| Message ID | 20221214003401.4086781-10-eric.snowberg@oracle.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Add CA enforcement keyring restrictions | expand |
On Tue, Dec 13, 2022 at 07:34:00PM -0500, Eric Snowberg wrote: > +/** > + * restrict_link_by_ca - Restrict additions to a ring of CA keys > + * @dest_keyring: Keyring being linked to. > + * @type: The type of key being added. > + * @payload: The payload of the new key. > + * @trust_keyring: Unused. > + * > + * Check if the new certificate is a CA. If it is a CA, then mark the new > + * certificate as being ok to link. > + * > + * Returns 0 if the new certificate was accepted, -ENOKEY if the > + * certificate is not a CA. -ENOPKG if the signature uses unsupported > + * crypto, or some other error if there is a matching certificate but > + * the signature check cannot be performed. > + */ > +int restrict_link_by_ca(struct key *dest_keyring, > + const struct key_type *type, > + const union key_payload *payload, > + struct key *trust_keyring) Why you want to define trust_keyring, other than matching the parameter list in restrict_link_by_signature()? Also if it is unused, it should be then just "struct key *)", right? BR, Jarkko
On Wed, Jan 04, 2023 at 11:51:52AM +0000, Jarkko Sakkinen wrote: > On Tue, Dec 13, 2022 at 07:34:00PM -0500, Eric Snowberg wrote: > > +/** > > + * restrict_link_by_ca - Restrict additions to a ring of CA keys > > + * @dest_keyring: Keyring being linked to. > > + * @type: The type of key being added. > > + * @payload: The payload of the new key. > > + * @trust_keyring: Unused. > > + * > > + * Check if the new certificate is a CA. If it is a CA, then mark the new > > + * certificate as being ok to link. > > + * > > + * Returns 0 if the new certificate was accepted, -ENOKEY if the > > + * certificate is not a CA. -ENOPKG if the signature uses unsupported > > + * crypto, or some other error if there is a matching certificate but > > + * the signature check cannot be performed. > > + */ > > +int restrict_link_by_ca(struct key *dest_keyring, > > + const struct key_type *type, > > + const union key_payload *payload, > > + struct key *trust_keyring) > > Why you want to define trust_keyring, other than matching the parameter > list in restrict_link_by_signature()? > > Also if it is unused, it should be then just "struct key *)", right? Please ignore, I forgot how this worked, i.e. "restriction" is set to the correct function so this looks correct to me :-) So it's good. Sorry for the confusion. BR, Jarkko
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c index 005cb28969e4..ca305ba1c0b5 100644 --- a/crypto/asymmetric_keys/restrict.c +++ b/crypto/asymmetric_keys/restrict.c @@ -108,6 +108,41 @@ int restrict_link_by_signature(struct key *dest_keyring, return ret; } +/** + * restrict_link_by_ca - Restrict additions to a ring of CA keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trust_keyring: Unused. + * + * Check if the new certificate is a CA. If it is a CA, then mark the new + * certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if the + * certificate is not a CA. -ENOPKG if the signature uses unsupported + * crypto, or some other error if there is a matching certificate but + * the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + const struct public_key *pkey; + + if (type != &key_type_asymmetric) + return -EOPNOTSUPP; + + pkey = payload->data[asym_crypto]; + if (!pkey) + return -ENOPKG; + + if (!pkey->key_is_ca) + return -ENOKEY; + + return 0; +} + int restrict_link_by_ca_and_signature(struct key *dest_keyring, const struct key_type *type, const union key_payload *payload, diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 75699987a6b1..88c6e9829224 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -209,8 +209,11 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) } if (cert->kcs_set) { - if (cert->root_ca) + if (cert->root_ca) { prep->payload_flags |= KEY_ALLOC_PECA; + cert->pub->key_is_ca = true; + } + /* * In this case it could be an Intermediate CA. Set * KEY_MAYBE_PECA for now. If the restriction check diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index e51bbc5ffe17..3de0f8a68914 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -26,6 +26,7 @@ struct public_key { void *params; u32 paramlen; bool key_is_private; + bool key_is_ca; const char *id_type; const char *pkey_algo; }; @@ -76,6 +77,21 @@ extern int restrict_link_by_ca_and_signature(struct key *dest_keyring, const union key_payload *payload, struct key *unused); +#if IS_REACHABLE(CONFIG_ASYMMETRIC_KEY_TYPE) +extern int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring); +#else +static inline int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring) +{ + return 0; +} +#endif + extern int query_asymmetric_key(const struct kernel_pkey_params *, struct kernel_pkey_query *);
Add a new link restriction. Restrict the addition of keys in a keyring based on the key to be added being a CA. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- crypto/asymmetric_keys/restrict.c | 35 ++++++++++++++++++++++++ crypto/asymmetric_keys/x509_public_key.c | 5 +++- include/crypto/public_key.h | 16 +++++++++++ 3 files changed, 55 insertions(+), 1 deletion(-)