summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDmitry Kasatkin <d.kasatkin@samsung.com>2014-10-06 16:52:12 +0100
committerDavid Howells <dhowells@redhat.com>2014-10-06 16:56:08 +0100
commit8dd609805b87923a700a2fad646390a58013cdb9 (patch)
treec6f4d35bfbcf6a905054e3448bf54bd3e5f92189
parentf1b731dbc2530cab93fcfc5fcb18c9f3a100feeb (diff)
downloadop-kernel-dev-8dd609805b87923a700a2fad646390a58013cdb9.zip
op-kernel-dev-8dd609805b87923a700a2fad646390a58013cdb9.tar.gz
KEYS: use swapped SKID for performing partial matching
Earlier KEYS code used pure subject key identifiers (fingerprint) for searching keys. Latest merged code removed that and broke compatibility with integrity subsytem signatures and original format of module signatures. This patch returns back partial matching on SKID. Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: David Howells <dhowells@redhat.com>
-rw-r--r--crypto/asymmetric_keys/x509_cert_parser.c12
-rw-r--r--crypto/asymmetric_keys/x509_parser.h6
2 files changed, 9 insertions, 9 deletions
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 393706f..a668d90 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -437,9 +437,9 @@ int x509_process_extension(void *context, size_t hdrlen,
ctx->cert->raw_skid_size = vlen;
ctx->cert->raw_skid = v;
- kid = asymmetric_key_generate_id(v, vlen,
- ctx->cert->raw_subject,
- ctx->cert->raw_subject_size);
+ kid = asymmetric_key_generate_id(ctx->cert->raw_subject,
+ ctx->cert->raw_subject_size,
+ v, vlen);
if (IS_ERR(kid))
return PTR_ERR(kid);
ctx->cert->skid = kid;
@@ -493,9 +493,9 @@ int x509_process_extension(void *context, size_t hdrlen,
v += (sub + 2);
}
- kid = asymmetric_key_generate_id(v, vlen,
- ctx->cert->raw_issuer,
- ctx->cert->raw_issuer_size);
+ kid = asymmetric_key_generate_id(ctx->cert->raw_issuer,
+ ctx->cert->raw_issuer_size,
+ v, vlen);
if (IS_ERR(kid))
return PTR_ERR(kid);
pr_debug("authkeyid %*phN\n", kid->len, kid->data);
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index 3f0f0f0..3dfe6b5 100644
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -19,9 +19,9 @@ struct x509_certificate {
struct public_key_signature sig; /* Signature parameters */
char *issuer; /* Name of certificate issuer */
char *subject; /* Name of certificate subject */
- struct asymmetric_key_id *id; /* Issuer + serial number */
- struct asymmetric_key_id *skid; /* Subject key identifier */
- struct asymmetric_key_id *authority; /* Authority key identifier */
+ struct asymmetric_key_id *id; /* Serial number + issuer */
+ struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */
+ struct asymmetric_key_id *authority; /* Authority key identifier (optional) */
struct tm valid_from;
struct tm valid_to;
const void *tbs; /* Signed data */
OpenPOWER on IntegriCloud