• David Howells's avatar
    X.509: Change recorded SKID & AKID to not include Subject or Issuer · 34c6e4cc
    David Howells authored
    The key identifiers fabricated from an X.509 certificate are currently:
    
     (A) Concatenation of serial number and issuer
    
     (B) Concatenation of subject and subjectKeyID (SKID)
    
    When verifying one X.509 certificate with another, the AKID in the target
    can be used to match the authoritative certificate.  The AKID can specify
    the match in one or both of two ways:
    
     (1) Compare authorityCertSerialNumber and authorityCertIssuer from the AKID
         to identifier (A) above.
    
     (2) Compare keyIdentifier from the AKID plus the issuer from the target
         certificate to identifier (B) above.
    
    When verifying a PKCS#7 message, the only available comparison is between
    the IssuerAndSerialNumber field and identifier (A) above.
    
    However, a subsequent patch adds CMS support.  Whilst CMS still supports a
    match on IssuerAndSerialNumber as for PKCS#7, it also supports an
    alternative - which is the SubjectKeyIdentifier field.  This is used to
    match to an X.509 certificate on the SKID alone.  No subject information is
    available to be used.
    
    To this end change the fabrication of (B) above to be from the X.509 SKID
    alone.  The AKID in keyIdentifier form then only matches on that and does
    not include the issuer.
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Reviewed-By: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
    34c6e4cc
x509_cert_parser.c 14.6 KB