diff options
| author | David Howells <dhowells@redhat.com> | 2014-07-22 21:52:33 +0100 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2014-07-22 21:53:21 +0100 |
| commit | 1ca72c96dbad332ebd89b5756640f881ff0e6e9e (patch) | |
| tree | e256d23f3ed8217b18bd36e78fdda242954d2d60 /crypto/asymmetric_keys/Kconfig | |
| parent | a19e3c22b34ae599eafd9fd05c887fc8e7ec2e3a (diff) | |
| parent | 22d01afb210ff77fc480a1fc531cd59a4f32157a (diff) | |
Merge tag 'keys-pkcs7-20140708' into keys-next
Here's a set of changes that implement a PKCS#7 message parser in the kernel.
The PKCS#7 message parsing will then be used to limit kexec to authenticated
kernels only if so configured.
The changes provide the following facilities:
(1) Parse an ASN.1 PKCS#7 message and pick out useful bits such as the data
content and the X.509 certificates used to sign it and all the data
signatures.
(2) Verify all the data signatures against the set of X.509 certificates
available in the message.
(3) Follow the certificate chains and verify that:
(a) for every self-signed X.509 certificate, check that it validly signed
itself, and:
(b) for every non-self-signed certificate, if we have a 'parent'
certificate, the former is validly signed by the latter.
(4) Look for intersections between the certificate chains and the trusted
keyring, if any intersections are found, verify that the trusted
certificates signed the intersection point in the chain.
(5) For testing purposes, a key type can be made available that will take a
PKCS#7 message, check that the message is trustworthy, and if so, add its
data content into the key.
Note that (5) has to be altered to take account of the preparsing patches
already committed to this branch.
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'crypto/asymmetric_keys/Kconfig')
| -rw-r--r-- | crypto/asymmetric_keys/Kconfig | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig index 03a6eb95ab50..b6df198d1b6f 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig @@ -37,4 +37,26 @@ config X509_CERTIFICATE_PARSER data and provides the ability to instantiate a crypto key from a public key packet found inside the certificate. +config PKCS7_MESSAGE_PARSER + tristate "PKCS#7 message parser" + depends on X509_CERTIFICATE_PARSER + select ASN1 + select OID_REGISTRY + help + This option provides support for parsing PKCS#7 format messages for + signature data and provides the ability to verify the signature. + +config PKCS7_TEST_KEY + tristate "PKCS#7 testing key type" + depends on PKCS7_MESSAGE_PARSER + select SYSTEM_TRUSTED_KEYRING + help + This option provides a type of key that can be loaded up from a + PKCS#7 message - provided the message is signed by a trusted key. If + it is, the PKCS#7 wrapper is discarded and reading the key returns + just the payload. If it isn't, adding the key will fail with an + error. + + This is intended for testing the PKCS#7 parser. + endif # ASYMMETRIC_KEY_TYPE |