an error
KEYS: user: Use key preparsing
KEYS: Ceph: Use key preparsing
KEYS: Ceph: Use user_match()
KEYS: DNS: Use key preparsing
KEYS: RxRPC: Use key preparsing
KEYS: big_key: Use key preparsing
KEYS: keyring: Provide key preparsing
KEYS: request_key_auth: Provide key preparsing
Merge tag 'keys-preparse-1-20140722' into keys-next
Merge tag 'keys-pkcs7-20140708' into keys-next
Merge tag 'keys-pefile-20140709' into keys-next
Merge remote-tracking branch 'integrity/next-with-keys' into keys-next
Merge branch 'keys-fixes' into keys-next
Dmitry Kasatkin (4):
KEYS: make partial key id matching as a dedicated function
KEYS: validate certificate trust only with selected key
KEYS: validate certificate trust only with builtin keys
digsig: make crypto builtin if digsig selected as builtin
Jean Delvare (1):
RSA: Don't select non-existent symbol
Mimi Zohar (3):
KEYS: special dot prefixed keyring name bug fix
KEYS: verify a certificate is signed by a 'trusted' key
ima: define '.ima' as a builtin 'trusted' keyring
Vivek Goyal (1):
pefile: Handle pesign using the wrong OID
Documentation/kernel-parameters.txt | 5 +
Documentation/security/keys.txt | 14 +-
crypto/asymmetric_keys/Kconfig | 34 ++-
crypto/asymmetric_keys/Makefile | 37 +++
crypto/asymmetric_keys/asymmetric_keys.h | 2 +
crypto/asymmetric_keys/asymmetric_type.c | 78 +++--
crypto/asymmetric_keys/mscode.asn1 | 28 ++
crypto/asymmetric_keys/mscode_parser.c | 126 ++++++++
crypto/asymmetric_keys/pkcs7.asn1 | 127 +++++++++
crypto/asymmetric_keys/pkcs7_key_type.c | 99 +++++++
crypto/asymmetric_keys/pkcs7_parser.c | 396 ++++++++++++++++++++++++++
crypto/asymmetric_keys/pkcs7_parser.h | 61 ++++
crypto/asymmetric_keys/pkcs7_trust.c | 219 ++++++++++++++
crypto/asymmetric_keys/pkcs7_verify.c | 323 +++++++++++++++++++++
crypto/asymmetric_keys/verify_pefile.c | 457 ++++++++++++++++++++++++++++++
crypto/asymmetric_keys/verify_pefile.h | 42 +++
crypto/asymmetric_keys/x509.asn1 | 2 +-
crypto/asymmetric_keys/x509_cert_parser.c | 20 ++
crypto/asymmetric_keys/x509_parser.h | 13 +-
crypto/asymmetric_keys/x509_public_key.c | 111 +++++++-
fs/nfs/idmap.c | 10 +-
include/crypto/pkcs7.h | 36 +++
include/keys/big_key-type.h | 3 +-
include/keys/system_keyring.h | 10 +-
include/keys/user-type.h | 3 +-
include/linux/key-type.h | 5 +-
include/linux/key.h | 2 +
include/linux/oid_registry.h | 8 +-
include/linux/pe.h | 448 +++++++++++++++++++++++++++++
include/linux/verify_pefile.h | 18 ++
kernel/system_keyring.c | 1 +
lib/Kconfig | 3 +-
net/ceph/crypto.c | 26 +-
net/dns_resolver/dns_key.c | 43 +--
net/dns_resolver/dns_query.c | 1 +
net/rxrpc/ar-key.c | 165 ++++++-----
security/integrity/digsig.c | 28 ++
security/integrity/ima/Kconfig | 10 +
security/integrity/ima/ima.h | 12 +
security/integrity/ima/ima_main.c | 10 +-
security/integrity/integrity.h | 5 +
security/keys/big_key.c | 41 +--
security/keys/encrypted-keys/encrypted.c | 2 +-
security/keys/key.c | 49 +++-
security/keys/keyctl.c | 21 +-
security/keys/keyring.c | 34 ++-
security/keys/request_key_auth.c | 13 +
security/keys/user_defined.c | 41 +--
48 files changed, 3025 insertions(+), 217 deletions(-)
create mode 100644 crypto/asymmetric_keys/mscode.asn1
create mode 100644 crypto/asymmetric_keys/mscode_parser.c
create mode 100644 crypto/asymmetric_keys/pkcs7.asn1
create mode 100644 crypto/asymmetric_keys/pkcs7_key_type.c
create mode 100644 crypto/asymmetric_keys/pkcs7_parser.c
create mode 100644 crypto/asymmetric_keys/pkcs7_parser.h
create mode 100644 crypto/asymmetric_keys/pkcs7_trust.c
create mode 100644 crypto/asymmetric_keys/pkcs7_verify.c
create mode 100644 crypto/asymmetric_keys/verify_pefile.c
create mode 100644 crypto/asymmetric_keys/verify_pefile.h
create mode 100644 include/crypto/pkcs7.h
create mode 100644 include/linux/pe.h
create mode 100644 include/linux/verify_pefile.h
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2014-07-24 11:38 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-07-17 22:34 [GIT PULL] Keyrings and asymmetric keys patches for 3.17 David Howells
2014-07-17 23:22 ` Stephen Rothwell
2014-07-18 19:07 ` David Howells
2014-07-22 21:07 David Howells
2014-07-24 11:37 ` James Morris
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).