From patchwork Mon Jan 4 16:40:47 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Zaborowski X-Patchwork-Id: 12020117 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 08C14C433E0 for ; Mon, 4 Jan 2021 16:41:52 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B68BE2225E for ; Mon, 4 Jan 2021 16:41:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727695AbhADQlg (ORCPT ); Mon, 4 Jan 2021 11:41:36 -0500 Received: from mail-wm1-f50.google.com ([209.85.128.50]:52879 "EHLO mail-wm1-f50.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727535AbhADQlg (ORCPT ); Mon, 4 Jan 2021 11:41:36 -0500 Received: by mail-wm1-f50.google.com with SMTP id a6so19044801wmc.2 for ; Mon, 04 Jan 2021 08:41:19 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=5YadX0VnVdpMz++TTCsuhYT1LU32Pp6dnNCMT2ZiJZU=; b=mIQNGonEWmrPUU1+GSplLGA+V0Vtzr6zIC80Yufxi8NxEAFy7xaEbqLRpPknBxKZ+M 0HfR3gPvaGMjk91vGcAluPfmVXzrWhaYFgo4+Co/2kx/SsU0waFSUygdkkZzsQFWqQLI DyMgnv/fAYkXCOxFuFEQwFnIUtq5Z31baJ6Hm8D135DZFaxE7DhzzOtH6zqnGsjQ23hq xG9BGr6oiQc/w7x+SIpQO3+iKwroYAcCIvWJf6FlYBbgR0VqY3ex1dVycLAlmXPeGMH4 Ke6h3ii/nC1TUt/sOo2gbcu3orwAFVoGCifVV/mENl2q7KVt6MKD2xRgupnyetA7gAOU vSog== X-Gm-Message-State: AOAM530wEWfBOyHoWA5DSGDc2MafiLKQoyUr+1S+PCPJop65PRHKAaY6 eYbGsVROjnxW1o+x1I97cSeKvADawrZJ8w== X-Google-Smtp-Source: ABdhPJyQwAblGuohHWNM+tO0uAsoMFbj01FNFs+y080MIwllx65jo2F4KC69bFFIRCelKrsK4j6ThA== X-Received: by 2002:a7b:cd91:: with SMTP id y17mr27813446wmj.5.1609778453921; Mon, 04 Jan 2021 08:40:53 -0800 (PST) Received: from localhost.localdomain ([82.213.213.214]) by smtp.gmail.com with ESMTPSA id s20sm33810524wmj.46.2021.01.04.08.40.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 Jan 2021 08:40:53 -0800 (PST) From: Andrew Zaborowski To: keyrings@vger.kernel.org Cc: David Howells Subject: [PATCH][RESEND#15] keys: Handle missing Authority Key Identifier X509 extension Date: Mon, 4 Jan 2021 17:40:47 +0100 Message-Id: <20210104164048.1378237-1-andrew.zaborowski@intel.com> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org In a self-signed certificate the subject and issuer are the same and so the Authority Key Identifier X.509 v3 extension is explicitly made optional in RFC5280 section 4.2.1.1. crypto/asymmetric_keys/x509_cert_parser.c can't handle this and makes (at least) the restrict.c functions refuse to work with certificates that don't include the AKID. Fix this by filling in the missing cert->sig->auth_ids with the certificate's own IDs after parsing and determinig the certificate is self-signed. The asymmetric_key_generate_id return value is not checked because it's already succeeded once at this point. There are root X.509 v3 certificates in use where this is the case, mostly oldish ones. Signed-off-by: Andrew Zaborowski Acked-by: Jarkko Sakkinen --- crypto/asymmetric_keys/x509_cert_parser.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 26ec20ef489..a5a2f93e242 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -136,6 +136,25 @@ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen) if (ret < 0) goto error_decode; + if (cert->self_signed) { + if (!cert->sig->auth_ids[0]) { + /* Duplicate cert->id */ + kid = asymmetric_key_generate_id(cert->raw_serial, + cert->raw_serial_size, + cert->raw_issuer, + cert->raw_issuer_size); + cert->sig->auth_ids[0] = kid; + } + + if (!cert->sig->auth_ids[1] && cert->skid) { + /* Duplicate cert->skid */ + kid = asymmetric_key_generate_id(cert->raw_skid, + cert->raw_skid_size, + "", 0); + cert->sig->auth_ids[1] = kid; + } + } + kfree(ctx); return cert;