1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Instantiate a public key crypto key from an X.509 Certificate
31 size_t hexlen = (strlen(str) - 3) / 2; in ca_keys_setup()
43 ca_keyid = p; /* owner key 'id:xxxxxx' */ in ca_keys_setup()
54 * restrict_link_by_signature - Restrict additions to a ring of public keys
56 * @type: The type of key being added.
57 * @payload: The payload of the new key.
61 * those is the signing key and validates the new certificate, then mark the
64 * Returns 0 if the new certificate was accepted, -ENOKEY if we couldn't find a
65 * matching parent certificate in the trusted list, -EKEYREJECTED if the
66 * signature check fails or the key is blacklisted, -ENOPKG if the signature
70 int restrict_link_by_signature(struct key *dest_keyring, in restrict_link_by_signature()
73 struct key *trust_keyring) in restrict_link_by_signature()
76 struct key *key; in restrict_link_by_signature() local
82 return -ENOKEY; in restrict_link_by_signature()
85 return -EOPNOTSUPP; in restrict_link_by_signature()
87 sig = payload->data[asym_auth]; in restrict_link_by_signature()
89 return -ENOPKG; in restrict_link_by_signature()
90 if (!sig->auth_ids[0] && !sig->auth_ids[1] && !sig->auth_ids[2]) in restrict_link_by_signature()
91 return -ENOKEY; in restrict_link_by_signature()
93 if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid)) in restrict_link_by_signature()
94 return -EPERM; in restrict_link_by_signature()
96 /* See if we have a key that signed this one. */ in restrict_link_by_signature()
97 key = find_asymmetric_key(trust_keyring, in restrict_link_by_signature()
98 sig->auth_ids[0], sig->auth_ids[1], in restrict_link_by_signature()
99 sig->auth_ids[2], false); in restrict_link_by_signature()
100 if (IS_ERR(key)) in restrict_link_by_signature()
101 return -ENOKEY; in restrict_link_by_signature()
103 if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags)) in restrict_link_by_signature()
104 ret = -ENOKEY; in restrict_link_by_signature()
106 !strcmp(dest_keyring->description, ".secondary_trusted_keys") && in restrict_link_by_signature()
107 !test_bit(KEY_FLAG_BUILTIN, &key->flags)) in restrict_link_by_signature()
108 ret = -ENOKEY; in restrict_link_by_signature()
110 ret = verify_signature(key, sig); in restrict_link_by_signature()
111 key_put(key); in restrict_link_by_signature()
116 * restrict_link_by_ca - Restrict additions to a ring of CA keys
118 * @type: The type of key being added.
119 * @payload: The payload of the new key.
125 * Returns 0 if the new certificate was accepted, -ENOKEY if the
126 * certificate is not a CA. -ENOPKG if the signature uses unsupported
130 int restrict_link_by_ca(struct key *dest_keyring, in restrict_link_by_ca()
133 struct key *trust_keyring) in restrict_link_by_ca()
138 return -EOPNOTSUPP; in restrict_link_by_ca()
140 pkey = payload->data[asym_crypto]; in restrict_link_by_ca()
142 return -ENOPKG; in restrict_link_by_ca()
143 if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) in restrict_link_by_ca()
144 return -ENOKEY; in restrict_link_by_ca()
145 if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) in restrict_link_by_ca()
146 return -ENOKEY; in restrict_link_by_ca()
149 if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) in restrict_link_by_ca()
150 return -ENOKEY; in restrict_link_by_ca()
156 * restrict_link_by_digsig - Restrict additions to a ring of digsig keys
158 * @type: The type of key being added.
159 * @payload: The payload of the new key.
