KEYS: Keyring asymmetric key restrict method with chaining

Add a restrict_link_by_key_or_keyring_chain link restriction that searches for signing keys in the destination keyring in addition to the signing key or keyring designated when the destination keyring was created. Userspace enables this behavior by including the "chain" option in the keyring restriction: keyctl(KEYCTL_RESTRICT_KEYRING, keyring, "asymmetric", "key_or_keyring:<signing key>:chain"); Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
2016-10-04 16:42:45 -07:00
parent 7e3c4d2208
commit 8e323a02e8
4 changed files with 164 additions and 55 deletions
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -60,6 +60,11 @@ extern int restrict_link_by_key_or_keyring(struct key *dest_keyring,
 					   const union key_payload *payload,
 					   struct key *trusted);

+extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring,
+						 const struct key_type *type,
+						 const union key_payload *payload,
+						 struct key *trusted);
+
 extern int verify_signature(const struct key *key,
 			    const struct public_key_signature *sig);