KEYS: use swapped SKID for performing partial matching

Earlier KEYS code used pure subject key identifiers (fingerprint) for searching keys. Latest merged code removed that and broke compatibility with integrity subsytem signatures and original format of module signatures. This patch returns back partial matching on SKID. Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: David Howells <dhowells@redhat.com>

KEYS: use swapped SKID for performing partial matching
Earlier KEYS code used pure subject key identifiers (fingerprint) for searching keys. Latest merged code removed that and broke compatibility with integrity subsytem signatures and original format of module signatures. This patch returns back partial matching on SKID. Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: David Howells <dhowells@redhat.com>
8dd60980 · Dmitry Kasatkin · David Howells · f1b731db · 8dd60980 · 8dd60980
Commit 8dd60980 authored Oct 06, 2014 by Dmitry Kasatkin Committed by David Howells Oct 06, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 9 deletions

crypto/asymmetric_keys/x509_cert_parser.c crypto/asymmetric_keys/x509_cert_parser.c +6 -6

crypto/asymmetric_keys/x509_parser.h crypto/asymmetric_keys/x509_parser.h +3 -3

No files found.
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -437,9 +437,9 @@ int x509_process_extension(void *context, size_t hdrlen,
 		ctx->cert->raw_skid_size = vlen;
 		ctx->cert->raw_skid = v;
-		kid = asymmetric_key_generate_id(v, vlen,
+		kid = asymmetric_key_generate_id(ctx->cert->raw_subject,
-						 ctx->cert->raw_subject,
+						 ctx->cert->raw_subject_size,
-						 ctx->cert->raw_subject_size);
+						 v, vlen);
 		if (IS_ERR(kid))
 			return PTR_ERR(kid);
 		ctx->cert->skid = kid;
@@ -493,9 +493,9 @@ int x509_process_extension(void *context, size_t hdrlen,
 			v += (sub + 2);
 		}
-		kid = asymmetric_key_generate_id(v, vlen,
+		kid = asymmetric_key_generate_id(ctx->cert->raw_issuer,
-						 ctx->cert->raw_issuer,
+						 ctx->cert->raw_issuer_size,
-						 ctx->cert->raw_issuer_size);
+						 v, vlen);
 		if (IS_ERR(kid))
 			return PTR_ERR(kid);
 		pr_debug("authkeyid %*phN\n", kid->len, kid->data);

--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -19,9 +19,9 @@ struct x509_certificate {
 	struct public_key_signature sig;	/* Signature parameters */
 	char		*issuer;		/* Name of certificate issuer */
 	char		*subject;		/* Name of certificate subject */
-	struct asymmetric_key_id *id;		/* Issuer + serial number */
+	struct asymmetric_key_id *id;		/* Serial number + issuer */
-	struct asymmetric_key_id *skid;		/* Subject key identifier */
+	struct asymmetric_key_id *skid;		/* Subject + subjectKeyId (optional) */
-	struct asymmetric_key_id *authority;	/* Authority key identifier */
+	struct asymmetric_key_id *authority;	/* Authority key identifier (optional) */
 	struct tm	valid_from;
 	struct tm	valid_to;
 	const void	*tbs;			/* Signed data */