mirror of
https://github.com/tbsdtv/linux_media.git
synced 2025-07-23 12:43:29 +02:00
KEYS: CA link restriction
Add a new link restriction. Restrict the addition of keys in a keyring based on the key to be added being a CA. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Tested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
This commit is contained in:
Eric Snowberg
committed by
Jarkko Sakkinen
Jarkko Sakkinen
parent
567671281a
commit
76adb2fbc6
@@ -108,6 +108,44 @@ int restrict_link_by_signature(struct key *dest_keyring,
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* restrict_link_by_ca - Restrict additions to a ring of CA keys
|
||||||
|
* @dest_keyring: Keyring being linked to.
|
||||||
|
* @type: The type of key being added.
|
||||||
|
* @payload: The payload of the new key.
|
||||||
|
* @trust_keyring: Unused.
|
||||||
|
*
|
||||||
|
* Check if the new certificate is a CA. If it is a CA, then mark the new
|
||||||
|
* certificate as being ok to link.
|
||||||
|
*
|
||||||
|
* Returns 0 if the new certificate was accepted, -ENOKEY if the
|
||||||
|
* certificate is not a CA. -ENOPKG if the signature uses unsupported
|
||||||
|
* crypto, or some other error if there is a matching certificate but
|
||||||
|
* the signature check cannot be performed.
|
||||||
|
*/
|
||||||
|
int restrict_link_by_ca(struct key *dest_keyring,
|
||||||
|
const struct key_type *type,
|
||||||
|
const union key_payload *payload,
|
||||||
|
struct key *trust_keyring)
|
||||||
|
{
|
||||||
|
const struct public_key *pkey;
|
||||||
|
|
||||||
|
if (type != &key_type_asymmetric)
|
||||||
|
return -EOPNOTSUPP;
|
||||||
|
|
||||||
|
pkey = payload->data[asym_crypto];
|
||||||
|
if (!pkey)
|
||||||
|
return -ENOPKG;
|
||||||
|
if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags))
|
||||||
|
return -ENOKEY;
|
||||||
|
if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags))
|
||||||
|
return -ENOKEY;
|
||||||
|
if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags))
|
||||||
|
return -ENOKEY;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static bool match_either_id(const struct asymmetric_key_id **pair,
|
static bool match_either_id(const struct asymmetric_key_id **pair,
|
||||||
const struct asymmetric_key_id *single)
|
const struct asymmetric_key_id *single)
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -75,6 +75,21 @@ extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring,
|
|||||||
const union key_payload *payload,
|
const union key_payload *payload,
|
||||||
struct key *trusted);
|
struct key *trusted);
|
||||||
|
|
||||||
|
#if IS_REACHABLE(CONFIG_ASYMMETRIC_KEY_TYPE)
|
||||||
|
extern int restrict_link_by_ca(struct key *dest_keyring,
|
||||||
|
const struct key_type *type,
|
||||||
|
const union key_payload *payload,
|
||||||
|
struct key *trust_keyring);
|
||||||
|
#else
|
||||||
|
static inline int restrict_link_by_ca(struct key *dest_keyring,
|
||||||
|
const struct key_type *type,
|
||||||
|
const union key_payload *payload,
|
||||||
|
struct key *trust_keyring)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
extern int query_asymmetric_key(const struct kernel_pkey_params *,
|
extern int query_asymmetric_key(const struct kernel_pkey_params *,
|
||||||
struct kernel_pkey_query *);
|
struct kernel_pkey_query *);
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user