On Mon, 2014-07-28 at 14:54 +0100, David Howells wrote: > pkcs7_request_asymmetric_key() and x509_request_asymmetric_key() do the same > thing, the latter being a copy of the former created by the IMA folks, so drop > the PKCS#7 version as the X.509 location is more general. > > Whilst we're at it, rename the arguments of x509_request_asymmetric_key() to > better reflect what the values being passed in are intended to match on an > X.509 cert. > > Signed-off-by: David Howells <dhowe...@redhat.com>
Acked-by: Mimi Zohar <zo...@linux.vnet.ibm.com> > --- > crypto/asymmetric_keys/pkcs7_trust.c | 61 > ++---------------------------- > crypto/asymmetric_keys/x509_public_key.c | 36 ++++++++++-------- > include/crypto/public_key.h | 4 ++ > 3 files changed, 29 insertions(+), 72 deletions(-) > > diff --git a/crypto/asymmetric_keys/pkcs7_trust.c > b/crypto/asymmetric_keys/pkcs7_trust.c > index b6b045131403..e666eb011a85 100644 > --- a/crypto/asymmetric_keys/pkcs7_trust.c > +++ b/crypto/asymmetric_keys/pkcs7_trust.c > @@ -20,55 +20,6 @@ > #include "public_key.h" > #include "pkcs7_parser.h" > > -/* > - * Request an asymmetric key. > - */ > -static struct key *pkcs7_request_asymmetric_key( > - struct key *keyring, > - const char *signer, size_t signer_len, > - const char *authority, size_t auth_len) > -{ > - key_ref_t key; > - char *id; > - > - kenter(",%zu,,%zu", signer_len, auth_len); > - > - /* Construct an identifier. */ > - id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL); > - if (!id) > - return ERR_PTR(-ENOMEM); > - > - memcpy(id, signer, signer_len); > - id[signer_len + 0] = ':'; > - id[signer_len + 1] = ' '; > - memcpy(id + signer_len + 2, authority, auth_len); > - id[signer_len + 2 + auth_len] = 0; > - > - pr_debug("Look up: \"%s\"\n", id); > - > - key = keyring_search(make_key_ref(keyring, 1), > - &key_type_asymmetric, id); > - if (IS_ERR(key)) > - pr_debug("Request for module key '%s' err %ld\n", > - id, PTR_ERR(key)); > - kfree(id); > - > - if (IS_ERR(key)) { > - switch (PTR_ERR(key)) { > - /* Hide some search errors */ > - case -EACCES: > - case -ENOTDIR: > - case -EAGAIN: > - return ERR_PTR(-ENOKEY); > - default: > - return ERR_CAST(key); > - } > - } > - > - pr_devel("<==%s() = 0 [%x]\n", __func__, > key_serial(key_ref_to_ptr(key))); > - return key_ref_to_ptr(key); > -} > - > /** > * Check the trust on one PKCS#7 SignedInfo block. > */ > @@ -98,10 +49,8 @@ int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, > /* Look to see if this certificate is present in the trusted > * keys. > */ > - key = pkcs7_request_asymmetric_key( > - trust_keyring, > - x509->subject, strlen(x509->subject), > - x509->fingerprint, strlen(x509->fingerprint)); > + key = x509_request_asymmetric_key(trust_keyring, x509->subject, > + x509->fingerprint); > if (!IS_ERR(key)) > /* One of the X.509 certificates in the PKCS#7 message > * is apparently the same as one we already trust. > @@ -133,10 +82,8 @@ int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, > return -ENOKEY; > } > > - key = pkcs7_request_asymmetric_key( > - trust_keyring, > - last->issuer, strlen(last->issuer), > - last->authority, strlen(last->authority)); > + key = x509_request_asymmetric_key(trust_keyring, last->issuer, > + last->authority); > if (IS_ERR(key)) > return PTR_ERR(key) == -ENOMEM ? -ENOMEM : -ENOKEY; > x509 = last; > diff --git a/crypto/asymmetric_keys/x509_public_key.c > b/crypto/asymmetric_keys/x509_public_key.c > index 4ae982234d78..da1e5fc85346 100644 > --- a/crypto/asymmetric_keys/x509_public_key.c > +++ b/crypto/asymmetric_keys/x509_public_key.c > @@ -43,35 +43,41 @@ static int __init ca_keys_setup(char *str) > __setup("ca_keys=", ca_keys_setup); > #endif > > -/* > - * Find a key in the given keyring by issuer and authority. > +/** > + * x509_request_asymmetric_key - Request a key by X.509 certificate params. > + * @keyring: The keys to search. > + * @subject: The name of the subject to whom the key belongs. > + * @key_id: The subject key ID as a hex string. > + * > + * Find a key in the given keyring by subject name and key ID. These might, > + * for instance, be the issuer name and the authority key ID of an X.509 > + * certificate that needs to be verified. > */ > -static struct key *x509_request_asymmetric_key(struct key *keyring, > - const char *signer, > - const char *authority) > +struct key *x509_request_asymmetric_key(struct key *keyring, > + const char *subject, > + const char *key_id) > { > key_ref_t key; > - size_t signer_len = strlen(signer), auth_len = strlen(authority); > + size_t subject_len = strlen(subject), key_id_len = strlen(key_id); > char *id; > > - /* Construct an identifier. */ > - id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL); > + /* Construct an identifier "<subjname>:<keyid>". */ > + id = kmalloc(subject_len + 2 + key_id_len + 1, GFP_KERNEL); > if (!id) > return ERR_PTR(-ENOMEM); > > - memcpy(id, signer, signer_len); > - id[signer_len + 0] = ':'; > - id[signer_len + 1] = ' '; > - memcpy(id + signer_len + 2, authority, auth_len); > - id[signer_len + 2 + auth_len] = 0; > + memcpy(id, subject, subject_len); > + id[subject_len + 0] = ':'; > + id[subject_len + 1] = ' '; > + memcpy(id + subject_len + 2, key_id, key_id_len); > + id[subject_len + 2 + key_id_len] = 0; > > pr_debug("Look up: \"%s\"\n", id); > > key = keyring_search(make_key_ref(keyring, 1), > &key_type_asymmetric, id); > if (IS_ERR(key)) > - pr_debug("Request for module key '%s' err %ld\n", > - id, PTR_ERR(key)); > + pr_debug("Request for key '%s' err %ld\n", id, PTR_ERR(key)); > kfree(id); > > if (IS_ERR(key)) { > diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h > index fc09732613ad..0d164c6af539 100644 > --- a/include/crypto/public_key.h > +++ b/include/crypto/public_key.h > @@ -98,4 +98,8 @@ struct key; > extern int verify_signature(const struct key *key, > const struct public_key_signature *sig); > > +extern struct key *x509_request_asymmetric_key(struct key *keyring, > + const char *issuer, > + const char *key_id); > + > #endif /* _LINUX_PUBLIC_KEY_H */ > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/