Commit 8dd60980 authored by Dmitry Kasatkin's avatar Dmitry Kasatkin Committed by David Howells

KEYS: use swapped SKID for performing partial matching

Earlier KEYS code used pure subject key identifiers (fingerprint)
for searching keys. Latest merged code removed that and broke
compatibility with integrity subsytem signatures and original
format of module signatures.

This patch returns back partial matching on SKID.
Reported-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: default avatarDmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
parent f1b731db
...@@ -437,9 +437,9 @@ int x509_process_extension(void *context, size_t hdrlen, ...@@ -437,9 +437,9 @@ int x509_process_extension(void *context, size_t hdrlen,
ctx->cert->raw_skid_size = vlen; ctx->cert->raw_skid_size = vlen;
ctx->cert->raw_skid = v; ctx->cert->raw_skid = v;
kid = asymmetric_key_generate_id(v, vlen, kid = asymmetric_key_generate_id(ctx->cert->raw_subject,
ctx->cert->raw_subject, ctx->cert->raw_subject_size,
ctx->cert->raw_subject_size); v, vlen);
if (IS_ERR(kid)) if (IS_ERR(kid))
return PTR_ERR(kid); return PTR_ERR(kid);
ctx->cert->skid = kid; ctx->cert->skid = kid;
...@@ -493,9 +493,9 @@ int x509_process_extension(void *context, size_t hdrlen, ...@@ -493,9 +493,9 @@ int x509_process_extension(void *context, size_t hdrlen,
v += (sub + 2); v += (sub + 2);
} }
kid = asymmetric_key_generate_id(v, vlen, kid = asymmetric_key_generate_id(ctx->cert->raw_issuer,
ctx->cert->raw_issuer, ctx->cert->raw_issuer_size,
ctx->cert->raw_issuer_size); v, vlen);
if (IS_ERR(kid)) if (IS_ERR(kid))
return PTR_ERR(kid); return PTR_ERR(kid);
pr_debug("authkeyid %*phN\n", kid->len, kid->data); pr_debug("authkeyid %*phN\n", kid->len, kid->data);
......
...@@ -19,9 +19,9 @@ struct x509_certificate { ...@@ -19,9 +19,9 @@ struct x509_certificate {
struct public_key_signature sig; /* Signature parameters */ struct public_key_signature sig; /* Signature parameters */
char *issuer; /* Name of certificate issuer */ char *issuer; /* Name of certificate issuer */
char *subject; /* Name of certificate subject */ char *subject; /* Name of certificate subject */
struct asymmetric_key_id *id; /* Issuer + serial number */ struct asymmetric_key_id *id; /* Serial number + issuer */
struct asymmetric_key_id *skid; /* Subject key identifier */ struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */
struct asymmetric_key_id *authority; /* Authority key identifier */ struct asymmetric_key_id *authority; /* Authority key identifier (optional) */
struct tm valid_from; struct tm valid_from;
struct tm valid_to; struct tm valid_to;
const void *tbs; /* Signed data */ const void *tbs; /* Signed data */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment