Re: [PATCH v7 3/4] x509: Add support for parsing x509 certs with ECDSA keys

From: Stefan Berger
Date: Thu Feb 11 2021 - 13:26:36 EST


On 2/11/21 12:30 PM, Stefan Berger wrote:
On 2/11/21 3:03 AM, kernel test robot wrote:
Hi Stefan,

Thank you for the patch! Yet something to improve:

crypto/asymmetric_keys/public_key.c:97: undefined reference to `parse_OID'


So the issue is that only ASYMMETRIC_PUBLIC_KEY_SUBTYPE is selected in this config and the selection of OID_REGISTRY is missing. I am not sure whether ASYMMETRIC_PUBLIC_KEY_SUBTYPE should/could select OID_REGISTRY or whether that would be wrong...?


David,

  if the above is not desired then the following change would let us get rid of the offending parse_OID(). The below change is only for NIST p192 in this experiment but shows that we need to add additional strcmp() cases in x509_check_for_self_signed() since cert->sig->pkey_algo is set to "ecdsa". I am not sure whether we should derive from the signature which curve was used to create the signature so that cert->sig->pkey_algo could be more specific and the simple existing strcmp() would pass. So two possible ways to go forward. Which way should we go?

   Stefan


diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 0aff4e584b11..71d83bb345c4 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -505,6 +505,8 @@ int x509_extract_key_data(void *context, size_t hdrlen,
                        ctx->cert->pub->pkey_algo = "sm2";
                        break;
                case OID_id_prime192v1:
+                       ctx->cert->pub->pkey_algo = "ecdsa-nist-p192";
+                       break;
                case OID_id_prime256v1:
                        ctx->cert->pub->pkey_algo = "ecdsa";
                        break;
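Review bot: the new `break` stops OID_id_prime192v1 from falling through into the prime256v1 case, so a p192 key is now named "ecdsa-nist-p192" while a p256 key is still named plain "ecdsa"; if curve-qualified names are the direction, the prime256v1 case should get the matching "ecdsa-nist-p256" in the same change, so every ECDSA public key is named on one scheme and consumers that compare pkey_algo (such as the self-signed check in the second hunk) need only one rule rather than special cases per curve. A short comment on the case stating why the key name carries the curve while the signature name does not would also help the next reader.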
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index ae450eb8be14..3ebeed195b61 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -129,7 +129,10 @@ int x509_check_for_self_signed(struct x509_certificate *cert)
        }

        ret = -EKEYREJECTED;
-       if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0)
+printk(KERN_INFO "%s: %s ==? %s\n", __func__, cert->pub->pkey_algo, cert->sig->pkey_algo);
+       if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0 &&
+           strncmp(cert->pub->pkey_algo, "ecdsa-nist-p", 12) != 0 &&
+           strcmp(cert->sig->pkey_algo, "ecdsa") != 0)
                goto out;

        ret = public_key_verify_signature(cert->pub, cert->sig);
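Review bot: the rewritten condition is too weak, because the three tests are joined with `&&`, so the certificate is rejected only when all three fail; a "ecdsa-nist-p192" key paired with an "rsa" signature passes (the `strncmp` test is false), and an "rsa" key paired with an "ecdsa" signature passes too (the last `strcmp` is false). The intent reads as "reject unless the names match, or the key is curve-qualified ECDSA and the signature says ecdsa", which is `if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0 && !(strncmp(cert->pub->pkey_algo, "ecdsa-nist-p", 12) == 0 && strcmp(cert->sig->pkey_algo, "ecdsa") == 0))`. The unindented `printk(KERN_INFO ...)` line is debug output and should be dropped (or turned into `pr_debug`) before this leaves the experiment stage.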




    Stefan
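The algorithm-name comparison the mail discusses, as an added stand-alone example that is neither Stefan's patch nor kernel code: it implements the predicate a self-signed check needs when the public key name is curve-qualified ("ecdsa-nist-p192", the naming from the first hunk) but the signature name is plain "ecdsa", and sets it beside the condition written in the second hunk so the difference shows on concrete pairs. The function names `pkey_algo_compatible` and `patch_condition_rejects` and the test pairs are constructed for this example.

```c
/* Added example (not kernel code): userspace C so it runs stand-alone. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Curve-qualified prefix taken from the experimental hunk in the mail. */
#define ECDSA_CURVE_PREFIX "ecdsa-nist-p"

/* Return true when a certificate's public-key algorithm name and its
 * signature's algorithm name are compatible for a self-signature check.
 * Accepted: identical names, or a curve-qualified ECDSA key whose
 * signature only says "ecdsa". Anything else is rejected. */
bool pkey_algo_compatible(const char *pub_algo, const char *sig_algo)
{
    if (!pub_algo || !sig_algo)
        return false;
    if (strcmp(pub_algo, sig_algo) == 0)
        return true;
    /* Both halves must hold: a curve-qualified ECDSA key AND a plain
     * "ecdsa" signature. Negating each half and joining with && (as the
     * experimental hunk does) lets rsa-vs-ecdsa pairs through. */
    return strncmp(pub_algo, ECDSA_CURVE_PREFIX, strlen(ECDSA_CURVE_PREFIX)) == 0 &&
           strcmp(sig_algo, "ecdsa") == 0;
}

/* The condition exactly as written in the mail's second hunk, for
 * comparison: it rejects only when all three tests fail. */
bool patch_condition_rejects(const char *pub_algo, const char *sig_algo)
{
    return strcmp(pub_algo, sig_algo) != 0 &&
           strncmp(pub_algo, ECDSA_CURVE_PREFIX, 12) != 0 &&
           strcmp(sig_algo, "ecdsa") != 0;
}

int main(void)
{
    /* Constructed pairs: public-key name, signature name, expected verdict. */
    static const struct { const char *pub, *sig; bool ok; } cases[] = {
        { "rsa",             "rsa",   true  },
        { "ecdsa",           "ecdsa", true  },
        { "ecdsa-nist-p192", "ecdsa", true  },
        { "ecdsa-nist-p192", "rsa",   false },  /* hunk condition lets this through */
        { "rsa",             "ecdsa", false },  /* and this */
        { "sm2",             "rsa",   false },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool got = pkey_algo_compatible(cases[i].pub, cases[i].sig);
        printf("%-16s %-6s compatible=%d hunk_rejects=%d %s\n",
               cases[i].pub, cases[i].sig, got,
               patch_condition_rejects(cases[i].pub, cases[i].sig),
               got == cases[i].ok ? "ok" : "MISMATCH");
    }
    return 0;
}
```

Running it prints one line per pair; the two mixed-algorithm rows show `compatible=0` from the corrected predicate but `hunk_rejects=0` from the condition in the hunk, which is the gap a reviewer would flag before this check guards real certificates.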