Merge tag 'keys-next-20140805' of...

Merge tag 'keys-next-20140805' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next

Merge tag 'keys-next-20140805' of...
Merge tag 'keys-next-20140805' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into next
478d0855 · James Morris · 103ae675 · cf5b50fd · 478d0855 · 478d0855
Commit 478d0855 authored Aug 06, 2014 by James Morris
5 changed files
--- a/crypto/asymmetric_keys/pkcs7_key_type.c
+++ b/crypto/asymmetric_keys/pkcs7_key_type.c
@@ -70,7 +70,7 @@ static int pkcs7_preparse(struct key_preparsed_payload *prep)
 * user defined keys take an arbitrary string as the description and an
 * arbitrary blob of data as the payload
 */
-struct key_type key_type_pkcs7 = {
+static struct key_type key_type_pkcs7 = {
 	.name			= "pkcs7_test",
 	.def_lookup_type	= KEYRING_SEARCH_LOOKUP_DIRECT,
 	.preparse		= pkcs7_preparse,

--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -20,55 +20,6 @@
 #include "public_key.h"
 #include "pkcs7_parser.h"

-/*
- * Request an asymmetric key.
- */
-static struct key *pkcs7_request_asymmetric_key(
-	struct key *keyring,
-	const char *signer, size_t signer_len,
-	const char *authority, size_t auth_len)
-{
-	key_ref_t key;
-	char *id;
-
-	kenter(",%zu,,%zu", signer_len, auth_len);
-
-	/* Construct an identifier. */
-	id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL);
-	if (!id)
-		return ERR_PTR(-ENOMEM);
-
-	memcpy(id, signer, signer_len);
-	id[signer_len + 0] = ':';
-	id[signer_len + 1] = ' ';
-	memcpy(id + signer_len + 2, authority, auth_len);
-	id[signer_len + 2 + auth_len] = 0;
-
-	pr_debug("Look up: \"%s\"\n", id);
-
-	key = keyring_search(make_key_ref(keyring, 1),
-			     &key_type_asymmetric, id);
-	if (IS_ERR(key))
-		pr_debug("Request for module key '%s' err %ld\n",
-			 id, PTR_ERR(key));
-	kfree(id);
-
-	if (IS_ERR(key)) {
-		switch (PTR_ERR(key)) {
-			/* Hide some search errors */
-		case -EACCES:
-		case -ENOTDIR:
-		case -EAGAIN:
-			return ERR_PTR(-ENOKEY);
-		default:
-			return ERR_CAST(key);
-		}
-	}
-
-	pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key_ref_to_ptr(key)));
-	return key_ref_to_ptr(key);
-}
-
 /**
 * Check the trust on one PKCS#7 SignedInfo block.
 */
@@ -98,10 +49,8 @@ int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
 		/* Look to see if this certificate is present in the trusted
 		 * keys.
 		 */
-		key = pkcs7_request_asymmetric_key(
-			trust_keyring,
-			x509->subject, strlen(x509->subject),
-			x509->fingerprint, strlen(x509->fingerprint));
+		key = x509_request_asymmetric_key(trust_keyring, x509->subject,
+						  x509->fingerprint);
 		if (!IS_ERR(key))
 			/* One of the X.509 certificates in the PKCS#7 message
 			 * is apparently the same as one we already trust.
@@ -133,10 +82,8 @@ int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
 		return -ENOKEY;
 	}

-	key = pkcs7_request_asymmetric_key(
-		trust_keyring,
-		last->issuer, strlen(last->issuer),
-		last->authority, strlen(last->authority));
+	key = x509_request_asymmetric_key(trust_keyring, last->issuer,
+					  last->authority);
 	if (IS_ERR(key))
 		return PTR_ERR(key) == -ENOMEM ? -ENOMEM : -ENOKEY;
 	x509 = last;

--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -190,14 +190,12 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
 		if (ret < 0)
 			return ret;

