[PATCH] X.509: Add messages for obsolete OIDs

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] X.509: Add messages for obsolete OIDs
@ 2019-03-22  6:27 Lee, Chun-Yi
  2019-03-27 19:36 ` Mimi Zohar
  0 siblings, 1 reply; 5+ messages in thread
From: Lee, Chun-Yi @ 2019-03-22  6:27 UTC (permalink / raw)
  To: David Howells, Herbert Xu, David S . Miller
  Cc: keyrings, linux-crypto, linux-kernel, Lee, Chun-Yi

We found that the db in Acer machine has self signed certificates
(CN=DisablePW or CN=ABO) that they used obsolete OID 1.3.14.3.2.29
sha1WithRSASignature and 2.5.29.1 subjectKeyIdentifier. Kernel
emits -65 error code when loading those certificates to platform
keyring:

[    1.484388] integrity: Loading X.509 certificate: UEFI:MokListRT
[    1.485557] integrity: Problem loading X.509 certificate -65
[    1.486100] Error adding keys to platform keyring UEFI:MokListRT

Because the -65 error code is not enough for appeasing user when
loading a outdated certificate. This patch add messages against
1.3.14.3.2.29 and 2.5.29.1 OIDs.

Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1129471
Cc: David Howells <dhowells@redhat.com> 
Cc: Herbert Xu <herbert@gondor.apana.org.au> 
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
 crypto/asymmetric_keys/x509_cert_parser.c | 7 +++++++
 include/linux/oid_registry.h              | 2 ++
 2 files changed, 9 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 991f4d735a4e..bbd22d5c5b5d 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -192,6 +192,8 @@ int x509_note_pkey_algo(void *context, size_t hdrlen,
 	pr_debug("PubKey Algo: %u\n", ctx->last_oid);
 
 	switch (ctx->last_oid) {
+	case OID_sha1WithRSASignature:
+		pr_info("1.3.14.3.2.29 sha1WithRSASignature is obsolete.\n");
 	case OID_md2WithRSAEncryption:
 	case OID_md3WithRSAEncryption:
 	default:
@@ -464,6 +466,11 @@ int x509_process_extension(void *context, size_t hdrlen,
 		return 0;
 	}
 
+	if (ctx->last_oid == OID_subjectKeyIdentifier_obsolete) {
+		pr_info("2.5.29.1 subjectKeyIdentifier OID is obsolete.\n");
+		return -ENOPKG;
+	}
+
 	return 0;
 }
 
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
index d2fa9ca42e9a..0641d5aa2251 100644
--- a/include/linux/oid_registry.h
+++ b/include/linux/oid_registry.h
@@ -62,6 +62,7 @@ enum OID {
 
 	OID_certAuthInfoAccess,		/* 1.3.6.1.5.5.7.1.1 */
 	OID_sha1,			/* 1.3.14.3.2.26 */
+	OID_sha1WithRSASignature,	/* 1.3.14.3.2.29 */
 	OID_sha256,			/* 2.16.840.1.101.3.4.2.1 */
 	OID_sha384,			/* 2.16.840.1.101.3.4.2.2 */
 	OID_sha512,			/* 2.16.840.1.101.3.4.2.3 */
@@ -83,6 +84,7 @@ enum OID {
 	OID_generationalQualifier,	/* 2.5.4.44 */
 
 	/* Certificate extension IDs */
+	OID_subjectKeyIdentifier_obsolete,	/* 2.5.29.1 */
 	OID_subjectKeyIdentifier,	/* 2.5.29.14 */
 	OID_keyUsage,			/* 2.5.29.15 */
 	OID_subjectAltName,		/* 2.5.29.17 */
-- 
2.16.4


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] X.509: Add messages for obsolete OIDs
  2019-03-22  6:27 [PATCH] X.509: Add messages for obsolete OIDs Lee, Chun-Yi
@ 2019-03-27 19:36 ` Mimi Zohar
  2019-03-29 17:47   ` jlee
  0 siblings, 1 reply; 5+ messages in thread
From: Mimi Zohar @ 2019-03-27 19:36 UTC (permalink / raw)
  To: Lee, Chun-Yi, David Howells, Herbert Xu, David S . Miller
  Cc: keyrings, linux-crypto, linux-kernel, Lee, Chun-Yi

