Message ID | 20230302164652.83571-4-eric.snowberg@oracle.com (mailing list archive) |
---|---|
State | Handled Elsewhere |
Headers | show
Return-Path: <linux-security-module-owner@vger.kernel.org> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C8140C7EE45 for <linux-security-module@archiver.kernel.org>; Thu, 2 Mar 2023 16:47:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230122AbjCBQrm (ORCPT <rfc822;linux-security-module@archiver.kernel.org>); Thu, 2 Mar 2023 11:47:42 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56118 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230070AbjCBQrg (ORCPT <rfc822;linux-security-module@vger.kernel.org>); Thu, 2 Mar 2023 11:47:36 -0500 Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 32DC34AFFE; Thu, 2 Mar 2023 08:47:29 -0800 (PST) Received: from pps.filterd (m0333521.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 322FCmhg028183; Thu, 2 Mar 2023 16:47:00 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : content-transfer-encoding : content-type : mime-version; s=corp-2022-7-12; bh=ds3EDTffAzMh8JEz+W8FxnAH9vvZstp6bSSlX0uMyow=; b=m7K1RJRi99TYbSaLE/8j3fKo6yjHAc8VEr8ug3jDKW0LzcSi5mm9QF4MtuLGfQIHBcaG 2YQ1LrsTdFoa4i0twn4zvLUhKVZhSI5cGrT8b4BmX8wNJSF2UzmS+o9O6KzQcmH2WwI9 n9M8dJvtKN6siAkdsgiTzdE5r9bJcPEK+lnj/ueJgr1U/t320uvDI8JkO2DeDJ0nJQrW ejQQvL1nLCmnDMfvuAH2N/CVDlZxVuryDu5auQWaJL6IpiTji1c1vnTsmqAbxmx/AZ90 AwllWZjS8TyHd2ydW7UEPcsz1Bm/ywjd7xNPGB9xdztCLpuC7rMQ+JNCOHaNsdBC0r5p qw== Received: from phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (phxpaimrmta01.appoci.oracle.com [138.1.114.2]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3nyb7wvfqf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 02 Mar 2023 16:47:00 +0000 Received: from pps.filterd (phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com [127.0.0.1]) by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 322FUguS000581; Thu, 2 Mar 2023 16:46:59 GMT Received: from nam12-dm6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2175.outbound.protection.outlook.com [104.47.59.175]) by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (PPS) with ESMTPS id 3ny8sa9sff-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 02 Mar 2023 16:46:59 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VVt5Ptxike8Ha7tBmgss839EpFzh9Fzz2LuwHU53ozu+CNq/H2bzePBbIVZv78ynotzIP/htijdwaK/HzltiRME9/ofv0jpgIimPqu5PYiObKte3+shz/gYtslbLAOF3OvTW0//0WxLUCbgvT/iK4TfljJWfW6m/PvzFjesUUYvySY1LyNif7TC7iizGVp83v3PH3eAjJo8WpTqz/c4bwVaJ7SLrAteyRgGZhe9NQ7epxdUgCLqAgQDths5yHp2JSmY0VBwWnfyAm2yWMgYpM8xo/7nMVJTlIa2c0WDoiB4MKwIrpZWOI6OhJlR1Kv/j4sX14GxZbQWS1ccdSUyK2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ds3EDTffAzMh8JEz+W8FxnAH9vvZstp6bSSlX0uMyow=; b=MW8aSDJQo8IqrzF58cJsixzbA+5wxnCbA1pFQOaU45BgPFsYwUb8JdWPwbE6KUTeLCG+5EfuTp/xpAEZ45