summaryrefslogtreecommitdiffstats
path: root/crypto/asymmetric_keys/x509_public_key.c
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2016-04-06 16:14:26 +0100
committerDavid Howells <dhowells@redhat.com>2016-04-11 22:43:43 +0100
commita511e1af8b12f44c6e55786c463c9f093c214fb6 (patch)
tree68451cc38ab74ac81f11825a407008c01918147b /crypto/asymmetric_keys/x509_public_key.c
parent99716b7cae8263e1c7e7c1987e95d8f67071ab3e (diff)
downloadlinux-a511e1af8b12f44c6e55786c463c9f093c214fb6.tar.gz
linux-a511e1af8b12f44c6e55786c463c9f093c214fb6.tar.bz2
linux-a511e1af8b12f44c6e55786c463c9f093c214fb6.zip
KEYS: Move the point of trust determination to __key_link()
Move the point at which a key is determined to be trustworthy to __key_link() so that we use the contents of the keyring being linked in to to determine whether the key being linked in is trusted or not. What is 'trusted' then becomes a matter of what's in the keyring. Currently, the test is done when the key is parsed, but given that at that point we can only sensibly refer to the contents of the system trusted keyring, we can only use that as the basis for working out the trustworthiness of a new key. With this change, a trusted keyring is a set of keys that once the trusted-only flag is set cannot be added to except by verification through one of the contained keys. Further, adding a key into a trusted keyring, whilst it might grant trustworthiness in the context of that keyring, does not automatically grant trustworthiness in the context of a second keyring to which it could be secondarily linked. To accomplish this, the authentication data associated with the key source must now be retained. For an X.509 cert, this means the contents of the AuthorityKeyIdentifier and the signature data. If system keyrings are disabled then restrict_link_by_builtin_trusted() resolves to restrict_link_reject(). The integrity digital signature code still works correctly with this as it was previously using KEY_FLAG_TRUSTED_ONLY, which doesn't permit anything to be added if there is no system keyring against which trust can be determined. Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'crypto/asymmetric_keys/x509_public_key.c')
-rw-r--r--crypto/asymmetric_keys/x509_public_key.c21
1 files changed, 1 insertions, 20 deletions
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 6d7f42f0de9a..fb732296cd36 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -178,31 +178,12 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
cert->pub->id_type = "X509";
- /* See if we can derive the trustability of this certificate.
- *
- * When it comes to self-signed certificates, we cannot evaluate
- * trustedness except by the fact that we obtained it from a trusted
- * location. So we just rely on x509_validate_trust() failing in this
- * case.
- *
- * Note that there's a possibility of a self-signed cert matching a
- * cert that we have (most likely a duplicate that we already trust) -
- * in which case it will be marked trusted.
- */
- if (cert->unsupported_sig || cert->self_signed) {
+ if (cert->unsupported_sig) {
public_key_signature_free(cert->sig);
cert->sig = NULL;
} else {
pr_devel("Cert Signature: %s + %s\n",
cert->sig->pkey_algo, cert->sig->hash_algo);
-
- ret = x509_validate_trust(cert, get_system_trusted_keyring());
- if (ret)
- ret = x509_validate_trust(cert, get_ima_mok_keyring());
- if (ret == -EKEYREJECTED)
- goto error_free_cert;
- if (!ret)
- prep->trusted = true;
}
/* Propose a description */