Merge remote-tracking branch 'integrity/next-with-keys' into keys-next
index 436fbd8552fc4c06ffc8b1464bb1b3fa18e2d253..a0f7cd196c9b031f1448f1c3b9c2795a56301b48 100644 (file)
 #include "public_key.h"
 #include "x509_parser.h"
 
+static bool use_builtin_keys;
+static char *ca_keyid;
+
+#ifndef MODULE
+static int __init ca_keys_setup(char *str)
+{
+       if (!str)               /* default system keyring */
+               return 1;
+
+       if (strncmp(str, "id:", 3) == 0)
+               ca_keyid = str; /* owner key 'id:xxxxxx' */
+       else if (strcmp(str, "builtin") == 0)
+               use_builtin_keys = true;
+
+       return 1;
+}
+__setup("ca_keys=", ca_keys_setup);
+#endif
+
 /*
  * Find a key in the given keyring by issuer and authority.
  */
@@ -164,20 +183,23 @@ EXPORT_SYMBOL_GPL(x509_check_signature);
 static int x509_validate_trust(struct x509_certificate *cert,
                               struct key *trust_keyring)
 {
-       const struct public_key *pk;
        struct key *key;
        int ret = 1;
 
        if (!trust_keyring)
                return -EOPNOTSUPP;
 
+       if (ca_keyid && !asymmetric_keyid_match(cert->authority, ca_keyid))
+               return -EPERM;
+
        key = x509_request_asymmetric_key(trust_keyring,
                                          cert->issuer, strlen(cert->issuer),
                                          cert->authority,
                                          strlen(cert->authority));
        if (!IS_ERR(key))  {
-               pk = key->payload.data;
-               ret = x509_check_signature(pk, cert);
+               if (!use_builtin_keys
+                   || test_bit(KEY_FLAG_BUILTIN, &key->flags))
+                       ret = x509_check_signature(key->payload.data, cert);
                key_put(key);
        }
        return ret;
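Review bot: When `use_builtin_keys` is set and the key returned by x509_request_asymmetric_key lacks KEY_FLAG_BUILTIN, the new condition at `if (!use_builtin_keys` leaves `ret` at its initial value of 1 with nothing in the hunk saying that this is the intended "not validated" outcome rather than a missing else branch. A comment above that `if` would make the policy explicit, e.g. `/* ca_keys=builtin: only a built-in key may vouch for this cert; otherwise ret stays 1 (untrusted) */`. The new `ca_keyid` check also deserves a short note such as `/* ca_keys=id:... restricts trust to certs whose authority matches that one key */`, and it is worth recording that it fails with -EPERM before any keyring lookup, whereas a failed lookup (IS_ERR(key)) still yields ret == 1, so callers see two different codes for "not trusted". The closing brace of x509_validate_trust lies outside the hunk.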
@@ -262,7 +284,7 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
        __module_get(public_key_subtype.owner);
        prep->type_data[0] = &public_key_subtype;
        prep->type_data[1] = cert->fingerprint;
-       prep->payload = cert->pub;
+       prep->payload[0] = cert->pub;
        prep->description = desc;
        prep->quotalen = 100;