k4sIdnxdZXgKlqI6eIcWYlEOUYeCZvjAgSk3hYX33Wo+x6YSIicThj7X1wGd4LgK4iDasTo4E3mhaUukkpErUjAC1x2H8yb4VpX1alngC0ydKcTeQglURB8XatKjjJOLaQri2eEFw4KxxGIMp2G4MwAwW7W+GJof+JAoberzS2cBCc/cq13j7+aupyMdoROmAzG/H1h5ykEa5iGkGqqsmVOs6PZjXltYFcEZHygbTfzezIxgbJXj35uH1P4ZQaHL6sjg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ds3EDTffAzMh8JEz+W8FxnAH9vvZstp6bSSlX0uMyow=; b=Cm4iYOE9uyU5NwUM81rKjBCVlYxBgpbmhWULpEhwIW/jlMEj117iUYmB6OXCJ5knpLLJfv7/G108AFwZAS4OWk70wvXzm5t8VXiccYhLT2CG6jX9qKi6b+0AfE5zSsaBCJFeciciUbQ76Rwmlkeg573MTgkwZHcpzzZXEFw6XMA= Received: from CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) by DS7PR10MB5150.namprd10.prod.outlook.com (2603:10b6:5:3a1::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6156.19; Thu, 2 Mar 2023 16:46:57 +0000 Received: from CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::a326:1794:402f:1adb]) by CH2PR10MB4150.namprd10.prod.outlook.com ([fe80::a326:1794:402f:1adb%3]) with mapi id 15.20.6156.019; Thu, 2 Mar 2023 16:46:57 +0000 From: Eric Snowberg <eric.snowberg@oracle.com> To: jarkko@kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org Cc: herbert@gondor.apana.org.au, davem@davemloft.net, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, pvorel@suse.cz, eric.snowberg@oracle.com, kanth.ghatraju@oracle.com, konrad.wilk@oracle.com, erpalmer@linux.vnet.ibm.com, coxu@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v5 3/6] KEYS: X.509: Parse Basic Constraints for CA Date: Thu, 2 Mar 2023 11:46:49 -0500 Message-Id: <20230302164652.83571-4-eric.snowberg@oracle.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20230302164652.83571-1-eric.snowberg@oracle.com> References: <20230302164652.83571-1-eric.snowberg@oracle.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain X-ClientProxiedBy: SJ0PR03CA0280.namprd03.prod.outlook.com (2603:10b6:a03:39e::15) To CH2PR10MB4150.namprd10.prod.outlook.com (2603:10b6:610:ac::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: CH2PR10MB4150:EE_|DS7PR10MB5150:EE_ X-MS-Office365-Filtering-Correlation-Id: 4b7999d2-f1d3-46ca-a7d6-08db1b3dbc4b X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: NtDH1qtf14yKF5Vg1UXVv66A5o+xRjfM/Dxlzo+tOXRVUloEsrsYw6USfanWbel0P6vprdpnQdSzJ1BPc8s57FXHDPekDkXXinmNMzRUUOsVe/x/jKxuhNjnKLwgYAfhU6fpCO5dUSKEEHkZLS7TmAX9m3bKgRuadz3SKYXrPPfP0zhn0fcoIif6l0MFARxakPv0nAYRQ2FAzHxlmCVN8ezZbqEtSjT86/oJBrSOavIUvqMJ4Hq5nXfunZQMm9KkX2/OdOML6vwkIDbYTVULBytUJUaMq7VQbOionncIHAZ60uPQ9kptBVtta3xLWlUuBUF4yRju8zW1BOzf/vcAUMClM1l2a9QSbtVOXRUvHF60KkXG02qstZiuW4dCHzjYRjK25RsVXmtn78gRxAZmwDefh8Uf8/loJToFwATC9oI3g2WnvO7yEhTtvH8ViBxG+i801oPC8l2P19PYLPBCsSOmoAD/2yMpGfj4qVzCEmBAbRK4DH8yc782zFpgyje0pjWD3SiDMCAbdxxbTI2W1TZAxIDC5XxlNsx9cWiwg+76rjhM/2SW8ayPk4nuDgqTt03dqtfVL/W5LdfWjHn8JKW53YpcJ2rNiKK/U3wDZNqWFTSjJD9o2XORHYkqwi3X X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CH2PR10MB4150.