author | David Howells <dhowells@redhat.com> | 2013-08-30 11:18:31 -0400 |
committer | David Howells <dhowells@redhat.com> | 2013-09-25 12:17:01 -0400 |
commit | 17334cabc814f8847975cddc0e29291af6093464 (patch) | |
tree | 0f4574a955b501557c04c4381d51dbaa439c9473 /crypto/asymmetric_keys | |
parent | 2ecdb23b8c545fbee95caad0f2e45082787563ee (diff) |
X.509: Handle certificates that lack an authorityKeyIdentifier field
Handle certificates that lack an authorityKeyIdentifier field by assuming
they're self-signed and checking their signatures against themselves.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Josh Boyer <jwboyer@redhat.com>
Diffstat (limited to 'crypto/asymmetric_keys')
-rw-r--r-- | crypto/asymmetric_keys/x509_public_key.c | 9 |
1 files changed, 5 insertions, 4 deletions
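--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -143,8 +143,8 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
 	       pkey_algo_name[cert->sig.pkey_algo],
 	       pkey_hash_algo_name[cert->sig.pkey_hash_algo]);
 
-	if (!cert->fingerprint || !cert->authority) {
-		pr_warn("Cert for '%s' must have SubjKeyId and AuthKeyId extensions\n",
+	if (!cert->fingerprint) {
+		pr_warn("Cert for '%s' must have a SubjKeyId extension\n",
 			cert->subject);
 		ret = -EKEYREJECTED;
 		goto error_free_cert;
@@ -190,8 +190,9 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
 	cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
 	cert->pub->id_type = PKEY_ID_X509;
 
-	/* Check the signature on the key */
-	if (strcmp(cert->fingerprint, cert->authority) == 0) {
+	/* Check the signature on the key if it appears to be self-signed */
+	if (!cert->authority ||
+	    strcmp(cert->fingerprint, cert->authority) == 0) {
 		ret = x509_check_signature(cert->pub, cert);
 		if (ret < 0)
 			goto error_free_cert;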
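Review bot: With the first hunk no longer rejecting a NULL `cert->authority`, every later use of `cert->authority` in x509_key_preparse (for example a parent-key or trust lookup) must now tolerate NULL, and nothing in either hunk shows that those paths were checked; the second hunk only covers the self-signature branch. The new comment should also make the failure mode explicit, since a certificate without an AuthKeyId that is not in fact self-signed reaches x509_check_signature against its own key and presumably fails there, e.g. `/* No AuthKeyId: assume self-signed and verify against our own key; a cert that is not actually self-signed fails this check and is rejected */`. Deciding "self-signed" from key identifiers alone (fingerprint vs. authority, or absent authority) rather than issuer/subject names is worth a one-line note as well, so the next reader does not expect a name comparison. x509_key_preparse begins before the first hunk and continues past the last line of the second.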