[PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier [ver #3]
Extract both parts of the AuthorityKeyIdentifier, not just the keyIdentifier, as the second part can be used to match X.509 certificates by issuer and serialNumber. Signed-off-by: David Howells Tested-by: Vivek Goyal --- crypto/asymmetric_keys/Makefile |8 +- crypto/asymmetric_keys/pkcs7_trust.c |4 - crypto/asymmetric_keys/pkcs7_verify.c | 12 +- crypto/asymmetric_keys/x509_akid.asn1 | 35 +++ crypto/asymmetric_keys/x509_cert_parser.c | 142 ++--- crypto/asymmetric_keys/x509_parser.h |5 + crypto/asymmetric_keys/x509_public_key.c |8 +- 7 files changed, 145 insertions(+), 69 deletions(-) create mode 100644 crypto/asymmetric_keys/x509_akid.asn1 diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile index e47fcd9ac5e8..cd1406f9b14a 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile @@ -15,15 +15,21 @@ obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o obj-$(CONFIG_X509_CERTIFICATE_PARSER) += x509_key_parser.o x509_key_parser-y := \ x509-asn1.o \ + x509_akid-asn1.o \ x509_rsakey-asn1.o \ x509_cert_parser.o \ x509_public_key.o -$(obj)/x509_cert_parser.o: $(obj)/x509-asn1.h $(obj)/x509_rsakey-asn1.h +$(obj)/x509_cert_parser.o: \ + $(obj)/x509-asn1.h \ + $(obj)/x509_akid-asn1.h \ + $(obj)/x509_rsakey-asn1.h $(obj)/x509-asn1.o: $(obj)/x509-asn1.c $(obj)/x509-asn1.h +$(obj)/x509_akid-asn1.o: $(obj)/x509_akid-asn1.c $(obj)/x509_akid-asn1.h $(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h clean-files+= x509-asn1.c x509-asn1.h +clean-files+= x509_akid-asn1.c x509_akid-asn1.h clean-files+= x509_rsakey-asn1.c x509_rsakey-asn1.h # diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index 1d29376072da..0f6463b6692b 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -85,8 +85,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, /* No match - see if the root certificate has a signer amongst the * trusted keys. */ - if (last && last->authority) { - key = x509_request_asymmetric_key(trust_keyring, last->authority, + if (last && last->akid_skid) { + key = x509_request_asymmetric_key(trust_keyring, last->akid_skid, false); if (!IS_ERR(key)) { x509 = last; diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index cd455450b069..a4d083f7e9e1 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -187,11 +187,11 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, goto maybe_missing_crypto_in_x509; pr_debug("- issuer %s\n", x509->issuer); - if (x509->authority) + if (x509->akid_skid) pr_debug("- authkeyid %*phN\n", -x509->authority->len, x509->authority->data); +x509->akid_skid->len, x509->akid_skid->data); - if (!x509->authority || + if (!x509->akid_skid || strcmp(x509->subject, x509->issuer) == 0) { /* If there's no authority certificate specified, then * the certificate must be self-signed and is the root @@ -216,13 +216,13 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, * list to see if the next one is there. */ pr_debug("- want %*phN\n", -x509->authority->len, x509->authority->data); +x509->akid_skid->len, x509->akid_skid->data); for (p = pkcs7->certs; p; p = p->next) { if (!p->skid) continue; pr_debug("- cmp [%u] %*phN\n", p->index, p->skid->len, p->skid->data); - if (asymmetric_key_id_same(p->skid, x509->authority)) + if (asymmetric_key_id_same(p->skid, x509->akid_skid)) goto found_issuer; } @@ -338,8 +338,6 @@ int pkcs7_verify(struct pkcs7_message *pkcs7) ret = x509_get_sig_params(x509); if (ret < 0) return ret; - pr_debug("X.509[%u] %*phN\n", -n, x509->authority->len, x509->authority->data); } for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { diff --git a/crypto/asymmetric_keys/x509_akid.asn1 b/crypto/asymmetric_keys/x509_akid.asn1 new file mode 100644 index ..1a33231a75a8 --- /dev/null +++
[PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier [ver #3]
Extract both parts of the AuthorityKeyIdentifier, not just the keyIdentifier, as the second part can be used to match X.509 certificates by issuer and serialNumber. Signed-off-by: David Howells dhowe...@redhat.com Tested-by: Vivek Goyal vgo...@redhat.com --- crypto/asymmetric_keys/Makefile |8 +- crypto/asymmetric_keys/pkcs7_trust.c |4 - crypto/asymmetric_keys/pkcs7_verify.c | 12 +- crypto/asymmetric_keys/x509_akid.asn1 | 35 +++ crypto/asymmetric_keys/x509_cert_parser.c | 142 ++--- crypto/asymmetric_keys/x509_parser.h |5 + crypto/asymmetric_keys/x509_public_key.c |8 +- 7 files changed, 145 insertions(+), 69 deletions(-) create mode 100644 crypto/asymmetric_keys/x509_akid.asn1 diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile index e47fcd9ac5e8..cd1406f9b14a 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile @@ -15,15 +15,21 @@ obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o obj-$(CONFIG_X509_CERTIFICATE_PARSER) += x509_key_parser.o x509_key_parser-y := \ x509-asn1.o \ + x509_akid-asn1.o \ x509_rsakey-asn1.o \ x509_cert_parser.o \ x509_public_key.o -$(obj)/x509_cert_parser.o: $(obj)/x509-asn1.h $(obj)/x509_rsakey-asn1.h +$(obj)/x509_cert_parser.o: \ + $(obj)/x509-asn1.h \ + $(obj)/x509_akid-asn1.h \ + $(obj)/x509_rsakey-asn1.h $(obj)/x509-asn1.o: $(obj)/x509-asn1.c $(obj)/x509-asn1.h +$(obj)/x509_akid-asn1.o: $(obj)/x509_akid-asn1.c $(obj)/x509_akid-asn1.h $(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h clean-files+= x509-asn1.c x509-asn1.h +clean-files+= x509_akid-asn1.c x509_akid-asn1.h clean-files+= x509_rsakey-asn1.c x509_rsakey-asn1.h # diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index 1d29376072da..0f6463b6692b 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -85,8 +85,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, /* No match - see if the root certificate has a signer amongst the * trusted keys. */ - if (last last-authority) { - key = x509_request_asymmetric_key(trust_keyring, last-authority, + if (last last-akid_skid) { + key = x509_request_asymmetric_key(trust_keyring, last-akid_skid, false); if (!IS_ERR(key)) { x509 = last; diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index cd455450b069..a4d083f7e9e1 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -187,11 +187,11 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, goto maybe_missing_crypto_in_x509; pr_debug(- issuer %s\n, x509-issuer); - if (x509-authority) + if (x509-akid_skid) pr_debug(- authkeyid %*phN\n, -x509-authority-len, x509-authority-data); +x509-akid_skid-len, x509-akid_skid-data); - if (!x509-authority || + if (!x509-akid_skid || strcmp(x509-subject, x509-issuer) == 0) { /* If there's no authority certificate specified, then * the certificate must be self-signed and is the root @@ -216,13 +216,13 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, * list to see if the next one is there. */ pr_debug(- want %*phN\n, -x509-authority-len, x509-authority-data); +x509-akid_skid-len, x509-akid_skid-data); for (p = pkcs7-certs; p; p = p-next) { if (!p-skid) continue; pr_debug(- cmp [%u] %*phN\n, p-index, p-skid-len, p-skid-data); - if (asymmetric_key_id_same(p-skid, x509-authority)) + if (asymmetric_key_id_same(p-skid, x509-akid_skid)) goto found_issuer; } @@ -338,8 +338,6 @@ int pkcs7_verify(struct pkcs7_message *pkcs7) ret = x509_get_sig_params(x509); if (ret 0) return ret; - pr_debug(X.509[%u] %*phN\n, -n, x509-authority-len, x509-authority-data); } for (sinfo = pkcs7-signed_infos; sinfo; sinfo = sinfo-next) { diff --git a/crypto/asymmetric_keys/x509_akid.asn1 b/crypto/asymmetric_keys/x509_akid.asn1 new file mode 100644 index ..1a33231a75a8 --- /dev/null +++ b/crypto/asymmetric_keys/x509_akid.asn1 @@
Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier
Dmitry Kasatkin wrote: > >> - struct asymmetric_key_id *authority;/* Authority key identifier > >> (optional) */ > >> + struct asymmetric_key_id *auth_id; /* CA AuthKeyId matching ->id > >> (optional) */ > >> + struct asymmetric_key_id *auth_skid;/* CA AuthKeyId matching ->skid > >> (optional) */ > > A very minor nit. It might help if we put additional comment to explain what > > auth_id and auth_skid are composed of (like other key ids). > > > > auth_id /* akid issuer + akid serial */ > > auth_skid /* issuer + akid keyid */ > > > > Thanks > > Vivek > > > > Right, > > David did not address this in his v2 patchset... I decided against changing them on the basis that I'd prefer to show what they match over the way they are fabricated. The id and skid members do show how they are fabricated. If you really want, I can show both - but my thought is that if you look at how AuthorityKeyIdentifier is constructed, you can work it out reasonably easily. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier [ver #2]
Dmitry Kasatkin wrote: > > + struct asymmetric_key_id *auth_id; /* CA AuthKeyId matching ->id > > (optional) */ > > + struct asymmetric_key_id *auth_skid;/* CA AuthKeyId matching ->skid > > (optional) */ > > Hi David, > > Why do you call it "auth_skid", not just akid in similar way as 'skid'? > Why it is "auth & skid"? Because both auth_skid and auth_id derive from the akid. David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier
On 21/11/14 16:42, Vivek Goyal wrote: > On Thu, Nov 20, 2014 at 04:54:03PM +, David Howells wrote: > > [..] >> diff --git a/crypto/asymmetric_keys/x509_parser.h >> b/crypto/asymmetric_keys/x509_parser.h >> index 3dfe6b5d6f0b..223b72344060 100644 >> --- a/crypto/asymmetric_keys/x509_parser.h >> +++ b/crypto/asymmetric_keys/x509_parser.h >> @@ -21,7 +21,8 @@ struct x509_certificate { >> char*subject; /* Name of certificate subject >> */ >> struct asymmetric_key_id *id; /* Serial number + issuer */ >> struct asymmetric_key_id *skid; /* Subject + subjectKeyId >> (optional) */ >> -struct asymmetric_key_id *authority;/* Authority key identifier >> (optional) */ >> +struct asymmetric_key_id *auth_id; /* CA AuthKeyId matching ->id >> (optional) */ >> +struct asymmetric_key_id *auth_skid;/* CA AuthKeyId matching ->skid >> (optional) */ > A very minor nit. It might help if we put additional comment to explain what > auth_id and auth_skid are composed of (like other key ids). > > auth_id /* akid issuer + akid serial */ > auth_skid /* issuer + akid keyid */ > > Thanks > Vivek > Right, David did not address this in his v2 patchset... - Dmitry -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier [ver #2]
On 26/11/14 16:17, David Howells wrote: > Extract both parts of the AuthorityKeyIdentifier, not just the keyIdentifier, > as the second part can be used to match X.509 certificates by issuer and > serialNumber. > > Signed-off-by: David Howells > --- > > crypto/asymmetric_keys/Makefile |8 +- > crypto/asymmetric_keys/pkcs7_trust.c |4 - > crypto/asymmetric_keys/pkcs7_verify.c | 12 +- > crypto/asymmetric_keys/x509_akid.asn1 | 35 +++ > crypto/asymmetric_keys/x509_cert_parser.c | 142 > ++--- > crypto/asymmetric_keys/x509_parser.h |5 + > crypto/asymmetric_keys/x509_public_key.c |8 +- > 7 files changed, 145 insertions(+), 69 deletions(-) > create mode 100644 crypto/asymmetric_keys/x509_akid.asn1 > > diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile > index e47fcd9ac5e8..cd1406f9b14a 100644 > --- a/crypto/asymmetric_keys/Makefile > +++ b/crypto/asymmetric_keys/Makefile > @@ -15,15 +15,21 @@ obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o > obj-$(CONFIG_X509_CERTIFICATE_PARSER) += x509_key_parser.o > x509_key_parser-y := \ > x509-asn1.o \ > + x509_akid-asn1.o \ > x509_rsakey-asn1.o \ > x509_cert_parser.o \ > x509_public_key.o > > -$(obj)/x509_cert_parser.o: $(obj)/x509-asn1.h $(obj)/x509_rsakey-asn1.h > +$(obj)/x509_cert_parser.o: \ > + $(obj)/x509-asn1.h \ > + $(obj)/x509_akid-asn1.h \ > + $(obj)/x509_rsakey-asn1.h > $(obj)/x509-asn1.o: $(obj)/x509-asn1.c $(obj)/x509-asn1.h > +$(obj)/x509_akid-asn1.o: $(obj)/x509_akid-asn1.c $(obj)/x509_akid-asn1.h > $(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c > $(obj)/x509_rsakey-asn1.h > > clean-files += x509-asn1.c x509-asn1.h > +clean-files += x509_akid-asn1.c x509_akid-asn1.h > clean-files += x509_rsakey-asn1.c x509_rsakey-asn1.h > > # > diff --git a/crypto/asymmetric_keys/pkcs7_trust.c > b/crypto/asymmetric_keys/pkcs7_trust.c > index 1d29376072da..f802cf118053 100644 > --- a/crypto/asymmetric_keys/pkcs7_trust.c > +++ b/crypto/asymmetric_keys/pkcs7_trust.c > @@ -85,8 +85,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message > *pkcs7, > /* No match - see if the root certificate has a signer amongst the >* trusted keys. >*/ > - if (last && last->authority) { > - key = x509_request_asymmetric_key(trust_keyring, > last->authority, > + if (last && last->auth_skid) { > + key = x509_request_asymmetric_key(trust_keyring, > last->auth_skid, > false); > if (!IS_ERR(key)) { > x509 = last; > diff --git a/crypto/asymmetric_keys/pkcs7_verify.c > b/crypto/asymmetric_keys/pkcs7_verify.c > index cd455450b069..5e956c5b9071 100644 > --- a/crypto/asymmetric_keys/pkcs7_verify.c > +++ b/crypto/asymmetric_keys/pkcs7_verify.c > @@ -187,11 +187,11 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message > *pkcs7, > goto maybe_missing_crypto_in_x509; > > pr_debug("- issuer %s\n", x509->issuer); > - if (x509->authority) > + if (x509->auth_skid) > pr_debug("- authkeyid %*phN\n", > - x509->authority->len, x509->authority->data); > + x509->auth_skid->len, x509->auth_skid->data); > > - if (!x509->authority || > + if (!x509->auth_skid || > strcmp(x509->subject, x509->issuer) == 0) { > /* If there's no authority certificate specified, then >* the certificate must be self-signed and is the root > @@ -216,13 +216,13 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message > *pkcs7, >* list to see if the next one is there. >*/ > pr_debug("- want %*phN\n", > - x509->authority->len, x509->authority->data); > + x509->auth_skid->len, x509->auth_skid->data); > for (p = pkcs7->certs; p; p = p->next) { > if (!p->skid) > continue; > pr_debug("- cmp [%u] %*phN\n", >p->index, p->skid->len, p->skid->data); > - if (asymmetric_key_id_same(p->skid, x509->authority)) > + if (asymmetric_key_id_same(p->skid, x509->auth_skid)) > goto found_issuer; > } > > @@ -338,8 +338,6 @@ int pkcs7_verify(struct pkcs7_message *pkcs7) > ret = x509_get_sig_params(x509); > if (ret < 0) > return ret; > - pr_debug("X.509[%u] %*phN\n", > - n, x509->authority->len, x509->authority->data); > } > > for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { > diff --git a/crypto/asymmetric_keys/x509_akid.asn1
Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier [ver #2]