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230025)(39860400002)(396003)(136003)(346002)(376002)(366004)(451199018)(36756003)(86362001)(8676002)(41300700001)(66556008)(66476007)(5660300002)(7416002)(8936002)(4326008)(2906002)(44832011)(38100700002)(966005)(6486002)(316002)(478600001)(6666004)(66946007)(6512007)(1076003)(6506007)(2616005)(186003);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: DlZgxoc+SRJQ+sHa8CMa1ptH+dmwnUEMqlwtW39Q4Nw65RI4fvcqByts812PJn0hZT3r8AjJetIMbkPg8YpTkvDGlpvsDlSRqnMRJs28Oc7IPWk9ott3B5MuCdRzhuycTJhMY3ZgJPttSXoKwqFtSdSrAvjZ8A8pPdm36ML/u/a+YlzoEMnVhrou6Uf7wPXiKWfUqq4ULQ0/E4ngspjulTvfe7MJNu3IH8cNFBW2DvtkZswYm7RMuhEOpmObM0cJL8fjmwrE1KBAoujj32481rPjju/klKQ9BY1pmLLhA5tMcJQM4lZe9nboCEBuTQdTevtQoCHZSA2lm/5giQ/SS03B45IFQAuqkPoe5pBfHWTDHcw6atuV00rIX9E9WgWdpFK5u2UfPT2csxGdImxmhfx7iOyr0nu+po1XR6xslX90zP2fZvXbPkLZToJUCfIYVZtvApmaqWQawzMa2vCt8szcygPD9NL5iYrZMzzBT8QC3WUJD+yXn4+38FZkD5qmr3M/hK0wGwEub9pVqWqsCrsqqhFLxY/7S2d20v3AIn/cktQ802W32qhXH4wPsqvdZwxpHOG1LT4qzfThCSU8eqq0o4Q2MTTwHIW56gss/go6S4JvSA9HtT+YUPzuUMfFeOK474jPFE2RTOAjgCBppexyKwdohc3TjXeoRRxC3bE3f/BL05BFxWoSOonOwJeaCpKbheXFUUYerMKaQoKyB7Xf37lal83E9w5+N519RBSAC/3ROU0IOGOO7ILjKr5ROV0tVvhtqSVo+E4yBdUYKjXoAhvxyesK6ti/iPRwHQgQuM1D07ARNts1Bw2gfl6iOd0CHkY0sxSWmw0iCUkhqyWW8mFWJk1xt3O1hABd7lWdlenBJAMF3hzoSoXnHpaUZLr7Hu0fu/3+clhirsDosdFHH7bt39jYR3KUJjAhBBw4K59L799f3Ck6S3qIi8ND8Oc31ZQ3YogyZJXzPhSXNRoUFm4IwfPyZN/LOCJSu7Nu15UOe8VHnvB4G2M6B/sizMlFqlxZL0tyTEg1pwDRRsO5texGKLnK9esSj9svjpUM3ePfE1bxBiiYC3b5mfEk1XP/Rs2Ts/t5n/Nl9K4vPsDQ7DH3RMzFcJoTT4LUMb7h9UTlaQIQEFpeLk+5EAlQBRXzYvS6hkDsUZvlspF6OewXWhUFSN+2sVW6abSzSLVCdRaECYBi6uS1CEYJIbKPFeIxiULawwwIVNnBc/XzSCixFbvpLMYgKF1MyOIKS1yhjZa5qDvFthDs/IMBQaCq6wKZXGuHUSZiBlIYlBbLVgIeLJ0eKnmmRvlDDDevIloN6Dm/O5D/8nbNi+Vd+W8Ar/6uNPBjKZwEJGYLuc82RGbtBafZ1I8VAb8sotsCUE/iIru3nNFEbi14kM0ycQn/sWkf+EzllRVywUUHN4g85GVfDYVNIqIeUsz+oP4gaf7MQvlRCxRa1JzpQj3f1Zf7+WWdaZvY+9jgnMWZYdlg0CBHmP4sNK2/k/MX3IBabttoYr2e1SbVhvT53q0Vsk14J8Fofr7sqIzTyk8NZf5WUShX4Sxe+84zR4ewfC3dR/4BxHH1xyprb+v9ws314AcKOoyLZ45y/CRR9/IqXrARsQTVTDHwPEkEIKPxlOcyrKI= X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: jMmgT7Um/c/Awyb64mMHnHcgM5mFN+s2HM31ARHxkJChFv//lR+s4+xyj9EobICiKu2pIwPjn6QYq3BE7612jw3ciVk9eSf/NGEKSzQFgiK5ScFOyGH8mbfIwMJuv+dfrX1X73KW2ynAtRBQaQb2SHd+GQHvbKwJvYrmzMG654BEufqbv6OwT5pQ9eOW8CYLgzf9JAKWgwErYYkF0c7IE8lTywc0qcQ2f+CyihRM3pUaGnU47V7baDDjg2GwvhS+4SWyK2iJhXdjxQNp7tuLh0dSuNfMLvQmAk5BO0mvgyWJgkxAi8Lj+O8poZAT/HKwY9mrpwcBhWkRfdm4m17fXUuUmgjjhaM5f4PzYlIcVthI33wFy0ycmVpHDaGkpu7BXdP8lI7c5LjeLh8u12698WvOR5jhSWKqj8+7C8cMsTN1ylI6GfVxkVPibisFvfEyg9EmPvKj0fZHjN3fZMH1K9+xV1M4YymJlGwDrGlW+sQPHU44pWk5SYW8UNj+tCAr3ADOs65z38sWbMsY3gRTpMnDiEGHHPqrX/Xx6T/SKScDl+f8sk1NDuFX5fp3w7TEFbtpaI9scIrMbMoqKmbra+0uoODpsUTS/oLZLECYKEzVe7Fy/H0iRKPygpb0RzPa8YyjTOdiX91Q9XHQyDGMCvo+0nC9qo9sliB+xdzI8ZXfxTa5dt/+EYcgqL8IRTpbdt5Z8splsjBWvMgI0Q8tI5JY94qNOfCQt0RxmwxPPai4X4xI7p8MS+UsIwCo74mIUwnJQIWogMFitMa2BmaHUux7U0fp2DVA4UyYikEwP8Gt3X9b/qaBT1f3j/ek/tq18Kb+9xTDHuDTM9rbKpcgiCYk6uQJJBjJk+yuxOnvFfZZttXZMy69RO2PCk6TBs+0McFv8q9tZr7saUHd6BgEreNI/wWEFR9D+LcmoWzZK4RnmIplCkie3WZPZwD64ROFIx2NbCWveSIH4Y0MNUDotrQEGnnNyHeY2hsvHMsIAp4r4A5eMKDFT855YNskbmbfF3u1onu66Ltyb50Pzb2H5Hxmxoje6vLCnqk7QiV3wUjqMexS0NmTtdG4ot3dVf2R/zCh32gwQmpl3VjL1J+aaVwEZo6fAr6otYLDe+D0I4p1/FasxsJGHomlzaLY+4821A1fXrfl6f5Z7o0ShoAYcEBK4CG3SGNQT7RGGQfYKvM= X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 4b7999d2-f1d3-46ca-a7d6-08db1b3dbc4b X-MS-Exchange-CrossTenant-AuthSource: CH2PR10MB4150.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Mar 2023 16:46:57.0806 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: 4wMRyb66OFQyi70WfzCewRZM0HogrdQENiDawkbArdIFCp1yWAugRmLQn0f4L4PwI4kCj5DvOzhMGI3p6aaOxdpcSrvmya4mpd5ADiCbUCw= X-MS-Exchange-Transport-CrossTenantHeadersStamped: DS7PR10MB5150 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-02_10,2023-03-02_02,2023-02-09_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 mlxlogscore=999 phishscore=0 bulkscore=0 spamscore=0 suspectscore=0 adultscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2303020146 X-Proofpoint-GUID: 0qX1nu4vHPoXAgJg-1qMkVj_Xg0j0jkh X-Proofpoint-ORIG-GUID: 0qX1nu4vHPoXAgJg-1qMkVj_Xg0j0jkh Precedence: bulk List-ID: <linux-security-module.vger.kernel.org> |
Series |
Add CA enforcement keyring restrictions
|
expand
|
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 7a9b084e2043..77547d4bd94d 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -586,6 +586,28 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_basicConstraints) { + /* + * Get hold of the basicConstraints + * v[1] is the encoding size + * (Expect 0x2 or greater, making it 1 or more bytes) + * v[2] is the encoding type + * (Expect an ASN1_BOOL for the CA) + * v[3] is the contents of the ASN1_BOOL + * (Expect 1 if the CA is TRUE) + * vlen should match the entire extension size + */ + if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ)) + return -EBADMSG; + if (vlen < 2) + return -EBADMSG; + if (v[1] != vlen - 2) + return -EBADMSG; + if (vlen >= 4 && v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1) + ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_CA; + return 0; + } + return 0; } diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 6d61695e1cde..c401762850f2 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -28,6 +28,8 @@ struct public_key { bool key_is_private; const char *id_type; const char *pkey_algo; + unsigned long key_eflags; /* key extension flags */ +#define KEY_EFLAG_CA 0 /* set if the CA basic constraints is set */ }; extern void public_key_free(struct public_key *key);