Re: [PATCH 2/4] X.509: Parse Basic Constraints for CA

From: Stefan Berger
Date: Fri Mar 04 2022 - 10:10:59 EST



On 3/1/22 12:36, Eric Snowberg wrote:
Parse the X.509 Basic Constraints. The basic constraints extension
identifies whether the subject of the certificate is a CA.

BasicConstraints ::= SEQUENCE {
cA BOOLEAN DEFAULT FALSE,
pathLenConstraint INTEGER (0..MAX) OPTIONAL }

If the CA is true, store it in a new public_key field call key_is_ca.
This will be used in a follow on patch that requires knowing if the
public key is a CA.

Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
---
crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++
include/crypto/public_key.h | 1 +
2 files changed, 10 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 2899ed80bb18..38c907f4ce27 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -583,6 +583,15 @@ int x509_process_extension(void *context, size_t hdrlen,
return 0;
}
+ if (ctx->last_oid == OID_basicConstraints) {

Don't you have to check whether you can access v[0] and v[1]?

if (vlen < 3)

    return -EBADMSG;

or should it even be

if (vlen != 3)

     return -EBADMSG;


+ if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ))
+ return -EBADMSG;
+ if (v[1] != vlen - 2)
+ return -EBADMSG;
+ if (v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1)
+ ctx->cert->pub->key_is_ca = true;
+ }
+
return 0;
}
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 6d61695e1cde..0521241764b7 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -26,6 +26,7 @@ struct public_key {
void *params;
u32 paramlen;
bool key_is_private;
+ bool key_is_ca;
const char *id_type;
const char *pkey_algo;
};