aboutsummaryrefslogtreecommitdiffstats
path: root/crypto/asymmetric_keys
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2013-08-30 11:18:31 -0400
committerDavid Howells <dhowells@redhat.com>2013-09-25 12:17:01 -0400
commit17334cabc814f8847975cddc0e29291af6093464 (patch)
tree0f4574a955b501557c04c4381d51dbaa439c9473 /crypto/asymmetric_keys
parent2ecdb23b8c545fbee95caad0f2e45082787563ee (diff)
X.509: Handle certificates that lack an authorityKeyIdentifier field
Handle certificates that lack an authorityKeyIdentifier field by assuming they're self-signed and checking their signatures against themselves. Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Josh Boyer <jwboyer@redhat.com>
Diffstat (limited to 'crypto/asymmetric_keys')
-rw-r--r--crypto/asymmetric_keys/x509_public_key.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index eb368d4c632c..0f55e3b027a0 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -143,8 +143,8 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
143 pkey_algo_name[cert->sig.pkey_algo], 143 pkey_algo_name[cert->sig.pkey_algo],
144 pkey_hash_algo_name[cert->sig.pkey_hash_algo]); 144 pkey_hash_algo_name[cert->sig.pkey_hash_algo]);
145 145
146 if (!cert->fingerprint || !cert->authority) { 146 if (!cert->fingerprint) {
147 pr_warn("Cert for '%s' must have SubjKeyId and AuthKeyId extensions\n", 147 pr_warn("Cert for '%s' must have a SubjKeyId extension\n",
148 cert->subject); 148 cert->subject);
149 ret = -EKEYREJECTED; 149 ret = -EKEYREJECTED;
150 goto error_free_cert; 150 goto error_free_cert;
@@ -190,8 +190,9 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
190 cert->pub->algo = pkey_algo[cert->pub->pkey_algo]; 190 cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
191 cert->pub->id_type = PKEY_ID_X509; 191 cert->pub->id_type = PKEY_ID_X509;
192 192
193 /* Check the signature on the key */ 193 /* Check the signature on the key if it appears to be self-signed */
194 if (strcmp(cert->fingerprint, cert->authority) == 0) { 194 if (!cert->authority ||
195 strcmp(cert->fingerprint, cert->authority) == 0) {
195 ret = x509_check_signature(cert->pub, cert); 196 ret = x509_check_signature(cert->pub, cert);
196 if (ret < 0) 197 if (ret < 0)
197 goto error_free_cert; 198 goto error_free_cert;