KEYS: Generalise x509_request_asymmetric_key()
authorDavid Howells <dhowells@redhat.com>
Wed, 6 Apr 2016 15:14:25 +0000 (16:14 +0100)
committerDavid Howells <dhowells@redhat.com>
Mon, 11 Apr 2016 21:41:56 +0000 (22:41 +0100)
Generalise x509_request_asymmetric_key().  It doesn't really have any
dependencies on X.509 features as it uses generalised IDs and the
public_key structs that contain data extracted from X.509.

Signed-off-by: David Howells <dhowells@redhat.com>
crypto/asymmetric_keys/asymmetric_keys.h
crypto/asymmetric_keys/asymmetric_type.c
crypto/asymmetric_keys/pkcs7_trust.c
crypto/asymmetric_keys/x509_public_key.c
include/keys/asymmetric-type.h

index 1d450b580245157b500db100de8576f4027bf030..ca8e9ac34ce621613d29de02ba051eba593e7fc6 100644 (file)
@@ -9,6 +9,8 @@
  * 2 of the Licence, or (at your option) any later version.
  */
 
+#include <keys/asymmetric-type.h>
+
 extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id);
 
 extern int __asymmetric_key_hex_to_key_id(const char *id,
index c4d66cd82860eff0ac1eced635743e38daf452dd..6600181d5d01b72e7cfe04fc3fb4054a9a2a108a 100644 (file)
@@ -35,21 +35,20 @@ static LIST_HEAD(asymmetric_key_parsers);
 static DECLARE_RWSEM(asymmetric_key_parsers_sem);
 
 /**
- * x509_request_asymmetric_key - Request a key by X.509 certificate params.
+ * find_asymmetric_key - Find a key by ID.
  * @keyring: The keys to search.
- * @id: The issuer & serialNumber to look for or NULL.
- * @skid: The subjectKeyIdentifier to look for or NULL.
+ * @id_0: The first ID to look for or NULL.
+ * @id_1: The second ID to look for or NULL.
  * @partial: Use partial match if true, exact if false.
  *
  * Find a key in the given keyring by identifier.  The preferred identifier is
- * the issuer + serialNumber and the fallback identifier is the
- * subjectKeyIdentifier.  If both are given, the lookup is by the former, but
- * the latter must also match.
+ * the id_0 and the fallback identifier is the id_1.  If both are given, the
+ * lookup is by the former, but the latter must also match.
  */
-struct key *x509_request_asymmetric_key(struct key *keyring,
-                                       const struct asymmetric_key_id *id,
-                                       const struct asymmetric_key_id *skid,
-                                       bool partial)
+struct key *find_asymmetric_key(struct key *keyring,
+                               const struct asymmetric_key_id *id_0,
+                               const struct asymmetric_key_id *id_1,
+                               bool partial)
 {
        struct key *key;
        key_ref_t ref;
@@ -57,12 +56,12 @@ struct key *x509_request_asymmetric_key(struct key *keyring,
        char *req, *p;
        int len;
 
-       if (id) {
-               lookup = id->data;
-               len = id->len;
+       if (id_0) {
+               lookup = id_0->data;
+               len = id_0->len;
        } else {
-               lookup = skid->data;
-               len = skid->len;
+               lookup = id_1->data;
+               len = id_1->len;
        }
 
        /* Construct an identifier "id:<keyid>". */
@@ -102,14 +101,15 @@ struct key *x509_request_asymmetric_key(struct key *keyring,
        }
 
        key = key_ref_to_ptr(ref);
-       if (id && skid) {
+       if (id_0 && id_1) {
                const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
-               if (!kids->id[1]) {
-                       pr_debug("issuer+serial match, but expected SKID missing\n");
+
+               if (!kids->id[0]) {
+                       pr_debug("First ID matches, but second is missing\n");
                        goto reject;
                }
-               if (!asymmetric_key_id_same(skid, kids->id[1])) {
-                       pr_debug("issuer+serial match, but SKID does not\n");
+               if (!asymmetric_key_id_same(id_1, kids->id[1])) {
+                       pr_debug("First ID matches, but second does not\n");
                        goto reject;
                }
        }
@@ -121,7 +121,7 @@ reject:
        key_put(key);
        return ERR_PTR(-EKEYREJECTED);
 }
-EXPORT_SYMBOL_GPL(x509_request_asymmetric_key);
+EXPORT_SYMBOL_GPL(find_asymmetric_key);
 
