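Lines Matching refs:key (cross-reference listing: each entry below begins with its line number in the source file, and lines that do not reference `key` are omitted, so the excerpts are not contiguous)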

2 /* Instantiate a public key crypto key from an X.509 Certificate
43 ca_keyid = p; /* owner key 'id:xxxxxx' */
56 * @type: The type of key being added.
57 * @payload: The payload of the new key.
61 * those is the signing key and validates the new certificate, then mark the
66 * signature check fails or the key is blacklisted, -ENOPKG if the signature
70 int restrict_link_by_signature(struct key *dest_keyring,
73 struct key *trust_keyring)
76 struct key *key;
96 /* See if we have a key that signed this one. */
97 key = find_asymmetric_key(trust_keyring,
100 if (IS_ERR(key))
103 if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags))
107 !test_bit(KEY_FLAG_BUILTIN, &key->flags))
110 ret = verify_signature(key, sig);
111 key_put(key);
118 * @type: The type of key being added.
119 * @payload: The payload of the new key.
130 int restrict_link_by_ca(struct key *dest_keyring,
133 struct key *trust_keyring)
158 * @type: The type of key being added.
159 * @payload: The payload of the new key.
171 int restrict_link_by_digsig(struct key *dest_keyring,
174 struct key *trust_keyring)
206 static int key_or_keyring_common(struct key *dest_keyring,
209 struct key *trusted, bool check_dest)
212 struct key *key = NULL;
236 /* See if we have a key that signed this one. */
237 key = find_asymmetric_key(trusted, sig->auth_ids[0],
240 if (IS_ERR(key))
241 key = NULL;
249 * The auth_ids come from the candidate key (the
251 * dest_keyring) and identify the key that was
255 * signing key specified for dest_keyring.
270 key = __key_get(trusted);
277 key = __key_get(trusted);
283 key = __key_get(trusted);
290 if (check_dest && !key) {
291 /* See if the destination has a key that signed this one. */
292 key = find_asymmetric_key(dest_keyring, sig->auth_ids[0],
295 if (IS_ERR(key))
296 key = NULL;
299 if (!key)
302 ret = key_validate(key);
304 ret = verify_signature(key, sig);
306 key_put(key);
314 * @type: The type of key being added.
315 * @payload: The payload of the new key.
316 * @trusted: A key or ring of keys that can be used to vouch for the new cert.
318 * Check the new certificate only against the key or keys passed in the data
319 * parameter. If one of those is the signing key and validates the new
328 int restrict_link_by_key_or_keyring(struct key *dest_keyring,
331 struct key *trusted)
341 * @type: The type of key being added.
342 * @payload: The payload of the new key.
343 * @trusted: A key or ring of keys that can be used to vouch for the new cert.
345 * Check the new certificate against the key or keys passed in the data
347 * one of those is the signing key and validates the new certificate, then mark
356 int restrict_link_by_key_or_keyring_chain(struct key *dest_keyring,
359 struct key *trusted)