diff options
author | Dmitry Kasatkin <d.kasatkin@samsung.com> | 2014-10-06 18:21:05 +0400 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2014-10-06 18:21:05 +0400 |
commit | f1b731dbc2530cab93fcfc5fcb18c9f3a100feeb (patch) | |
tree | b5b02c3fd51b13e11a5212e4b726f5e2df653f8a /crypto/asymmetric_keys/x509_public_key.c | |
parent | dd2f6c4481debfa389c1f2b2b1d5bd6449c42611 (diff) | |
download | linux-f1b731dbc2530cab93fcfc5fcb18c9f3a100feeb.tar.xz |
KEYS: Restore partial ID matching functionality for asymmetric keys
Bring back the functionality whereby an asymmetric key can be matched with a
partial match on one of its IDs.
Whilst we're at it, allow for the possibility of having an increased number of
IDs.
Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'crypto/asymmetric_keys/x509_public_key.c')
-rw-r--r-- | crypto/asymmetric_keys/x509_public_key.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 8bffb06b2683..6ef54495be87 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -53,13 +53,15 @@ __setup("ca_keys=", ca_keys_setup); * x509_request_asymmetric_key - Request a key by X.509 certificate params. * @keyring: The keys to search. * @kid: The key ID. + * @partial: Use partial match if true, exact if false. * * Find a key in the given keyring by subject name and key ID. These might, * for instance, be the issuer name and the authority key ID of an X.509 * certificate that needs to be verified. */ struct key *x509_request_asymmetric_key(struct key *keyring, - const struct asymmetric_key_id *kid) + const struct asymmetric_key_id *kid, + bool partial) { key_ref_t key; char *id, *p; @@ -69,8 +71,13 @@ struct key *x509_request_asymmetric_key(struct key *keyring, if (!id) return ERR_PTR(-ENOMEM); - *p++ = 'i'; - *p++ = 'd'; + if (partial) { + *p++ = 'i'; + *p++ = 'd'; + } else { + *p++ = 'e'; + *p++ = 'x'; + } *p++ = ':'; p = bin2hex(p, kid->data, kid->len); *p = 0; @@ -207,10 +214,11 @@ static int x509_validate_trust(struct x509_certificate *cert, if (!trust_keyring) return -EOPNOTSUPP; - if (ca_keyid && !asymmetric_key_id_same(cert->authority, ca_keyid)) + if (ca_keyid && !asymmetric_key_id_partial(cert->authority, ca_keyid)) return -EPERM; - key = x509_request_asymmetric_key(trust_keyring, cert->authority); + key = x509_request_asymmetric_key(trust_keyring, cert->authority, + false); if (!IS_ERR(key)) { if (!use_builtin_keys || test_bit(KEY_FLAG_BUILTIN, &key->flags)) |