166 * Returns 0 if the new certificate was accepted, -ENOKEY if the
167 * certificate is not a digsig. -ENOPKG if the signature uses unsupported
171 int restrict_link_by_digsig(struct key *dest_keyring, in restrict_link_by_digsig()
174 struct key *trust_keyring) in restrict_link_by_digsig()
179 return -EOPNOTSUPP; in restrict_link_by_digsig()
181 pkey = payload->data[asym_crypto]; in restrict_link_by_digsig()
184 return -ENOPKG; in restrict_link_by_digsig()
186 if (!test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) in restrict_link_by_digsig()
187 return -ENOKEY; in restrict_link_by_digsig()
189 if (test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) in restrict_link_by_digsig()
190 return -ENOKEY; in restrict_link_by_digsig()
192 if (test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) in restrict_link_by_digsig()
193 return -ENOKEY; in restrict_link_by_digsig()
206 static int key_or_keyring_common(struct key *dest_keyring, in key_or_keyring_common()
209 struct key *trusted, bool check_dest) in key_or_keyring_common()
212 struct key *key = NULL; in key_or_keyring_common() local
218 return -ENOKEY; in key_or_keyring_common()
219 else if (dest_keyring->type != &key_type_keyring) in key_or_keyring_common()
220 return -EOPNOTSUPP; in key_or_keyring_common()
223 return -ENOKEY; in key_or_keyring_common()
226 return -EOPNOTSUPP; in key_or_keyring_common()
228 sig = payload->data[asym_auth]; in key_or_keyring_common()
230 return -ENOPKG; in key_or_keyring_common()
231 if (!sig->auth_ids[0] && !sig->auth_ids[1] && !sig->auth_ids[2]) in key_or_keyring_common()
232 return -ENOKEY; in key_or_keyring_common()
235 if (trusted->type == &key_type_keyring) { in key_or_keyring_common()
236 /* See if we have a key that signed this one. */ in key_or_keyring_common()
237 key = find_asymmetric_key(trusted, sig->auth_ids[0], in key_or_keyring_common()
238 sig->auth_ids[1], in key_or_keyring_common()
239 sig->auth_ids[2], false); in key_or_keyring_common()
240 if (IS_ERR(key)) in key_or_keyring_common()
241 key = NULL; in key_or_keyring_common()
242 } else if (trusted->type == &key_type_asymmetric) { in key_or_keyring_common()
246 asymmetric_key_ids(trusted)->id; in key_or_keyring_common()
249 * The auth_ids come from the candidate key (the in key_or_keyring_common()
251 * dest_keyring) and identify the key that was in key_or_keyring_common()
255 * signing key specified for dest_keyring. in key_or_keyring_common()
257 * The first auth_id is the preferred id, 2nd and in key_or_keyring_common()
264 * available, auth_ids[2] is matched against in key_or_keyring_common()
265 * signer_ids[2] as a fallback. in key_or_keyring_common()
267 if (!sig->auth_ids[0] && !sig->auth_ids[1]) { in key_or_keyring_common()
268 if (asymmetric_key_id_same(signer_ids[2], in key_or_keyring_common()
269 sig->auth_ids[2])) in key_or_keyring_common()
270 key = __key_get(trusted); in key_or_keyring_common()
272 } else if (!sig->auth_ids[0] || !sig->auth_ids[1]) { in key_or_keyring_common()
275 auth_id = sig->auth_ids[0] ?: sig->auth_ids[1]; in key_or_keyring_common()
277 key = __key_get(trusted); in key_or_keyring_common()
280 sig->auth_ids[1]) && in key_or_keyring_common()
282 sig->auth_ids[0])) { in key_or_keyring_common()
283 key = __key_get(trusted); in key_or_keyring_common()
286 return -EOPNOTSUPP; in key_or_keyring_common()
290 if (check_dest && !key) { in key_or_keyring_common()
291 /* See if the destination has a key that signed this one. */ in key_or_keyring_common()
292 key = find_asymmetric_key(dest_keyring, sig->auth_ids[0], in key_or_keyring_common()
293 sig->auth_ids[1], sig->auth_ids[2], in key_or_keyring_common()
295 if (IS_ERR(key)) in key_or_keyring_common()
296 key = NULL; in key_or_keyring_common()
299 if (!key) in key_or_keyring_common()
300 return -ENOKEY; in key_or_keyring_common()
302 ret = key_validate(key); in key_or_keyring_common()
304 ret = verify_signature(key, sig); in key_or_keyring_common()
306 key_put(key); in key_or_keyring_common()
311 * restrict_link_by_key_or_keyring - Restrict additions to a ring of public
314 * @type: The type of key being added.
315 * @payload: The payload of the new key.
316 * @trusted: A key or ring of keys that can be used to vouch for the new cert.
318 * Check the new certificate only against the key or keys passed in the data
319 * parameter. If one of those is the signing key and validates the new
322 * Returns 0 if the new certificate was accepted, -ENOKEY if we
324 * -EKEYREJECTED if the signature check fails, -ENOPKG if the signature uses
328 int restrict_link_by_key_or_keyring(struct key *dest_keyring, in restrict_link_by_key_or_keyring()
331 struct key *trusted) in restrict_link_by_key_or_keyring()
338 * restrict_link_by_key_or_keyring_chain - Restrict additions to a ring of
341 * @type: The type of key being added.
342 * @payload: The payload of the new key.
343 * @trusted: A key or ring of keys that can be used to vouch for the new cert.
345 * Check the new certificate against the key or keys passed in the data
347 * one of those is the signing key and validates the new certificate, then mark
350 * Returns 0 if the new certificate was accepted, -ENOKEY if we
352 * -EKEYREJECTED if the signature check fails, -ENOPKG if the signature uses
356 int restrict_link_by_key_or_keyring_chain(struct key *dest_keyring, in restrict_link_by_key_or_keyring_chain()
359 struct key *trusted) in restrict_link_by_key_or_keyring_chain()