forked from Minki/linux
46963b774d
Make use of the new match string preparsing to overhaul key identification
when searching for asymmetric keys. The following changes are made:
(1) Use the previously created asymmetric_key_id struct to hold the following
key IDs derived from the X.509 certificate or PKCS#7 message:
id: serial number + issuer
skid: subjKeyId + subject
authority: authKeyId + issuer
(2) Replace the hex fingerprint attached to key->type_data[1] with an
asymmetric_key_ids struct containing the id and the skid (if present).
(3) Make the asymmetric_type match data preparse select one of two searches:
(a) An iterative search for the key ID given if prefixed with "id:". The
prefix is expected to be followed by a hex string giving the ID to
search for. The criterion key ID is checked against all key IDs
recorded on the key.
(b) A direct search if the key ID is not prefixed with "id:". This will
look for an exact match on the key description.
(4) Make x509_request_asymmetric_key() take a key ID. This is then converted
into "id:<hex>" and passed into keyring_search() where match preparsing
will turn it back into a binary ID.
(5) X.509 certificate verification then takes the authority key ID and looks
up a key that matches it to find the public key for the certificate
signature.
(6) PKCS#7 certificate verification then takes the id key ID and looks up a
key that matches it to find the public key for the signed information
block signature.
Additional changes:
(1) Multiple subjKeyId and authKeyId values on an X.509 certificate cause the
cert to be rejected with -EBADMSG.
(2) The 'fingerprint' ID is gone. This was primarily intended to convey PGP
public key fingerprints. If PGP is supported in future, this should
generate a key ID that carries the fingerprint.
(3) Th ca_keyid= kernel command line option is now converted to a key ID and
used to match the authority key ID. Possibly this should only match the
actual authKeyId part and not the issuer as well.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
107 lines
2.7 KiB
C
107 lines
2.7 KiB
C
/* Asymmetric public-key algorithm definitions
|
|
*
|
|
* See Documentation/crypto/asymmetric-keys.txt
|
|
*
|
|
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public Licence
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the Licence, or (at your option) any later version.
|
|
*/
|
|
|
|
#ifndef _LINUX_PUBLIC_KEY_H
|
|
#define _LINUX_PUBLIC_KEY_H
|
|
|
|
#include <linux/mpi.h>
|
|
#include <keys/asymmetric-type.h>
|
|
#include <crypto/hash_info.h>
|
|
|
|
enum pkey_algo {
|
|
PKEY_ALGO_DSA,
|
|
PKEY_ALGO_RSA,
|
|
PKEY_ALGO__LAST
|
|
};
|
|
|
|
extern const char *const pkey_algo_name[PKEY_ALGO__LAST];
|
|
extern const struct public_key_algorithm *pkey_algo[PKEY_ALGO__LAST];
|
|
|
|
/* asymmetric key implementation supports only up to SHA224 */
|
|
#define PKEY_HASH__LAST (HASH_ALGO_SHA224 + 1)
|
|
|
|
enum pkey_id_type {
|
|
PKEY_ID_PGP, /* OpenPGP generated key ID */
|
|
PKEY_ID_X509, /* X.509 arbitrary subjectKeyIdentifier */
|
|
PKEY_ID_TYPE__LAST
|
|
};
|
|
|
|
extern const char *const pkey_id_type_name[PKEY_ID_TYPE__LAST];
|
|
|
|
/*
|
|
* Cryptographic data for the public-key subtype of the asymmetric key type.
|
|
*
|
|
* Note that this may include private part of the key as well as the public
|
|
* part.
|
|
*/
|
|
struct public_key {
|
|
const struct public_key_algorithm *algo;
|
|
u8 capabilities;
|
|
#define PKEY_CAN_ENCRYPT 0x01
|
|
#define PKEY_CAN_DECRYPT 0x02
|
|
#define PKEY_CAN_SIGN 0x04
|
|
#define PKEY_CAN_VERIFY 0x08
|
|
enum pkey_algo pkey_algo : 8;
|
|
enum pkey_id_type id_type : 8;
|
|
union {
|
|
MPI mpi[5];
|
|
struct {
|
|
MPI p; /* DSA prime */
|
|
MPI q; /* DSA group order */
|
|
MPI g; /* DSA group generator */
|
|
MPI y; /* DSA public-key value = g^x mod p */
|
|
MPI x; /* DSA secret exponent (if present) */
|
|
} dsa;
|
|
struct {
|
|
MPI n; /* RSA public modulus */
|
|
MPI e; /* RSA public encryption exponent */
|
|
MPI d; /* RSA secret encryption exponent (if present) */
|
|
MPI p; /* RSA secret prime (if present) */
|
|
MPI q; /* RSA secret prime (if present) */
|
|
} rsa;
|
|
};
|
|
};
|
|
|
|
extern void public_key_destroy(void *payload);
|
|
|
|
/*
|
|
* Public key cryptography signature data
|
|
*/
|
|
struct public_key_signature {
|
|
u8 *digest;
|
|
u8 digest_size; /* Number of bytes in digest */
|
|
u8 nr_mpi; /* Occupancy of mpi[] */
|
|
enum pkey_algo pkey_algo : 8;
|
|
enum hash_algo pkey_hash_algo : 8;
|
|
union {
|
|
MPI mpi[2];
|
|
struct {
|
|
MPI s; /* m^d mod n */
|
|
} rsa;
|
|
struct {
|
|
MPI r;
|
|
MPI s;
|
|
} dsa;
|
|
};
|
|
};
|
|
|
|
struct key;
|
|
extern int verify_signature(const struct key *key,
|
|
const struct public_key_signature *sig);
|
|
|
|
struct asymmetric_key_id;
|
|
extern struct key *x509_request_asymmetric_key(struct key *keyring,
|
|
const struct asymmetric_key_id *kid);
|
|
|
|
#endif /* _LINUX_PUBLIC_KEY_H */
|