Re: How to add additional blacklist entries?

[Mimi Zohar]

Hi David,

Sorry, for the delay in responding...

On Tue, 2016-02-09 at 10:42 +0000, David Howells wrote:
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> > The keys being added to the IMA keyring are signed x509 certs (eg.
> > openssl ca -ss_cert).  It would be nice to be able to include the skid
> > in the description, without a payload, and sign that.  I have no idea if
> > that Is possible or if it makes sense.  I'm open to suggestions.

I'm back tracking here a bit.  Problem statement: we need a safe method
for revoking an x509 certificate. The RFCs describe x509 certificate
revocation lists(CRL).  Perhaps in addition to the x509 cert, require a
CRL, containing the revoked x509 certificate, to load the cert on the
blacklist?  That way having just a cert, already signed by a trusted
key, would not be enough for it to be added to the blacklist.  The CRL
itself could be verified against a key on the trusted keyring.

> I think we need a new keyctl or syscall for this.
> 
> We need to run through the X.509 parser, but we don't actually want to keep
> any of the payload - and, in fact, we don't even necessarily want to create an
> asymmetric-type key, though it's not a complete loss if we do that and create
> one with a blacklist subtype.  The blacklist subtype would just return an
> error from all operation points, but would otherwise be handled as normal.

Having back tracked,  a new version of the "key add" syscall might be
needed to include the CRL.  The kernel could extract what it needs from
the revoked certificates (and CRL) to be stored on the blacklist
keyring.

Mimi