On Fri, 2019-03-22 at 14:27 +0800, Lee, Chun-Yi wrote:
> We found that the db in Acer machine has self signed certificates
> (CN=DisablePW or CN=ABO) that they used obsolete OID 1.3.14.3.2.29
> sha1WithRSASignature and 2.5.29.1 subjectKeyIdentifier. Kernel
> emits -65 error code when loading those certificates to platform
> keyring:
> 
> [    1.484388] integrity: Loading X.509 certificate: UEFI:MokListRT
> [    1.485557] integrity: Problem loading X.509 certificate -65
> [    1.486100] Error adding keys to platform keyring UEFI:MokListRT
> 
> Because the -65 error code is not enough for appeasing user when
> loading a outdated certificate. This patch add messages against
> 1.3.14.3.2.29 and 2.5.29.1 OIDs.
> 
> Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1129471
> Cc: David Howells <dhowells@redhat.com> 
> Cc: Herbert Xu <herbert@gondor.apana.org.au> 
> Cc: "David S. Miller" <davem@davemloft.net>
> Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

> ---
>  crypto/asymmetric_keys/x509_cert_parser.c | 7 +++++++
>  include/linux/oid_registry.h              | 2 ++
>  2 files changed, 9 insertions(+)
> 
> diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
> index 991f4d735a4e..bbd22d5c5b5d 100644
> --- a/crypto/asymmetric_keys/x509_cert_parser.c
> +++ b/crypto/asymmetric_keys/x509_cert_parser.c
> @@ -192,6 +192,8 @@ int x509_note_pkey_algo(void *context, size_t hdrlen,
>  	pr_debug("PubKey Algo: %u\n", ctx->last_oid);
> 
>  	switch (ctx->last_oid) {
> +	case OID_sha1WithRSASignature:
> +		pr_info("1.3.14.3.2.29 sha1WithRSASignature is obsolete.\n");
>  	case OID_md2WithRSAEncryption:
>  	case OID_md3WithRSAEncryption:
>  	default:
> @@ -464,6 +466,11 @@ int x509_process_extension(void *context, size_t hdrlen,
>  		return 0;
>  	}
> 
> +	if (ctx->last_oid == OID_subjectKeyIdentifier_obsolete) {
> +		pr_info("2.5.29.1 subjectKeyIdentifier OID is obsolete.\n");
> +		return -ENOPKG;
> +	}
> +
>  	return 0;
>  }
> 
> diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
> index d2fa9ca42e9a..0641d5aa2251 100644
> --- a/include/linux/oid_registry.h
> +++ b/include/linux/oid_registry.h
> @@ -62,6 +62,7 @@ enum OID {
> 
>  	OID_certAuthInfoAccess,		/* 1.3.6.1.5.5.7.1.1 */
>  	OID_sha1,			/* 1.3.14.3.2.26 */
> +	OID_sha1WithRSASignature,	/* 1.3.14.3.2.29 */
>  	OID_sha256,			/* 2.16.840.1.101.3.4.2.1 */
>  	OID_sha384,			/* 2.16.840.1.101.3.4.2.2 */
>  	OID_sha512,			/* 2.16.840.1.101.3.4.2.3 */
> @@ -83,6 +84,7 @@ enum OID {
>  	OID_generationalQualifier,	/* 2.5.4.44 */
> 
>  	/* Certificate extension IDs */
> +	OID_subjectKeyIdentifier_obsolete,	/* 2.5.29.1 */
>  	OID_subjectKeyIdentifier,	/* 2.5.29.14 */
>  	OID_keyUsage,			/* 2.5.29.15 */
>  	OID_subjectAltName,		/* 2.5.29.17 */


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] X.509: Add messages for obsolete OIDs
  2019-03-27 19:36 ` Mimi Zohar
@ 2019-03-29 17:47   ` jlee
  0 siblings, 0 replies; 5+ messages in thread
From: jlee @ 2019-03-29 17:47 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Lee, Chun-Yi, David Howells, Herbert Xu, David S . Miller,
	keyrings, linux-crypto, linux-kernel

Hi Mimi,

On Wed, Mar 27, 2019 at 03:36:04PM -0400, Mimi Zohar wrote:
> On Fri, 2019-03-22 at 14:27 +0800, Lee, Chun-Yi wrote:
> > We found that the db in Acer machine has self signed certificates
> > (CN=DisablePW or CN=ABO) that they used obsolete OID 1.3.14.3.2.29
> > sha1WithRSASignature and 2.5.29.1 subjectKeyIdentifier. Kernel
> > emits -65 error code when loading those certificates to platform
> > keyring:
> > 
> > [    1.484388] integrity: Loading X.509 certificate: UEFI:MokListRT
> > [    1.485557] integrity: Problem loading X.509 certificate -65
> > [    1.486100] Error adding keys to platform keyring UEFI:MokListRT
> > 
> > Because the -65 error code is not enough for appeasing user when
> > loading a outdated certificate. This patch add messages against
> > 1.3.14.3.2.29 and 2.5.29.1 OIDs.
> > 
> > Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1129471
> > Cc: David Howells <dhowells@redhat.com> 
> > Cc: Herbert Xu <herbert@gondor.apana.org.au> 
> > Cc: "David S. Miller" <davem@davemloft.net>
> > Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
> 
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Thanks for your review!

