projects / deliverable / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 0a7c8b6) | patch
KEYS: Provide keyctls to drive the new key type ops for asymmetric keys
authorDavid Howells <dhowells@redhat.com>
Thu, 1 Sep 2016 10:13:11 +0000 (11:13 +0100)
committerDavid Howells <dhowells@redhat.com>
Thu, 1 Sep 2016 10:13:11 +0000 (11:13 +0100)
commit47ba9b28bf8e6f1f6fb1937dd5f4a6d2ac267f3d
treed659077a84a54c1614ad0319c25a0d633ba78cc9tree | snapshot
parent0a7c8b6abaa691a1bf705d69d63e6a9cdd837009commit | diff
KEYS: Provide keyctls to drive the new key type ops for asymmetric keys

Provide five keyctl functions that permit userspace to make use of the new
key type ops for accessing and driving asymmetric keys.

 (*) Query an asymmetric key.

long keyctl(KEYCTL_PKEY_QUERY,
    key_serial_t key, unsigned long reserved,
    struct keyctl_pkey_query *info);

     Get information about an asymmetric key.  The information is returned
     in the keyctl_pkey_query struct:

__u32 supported_ops;

     A bit mask of flags indicating which ops are supported.  This is
     constructed from a bitwise-OR of:

KEYCTL_SUPPORTS_{ENCRYPT,DECRYPT,SIGN,VERIFY}

__u32 key_size;

     The size in bits of the key.

__u16 max_data_size;
__u16 max_sig_size;
__u16 max_enc_size;
__u16 max_dec_size;

     The maximum sizes in bytes of a blob of data to be signed, a signature
     blob, a blob to be encrypted and a blob to be decrypted.

     reserved must be set to 0.  This is intended for future use to hand
     over one or more passphrases needed unlock a key.

     If successful, 0 is returned.  If the key is not an asymmetric key,
     EOPNOTSUPP is returned.

 (*) Encrypt, decrypt, sign or verify a blob using an asymmetric key.

long keyctl(KEYCTL_PKEY_ENCRYPT,
    const struct keyctl_pkey_params *params,
    const char *info,
    const void *in,
    void *out);

long keyctl(KEYCTL_PKEY_DECRYPT,
    const struct keyctl_pkey_params *params,
    const char *info,
    const void *in,
    void *out);

long keyctl(KEYCTL_PKEY_SIGN,
    const struct keyctl_pkey_params *params,
    const char *info,
    const void *in,
    void *out);

long keyctl(KEYCTL_PKEY_VERIFY,
    const struct keyctl_pkey_params *params,
    const char *info,
    const void *in,
    const void *in2);

     Use an asymmetric key to perform a public-key cryptographic operation
     a blob of data.

     The parameter block pointed to by params contains a number of integer
     values:

__s32 key_id;
__u32 in_len;
__u32 out_len;
__u32 in2_len;

     For a given operation, the in and out buffers are used as follows:

Operation ID in,in_len out,out_len in2,in2_len
======================= =============== =============== ===========
KEYCTL_PKEY_ENCRYPT Raw data Encrypted data -
KEYCTL_PKEY_DECRYPT Encrypted data Raw data -
KEYCTL_PKEY_SIGN Raw data Signature -
KEYCTL_PKEY_VERIFY Raw data - Signature

     info is a string of key=value pairs that supply supplementary
     information.

     The __spare space in the parameter block must be set to 0.  This is
     intended, amongst other things, to allow the passing of passphrases
     required to unlock a key.

     If successful, encrypt, decrypt and sign all return the amount of data
     written into the output buffer.  Verification returns 0 on success.

Signed-off-by: David Howells <dhowells@redhat.com>
Documentation/security/keys.txt diff | blob | blame | history
include/uapi/linux/keyctl.h diff | blob | blame | history
security/keys/Makefile diff | blob | blame | history
security/keys/compat.c diff | blob | blame | history
security/keys/internal.h diff | blob | blame | history
security/keys/keyctl.c diff | blob | blame | history
security/keys/keyctl_pkey.c [new file with mode: 0644] blob
Linux kernel - Deliverables
This page took 0.026472 seconds and 5 git commands to generate.