22 Apr, 2013

1 commit

  • Per the X.509 spec, section 4.2.1.1, the structure of the Authority Key
    Identifier extension is:

    AuthorityKeyIdentifier ::= SEQUENCE {
        keyIdentifier             [0] KeyIdentifier           OPTIONAL,
        authorityCertIssuer       [1] GeneralNames            OPTIONAL,
        authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }

    KeyIdentifier ::= OCTET STRING

    When a certificate also provides authorityCertIssuer and
    authorityCertSerialNumber, the length of the AuthorityKeyIdentifier
    SEQUENCE is likely to be in long form format.
    e.g.
    The example certificate demos/tunala/A-server.pem in the openssl source:

    X509v3 Authority Key Identifier:
    keyid:49:FB:45:72:12:C4:CC:E1:45:A1:D3:08:9E:95:C4:2C:6D:55:3F:17
    DirName:/C=NZ/L=Wellington/O=Really Irresponsible Authorisation Authority (RIAA)/OU=Cert-stamping/CN=Jackov al-Trades/emailAddress=none@fake.domain
    serial:00

    The current parsing rule for OID_authorityKeyIdentifier only takes care of
    the short form format, which causes loading the certificate into
    modsign_keyring to fail:

    [ 12.061147] X.509: Extension: 47
    [ 12.075121] MODSIGN: Problem loading in-kernel X.509 certificate (-74)

    So, this patch adds the parsing rule to support the long form format for
    the Authority Key Identifier.

    v3:
    Changed the size check in the "Short Form length" case; we allow v[3] to be
    smaller than (vlen - 4) because authorityCertIssuer and
    authorityCertSerialNumber may also be attached in the AuthorityKeyIdentifier
    sequence.

    v2:
    - Removed comma from author's name.
    - Moved 'Short Form length' comment inside the if-body.
    - Changed the type of sub to size_t.
    - Used ASN1_INDEFINITE_LENGTH rather than writing 0x80 and 127.
    - Moved the key_len value assignment before altering v.
    - Fixed the typo of octets.
    - Added 2 to v before entering the loop to calculate the length.
    - Removed the comment about checking vlen.

    Cc: Rusty Russell
    Cc: Josh Boyer
    Cc: Randy Dunlap
    Cc: Herbert Xu
    Cc: "David S. Miller"
    Acked-by: David Howells
    Signed-off-by: Chun-Yi Lee
    Signed-off-by: Rusty Russell

    Chun-Yi Lee
     
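As an added illustration of the length handling the commit above describes (example code written for this page, not the kernel's x509_cert_parser.c and not part of the commit): a small DER length decoder that accepts both the short form (one octet, 0..127) and the long form (0x81..0x84 followed by that many length octets), used to walk an AuthorityKeyIdentifier SEQUENCE and pick out the [0], [1] and [2] fields. The sample extension is constructed in the code; the only value taken from the commit message is the 20-byte keyid, and the [1] field is an rfc822Name rather than the DirName in the quoted certificate, since only the total length matters for the short/long form point. All helper names (der_length, der_next, parse_aki, der_wrap, build_sample_aki) are this example's own.

```c
/* Added example, not kernel code: DER length decoding (short and long form)
 * applied to an X.509 AuthorityKeyIdentifier SEQUENCE. The sample extension
 * is constructed below; only the 20-byte keyid comes from the commit message. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ASN1_INDEFINITE_LENGTH 0x80

struct der_elem { uint8_t tag; const uint8_t *data; size_t len, total; };

/* Decode the DER length octets at v. Returns how many length octets were
 * consumed (1 for short form, 1+n for long form), 0 on error. Indefinite
 * length (0x80), 0xff and non-minimal encodings are rejected (DER rules). */
static size_t der_length(const uint8_t *v, size_t avail, size_t *len)
{
	size_t n, i, l = 0;
	if (avail < 1)
		return 0;
	if (v[0] < ASN1_INDEFINITE_LENGTH) {		/* short form: 0..127 */
		*len = v[0];
		return 1;
	}
	if (v[0] == ASN1_INDEFINITE_LENGTH || v[0] == 0xff)
		return 0;
	n = v[0] & 0x7f;				/* long form: n more octets */
	if (n > sizeof(size_t) || avail < 1 + n)
		return 0;
	for (i = 1; i <= n; i++)
		l = (l << 8) | v[i];
	if (l < 0x80 || v[1] == 0)			/* a shorter form would fit */
		return 0;
	*len = l;
	return 1 + n;
}

/* Read one TLV at v, verifying that it fits within avail bytes. */
static int der_next(const uint8_t *v, size_t avail, struct der_elem *e)
{
	size_t hl, len;
	if (avail < 2 || !(hl = der_length(v + 1, avail - 1, &len)) ||
	    len > avail - 1 - hl)
		return -1;
	e->tag = v[0];
	e->data = v + 1 + hl;
	e->len = len;
	e->total = 1 + hl + len;
	return 0;
}

struct aki { const uint8_t *keyid; size_t keyid_len; int has_issuer, has_serial;
	     size_t seq_hdr_len; /* 2 for a short form SEQUENCE, 3+ for long form */ };

/* Walk the AuthorityKeyIdentifier SEQUENCE. [1] and [2] are skipped as opaque
 * TLVs; they matter only because they push the outer length past 127 bytes. */
static int parse_aki(const uint8_t *v, size_t vlen, struct aki *out)
{
	struct der_elem seq, e;
	const uint8_t *p;
	size_t rem;
	memset(out, 0, sizeof(*out));
	if (der_next(v, vlen, &seq) || seq.tag != 0x30 || seq.total != vlen)
		return -1;
	out->seq_hdr_len = seq.total - seq.len;
	p = seq.data; rem = seq.len;
	while (rem) {
		if (der_next(p, rem, &e))
			return -1;
		switch (e.tag) {
		case 0x80: out->keyid = e.data; out->keyid_len = e.len; break; /* [0] */
		case 0xa1: out->has_issuer = 1; break;	/* [1] GeneralNames */
		case 0x82: out->has_serial = 1; break;	/* [2] serial number */
		default: return -1;
		}
		p += e.total; rem -= e.total;
	}
	return out->keyid ? 0 : -1;
}

/* Prefix the len (< 256) content bytes already in buf with tag and a minimal
 * DER length, in place; buf needs 3 spare bytes. Returns the new length. */
static size_t der_wrap(uint8_t tag, uint8_t *buf, size_t len)
{
	size_t h = len < 0x80 ? 2 : 3;
	memmove(buf + h, buf, len);
	buf[0] = tag;
	if (h == 2)
		buf[1] = (uint8_t)len;
	else
		buf[1] = 0x81, buf[2] = (uint8_t)len;
	return h + len;
}

/* Constructed sample: keyid, a [1] GeneralNames holding one rfc822Name of
 * name_len filler bytes, and serial 00. Content length is name_len + 29, so
 * name_len >= 99 forces the outer SEQUENCE into long form. 0 = buffer too small. */
static size_t build_sample_aki(uint8_t *out, size_t out_size, size_t name_len)
{
	static const uint8_t keyid[20] = {
		0x49, 0xfb, 0x45, 0x72, 0x12, 0xc4, 0xcc, 0xe1, 0x45, 0xa1,
		0xd3, 0x08, 0x9e, 0x95, 0xc4, 0x2c, 0x6d, 0x55, 0x3f, 0x17 };
	uint8_t *p = out;
	size_t n;
	if (name_len > 125 || out_size < name_len + 48)
		return 0;
	*p++ = 0x80; *p++ = sizeof(keyid);		/* [0] keyIdentifier */
	memcpy(p, keyid, sizeof(keyid)); p += sizeof(keyid);
	memset(p, 'a', name_len);			/* rfc822Name body (filler) */
	n = der_wrap(0x81, p, name_len);		/* GeneralName rfc822Name [1] */
	p += der_wrap(0xa1, p, n);			/* [1] authorityCertIssuer */
	*p++ = 0x82; *p++ = 0x01; *p++ = 0x00;		/* [2] serial 00 */
	return der_wrap(0x30, out, (size_t)(p - out));	/* AuthorityKeyIdentifier */
}
```

A parser that reads only v[1] as the SEQUENCE length (the short form assumption) sees 0x81 for the constructed 139-byte sample and miscomputes where the keyIdentifier starts, which is the failure the commit describes; der_length handles both forms and additionally rejects indefinite and non-minimal lengths, which DER forbids and which a certificate parser should never accept.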

10 Oct, 2012

2 commits

  • Fix printk format warning in x509_cert_parser.c:

    crypto/asymmetric_keys/x509_cert_parser.c: In function 'x509_note_OID':
    crypto/asymmetric_keys/x509_cert_parser.c:113:3: warning: format '%zu' expects type 'size_t', but argument 2 has type 'long unsigned int'

    Builds cleanly on i386 and x86_64.

    Signed-off-by: Randy Dunlap
    Cc: David Howells
    Cc: Herbert Xu
    Cc: linux-crypto@vger.kernel.org
    Signed-off-by: Rusty Russell

    Randy Dunlap
     
  • The current choice of lifetime for the autogenerated X.509 certificate, 100
    years, putting the validTo date in 2112, causes problems on 32-bit systems
    where a 32-bit time_t wraps in 2106. 64-bit x86_64 systems seem to be unaffected.

    This can result in something like:

    Loading module verification certificates
    X.509: Cert 6e03943da0f3b015ba6ed7f5e0cac4fe48680994 has expired
    MODSIGN: Problem loading in-kernel X.509 certificate (-127)

    Or:

    X.509: Cert 6e03943da0f3b015ba6ed7f5e0cac4fe48680994 is not yet valid
    MODSIGN: Problem loading in-kernel X.509 certificate (-129)

    Instead of turning the dates into time_t values and comparing, turn the system
    clock and the ASN.1 dates into tm structs and compare those piecemeal instead.

    Reported-by: Rusty Russell
    Signed-off-by: David Howells
    Acked-by: Josh Boyer
    Signed-off-by: Rusty Russell

    David Howells
     

08 Oct, 2012

1 commit