Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.4:Update
s390-tools.19914
s390-tools-sles15sp2-19-zkey-Allow-to-filter-li...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File s390-tools-sles15sp2-19-zkey-Allow-to-filter-list-output-by-key-type.patch of Package s390-tools.19914
Subject: zkey: Allow to filter list output by key type From: Ingo Franzki <ifranzki@linux.ibm.com> Summary: zkey: Add support for CCA AES CIPHER keys Description: With CCA 5 there is a new secure key type, the so called variable length symmetric cipher key token. This token format can hold AES keys with size 128, 192 and 256 bits together with additional attributes cryptographic bound to the key token. The attributes may limit the usage of the key, for example restrict export or usability scope. So this key type is considered to be even more secure than the traditional secure key token. This key token type is also called "CCA AES CIPHER key", where the formerly used key token is called "CCA AES DATA key". The zkey as well as the zkey-cryptsetup tools are enhanced to support AES CIPHER keys. That is, zkey can manage AES DATA keys, as well as AES CIPHER keys. The key type must be specified at key generation time, the default is to generate AED DATA keys. Upstream-ID: 91c35543ca7fd25691487c61ec2e308f2903a6b8 Problem-ID: SEC1717 Upstream-Description: zkey: Allow to filter list output by key type The zkey list command now accepts option --key-type|-K type to filter the displayed keys by key type. If not specified, then all key types are displayed. Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com> Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> --- zkey/keystore.c | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++------ zkey/keystore.h | 2 - zkey/zkey.1 | 9 ++++- zkey/zkey.c | 15 +++++++- 4 files changed, 112 insertions(+), 13 deletions(-) --- a/zkey/keystore.c +++ b/zkey/keystore.c @@ -315,6 +315,39 @@ static char *_keystore_get_volume_type(s } /** + * Returns the key type contained in the properties. If no key type + * property is contained, then 'CCA-AESDATA' is assumed (for backward + * compatibility). + * + * @returns a string containing the key type. Must be freed by the caller. + */ +static char *_keystore_get_key_type(struct properties *properties) +{ + char *type; + + type = properties_get(properties, PROP_NAME_KEY_TYPE); + if (type == NULL) + type = util_strdup(KEY_TYPE_CCA_AESDATA); + + return type; +} + +/** + * Checks if the key type is supported. + * + * @param[in] key_type the key type + * + * @returns 1 if the key type is valid, 0 otherwise + */ +static int _keystore_valid_key_type(const char *key_type) +{ + if (strcasecmp(key_type, KEY_TYPE_CCA_AESDATA) == 0) + return 1; + + return 0; +} + +/** * Prints a message followed by a list of associated volumes, if volumes are * associated and the volume-type matches (if specified) * @@ -817,6 +850,33 @@ static int _keystore_match_volume_type_p return rc; } +/** + * Checks if the key type property matches the specified key type. + * If the properties do not contain a key type property, then the default + * key type is assumed. + * + * @param[in] properties a properties object + * @param[in] key_type the key type to match. Can be NULL. In this case + * it always matches. + * + * @returns 1 for a match, 0 for not matched + */ +static int _keystore_match_key_type_property(struct properties *properties, + const char *key_type) +{ + char *type; + int rc = 0; + + if (key_type == NULL) + return 1; + + type = _keystore_get_key_type(properties); + if (strcasecmp(type, key_type) == 0) + rc = 1; + + free(type); + return rc; +} /** * Checks if a key name matches a name filter @@ -882,6 +942,7 @@ typedef int (*process_key_t)(struct keys * mutliple APQN filters separated by commas. * NULL means no APQN filter. * @param[in] volume_type If not NULL, specifies the volume type. + * @param[in] key_type The key type. NULL means no key type filter. * @param[in] process_func the callback function called for a matching key * @param[in/out] process_private private data passed to the process_func * @@ -894,6 +955,7 @@ static int _keystore_process_filtered(st const char *volume_filter, const char *apqn_filter, const char *volume_type, + const char *key_type, process_key_t process_func, void *process_private) { @@ -985,6 +1047,15 @@ static int _keystore_process_filtered(st goto free_prop; } + rc = _keystore_match_key_type_property(key_props, + key_type); + if (rc == 0) { + pr_verbose(keystore, + "Key '%s' filtered out due to key type", + name); + goto free_prop; + } + rc = process_func(keystore, name, key_props, &file_names, process_private); if (rc != 0) { @@ -1193,7 +1264,7 @@ static int _keystore_volume_check(const info->set = set; rc = _keystore_process_filtered(info->keystore, NULL, info->volume, - NULL, NULL, + NULL, NULL, NULL, _keystore_volume_check_process, info); out: free((void *)info->volume); @@ -1454,7 +1525,8 @@ static int _keystore_set_default_propert { int