X.509: If available, use the raw subjKeyId to form the key description

Module signing matches keys by comparing against the key description exactly. However, the way the key description gets constructed got changed to be composed of the subject name plus the certificate serial number instead of the subject name and the subjectKeyId. I changed this to avoid problems with certificates that don't *have* a subjectKeyId. Instead, if available, use the raw subjectKeyId to form the key description and only use the serial number if the subjectKeyId doesn't exist. Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: David Howells <dhowells@redhat.com>
author: David Howells <dhowells@redhat.com> 2014-10-03 16:17:02 +0100
committer: David Howells <dhowells@redhat.com> 2014-10-03 16:17:02 +0100
commit: dd2f6c4481debfa389c1f2b2b1d5bd6449c42611 (patch)
tree: efdec24c56f02377b3edf6660d4775cf0c804e30 /crypto/asymmetric_keys/x509_parser.h
parent: 40b50e80c5ca78b3164d79d39b4889c4e58f462e (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index 4e1a384901ed..3f0f0f081621 100644
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -34,6 +34,8 @@ struct x509_certificate {
 	const void	*raw_issuer;		/* Raw issuer name in ASN.1 */
 	const void	*raw_subject;		/* Raw subject name in ASN.1 */
 	unsigned	raw_subject_size;
+	unsigned	raw_skid_size;
+	const void	*raw_skid;		/* Raw subjectKeyId in ASN.1 */
 	unsigned	index;
 	bool		seen;			/* Infinite recursion prevention */
 	bool		verified;
author	David Howells <dhowells@redhat.com>	2014-10-03 16:17:02 +0100
committer	David Howells <dhowells@redhat.com>	2014-10-03 16:17:02 +0100
commit	dd2f6c4481debfa389c1f2b2b1d5bd6449c42611 (patch)
tree	efdec24c56f02377b3edf6660d4775cf0c804e30 /crypto/asymmetric_keys/x509_parser.h
parent	40b50e80c5ca78b3164d79d39b4889c4e58f462e (diff)