[PATCH 0/9] KEYS: Improve asymmetric key and PKCS#7 handling

From: David Howells
Date: Fri Sep 12 2014 - 15:05:23 EST



Here are some patches to improve the matching of asymmetric keys and to
improve the handling of PKCS#7 certificates:

(1) Provide a method to preparse the data supplied for matching a key. This
permits they key type to extract out the bits it needs for matching once
only.

Further, the type of search (direct lookup or iterative) can be set and
the function used to actually check the match can be set by preparse
rather than being hard coded for the type.

(2) Improves asymmetric keys identification.

Keys derived from X.509 certs now get labelled with IDs derived from their
issuer and certificate number (required to match PKCS#7) and from their
SKID and subject (required to match X.509).

IDs are now binary and match criterion preparsing is provided so that
criteria can be turned into binary blobs to make matching faster.

(3) Improves PKCS#7 message handling to permit PKCS#7 messages without X.509
cert lists to be matched to trusted keys, thereby allowing minimally sized
PKCS#7 certs to be used.

(4) Improves PKCS#7 message handling to better handle certificate chains that
are broken due to unsupported crypto that can otherwise by used to
intersect a trust keyring.

They can be found here also:

http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-pkcs7

David
---
David Howells (9):
Provide a binary to hex conversion function
KEYS: Preparse match data
KEYS: Remove key_type::def_lookup_type
KEYS: Remove key_type::match in favour of overriding default by match_preparse
KEYS: Make the key matching functions return bool
KEYS: Implement binary asymmetric key ID handling
KEYS: Overhaul key identification when searching for asymmetric keys
PKCS#7: Better handling of unsupported crypto
PKCS#7: Handle PKCS#7 messages that contain no X.509 certs


crypto/asymmetric_keys/asymmetric_keys.h | 8 +
crypto/asymmetric_keys/asymmetric_type.c | 213 +++++++++++++++++++++--------
crypto/asymmetric_keys/pkcs7_key_type.c | 2
crypto/asymmetric_keys/pkcs7_parser.c | 38 ++++-
crypto/asymmetric_keys/pkcs7_parser.h | 7 -
crypto/asymmetric_keys/pkcs7_trust.c | 72 +++++++---
crypto/asymmetric_keys/pkcs7_verify.c | 105 ++++++++++----
crypto/asymmetric_keys/x509_cert_parser.c | 55 ++++---
crypto/asymmetric_keys/x509_parser.h | 6 +
crypto/asymmetric_keys/x509_public_key.c | 102 ++++++++------
fs/cifs/cifs_spnego.c | 1
fs/cifs/cifsacl.c | 1
fs/nfs/idmap.c | 2
include/crypto/public_key.h | 5 -
include/keys/asymmetric-type.h | 38 +++++
include/keys/user-type.h | 1
include/linux/kernel.h | 1
include/linux/key-type.h | 34 ++++-
lib/hexdump.c | 18 ++
net/ceph/crypto.c | 1
net/dns_resolver/dns_key.c | 18 ++
net/rxrpc/ar-key.c | 2
security/keys/big_key.c | 2
security/keys/encrypted-keys/encrypted.c | 1
security/keys/internal.h | 10 +
security/keys/key.c | 2
security/keys/keyring.c | 59 +++++---
security/keys/proc.c | 8 +
security/keys/process_keys.c | 13 +-
security/keys/request_key.c | 21 ++-
security/keys/request_key_auth.c | 6 -
security/keys/trusted.c | 1
security/keys/user_defined.c | 14 --
33 files changed, 584 insertions(+), 283 deletions(-)

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/