Re: [PATCH v7 3/4] x509: Add support for parsing x509 certs with ECDSA keys
From: Stefan Berger
Date: Thu Feb 11 2021 - 13:26:36 EST
On 2/11/21 12:30 PM, Stefan Berger wrote:
On 2/11/21 3:03 AM, kernel test robot wrote:
Hi Stefan,
Thank you for the patch! Yet something to improve:
crypto/asymmetric_keys/public_key.c:97: undefined reference to `parse_OID'
So the issue is that only ASYMMETRIC_PUBLIC_KEY_SUBTYPE is selected
in this config and the selection of OID_REGISTRY is missing. I am not
sure whether ASYMMETRIC_PUBLIC_KEY_SUBTYPE should/could select
OID_REGISTRY or whether that would be wrong... ?
David,
if the above is not desired then the following change would let us
get rid of the offending parse_OID(). The below change is only for NIST
p192 in this experiment but shows that we need to add additional
strcmp() cases in x509_check_for_self_signed() since
cert->sig->pkey_algo is set to "ecdsa". I am not sure whether we should
derive from the signature which curve was used to create the signature
so that cert->sig->pkey_algo could be more specific and the simple
existing strcmp() would pass. So two possible ways to go forward. Which
way should we go?
Stefan
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c
b/crypto/asymmetric_keys/x509_cert_parser.c
index 0aff4e584b11..71d83bb345c4 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -505,6 +505,8 @@ int x509_extract_key_data(void *context, size_t hdrlen,
ctx->cert->pub->pkey_algo = "sm2";
break;
case OID_id_prime192v1:
+ ctx->cert->pub->pkey_algo = "ecdsa-nist-p192";
+ break;
case OID_id_prime256v1:
ctx->cert->pub->pkey_algo = "ecdsa";
break;
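Review bot: the new `case OID_id_prime192v1` arm labels the key "ecdsa-nist-p192" while the `OID_id_prime256v1` arm directly below it keeps the generic "ecdsa", so the two curves now follow different naming schemes, and, as the cover text says, a p192 self-signed certificate will no longer pass the plain strcmp() against cert->sig->pkey_algo, which is still "ecdsa". If curve-specific names are the way forward, name the p256 arm "ecdsa-nist-p256" in the same hunk so every ECDSA key carries its curve, and make sure the signature side is filled in with a name the self-signed check can match. Note also that before this change the prime192v1 case fell through to the prime256v1 assignment; the added `break;` is correct but changes what p192 keys are labelled and deserves a line in the commit message.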
diff --git a/crypto/asymmetric_keys/x509_public_key.c
b/crypto/asymmetric_keys/x509_public_key.c
index ae450eb8be14..3ebeed195b61 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -129,7 +129,10 @@ int x509_check_for_self_signed(struct
x509_certificate *cert)
}
ret = -EKEYREJECTED;
- if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0)
+printk(KERN_INFO "%s: %s ==? %s\n", __func__, cert->pub->pkey_algo,
cert->sig->pkey_algo);
+ if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0 &&
+ strncmp(cert->pub->pkey_algo, "ecdsa-nist-p", 12) != 0 &&
+ strcmp(cert->sig->pkey_algo, "ecdsa") != 0)
goto out;
ret = public_key_verify_signature(cert->pub, cert->sig);
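Review bot: the three-way `&&` condition inverts the exception it is trying to add. With this hunk the check only rejects when the names differ AND the public key does not start with "ecdsa-nist-p" AND the signature is not "ecdsa", so a certificate with pub "ecdsa-nist-p192" and any signature algorithm, or with sig "ecdsa" and any public-key algorithm, skips `goto out` and reaches public_key_verify_signature(). The exception should be a conjunction negated as a whole, e.g.
`if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0 &&`
`    !(strncmp(cert->pub->pkey_algo, "ecdsa-nist-p", 12) == 0 &&`
`      strcmp(cert->sig->pkey_algo, "ecdsa") == 0))`
The unindented `printk(KERN_INFO ...)` is debugging output and should be dropped (or become pr_debug) before the change is submitted.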
Stefan
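As an added illustration of the self-signed check discussed above (example code written for this page, not part of the patch or of the kernel), the two helpers below model the experimental rejection test as written in the second hunk and the test it was meant to express; `pub_algo` and `sig_algo` stand in for cert->pub->pkey_algo and cert->sig->pkey_algo.

```c
#include <stdbool.h>
#include <string.h>

/* Prefix the experiment uses for curve-specific public-key algorithm names. */
#define ECDSA_CURVE_PREFIX "ecdsa-nist-p"
#define ECDSA_CURVE_PREFIX_LEN (sizeof(ECDSA_CURVE_PREFIX) - 1)

/*
 * Rejection test as written in the experimental hunk: the certificate is
 * rejected only when all three comparisons fail at once, so either of the
 * two "exception" terms alone is enough to let a mismatched pair through.
 */
bool patch_rejects(const char *pub_algo, const char *sig_algo)
{
	return strcmp(pub_algo, sig_algo) != 0 &&
	       strncmp(pub_algo, ECDSA_CURVE_PREFIX, ECDSA_CURVE_PREFIX_LEN) != 0 &&
	       strcmp(sig_algo, "ecdsa") != 0;
}

/*
 * Intended test: accept an exact match, or a curve-specific ECDSA public
 * key paired with the generic "ecdsa" signature algorithm; reject all else.
 * The exception is one conjunction that is negated as a whole.
 */
bool intended_rejects(const char *pub_algo, const char *sig_algo)
{
	bool exact = strcmp(pub_algo, sig_algo) == 0;
	bool curve_specific_ecdsa =
		strncmp(pub_algo, ECDSA_CURVE_PREFIX, ECDSA_CURVE_PREFIX_LEN) == 0 &&
		strcmp(sig_algo, "ecdsa") == 0;

	return !(exact || curve_specific_ecdsa);
}

/*
 * Returns true when the two tests disagree for a given pair, i.e. when the
 * experimental condition would let a certificate reach signature
 * verification that the intended condition would stop at "goto out".
 */
bool tests_diverge(const char *pub_algo, const char *sig_algo)
{
	return patch_rejects(pub_algo, sig_algo) !=
	       intended_rejects(pub_algo, sig_algo);
}
```

The pairs that diverge are exactly those where only one of the two exception terms holds, such as an "rsa" key with an "ecdsa" signature or a p192 key with an "rsa" signature.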