OpenCloudOS-Kernel/crypto/asymmetric_keys
Mat Martineau acddc72015 KEYS: Fix for erroneous trust of incorrectly signed X.509 certs
Arbitrary X.509 certificates without authority key identifiers (AKIs)
can be added to "trusted" keyrings, including IMA or EVM certs loaded
from the filesystem. Signature verification is currently bypassed for
certs without AKIs.

Trusted keys were recently refactored, and this bug is not present in
4.6.

restrict_link_by_signature should return -ENOKEY (no matching parent
certificate found) if the certificate being evaluated has no AKIs,
instead of bypassing signature checks and returning 0 (new certificate
accepted).

Reported-by: Petko Manolov <petkan@mip-labs.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
2016-07-18 12:19:47 +10:00
..
.gitignore X.509: Add a crypto key parser for binary (DER) X.509 certificates 2012-10-08 13:50:22 +10:30
Kconfig Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2016-05-30 15:20:18 -07:00
Makefile X.509: Move the trust validation code out to its own file 2016-04-11 22:42:55 +01:00
asymmetric_keys.h KEYS: Generalise x509_request_asymmetric_key() 2016-04-11 22:41:56 +01:00
asymmetric_type.c KEYS: Generalise x509_request_asymmetric_key() 2016-04-11 22:41:56 +01:00
mscode.asn1 pefile: Parse the "Microsoft individual code signing" data blob 2014-07-09 14:58:37 +01:00
mscode_parser.c pefile: Fix the failure of calculation for digest 2016-07-18 12:19:46 +10:00
pkcs7.asn1 PKCS#7: Appropriately restrict authenticated attributes and content type 2015-08-12 17:01:01 +01:00
pkcs7_key_type.c KEYS: The PKCS#7 test key type should use the secondary keyring 2016-05-11 14:31:55 +01:00
pkcs7_parser.c KEYS: Generalise system_verify_data() to provide access to internal content 2016-04-06 16:14:24 +01:00
pkcs7_parser.h PKCS#7: Make trust determination dependent on contents of trust keyring 2016-04-06 16:14:24 +01:00
pkcs7_trust.c KEYS: Generalise x509_request_asymmetric_key() 2016-04-11 22:41:56 +01:00
pkcs7_verify.c PKCS#7: Fix panic when referring to the empty AKID when DEBUG defined 2016-07-18 12:19:44 +10:00
public_key.c KEYS: Allow authentication data to be stored in an asymmetric key 2016-04-06 16:13:33 +01:00
restrict.c KEYS: Fix for erroneous trust of incorrectly signed X.509 certs 2016-07-18 12:19:47 +10:00
signature.c KEYS: Add identifier pointers to public_key_signature struct 2016-04-06 16:13:33 +01:00
verify_pefile.c PKCS#7: Make trust determination dependent on contents of trust keyring 2016-04-06 16:14:24 +01:00
verify_pefile.h KEYS: Generalise system_verify_data() to provide access to internal content 2016-04-06 16:14:24 +01:00
x509.asn1 X.509: Add bits needed for PKCS#7 2014-07-01 16:40:19 +01:00
x509_akid.asn1 X.509: Extract both parts of the AuthorityKeyIdentifier 2015-08-07 16:26:13 +01:00
x509_cert_parser.c X.509: Extract signature digest and make self-signed cert checks earlier 2016-04-06 16:13:34 +01:00
x509_parser.h KEYS: Move the point of trust determination to __key_link() 2016-04-11 22:43:43 +01:00
x509_public_key.c KEYS: Move the point of trust determination to __key_link() 2016-04-11 22:43:43 +01:00