summaryrefslogtreecommitdiff
path: root/crypto/asymmetric_keys/x509_public_key.c
diff options
context:
space:
mode:
authorDmitry Kasatkin <d.kasatkin@samsung.com>2014-10-06 18:21:05 +0400
committerDavid Howells <dhowells@redhat.com>2014-10-06 18:21:05 +0400
commitf1b731dbc2530cab93fcfc5fcb18c9f3a100feeb (patch)
treeb5b02c3fd51b13e11a5212e4b726f5e2df653f8a /crypto/asymmetric_keys/x509_public_key.c
parentdd2f6c4481debfa389c1f2b2b1d5bd6449c42611 (diff)
downloadlinux-f1b731dbc2530cab93fcfc5fcb18c9f3a100feeb.tar.xz
KEYS: Restore partial ID matching functionality for asymmetric keys
Bring back the functionality whereby an asymmetric key can be matched with a partial match on one of its IDs. Whilst we're at it, allow for the possibility of having an increased number of IDs. Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'crypto/asymmetric_keys/x509_public_key.c')
-rw-r--r--crypto/asymmetric_keys/x509_public_key.c18
1 files changed, 13 insertions, 5 deletions
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 8bffb06b2683..6ef54495be87 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -53,13 +53,15 @@ __setup("ca_keys=", ca_keys_setup);
* x509_request_asymmetric_key - Request a key by X.509 certificate params.
* @keyring: The keys to search.
* @kid: The key ID.
+ * @partial: Use partial match if true, exact if false.
*
* Find a key in the given keyring by subject name and key ID. These might,
* for instance, be the issuer name and the authority key ID of an X.509
* certificate that needs to be verified.
*/
struct key *x509_request_asymmetric_key(struct key *keyring,
- const struct asymmetric_key_id *kid)
+ const struct asymmetric_key_id *kid,
+ bool partial)
{
key_ref_t key;
char *id, *p;
@@ -69,8 +71,13 @@ struct key *x509_request_asymmetric_key(struct key *keyring,
if (!id)
return ERR_PTR(-ENOMEM);
- *p++ = 'i';
- *p++ = 'd';
+ if (partial) {
+ *p++ = 'i';
+ *p++ = 'd';
+ } else {
+ *p++ = 'e';
+ *p++ = 'x';
+ }
*p++ = ':';
p = bin2hex(p, kid->data, kid->len);
*p = 0;
@@ -207,10 +214,11 @@ static int x509_validate_trust(struct x509_certificate *cert,
if (!trust_keyring)
return -EOPNOTSUPP;
- if (ca_keyid && !asymmetric_key_id_same(cert->authority, ca_keyid))
+ if (ca_keyid && !asymmetric_key_id_partial(cert->authority, ca_keyid))
return -EPERM;
- key = x509_request_asymmetric_key(trust_keyring, cert->authority);
+ key = x509_request_asymmetric_key(trust_keyring, cert->authority,
+ false);
if (!IS_ERR(key)) {
if (!use_builtin_keys
|| test_bit(KEY_FLAG_BUILTIN, &key->flags))