On Tue, 2024-09-10 at 16:16 +0100, Jonathan McDowell wrote:
> On Tue, Sep 10, 2024 at 04:51:22PM +0200, Roberto Sassu wrote:
> > On Tue, 2024-09-10 at 16:36 +0200, Roberto Sassu wrote:
> > > On Tue, 2024-08-20 at 15:12 +0100, Jonathan McDowell wrote:
> > > > On Mon, Aug 19, 2024 at 05:15:02PM +0200
On Wed, Jun 27, 2018 at 04:33:42PM +0300, Mikhail Kurinnoi wrote:
> +int integrity_kernel_module_request(char *kmod_name)
> +{
> + if (strncmp(kmod_name, "crypto-pkcs1pad(rsa,", 20) == 0)
> + return -EINVAL;
> +
> + return 0;
> +}
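Review bot: the 20 passed to strncmp() in `if (strncmp(kmod_name, "crypto-pkcs1pad(rsa,", 20) == 0)` is a hand-counted copy of the literal's length and silently breaks if the string is ever edited; `sizeof("crypto-pkcs1pad(rsa,") - 1` (or a `static const char prefix[]` with `sizeof(prefix) - 1`) keeps the count tied to the literal. The function also has no comment stating why a request for this template is refused with -EINVAL, so the reason is lost on anyone who later sees module loads failing for it; a one-line note above the check would help.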
Just a heads-up: The above was applied as comm
From: Roberto Sassu
Introduce the new function to get the number of bits and bytes from an MPI.
Signed-off-by: Roberto Sassu
Signed-off-by: David Howells
---
include/linux/mpi.h | 2 ++
lib/crypto/mpi/mpicoder.c | 33 ++---
2 files changed, 28 insertions(+),
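As an added example, not the kernel's MPI code from this patch, here is the same bit-and-byte-length computation applied to a big-endian magnitude, plus a reader for the PGP wire MPI form (a 2-octet bit count followed by ceil(bits/8) octets, RFC 9580 section 3.2) that refuses encodings whose declared count does not match the data. All names (`be_nbits`, `pgp_read_mpi`, the `mpi_*` arrays) and the three sample encodings are this example's own.

```c
/* Added example, not the kernel's MPI code: compute the bit and byte length of a big-endian
 * magnitude, and read one PGP wire MPI (2-octet bit count + ceil(bits/8) octets, RFC 9580
 * section 3.2) while insisting the declared count matches. Names and inputs are constructed. */
#include <stdint.h>
#include <stddef.h>

/* Significant bits in a big-endian byte string; 0 for all-zero or empty input. */
size_t be_nbits(const uint8_t *p, size_t n)
{
	size_t i = 0, bits;
	while (i < n && p[i] == 0) i++;
	if (i == n) return 0;
	bits = 8 * (n - i - 1);
	for (uint8_t b = p[i]; b; b >>= 1) bits++;	/* bits in the leading non-zero octet */
	return bits;
}

size_t nbits_to_nbytes(size_t nbits) { return (nbits + 7) / 8; }

/* Read the MPI at p[0..n). Returns octets consumed and sets *nbits/*mag; returns 0 if
 * truncated or if the declared bit count is not exactly the magnitude's bit length,
 * which rejects leading zero octets and other non-canonical encodings. */
size_t pgp_read_mpi(const uint8_t *p, size_t n, size_t *nbits, const uint8_t **mag)
{
	if (n < 2) return 0;
	size_t declared = ((size_t)p[0] << 8) | p[1], nbytes = nbits_to_nbytes(declared);
	if (nbytes > n - 2 || be_nbits(p + 2, nbytes) != declared) return 0;
	*nbits = declared; *mag = p + 2;
	return 2 + nbytes;
}

/* Constructed: a canonical 17-bit MPI, one whose count overstates the magnitude, one truncated. */
static const uint8_t mpi_ok[]    = { 0x00, 0x11, 0x01, 0x00, 0x00 };
static const uint8_t mpi_bad[]   = { 0x00, 0x09, 0x00, 0x80 };
static const uint8_t mpi_short[] = { 0x00, 0x11, 0x01, 0x00 };
```

The strict equality check is the point: a parser that only reads ceil(bits/8) octets and trusts the count accepts the same number in several encodings, which is exactly what you do not want underneath a signature scheme.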
From: Roberto Sassu
Support for PGP keys and signatures was proposed by David a long time ago,
before the decision to use PKCS#7 for kernel module signature
verification was made. After that, there was not enough interest in
supporting PGP too.
Lately, there is renewed interest in supporting
From: Roberto Sassu
Parse the RSA key with RAW format if the ASN.1 parser returns an error, to
avoid somehow passing the key format as a parameter.
Signed-off-by: Roberto Sassu
Signed-off-by: David Howells
---
crypto/rsa.c | 14 --
crypto/rsa_helper.c | 83 +++
From: David Howells
Provide some useful PGP definitions from RFC 9580. These describe details
of public key crypto as used by crypto keys for things like signature
verification.
Signed-off-by: David Howells
Co-developed-by: Roberto Sassu
Signed-off-by: Roberto Sassu
---
crypto/asymmetric_ke
From: David Howells
Provide a simple parser that extracts the packets from a PGP packet blob
and passes the desired ones to the given processor function:
struct pgp_parse_context {
u64 types_of_interest;
int (*process_packet)(struct pgp_parse_context *con
From: David Howells
Provide some PGP signature parsing helpers:
(1) A function to parse V4 signature subpackets and pass the desired ones
to a processor function:
int pgp_parse_sig_subpkts(const u8 *data, size_t datalen,
struct pgp_parse_sig_conte
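As an added example, not code from David's patches or from the kernel, the two messages above (the packet walker with a `types_of_interest` mask and `process_packet` callback, and the v4 signature subpacket parser) can be shown together in one small program. Everything beyond those two names is this example's own: `pgp_ctx`, `pgp_new_len`, the demo callback, and the two hand-constructed blobs; it only handles what a key blob needs and refuses partial body lengths and indeterminate-length legacy packets.

```c
/* Added example, not code from the patch set: a packet walker shaped like the commit message's
 * context (bitmask of packet types plus callback) and a v4 signature subpacket parser that
 * honours the critical bit. Identifiers are the example's own; the blobs are constructed. */
#include <stdint.h>
#include <string.h>

struct pgp_ctx {
	uint64_t types_of_interest;	/* bit t set: deliver packets with tag t */
	int (*process_packet)(struct pgp_ctx *ctx, uint8_t tag, const uint8_t *d, size_t n);
	char last_uid[64]; uint32_t sig_created; int n_pkts;	/* filled in by the demo callback */
};

/* OpenPGP-format length (RFC 9580 section 4.2; subpackets use the same encoding). Returns
 * octets consumed, 0 on error; partial body lengths (224..254) are refused outright. */
static size_t pgp_new_len(const uint8_t *p, size_t n, size_t *len)
{
	if (n < 1) return 0;
	if (p[0] < 192) { *len = p[0]; return 1; }
	if (p[0] < 224) { if (n < 2) return 0; *len = ((size_t)(p[0] - 192) << 8) + p[1] + 192; return 2; }
	if (p[0] != 255 || n < 5) return 0;
	*len = ((size_t)p[1] << 24) | ((size_t)p[2] << 16) | ((size_t)p[3] << 8) | p[4];
	return 5;
}

/* Walk a packet sequence; every declared length is checked against what is left. */
int pgp_parse_packets(struct pgp_ctx *ctx, const uint8_t *p, size_t n)
{
	static const size_t old_hdr[4] = { 2, 3, 5, 0 };	/* 1-, 2-, 4-octet length; indeterminate */
	while (n) {
		uint8_t tag; size_t hdr, len = 0;
		if (!(p[0] & 0x80)) return -1;				/* bit 7 is always set */
		if (p[0] & 0x40) {					/* new format: 6-bit tag */
			tag = p[0] & 0x3f;
			if (!(hdr = pgp_new_len(p + 1, n - 1, &len))) return -1;
			hdr++;
		} else {						/* old format: 4-bit tag, 2-bit length type */
			tag = (p[0] >> 2) & 0x0f;
			if (!(hdr = old_hdr[p[0] & 3]) || n < hdr) return -1;	/* indeterminate: refuse */
			for (size_t i = 1; i < hdr; i++) len = (len << 8) | p[i];
		}
		if (len > n - hdr) return -1;				/* body runs past the blob */
		if (ctx->types_of_interest & (1ULL << tag)) {
			int rc = ctx->process_packet(ctx, tag, p + hdr, len);
			if (rc) return rc;
		}
		p += hdr + len; n -= hdr + len;
	}
	return 0;
}

/* Subpacket area: length, type octet (bit 7 = critical), body. An unknown subpacket
 * flagged critical makes the whole signature unusable (RFC 9580 section 5.2.3). */
int pgp_parse_sig_subpkts(const uint8_t *p, size_t n, struct pgp_ctx *ctx)
{
	while (n) {
		size_t len, hdr = pgp_new_len(p, n, &len);
		if (!hdr || len == 0 || len > n - hdr) return -1;
		uint8_t type = p[hdr] & 0x7f, critical = p[hdr] & 0x80; const uint8_t *b = p + hdr + 1;
		if (type == 2) {					/* Signature Creation Time: exactly 4 octets */
			if (len != 5) return -1;
			ctx->sig_created = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
		} else if (critical) {
			return -1;					/* unknown and critical: reject */
		}
		p += hdr + len; n -= hdr + len;
	}
	return 0;
}
static int demo_process(struct pgp_ctx *ctx, uint8_t tag, const uint8_t *d, size_t n)
{
	ctx->n_pkts++;
	if (tag == 13) {						/* User ID: keep the last one */
		size_t l = n < sizeof(ctx->last_uid) - 1 ? n : sizeof(ctx->last_uid) - 1;
		memcpy(ctx->last_uid, d, l); ctx->last_uid[l] = '\0';
		return 0;
	}
	if (n < 6 || d[0] != 4) return -1;				/* Signature (tag 2): v4 only */
	size_t hlen = ((size_t)d[4] << 8) | d[5];			/* hashed subpacket area */
	return hlen > n - 6 ? -1 : pgp_parse_sig_subpkts(d + 6, hlen, ctx);
}

/* Constructed: old-format User ID, then a new-format v4 signature (type 0x13, RSA, SHA-256,
 * 16 hashed octets: creation time and issuer key ID; no unhashed area; hash prefix; 1-bit MPI). */
static const uint8_t sample_blob[] = {
	0xb4, 5, 'a', 'l', 'i', 'c', 'e', 0xc2, 29, 0x04, 0x13, 0x01, 0x08, 0x00, 0x10,
	0x05, 0x02, 0x66, 0x00, 0x00, 0x00, 0x09, 0x10, 1, 2, 3, 4, 5, 6, 7, 8,
	0x00, 0x00, 0xab, 0xcd, 0x00, 0x01, 0x01,
};
/* Constructed: the same, plus an unknown subpacket (type 100, 0xe4 = 0x80 | 100) flagged critical. */
static const uint8_t bad_blob[] = {
	0xb4, 5, 'a', 'l', 'i', 'c', 'e', 0xc2, 33, 0x04, 0x13, 0x01, 0x08, 0x00, 0x14,
	0x05, 0x02, 0x66, 0x00, 0x00, 0x00, 0x09, 0x10, 1, 2, 3, 4, 5, 6, 7, 8,
	0x03, 0xe4, 0xde, 0xad, 0x00, 0x00, 0xab, 0xcd, 0x00, 0x01, 0x01,
};
int demo_parse(const uint8_t *blob, size_t n, struct pgp_ctx *ctx)
{
	memset(ctx, 0, sizeof(*ctx));
	ctx->types_of_interest = (1ULL << 2) | (1ULL << 13);	/* signatures and user IDs */
	ctx->process_packet = demo_process;
	return pgp_parse_packets(ctx, blob, n);
}
```

`demo_parse(sample_blob, sizeof sample_blob, &ctx)` returns 0 with `last_uid` set to "alice" and the creation time decoded; the same call on `bad_blob` returns -1 from inside the subpacket walk, because an unknown subpacket with the critical bit set is a reason to distrust the signature, not something to skip.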
From: David Howells
Implement a PGP data parser for the crypto key type to use when
instantiating a key.
This parser attempts to parse the instantiation data as a PGP packet
sequence (RFC 9580), v4 keys only, and if it parses okay attempts to
extract a public-key algorithm key or subkey from it.
From: David Howells
Provide a facility to autogenerate the name of PGP keys from the contents
of the payload. If add_key() is given a blank description, a description
is constructed from the last user ID packet in the payload data plus the
last 8 hex digits of the key ID. For instance:
From: David Howells
Provide handlers for PGP-based public-key algorithm signature verification.
This does most of the work involved in signature verification as most of it
is public-key algorithm agnostic. The public-key verification algorithm
itself is just the last little bit and is supplied t
From: Roberto Sassu
Retry asymmetric key search in restrict_link_by_signature() to support the
case of partial IDs, provided by PGP signatures (only the last 8 bytes).
Although RFC 9580 supports the signature subpacket type 33, which contains
the full issuer fingerprint, we cannot rely on existi
From: Roberto Sassu
Calculate the digest of the signature, according to the RFC 9580 section
5.2.4, get the last suitable signature with types 0x10 (Generic
certification of a User ID and Public-Key packet) or 0x13 (Positive
certification of a User ID and Public Key packet), and store it in the
a
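As an added example, not code from Roberto's patch, here is the octet layout that RFC 9580 section 5.2.4 prescribes for a v4 certification signature over a User ID, assembled into a buffer without applying any hash (the result is what would be fed to the hash algorithm the signature names). The function name `pgp_cert_hash_input`, the helpers and the three constructed inputs are this example's own, and it accepts only the two certification types the message above selects, 0x10 and 0x13.

```c
/* Added example, not code from the patch set: lay out the octets a v4 certification signature
 * over a User ID is computed over (RFC 9580 section 5.2.4). No hash is applied; the result is
 * what you feed to the hash the signature names. Names and inputs are constructed. */
#include <stdint.h>
#include <string.h>

static void put_be16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put_be32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* key/keylen: body of the v4 public-key packet (no packet header); uid/uidlen: User ID
 * packet body; sig/siglen: body of the v4 signature packet. Returns octets written to
 * out, or 0 if an input is malformed or does not fit. */
size_t pgp_cert_hash_input(const uint8_t *key, size_t keylen, const uint8_t *uid, size_t uidlen,
			   const uint8_t *sig, size_t siglen, uint8_t *out, size_t outn)
{
	if (keylen > 0xffff || siglen < 6 || sig[0] != 4) return 0;
	if (sig[1] != 0x10 && sig[1] != 0x13) return 0;		/* the certification types selected above */
	size_t hashed = 6 + (((size_t)sig[4] << 8) | sig[5]);	/* version .. end of hashed subpackets */
	if (hashed > siglen) return 0;
	size_t need = 3 + keylen + 5 + uidlen + hashed + 6;
	if (need > outn) return 0;
	uint8_t *p = out;
	*p++ = 0x99; put_be16(p, (uint16_t)keylen); p += 2;	/* key packet with old-style 2-octet header */
	memcpy(p, key, keylen); p += keylen;
	*p++ = 0xb4; put_be32(p, (uint32_t)uidlen); p += 4;	/* User ID: 0xB4, 4-octet length, data */
	memcpy(p, uid, uidlen); p += uidlen;
	memcpy(p, sig, hashed); p += hashed;			/* hashed portion of the signature itself */
	*p++ = 0x04; *p++ = 0xff; put_be32(p, (uint32_t)hashed);	/* v4 trailer: 0x04 0xFF, hashed length */
	return need;
}

/* Constructed inputs: a 12-octet stand-in for a v4 key body, the User ID "alice" and a 29-octet
 * v4 positive-certification (0x13) signature body with a 16-octet hashed area. */
static const uint8_t demo_key[] = { 0x04, 0x66, 0, 0, 0, 0x01, 0x00, 0x01, 0x01, 0x00, 0x02, 0x03 };
static const uint8_t demo_uid[] = { 'a', 'l', 'i', 'c', 'e' };
static const uint8_t demo_sig[] = {
	0x04, 0x13, 0x01, 0x08, 0x00, 0x10,
	0x05, 0x02, 0x66, 0x00, 0x00, 0x00, 0x09, 0x10, 1, 2, 3, 4, 5, 6, 7, 8,
	0x00, 0x00, 0xab, 0xcd, 0x00, 0x01, 0x01,
};

size_t demo_build(uint8_t *out, size_t outn)
{
	return pgp_cert_hash_input(demo_key, sizeof demo_key, demo_uid, sizeof demo_uid,
				   demo_sig, sizeof demo_sig, out, outn);
}
```

Two details are easy to get wrong and are the reason to write this out: the key is framed with a 2-octet length behind 0x99 while the User ID gets a 4-octet length behind 0xB4, and the trailer's length covers only the hashed portion of the signature (version through hashed subpackets), not the trailer itself.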
From: Roberto Sassu
Introduce verify_pgp_signature() to verify PGP signatures from detached
data. It can be used by kernel subsystems (e.g. IMA).
Signed-off-by: Roberto Sassu
---
certs/system_keyring.c | 71
include/linux/verification.h | 23 +
From: David Howells
Provide a key type for testing the PGP signature parser. It is given a
non-detached PGP message as payload:
keyctl padd pgp_test a @s content.txt
gpg --compress-algo=none -s content.txt
Signed-off-by: David Howells
Co-developed-by: Roberto Sassu
Signed-off
From: David Howells
Provide a function to load keys from a PGP keyring blob to the built-in and
.ima keyrings:
int preload_pgp_keys(const u8 *pgpdata, size_t pgpdatalen,
struct key *keyring);
Descriptions are generated from user ID notes and key fingerprints
From: Roberto Sassu
Preload PGP keys from 'pubring.gpg', placed in certs/ of the kernel source
directory.
Signed-off-by: Roberto Sassu
---
certs/Kconfig | 11 +++
certs/Makefile | 7 +++
certs/system_certificates.S | 18 ++
certs/system_k
17 matches