All of lore.kernel.org
 help / color / mirror / Atom feed
From: Vivek Goyal <vgoyal@redhat.com>
To: David Howells <dhowells@redhat.com>
Cc: mmarek@suse.cz, d.kasatkin@samsung.com, rusty@rustcorp.com.au,
	keyrings@linux-nfs.org, linux-security-module@vger.kernel.org,
	zohar@linux.vnet.ibm.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/5] X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
Date: Fri, 21 Nov 2014 10:33:20 -0500	[thread overview]
Message-ID: <20141121153320.GB22306@redhat.com> (raw)
In-Reply-To: <20141120165414.5264.95354.stgit@warthog.procyon.org.uk>

On Thu, Nov 20, 2014 at 04:54:14PM +0000, David Howells wrote:

[..]
> @@ -215,21 +219,42 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
>  		/* Look through the X.509 certificates in the PKCS#7 message's
>  		 * list to see if the next one is there.
>  		 */
> -		pr_debug("- want %*phN\n",
> -			 x509->auth_skid->len, x509->auth_skid->data);
> -		for (p = pkcs7->certs; p; p = p->next) {
> -			if (!p->skid)
> -				continue;
> -			pr_debug("- cmp [%u] %*phN\n",
> -				 p->index, p->skid->len, p->skid->data);
> -			if (asymmetric_key_id_same(p->skid, x509->auth_skid))
> -				goto found_issuer;
> +		auth = x509->auth_id;
> +		if (auth) {
> +			pr_debug("- want %*phN\n", auth->len, auth->data);
> +			for (p = pkcs7->certs; p; p = p->next) {
> +				pr_debug("- cmp [%u] %*phN\n",
> +					 p->index, p->id->len, p->id->data);
> +				if (asymmetric_key_id_same(p->id, auth))
> +					goto found_issuer_check_skid;
> +			}
> +		} else {
> +			auth = x509->auth_skid;
> +			pr_debug("- want %*phN\n", auth->len, auth->data);
> +			for (p = pkcs7->certs; p; p = p->next) {
> +				if (!p->skid)
> +					continue;
> +				pr_debug("- cmp [%u] %*phN\n",
> +					 p->index, p->skid->len, p->skid->data);
> +				if (asymmetric_key_id_same(p->skid, auth))
> +					goto found_issuer;
> +			}
>  		}
>  
>  		/* We didn't find the root of this chain */
>  		pr_debug("- top\n");
>  		return 0;
>  
> +	found_issuer_check_skid:
> +		/* We matched issuer + serialNumber, but if there's an
> +		 * authKeyId.keyId, that must match the CA subjKeyId also.
> +		 */
> +		if (x509->auth_skid &&
> +		    !asymmetric_key_id_same(p->skid, x509->auth_skid)) {
> +			pr_warn("Sig %u: X.509 chain contains auth-skid nonmatch (%u->%u)\n",
> +				sinfo->index, x509->index, p->index);
> +			return -EKEYREJECTED;
> +		}

Hi David,

A minor nit.

pkcs7_verify_sig_chain() is getting big with multiple goto labels. Will
it make sense to introduce a helper function to see if cert B is authority
cert of cert A or not. And then we should be able to get rid of labels
like found_issuer_check_skid() and some of the inline code also go away.

Thanks
Vivek

  reply	other threads:[~2014-11-21 15:33 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-11-20 16:53 [PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures David Howells
2014-11-20 16:54 ` [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier David Howells
2014-11-21 14:42   ` Vivek Goyal
2014-12-04 12:24     ` Dmitry Kasatkin
2014-12-04 13:02     ` David Howells
2014-11-24 13:35   ` David Howells
2014-11-20 16:54 ` [PATCH 2/5] X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier David Howells
2014-11-21 15:33   ` Vivek Goyal [this message]
2014-11-24  0:00   ` Mimi Zohar
2014-11-24 11:58     ` [Keyrings] " Mimi Zohar
2014-11-24 16:55     ` David Howells
2014-11-24 17:12       ` Mimi Zohar
2014-11-24 16:58     ` David Howells
2014-11-24 17:33       ` Mimi Zohar
2014-11-24 19:36       ` David Howells
2014-11-20 16:54 ` [PATCH 3/5] PKCS#7: Allow detached data to be supplied for signature checking purposes David Howells
2014-11-24 11:52   ` Mimi Zohar
2014-11-24 12:48   ` David Howells
2014-11-24 13:43     ` Mimi Zohar
2014-11-24 14:41     ` David Howells
2014-11-24 14:59       ` Mimi Zohar
2014-11-24 15:14       ` David Howells
2014-11-20 16:54 ` [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module David Howells
2014-11-20 16:54 ` [PATCH 5/5] MODSIGN: Use PKCS#7 messages as module signatures David Howells
2014-11-24 14:06   ` Mimi Zohar
2014-11-21 12:59 ` [PATCH 0/5] MODSIGN: Use PKCS#7 for " Dmitry Kasatkin
2014-11-24  9:19   ` Dmitry Kasatkin
2014-11-24 12:52   ` David Howells
2014-11-24 16:13   ` David Howells
2014-11-24 17:14     ` Mimi Zohar
2014-11-24 12:33 ` Dmitry Kasatkin
2014-11-24 12:51 ` David Howells

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20141121153320.GB22306@redhat.com \
    --to=vgoyal@redhat.com \
    --cc=d.kasatkin@samsung.com \
    --cc=dhowells@redhat.com \
    --cc=keyrings@linux-nfs.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mmarek@suse.cz \
    --cc=rusty@rustcorp.com.au \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.