From: joeyli <jlee@suse.com>
To: David Howells <dhowells@redhat.com>
Cc: rusty@rustcorp.com.au, linux-kernel@vger.kernel.org,
Josh Boyer <jwboyer@redhat.com>,
Randy Dunlap <rdunlap@xenotime.net>,
Herbert Xu <herbert@gondor.hengli.com.au>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH v2] X.509: Support parse long form of length octets in Authority Key Identifier
Date: Thu, 21 Feb 2013 11:33:34 +0800 [thread overview]
Message-ID: <1361417614.8705.27.camel@linux-s257.site> (raw)
In-Reply-To: <1794.1361364586@warthog.procyon.org.uk>
於 三,2013-02-20 於 12:49 +0000,David Howells 提到:
> Chun-Yi Lee <joeyli.kernel@gmail.com> wrote:
>
> > Per X.509 spec in 4.2.1.1 section, the structure of Authority Key
> > Identifier Extension is:
> >
> > AuthorityKeyIdentifier ::= SEQUENCE {
> > keyIdentifier [0] KeyIdentifier OPTIONAL,
> > authorityCertIssuer [1] GeneralNames OPTIONAL,
> > authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
> >
> > KeyIdentifier ::= OCTET STRING
> >
> > When a certificate also provides
> > authorityCertIssuer and authorityCertSerialNumber then the length of
> > AuthorityKeyIdentifier SEQUENCE is likely to long form format.
> > e.g.
> > The example certificate demos/tunala/A-server.pem in openssl source:
> >
> > X509v3 Authority Key Identifier:
> > keyid:49:FB:45:72:12:C4:CC:E1:45:A1:D3:08:9E:95:C4:2C:6D:55:3F:17
> > DirName:/C=NZ/L=Wellington/O=Really Irresponsible Authorisation Authority (RIAA)/OU=Cert-stamping/CN=Jackov al-Trades/emailAddress=none@fake.domain
> > serial:00
> >
> > Current parsing rule of OID_authorityKeyIdentifier only take care the
> > short form format, it causes load certificate to modsign_keyring fail:
> >
> > [ 12.061147] X.509: Extension: 47
> > [ 12.075121] MODSIGN: Problem loading in-kernel X.509 certificate (-74)
> >
> > So, this patch add the parsing rule for support long form format against
> > Authority Key Identifier.
> >
> > v2:
> > - Removed comma from author's name.
> > - Moved 'Short Form length' comment inside the if-body.
> > - Changed the type of sub to size_t.
> > - Use ASN1_INDEFINITE_LENGTH rather than writing 0x80 and 127.
> > - Moved the key_len's value assignment before alter v.
> > - Fixed the typo of octets.
> > - Add 2 to v before entering the loop for calculate the length.
> > - Removed the comment of check vlen.
> >
> > Cc: Rusty Russell <rusty@rustcorp.com.au>
> > Cc: Josh Boyer <jwboyer@redhat.com>
> > Cc: Randy Dunlap <rdunlap@xenotime.net>
> > Cc: Herbert Xu <herbert@gondor.apana.org.au>
> > Cc: "David S. Miller" <davem@davemloft.net>
> > Signed-off-by: Chun-Yi Lee <jlee@suse.com>
>
> Acked-by: David Howells <dhowells@redhat.com>
>
Thanks for David's review and confirm.
Joey Lee
next prev parent reply other threads:[~2013-02-21 3:34 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-20 6:17 [PATCH v2] X.509: Support parse long form of length octets in Authority Key Identifier Chun-Yi Lee
2013-02-20 12:49 ` David Howells
2013-02-21 3:33 ` joeyli [this message]
2013-02-21 5:05 ` Rusty Russell
2013-02-21 10:07 ` joeyli
-- strict thread matches above, loose matches on Subject: below --
2013-03-14 7:34 Lee, Chun-Yi
2013-03-26 4:44 ` joeyli
2013-03-29 8:51 ` joeyli
2013-02-14 13:29 Lee, Chun-Yi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1361417614.8705.27.camel@linux-s257.site \
--to=jlee@suse.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.hengli.com.au \
--cc=jwboyer@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rdunlap@xenotime.net \
--cc=rusty@rustcorp.com.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox