summaryrefslogtreecommitdiffstats
path: root/usr
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2014-07-22 21:52:33 +0100
committerDavid Howells <dhowells@redhat.com>2014-07-22 21:53:21 +0100
commit1ca72c96dbad332ebd89b5756640f881ff0e6e9e (patch)
treee256d23f3ed8217b18bd36e78fdda242954d2d60 /usr
parenta19e3c22b34ae599eafd9fd05c887fc8e7ec2e3a (diff)
parent22d01afb210ff77fc480a1fc531cd59a4f32157a (diff)
downloadlinux-1ca72c96dbad332ebd89b5756640f881ff0e6e9e.tar.bz2
Merge tag 'keys-pkcs7-20140708' into keys-next
Here's a set of changes that implement a PKCS#7 message parser in the kernel. The PKCS#7 message parsing will then be used to limit kexec to authenticated kernels only if so configured. The changes provide the following facilities: (1) Parse an ASN.1 PKCS#7 message and pick out useful bits such as the data content and the X.509 certificates used to sign it and all the data signatures. (2) Verify all the data signatures against the set of X.509 certificates available in the message. (3) Follow the certificate chains and verify that: (a) for every self-signed X.509 certificate, check that it validly signed itself, and: (b) for every non-self-signed certificate, if we have a 'parent' certificate, the former is validly signed by the latter. (4) Look for intersections between the certificate chains and the trusted keyring, if any intersections are found, verify that the trusted certificates signed the intersection point in the chain. (5) For testing purposes, a key type can be made available that will take a PKCS#7 message, check that the message is trustworthy, and if so, add its data content into the key. Note that (5) has to be altered to take account of the preparsing patches already committed to this branch. Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'usr')
0 files changed, 0 insertions, 0 deletions