lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-id: <542E953C.3010705@samsung.com>
Date:	Fri, 03 Oct 2014 15:23:24 +0300
From:	Dmitry Kasatkin <d.kasatkin@...sung.com>
To:	David Howells <dhowells@...hat.com>
Cc:	rusty@...tcorp.com.au, keyrings@...ux-nfs.org, jwboyer@...hat.com,
	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org, pjones@...hat.com,
	vgoyal@...hat.com
Subject: Re: [PATCH 08/13] KEYS: Overhaul key identification when searching for
 asymmetric keys

On 03/10/14 15:12, David Howells wrote:
> Dmitry Kasatkin <d.kasatkin@...sung.com> wrote:
>
>> Also I noticed that output of 'keyctl show' and 'cat /proc/keys' output
>> also has changed in respect of certificate ids..
>>
>> Those ids does not look any close to my kernel X509 X509v3 Subject Key
>> Identifier, which is:
>> 92:63:05:D6:DD:A6:6F:47:13:9E:B4:E3:CB:25:A6:AD:EF:52:7F:08
>>
>> proc/keys shows
>>
>> symmetri Magrathea: Glacier signing key: d9e2e4c6951f1e83: X509.RSA
>> 6865612e68326732 []
>>
>> Very different ids..
>>
>> How could I match certificate now?
> There are two IDs available:
>
> 	id: serial number + issuer
> 	skid: subjKeyId + subject
>
> You can use either of them and their content is somewhat negotiable.  Note
> that they are both compound IDs at this point.
>
> We have to move away from using subjKeyId for module signatures because we
> have to be able to deal with keys that don't have one.  Blech, but the PKCS
> specs suck somewhat.
>
> This is why I want to move to using detached-data PKCS#7 certs as the
> signature.  We have the PKCS#7 handling in the kernel now for doing kexec.

I looked to the code and understood...

See my patches please.

- Dmitry

> David
> --
> To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