@@ -208,6 +208,9 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
goto error_free_kids;
}
+ if (cert->kcs_set && cert->self_signed && cert->root_ca)
+ prep->payload_flags |= KEY_ALLOC_PECA;
+
/* We're pinning the module by being linked against it */
__module_get(public_key_subtype.owner);
prep->payload.data[asym_subtype] = &public_key_subtype;
@@ -36,6 +36,8 @@ struct key_preparsed_payload {
size_t datalen; /* Raw datalen */
size_t quotalen; /* Quota length for proposed payload */
time64_t expiry; /* Expiry time of key */
+ unsigned int payload_flags; /* Proposed payload flags */
+#define KEY_ALLOC_PECA 0x0001 /* Proposed Endorsed CA (ECA) key */
} __randomize_layout;
typedef int (*request_key_actor_t)(struct key *auth_key, void *aux);
@@ -236,6 +236,7 @@ struct key {
#define KEY_FLAG_ROOT_CAN_INVAL 7 /* set if key can be invalidated by root without permission */
#define KEY_FLAG_KEEP 8 /* set if key should not be removed */
#define KEY_FLAG_UID_KEYRING 9 /* set if key is a user or user session keyring */
+#define KEY_FLAG_ECA 10 /* set if key is an Endorsed CA key */
/* the key type and key description string
* - the desc is used to match a key against search criteria
@@ -296,6 +297,7 @@ extern struct key *key_alloc(struct key_type *type,
#define KEY_ALLOC_BYPASS_RESTRICTION 0x0008 /* Override the check on restricted keyrings */
#define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user session keyring */
#define KEY_ALLOC_SET_KEEP 0x0020 /* Set the KEEP flag on the key/keyring */
+#define KEY_ALLOC_ECA 0x0040 /* Add Endorsed CA key */
extern void key_revoke(struct key *key);
extern void key_invalidate(struct key *key);
@@ -305,6 +305,8 @@ struct key *key_alloc(struct key_type *type, const char *desc,
key->flags |= 1 << KEY_FLAG_UID_KEYRING;
if (flags & KEY_ALLOC_SET_KEEP)
key->flags |= 1 << KEY_FLAG_KEEP;
+ if (flags & KEY_ALLOC_ECA)
+ key->flags |= 1 << KEY_FLAG_ECA;
#ifdef KEY_DEBUGGING
key->magic = KEY_DEBUG_MAGIC;
@@ -929,6 +931,12 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref,
perm |= KEY_POS_WRITE;
}
+ /* Only allow KEY_ALLOC_ECA flag to be set by preparser contents */
+ if (prep.payload_flags & KEY_ALLOC_PECA)
+ flags |= KEY_ALLOC_ECA;
+ else
+ flags &= ~KEY_ALLOC_ECA;
+
/* allocate a new key */
key = key_alloc(index_key.type, index_key.description,
cred->fsuid, cred->fsgid, cred, perm, flags, NULL);
Some subsystems are interested in knowing if a key has been endorsed as a Certificate Authority (CA). From the data contained in struct key, it is not possible to make this determination after the key parsing is complete. Introduce a new Endorsed Certificate Authority flag called KEY_FLAG_ECA. The first type of key to use this is X.509. When a X.509 certificate is self signed, has the keyCertSign Key Usage set and contains the CA bit set, this new flag is set. In the future, other usage fields could be added as flags, i.e. digitialSignature. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- crypto/asymmetric_keys/x509_public_key.c | 3 +++ include/linux/key-type.h | 2 ++ include/linux/key.h | 2 ++ security/keys/key.c | 8 ++++++++ 4 files changed, 15 insertions(+)