keyrings.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH][RESEND] keys: Handle missing Authority Key Identifier X509 extension
@ 2020-12-03 19:04 Andrew Zaborowski
  2020-12-03 19:04 ` [PATCH][RESEND] keys: Update comment for restrict_link_by_key_or_keyring_chain Andrew Zaborowski
  0 siblings, 1 reply; 4+ messages in thread
From: Andrew Zaborowski @ 2020-12-03 19:04 UTC (permalink / raw)
  To: keyrings; +Cc: David Howells

In a self-signed certificate the subject and issuer are the same and so
the Authority Key Identifier X.509 v3 extension is explicitly made
optional in RFC5280 section 4.2.1.1.
crypto/asymmetric_keys/x509_cert_parser.c can't handle this and makes
(at least) the restrict.c functions refuse to work with certificates
that don't include the AKID.  Fix this by filling in the missing
cert->sig->auth_ids with the certificate's own IDs after parsing and
determinig the certificate is self-signed.

The asymmetric_key_generate_id return value is not checked because it's
already succeeded once at this point.

There are root X.509 v3 certificates in use where this is the case,
mostly oldish ones.

Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
---
 crypto/asymmetric_keys/x509_cert_parser.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 26ec20ef489..a5a2f93e242 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -136,6 +136,25 @@ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen)
 	if (ret < 0)
 		goto error_decode;
 
+	if (cert->self_signed) {
+		if (!cert->sig->auth_ids[0]) {
+			/* Duplicate cert->id */
+			kid = asymmetric_key_generate_id(cert->raw_serial,
+							 cert->raw_serial_size,
+							 cert->raw_issuer,
+							 cert->raw_issuer_size);
+			cert->sig->auth_ids[0] = kid;
+		}
+
+		if (!cert->sig->auth_ids[1] && cert->skid) {
+			/* Duplicate cert->skid */
+			kid = asymmetric_key_generate_id(cert->raw_skid,
+							 cert->raw_skid_size,
+							 "", 0);
+			cert->sig->auth_ids[1] = kid;
+		}
+	}
+
 	kfree(ctx);
 	return cert;
 
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH][RESEND] keys: Update comment for restrict_link_by_key_or_keyring_chain
  2020-12-03 19:04 [PATCH][RESEND] keys: Handle missing Authority Key Identifier X509 extension Andrew Zaborowski
@ 2020-12-03 19:04 ` Andrew Zaborowski
  0 siblings, 0 replies; 4+ messages in thread
From: Andrew Zaborowski @ 2020-12-03 19:04 UTC (permalink / raw)
  To: keyrings; +Cc: David Howells

Add the bit of information that makes
restrict_link_by_key_or_keyring_chain different from
restrict_link_by_key_or_keyring to the inline docs comment.

Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
---
 crypto/asymmetric_keys/restrict.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 77ebebada29..84cefe3b358 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -244,9 +244,10 @@ int restrict_link_by_key_or_keyring(struct key *dest_keyring,
  * @payload: The payload of the new key.
  * @trusted: A key or ring of keys that can be used to vouch for the new cert.
  *
- * Check the new certificate only against the key or keys passed in the data
- * parameter. If one of those is the signing key and validates the new
- * certificate, then mark the new certificate as being ok to link.
+ * Check the new certificate against the key or keys passed in the data
+ * parameter and against the keys already linked to the destination keyring. If
+ * one of those is the signing key and validates the new certificate, then mark
+ * the new certificate as being ok to link.
  *
  * Returns 0 if the new certificate was accepted, -ENOKEY if we
  * couldn't find a matching parent certificate in the trusted list,
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH][RESEND] keys: Update comment for restrict_link_by_key_or_keyring_chain
  2021-01-04 16:40 ` [PATCH][RESEND] keys: Update comment for restrict_link_by_key_or_keyring_chain Andrew Zaborowski
@ 2021-01-10  4:51   ` Jarkko Sakkinen
  0 siblings, 0 replies; 4+ messages in thread
From: Jarkko Sakkinen @ 2021-01-10  4:51 UTC (permalink / raw)
  To: Andrew Zaborowski; +Cc: keyrings, David Howells

On Mon, Jan 04, 2021 at 05:40:48PM +0100, Andrew Zaborowski wrote:
> Add the bit of information that makes
> restrict_link_by_key_or_keyring_chain different from
> restrict_link_by_key_or_keyring to the inline docs comment.
> 
> Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
> Acked-by: Jarkko Sakkinen <jarkko@kernel.org>

Picked to git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git

/Jarkko


^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH][RESEND] keys: Update comment for restrict_link_by_key_or_keyring_chain
  2021-01-04 16:40 [PATCH][RESEND#15] keys: Handle missing Authority Key Identifier X509 extension Andrew Zaborowski
@ 2021-01-04 16:40 ` Andrew Zaborowski
  2021-01-10  4:51   ` Jarkko Sakkinen
  0 siblings, 1 reply; 4+ messages in thread
From: Andrew Zaborowski @ 2021-01-04 16:40 UTC (permalink / raw)
  To: keyrings; +Cc: David Howells

Add the bit of information that makes
restrict_link_by_key_or_keyring_chain different from
restrict_link_by_key_or_keyring to the inline docs comment.

Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
---
 crypto/asymmetric_keys/restrict.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/crypto/asymmetric_keys/restrict.c b/crypto/asymmetric_keys/restrict.c
index 77ebebada29..84cefe3b358 100644
--- a/crypto/asymmetric_keys/restrict.c
+++ b/crypto/asymmetric_keys/restrict.c
@@ -244,9 +244,10 @@ int restrict_link_by_key_or_keyring(struct key *dest_keyring,
  * @payload: The payload of the new key.
  * @trusted: A key or ring of keys that can be used to vouch for the new cert.
  *
- * Check the new certificate only against the key or keys passed in the data
- * parameter. If one of those is the signing key and validates the new
- * certificate, then mark the new certificate as being ok to link.
+ * Check the new certificate against the key or keys passed in the data
+ * parameter and against the keys already linked to the destination keyring. If
+ * one of those is the signing key and validates the new certificate, then mark
+ * the new certificate as being ok to link.
  *
  * Returns 0 if the new certificate was accepted, -ENOKEY if we
  * couldn't find a matching parent certificate in the trusted list,
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-01-10  4:52 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-03 19:04 [PATCH][RESEND] keys: Handle missing Authority Key Identifier X509 extension Andrew Zaborowski
2020-12-03 19:04 ` [PATCH][RESEND] keys: Update comment for restrict_link_by_key_or_keyring_chain Andrew Zaborowski
2021-01-04 16:40 [PATCH][RESEND#15] keys: Handle missing Authority Key Identifier X509 extension Andrew Zaborowski
2021-01-04 16:40 ` [PATCH][RESEND] keys: Update comment for restrict_link_by_key_or_keyring_chain Andrew Zaborowski
2021-01-10  4:51   ` Jarkko Sakkinen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).