Kasatkin, Dmitry <dmitry.kasatkin@xxxxxxxxx> wrote: > Just one question about key description... > request_asymmetric_key uses format for key description: "<signer>: <key-id>". > Preparsing code creates description from those values. > I see that key id is not 8 bytes anymore but full hash size of 20 bytes. Remember: This is for viewing via /proc/keys and KEYCTL_DESCRIBE as much as for matching. > For practical reasons for IMA it might be nice to save some space in > xattrs and use shorter key id/description. That's reasonable. > As I understand from implementation, if key name is provided with "keyctl > add", it will not be replaced with preparsed value. Correct. > And we can actually use any keyid we want? Yes. Note: The key type ->match() function is not required to limit itself to a direct strcmp(). It is at liberty to partially match the description or any other data attached to the key. Look at asymmetric_key_match() in crypto/asymmetric/asymmetric_type.c. If you do a search for: "id:<hex-string>" this will do a partial tail match on the key fingerprint: [root@andromeda ~]# keyctl padd asymmetric "" @s </tmp/uefi-x509 289786205 [root@andromeda ~]# cat /proc/keys 1145c95d I--Q--- 1 perm 39390000 0 0 asymmetri Red Hat Test Certificate: 3580cf35d76b3b667a40df66691cbcf87353b23c: X509.RSA 7353b23c [] ... [root@andromeda ~]# keyctl search @s asymmetric "id:53b23c" 289786205 As an optimisation, it might be worth internally calling keyring_search_aux() with our own match function that takes a binary key ID and storing the fingerprint as binary rather than hex (attached to key->type_data.p[1]). The type match function can only take text strings as it has to be invoked from userspace. David -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
