linux_dsm_epyc7002/crypto/asymmetric_keys
David Howells e7c87bef7d X.509: Don't strip leading 00's from key ID when constructing key description
Don't strip leading zeros from the crypto key ID when using it to construct
the struct key description as the signature in kernels up to and including
4.2 matched this aspect of the key.  This means that 1 in 256 keys won't
actually match if their key ID begins with 00.

The key ID is stored in the module signature as binary and so must be
converted to text in order to invoke request_key() - but it isn't stripped
at this point.

Something like this is likely to be observed in dmesg when the key is loaded:

[    1.572423] Loaded X.509 cert 'Build time autogenerated kernel
    key: 62a7c3d2da278be024da4af8652c071f3fea33'

followed by this when we try and use it:

  [    1.646153] Request for unknown module key 'Build time autogenerated
    kernel key: 0062a7c3d2da278be024da4af8652c071f3fea33' err -11

The 'Loaded' line should show an extra '00' on the front of the hex string.

This problem should not affect 4.3-rc1 and onwards because there the key
should be matched on one of its auxiliary identities rather than the key
struct's description string.

Reported-by: Arjan van de Ven <arjan@linux.intel.com>
Reported-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2015-09-25 16:31:46 +01:00
..
.gitignore X.509: Add a crypto key parser for binary (DER) X.509 certificates 2012-10-08 13:50:22 +10:30
asymmetric_keys.h KEYS: fix "ca_keys=" partial key matching 2015-05-21 13:58:59 -04:00
asymmetric_type.c PKCS#7: Appropriately restrict authenticated attributes and content type 2015-08-12 17:01:01 +01:00
Kconfig Merge branch 'keys-fixes' into keys-next 2014-07-22 21:55:45 +01:00
Makefile X.509: Extract both parts of the AuthorityKeyIdentifier 2015-08-07 16:26:13 +01:00
mscode_parser.c PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them 2015-09-01 09:59:20 +10:00
mscode.asn1 pefile: Parse the "Microsoft individual code signing" data blob 2014-07-09 14:58:37 +01:00
pkcs7_key_type.c PKCS#7: Add MODULE_LICENSE() to test module 2015-08-13 02:51:33 +01:00
pkcs7_parser.c PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them 2015-09-01 09:59:20 +10:00
pkcs7_parser.h PKCS#7: Appropriately restrict authenticated attributes and content type 2015-08-12 17:01:01 +01:00
pkcs7_trust.c X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier 2015-08-07 16:26:13 +01:00
pkcs7_verify.c PKCS#7: Appropriately restrict authenticated attributes and content type 2015-08-12 17:01:01 +01:00
pkcs7.asn1 PKCS#7: Appropriately restrict authenticated attributes and content type 2015-08-12 17:01:01 +01:00
public_key.c KEYS: Add a name for PKEY_ID_PKCS7 2015-08-12 17:01:01 +01:00
public_key.h KEYS: Split public_key_verify_signature() and make available 2013-09-25 17:17:00 +01:00
rsa.c crypto: asymmetric_keys/rsa - Use non-conflicting variable name 2015-06-25 23:18:33 +08:00
signature.c KEYS: Set pr_fmt() in asymmetric key signature handling 2014-09-03 11:08:45 +10:00
verify_pefile.c PKCS#7: Appropriately restrict authenticated attributes and content type 2015-08-12 17:01:01 +01:00
verify_pefile.h pefile: Parse the "Microsoft individual code signing" data blob 2014-07-09 14:58:37 +01:00
x509_akid.asn1 X.509: Extract both parts of the AuthorityKeyIdentifier 2015-08-07 16:26:13 +01:00
x509_cert_parser.c PKCS#7: Improve and export the X.509 ASN.1 time object decoder 2015-08-12 17:01:01 +01:00
x509_parser.h PKCS#7: Improve and export the X.509 ASN.1 time object decoder 2015-08-12 17:01:01 +01:00
x509_public_key.c X.509: Don't strip leading 00's from key ID when constructing key description 2015-09-25 16:31:46 +01:00
x509_rsakey.asn1 X.509: Add a crypto key parser for binary (DER) X.509 certificates 2012-10-08 13:50:22 +10:30
x509.asn1 X.509: Add bits needed for PKCS#7 2014-07-01 16:40:19 +01:00