| field | value | date |
|---|---|---|
| author | Mat Martineau | 2016-10-04 16:42:45 -0700 |
| committer | Mat Martineau | 2017-04-04 14:10:13 -0700 |
| commit | 8e323a02e866014091180443ccb186fee1e3d30d | |
| tree | bb473a491f791be1c0f9c42b66c4b700ff151d74 /Documentation/crypto | |
| parent | 7e3c4d22083f6e7316c5229b6197ca2d5335aa35 | |
KEYS: Keyring asymmetric key restrict method with chaining
Add a restrict_link_by_key_or_keyring_chain link restriction that
searches for signing keys in the destination keyring in addition to the
signing key or keyring designated when the destination keyring was
created. Userspace enables this behavior by including the "chain" option
in the keyring restriction:
keyctl(KEYCTL_RESTRICT_KEYRING, keyring, "asymmetric",
"key_or_keyring:<signing key>:chain");
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Diffstat (limited to 'Documentation/crypto')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | Documentation/crypto/asymmetric-keys.txt | 7 |

1 file changed, 6 insertions, 1 deletion
diff --git a/Documentation/crypto/asymmetric-keys.txt b/Documentation/crypto/asymmetric-keys.txt index 9814722f4b6b..5ad6480e3fb9 100644 --- a/Documentation/crypto/asymmetric-keys.txt +++ b/Documentation/crypto/asymmetric-keys.txt @@ -343,7 +343,7 @@ Several restriction methods are available: (3) Restrict using a separate key or keyring - Option string used with KEYCTL_RESTRICT_KEYRING: - - "key_or_keyring:<key or keyring serial number>" + - "key_or_keyring:<key or keyring serial number>[:chain]" Whenever a key link is requested, the link will only succeed if the key being linked is signed by one of the designated keys. This key may be @@ -351,6 +351,11 @@ Several restriction methods are available: a group of keys may be searched for the signing key by providing the serial number for a keyring. + When the "chain" option is provided at the end of the string, the keys + within the destination keyring will also be searched for signing keys. + This allows for verification of certificate chains by adding each + cert in order (starting closest to the root) to one keyring. + In all of these cases, if the signing key is found the signature of the key to be linked will be verified using the signing key. The requested key is added to the keyring only if the signature is successfully verified. -ENOKEY is |
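Review bot: the new paragraph in the second hunk (after "serial number for a keyring.") should state the trust consequence of "chain" explicitly: once the option is set, every key already linked into the destination keyring is accepted as a signer for later links, so a key that entered the keyring by any other route, for instance one linked before KEYCTL_RESTRICT_KEYRING was applied, becomes a trust anchor for everything added afterwards. Suggest adding a sentence telling users to apply the restriction to an empty keyring (or stating whether existing contents are re-verified), and saying whether the search of the destination keyring descends into nested keyrings or covers only its direct members. In the first hunk, "[:chain]" is introduced as the sole trailing option, but nothing says what an unrecognised suffix such as "key_or_keyring:<serial>:foo" does; since the closing paragraph already documents -ENOKEY, the error returned for a malformed option string belongs alongside it.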