@@ -17,6 +17,7 @@
#include <linux/uidgid.h>
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
+#include <crypto/public_key.h>
#include "blacklist.h"
/*
@@ -289,7 +290,9 @@ int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
{
int ret;
+ pkcs7_set_usage_flag(pkcs7, PKS_REVOCATION_PASS);
ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
+ pkcs7_clear_usage_flag(pkcs7, PKS_REVOCATION_PASS);
if (ret == 0)
return -EKEYREJECTED;
@@ -131,6 +131,26 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
return 0;
}
+void pkcs7_clear_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage)
+{
+ struct pkcs7_signed_info *sinfo;
+
+ for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
+ if (sinfo->sig)
+ clear_bit(usage, &sinfo->sig->usage_flags);
+ }
+}
+
+void pkcs7_set_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage)
+{
+ struct pkcs7_signed_info *sinfo;
+
+ for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
+ if (sinfo->sig)
+ set_bit(usage, &sinfo->sig->usage_flags);
+ }
+}
+
/**
* pkcs7_validate_trust - Validate PKCS#7 trust chain
* @pkcs7: The PKCS#7 certificate to validate
@@ -455,6 +455,10 @@ int pkcs7_verify(struct pkcs7_message *pkcs7,
return ret;
}
actual_ret = 0;
+ if (sinfo->sig) {
+ sinfo->sig->usage = usage;
+ set_bit(PKS_USAGE_SET, &sinfo->sig->usage_flags);
+ }
}
kleave(" = %d", actual_ret);
@@ -32,6 +32,9 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
struct key *trust_keyring);
+extern void pkcs7_set_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage);
+extern void pkcs7_clear_usage_flag(struct pkcs7_message *pkcs7, unsigned long usage);
+
/*
* pkcs7_verify.c
*/
@@ -49,6 +49,10 @@ struct public_key_signature {
const char *pkey_algo;
const char *hash_algo;
const char *encoding;
+ u32 usage; /* Intended usage */
+ unsigned long usage_flags;
+#define PKS_USAGE_SET 0
+#define PKS_REVOCATION_PASS 1
};
extern void public_key_signature_free(struct public_key_signature *sig);
Add two new fields in public_key_signature to track the intended usage of the signature. Also add a flag for the revocation pass. During signature validation, two verifications can take place for the same signature. One to see if it verifies against something on the .blacklist keyring and the other to see if it verifies against the supplied keyring. The flag is used to determine which stage the verification is in. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- certs/blacklist.c | 3 +++ crypto/asymmetric_keys/pkcs7_trust.c | 20 ++++++++++++++++++++ crypto/asymmetric_keys/pkcs7_verify.c | 4 ++++ include/crypto/pkcs7.h | 3 +++ include/crypto/public_key.h | 4 ++++ 5 files changed, 34 insertions(+)