mbox series

[RFC,0/8] Crypto operations by key ID

Message ID 20221118211624.19298-1-prestwoj@gmail.com (mailing list archive)
Headers show
Series Crypto operations by key ID | expand

Message

James Prestwood Nov. 18, 2022, 9:16 p.m. UTC 
This adds support for several key based crypto opterations but
instead of using a key directly it uses a key ID. This avoids
the need for ELL to ever hold a copy of the key assuming it
already exists in the kernel.

The motivation behind this is to enhance IWDs profile encryption.
Currently this uses a systemd feature but ultimately the secret
key is decrypted and put onto the file system for IWD to use.
This isn't desirable and it would be better if the key never hits
the FS, and even better if IWD never even sees it. This would
allow some external, trusted, entity (e.g. PAM/systemd-logind) to
set a secret key into the kernel upon user login (e.g. the users
password). This key ID could then be used by IWD to encrypt
profiles without ever seeing the actual key.

James Prestwood (8):
  key: add l_key_search
  unit: add key search test
  checksum: commonize checksum creation
  checksum: add l_checksum_new_hmac_from_key_id
  cert-crypto: refactor l_cert_pkcs5_pbkdf2
  cert: add l_cert_pkcs5_pbkdf2_from_key_id
  cert: add explicit length to l_cert_pkcs5_pbkdf2
  unit: update test-pbkdf2 with API change

 ell/cert-crypto.c  |  97 +++++++++++++++++++++++++++-----------
 ell/cert.h         |   7 ++-
 ell/checksum.c     | 114 ++++++++++++++++++++-------------------------
 ell/checksum.h     |   2 +
 ell/ell.sym        |   3 ++
 ell/key.c          |  46 ++++++++++++++++++
 ell/key.h          |   3 ++
 unit/test-key.c    |  26 +++++++++++
 unit/test-pbkdf2.c |   1 +
 9 files changed, 208 insertions(+), 91 deletions(-)