forge/linux-pinenote
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

X.509: Extract both parts of the AuthorityKeyIdentifier

Browse source 
Extract both parts of the AuthorityKeyIdentifier, not just the keyIdentifier,
as the second part can be used to match X.509 certificates by issuer and
serialNumber.

Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Vivek Goyal <vgoyal@redhat.com>
This commit is contained in:
David Howells 2015-07-20 21:16:26 +01:00
parent c05cae9a58
commit b92e6570a9
7 changed files with 145 additions and 69 deletions
Download patch file Download diff file Expand all files Collapse all files

8
crypto/asymmetric_keys/x509_public_key.c
View file

@ -227,10 +227,10 @@ static int x509_validate_trust(struct x509_certificate *cert,
if (!trust_keyring)
return -EOPNOTSUPP;
if (ca_keyid && !asymmetric_key_id_partial(cert->authority, ca_keyid))
if (ca_keyid && !asymmetric_key_id_partial(cert->akid_skid, ca_keyid))
return -EPERM;
key = x509_request_asymmetric_key(trust_keyring, cert->authority,
key = x509_request_asymmetric_key(trust_keyring, cert->akid_skid,
false);
if (!IS_ERR(key)) {
if (!use_builtin_keys
@ -287,8 +287,8 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
cert->pub->id_type = PKEY_ID_X509;
/* Check the signature on the key if it appears to be self-signed */
if (!cert->authority ||
asymmetric_key_id_same(cert->skid, cert->authority)) {
if (!cert->akid_skid ||
asymmetric_key_id_same(cert->skid, cert->akid_skid)) {
ret = x509_check_signature(cert->pub, cert); /* self-signed */
if (ret < 0)
goto error_free_cert;