On 26/11/14 16:17, David Howells wrote: Extract both parts of the AuthorityKeyIdentifier, not just the keyIdentifier, as the second part can be used to match X.509 certificates by issuer and serialNumber. Signed-off-by: David Howells dhowe...@redhat.com --- crypto/asymmetric_keys/Makefile |8 +- crypto/asymmetric_keys/pkcs7_trust.c |4 - crypto/asymmetric_keys/pkcs7_verify.c | 12 +- crypto/asymmetric_keys/x509_akid.asn1 | 35 +++ crypto/asymmetric_keys/x509_cert_parser.c | 142 ++--- crypto/asymmetric_keys/x509_parser.h |5 + crypto/asymmetric_keys/x509_public_key.c |8 +- 7 files changed, 145 insertions(+), 69 deletions(-) create mode 100644 crypto/asymmetric_keys/x509_akid.asn1 diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile index e47fcd9ac5e8..cd1406f9b14a 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile @@ -15,15 +15,21 @@ obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o obj-$(CONFIG_X509_CERTIFICATE_PARSER) += x509_key_parser.o x509_key_parser-y := \ x509-asn1.o \ + x509_akid-asn1.o \ x509_rsakey-asn1.o \ x509_cert_parser.o \ x509_public_key.o -$(obj)/x509_cert_parser.o: $(obj)/x509-asn1.h $(obj)/x509_rsakey-asn1.h +$(obj)/x509_cert_parser.o: \ + $(obj)/x509-asn1.h \ + $(obj)/x509_akid-asn1.h \ + $(obj)/x509_rsakey-asn1.h $(obj)/x509-asn1.o: $(obj)/x509-asn1.c $(obj)/x509-asn1.h +$(obj)/x509_akid-asn1.o: $(obj)/x509_akid-asn1.c $(obj)/x509_akid-asn1.h $(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h clean-files += x509-asn1.c x509-asn1.h +clean-files += x509_akid-asn1.c x509_akid-asn1.h clean-files += x509_rsakey-asn1.c x509_rsakey-asn1.h # diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index 1d29376072da..f802cf118053 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -85,8 +85,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, /* No match - see if the root certificate has a signer amongst the * trusted keys. */ - if (last last-authority) { - key = x509_request_asymmetric_key(trust_keyring, last-authority, + if (last last-auth_skid) { + key = x509_request_asymmetric_key(trust_keyring, last-auth_skid, false); if (!IS_ERR(key)) { x509 = last; diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index cd455450b069..5e956c5b9071 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -187,11 +187,11 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, goto maybe_missing_crypto_in_x509; pr_debug(- issuer %s\n, x509-issuer); - if (x509-authority) + if (x509-auth_skid) pr_debug(- authkeyid %*phN\n, - x509-authority-len, x509-authority-data); + x509-auth_skid-len, x509-auth_skid-data); - if (!x509-authority || + if (!x509-auth_skid || strcmp(x509-subject, x509-issuer) == 0) { /* If there's no authority certificate specified, then * the certificate must be self-signed and is the root @@ -216,13 +216,13 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, * list to see if the next one is there. */ pr_debug(- want %*phN\n, - x509-authority-len, x509-authority-data); + x509-auth_skid-len, x509-auth_skid-data); for (p = pkcs7-certs; p; p = p-next) { if (!p-skid) continue; pr_debug(- cmp [%u] %*phN\n, p-index, p-skid-len, p-skid-data); - if (asymmetric_key_id_same(p-skid, x509-authority)) + if (asymmetric_key_id_same(p-skid, x509-auth_skid)) goto found_issuer; } @@ -338,8 +338,6 @@ int pkcs7_verify(struct pkcs7_message *pkcs7) ret = x509_get_sig_params(x509); if (ret 0) return ret; - pr_debug(X.509[%u] %*phN\n, - n, x509-authority-len, x509-authority-data); } for (sinfo = pkcs7-signed_infos; sinfo; sinfo = sinfo-next) { diff --git a/crypto/asymmetric_keys/x509_akid.asn1 b/crypto/asymmetric_keys/x509_akid.asn1 new file mode 100644 index ..1a33231a75a8 --- /dev/null +++
Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier
On 21/11/14 16:42, Vivek Goyal wrote: On Thu, Nov 20, 2014 at 04:54:03PM +, David Howells wrote: [..] diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h index 3dfe6b5d6f0b..223b72344060 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++ b/crypto/asymmetric_keys/x509_parser.h @@ -21,7 +21,8 @@ struct x509_certificate { char*subject; /* Name of certificate subject */ struct asymmetric_key_id *id; /* Serial number + issuer */ struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */ -struct asymmetric_key_id *authority;/* Authority key identifier (optional) */ +struct asymmetric_key_id *auth_id; /* CA AuthKeyId matching -id (optional) */ +struct asymmetric_key_id *auth_skid;/* CA AuthKeyId matching -skid (optional) */ A very minor nit. It might help if we put additional comment to explain what auth_id and auth_skid are composed of (like other key ids). auth_id /* akid issuer + akid serial */ auth_skid /* issuer + akid keyid */ Thanks Vivek Right, David did not address this in his v2 patchset... - Dmitry -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier [ver #2]
