author | David Howells <dhowells@redhat.com> | 2013-08-30 17:18:31 +0200 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2013-09-25 18:17:01 +0200 |
commit | 17334cabc814f8847975cddc0e29291af6093464 (patch) | |
tree | 0f4574a955b501557c04c4381d51dbaa439c9473 /crypto | |
parent | X.509: Check the algorithm IDs obtained from parsing an X.509 certificate (diff) | |
X.509: Handle certificates that lack an authorityKeyIdentifier field
Handle certificates that lack an authorityKeyIdentifier field by assuming
they're self-signed and checking their signatures against themselves.
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Josh Boyer <jwboyer@redhat.com>
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/asymmetric_keys/x509_public_key.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index eb368d4c632c..0f55e3b027a0 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -143,8 +143,8 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
 pkey_algo_name[cert->sig.pkey_algo],
 pkey_hash_algo_name[cert->sig.pkey_hash_algo]);
 
- if (!cert->fingerprint || !cert->authority) {
- pr_warn("Cert for '%s' must have SubjKeyId and AuthKeyId extensions\n",
+ if (!cert->fingerprint) {
+ pr_warn("Cert for '%s' must have a SubjKeyId extension\n",
 cert->subject);
 ret = -EKEYREJECTED;
 goto error_free_cert;
@@ -190,8 +190,9 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
 cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
 cert->pub->id_type = PKEY_ID_X509;
 
- /* Check the signature on the key */
- if (strcmp(cert->fingerprint, cert->authority) == 0) {
+ /* Check the signature on the key if it appears to be self-signed */
+ if (!cert->authority ||
+ strcmp(cert->fingerprint, cert->authority) == 0) {
 ret = x509_check_signature(cert->pub, cert);
 if (ret < 0)
 goto error_free_cert;
|
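Review bot: In the second hunk, a certificate with no AuthKeyId is now always verified against its own public key, so a CA-issued certificate that merely omits the extension fails in `x509_check_signature()` and leaves through `goto error_free_cert` with no log line explaining why. The comment should state that assumption and its consequence, e.g. `/* No AuthKeyId: assume self-signed and verify against the cert's own key; a non-self-signed cert without one is rejected here */`. A diagnostic on that path, such as `pr_warn("Cert for '%s' has no AuthKeyId and is not self-signed\n", cert->subject);`, would replace the message the first hunk removes. The visible lines also leave an asymmetry worth documenting: a certificate whose AuthKeyId differs from its SubjKeyId skips this check entirely, and whether its signature is verified elsewhere cannot be seen from this hunk. The body of x509_key_preparse continues outside both hunks.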