diff options
| author | David Howells <dhowells@redhat.com> | 2014-07-01 11:40:19 -0400 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2014-07-01 11:40:19 -0400 |
| commit | 84aabd46bf8791d0c6fc8db4dc65d45093f70aab (patch) | |
| tree | 70e6a4b4ba4c6a215d4e86f8f11d3c1301b0727d | |
| parent | 16874b2cb867d3eb63ed838f2847143e11556708 (diff) | |
X.509: Add bits needed for PKCS#7
PKCS#7 validation requires access to the serial number and the raw names in an
X.509 certificate.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Josh Boyer <jwboyer@redhat.com>
| -rw-r--r-- | crypto/asymmetric_keys/x509.asn1 | 2 | ||||
| -rw-r--r-- | crypto/asymmetric_keys/x509_cert_parser.c | 17 | ||||
| -rw-r--r-- | crypto/asymmetric_keys/x509_parser.h | 13 |
3 files changed, 30 insertions, 2 deletions
diff --git a/crypto/asymmetric_keys/x509.asn1 b/crypto/asymmetric_keys/x509.asn1 index bf32b3dff088..aae0cde414e2 100644 --- a/crypto/asymmetric_keys/x509.asn1 +++ b/crypto/asymmetric_keys/x509.asn1 | |||
| @@ -6,7 +6,7 @@ Certificate ::= SEQUENCE { | |||
| 6 | 6 | ||
| 7 | TBSCertificate ::= SEQUENCE { | 7 | TBSCertificate ::= SEQUENCE { |
| 8 | version [ 0 ] Version DEFAULT, | 8 | version [ 0 ] Version DEFAULT, |
| 9 | serialNumber CertificateSerialNumber, | 9 | serialNumber CertificateSerialNumber ({ x509_note_serial }), |
| 10 | signature AlgorithmIdentifier ({ x509_note_pkey_algo }), | 10 | signature AlgorithmIdentifier ({ x509_note_pkey_algo }), |
| 11 | issuer Name ({ x509_note_issuer }), | 11 | issuer Name ({ x509_note_issuer }), |
| 12 | validity Validity, | 12 | validity Validity, |
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 29893162497c..4a8df29ab713 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c | |||
| @@ -211,6 +211,19 @@ int x509_note_signature(void *context, size_t hdrlen, | |||
| 211 | } | 211 | } |
| 212 | 212 | ||
| 213 | /* | 213 | /* |
| 214 | * Note the certificate serial number | ||
| 215 | */ | ||
| 216 | int x509_note_serial(void *context, size_t hdrlen, | ||
| 217 | unsigned char tag, | ||
| 218 | const void *value, size_t vlen) | ||
| 219 | { | ||
| 220 | struct x509_parse_context *ctx = context; | ||
| 221 | ctx->cert->raw_serial = value; | ||
| 222 | ctx->cert->raw_serial_size = vlen; | ||
| 223 | return 0; | ||
| 224 | } | ||
| 225 | |||
| 226 | /* | ||
| 214 | * Note some of the name segments from which we'll fabricate a name. | 227 | * Note some of the name segments from which we'll fabricate a name. |
| 215 | */ | 228 | */ |
| 216 | int x509_extract_name_segment(void *context, size_t hdrlen, | 229 | int x509_extract_name_segment(void *context, size_t hdrlen, |
| @@ -322,6 +335,8 @@ int x509_note_issuer(void *context, size_t hdrlen, | |||
| 322 | const void *value, size_t vlen) | 335 | const void *value, size_t vlen) |
| 323 | { | 336 | { |
| 324 | struct x509_parse_context *ctx = context; | 337 | struct x509_parse_context *ctx = context; |
| 338 | ctx->cert->raw_issuer = value; | ||
| 339 | ctx->cert->raw_issuer_size = vlen; | ||
| 325 | return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->issuer, vlen); | 340 | return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->issuer, vlen); |
| 326 | } | 341 | } |
| 327 | 342 | ||
| @@ -330,6 +345,8 @@ int x509_note_subject(void *context, size_t hdrlen, | |||
| 330 | const void *value, size_t vlen) | 345 | const void *value, size_t vlen) |
| 331 | { | 346 | { |
| 332 | struct x509_parse_context *ctx = context; | 347 | struct x509_parse_context *ctx = context; |
| 348 | ctx->cert->raw_subject = value; | ||
| 349 | ctx->cert->raw_subject_size = vlen; | ||
| 333 | return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->subject, vlen); | 350 | return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->subject, vlen); |
| 334 | } | 351 | } |
| 335 | 352 | ||
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h index 87d9cc26f630..1b76f207c1f3 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++ b/crypto/asymmetric_keys/x509_parser.h | |||
| @@ -14,7 +14,9 @@ | |||
| 14 | 14 | ||
| 15 | struct x509_certificate { | 15 | struct x509_certificate { |
| 16 | struct x509_certificate *next; | 16 | struct x509_certificate *next; |
| 17 | struct x509_certificate *signer; /* Certificate that signed this one */ | ||
| 17 | struct public_key *pub; /* Public key details */ | 18 | struct public_key *pub; /* Public key details */ |
| 19 | struct public_key_signature sig; /* Signature parameters */ | ||
| 18 | char *issuer; /* Name of certificate issuer */ | 20 | char *issuer; /* Name of certificate issuer */ |
| 19 | char *subject; /* Name of certificate subject */ | 21 | char *subject; /* Name of certificate subject */ |
| 20 | char *fingerprint; /* Key fingerprint as hex */ | 22 | char *fingerprint; /* Key fingerprint as hex */ |
| @@ -25,7 +27,16 @@ struct x509_certificate { | |||
| 25 | unsigned tbs_size; /* Size of signed data */ | 27 | unsigned tbs_size; /* Size of signed data */ |
| 26 | unsigned raw_sig_size; /* Size of sigature */ | 28 | unsigned raw_sig_size; /* Size of sigature */ |
| 27 | const void *raw_sig; /* Signature data */ | 29 | const void *raw_sig; /* Signature data */ |
| 28 | struct public_key_signature sig; /* Signature parameters */ | 30 | const void *raw_serial; /* Raw serial number in ASN.1 */ |
| 31 | unsigned raw_serial_size; | ||
| 32 | unsigned raw_issuer_size; | ||
| 33 | const void *raw_issuer; /* Raw issuer name in ASN.1 */ | ||
| 34 | const void *raw_subject; /* Raw subject name in ASN.1 */ | ||
| 35 | unsigned raw_subject_size; | ||
| 36 | unsigned index; | ||
| 37 | bool seen; /* Infinite recursion prevention */ | ||
| 38 | bool verified; | ||
| 39 | bool trusted; | ||
| 29 | }; | 40 | }; |
| 30 | 41 | ||
| 31 | /* | 42 | /* |