[PATCH v6 03/13] KEYS: CA link restriction
Nayna
nayna at linux.vnet.ibm.com
Thu Sep 16 20:05:01 UTC 2021
On 9/14/21 5:14 PM, Eric Snowberg wrote:
> Add a new link restriction. Restrict the addition of keys in a keyring
> based on the key to be added being a CA (self-signed).
A self-signed cert can be a root CA cert or a code-signing cert. The way
to differentiate a CA cert is by checking BasicConstraints CA:TRUE and
keyUsage:keyCertSign. Refer to Section Basic Constraints and Key Usage
in the document - https://datatracker.ietf.org/doc/html/rfc5280.
Thanks & Regards,
- Nayna
More information about the Linux-security-module-archive
mailing list