diff options
author | David Howells <dhowells@redhat.com> | 2014-10-03 16:17:02 +0100 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2014-10-03 16:17:02 +0100 |
commit | dd2f6c4481debfa389c1f2b2b1d5bd6449c42611 (patch) | |
tree | efdec24c56f02377b3edf6660d4775cf0c804e30 | |
parent | 40b50e80c5ca78b3164d79d39b4889c4e58f462e (diff) | |
download | op-kernel-dev-dd2f6c4481debfa389c1f2b2b1d5bd6449c42611.zip op-kernel-dev-dd2f6c4481debfa389c1f2b2b1d5bd6449c42611.tar.gz |
X.509: If available, use the raw subjKeyId to form the key description
Module signing matches keys by comparing against the key description exactly.
However, the way the key description gets constructed got changed to be
composed of the subject name plus the certificate serial number instead of the
subject name and the subjectKeyId. I changed this to avoid problems with
certificates that don't *have* a subjectKeyId.
Instead, if available, use the raw subjectKeyId to form the key description
and only use the serial number if the subjectKeyId doesn't exist.
Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: David Howells <dhowells@redhat.com>
-rw-r--r-- | crypto/asymmetric_keys/x509_cert_parser.c | 2 | ||||
-rw-r--r-- | crypto/asymmetric_keys/x509_parser.h | 2 | ||||
-rw-r--r-- | crypto/asymmetric_keys/x509_public_key.c | 9 |
3 files changed, 11 insertions, 2 deletions
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 96151b2..393706f 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -435,6 +435,8 @@ int x509_process_extension(void *context, size_t hdrlen, v += 2; vlen -= 2; + ctx->cert->raw_skid_size = vlen; + ctx->cert->raw_skid = v; kid = asymmetric_key_generate_id(v, vlen, ctx->cert->raw_subject, ctx->cert->raw_subject_size); diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h index 4e1a384..3f0f0f0 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++ b/crypto/asymmetric_keys/x509_parser.h @@ -34,6 +34,8 @@ struct x509_certificate { const void *raw_issuer; /* Raw issuer name in ASN.1 */ const void *raw_subject; /* Raw subject name in ASN.1 */ unsigned raw_subject_size; + unsigned raw_skid_size; + const void *raw_skid; /* Raw subjectKeyId in ASN.1 */ unsigned index; bool seen; /* Infinite recursion prevention */ bool verified; diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 1d9a4c5..8bffb06 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -279,8 +279,13 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) /* Propose a description */ sulen = strlen(cert->subject); - srlen = cert->raw_serial_size; - q = cert->raw_serial; + if (cert->raw_skid) { + srlen = cert->raw_skid_size; + q = cert->raw_skid; + } else { + srlen = cert->raw_serial_size; + q = cert->raw_serial; + } if (srlen > 1 && *q == 0) { srlen--; q++; |