xref: /linux/Documentation/crypto/asymmetric-keys.rst

338   1) Restrict using the kernel builtin trusted keyring
343      The kernel builtin trusted keyring will be searched for the signing key.
344      If the builtin trusted keyring is not configured, all links will be
354      signing key.  If the secondary trusted keyring is not configured, this
359   3) Restrict using a separate key or keyring
362        - "key_or_keyring:<key or keyring serial number>[:chain]"
368      serial number for a keyring.
371      within the destination keyring will also be searched for signing keys.
373      certificate in order (starting closest to the root) to a keyring.  For
374      instance, one keyring can be populated with links to a set of root
375      certificates, with a separate, restricted keyring set up for each
378 	# Create and populate a keyring for root certificates
379 	root_id=`keyctl add keyring root-certs "" @s`
383 	# Create and restrict a keyring for the certificate chain
384 	chain_id=`keyctl add keyring chain "" @s`
394      keyring, we can be certain that it has a valid signing chain going back to
397      A single keyring can be used to verify a chain of signatures by
398      restricting the keyring after linking the root certificate::
400 	# Create a keyring for the certificate chain and add the root
401 	chain2_id=`keyctl add keyring chain2 "" @s`
404 	# Restrict the keyring that already has root1.cert linked.  The cert
405 	# will remain linked by the keyring.
415      keyring, we can be certain that there is a valid signing chain going back
416      to the root certificate that was added before the keyring was restricted.
421 to the keyring only if the signature is successfully verified.  -ENOKEY is

Last Index update Sat Jun 03 09:59:21 CST 2023