From: Vivek Goyal <vgoyal@redhat.com>
To: David Howells <dhowells@redhat.com>
Cc: mmarek@suse.cz, d.kasatkin@samsung.com, rusty@rustcorp.com.au,
keyrings@linux-nfs.org, linux-security-module@vger.kernel.org,
zohar@linux.vnet.ibm.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/5] X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
Date: Fri, 21 Nov 2014 10:33:20 -0500 [thread overview]
Message-ID: <20141121153320.GB22306@redhat.com> (raw)
In-Reply-To: <20141120165414.5264.95354.stgit@warthog.procyon.org.uk>
On Thu, Nov 20, 2014 at 04:54:14PM +0000, David Howells wrote:
[..]
> @@ -215,21 +219,42 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
> /* Look through the X.509 certificates in the PKCS#7 message's
> * list to see if the next one is there.
> */
> - pr_debug("- want %*phN\n",
> - x509->auth_skid->len, x509->auth_skid->data);
> - for (p = pkcs7->certs; p; p = p->next) {
> - if (!p->skid)
> - continue;
> - pr_debug("- cmp [%u] %*phN\n",
> - p->index, p->skid->len, p->skid->data);
> - if (asymmetric_key_id_same(p->skid, x509->auth_skid))
> - goto found_issuer;
> + auth = x509->auth_id;
> + if (auth) {
> + pr_debug("- want %*phN\n", auth->len, auth->data);
> + for (p = pkcs7->certs; p; p = p->next) {
> + pr_debug("- cmp [%u] %*phN\n",
> + p->index, p->id->len, p->id->data);
> + if (asymmetric_key_id_same(p->id, auth))
> + goto found_issuer_check_skid;
> + }
> + } else {
> + auth = x509->auth_skid;
> + pr_debug("- want %*phN\n", auth->len, auth->data);
> + for (p = pkcs7->certs; p; p = p->next) {
> + if (!p->skid)
> + continue;
> + pr_debug("- cmp [%u] %*phN\n",
> + p->index, p->skid->len, p->skid->data);
> + if (asymmetric_key_id_same(p->skid, auth))
> + goto found_issuer;
> + }
> }
>
> /* We didn't find the root of this chain */
> pr_debug("- top\n");
> return 0;
>
> + found_issuer_check_skid:
> + /* We matched issuer + serialNumber, but if there's an
> + * authKeyId.keyId, that must match the CA subjKeyId also.
> + */
> + if (x509->auth_skid &&
> + !asymmetric_key_id_same(p->skid, x509->auth_skid)) {
> + pr_warn("Sig %u: X.509 chain contains auth-skid nonmatch (%u->%u)\n",
> + sinfo->index, x509->index, p->index);
> + return -EKEYREJECTED;
> + }
Hi David,
A minor nit.
pkcs7_verify_sig_chain() is getting big with multiple goto labels. Will
it make sense to introduce a helper function to see if cert B is authority
cert of cert A or not. And then we should be able to get rid of labels
like found_issuer_check_skid() and some of the inline code also go away.
Thanks
Vivek
next prev parent reply other threads:[~2014-11-21 15:33 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-20 16:53 [PATCH 0/5] MODSIGN: Use PKCS#7 for module signatures David Howells
2014-11-20 16:54 ` [PATCH 1/5] X.509: Extract both parts of the AuthorityKeyIdentifier David Howells
2014-11-21 14:42 ` Vivek Goyal
2014-11-24 13:35 ` David Howells
2014-12-04 12:24 ` Dmitry Kasatkin
2014-12-04 13:02 ` David Howells
2014-11-20 16:54 ` [PATCH 2/5] X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier David Howells
2014-11-21 15:33 ` Vivek Goyal [this message]
2014-11-24 0:00 ` Mimi Zohar
2014-11-24 11:58 ` [Keyrings] " Mimi Zohar
2014-11-24 16:55 ` David Howells
2014-11-24 17:12 ` Mimi Zohar
2014-11-24 16:58 ` David Howells
2014-11-24 17:33 ` Mimi Zohar
2014-11-24 19:36 ` David Howells
2014-11-20 16:54 ` [PATCH 3/5] PKCS#7: Allow detached data to be supplied for signature checking purposes David Howells
2014-11-24 11:52 ` Mimi Zohar
2014-11-24 12:48 ` David Howells
2014-11-24 13:43 ` Mimi Zohar
2014-11-24 14:41 ` David Howells
2014-11-24 14:59 ` Mimi Zohar
2014-11-24 15:14 ` David Howells
2014-11-20 16:54 ` [PATCH 4/5] MODSIGN: Provide a utility to append a PKCS#7 signature to a module David Howells
2014-11-20 16:54 ` [PATCH 5/5] MODSIGN: Use PKCS#7 messages as module signatures David Howells
2014-11-24 14:06 ` Mimi Zohar
2014-11-21 12:59 ` [PATCH 0/5] MODSIGN: Use PKCS#7 for " Dmitry Kasatkin
2014-11-24 9:19 ` Dmitry Kasatkin
2014-11-24 12:52 ` David Howells
2014-11-24 16:13 ` David Howells
2014-11-24 17:14 ` Mimi Zohar
2014-11-24 12:33 ` Dmitry Kasatkin
2014-11-24 12:51 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141121153320.GB22306@redhat.com \
--to=vgoyal@redhat.com \
--cc=d.kasatkin@samsung.com \
--cc=dhowells@redhat.com \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mmarek@suse.cz \
--cc=rusty@rustcorp.com.au \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox