From: Denis Glazkov
To: Sergey Shtylyov
CC: Denis Glazkov, dhowells@redhat.com, dwmw2@infradead.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2] certs: Add option to disallow non-CA certificates in secondary trusted keying
Date: Fri, 8 Sep 2023 12:14:25 +0000
Message-ID: <20230908121330.4076-1-d.glazkov@omp.ru>

The Linux kernel has an IMA (Integrity Measurement Architecture)
subsystem to check the integrity of the file system based on digital
signatures. IMA uses certificates in the `.ima` keyring to check integrity.

Only certificates issued by one of the trusted CA (Certificate Authority)
certificates can be added to the `.ima` keyring.

The Linux kernel now has a secondary trusted keyring to which trusted
certificates from user space can be added if you have superuser
privileges. Previously, all trusted certificates were in the built-in
trusted keyring, which could not be modified from user space.
Trusted certificates were placed in the built-in trusted keyring at
kernel compile time.

The secondary trusted keyring is designed so that any certificates that
are signed by one of the trusted CA certificates in the built-in or
secondary trusted keyring can be added to it.

Let's imagine that we have the following certificate trust chain:

             ┌───────────────────────────┬─────────────────────┐
             │                           │     ┌───────┐       │
             │                           │     │       │       │
┌────────────▼────────┐    ┌─────────────▼─────▼────┐  │ ┌─────┴─────┐
│.builtin_trusted_keys│◄───┤.secondary_trusted_keys ├──┘ │   .ima    │
├─────────────────────┤    ├────────────────────────┤    ├───────────┤
│     Root CA Cert    │-----► Intermediate CA Cert  │-----► IMA Cert │
└─────────────────────┘    └────────────────────────┘    └───────────┘

                Issues                  Restricted by
            -------------►             ──────────────►

Since the IMA certificate is signed by a CA certificate from the secondary
trusted keyring, an attacker with superuser privileges will be able to
add the IMA certificate to the secondary trusted keyring. That is, the IMA
certificate will become trusted.

Since, with the `CONFIG_MODULE_SIG` option enabled, modules can only be
loaded into kernel space if they are signed with one of the trusted
certificates, an attacker could sign untrusted kernel modules with
the private key corresponding to the IMA certificate and successfully
load the untrusted modules into kernel space.

This patch adds a configuration option; once it is enabled, only
certificates that meet the following requirements can be added
to the secondary trusted keyring:

1. The certificate is a CA (Certificate Authority)
2. The certificate must be used for verifying a CA's signatures
3. The certificate must not be used for digital signatures

Signed-off-by: Denis Glazkov <d.glazkov@omp.ru>
---
v1 -> v2:
 - Rebase the patch from `linux-next` to the main `linux` repo master branch
 - Make the commit message more detailed
 - Move the variable declaration to the `if` block
 - Replace `#ifdef` with `IS_ENABLED` macro
---
 certs/Kconfig          |  9 +++++++++
 certs/system_keyring.c | 16 ++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/certs/Kconfig b/certs/Kconfig
index 1f109b070877..4a4dc8aab892 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -90,6 +90,15 @@ config SECONDARY_TRUSTED_KEYRING
 	  those keys are not blacklisted and are vouched for by a key built
 	  into the kernel or already in the secondary trusted keyring.
 
+config SECONDARY_TRUSTED_KEYRING_FOR_CA_CERTIFICATES_ONLY
+	bool "Allow only CA certificates to be added to the secondary trusted keyring"
+	depends on SECONDARY_TRUSTED_KEYRING
+	help
+	  If set, only CA certificates can be added to the secondary trusted keyring.
+	  An acceptable CA certificate must include the `keyCertSign` value in
+	  the `keyUsage` field. CA certificates that include the `digitalSignature`
+	  value in the `keyUsage` field will not be accepted.
+
 config SYSTEM_BLACKLIST_KEYRING
 	bool "Provide system-wide ring of blacklisted keys"
 	depends on KEYS
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 9de610bf1f4b..ee14447374e7 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -99,6 +99,22 @@ int restrict_link_by_builtin_and_secondary_trusted(
 		/* Allow the builtin keyring to be added to the secondary */
 		return 0;
 
+	if (IS_ENABLED(CONFIG_SECONDARY_TRUSTED_KEYRING_FOR_CA_CERTIFICATES_ONLY) &&
+	    dest_keyring == secondary_trusted_keys) {
+		const struct public_key *pub = payload->data[asym_crypto];
+
+		if (type != &key_type_asymmetric)
+			return -EOPNOTSUPP;
+		if (!pub)
+			return -ENOPKG;
+		if (!test_bit(KEY_EFLAG_CA, &pub->key_eflags))
+			return -EPERM;
+		if (!test_bit(KEY_EFLAG_KEYCERTSIGN, &pub->key_eflags))
+			return -EPERM;
+		if (test_bit(KEY_EFLAG_DIGITALSIG, &pub->key_eflags))
+			return -EPERM;
+	}
+
 	return restrict_link_by_signature(dest_keyring, type, payload,
 					  secondary_trusted_keys);
 }
-- 
2.34.1
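Review bot: the help text for SECONDARY_TRUSTED_KEYRING_FOR_CA_CERTIFICATES_ONLY lists the keyUsage requirements (keyCertSign present, digitalSignature absent) but omits the first condition the code enforces, that the certificate be a CA at all (the KEY_EFLAG_CA test in the system_keyring.c hunk, requirement 1 of the commit message); state all three conditions in the help so the option's description matches what it rejects, for instance "Only CA certificates whose key usage includes keyCertSign and does not include digitalSignature can be added to the secondary trusted keyring." A minor style point: Kconfig help is rendered as plain text, so the backticks around keyUsage, keyCertSign and digitalSignature should be dropped.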
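Review bot: in the new block, `const struct public_key *pub = payload->data[asym_crypto];` is read before `if (type != &key_type_asymmetric)` has confirmed that this is an asymmetric-key payload, so the declaration interprets the payload data ahead of the type check that is meant to guard it; do the type check first and fetch `pub` only after it (declare it at the top of the block, assign after the check), which also keeps the checks in the order the error codes suggest: -EOPNOTSUPP for the wrong key type, -ENOPKG for a missing public key, -EPERM for the policy. The three -EPERM returns would benefit from one comment naming the policy (CA flag set, keyCertSign set, digitalSignature clear) so the reader does not have to go to the Kconfig help to see why a CA certificate with digitalSignature is refused.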
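The three conditions the patch enforces (CA certificate, keyCertSign set in keyUsage, digitalSignature clear) can be checked from user space before an operator tries to load a key into .secondary_trusted_keys. The script below is an added example, not part of this patch or of the kernel tree: it generates three constructed throwaway certificates with the openssl CLI (an acceptable CA, a CA that also asserts digitalSignature, and an end-entity certificate shaped like the IMA cert in the diagram) and applies the same three policy checks, in the same order, that the patched restrict_link_by_builtin_and_secondary_trusted() applies when the option is enabled. The function name secondary_keyring_would_accept, the helper make_cert and the file names are assumptions of the example; the kernel reads its flags from the parsed certificate, whereas this script reads them from the text that `openssl x509 -ext` prints, where the keyCertSign and digitalSignature bits appear as "Certificate Sign" and "Digital Signature".

```shell
#!/bin/sh
# Added example, not part of the patch: check from user space whether a
# certificate would pass the three conditions that
# CONFIG_SECONDARY_TRUSTED_KEYRING_FOR_CA_CERTIFICATES_ONLY enforces.
# Needs the openssl CLI (1.1.1 or later for -addext and -ext). All
# certificates below are constructed throwaway samples.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the sample certificates carry only the
# extensions added explicitly below (no distro default v3_ca section).
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# make_cert NAME BASIC_CONSTRAINTS KEY_USAGE: self-signed P-256 certificate
# with exactly the given basicConstraints and keyUsage values (assumed helper).
make_cert() {
    openssl req -x509 -config "$WORK/req.cnf" -subj "/CN=$1" -days 1 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -addext "basicConstraints=critical,$2" \
        -addext "keyUsage=critical,$3" >/dev/null 2>&1
}

# The three certificate shapes the discussion distinguishes.
make_cert ca        CA:TRUE  keyCertSign,cRLSign                   # accepted
make_cert ca_digsig CA:TRUE  digitalSignature,keyCertSign,cRLSign  # rejected
make_cert leaf      CA:FALSE digitalSignature                      # rejected (like the IMA cert)

# secondary_keyring_would_accept CERT.pem
# Same policy checks, same order, as the patched
# restrict_link_by_builtin_and_secondary_trusted(): CA flag, then
# keyCertSign present, then digitalSignature absent. Prints the decision
# and returns 0 (accept) or 1 (reject). Signature-chain validation is
# deliberately out of scope; the kernel still does that separately.
secondary_keyring_would_accept() {
    ext="$(openssl x509 -in "$1" -noout -ext basicConstraints,keyUsage 2>/dev/null)"
    if ! printf '%s\n' "$ext" | grep -q 'CA:TRUE'; then
        echo "reject: not a CA certificate (basicConstraints CA:TRUE missing)"
        return 1
    fi
    if ! printf '%s\n' "$ext" | grep -q 'Certificate Sign'; then
        echo "reject: keyUsage lacks keyCertSign"
        return 1
    fi
    if printf '%s\n' "$ext" | grep -q 'Digital Signature'; then
        echo "reject: keyUsage includes digitalSignature"
        return 1
    fi
    echo "accept: CA certificate with keyCertSign and without digitalSignature"
    return 0
}

# Show the decision for each constructed sample.
for name in ca ca_digsig leaf; do
    printf '%s: ' "$name"
    secondary_keyring_would_accept "$WORK/$name.pem" || true
done
```

Run as a pre-flight check on the certificate you intend to load; a "reject" here is the same verdict the kernel would give with the option enabled, before any signature verification. The script only inspects extension bits, so a certificate it accepts can still be refused by the unchanged restrict_link_by_signature() call if it is not signed by a key already in the builtin or secondary keyring.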