X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=crypto%2Fasymmetric_keys%2Fx509_public_key.c;h=382ef0d2ff2e5e030c0068d1076155364d48f43d;hb=8ae516aa8b8161254d3e402b3348b2a9b8d1efd0;hp=6abc27f2e8a51b0a0d382a6938d818447a8bdab6;hpb=6f799c97f37fc0ee2c9c427fa0dada637394886c;p=~andy%2Flinux diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 6abc27f2e8a..382ef0d2ff2 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -18,59 +18,11 @@ #include #include #include -#include #include #include "asymmetric_keys.h" #include "public_key.h" #include "x509_parser.h" -/* - * Find a key in the given keyring by issuer and authority. - */ -static struct key *x509_request_asymmetric_key( - struct key *keyring, - const char *signer, size_t signer_len, - const char *authority, size_t auth_len) -{ - key_ref_t key; - char *id; - - /* Construct an identifier. */ - id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL); - if (!id) - return ERR_PTR(-ENOMEM); - - memcpy(id, signer, signer_len); - id[signer_len + 0] = ':'; - id[signer_len + 1] = ' '; - memcpy(id + signer_len + 2, authority, auth_len); - id[signer_len + 2 + auth_len] = 0; - - pr_debug("Look up: \"%s\"\n", id); - - key = keyring_search(make_key_ref(keyring, 1), - &key_type_asymmetric, id); - if (IS_ERR(key)) - pr_debug("Request for module key '%s' err %ld\n", - id, PTR_ERR(key)); - kfree(id); - - if (IS_ERR(key)) { - switch (PTR_ERR(key)) { - /* Hide some search errors */ - case -EACCES: - case -ENOTDIR: - case -EAGAIN: - return ERR_PTR(-ENOKEY); - default: - return ERR_CAST(key); - } - } - - pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key_ref_to_ptr(key))); - return key_ref_to_ptr(key); -} - /* * Set up the signature parameters in an X.509 certificate. This involves * digesting the signed data and extracting the signature. @@ -96,7 +48,7 @@ int x509_get_sig_params(struct x509_certificate *cert) /* Allocate the hashing algorithm we're going to need and find out how * big the hash operational data will be. */ - tfm = crypto_alloc_shash(pkey_hash_algo_name[cert->sig.pkey_hash_algo], 0, 0); + tfm = crypto_alloc_shash(hash_algo_name[cert->sig.pkey_hash_algo], 0, 0); if (IS_ERR(tfm)) return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm); @@ -150,33 +102,6 @@ int x509_check_signature(const struct public_key *pub, } EXPORT_SYMBOL_GPL(x509_check_signature); -/* - * Check the new certificate against the ones in the trust keyring. If one of - * those is the signing key and validates the new certificate, then mark the - * new certificate as being trusted. - * - * Return 0 if the new certificate was successfully validated, 1 if we couldn't - * find a matching parent certificate in the trusted list and an error if there - * is a matching certificate but the signature check fails. - */ -static int x509_validate_trust(struct x509_certificate *cert, - struct key *trust_keyring) -{ - const struct public_key *pk; - struct key *key; - int ret = 1; - - key = x509_request_asymmetric_key(trust_keyring, - cert->issuer, strlen(cert->issuer), - cert->authority, - strlen(cert->authority)); - if (!IS_ERR(key)) { - pk = key->payload.data; - ret = x509_check_signature(pk, cert); - } - return ret; -} - /* * Attempt to parse a data blob for a key as an X509 certificate. */ @@ -199,7 +124,7 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) cert->sig.pkey_hash_algo >= PKEY_HASH__LAST || !pkey_algo[cert->pub->pkey_algo] || !pkey_algo[cert->sig.pkey_algo] || - !pkey_hash_algo_name[cert->sig.pkey_hash_algo]) { + !hash_algo_name[cert->sig.pkey_hash_algo]) { ret = -ENOPKG; goto error_free_cert; } @@ -215,7 +140,7 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) cert->valid_to.tm_min, cert->valid_to.tm_sec); pr_devel("Cert Signature: %s + %s\n", pkey_algo_name[cert->sig.pkey_algo], - pkey_hash_algo_name[cert->sig.pkey_hash_algo]); + hash_algo_name[cert->sig.pkey_hash_algo]); if (!cert->fingerprint) { pr_warn("Cert for '%s' must have a SubjKeyId extension\n", @@ -230,13 +155,9 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) /* Check the signature on the key if it appears to be self-signed */ if (!cert->authority || strcmp(cert->fingerprint, cert->authority) == 0) { - ret = x509_check_signature(cert->pub, cert); /* self-signed */ + ret = x509_check_signature(cert->pub, cert); if (ret < 0) goto error_free_cert; - } else { - ret = x509_validate_trust(cert, system_trusted_keyring); - if (!ret) - prep->trusted = 1; } /* Propose a description */