lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1455113244.2538.88.camel@linux.vnet.ibm.com>
Date:	Wed, 10 Feb 2016 09:07:24 -0500
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	David Howells <dhowells@...hat.com>
Cc:	linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
	petkan@...-labs.com, linux-kernel@...r.kernel.org
Subject: Re: How to add additional blacklist entries?

Hi David,

Sorry, for the delay in responding...

On Tue, 2016-02-09 at 10:42 +0000, David Howells wrote:
> Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote:

> > The keys being added to the IMA keyring are signed x509 certs (eg.
> > openssl ca -ss_cert).  It would be nice to be able to include the skid
> > in the description, without a payload, and sign that.  I have no idea if
> > that Is possible or if it makes sense.  I'm open to suggestions.

I'm back tracking here a bit.  Problem statement: we need a safe method
for revoking an x509 certificate. The RFCs describe x509 certificate
revocation lists(CRL).  Perhaps in addition to the x509 cert, require a
CRL, containing the revoked x509 certificate, to load the cert on the
blacklist?  That way having just a cert, already signed by a trusted
key, would not be enough for it to be added to the blacklist.  The CRL
itself could be verified against a key on the trusted keyring.

> I think we need a new keyctl or syscall for this.
> 
> We need to run through the X.509 parser, but we don't actually want to keep
> any of the payload - and, in fact, we don't even necessarily want to create an
> asymmetric-type key, though it's not a complete loss if we do that and create
> one with a blacklist subtype.  The blacklist subtype would just return an
> error from all operation points, but would otherwise be handled as normal.

Having back tracked,  a new version of the "key add" syscall might be
needed to include the CRL.  The kernel could extract what it needs from
the revoked certificates (and CRL) to be stored on the blacklist
keyring.

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