From: Jarkko Sakkinen <jarkko@kernel.org>
To: Andrew Zaborowski <andrew.zaborowski@intel.com>,
konstantin@linuxfoundation.org,
David Howells <dhowells@redhat.com>
Cc: keyrings@vger.kernel.org
Subject: Re: [PATCH] keys: X.509 public key issuer lookup without AKID
Date: Thu, 14 Jan 2021 05:23:06 +0200 [thread overview]
Message-ID: <X/+5GkmrxN5WwTjL@kernel.org> (raw)
In-Reply-To: <20210113142340.1963770-1-andrew.zaborowski@intel.com>
On Wed, Jan 13, 2021 at 03:23:40PM +0100, Andrew Zaborowski wrote:
> There are non-root X.509 v3 certificates in use there that contain no
> Authority Key Identifier extension (RFC5280 section 4.2.1.1) which the
> kernel asymmetric key code relies on for any lookup and verification.
> Such certificates are generated by openssl if you don't explicitly tell
> it to include the extension.
>
> Looking at RFC5280 4.2.1.1 it says:
>
> "This extension is used where an issuer has multiple signing keys [...]"
>
> making it sound like the extension is optional if the issuer uses only
> one signing key. It also says:
>
> "The keyIdentifier field of the authorityKeyIdentifier extension MUST
> be included in all certificates [...]"
>
> now making it sound like it's mandatory for everyone. It doesn't say it
> as explicitly as it does for the Subject Key Identifier extension though
> (4.2.1.2). Openssl offers no code comments explaining why neither of
> the two is included by default. It marks a certificate as V3 as soon as
> *any* extension is included.
>
> In this patch I add lookups by just the Distinguished Names in the
> certificate to handle this, I believe this is what (2) in the struct
> asymmetric_key_id (include/keys/asymmetric-type.h) talks about. I add a
> third key ID in asymmetric_key_ids and I attempt to keep the logic
> intact whenever either of the first two IDs is present in the subject
> key (the ones derived from the AKID in the case of the the x509 public
> key subtype.)
>
> Lookups are still unambiguous provided that the CAs respect the condition
> that the AKID may only be omitted if they use a single signing key.
> I didn't apply the third ID logic to the certificate chain veritification
> in pkcs7_verify.c, the AKID extensions is still required there.
>
> Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
David, Konstantin, any ideas why the patchwork is jammed, and how
to get it up and running again.
https://patchwork.kernel.org/project/keyrings/list/
I mainly would like to have it working because of git-pw, which is
really nice tool for applying patches for testing.
/Jarkko
next prev parent reply other threads:[~2021-01-14 3:24 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-13 14:23 [PATCH] keys: X.509 public key issuer lookup without AKID Andrew Zaborowski
2021-01-14 3:23 ` Jarkko Sakkinen [this message]
2021-01-14 16:18 ` Konstantin Ryabitsev
2021-01-15 9:29 ` Jarkko Sakkinen
2021-01-14 3:47 ` Jarkko Sakkinen
2021-01-14 3:48 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=X/+5GkmrxN5WwTjL@kernel.org \
--to=jarkko@kernel.org \
--cc=andrew.zaborowski@intel.com \
--cc=dhowells@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=konstantin@linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.