1. 03 8月, 2014 1 次提交
  2. 29 7月, 2014 1 次提交
  3. 28 7月, 2014 1 次提交
  4. 23 7月, 2014 1 次提交
  5. 17 7月, 2014 3 次提交
    • D
      KEYS: validate certificate trust only with builtin keys · 32c4741c
      Dmitry Kasatkin 提交于
      Instead of allowing public keys, with certificates signed by any
      key on the system trusted keyring, to be added to a trusted keyring,
      this patch further restricts the certificates to those signed only by
      builtin keys on the system keyring.
      
      This patch defines a new option 'builtin' for the kernel parameter
      'keys_ownerid' to allow trust validation using builtin keys.
      
      Simplified Mimi's "KEYS: define an owner trusted keyring" patch
      
      Changelog v7:
      - rename builtin_keys to use_builtin_keys
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      32c4741c
    • D
      KEYS: validate certificate trust only with selected key · ffb70f61
      Dmitry Kasatkin 提交于
      Instead of allowing public keys, with certificates signed by any
      key on the system trusted keyring, to be added to a trusted keyring,
      this patch further restricts the certificates to those signed by a
      particular key on the system keyring.
      
      This patch defines a new kernel parameter 'ca_keys' to identify the
      specific key which must be used for trust validation of certificates.
      
      Simplified Mimi's "KEYS: define an owner trusted keyring" patch.
      
      Changelog:
      - support for builtin x509 public keys only
      - export "asymmetric_keyid_match"
      - remove ifndefs MODULE
      - rename kernel boot parameter from keys_ownerid to ca_keys
      Signed-off-by: NDmitry Kasatkin <d.kasatkin@samsung.com>
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      ffb70f61
    • M
      KEYS: verify a certificate is signed by a 'trusted' key · 3be4beaf
      Mimi Zohar 提交于
      Only public keys, with certificates signed by an existing
      'trusted' key on the system trusted keyring, should be added
      to a trusted keyring.  This patch adds support for verifying
      a certificate's signature.
      
      This is derived from David Howells pkcs7_request_asymmetric_key() patch.
      
      Changelog v6:
      - on error free key - Dmitry
      - validate trust only for not already trusted keys - Dmitry
      - formatting cleanup
      
      Changelog:
      - define get_system_trusted_keyring() to fix kbuild issues
      Signed-off-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NDmitry Kasatkin <dmitry.kasatkin@gmail.com>
      3be4beaf
  6. 24 11月, 2013 1 次提交
    • L
      Revert "KEYS: verify a certificate is signed by a 'trusted' key" · 4c1cc40a
      Linus Torvalds 提交于
      This reverts commit 09fbc473, which
      caused the following build errors:
      
        crypto/asymmetric_keys/x509_public_key.c: In function ‘x509_key_preparse’:
        crypto/asymmetric_keys/x509_public_key.c:237:35: error: ‘system_trusted_keyring’ undeclared (first use in this function)
         ret = x509_validate_trust(cert, system_trusted_keyring);
                                         ^
        crypto/asymmetric_keys/x509_public_key.c:237:35: note: each undeclared identifier is reported only once for each function it appears in
      
      reported by Jim Davis. Mimi says:
      
       "I made the classic mistake of requesting this patch to be upstreamed
        at the last second, rather than waiting until the next open window.
      
        At this point, the best course would probably be to revert the two
        commits and fix them for the next open window"
      Reported-by: NJim Davis <jim.epost@gmail.com>
      Acked-by: NMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      4c1cc40a
  7. 26 10月, 2013 2 次提交
  8. 26 9月, 2013 8 次提交
  9. 25 9月, 2013 2 次提交
  10. 10 10月, 2012 2 次提交
  11. 08 10月, 2012 1 次提交
    • D
      X.509: Add a crypto key parser for binary (DER) X.509 certificates · c26fd69f
      David Howells 提交于
      Add a crypto key parser for binary (DER) encoded X.509 certificates.  The
      certificate is parsed and, if possible, the signature is verified.
      
      An X.509 key can be added like this:
      
      	# keyctl padd crypto bar @s </tmp/x509.cert
      	15768135
      
      and displayed like this:
      
      	# cat /proc/keys
      	00f09a47 I--Q---     1 perm 39390000     0     0 asymmetri bar: X509.RSA e9fd6d08 []
      
      Note that this only works with binary certificates.  PEM encoded certificates
      are ignored by the parser.
      
      Note also that the X.509 key ID is not congruent with the PGP key ID, but for
      the moment, they will match.
      
      If a NULL or "" name is given to add_key(), then the parser will generate a key
      description from the CertificateSerialNumber and Name fields of the
      TBSCertificate:
      
      	00aefc4e I--Q---     1 perm 39390000     0     0 asymmetri bfbc0cd76d050ea4:/C=GB/L=Cambridge/O=Red Hat/CN=kernel key: X509.RSA 0c688c7b []
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
      c26fd69f