keyrings.vger.kernel.org archive mirror
* [RESEND][PATCH] keys: Update comment for restrict_link_by_key_or_keyring_chain
@ 2020-05-04  9:08 Andrew Zaborowski
  2020-10-18 20:25 ` Jarkko Sakkinen
  0 siblings, 1 reply; 19+ messages in thread
From: Andrew Zaborowski @ 2020-05-04  9:08 UTC (permalink / raw)
  To: keyrings

Add the bit of information that makes
restrict_link_by_key_or_keyring_chain different from
restrict_link_by_key_or_keyring to the inline docs comment.

Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
---
 crypto/asymmetric_keys/restrict.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 77ebebada29..84cefe3b358 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -244,9 +244,10 @@ int restrict_link_by_key_or_keyring(struct key *dest_keyring,
  * @payload: The payload of the new key.
  * @trusted: A key or ring of keys that can be used to vouch for the new cert.
  *
- * Check the new certificate only against the key or keys passed in the data
- * parameter. If one of those is the signing key and validates the new
- * certificate, then mark the new certificate as being ok to link.
+ * Check the new certificate against the key or keys passed in the data
+ * parameter and against the keys already linked to the destination keyring. If
+ * one of those is the signing key and validates the new certificate, then mark
+ * the new certificate as being ok to link.
  *
  * Returns 0 if the new certificate was accepted, -ENOKEY if we
  * couldn't find a matching parent certificate in the trusted list,
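Review bot: the Returns paragraph at the end of the hunk is now out of step with the description above it. The new text says the certificate is also checked against keys already linked to the destination keyring, but the return documentation still says -ENOKEY means no matching parent certificate was found "in the trusted list". Suggest widening it, e.g. "couldn't find a matching parent certificate in the trusted list or the destination keyring", so the two halves of the comment agree.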
-- 
2.20.1

* [RESEND][PATCH] KEYS: Handle missing Authority Key Identifier x509 extension
@ 2018-05-05  6:01 Andrew Zaborowski
  2018-08-18  0:11 ` Andrew Zaborowski
                   ` (9 more replies)
  0 siblings, 10 replies; 19+ messages in thread
From: Andrew Zaborowski @ 2018-05-05  6:01 UTC (permalink / raw)
  To: keyrings

If the certificate is self-signed and the Key Identifier is not present
in the Authority Key Identifier extension (RFC5280 4.2.1.1), fill in the
sig->auth_ids values with the certificate's own key IDs since they need
to be the same anyway.  This is noted in 4.2.1.1 as an exception for
self-signed certificates where the keyIdentifier field may be empty.

There are root certificates in use where this is the case.  This affects
the checks in the restrict functions in
crypto/asymmetric_keys/restrict.c but at the point the restrict functions
run we have no access to the certificate struct to be able to do this
substitution there.  A self-signed certificate with the auth_ids NULL
will fail the restrict checks while other self-signed certificates will
be verified against themselves and pass.

Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
---
 crypto/asymmetric_keys/x509_cert_parser.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index ce2df8c9c5..b6d05f17f6 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -130,6 +130,25 @@ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen)
 	if (ret < 0)
 		goto error_decode;
 
+	if (cert->self_signed) {
+		if (!cert->sig->auth_ids[0]) {
+			/* Duplicate cert->id */
+			kid = asymmetric_key_generate_id(cert->raw_serial,
+							 cert->raw_serial_size,
+							 cert->raw_issuer,
+							 cert->raw_issuer_size);
+			cert->sig->auth_ids[0] = kid;
+		}
+
+		if (!cert->sig->auth_ids[1] && cert->skid) {
+			/* Duplicate cert->skid */
+			kid = asymmetric_key_generate_id(cert->raw_skid,
+							 cert->raw_skid_size,
+							 "", 0);
+			cert->sig->auth_ids[1] = kid;
+		}
+	}
+
 	kfree(ctx);
 	return cert;
 
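Review bot: both new asymmetric_key_generate_id() calls store their result straight into cert->sig->auth_ids[] without checking it. That function allocates, and on allocation failure it returns an error pointer rather than a valid id, so an unchecked assignment would leave an ERR_PTR in auth_ids to be dereferenced later. The leading context of the hunk shows the function's `goto error_decode` error path; suggest adding, after each call, `if (IS_ERR(kid)) { ret = PTR_ERR(kid); goto error_decode; }` so the failure propagates the way the rest of x509_cert_parse() does.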
-- 
2.14.1
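The commit message relies on the RFC 5280 4.2.1.1 exception that a self-signed certificate may omit the keyIdentifier (or the whole Authority Key Identifier extension), and on the consequence that the kernel's restrict checks then have nothing to look up. The following is an added example, not code from the patch or from the kernel: it parses a DER AuthorityKeyIdentifier value with a minimal TLV reader, derives the two lookup ids that correspond to sig->auth_ids, and runs a keyring lookup with and without the patch's fallback. Every certificate is constructed inline; generate_id() stands in for asymmetric_key_generate_id() (concatenation of its two inputs) and find_key() is a deliberately simplified model of the kernel's find_asymmetric_key(), both assumptions of this example rather than the kernel's code.

```python
"""Model of the self-signed AuthorityKeyIdentifier (AKID) fallback.

Added example, not kernel code. generate_id() is a stand-in for
asymmetric_key_generate_id(); find_key() is a simplified model of
find_asymmetric_key(); all certificates are constructed here.
"""
from dataclasses import dataclass, field
from typing import Optional


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; short-form lengths only, enough for this model."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def der_children(data: bytes) -> list[tuple[int, bytes]]:
    """Split concatenated DER TLVs into (tag, content) pairs; short-form lengths only."""
    out, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        assert length < 128, "long-form length not handled in this model"
        out.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def parse_akid(akid_der: bytes) -> tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    """Return (keyIdentifier, issuer Name DER, authorityCertSerialNumber); None where absent."""
    (tag, body), = der_children(akid_der)
    assert tag == 0x30, "AuthorityKeyIdentifier is a SEQUENCE"
    key_id = issuer = serial = None
    for child_tag, content in der_children(body):
        if child_tag == 0x80:        # [0] IMPLICIT KeyIdentifier (OCTET STRING)
            key_id = content
        elif child_tag == 0xA1:      # [1] GeneralNames: use the directoryName [4] entry
            for gn_tag, gn in der_children(content):
                if gn_tag == 0xA4:
                    issuer = gn      # EXPLICIT tag, so the content is the Name TLV
        elif child_tag == 0x82:      # [2] IMPLICIT CertificateSerialNumber (INTEGER)
            serial = content
    return key_id, issuer, serial


def generate_id(a: bytes, b: bytes) -> bytes:
    """Stand-in for asymmetric_key_generate_id(): the two inputs concatenated."""
    return a + b


@dataclass
class Cert:
    raw_serial: bytes
    raw_issuer: bytes                      # DER-encoded issuer Name
    raw_skid: Optional[bytes]              # SubjectKeyIdentifier value, if any
    akid: Optional[bytes]                  # AKID extension value (DER), if any
    self_signed: bool
    auth_ids: list = field(default_factory=lambda: [None, None])

    @property
    def id(self) -> bytes:                 # cert->id: serial + issuer
        return generate_id(self.raw_serial, self.raw_issuer)

    @property
    def skid(self) -> Optional[bytes]:     # cert->skid, when the extension exists
        return generate_id(self.raw_skid, b"") if self.raw_skid else None


def note_akid(cert: Cert) -> None:
    """Pre-patch behaviour: auth_ids are filled from the AKID extension only."""
    if cert.akid is None:
        return
    key_id, issuer, serial = parse_akid(cert.akid)
    if serial is not None and issuer is not None:
        cert.auth_ids[0] = generate_id(serial, issuer)
    if key_id is not None:
        cert.auth_ids[1] = generate_id(key_id, b"")


def fill_self_signed(cert: Cert) -> None:
    """The patch's fallback: a self-signed cert's own ids stand in for missing AKID ids."""
    if not cert.self_signed:
        return
    if cert.auth_ids[0] is None:
        cert.auth_ids[0] = cert.id
    if cert.auth_ids[1] is None and cert.skid is not None:
        cert.auth_ids[1] = cert.skid


def find_key(keyring: list[Cert], auth_ids: list) -> Optional[Cert]:
    """Model of find_asymmetric_key(): search by auth_ids[0] (else [1]); when both
    are present the second must match as well. None models -ENOKEY."""
    id_0, id_1 = auth_ids
    if id_0 is None and id_1 is None:
        return None
    for key in keyring:
        if id_0 is not None:
            if key.id != id_0 or (id_1 is not None and key.skid != id_1):
                continue
            return key
        if key.skid == id_1:
            return key
    return None


def sample_root(akid_form: str) -> Cert:
    """Constructed self-signed root; akid_form is 'full', 'issuer_serial' or 'absent'."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"Test Root"))))
    serial, skid = b"\x01", bytes(range(20))
    akid = None
    if akid_form != "absent":
        parts = der(0x80, skid) if akid_form == "full" else b""
        parts += der(0xA1, der(0xA4, name)) + der(0x82, serial)
        akid = der(0x30, parts)
    return Cert(serial, name, skid, akid, self_signed=True)


def root_trusts_itself(akid_form: str, apply_patch: bool) -> bool:
    """Does the root verify against a keyring that holds only itself?"""
    cert = sample_root(akid_form)
    note_akid(cert)
    if apply_patch:
        fill_self_signed(cert)
    return find_key([cert], cert.auth_ids) is cert


if __name__ == "__main__":
    for form in ("full", "issuer_serial", "absent"):
        for patched in (False, True):
            print(f"AKID {form:13s} patched={patched!s:5s} -> {root_trusts_itself(form, patched)}")
```

Running it shows the commit message's point: the root with no AKID at all ends up with both auth_ids empty and fails the lookup (the -ENOKEY case), while the same root passes once its own id and SKID are substituted; roots that carry a keyIdentifier, or issuer and serial, already pass without the fallback.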



Thread overview: 19+ messages
2020-05-04  9:08 [RESEND][PATCH] keys: Update comment for restrict_link_by_key_or_keyring_chain Andrew Zaborowski
2020-10-18 20:25 ` Jarkko Sakkinen
2020-10-18 20:25   ` Jarkko Sakkinen
  -- strict thread matches above, loose matches on Subject: below --
2018-05-05  6:01 [RESEND][PATCH] KEYS: Handle missing Authority Key Identifier x509 extension Andrew Zaborowski
2018-08-18  0:11 ` Andrew Zaborowski
2018-10-19 22:13 ` Andrew Zaborowski
2019-02-08 14:35 ` Andrew Zaborowski
2020-04-07  0:25 ` [RESEND][PATCH] keys: Handle missing Authority Key Identifier X509 extension Andrew Zaborowski
2020-05-04  8:51 ` Andrew Zaborowski
2020-06-25 22:10 ` Andrew Zaborowski
2020-06-25 22:10   ` [RESEND][PATCH] keys: Update comment for restrict_link_by_key_or_keyring_chain Andrew Zaborowski
2020-07-29 23:49 ` [RESEND][PATCH] keys: Handle missing Authority Key Identifier X509 extension Andrew Zaborowski
2020-07-29 23:50   ` [RESEND][PATCH] keys: Update comment for restrict_link_by_key_or_keyring_chain Andrew Zaborowski
2020-09-07 10:39 ` [RESEND][PATCH] keys: Handle missing Authority Key Identifier X509 extension Andrew Zaborowski
2020-09-07 10:39   ` [RESEND][PATCH] keys: Update comment for restrict_link_by_key_or_keyring_chain Andrew Zaborowski
2020-10-13 13:39 ` [RESEND][PATCH] keys: Handle missing Authority Key Identifier X509 extension Andrew Zaborowski
2020-10-13 13:39   ` [RESEND][PATCH] keys: Update comment for restrict_link_by_key_or_keyring_chain Andrew Zaborowski
2020-10-18 20:22 ` [RESEND][PATCH] keys: Handle missing Authority Key Identifier X509 extension Jarkko Sakkinen
2020-10-18 20:22   ` Jarkko Sakkinen
