KEYS: use swapped SKID for performing partial matching
Earlier KEYS code used pure subject key identifiers (fingerprint)
for searching keys. Latest merged code removed that and broke
compatibility with integrity subsystem signatures and original
format of module signatures.

This patch returns back partial matching on SKID.

Reported-by: Dmitry Kasatkin <[email protected]>
Signed-off-by: Dmitry Kasatkin <[email protected]>
Signed-off-by: David Howells <[email protected]>
Dmitry Kasatkin authored and dhowells committed Oct 6, 2014
1 parent f1b731d commit 8dd6098
Showing 2 changed files with 9 additions and 9 deletions.
12 changes: 6 additions & 6 deletions crypto/asymmetric_keys/x509_cert_parser.c
Expand Up @@ -437,9 +437,9 @@ int x509_process_extension(void *context, size_t hdrlen,

ctx->cert->raw_skid_size = vlen;
ctx->cert->raw_skid = v;
kid = asymmetric_key_generate_id(v, vlen,
ctx->cert->raw_subject,
ctx->cert->raw_subject_size);
kid = asymmetric_key_generate_id(ctx->cert->raw_subject,
ctx->cert->raw_subject_size,
v, vlen);
if (IS_ERR(kid))
return PTR_ERR(kid);
ctx->cert->skid = kid;
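
Review bot: The reordered asymmetric_key_generate_id() call for the SKID carries no comment saying that the argument order now matters. With `ctx->cert->raw_subject` first and `v, vlen` last, the subjectKeyId becomes the trailing bytes of the generated ID, which is presumably what the partial matching named in the commit message relies on. A one-line comment above the call stating that the key identifier must come last would keep a later cleanup from silently swapping the arguments back.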
Expand Down Expand Up @@ -493,9 +493,9 @@ int x509_process_extension(void *context, size_t hdrlen,
v += (sub + 2);
}

kid = asymmetric_key_generate_id(v, vlen,
ctx->cert->raw_issuer,
ctx->cert->raw_issuer_size);
kid = asymmetric_key_generate_id(ctx->cert->raw_issuer,
ctx->cert->raw_issuer_size,
v, vlen);
if (IS_ERR(kid))
return PTR_ERR(kid);
pr_debug("authkeyid %*phN\n", kid->len, kid->data);
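
Review bot: The authority ID call has to keep the same layout as the skid call in the previous hunk (name first, key identifier last), and nothing in the code ties the two together. If one call site is reordered without the other, a certificate's authority ID will no longer line up with its issuer's skid, so consider a small helper used by both call sites, or at least a comment here pointing at the skid call. Note also that the `pr_debug("authkeyid %*phN\n", kid->len, kid->data)` line prints the whole composite ID (raw issuer followed by the key identifier), not the authorityKeyId alone, so the label may mislead whoever reads the debug output.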
6 changes: 3 additions & 3 deletions crypto/asymmetric_keys/x509_parser.h
Expand Up @@ -19,9 +19,9 @@ struct x509_certificate {
struct public_key_signature sig; /* Signature parameters */
char *issuer; /* Name of certificate issuer */
char *subject; /* Name of certificate subject */
struct asymmetric_key_id *id; /* Issuer + serial number */
struct asymmetric_key_id *skid; /* Subject key identifier */
struct asymmetric_key_id *authority; /* Authority key identifier */
struct asymmetric_key_id *id; /* Serial number + issuer */
struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */
struct asymmetric_key_id *authority; /* Authority key identifier (optional) */
struct tm valid_from;
struct tm valid_to;
const void *tbs; /* Signed data */
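
Review bot: The updated comment on `authority` still reads only "Authority key identifier (optional)", while the x509_cert_parser.c change builds that ID from `raw_issuer` followed by the key identifier. It should spell out the composition the way the new `skid` comment does, for example "Issuer + authorityKeyId (optional)". Separately, the `id` comment changes from "Issuer + serial number" to "Serial number + issuer" although no code that generates `id` is touched in this commit; please confirm the new wording matches the existing generation order and mention the documentation fix in the commit message.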