-		if (x509->issuer)
-			pr_debug("- issuer %s\n", x509->issuer);
+		pr_debug("- issuer %s\n", x509->issuer);
 		if (x509->authority)
 			pr_debug("- authkeyid %s\n", x509->authority);

 		if (!x509->authority ||
-		    (x509->subject &&
-		     strcmp(x509->subject, x509->issuer) == 0)) {
+		    strcmp(x509->subject, x509->issuer) == 0) {
 			/* If there's no authority certificate specified, then
 			 * the certificate must be self-signed and is the root
 			 * of the chain.  Likewise if the cert is its own

--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -43,36 +43,41 @@ static int __init ca_keys_setup(char *str)
 __setup("ca_keys=", ca_keys_setup);
 #endif

-/*
- * Find a key in the given keyring by issuer and authority.
+/**
+ * x509_request_asymmetric_key - Request a key by X.509 certificate params.
+ * @keyring: The keys to search.
+ * @subject: The name of the subject to whom the key belongs.
+ * @key_id: The subject key ID as a hex string.
+ *
+ * Find a key in the given keyring by subject name and key ID.  These might,
+ * for instance, be the issuer name and the authority key ID of an X.509
+ * certificate that needs to be verified.
 */
-static struct key *x509_request_asymmetric_key(struct key *keyring,
-					       const char *signer,
-					       size_t signer_len,
-					       const char *authority,
-					       size_t auth_len)
+struct key *x509_request_asymmetric_key(struct key *keyring,
+					const char *subject,
+					const char *key_id)
 {
 	key_ref_t key;
+	size_t subject_len = strlen(subject), key_id_len = strlen(key_id);
 	char *id;

-	/* Construct an identifier. */
-	id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL);
+	/* Construct an identifier "<subjname>:<keyid>". */
+	id = kmalloc(subject_len + 2 + key_id_len + 1, GFP_KERNEL);
 	if (!id)
 		return ERR_PTR(-ENOMEM);

-	memcpy(id, signer, signer_len);
-	id[signer_len + 0] = ':';
-	id[signer_len + 1] = ' ';
-	memcpy(id + signer_len + 2, authority, auth_len);
-	id[signer_len + 2 + auth_len] = 0;
+	memcpy(id, subject, subject_len);
+	id[subject_len + 0] = ':';
+	id[subject_len + 1] = ' ';
+	memcpy(id + subject_len + 2, key_id, key_id_len);
+	id[subject_len + 2 + key_id_len] = 0;

 	pr_debug("Look up: \"%s\"\n", id);

 	key = keyring_search(make_key_ref(keyring, 1),
 			     &key_type_asymmetric, id);
 	if (IS_ERR(key))
-		pr_debug("Request for module key '%s' err %ld\n",
-			 id, PTR_ERR(key));
+		pr_debug("Request for key '%s' err %ld\n", id, PTR_ERR(key));
 	kfree(id);

 	if (IS_ERR(key)) {
@@ -91,6 +96,7 @@ static struct key *x509_request_asymmetric_key(struct key *keyring,
 		 key_serial(key_ref_to_ptr(key)));
 	return key_ref_to_ptr(key);
 }
+EXPORT_SYMBOL_GPL(x509_request_asymmetric_key);

 /*
 * Set up the signature parameters in an X.509 certificate.  This involves
@@ -193,9 +199,7 @@ static int x509_validate_trust(struct x509_certificate *cert,
 		return -EPERM;

 	key = x509_request_asymmetric_key(trust_keyring,
-					  cert->issuer, strlen(cert->issuer),
-					  cert->authority,
-					  strlen(cert->authority));
+					  cert->issuer, cert->authority);
 	if (!IS_ERR(key))  {
 		if (!use_builtin_keys
 		    || test_bit(KEY_FLAG_BUILTIN, &key->flags))

--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -98,4 +98,8 @@ struct key;
 extern int verify_signature(const struct key *key,
 			    const struct public_key_signature *sig);

+extern struct key *x509_request_asymmetric_key(struct key *keyring,
+					       const char *issuer,
+					       const char *key_id);
+
 #endif /* _LINUX_PUBLIC_KEY_H */