[PATCH 19/27] X.509: Change recorded SKID & AKID to not include Subject or Issuer [ver #7]

From: David Howells
Date: Wed Aug 05 2015 - 09:46:50 EST

Next message: David Howells: "[PATCH 20/27] PKCS#7: Support CMS messages also [RFC5652] [ver #7]"
Previous message: David Howells: "[PATCH 18/27] PKCS#7: Check content type and versions [ver #7]"
In reply to: David Howells: "[PATCH 18/27] PKCS#7: Check content type and versions [ver #7]"
Next in thread: David Howells: "[PATCH 20/27] PKCS#7: Support CMS messages also [RFC5652] [ver #7]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The key identifiers fabricated from an X.509 certificate are currently:

(A) Concatenation of serial number and issuer

(B) Concatenation of subject and subjectKeyID (SKID)

When verifying one X.509 certificate with another, the AKID in the target
can be used to match the authoritative certificate. The AKID can specify
the match in one or both of two ways:

(1) Compare authorityCertSerialNumber and authorityCertIssuer from the AKID
to identifier (A) above.

(2) Compare keyIdentifier from the AKID plus the issuer from the target
certificate to identifier (B) above.

When verifying a PKCS#7 message, the only available comparison is between
the IssuerAndSerialNumber field and identifier (A) above.

However, a subsequent patch adds CMS support. Whilst CMS still supports a
match on IssuerAndSerialNumber as for PKCS#7, it also supports an
alternative - which is the SubjectKeyIdentifier field. This is used to
match to an X.509 certificate on the SKID alone. No subject information is
available to be used.

To this end change the fabrication of (B) above to be from the X.509 SKID
alone. The AKID in keyIdentifier form then only matches on that and does
not include the issuer.

Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
Reviewed-By: David Woodhouse <David.Woodhouse@xxxxxxxxx>
---

crypto/asymmetric_keys/x509_cert_parser.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 6c130dd56f35..849fd760923e 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -454,9 +454,7 @@ int x509_process_extension(void *context, size_t hdrlen,

ctx->cert->raw_skid_size = vlen;
ctx->cert->raw_skid = v;
- kid = asymmetric_key_generate_id(ctx->cert->raw_subject,
- ctx->cert->raw_subject_size,
- v, vlen);
+ kid = asymmetric_key_generate_id(v, vlen, "", 0);
if (IS_ERR(kid))
return PTR_ERR(kid);
ctx->cert->skid = kid;
@@ -553,9 +551,7 @@ int x509_akid_note_kid(void *context, size_t hdrlen,
if (ctx->cert->akid_skid)
return 0;

- kid = asymmetric_key_generate_id(ctx->cert->raw_issuer,
- ctx->cert->raw_issuer_size,
- value, vlen);
+ kid = asymmetric_key_generate_id(value, vlen, "", 0);
if (IS_ERR(kid))
return PTR_ERR(kid);
pr_debug("authkeyid %*phN\n", kid->len, kid->data);

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Howells: "[PATCH 20/27] PKCS#7: Support CMS messages also [RFC5652] [ver #7]"
Previous message: David Howells: "[PATCH 18/27] PKCS#7: Check content type and versions [ver #7]"
In reply to: David Howells: "[PATCH 18/27] PKCS#7: Check content type and versions [ver #7]"
Next in thread: David Howells: "[PATCH 20/27] PKCS#7: Support CMS messages also [RFC5652] [ver #7]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]