summaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
Diffstat (limited to 'include')
-rw-r--r--include/crypto/public_key.h5
-rw-r--r--include/keys/asymmetric-type.h38
-rw-r--r--include/keys/user-type.h1
-rw-r--r--include/linux/kernel.h1
-rw-r--r--include/linux/key-type.h34
5 files changed, 69 insertions, 10 deletions
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 0d164c6..fa73a6f 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -15,6 +15,7 @@
#define _LINUX_PUBLIC_KEY_H
#include <linux/mpi.h>
+#include <keys/asymmetric-type.h>
#include <crypto/hash_info.h>
enum pkey_algo {
@@ -98,8 +99,8 @@ struct key;
extern int verify_signature(const struct key *key,
const struct public_key_signature *sig);
+struct asymmetric_key_id;
extern struct key *x509_request_asymmetric_key(struct key *keyring,
- const char *issuer,
- const char *key_id);
+ const struct asymmetric_key_id *kid);
#endif /* _LINUX_PUBLIC_KEY_H */
diff --git a/include/keys/asymmetric-type.h b/include/keys/asymmetric-type.h
index 7dd4734..044ab0d 100644
--- a/include/keys/asymmetric-type.h
+++ b/include/keys/asymmetric-type.h
@@ -19,6 +19,44 @@
extern struct key_type key_type_asymmetric;
/*
+ * Identifiers for an asymmetric key ID. We have three ways of looking up a
+ * key derived from an X.509 certificate:
+ *
+ * (1) Serial Number & Issuer. Non-optional. This is the only valid way to
+ * map a PKCS#7 signature to an X.509 certificate.
+ *
+ * (2) Issuer & Subject Unique IDs. Optional. These were the original way to
+ * match X.509 certificates, but have fallen into disuse in favour of (3).
+ *
+ * (3) Auth & Subject Key Identifiers. Optional. SKIDs are only provided on
+ * CA keys that are intended to sign other keys, so don't appear in end
+ * user certificates unless forced.
+ *
+ * We could also support an PGP key identifier, which is just a SHA1 sum of the
+ * public key and certain parameters, but since we don't support PGP keys at
+ * the moment, we shall ignore those.
+ *
+ * What we actually do is provide a place where binary identifiers can be
+ * stashed and then compare against them when checking for an id match.
+ */
+struct asymmetric_key_id {
+ unsigned short len;
+ unsigned char data[];
+};
+
+struct asymmetric_key_ids {
+ void *id[2];
+};
+
+extern bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1,
+ const struct asymmetric_key_id *kid2);
+
+extern struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1,
+ size_t len_1,
+ const void *val_2,
+ size_t len_2);
+
+/*
* The payload is at the discretion of the subtype.
*/
diff --git a/include/keys/user-type.h b/include/keys/user-type.h
index 3ab1873..cebefb0 100644
--- a/include/keys/user-type.h
+++ b/include/keys/user-type.h
@@ -40,7 +40,6 @@ struct key_preparsed_payload;
extern int user_preparse(struct key_preparsed_payload *prep);
extern void user_free_preparse(struct key_preparsed_payload *prep);
extern int user_update(struct key *key, struct key_preparsed_payload *prep);
-extern int user_match(const struct key *key, const void *criterion);
extern void user_revoke(struct key *key);
extern void user_destroy(struct key *key);
extern void user_describe(const struct key *user, struct seq_file *m);
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index 4c52907..89a0b8e 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -500,6 +500,7 @@ static inline char * __deprecated pack_hex_byte(char *buf, u8 byte)
extern int hex_to_bin(char ch);
extern int __must_check hex2bin(u8 *dst, const char *src, size_t count);
+extern char *bin2hex(char *dst, const void *src, size_t count);
int mac_pton(const char *s, u8 *mac);
diff --git a/include/linux/key-type.h b/include/linux/key-type.h
index 44792ee..ff9f1d3 100644
--- a/include/linux/key-type.h
+++ b/include/linux/key-type.h
@@ -53,6 +53,24 @@ typedef int (*request_key_actor_t)(struct key_construction *key,
const char *op, void *aux);
/*
+ * Preparsed matching criterion.
+ */
+struct key_match_data {
+ /* Comparison function, defaults to exact description match, but can be
+ * overridden by type->match_preparse(). Should return true if a match
+ * is found and false if not.
+ */
+ bool (*cmp)(const struct key *key,
+ const struct key_match_data *match_data);
+
+ const void *raw_data; /* Raw match data */
+ void *preparsed; /* For ->match_preparse() to stash stuff */
+ unsigned lookup_type; /* Type of lookup for this search. */
+#define KEYRING_SEARCH_LOOKUP_DIRECT 0x0000 /* Direct lookup by description. */
+#define KEYRING_SEARCH_LOOKUP_ITERATE 0x0001 /* Iterative search. */
+};
+
+/*
* kernel managed key type definition
*/
struct key_type {
@@ -65,11 +83,6 @@ struct key_type {
*/
size_t def_datalen;
- /* Default key search algorithm. */
- unsigned def_lookup_type;
-#define KEYRING_SEARCH_LOOKUP_DIRECT 0x0000 /* Direct lookup by description. */
-#define KEYRING_SEARCH_LOOKUP_ITERATE 0x0001 /* Iterative search. */
-
/* vet a description */
int (*vet_description)(const char *description);
@@ -96,8 +109,15 @@ struct key_type {
*/
int (*update)(struct key *key, struct key_preparsed_payload *prep);
- /* match a key against a description */
- int (*match)(const struct key *key, const void *desc);
+ /* Preparse the data supplied to ->match() (optional). The
+ * data to be preparsed can be found in match_data->raw_data.
+ * The lookup type can also be set by this function.
+ */
+ int (*match_preparse)(struct key_match_data *match_data);
+
+ /* Free preparsed match data (optional). This should be supplied it
+ * ->match_preparse() is supplied. */
+ void (*match_free)(struct key_match_data *match_data);
/* clear some of the data from a key on revokation (optional)
* - the key's semaphore will be write-locked by the caller
OpenPOWER on IntegriCloud