Message-ID: <5AF81A9E-C4E7-4BEB-86E1-4D2DB613FBF1@oracle.com>
Date:   Fri, 9 Dec 2022 15:44:17 +0000
From:   Eric Snowberg <eric.snowberg@...cle.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>, Coiby Xu <coxu@...hat.com>,
        Jarkko Sakkinen <jarkko@...nel.org>
CC:     David Howells <dhowells@...hat.com>,
        David Woodhouse <dwmw2@...radead.org>,
        "herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "dmitry.kasatkin@...il.com" <dmitry.kasatkin@...il.com>,
        "paul@...l-moore.com" <paul@...l-moore.com>,
        "jmorris@...ei.org" <jmorris@...ei.org>,
        "serge@...lyn.com" <serge@...lyn.com>,
        "pvorel@...e.cz" <pvorel@...e.cz>,
        "noodles@...com" <noodles@...com>, "tiwai@...e.de" <tiwai@...e.de>,
        "bp@...e.de" <bp@...e.de>,
        Kanth Ghatraju <kanth.ghatraju@...cle.com>,
        Konrad Wilk <konrad.wilk@...cle.com>,
        Elaine Palmer <erpalmer@...ux.vnet.ibm.com>,
        "keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
        "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
        "linux-security-module@...r.kernel.org" 
        <linux-security-module@...r.kernel.org>
Subject: Re: [PATCH v2 00/10] Add CA enforcement keyring restrictions


> On Dec 9, 2022, at 3:26 AM, Coiby Xu <coxu@...hat.com> wrote:
> 
> Thanks for your work! The patch set looks good to me except for the
> requirement of an intermediate CA certificate should be vouched for by a
> root CA certificate before it can vouch for other certificates. What if
> users only want to enroll an intermediate CA certificate into the MOK?

This question would need to be answered by the maintainers. The intermediate
requirement was based on my understanding of previous discussions requiring
there be a way to validate root of trust all the way back to the root CA.

> If this requirement could be dropped, the code could be simplified and
> some issues could be resolved automatically,

Agreed. I will make sure the issue below is resolved one way or the other,
once we have an agreement on the requirements.

> 1. "[PATCH v2 03/10] KEYS: X.509: Parse Basic Constraints for CA" added
>   a root_ca field to a certificate to indicate the subject of the
>   certificate is a CA. The name root_ca implies it's also a root CA. But
>   according to [1], both an intermediate and root CA will have
>   root_ca=True. For example, the intermediate certificate of
>   https://www.kernel.org/ has "Certificate Authority=Yes" in the basic
>   constraints. Btw, a root CA certificate by definition is self-signed,
>   so the following code in "[PATCH v2 05/10] KEYS: Introduce a CA
>   endorsed flag" looks a bit strange to me,
>    if (cert->kcs_set && cert->self_signed && cert->root_ca)
>        prep->payload_flags |= KEY_ALLOC_PECA;
> 
> 2. Since an intermediate CA certificate also has root_ca=True,
>   "[PATCH v2 07/10] KEYS: X.509: Flag Intermediate CA certs as
>   endorsed" won't work as intended, i.e. the following else branch
>   will never be reached,
>   else if (!cert->self_signed && !cert->root_ca)
>           prep->payload_flags |= KEY_MAYBE_PECA;
> 
> 3. I see nowhere public_key->key_is_ca is set to true for an intermediate
>   CA certificate after it gains the KEY_ALLOC_PECA flag. So it will fail
>   restrict_link_by_ca even if the KEY_MAYBE_PECA flag is added.
> 
> [1] https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9

Thanks for reviewing the series.
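As an added illustration of the distinction behind points 1 and 2 above (this is example code, not from the patch series or the kernel tree): the Basic Constraints extension only yields the cA flag, so root vs. intermediate has to come from whether the certificate is self-signed. The struct and function names are this example's own, not the kernel's x509_certificate fields.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
enum cert_kind { CERT_END_ENTITY, CERT_INTERMEDIATE_CA, CERT_ROOT_CA, CERT_INVALID };
/* cA BOOLEAN DEFAULT FALSE; pathLenConstraint, -1 when absent */
struct basic_constraints { bool ca; int path_len; };
/* Decode the extnValue of id-ce-basicConstraints (RFC 5280 4.2.1.9):
 *   BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
 *                                   pathLenConstraint INTEGER (0..MAX) OPTIONAL }
 * Short-form lengths and a one-byte pathLen suffice for real certificates.
 * Returns 0 on success, -1 on malformed input. */
int parse_basic_constraints(const uint8_t *der, size_t len,
			    struct basic_constraints *out)
{
	size_t i = 2;
	out->ca = false;
	out->path_len = -1;
	if (len < 2 || der[0] != 0x30 || der[1] > 0x7f || (size_t)der[1] + 2 != len)
		return -1;
	if (i < len && der[i] == 0x01) {		/* BOOLEAN */
		if (i + 3 > len || der[i + 1] != 1)
			return -1;
		out->ca = der[i + 2] != 0;	/* DER mandates 0xff for TRUE; accept any non-zero */
		i += 3;
	}
	if (i < len && der[i] == 0x02) {		/* INTEGER */
		if (i + 3 > len || der[i + 1] != 1 || der[i + 2] > 0x7f)
			return -1;
		out->path_len = der[i + 2];
		i += 3;
	}
	return i == len ? 0 : -1;		/* trailing bytes are an encoding error */
}

/* cA=TRUE only says "this certificate is a CA". Root vs. intermediate is
 * decided by self-signature (issuer == subject), not by the extension. */
enum cert_kind classify_cert(const uint8_t *bc_der, size_t len, bool self_signed)
{
	struct basic_constraints bc;
	if (parse_basic_constraints(bc_der, len, &bc))
		return CERT_INVALID;
	if (!bc.ca)
		return CERT_END_ENTITY;
	return self_signed ? CERT_ROOT_CA : CERT_INTERMEDIATE_CA;
}
/* Constructed sample extnValues (not taken from any real certificate). */
static const uint8_t bc_ca_true[] = { 0x30, 0x03, 0x01, 0x01, 0xff };
static const uint8_t bc_ca_path0[] = { 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x00 };
static const uint8_t bc_empty[] = { 0x30, 0x00 };	/* cA absent, so FALSE */
```

With this split, an intermediate such as the kernel.org one (cA=TRUE, not self-signed) lands in CERT_INTERMEDIATE_CA, which is the case the `!cert->self_signed && !cert->root_ca` branch can never match.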
