From 65d543b2335ede80e5e66bc4f559f62db5f469bd Mon Sep 17 00:00:00 2001 From: Dmitry Kasatkin Date: Wed, 5 Nov 2014 17:01:13 +0200 Subject: integrity: provide a function to load x509 certificate from the kernel Provide the function to load x509 certificates from the kernel into the integrity kernel keyring. Changes in v2: * configuration option removed * function declared as '__init' Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar --- security/integrity/digsig.c | 36 +++++++++++++++++++++++++++++++++++- security/integrity/integrity.h | 2 ++ 2 files changed, 37 insertions(+), 1 deletion(-) (limited to 'security') diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c index 4f643d1b34dd..5e3bd72b299a 100644 --- a/security/integrity/digsig.c +++ b/security/integrity/digsig.c @@ -14,7 +14,7 @@ #include #include -#include +#include #include #include #include @@ -84,3 +84,37 @@ int __init integrity_init_keyring(const unsigned int id) } return err; } + +int __init integrity_load_x509(const unsigned int id, char *path) +{ + key_ref_t key; + char *data; + int rc; + + if (!keyring[id]) + return -EINVAL; + + rc = integrity_read_file(path, &data); + if (rc < 0) + return rc; + + key = key_create_or_update(make_key_ref(keyring[id], 1), + "asymmetric", + NULL, + data, + rc, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ), + KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_TRUSTED); + if (IS_ERR(key)) { + rc = PTR_ERR(key); + pr_err("Problem loading X.509 certificate (%d): %s\n", + rc, path); + } else { + pr_notice("Loaded X.509 cert '%s': %s\n", + key_ref_to_ptr(key)->description, path); + key_ref_put(key); + } + kfree(data); + return 0; +} diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h index 20d220481025..1057abbd31cd 100644 --- a/security/integrity/integrity.h +++ b/security/integrity/integrity.h @@ -134,6 +134,7 @@ int integrity_digsig_verify(const unsigned int id, const char *sig, int siglen, const char *digest, int digestlen); int __init integrity_init_keyring(const unsigned int id); +int __init integrity_load_x509(const unsigned int id, char *path); #else static inline int integrity_digsig_verify(const unsigned int id, @@ -147,6 +148,7 @@ static inline int integrity_init_keyring(const unsigned int id) { return 0; } + #endif /* CONFIG_INTEGRITY_SIGNATURE */ #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS -- cgit v1.2.3-58-ga151