rc; - rc = properties_set(key_props, PROP_NAME_KEY_TYPE, "CCA-AESDATA"); + rc = properties_set(key_props, PROP_NAME_KEY_TYPE, + KEY_TYPE_CCA_AESDATA); if (rc != 0) return rc; @@ -2498,7 +2570,7 @@ int keystore_validate_key(struct keystor info.num_warnings = 0; rc = _keystore_process_filtered(keystore, name_filter, NULL, - apqn_filter, NULL, + apqn_filter, NULL, NULL, _keystore_process_validate, &info); util_rec_free(rec); @@ -2877,7 +2949,7 @@ int keystore_reencipher_key(struct keyst info.num_skipped = 0; rc = _keystore_process_filtered(keystore, name_filter, NULL, - apqn_filter, NULL, + apqn_filter, NULL, NULL, _keystore_process_reencipher, &info); if (rc != 0) { @@ -3258,12 +3330,13 @@ out: * mutliple APQN filters separated by commas. * NULL means no APQN filter. * @param[in] volume_type The volume type. NULL means no volume type filter. + * @param[in] key_type The key type. NULL means no key type filter. * * @returns 0 for success or a negative errno in case of an error */ int keystore_list_keys(struct keystore *keystore, const char *name_filter, const char *volume_filter, const char *apqn_filter, - const char *volume_type) + const char *volume_type, const char *key_type) { struct util_rec *rec; int rc; @@ -3276,10 +3349,16 @@ int keystore_list_keys(struct keystore * return -EINVAL; } + if (key_type != NULL && + !_keystore_valid_key_type(key_type)) { + warnx("Invalid key-type specified"); + return -EINVAL; + } + rec = _keystore_setup_record(0); rc = _keystore_process_filtered(keystore, name_filter, volume_filter, - apqn_filter, volume_type, + apqn_filter, volume_type, key_type, _keystore_display_key, rec); util_rec_free(rec); @@ -3773,8 +3852,8 @@ int keystore_cryptsetup(struct keystore info.process_func = _keystore_process_cryptsetup; rc = _keystore_process_filtered(keystore, NULL, volume_filter, NULL, - volume_type, _keystore_process_crypt, - &info); + volume_type, NULL, + _keystore_process_crypt, &info); str_list_free_string_array(info.volume_filter); @@ -3834,8 +3913,8 @@ int keystore_crypttab(struct keystore *k info.process_func = _keystore_process_crypttab; rc = _keystore_process_filtered(keystore, NULL, volume_filter, NULL, - volume_type, _keystore_process_crypt, - &info); + volume_type, NULL, + _keystore_process_crypt, &info); str_list_free_string_array(info.volume_filter); --- a/zkey/keystore.h +++ b/zkey/keystore.h @@ -68,7 +68,7 @@ int keystore_remove_key(struct keystore int keystore_list_keys(struct keystore *keystore, const char *name_filter, const char *volume_filter, const char *apqn_filter, - const char *volume_type); + const char *volume_type, const char *key_type); int keystore_cryptsetup(struct keystore *keystore, const char *volume_filter, bool execute, const char *volume_type, --- a/zkey/zkey.1 +++ b/zkey/zkey.1 @@ -368,6 +368,8 @@ The exported secure key also remains in .IR card1.domain1[,card2.domain2[,...]] ] .RB [ \-\-volume-type | \-t .IR type ] +.RB [ \-\-key-type | \-K +.IR type ] .RB [ \-\-verbose | \-V ] . .PP @@ -382,7 +384,7 @@ listed that are associated with the spec .PP The .B list -command displays the attributes of the secure keys, such as key sizes, +command displays the attributes of the secure keys, such as key sizes, key type, whether it is a secure key that can be used for the XTS cipher mode, the textual description, associated cryptographic adapters (APQNs) and volumes, the sector size, the key verification pattern, and timestamps for key creation, last @@ -907,6 +909,11 @@ This option is only available if .B zkey has been compiled with LUKS2 support enabled. This option is only used for secure keys contained in the secure key repository. +.TP +.BR \-K ", " \-\-key-type\~\fItype\fP +Specifies the key type of the secure key. Possible values are \fBCCA-AESDATA\fP. +Only keys with the specified key type are listed. +This option is only used for secure keys contained in the secure key repository. . . . --- a/zkey/zkey.c +++ b/zkey/zkey.c @@ -73,6 +73,7 @@ static struct zkey_globals { long int sector_size; char *volume_type; char *newname; + char *key_type; bool run; bool batch_mode; char *keyfile; @@ -432,6 +433,15 @@ static struct util_opt opt_vec[] = { .command = COMMAND_LIST, }, #endif + { + .option = { "key-type", required_argument, NULL, 'K'}, + .argument = "type", + .desc = "The type of the key. Possible values are '" + KEY_TYPE_CCA_AESDATA"'. " + "Use this option to list all keys with the specified " + "key type.", + .command = COMMAND_LIST, + }, /***********************************************************/ { .flags = UTIL_OPT_FLAG_SECTION, @@ -1532,7 +1542,7 @@ static int command_list(void) int rc; rc = keystore_list_keys(g.keystore, g.name, g.volumes, g.apqns, - g.volume_type); + g.volume_type, g.key_type); return rc != 0 ? EXIT_FAILURE : EXIT_SUCCESS; } @@ -1853,6 +1863,9 @@ int main(int argc, char *argv[]) case 'r': g.run = 1; break; + case 'K': + g.key_type = optarg; + break; case 'F': g.force = 1; break;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor