lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140908153704.28301.41578.stgit@warthog.procyon.org.uk>
Date:	Mon, 08 Sep 2014 16:37:05 +0100
From:	David Howells <dhowells@...hat.com>
To:	rusty@...tcorp.com.au
Cc:	keyrings@...ux-nfs.org, jwboyer@...hat.com,
	linux-kernel@...r.kernel.org, dhowells@...hat.com,
	linux-security-module@...r.kernel.org, pjones@...hat.com,
	vgoyal@...hat.com
Subject: [RFC][PATCH 00/13] MODSIGN: Use PKCS#7 for module signatures


Here's a set of patches that does the following:

 (1) Improves asymmetric keys identification.

     Keys derived from X.509 certs now get labelled with IDs derived from their
     issuer and certificate number (required to match PKCS#7) and from their
     SKID and subject (required to match X.509).

     IDs are now binary and match criterion preparsing is provided so that
     criteria can be turned into binary blobs to make matching faster.

 (2) Improves PKCS#7 message handling to permit PKCS#7 messages without X.509
     cert lists to be matched to trusted keys, thereby allowing minimally sized
     PKCS#7 certs to be used.

 (3) Improves PKCS#7 message handling to better handle certificate chains that
     are broken due to unsupported crypto that can otherwise by used to
     intersect a trust keyring.

 (4) Makes use of the PKCS#7 facility to provide module signatures.

     sign-file is replaced with a program that generates a PKCS#7 message that
     has no X.509 certs embedded and that has detached data (the module
     content) and adds it onto the message with magic string and descriptor.

 (5) The PKCS#7 message (and matching X.509 cert) supply all the information
     that is needed to select the X.509 cert to be used to verify the signature
     by standard means (including selection of digest algorithm and public key
     algorithm).  No kernel-specific magic values are required.

The following need to be considered also:

 (1) How to support externally generated signatures (sign-file -s).  Ideally,
     externally generated signatures would be provided as PKCS#7 certificates.

 (2) How to handle the old signature format: do we change the magic number and
     just pretend they don't exist (which would allow us to get rid of most of
     the descriptor), do we give an error (which I've chosen to do) or do we
     have to support them still?

 (3) Do I really need to make one of the X.509-derived IDs out of the subjKeyId
     and the subject, or can I just use the subjKeyId by itself?  (And likewise
     for auth + issuer)

They can be found here also:

	http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=modsign-pkcs7

David
---
David Howells (13):
      Provide a binary to hex conversion utility
      KEYS: Preparse match data
      KEYS: Remove key_type::def_lookup_type
      KEYS: Remove key_type::match in favour of overriding default by match_preparse
      KEYS: Make the key matching functions return bool
      KEYS: Implement binary asymmetric key ID handling
      PKCS#7: Clean up the signed info freeing and fix the parser cleanup
      KEYS: Overhaul key identification when searching for asymmetric keys
      PKCS#7: Better handling of unsupported crypto
      PKCS#7: Handle PKCS#7 messages that contain no X.509 certs
      PKCS#7: Allow detached data to be supplied for signature checking purposes
      MODSIGN: Provide a utility to append a PKCS#7 signature to a module
      MODSIGN: Use PKCS#7 messages as module signatures


 crypto/asymmetric_keys/asymmetric_keys.h  |    8 -
 crypto/asymmetric_keys/asymmetric_type.c  |  213 ++++++++++-----
 crypto/asymmetric_keys/pkcs7_key_type.c   |    2 
 crypto/asymmetric_keys/pkcs7_parser.c     |   66 +++--
 crypto/asymmetric_keys/pkcs7_parser.h     |    7 
 crypto/asymmetric_keys/pkcs7_trust.c      |   72 +++--
 crypto/asymmetric_keys/pkcs7_verify.c     |  131 +++++++--
 crypto/asymmetric_keys/x509_cert_parser.c |   55 ++--
 crypto/asymmetric_keys/x509_parser.h      |    6 
 crypto/asymmetric_keys/x509_public_key.c  |  102 ++++---
 fs/cifs/cifs_spnego.c                     |    1 
 fs/cifs/cifsacl.c                         |    1 
 fs/nfs/idmap.c                            |    2 
 include/crypto/pkcs7.h                    |    3 
 include/crypto/public_key.h               |    6 
 include/keys/asymmetric-type.h            |   38 +++
 include/keys/user-type.h                  |    1 
 include/linux/kernel.h                    |    1 
 include/linux/key-type.h                  |   34 ++
 init/Kconfig                              |    1 
 kernel/module_signing.c                   |  220 +++------------
 lib/hexdump.c                             |   18 +
 net/dns_resolver/dns_key.c                |   18 +
 net/rxrpc/ar-key.c                        |    2 
 scripts/Makefile                          |    2 
 scripts/sign-file                         |  421 -----------------------------
 scripts/sign-file.c                       |  189 +++++++++++++
 security/keys/big_key.c                   |    2 
 security/keys/encrypted-keys/encrypted.c  |    1 
 security/keys/internal.h                  |   10 -
 security/keys/key.c                       |    2 
 security/keys/keyring.c                   |   59 +++-
 security/keys/proc.c                      |    8 -
 security/keys/process_keys.c              |   13 -
 security/keys/request_key.c               |   21 +
 security/keys/request_key_auth.c          |    6 
 security/keys/trusted.c                   |    1 
 security/keys/user_defined.c              |   14 -
 38 files changed, 869 insertions(+), 888 deletions(-)
 delete mode 100755 scripts/sign-file
 create mode 100755 scripts/sign-file.c

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