aboutsummaryrefslogtreecommitdiffstats
path: root/crypto/asymmetric_keys
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2014-10-03 11:17:02 -0400
committerDavid Howells <dhowells@redhat.com>2014-10-03 11:17:02 -0400
commitdd2f6c4481debfa389c1f2b2b1d5bd6449c42611 (patch)
treeefdec24c56f02377b3edf6660d4775cf0c804e30 /crypto/asymmetric_keys
parent40b50e80c5ca78b3164d79d39b4889c4e58f462e (diff)
X.509: If available, use the raw subjKeyId to form the key description
Module signing matches keys by comparing against the key description exactly. However, the way the key description gets constructed got changed to be composed of the subject name plus the certificate serial number instead of the subject name and the subjectKeyId. I changed this to avoid problems with certificates that don't *have* a subjectKeyId. Instead, if available, use the raw subjectKeyId to form the key description and only use the serial number if the subjectKeyId doesn't exist. Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'crypto/asymmetric_keys')
-rw-r--r--crypto/asymmetric_keys/x509_cert_parser.c2
-rw-r--r--crypto/asymmetric_keys/x509_parser.h2
-rw-r--r--crypto/asymmetric_keys/x509_public_key.c9
3 files changed, 11 insertions, 2 deletions
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 96151b2b91a2..393706f33fa5 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -435,6 +435,8 @@ int x509_process_extension(void *context, size_t hdrlen,
435 v += 2; 435 v += 2;
436 vlen -= 2; 436 vlen -= 2;
437 437
438 ctx->cert->raw_skid_size = vlen;
439 ctx->cert->raw_skid = v;
438 kid = asymmetric_key_generate_id(v, vlen, 440 kid = asymmetric_key_generate_id(v, vlen,
439 ctx->cert->raw_subject, 441 ctx->cert->raw_subject,
440 ctx->cert->raw_subject_size); 442 ctx->cert->raw_subject_size);
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index 4e1a384901ed..3f0f0f081621 100644
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -34,6 +34,8 @@ struct x509_certificate {
34 const void *raw_issuer; /* Raw issuer name in ASN.1 */ 34 const void *raw_issuer; /* Raw issuer name in ASN.1 */
35 const void *raw_subject; /* Raw subject name in ASN.1 */ 35 const void *raw_subject; /* Raw subject name in ASN.1 */
36 unsigned raw_subject_size; 36 unsigned raw_subject_size;
37 unsigned raw_skid_size;
38 const void *raw_skid; /* Raw subjectKeyId in ASN.1 */
37 unsigned index; 39 unsigned index;
38 bool seen; /* Infinite recursion prevention */ 40 bool seen; /* Infinite recursion prevention */
39 bool verified; 41 bool verified;
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 1d9a4c555376..8bffb06b2683 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -279,8 +279,13 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
279 279
280 /* Propose a description */ 280 /* Propose a description */
281 sulen = strlen(cert->subject); 281 sulen = strlen(cert->subject);
282 srlen = cert->raw_serial_size; 282 if (cert->raw_skid) {
283 q = cert->raw_serial; 283 srlen = cert->raw_skid_size;
284 q = cert->raw_skid;
285 } else {
286 srlen = cert->raw_serial_size;
287 q = cert->raw_serial;
288 }
284 if (srlen > 1 && *q == 0) { 289 if (srlen > 1 && *q == 0) {
285 srlen--; 290 srlen--;
286 q++; 291 q++;