authorDmitry Kasatkin <d.kasatkin@samsung.com>2014-10-06 11:52:12 -0400
committerDavid Howells <dhowells@redhat.com>2014-10-06 11:56:08 -0400
commit8dd609805b87923a700a2fad646390a58013cdb9 (patch)
treec6f4d35bfbcf6a905054e3448bf54bd3e5f92189
parentf1b731dbc2530cab93fcfc5fcb18c9f3a100feeb (diff)
KEYS: use swapped SKID for performing partial matching
Earlier KEYS code used pure subject key identifiers (fingerprint) for searching keys. The latest merged code removed that and broke compatibility with integrity subsystem signatures and the original format of module signatures. This patch restores partial matching on SKID. Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: David Howells <dhowells@redhat.com>
-rw-r--r--crypto/asymmetric_keys/x509_cert_parser.c12
-rw-r--r--crypto/asymmetric_keys/x509_parser.h6
2 files changed, 9 insertions, 9 deletions
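diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 393706f33fa5..a668d90302d3 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -437,9 +437,9 @@ int x509_process_extension(void *context, size_t hdrlen,
 
 ctx->cert->raw_skid_size = vlen;
 ctx->cert->raw_skid = v;
-kid = asymmetric_key_generate_id(v, vlen,
-ctx->cert->raw_subject,
-ctx->cert->raw_subject_size);
+kid = asymmetric_key_generate_id(ctx->cert->raw_subject,
+ctx->cert->raw_subject_size,
+v, vlen);
 if (IS_ERR(kid))
 return PTR_ERR(kid);
 ctx->cert->skid = kid;
@@ -493,9 +493,9 @@ int x509_process_extension(void *context, size_t hdrlen,
 v += (sub + 2);
 }
 
-kid = asymmetric_key_generate_id(v, vlen,
-ctx->cert->raw_issuer,
-ctx->cert->raw_issuer_size);
+kid = asymmetric_key_generate_id(ctx->cert->raw_issuer,
+ctx->cert->raw_issuer_size,
+v, vlen);
 if (IS_ERR(kid))
 return PTR_ERR(kid);
 pr_debug("authkeyid %*phN\n", kid->len, kid->data);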
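Review bot: The argument order in the two `asymmetric_key_generate_id()` calls is now what makes partial matching work, yet neither call site says so. Going by the commit message, the key identifier has to form the tail of the generated ID so that a partial match on the SKID succeeds; a later cleanup that puts the extension value first again would silently break lookups for integrity and module signatures. I would add a comment above the first call such as `/* key identifier goes last so partial ID matching can compare the tail */` and the same above the authority-key call. In the second hunk, `pr_debug("authkeyid %*phN\n", kid->len, kid->data)` now dumps the raw issuer first, and because `%*ph` prints only a small fixed number of bytes the key identifier itself may drop out of the debug output; that is worth confirming. `x509_process_extension()` begins and ends outside both hunks.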
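diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index 3f0f0f081621..3dfe6b5d6f0b 100644
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -19,9 +19,9 @@ struct x509_certificate {
 struct public_key_signature sig; /* Signature parameters */
 char *issuer; /* Name of certificate issuer */
 char *subject; /* Name of certificate subject */
-struct asymmetric_key_id *id; /* Issuer + serial number */
-struct asymmetric_key_id *skid; /* Subject key identifier */
-struct asymmetric_key_id *authority; /* Authority key identifier */
+struct asymmetric_key_id *id; /* Serial number + issuer */
+struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */
+struct asymmetric_key_id *authority; /* Authority key identifier (optional) */
 struct tm valid_from;
 struct tm valid_to;
 const void *tbs; /* Signed data */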
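Review bot: The updated comment on `authority` still reads as if the field held the bare authority key identifier, whereas the `x509_cert_parser.c` change in this same commit builds it from `raw_issuer` followed by the extension value. To match the new `skid` comment it could read `/* Issuer + authorityKeyId (optional) */`, so that anyone comparing or matching these IDs knows what bytes they contain. The `id` comment now says "Serial number + issuer"; the code that builds that ID is not part of this diff, so the stated order should be checked against it. `struct x509_certificate` continues outside the hunk.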