From: Mimi Zohar <zohar@linux.ibm.com>
To: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>,
David Howells <dhowells@redhat.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S . Miller" <davem@davemloft.net>
Cc: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org, "Lee, Chun-Yi" <jlee@suse.com>
Subject: Re: [PATCH] X.509: Add messages for obsolete OIDs
Date: Wed, 27 Mar 2019 19:36:04 +0000 [thread overview]
Message-ID: <1553715364.4608.36.camel@linux.ibm.com> (raw)
In-Reply-To: <20190322062738.19852-1-jlee@suse.com>
On Fri, 2019-03-22 at 14:27 +0800, Lee, Chun-Yi wrote:
> We found that the db in Acer machine has self signed certificates
> (CN=DisablePW or CN«O) that they used obsolete OID 1.3.14.3.2.29
> sha1WithRSASignature and 2.5.29.1 subjectKeyIdentifier. Kernel
> emits -65 error code when loading those certificates to platform
> keyring:
>
> [ 1.484388] integrity: Loading X.509 certificate: UEFI:MokListRT
> [ 1.485557] integrity: Problem loading X.509 certificate -65
> [ 1.486100] Error adding keys to platform keyring UEFI:MokListRT
>
> Because the -65 error code is not enough for appeasing user when
> loading a outdated certificate. This patch add messages against
> 1.3.14.3.2.29 and 2.5.29.1 OIDs.
>
> Link: https://bugzilla.opensuse.org/show_bug.cgi?id\x1129471
> Cc: David Howells <dhowells@redhat.com>
> Cc: Herbert Xu <herbert@gondor.apana.org.au>
> Cc: "David S. Miller" <davem@davemloft.net>
> Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> crypto/asymmetric_keys/x509_cert_parser.c | 7 +++++++
> include/linux/oid_registry.h | 2 ++
> 2 files changed, 9 insertions(+)
>
> diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
> index 991f4d735a4e..bbd22d5c5b5d 100644
> --- a/crypto/asymmetric_keys/x509_cert_parser.c
> +++ b/crypto/asymmetric_keys/x509_cert_parser.c
> @@ -192,6 +192,8 @@ int x509_note_pkey_algo(void *context, size_t hdrlen,
> pr_debug("PubKey Algo: %u\n", ctx->last_oid);
>
> switch (ctx->last_oid) {
> + case OID_sha1WithRSASignature:
> + pr_info("1.3.14.3.2.29 sha1WithRSASignature is obsolete.\n");
> case OID_md2WithRSAEncryption:
> case OID_md3WithRSAEncryption:
> default:
> @@ -464,6 +466,11 @@ int x509_process_extension(void *context, size_t hdrlen,
> return 0;
> }
>
> + if (ctx->last_oid = OID_subjectKeyIdentifier_obsolete) {
> + pr_info("2.5.29.1 subjectKeyIdentifier OID is obsolete.\n");
> + return -ENOPKG;
> + }
> +
> return 0;
> }
>
> diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
> index d2fa9ca42e9a..0641d5aa2251 100644
> --- a/include/linux/oid_registry.h
> +++ b/include/linux/oid_registry.h
> @@ -62,6 +62,7 @@ enum OID {
>
> OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */
> OID_sha1, /* 1.3.14.3.2.26 */
> + OID_sha1WithRSASignature, /* 1.3.14.3.2.29 */
> OID_sha256, /* 2.16.840.1.101.3.4.2.1 */
> OID_sha384, /* 2.16.840.1.101.3.4.2.2 */
> OID_sha512, /* 2.16.840.1.101.3.4.2.3 */
> @@ -83,6 +84,7 @@ enum OID {
> OID_generationalQualifier, /* 2.5.4.44 */
>
> /* Certificate extension IDs */
> + OID_subjectKeyIdentifier_obsolete, /* 2.5.29.1 */
> OID_subjectKeyIdentifier, /* 2.5.29.14 */
> OID_keyUsage, /* 2.5.29.15 */
> OID_subjectAltName, /* 2.5.29.17 */
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>,
David Howells <dhowells@redhat.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S . Miller" <davem@davemloft.net>
Cc: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org, "Lee, Chun-Yi" <jlee@suse.com>
Subject: Re: [PATCH] X.509: Add messages for obsolete OIDs
Date: Wed, 27 Mar 2019 15:36:04 -0400 [thread overview]
Message-ID: <1553715364.4608.36.camel@linux.ibm.com> (raw)
In-Reply-To: <20190322062738.19852-1-jlee@suse.com>
On Fri, 2019-03-22 at 14:27 +0800, Lee, Chun-Yi wrote:
> We found that the db in Acer machine has self signed certificates
> (CN=DisablePW or CN=ABO) that they used obsolete OID 1.3.14.3.2.29
> sha1WithRSASignature and 2.5.29.1 subjectKeyIdentifier. Kernel
> emits -65 error code when loading those certificates to platform
> keyring:
>
> [ 1.484388] integrity: Loading X.509 certificate: UEFI:MokListRT
> [ 1.485557] integrity: Problem loading X.509 certificate -65
> [ 1.486100] Error adding keys to platform keyring UEFI:MokListRT
>
> Because the -65 error code is not enough for appeasing user when
> loading a outdated certificate. This patch add messages against
> 1.3.14.3.2.29 and 2.5.29.1 OIDs.
>
> Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1129471
> Cc: David Howells <dhowells@redhat.com>
> Cc: Herbert Xu <herbert@gondor.apana.org.au>
> Cc: "David S. Miller" <davem@davemloft.net>
> Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> crypto/asymmetric_keys/x509_cert_parser.c | 7 +++++++
> include/linux/oid_registry.h | 2 ++
> 2 files changed, 9 insertions(+)
>
> diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
> index 991f4d735a4e..bbd22d5c5b5d 100644
> --- a/crypto/asymmetric_keys/x509_cert_parser.c
> +++ b/crypto/asymmetric_keys/x509_cert_parser.c
> @@ -192,6 +192,8 @@ int x509_note_pkey_algo(void *context, size_t hdrlen,
> pr_debug("PubKey Algo: %u\n", ctx->last_oid);
>
> switch (ctx->last_oid) {
> + case OID_sha1WithRSASignature:
> + pr_info("1.3.14.3.2.29 sha1WithRSASignature is obsolete.\n");
> case OID_md2WithRSAEncryption:
> case OID_md3WithRSAEncryption:
> default:
> @@ -464,6 +466,11 @@ int x509_process_extension(void *context, size_t hdrlen,
> return 0;
> }
>
> + if (ctx->last_oid == OID_subjectKeyIdentifier_obsolete) {
> + pr_info("2.5.29.1 subjectKeyIdentifier OID is obsolete.\n");
> + return -ENOPKG;
> + }
> +
> return 0;
> }
>
> diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
> index d2fa9ca42e9a..0641d5aa2251 100644
> --- a/include/linux/oid_registry.h
> +++ b/include/linux/oid_registry.h
> @@ -62,6 +62,7 @@ enum OID {
>
> OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */
> OID_sha1, /* 1.3.14.3.2.26 */
> + OID_sha1WithRSASignature, /* 1.3.14.3.2.29 */
> OID_sha256, /* 2.16.840.1.101.3.4.2.1 */
> OID_sha384, /* 2.16.840.1.101.3.4.2.2 */
> OID_sha512, /* 2.16.840.1.101.3.4.2.3 */
> @@ -83,6 +84,7 @@ enum OID {
> OID_generationalQualifier, /* 2.5.4.44 */
>
> /* Certificate extension IDs */
> + OID_subjectKeyIdentifier_obsolete, /* 2.5.29.1 */
> OID_subjectKeyIdentifier, /* 2.5.29.14 */
> OID_keyUsage, /* 2.5.29.15 */
> OID_subjectAltName, /* 2.5.29.17 */
next prev parent reply other threads:[~2019-03-27 19:36 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-22 6:27 [PATCH] X.509: Add messages for obsolete OIDs Lee, Chun-Yi
2019-03-22 6:27 ` Lee, Chun-Yi
2019-03-27 19:36 ` Mimi Zohar [this message]
2019-03-27 19:36 ` Mimi Zohar
2019-03-29 17:47 ` jlee
2019-03-29 17:47 ` jlee
-- strict thread matches above, loose matches on Subject: below --
2019-05-02 4:12 Lee, Chun-Yi
2019-05-02 4:12 ` Lee, Chun-Yi
2019-07-16 4:51 ` Joey Lee
2019-07-16 4:51 ` Joey Lee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1553715364.4608.36.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=jlee@suse.com \
--cc=joeyli.kernel@gmail.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.