Open Source and information security mailing list archives
 
Message-ID: <1431947593.29806.19.camel@infradead.org>
Date:	Mon, 18 May 2015 12:13:13 +0100
From:	David Woodhouse <dwmw2@...radead.org>
To:	David Howells <dhowells@...hat.com>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	Abelardo Ricart III <aricart@...nix.com>,
	Michal Marek <mmarek@...e.cz>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	Sedat Dilek <sedat.dilek@...il.com>, keyrings@...ux-nfs.org,
	Rusty Russell <rusty@...tcorp.com.au>,
	LSM List <linux-security-module@...r.kernel.org>,
	James Morris <james.l.morris@...cle.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: [PATCH] MODSIGN: Change default key details [ver #2]

On Mon, 2015-05-18 at 11:47 +0100, David Howells wrote:
> David Woodhouse <dwmw2@...radead.org> wrote:
> 
> > Why not just take multiple certs in PEM form in a single file, rather
> > than automatically including *.x509 in DER form? Wouldn't that be a
> > whole lot easier? 
> 
> No, for the following reasons:
> 
>  (1) Unless we want the kernel to be able to handle PEM form, they have to be
>      converted to DER form for inclusion in system_certificates.S.

It's just base64. It's fairly trivial to convert.

>  (2) We would have to combine the automatically generated signing cert with
>      the added certs, though, admittedly, this could be done in
>      system_certificates.S.

Yes, merging the signing cert (be it automatically generated or
otherwise) does need to be done. But that's easy enough. And I already
have work to do on processing the signing cert, to allow it to come
from the same PKCS#11 URI that specifies the key.

>  (3) We've already told people they must drop DER certs into the source tree
>      and distribution kernel packages are already doing this, so we have to
>      make sure they get this right.

Yes, absolutely. But I think we can cope with that.

> You could make it so that the make process picks up .pem files and converts
> them to DER-encoded .x509 files. 

I don't actually care whether it's PEM or DER form per se. What I
really care about is the horrid trick of automatically finding the
files to be included with a wildcard, and pulling them into the build.

That would be icky enough if we *weren't* going to *trust* the things! 

With a PEM file it's common to have multiple certs in a single file,
and you could have a simple config option for the 'additional certs'
file which explicitly pulls it in. Rather than the current hack.

Doing that with multiple certs in the same file in DER form, if that
works, would also be tolerable. Although it's less normal to have a
file in that format.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@...el.com                              Intel Corporation
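
The two technical points in this message (PEM is base64 around DER, and one explicitly named file can carry several certs) as an added example; it is not code from the kernel tree or from anyone in this thread. All function names are hypothetical and the sample blobs are constructed stand-ins, not real certificates. It also shows why concatenated DER in one file can be read back: each certificate is a definite-length SEQUENCE, so the outer length field delimits it.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_total_len(buf, off=0):
    """Return total length (header + body) of the DER SEQUENCE at buf[off]."""
    if len(buf) - off < 2 or buf[off] != 0x30:
        raise ValueError("no DER SEQUENCE at offset %d" % off)
    first = buf[off + 1]
    if first < 0x80:                      # short-form length
        hdr, body = 2, first
    else:                                 # long form: low 7 bits = length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) - off < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        hdr, body = 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")
    if off + hdr + body > len(buf):
        raise ValueError("truncated DER object")
    return hdr + body

def pem_bundle_to_der(text):
    """Decode every CERTIFICATE block; return the DER blobs concatenated."""
    out = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        if der_total_len(der) != len(der):
            raise ValueError("trailing bytes after certificate")
        out.append(der)
    if not out:
        raise ValueError("no certificates in bundle")
    return b"".join(out)

def split_der(blob):
    """Split concatenated DER objects using each outer SEQUENCE length."""
    certs, off = [], 0
    while off < len(blob):
        n = der_total_len(blob, off)
        certs.append(blob[off:off + n])
        off += n
    return certs

def _pem(der):  # helper that wraps constructed DER bytes as a PEM block
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

# Constructed stand-ins, not real certificates: only the outer SEQUENCE is valid.
SAMPLE_A = b"\x30\x03\x02\x01\x01"
SAMPLE_B = b"\x30\x82\x01\x00" + b"\x00" * 256
SAMPLE_BUNDLE = _pem(SAMPLE_A) + _pem(SAMPLE_B)
```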

