From: Kevin Bowling <kevin.bowling@kev009.com>
To: dhowells@redhat.com, keyrings@vger.kernel.org
Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
Kevin Bowling <kevin.bowling@kev009.com>,
stable@vger.kernel.org
Subject: [PATCH] KEYS: Print digitalSignature and CA link errors
Date: Thu, 1 Aug 2024 14:01:55 -0700
Message-ID: <20240801210155.89097-1-kevin.bowling@kev009.com>
ENOKEY is overloaded for several different failure types in these link
functions. In addition, by the time we are consuming the return, several
other methods can return ENOKEY. Add some error prints to help diagnose
fundamental certificate issues.
Cc: stable@vger.kernel.org
Signed-off-by: Kevin Bowling <kevin.bowling@kev009.com>
---
crypto/asymmetric_keys/restrict.c | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index afcd4d101ac5..472561e451b3 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -140,14 +140,20 @@ int restrict_link_by_ca(struct key *dest_keyring,
pkey = payload->data[asym_crypto];
if (!pkey)
return -ENOPKG;
- if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags))
+ if (!test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) {
+ pr_err("Missing CA usage bit\n");
return -ENOKEY;
- if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags))
+ }
+ if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) {
+ pr_err("Missing keyCertSign usage bit\n");
return -ENOKEY;
+ }
if (!IS_ENABLED(CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX))
return 0;
- if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags))
+ if (test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) {
+ pr_err("Unexpected digitalSignature usage bit\n");
return -ENOKEY;
+ }
return 0;
}
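Review bot: the three new pr_err() messages in this hunk carry no identifier of the certificate being rejected or of the keyring rejecting it, so in dmesg "Missing CA usage bit" cannot be tied back to a particular cert or restriction. dest_keyring is already a parameter of restrict_link_by_ca(), so the cheapest fix is to include its description, e.g. pr_err("%s: Missing CA usage bit\n", dest_keyring->description), or to add a pr_fmt() prefix for the file so the messages at least name the subsystem. Severity is also worth a second look: a certificate without the CA/keyCertSign bits being refused by a CA-restricted keyring is the restriction doing its job, so pr_warn() (or pr_info()) is more appropriate than pr_err(), and with -ENOKEY unchanged the caller's behaviour is identical either way.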
@@ -183,14 +189,20 @@ int restrict_link_by_digsig(struct key *dest_keyring,
if (!pkey)
return -ENOPKG;
- if (!test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags))
+ if (!test_bit(KEY_EFLAG_DIGITALSIG, &pkey->key_eflags)) {
+ pr_err("Missing digitalSignature usage bit\n");
return -ENOKEY;
+ }
- if (test_bit(KEY_EFLAG_CA, &pkey->key_eflags))
+ if (test_bit(KEY_EFLAG_CA, &pkey->key_eflags)) {
+ pr_err("Unexpected CA usage bit\n");
return -ENOKEY;
+ }
- if (test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags))
+ if (test_bit(KEY_EFLAG_KEYCERTSIGN, &pkey->key_eflags)) {
+ pr_err("Unexpected keyCertSign usage bit\n");
return -ENOKEY;
+ }
return restrict_link_by_signature(dest_keyring, type, payload,
trust_keyring);
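Review bot: the added prints cover only the usage-bit rejections; the fall-through to restrict_link_by_signature() at the end of this hunk can still return -ENOKEY with no message, which is exactly the "several other methods can return ENOKEY" case the commit message describes, so that path remains undiagnosable after this patch. Consider capturing the return value, e.g. ret = restrict_link_by_signature(dest_keyring, type, payload, trust_keyring); and printing when ret == -ENOKEY, so a digitalSignature cert with the right usage bits but no matching trust anchor is distinguishable from the usage-bit failures above. As in the previous hunk, the "Unexpected CA usage bit" / "Unexpected keyCertSign usage bit" messages should name the destination keyring (dest_keyring->description), since the same certificate is legitimately accepted by a CA-restricted keyring and only unexpected here.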
--
2.46.0
Thread overview: 2+ messages
2024-08-01 21:01 Kevin Bowling [this message]
2024-10-07  2:32 ` [PATCH] KEYS: Print digitalSignature and CA link errors Kevin Bowling