linux/include/crypto
David Howells 46963b774d KEYS: Overhaul key identification when searching for asymmetric keys
Make use of the new match string preparsing to overhaul key identification
when searching for asymmetric keys.  The following changes are made:

 (1) Use the previously created asymmetric_key_id struct to hold the following
     key IDs derived from the X.509 certificate or PKCS#7 message:

	id: serial number + issuer
	skid: subjKeyId + subject
	authority: authKeyId + issuer

 (2) Replace the hex fingerprint attached to key->type_data[1] with an
     asymmetric_key_ids struct containing the id and the skid (if present).

 (3) Make the asymmetric_type match data preparse select one of two searches:

     (a) An iterative search for the key ID given if prefixed with "id:".  The
     	 prefix is expected to be followed by a hex string giving the ID to
     	 search for.  The criterion key ID is checked against all key IDs
     	 recorded on the key.

     (b) A direct search if the key ID is not prefixed with "id:".  This will
     	 look for an exact match on the key description.

 (4) Make x509_request_asymmetric_key() take a key ID.  This is then converted
     into "id:<hex>" and passed into keyring_search() where match preparsing
     will turn it back into a binary ID.

 (5) X.509 certificate verification then takes the authority key ID and looks
     up a key that matches it to find the public key for the certificate
     signature.

 (6) PKCS#7 certificate verification then takes the id key ID and looks up a
     key that matches it to find the public key for the signed information
     block signature.

Additional changes:

 (1) Multiple subjKeyId and authKeyId values on an X.509 certificate cause the
     cert to be rejected with -EBADMSG.

 (2) The 'fingerprint' ID is gone.  This was primarily intended to convey PGP
     public key fingerprints.  If PGP is supported in future, this should
     generate a key ID that carries the fingerprint.

 (3) Th ca_keyid= kernel command line option is now converted to a key ID and
     used to match the authority key ID.  Possibly this should only match the
     actual authKeyId part and not the issuer as well.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Vivek Goyal <vgoyal@redhat.com>
2014-09-16 17:36:13 +01:00
..
internal crypto: hash - Add real ahash walk interface 2014-05-21 20:56:12 +08:00
ablk_helper.h crypto: create generic version of ablk_helper 2013-09-24 06:02:24 +10:00
aead.h [CRYPTO] aead: Add top-level givencrypt/givdecrypt calls 2008-01-11 08:16:50 +11:00
aes.h crypto: aes - Move key_length in struct crypto_aes_ctx to be the last field 2009-02-18 16:48:04 +08:00
algapi.h crypto: allow blkcipher walks over AEAD data 2014-03-10 20:17:11 +08:00
authenc.h crypto: authenc - Export key parsing helper function 2013-10-16 20:56:25 +08:00
b128ops.h [CRYPTO] lib: some common 128-bit block operations, nicely centralized 2006-12-06 18:38:55 -08:00
blowfish.h crypto: blowfish - split generic and common c code 2011-09-22 21:25:25 +10:00
cast5.h crypto: cast5/cast6 - move lookup tables to shared module 2012-12-06 17:16:26 +08:00
cast6.h crypto: cast5/cast6 - move lookup tables to shared module 2012-12-06 17:16:26 +08:00
cast_common.h crypto: cast5/cast6 - move lookup tables to shared module 2012-12-06 17:16:26 +08:00
compress.h crypto: zlib - New zlib crypto module, using pcomp 2009-03-04 15:16:19 +08:00
cryptd.h crypto: cryptd - Adding the AEAD interface type support to cryptd 2010-09-20 16:05:12 +08:00
crypto_wq.h crypto: api - Use dedicated workqueue for crypto subsystem 2009-02-19 14:33:40 +08:00
ctr.h [CRYPTO] ctr: Refactor into ctr and rfc3686 2008-01-11 08:16:41 +11:00
des.h [CRYPTO] des: Create header file for common macros 2008-01-11 08:16:02 +11:00
gf128mul.h Update broken web addresses in the kernel. 2010-10-18 11:03:14 +02:00
hash.h crypto: shash - Fix digest size offset 2009-07-15 21:16:05 +08:00
hash_info.h crypto: provide single place for hash algo information 2013-10-25 17:14:03 -04:00
if_alg.h net: remove mm.h inclusion from netdevice.h 2011-06-21 19:17:20 -07:00
lrw.h crypto: lrw - add interface for parallelized cipher implementions 2011-11-09 11:50:31 +08:00
md5.h crypto: md5 - Add export support 2010-01-17 21:55:31 +11:00
null.h crypto: export NULL algorithms defines 2014-03-21 21:54:26 +08:00
padlock.h crypto: padlock - Move padlock.h into include/crypto 2011-01-07 14:52:00 +11:00
pcrypt.h crypto: pcrypt - Add pcrypt crypto parallelization wrapper 2010-01-07 15:57:19 +11:00
pkcs7.h PKCS#7: Find intersection between PKCS#7 message and known, trusted keys 2014-07-08 13:50:15 +01:00
public_key.h KEYS: Overhaul key identification when searching for asymmetric keys 2014-09-16 17:36:13 +01:00
rng.h crypto: rng - RNG interface and implementation 2008-08-29 15:50:04 +10:00
scatterwalk.h crypto: scatterwalk - Use sg_chain_ptr on chain entries 2013-12-09 19:58:52 +08:00
serpent.h crypto: serpent-sse2 - add lrw support 2011-11-21 16:13:24 +08:00
sha.h crypto: sha512 - Expose generic sha512 routine to be callable from other modules 2013-04-25 21:00:57 +08:00
skcipher.h [CRYPTO] skcipher: Add top-level givencrypt/givdecrypt calls 2008-01-11 08:16:49 +11:00
twofish.h crypto: twofish-x86_64-3way - add lrw support 2011-11-09 11:53:32 +08:00
vmac.h crypto: vmac - Make VMAC work when blocks aren't aligned 2012-10-15 22:33:20 +08:00
xts.h crypto: xts: add interface for parallelized cipher implementations 2011-11-09 11:56:06 +08:00