KEYS: Restrict signature verification to keys appropriate to the purpose
Restrict the verification of X.509 certificates such that a certificate can
only be verified if either:
(1) A certificate is signed with the key it holds.
(2) A certificate is signed with a key that has keyCertSign set in its
keyUsage extension and has no purpose restriction set.
Restrict the verification of PKCS#7 messages such that a signature can only
be verified by a matching key if the key does not have keyCertSign set and
either of the following is true:
(1) The key has no purpose restriction and the PKCS#7 is not a firmware
signature.
(2) The key has a recognised purpose restriction that matches the use to
which the PKCS#7 signature is being put.
In the event that a restriction mismatch occurs, EKEYREJECTED will be
returned and an error similar to one of the following will be logged to
dmesg:
PKEY: Firmware signed with non-firmware key (module sig)
PKEY: Restricted usage key (module sig) used for wrong purpose (kexec sig)
The PKCS#7 test key type is given the usage to specify in a module
parameter. For example:
echo 1 >/sys/module/pkcs7_test_key/parameters/usage
keyctl padd pkcs7_test foo @s </tmp/stuff.pkcs7
will attempt to check the signature on stuff.pkcs7 as if it contains a
firmware blob (1 being KEY_VERIFYING_FIRMWARE_SIGNATURE).
Signed-off-by: David Howells <dhowells@redhat.com>
19 files changed
