On 03/10/14 15:12, David Howells wrote:
> Dmitry Kasatkin <[email protected]> wrote:
>
>> Also I noticed that output of 'keyctl show' and 'cat /proc/keys' output
>> also has changed in respect of certificate ids..
>>
>> Those ids do not look any close to my kernel X509 X509v3 Subject Key
>> Identifier, which is:
>> 92:63:05:D6:DD:A6:6F:47:13:9E:B4:E3:CB:25:A6:AD:EF:52:7F:08
>>
>> proc/keys shows
>>
>> symmetri Magrathea: Glacier signing key: d9e2e4c6951f1e83: X509.RSA
>> 6865612e68326732 []
>>
>> Very different ids..
>>
>> How could I match certificate now?
> There are two IDs available:
>
> id: serial number + issuer
> skid: subjKeyId + subject
>
> You can use either of them and their content is somewhat negotiable. Note
> that they are both compound IDs at this point.
>
> We have to move away from using subjKeyId for module signatures because we
> have to be able to deal with keys that don't have one. Blech, but the PKCS
> specs suck somewhat.
>
> This is why I want to move to using detached-data PKCS#7 certs as the
> signature. We have the PKCS#7 handling in the kernel now for doing kexec.

I looked at the code and understood... See my patches please.

- Dmitry

> David