Joey Lee

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH] X.509: Add messages for obsolete OIDs
@ 2019-05-02  4:12 Lee, Chun-Yi
  2019-07-16  4:51 ` Joey Lee
  0 siblings, 1 reply; 5+ messages in thread
From: Lee, Chun-Yi @ 2019-05-02  4:12 UTC (permalink / raw)
  To: David Howells, Herbert Xu, David S . Miller, Mimi Zohar
  Cc: keyrings, linux-crypto, linux-kernel, Lee, Chun-Yi

We found that the db in Acer machine has self signed certificates
(CN=DisablePW or CN=ABO) that they used obsolete OID 1.3.14.3.2.29
sha1WithRSASignature and 2.5.29.1 subjectKeyIdentifier. Kernel
emits -65 error code when loading those certificates to platform
keyring:

[    1.484388] integrity: Loading X.509 certificate: UEFI:MokListRT
[    1.485557] integrity: Problem loading X.509 certificate -65
[    1.486100] Error adding keys to platform keyring UEFI:MokListRT

Because the -65 error code is not enough for appeasing user when
loading a outdated certificate. This patch add messages against
1.3.14.3.2.29 and 2.5.29.1 OIDs.

Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1129471
Cc: David Howells <dhowells@redhat.com> 
Cc: Herbert Xu <herbert@gondor.apana.org.au> 
Cc: "David S. Miller" <davem@davemloft.net>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
 crypto/asymmetric_keys/x509_cert_parser.c | 7 +++++++
 include/linux/oid_registry.h              | 2 ++
 2 files changed, 9 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 991f4d735a4e..bbd22d5c5b5d 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -192,6 +192,8 @@ int x509_note_pkey_algo(void *context, size_t hdrlen,
 	pr_debug("PubKey Algo: %u\n", ctx->last_oid);
 
 	switch (ctx->last_oid) {
+	case OID_sha1WithRSASignature:
+		pr_info("1.3.14.3.2.29 sha1WithRSASignature is obsolete.\n");
 	case OID_md2WithRSAEncryption:
 	case OID_md3WithRSAEncryption:
 	default:
@@ -464,6 +466,11 @@ int x509_process_extension(void *context, size_t hdrlen,
 		return 0;
 	}
 
+	if (ctx->last_oid == OID_subjectKeyIdentifier_obsolete) {
+		pr_info("2.5.29.1 subjectKeyIdentifier OID is obsolete.\n");
+		return -ENOPKG;
+	}
+
 	return 0;
 }
 
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
index d2fa9ca42e9a..0641d5aa2251 100644
--- a/include/linux/oid_registry.h
+++ b/include/linux/oid_registry.h
@@ -62,6 +62,7 @@ enum OID {
 
 	OID_certAuthInfoAccess,		/* 1.3.6.1.5.5.7.1.1 */
 	OID_sha1,			/* 1.3.14.3.2.26 */
+	OID_sha1WithRSASignature,	/* 1.3.14.3.2.29 */
 	OID_sha256,			/* 2.16.840.1.101.3.4.2.1 */
 	OID_sha384,			/* 2.16.840.1.101.3.4.2.2 */
 	OID_sha512,			/* 2.16.840.1.101.3.4.2.3 */
@@ -83,6 +84,7 @@ enum OID {
 	OID_generationalQualifier,	/* 2.5.4.44 */
 
 	/* Certificate extension IDs */
+	OID_subjectKeyIdentifier_obsolete,	/* 2.5.29.1 */
 	OID_subjectKeyIdentifier,	/* 2.5.29.14 */
 	OID_keyUsage,			/* 2.5.29.15 */
 	OID_subjectAltName,		/* 2.5.29.17 */
-- 
2.16.4