Dmitry Kasatkin d.kasat...@samsung.com wrote: + struct asymmetric_key_id *auth_id; /* CA AuthKeyId matching -id (optional) */ + struct asymmetric_key_id *auth_skid;/* CA AuthKeyId matching -skid (optional) */ Hi David, Why do you call it auth_skid, not just akid in similar way as 'skid'? Why it is auth skid? Because both auth_skid and auth_id derive from the akid. David -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier
Dmitry Kasatkin d.kasat...@samsung.com wrote: - struct asymmetric_key_id *authority;/* Authority key identifier (optional) */ + struct asymmetric_key_id *auth_id; /* CA AuthKeyId matching -id (optional) */ + struct asymmetric_key_id *auth_skid;/* CA AuthKeyId matching -skid (optional) */ A very minor nit. It might help if we put additional comment to explain what auth_id and auth_skid are composed of (like other key ids). auth_id /* akid issuer + akid serial */ auth_skid /* issuer + akid keyid */ Thanks Vivek Right, David did not address this in his v2 patchset... I decided against changing them on the basis that I'd prefer to show what they match over the way they are fabricated. The id and skid members do show how they are fabricated. If you really want, I can show both - but my thought is that if you look at how AuthorityKeyIdentifier is constructed, you can work it out reasonably easily. David -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier [ver #2]
Extract both parts of the AuthorityKeyIdentifier, not just the keyIdentifier, as the second part can be used to match X.509 certificates by issuer and serialNumber. Signed-off-by: David Howells --- crypto/asymmetric_keys/Makefile |8 +- crypto/asymmetric_keys/pkcs7_trust.c |4 - crypto/asymmetric_keys/pkcs7_verify.c | 12 +- crypto/asymmetric_keys/x509_akid.asn1 | 35 +++ crypto/asymmetric_keys/x509_cert_parser.c | 142 ++--- crypto/asymmetric_keys/x509_parser.h |5 + crypto/asymmetric_keys/x509_public_key.c |8 +- 7 files changed, 145 insertions(+), 69 deletions(-) create mode 100644 crypto/asymmetric_keys/x509_akid.asn1 diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile index e47fcd9ac5e8..cd1406f9b14a 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile @@ -15,15 +15,21 @@ obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o obj-$(CONFIG_X509_CERTIFICATE_PARSER) += x509_key_parser.o x509_key_parser-y := \ x509-asn1.o \ + x509_akid-asn1.o \ x509_rsakey-asn1.o \ x509_cert_parser.o \ x509_public_key.o -$(obj)/x509_cert_parser.o: $(obj)/x509-asn1.h $(obj)/x509_rsakey-asn1.h +$(obj)/x509_cert_parser.o: \ + $(obj)/x509-asn1.h \ + $(obj)/x509_akid-asn1.h \ + $(obj)/x509_rsakey-asn1.h $(obj)/x509-asn1.o: $(obj)/x509-asn1.c $(obj)/x509-asn1.h +$(obj)/x509_akid-asn1.o: $(obj)/x509_akid-asn1.c $(obj)/x509_akid-asn1.h $(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h clean-files+= x509-asn1.c x509-asn1.h +clean-files+= x509_akid-asn1.c x509_akid-asn1.h clean-files+= x509_rsakey-asn1.c x509_rsakey-asn1.h # diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index 1d29376072da..f802cf118053 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -85,8 +85,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, /* No match - see if the root certificate has a signer amongst the * trusted keys. */ - if (last && last->authority) { - key = x509_request_asymmetric_key(trust_keyring, last->authority, + if (last && last->auth_skid) { + key = x509_request_asymmetric_key(trust_keyring, last->auth_skid, false); if (!IS_ERR(key)) { x509 = last; diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index cd455450b069..5e956c5b9071 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -187,11 +187,11 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, goto maybe_missing_crypto_in_x509; pr_debug("- issuer %s\n", x509->issuer); - if (x509->authority) + if (x509->auth_skid) pr_debug("- authkeyid %*phN\n", -x509->authority->len, x509->authority->data); +x509->auth_skid->len, x509->auth_skid->data); - if (!x509->authority || + if (!x509->auth_skid || strcmp(x509->subject, x509->issuer) == 0) { /* If there's no authority certificate specified, then * the certificate must be self-signed and is the root @@ -216,13 +216,13 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, * list to see if the next one is there. */ pr_debug("- want %*phN\n", -x509->authority->len, x509->authority->data); +x509->auth_skid->len, x509->auth_skid->data); for (p = pkcs7->certs; p; p = p->next) { if (!p->skid) continue; pr_debug("- cmp [%u] %*phN\n", p->index, p->skid->len, p->skid->data); - if (asymmetric_key_id_same(p->skid, x509->authority)) + if (asymmetric_key_id_same(p->skid, x509->auth_skid)) goto found_issuer; } @@ -338,8 +338,6 @@ int pkcs7_verify(struct pkcs7_message *pkcs7) ret = x509_get_sig_params(x509); if (ret < 0) return ret; - pr_debug("X.509[%u] %*phN\n", -n, x509->authority->len, x509->authority->data); } for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { diff --git a/crypto/asymmetric_keys/x509_akid.asn1 b/crypto/asymmetric_keys/x509_akid.asn1 new file mode 100644 index ..1a33231a75a8 --- /dev/null +++ b/crypto/asymmetric_keys/x509_akid.asn1 @@
[PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier [ver #2]
Extract both parts of the AuthorityKeyIdentifier, not just the keyIdentifier, as the second part can be used to match X.509 certificates by issuer and serialNumber. Signed-off-by: David Howells dhowe...@redhat.com --- crypto/asymmetric_keys/Makefile |8 +- crypto/asymmetric_keys/pkcs7_trust.c |4 - crypto/asymmetric_keys/pkcs7_verify.c | 12 +- crypto/asymmetric_keys/x509_akid.asn1 | 35 +++ crypto/asymmetric_keys/x509_cert_parser.c | 142 ++--- crypto/asymmetric_keys/x509_parser.h |5 + crypto/asymmetric_keys/x509_public_key.c |8 +- 7 files changed, 145 insertions(+), 69 deletions(-) create mode 100644 crypto/asymmetric_keys/x509_akid.asn1 diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile index e47fcd9ac5e8..cd1406f9b14a 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile @@ -15,15 +15,21 @@ obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o obj-$(CONFIG_X509_CERTIFICATE_PARSER) += x509_key_parser.o x509_key_parser-y := \ x509-asn1.o \ + x509_akid-asn1.o \ x509_rsakey-asn1.o \ x509_cert_parser.o \ x509_public_key.o -$(obj)/x509_cert_parser.o: $(obj)/x509-asn1.h $(obj)/x509_rsakey-asn1.h +$(obj)/x509_cert_parser.o: \ + $(obj)/x509-asn1.h \ + $(obj)/x509_akid-asn1.h \ + $(obj)/x509_rsakey-asn1.h $(obj)/x509-asn1.o: $(obj)/x509-asn1.c $(obj)/x509-asn1.h +$(obj)/x509_akid-asn1.o: $(obj)/x509_akid-asn1.c $(obj)/x509_akid-asn1.h $(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h clean-files+= x509-asn1.c x509-asn1.h +clean-files+= x509_akid-asn1.c x509_akid-asn1.h clean-files+= x509_rsakey-asn1.c x509_rsakey-asn1.h # diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index 1d29376072da..f802cf118053 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -85,8 +85,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, /* No match - see if the root certificate has a signer amongst the * trusted keys. */ - if (last last-authority) { - key = x509_request_asymmetric_key(trust_keyring, last-authority, + if (last last-auth_skid) { + key = x509_request_asymmetric_key(trust_keyring, last-auth_skid, false); if (!IS_ERR(key)) { x509 = last; diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index cd455450b069..5e956c5b9071 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -187,11 +187,11 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, goto maybe_missing_crypto_in_x509; pr_debug(- issuer %s\n, x509-issuer); - if (x509-authority) + if (x509-auth_skid) pr_debug(- authkeyid %*phN\n, -x509-authority-len, x509-authority-data); +x509-auth_skid-len, x509-auth_skid-data); - if (!x509-authority || + if (!x509-auth_skid || strcmp(x509-subject, x509-issuer) == 0) { /* If there's no authority certificate specified, then * the certificate must be self-signed and is the root @@ -216,13 +216,13 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, * list to see if the next one is there. */ pr_debug(- want %*phN\n, -x509-authority-len, x509-authority-data); +x509-auth_skid-len, x509-auth_skid-data); for (p = pkcs7-certs; p; p = p-next) { if (!p-skid) continue; pr_debug(- cmp [%u] %*phN\n, p-index, p-skid-len, p-skid-data); - if (asymmetric_key_id_same(p-skid, x509-authority)) + if (asymmetric_key_id_same(p-skid, x509-auth_skid)) goto found_issuer; } @@ -338,8 +338,6 @@ int pkcs7_verify(struct pkcs7_message *pkcs7) ret = x509_get_sig_params(x509); if (ret 0) return ret; - pr_debug(X.509[%u] %*phN\n, -n, x509-authority-len, x509-authority-data); } for (sinfo = pkcs7-signed_infos; sinfo; sinfo = sinfo-next) { diff --git a/crypto/asymmetric_keys/x509_akid.asn1 b/crypto/asymmetric_keys/x509_akid.asn1 new file mode 100644 index ..1a33231a75a8 --- /dev/null +++ b/crypto/asymmetric_keys/x509_akid.asn1 @@ -0,0 +1,35 @@ +-- X.509
Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier
Vivek Goyal wrote: > A very minor nit. It might help if we put additional comment to explain what > auth_id and auth_skid are composed of (like other key ids). I thought it better to show what they match - ie. auth_id matches id and auth_skid matches skid from the same structure. The id and skid members show their composition (and I should fix the comment on id so that the bits are the right way round). David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier
Vivek Goyal vgo...@redhat.com wrote: A very minor nit. It might help if we put additional comment to explain what auth_id and auth_skid are composed of (like other key ids). I thought it better to show what they match - ie. auth_id matches id and auth_skid matches skid from the same structure. The id and skid members show their composition (and I should fix the comment on id so that the bits are the right way round). David -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier
On Thu, Nov 20, 2014 at 04:54:03PM +, David Howells wrote: [..] > diff --git a/crypto/asymmetric_keys/x509_parser.h > b/crypto/asymmetric_keys/x509_parser.h > index 3dfe6b5d6f0b..223b72344060 100644 > --- a/crypto/asymmetric_keys/x509_parser.h > +++ b/crypto/asymmetric_keys/x509_parser.h > @@ -21,7 +21,8 @@ struct x509_certificate { > char*subject; /* Name of certificate subject > */ > struct asymmetric_key_id *id; /* Serial number + issuer */ > struct asymmetric_key_id *skid; /* Subject + subjectKeyId > (optional) */ > - struct asymmetric_key_id *authority;/* Authority key identifier > (optional) */ > + struct asymmetric_key_id *auth_id; /* CA AuthKeyId matching ->id > (optional) */ > + struct asymmetric_key_id *auth_skid;/* CA AuthKeyId matching ->skid > (optional) */ A very minor nit. It might help if we put additional comment to explain what auth_id and auth_skid are composed of (like other key ids). auth_id /* akid issuer + akid serial */ auth_skid /* issuer + akid keyid */ Thanks Vivek -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier
On Thu, Nov 20, 2014 at 04:54:03PM +, David Howells wrote: [..] diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h index 3dfe6b5d6f0b..223b72344060 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++ b/crypto/asymmetric_keys/x509_parser.h @@ -21,7 +21,8 @@ struct x509_certificate { char*subject; /* Name of certificate subject */ struct asymmetric_key_id *id; /* Serial number + issuer */ struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */ - struct asymmetric_key_id *authority;/* Authority key identifier (optional) */ + struct asymmetric_key_id *auth_id; /* CA AuthKeyId matching -id (optional) */ + struct asymmetric_key_id *auth_skid;/* CA AuthKeyId matching -skid (optional) */ A very minor nit. It might help if we put additional comment to explain what auth_id and auth_skid are composed of (like other key ids). auth_id /* akid issuer + akid serial */ auth_skid /* issuer + akid keyid */ Thanks Vivek -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier
Extract both parts of the AuthorityKeyIdentifier, not just the keyIdentifier, as the second part can be used to match X.509 certificates by issuer and serialNumber. Signed-off-by: David Howells --- crypto/asymmetric_keys/Makefile |8 +- crypto/asymmetric_keys/pkcs7_trust.c |4 - crypto/asymmetric_keys/pkcs7_verify.c | 12 +- crypto/asymmetric_keys/x509_akid.asn1 | 35 +++ crypto/asymmetric_keys/x509_cert_parser.c | 142 ++--- crypto/asymmetric_keys/x509_parser.h |3 - crypto/asymmetric_keys/x509_public_key.c |8 +- 7 files changed, 144 insertions(+), 68 deletions(-) create mode 100644 crypto/asymmetric_keys/x509_akid.asn1 diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile index e47fcd9ac5e8..cd1406f9b14a 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile @@ -15,15 +15,21 @@ obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o obj-$(CONFIG_X509_CERTIFICATE_PARSER) += x509_key_parser.o x509_key_parser-y := \ x509-asn1.o \ + x509_akid-asn1.o \ x509_rsakey-asn1.o \ x509_cert_parser.o \ x509_public_key.o -$(obj)/x509_cert_parser.o: $(obj)/x509-asn1.h $(obj)/x509_rsakey-asn1.h +$(obj)/x509_cert_parser.o: \ + $(obj)/x509-asn1.h \ + $(obj)/x509_akid-asn1.h \ + $(obj)/x509_rsakey-asn1.h $(obj)/x509-asn1.o: $(obj)/x509-asn1.c $(obj)/x509-asn1.h +$(obj)/x509_akid-asn1.o: $(obj)/x509_akid-asn1.c $(obj)/x509_akid-asn1.h $(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h clean-files+= x509-asn1.c x509-asn1.h +clean-files+= x509_akid-asn1.c x509_akid-asn1.h clean-files+= x509_rsakey-asn1.c x509_rsakey-asn1.h # diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index 1d29376072da..f802cf118053 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -85,8 +85,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, /* No match - see if the root certificate has a signer amongst the * trusted keys. */ - if (last && last->authority) { - key = x509_request_asymmetric_key(trust_keyring, last->authority, + if (last && last->auth_skid) { + key = x509_request_asymmetric_key(trust_keyring, last->auth_skid, false); if (!IS_ERR(key)) { x509 = last; diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index cd455450b069..5e956c5b9071 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -187,11 +187,11 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, goto maybe_missing_crypto_in_x509; pr_debug("- issuer %s\n", x509->issuer); - if (x509->authority) + if (x509->auth_skid) pr_debug("- authkeyid %*phN\n", -x509->authority->len, x509->authority->data); +x509->auth_skid->len, x509->auth_skid->data); - if (!x509->authority || + if (!x509->auth_skid || strcmp(x509->subject, x509->issuer) == 0) { /* If there's no authority certificate specified, then * the certificate must be self-signed and is the root @@ -216,13 +216,13 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, * list to see if the next one is there. */ pr_debug("- want %*phN\n", -x509->authority->len, x509->authority->data); +x509->auth_skid->len, x509->auth_skid->data); for (p = pkcs7->certs; p; p = p->next) { if (!p->skid) continue; pr_debug("- cmp [%u] %*phN\n", p->index, p->skid->len, p->skid->data); - if (asymmetric_key_id_same(p->skid, x509->authority)) + if (asymmetric_key_id_same(p->skid, x509->auth_skid)) goto found_issuer; } @@ -338,8 +338,6 @@ int pkcs7_verify(struct pkcs7_message *pkcs7) ret = x509_get_sig_params(x509); if (ret < 0) return ret; - pr_debug("X.509[%u] %*phN\n", -n, x509->authority->len, x509->authority->data); } for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { diff --git a/crypto/asymmetric_keys/x509_akid.asn1 b/crypto/asymmetric_keys/x509_akid.asn1 new file mode 100644 index ..1a33231a75a8 --- /dev/null +++ b/crypto/asymmetric_keys/x509_akid.asn1 @@
[PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier
Extract both parts of the AuthorityKeyIdentifier, not just the keyIdentifier, as the second part can be used to match X.509 certificates by issuer and serialNumber. Signed-off-by: David Howells dhowe...@redhat.com --- crypto/asymmetric_keys/Makefile |8 +- crypto/asymmetric_keys/pkcs7_trust.c |4 - crypto/asymmetric_keys/pkcs7_verify.c | 12 +- crypto/asymmetric_keys/x509_akid.asn1 | 35 +++ crypto/asymmetric_keys/x509_cert_parser.c | 142 ++--- crypto/asymmetric_keys/x509_parser.h |3 - crypto/asymmetric_keys/x509_public_key.c |8 +- 7 files changed, 144 insertions(+), 68 deletions(-) create mode 100644 crypto/asymmetric_keys/x509_akid.asn1 diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile index e47fcd9ac5e8..cd1406f9b14a 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile @@ -15,15 +15,21 @@ obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o obj-$(CONFIG_X509_CERTIFICATE_PARSER) += x509_key_parser.o x509_key_parser-y := \ x509-asn1.o \ + x509_akid-asn1.o \ x509_rsakey-asn1.o \ x509_cert_parser.o \ x509_public_key.o -$(obj)/x509_cert_parser.o: $(obj)/x509-asn1.h $(obj)/x509_rsakey-asn1.h +$(obj)/x509_cert_parser.o: \ + $(obj)/x509-asn1.h \ + $(obj)/x509_akid-asn1.h \ + $(obj)/x509_rsakey-asn1.h $(obj)/x509-asn1.o: $(obj)/x509-asn1.c $(obj)/x509-asn1.h +$(obj)/x509_akid-asn1.o: $(obj)/x509_akid-asn1.c $(obj)/x509_akid-asn1.h $(obj)/x509_rsakey-asn1.o: $(obj)/x509_rsakey-asn1.c $(obj)/x509_rsakey-asn1.h clean-files+= x509-asn1.c x509-asn1.h +clean-files+= x509_akid-asn1.c x509_akid-asn1.h clean-files+= x509_rsakey-asn1.c x509_rsakey-asn1.h # diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index 1d29376072da..f802cf118053 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c @@ -85,8 +85,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, /* No match - see if the root certificate has a signer amongst the * trusted keys. */ - if (last last-authority) { - key = x509_request_asymmetric_key(trust_keyring, last-authority, + if (last last-auth_skid) { + key = x509_request_asymmetric_key(trust_keyring, last-auth_skid, false); if (!IS_ERR(key)) { x509 = last; diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index cd455450b069..5e956c5b9071 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c @@ -187,11 +187,11 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, goto maybe_missing_crypto_in_x509; pr_debug(- issuer %s\n, x509-issuer); - if (x509-authority) + if (x509-auth_skid) pr_debug(- authkeyid %*phN\n, -x509-authority-len, x509-authority-data); +x509-auth_skid-len, x509-auth_skid-data); - if (!x509-authority || + if (!x509-auth_skid || strcmp(x509-subject, x509-issuer) == 0) { /* If there's no authority certificate specified, then * the certificate must be self-signed and is the root @@ -216,13 +216,13 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, * list to see if the next one is there. */ pr_debug(- want %*phN\n, -x509-authority-len, x509-authority-data); +x509-auth_skid-len, x509-auth_skid-data); for (p = pkcs7-certs; p; p = p-next) { if (!p-skid) continue; pr_debug(- cmp [%u] %*phN\n, p-index, p-skid-len, p-skid-data); - if (asymmetric_key_id_same(p-skid, x509-authority)) + if (asymmetric_key_id_same(p-skid, x509-auth_skid)) goto found_issuer; } @@ -338,8 +338,6 @@ int pkcs7_verify(struct pkcs7_message *pkcs7) ret = x509_get_sig_params(x509); if (ret 0) return ret; - pr_debug(X.509[%u] %*phN\n, -n, x509-authority-len, x509-authority-data); } for (sinfo = pkcs7-signed_infos; sinfo; sinfo = sinfo-next) { diff --git a/crypto/asymmetric_keys/x509_akid.asn1 b/crypto/asymmetric_keys/x509_akid.asn1 new file mode 100644 index ..1a33231a75a8 --- /dev/null +++ b/crypto/asymmetric_keys/x509_akid.asn1 @@ -0,0 +1,35 @@ +-- X.509