Message ID | b5e8ede319f374bd7be08c9963487e83cee3496b.1719771133.git.lukas@wunner.de |
---|---|
State | New, archived |
Headers | show |
Series | PCI device authentication | expand |
On Sun, 2024-06-30 at 21:37 +0200, Lukas Wunner wrote: > The upcoming support for PCI device authentication with CMA-SPDM > (PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name > in X.509 certificates. > > Store a pointer to the Subject Alternative Name upon parsing for > consumption by CMA-SPDM. > > Signed-off-by: Lukas Wunner <lukas@wunner.de> > Reviewed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com> > Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com> > Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> > Acked-by: Dan Williams <dan.j.williams@intel.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Alistair > --- > crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++ > include/keys/x509-parser.h | 2 ++ > 2 files changed, 11 insertions(+) > > diff --git a/crypto/asymmetric_keys/x509_cert_parser.c > b/crypto/asymmetric_keys/x509_cert_parser.c > index 25cc4273472f..92314e4854f1 100644 > --- a/crypto/asymmetric_keys/x509_cert_parser.c > +++ b/crypto/asymmetric_keys/x509_cert_parser.c > @@ -588,6 +588,15 @@ int x509_process_extension(void *context, size_t > hdrlen, > return 0; > } > > + if (ctx->last_oid == OID_subjectAltName) { > + if (ctx->cert->raw_san) > + return -EBADMSG; > + > + ctx->cert->raw_san = v; > + ctx->cert->raw_san_size = vlen; > + return 0; > + } > + > if (ctx->last_oid == OID_keyUsage) { > /* > * Get hold of the keyUsage bit string > diff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h > index 37436a5c7526..8e450befe3b9 100644 > --- a/include/keys/x509-parser.h > +++ b/include/keys/x509-parser.h > @@ -36,6 +36,8 @@ struct x509_certificate { > unsigned raw_subject_size; > unsigned raw_skid_size; > const void *raw_skid; /* Raw subjectKeyId > in ASN.1 */ > + const void *raw_san; /* Raw > subjectAltName in ASN.1 */ > + unsigned raw_san_size; > unsigned index; > bool seen; /* Infinite > recursion prevention */ > bool verified;
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 25cc4273472f..92314e4854f1 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -588,6 +588,15 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_subjectAltName) { + if (ctx->cert->raw_san) + return -EBADMSG; + + ctx->cert->raw_san = v; + ctx->cert->raw_san_size = vlen; + return 0; + } + if (ctx->last_oid == OID_keyUsage) { /* * Get hold of the keyUsage bit string diff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h index 37436a5c7526..8e450befe3b9 100644 --- a/include/keys/x509-parser.h +++ b/include/keys/x509-parser.h @@ -36,6 +36,8 @@ struct x509_certificate { unsigned raw_subject_size; unsigned raw_skid_size; const void *raw_skid; /* Raw subjectKeyId in ASN.1 */ + const void *raw_san; /* Raw subjectAltName in ASN.1 */ + unsigned raw_san_size; unsigned index; bool seen; /* Infinite recursion prevention */ bool verified;