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] X.509: Add messages for obsolete OIDs
  2019-05-02  4:12 Lee, Chun-Yi
@ 2019-07-16  4:51 ` Joey Lee
  0 siblings, 0 replies; 5+ messages in thread
From: Joey Lee @ 2019-07-16  4:51 UTC (permalink / raw)
  To: Lee, Chun-Yi
  Cc: David Howells, Herbert Xu, David S . Miller, Mimi Zohar,
	keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org

Hi experts, 

On Thu, May 02, 2019 at 12:12:02PM +0800, Lee, Chun-Yi wrote:
> We found that the db in Acer machine has self signed certificates
> (CN=DisablePW or CN=ABO) that they used obsolete OID 1.3.14.3.2.29
> sha1WithRSASignature and 2.5.29.1 subjectKeyIdentifier. Kernel
> emits -65 error code when loading those certificates to platform
> keyring:
> 
> [    1.484388] integrity: Loading X.509 certificate: UEFI:MokListRT
> [    1.485557] integrity: Problem loading X.509 certificate -65
> [    1.486100] Error adding keys to platform keyring UEFI:MokListRT
> 
> Because the -65 error code is not enough for appeasing user when
> loading a outdated certificate. This patch add messages against
> 1.3.14.3.2.29 and 2.5.29.1 OIDs.
> 
> Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1129471
> Cc: David Howells <dhowells@redhat.com> 
> Cc: Herbert Xu <herbert@gondor.apana.org.au> 
> Cc: "David S. Miller" <davem@davemloft.net>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>

Have any update or comment for this patch? 

Thanks
Joey Lee

> ---
>  crypto/asymmetric_keys/x509_cert_parser.c | 7 +++++++
>  include/linux/oid_registry.h              | 2 ++
>  2 files changed, 9 insertions(+)
> 
> diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
> index 991f4d735a4e..bbd22d5c5b5d 100644
> --- a/crypto/asymmetric_keys/x509_cert_parser.c
> +++ b/crypto/asymmetric_keys/x509_cert_parser.c
> @@ -192,6 +192,8 @@ int x509_note_pkey_algo(void *context, size_t hdrlen,
>  	pr_debug("PubKey Algo: %u\n", ctx->last_oid);
>  
>  	switch (ctx->last_oid) {
> +	case OID_sha1WithRSASignature:
> +		pr_info("1.3.14.3.2.29 sha1WithRSASignature is obsolete.\n");
>  	case OID_md2WithRSAEncryption:
>  	case OID_md3WithRSAEncryption:
>  	default:
> @@ -464,6 +466,11 @@ int x509_process_extension(void *context, size_t hdrlen,
>  		return 0;
>  	}
>  
> +	if (ctx->last_oid == OID_subjectKeyIdentifier_obsolete) {
> +		pr_info("2.5.29.1 subjectKeyIdentifier OID is obsolete.\n");
> +		return -ENOPKG;
> +	}
> +
>  	return 0;
>  }
>  
> diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
> index d2fa9ca42e9a..0641d5aa2251 100644
> --- a/include/linux/oid_registry.h
> +++ b/include/linux/oid_registry.h
> @@ -62,6 +62,7 @@ enum OID {
>  
>  	OID_certAuthInfoAccess,		/* 1.3.6.1.5.5.7.1.1 */
>  	OID_sha1,			/* 1.3.14.3.2.26 */
> +	OID_sha1WithRSASignature,	/* 1.3.14.3.2.29 */
>  	OID_sha256,			/* 2.16.840.1.101.3.4.2.1 */
>  	OID_sha384,			/* 2.16.840.1.101.3.4.2.2 */
>  	OID_sha512,			/* 2.16.840.1.101.3.4.2.3 */
> @@ -83,6 +84,7 @@ enum OID {
>  	OID_generationalQualifier,	/* 2.5.4.44 */
>  
>  	/* Certificate extension IDs */
> +	OID_subjectKeyIdentifier_obsolete,	/* 2.5.29.1 */
>  	OID_subjectKeyIdentifier,	/* 2.5.29.14 */
>  	OID_keyUsage,			/* 2.5.29.15 */
>  	OID_subjectAltName,		/* 2.5.29.17 */
> -- 
> 2.16.4
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2019-07-16  4:52 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-03-22  6:27 [PATCH] X.509: Add messages for obsolete OIDs Lee, Chun-Yi
2019-03-27 19:36 ` Mimi Zohar
2019-03-29 17:47   ` jlee
  -- strict thread matches above, loose matches on Subject: below --
2019-05-02  4:12 Lee, Chun-Yi
2019-07-16  4:51 ` Joey Lee

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).