Re: [PATCH 08/13] KEYS: Overhaul key identification when searching for asymmetric keys

From: Dmitry Kasatkin
Date: Fri Oct 03 2014 - 08:23:46 EST


On 03/10/14 15:12, David Howells wrote:
> Dmitry Kasatkin <d.kasatkin@xxxxxxxxxxx> wrote:
>
>> Also I noticed that output of 'keyctl show' and 'cat /proc/keys' output
>> also has changed in respect of certificate ids..
>>
>> Those ids does not look any close to my kernel X509 X509v3 Subject Key
>> Identifier, which is:
>> 92:63:05:D6:DD:A6:6F:47:13:9E:B4:E3:CB:25:A6:AD:EF:52:7F:08
>>
>> proc/keys shows
>>
>> symmetri Magrathea: Glacier signing key: d9e2e4c6951f1e83: X509.RSA
>> 6865612e68326732 []
>>
>> Very different ids..
>>
>> How could I match certificate now?
> There are two IDs available:
>
> id: serial number + issuer
> skid: subjKeyId + subject
>
> You can use either of them and their content is somewhat negotiable. Note
> that they are both compound IDs at this point.
>
> We have to move away from using subjKeyId for module signatures because we
> have to be able to deal with keys that don't have one. Blech, but the PKCS
> specs suck somewhat.
>
> This is why I want to move to using detached-data PKCS#7 certs as the
> signature. We have the PKCS#7 handling in the kernel now for doing kexec.

I looked to the code and understood...

See my patches please.

- Dmitry

> David
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/