From: David Howells <dhowells@redhat.com>
To: Dmitry Kasatkin <d.kasatkin@samsung.com>
Cc: dhowells@redhat.com, zohar@linux.vnet.ibm.com,
	linux-ima-devel@lists.sourceforge.net,
	linux-security-module@vger.kernel.org, jmorris@namei.org,
	rusty@rustcorp.com.au, keyrings@linux-nfs.org,
	linux-kernel@vger.kernel.org, dmitry.kasatkin@gmail.com
Subject: [PATCH] X.509: If available, use the raw subjKeyId to form the key description
Date: Fri, 03 Oct 2014 16:54:29 +0100
Message-ID: <2341.1412351669@warthog.procyon.org.uk>
In-Reply-To: cover.1412327306.git.d.kasatkin@samsung.com

Module signing matches keys by comparing against the key description exactly.
However, the way the key description gets constructed got changed to be
composed of the subject name plus the certificate serial number instead of the
subject name and the subjectKeyId.  I changed this to avoid problems with
certificates that don't *have* a subjectKeyId.

Instead, if available, use the raw subjectKeyId to form the key description
and only use the serial number if the subjectKeyId doesn't exist.

Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: David Howells <dhowells@redhat.com>
---
 x509_cert_parser.c |    2 ++
 x509_parser.h      |    2 ++
 x509_public_key.c  |    9 +++++++--
 3 files changed, 11 insertions(+), 2 deletions(-)


diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 96151b2b91a2..393706f33fa5 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -435,6 +435,8 @@ int x509_process_extension(void *context, size_t hdrlen,
 		v += 2;
 		vlen -= 2;
 
+		ctx->cert->raw_skid_size = vlen;
+		ctx->cert->raw_skid = v;
 		kid = asymmetric_key_generate_id(v, vlen,
 						 ctx->cert->raw_subject,
 						 ctx->cert->raw_subject_size);
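Review bot: the stored raw_skid points at the OCTET STRING contents, not the extension's full ASN.1 encoding, because the assignment sits after the existing `v += 2; vlen -= 2;` header skip; it also aliases the certificate buffer rather than copying it, so it is only valid while cert->raw_cert data stays alive, exactly like raw_subject. A one-line comment saying both things would save the next reader from re-deriving it, and it is worth confirming that the two-byte skip (short-form length only) is the assumption raw_skid now inherits.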
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index 4e1a384901ed..3f0f0f081621 100644
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -34,6 +34,8 @@ struct x509_certificate {
 	const void	*raw_issuer;		/* Raw issuer name in ASN.1 */
 	const void	*raw_subject;		/* Raw subject name in ASN.1 */
 	unsigned	raw_subject_size;
+	unsigned	raw_skid_size;
+	const void	*raw_skid;		/* Raw subjectKeyId in ASN.1 */
 	unsigned	index;
 	bool		seen;			/* Infinite recursion prevention */
 	bool		verified;
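Review bot: the comment "Raw subjectKeyId in ASN.1" is misleading, since x509_cert_parser.c stores the pointer after the tag and length bytes have been stepped over, so the field holds the bare key identifier octets. Suggest "/* Raw subjectKeyId contents (no ASN.1 header) */", and, as a style point, placing raw_skid before raw_skid_size to match the raw_subject / raw_subject_size ordering just above it.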
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 1d9a4c555376..8bffb06b2683 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -279,8 +279,13 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
 
 	/* Propose a description */
 	sulen = strlen(cert->subject);
-	srlen = cert->raw_serial_size;
-	q = cert->raw_serial;
+	if (cert->raw_skid) {
+		srlen = cert->raw_skid_size;
+		q = cert->raw_skid;
+	} else {
+		srlen = cert->raw_serial_size;
+		q = cert->raw_serial;
+	}
 	if (srlen > 1 && *q == 0) {
 		srlen--;
 		q++;
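Review bot: the leading-zero strip `if (srlen > 1 && *q == 0) { srlen--; q++; }` that follows the new branch was written for raw_serial, where a DER INTEGER carries a 0x00 pad byte to keep a positive value from reading as negative; with raw_skid now fed through the same path, a subjectKeyId whose first octet genuinely is 0x00 loses that byte, and the resulting description will not match a key id derived from the unmodified SKID elsewhere (for example by module signing or IMA). Suggest applying the strip only in the raw_serial branch, e.g. moving it inside the `else` block, so the SKID is used verbatim.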