 /**
  * asymmetric_key_generate_id: Construct an asymmetric key ID
index 36e77cb07bd03671a5197eb6ab19c6a75ee000db..f6a009d88a33fb550654b11d2cfc4460c733a049 100644 (file)
@@ -51,9 +51,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
                /* Look to see if this certificate is present in the trusted
                 * keys.
                 */
-               key = x509_request_asymmetric_key(trust_keyring,
-                                                 x509->id, x509->skid,
-                                                 false);
+               key = find_asymmetric_key(trust_keyring,
+                                         x509->id, x509->skid, false);
                if (!IS_ERR(key)) {
                        /* One of the X.509 certificates in the PKCS#7 message
                         * is apparently the same as one we already trust.
@@ -84,10 +83,10 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
         * trusted keys.
         */
        if (last && (last->sig->auth_ids[0] || last->sig->auth_ids[1])) {
-               key = x509_request_asymmetric_key(trust_keyring,
-                                                 last->sig->auth_ids[0],
-                                                 last->sig->auth_ids[1],
-                                                 false);
+               key = find_asymmetric_key(trust_keyring,
+                                         last->sig->auth_ids[0],
+                                         last->sig->auth_ids[1],
+                                         false);
                if (!IS_ERR(key)) {
                        x509 = last;
                        pr_devel("sinfo %u: Root cert %u signer is key %x\n",
@@ -101,10 +100,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
        /* As a last resort, see if we have a trusted public key that matches
         * the signed info directly.
         */
-       key = x509_request_asymmetric_key(trust_keyring,
-                                         sinfo->sig->auth_ids[0],
-                                         NULL,
-                                         false);
+       key = find_asymmetric_key(trust_keyring,
+                                 sinfo->sig->auth_ids[0], NULL, false);
        if (!IS_ERR(key)) {
                pr_devel("sinfo %u: Direct signer is key %x\n",
                         sinfo->index, key_serial(key));
index 2fb594175cef541ba9d3928fce3041ccd40f0f04..9c8483ef1cfeb0e5eb885634d0916b330274ba37 100644 (file)
@@ -213,9 +213,8 @@ static int x509_validate_trust(struct x509_certificate *cert,
        if (cert->unsupported_sig)
                return -ENOPKG;
 
-       key = x509_request_asymmetric_key(trust_keyring,
-                                         sig->auth_ids[0], sig->auth_ids[1],
-                                         false);
+       key = find_asymmetric_key(trust_keyring,
+                                 sig->auth_ids[0], sig->auth_ids[1], false);
        if (IS_ERR(key))
                return PTR_ERR(key);
 
index 735db697c4d2636a80bd7ab4d6acb3d3c6a9254d..b38240716d411745b9e11e2d68030b1ae4a948fb 100644 (file)
@@ -76,10 +76,10 @@ const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key)
        return key->payload.data[asym_key_ids];
 }
 
-extern struct key *x509_request_asymmetric_key(struct key *keyring,
-                                              const struct asymmetric_key_id *id,
-                                              const struct asymmetric_key_id *skid,
-                                              bool partial);
+extern struct key *find_asymmetric_key(struct key *keyring,
+                                      const struct asymmetric_key_id *id_0,
+                                      const struct asymmetric_key_id *id_1,
+                                      bool partial);
 
 /*
  * The payload is at the discretion of the subtype.