Re: [PATCH Strawman] crypto: Handle PEM-encoded x.509 certificates

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Eric-

> On Nov 12, 2021, at 1:49 PM, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> 
> On Fri, Nov 12, 2021 at 12:39:52PM -0500, Chuck Lever wrote:
>> This enables "# cat cert.pem | keyctl padd asymmetric <keyring>"
>> 
>> Since prep->data is a "const void *" I didn't feel comfortable with
>> pem_decode() simply overwriting either the pointer or the contents
>> of the provided buffer. A secondary buffer is therefore allocated,
>> and then later freed by .free_preparse.
>> 
>> This compiles, but is otherwise untested. I'm interested in opinions
>> about this approach.
>> 
>> Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
> 
> Why?  You can easily convert PEM to DER in userspace, for example with a command
> like 'openssl x509 -in cert.pem -out cert.der -outform der'.  There's no need
> for the kernel to do it.

Correct, it's not a hard requirement. However, this change does
broaden the add_key(2) API to enable it to accept a PEM-encoded
certificate directly instead of needing to run the blob through an
intermediate step, simplifying applications that might use it for
adding X.509 keys to kernel keyrings.

Certainly, the kernel could include a single set of base64 encoders
and decoders that can be used by all in-kernel consumers. See for
example net/ceph/armor.c and fs/crypto/fname.c .

Because PEM decoding does not require any policy decisions, and
because the kernel already has at least two existing partial
base64 implementations, I'm not aware of a technical reason a
system call like add_key(2) should not to accept PEM-encoded
asymmetric key material.


--
Chuck Lever







[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux