| Message ID | 20220406015337.4000739-4-eric.snowberg@oracle.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Add CA enforcement keyring restrictions | expand |
On Tue, 2022-04-05 at 21:53 -0400, Eric Snowberg wrote: > Parse the X.509 Key Usage. The key usage extension defines the purpose of > the key contained in the certificate. > > id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } > > KeyUsage ::= BIT STRING { > digitalSignature (0), > contentCommitment (1), > keyEncipherment (2), > dataEncipherment (3), > keyAgreement (4), > keyCertSign (5), > cRLSign (6), > encipherOnly (7), > decipherOnly (8) } > > If the keyCertSign is set, store it in the x509_certificate structure. > This will be used in a follow on patch that requires knowing the > certificate key usage type. > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > --- > crypto/asymmetric_keys/x509_cert_parser.c | 20 ++++++++++++++++++++ > crypto/asymmetric_keys/x509_parser.h | 1 + > 2 files changed, 21 insertions(+) > > diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c > index 30f7374ea9c0..a89f1e0c8a0f 100644 > --- a/crypto/asymmetric_keys/x509_cert_parser.c > +++ b/crypto/asymmetric_keys/x509_cert_parser.c > @@ -576,6 +576,26 @@ int x509_process_extension(void *context, size_t hdrlen, > return 0; > } > > + if (ctx->last_oid == OID_keyUsage) { > + /* > + * Get hold of the keyUsage bit string to validate keyCertSign > + * v[1] is the encoding size > + * (Expect either 0x02 or 0x03, making it 1 or 2 bytes) > + * v[2] is the number of unused bits in the bit string > + * (If >= 3 keyCertSign is missing) > + * v[3] and possibly v[4] contain the bit string > + * 0x04 is where KeyCertSign lands in this bit string (from > + * RFC 5280 4.2.1.3) > + */ > + if (v[0] != ASN1_BTS || vlen < 4) > + return -EBADMSG; > + if (v[1] == 0x02 && v[2] <= 2 && (v[3] & 0x04)) > + ctx->cert->is_kcs_set = true; > + else if (vlen > 4 && v[1] == 0x03 && (v[3] & 0x04)) > + ctx->cert->is_kcs_set = true; > + return 0; > + } > + > if (ctx->last_oid == OID_authorityKeyIdentifier) { > /* Get hold of the CA key fingerprint */ > ctx->raw_akid = v; > diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h > index dc45df9f6594..d6ac0985d8a5 100644 > --- a/crypto/asymmetric_keys/x509_parser.h > +++ b/crypto/asymmetric_keys/x509_parser.h > @@ -39,6 +39,7 @@ struct x509_certificate { > bool unsupported_sig; /* T if signature uses unsupported crypto */ > bool blacklisted; > bool is_root_ca; /* T if basic constraints CA is set */ > + bool is_kcs_set; /* T if keyCertSign is set */ > }; Again there is no need to prefix the variable with "is_" or suffix it with "set". Simply naming the variable "cert_signing" or "keycertsign", like "self_signed", will improve code readability. thanks, Mimi
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 30f7374ea9c0..a89f1e0c8a0f 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -576,6 +576,26 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_keyUsage) { + /* + * Get hold of the keyUsage bit string to validate keyCertSign + * v[1] is the encoding size + * (Expect either 0x02 or 0x03, making it 1 or 2 bytes) + * v[2] is the number of unused bits in the bit string + * (If >= 3 keyCertSign is missing) + * v[3] and possibly v[4] contain the bit string + * 0x04 is where KeyCertSign lands in this bit string (from + * RFC 5280 4.2.1.3) + */ + if (v[0] != ASN1_BTS || vlen < 4) + return -EBADMSG; + if (v[1] == 0x02 && v[2] <= 2 && (v[3] & 0x04)) + ctx->cert->is_kcs_set = true; + else if (vlen > 4 && v[1] == 0x03 && (v[3] & 0x04)) + ctx->cert->is_kcs_set = true; + return 0; + } + if (ctx->last_oid == OID_authorityKeyIdentifier) { /* Get hold of the CA key fingerprint */ ctx->raw_akid = v; diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h index dc45df9f6594..d6ac0985d8a5 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++ b/crypto/asymmetric_keys/x509_parser.h @@ -39,6 +39,7 @@ struct x509_certificate { bool unsupported_sig; /* T if signature uses unsupported crypto */ bool blacklisted; bool is_root_ca; /* T if basic constraints CA is set */ + bool is_kcs_set; /* T if keyCertSign is set */ }; /*
Parse the X.509 Key Usage. The key usage extension defines the purpose of the key contained in the certificate. id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } KeyUsage ::= BIT STRING { digitalSignature (0), contentCommitment (1), keyEncipherment (2), dataEncipherment (3), keyAgreement (4), keyCertSign (5), cRLSign (6), encipherOnly (7), decipherOnly (8) } If the keyCertSign is set, store it in the x509_certificate structure. This will be used in a follow on patch that requires knowing the certificate key usage type. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- crypto/asymmetric_keys/x509_cert_parser.c | 20 ++++++++++++++++++++ crypto/asymmetric_keys/x509_parser.h | 1 + 2 files changed, 21 insertions(+)