1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* X.509 certificate parser 3 * 4 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #define pr_fmt(fmt) "X.509: "fmt 9 #include <linux/kernel.h> 10 #include <linux/export.h> 11 #include <linux/slab.h> 12 #include <linux/err.h> 13 #include <linux/oid_registry.h> 14 #include <crypto/public_key.h> 15 #include "x509_parser.h" 16 #include "x509.asn1.h" 17 #include "x509_akid.asn1.h" 18 19 struct x509_parse_context { 20 struct x509_certificate *cert; /* Certificate being constructed */ 21 unsigned long data; /* Start of data */ 22 const void *key; /* Key data */ 23 size_t key_size; /* Size of key data */ 24 const void *params; /* Key parameters */ 25 size_t params_size; /* Size of key parameters */ 26 enum OID key_algo; /* Algorithm used by the cert's key */ 27 enum OID last_oid; /* Last OID encountered */ 28 enum OID sig_algo; /* Algorithm used to sign the cert */ 29 u8 o_size; /* Size of organizationName (O) */ 30 u8 cn_size; /* Size of commonName (CN) */ 31 u8 email_size; /* Size of emailAddress */ 32 u16 o_offset; /* Offset of organizationName (O) */ 33 u16 cn_offset; /* Offset of commonName (CN) */ 34 u16 email_offset; /* Offset of emailAddress */ 35 unsigned raw_akid_size; 36 const void *raw_akid; /* Raw authorityKeyId in ASN.1 */ 37 const void *akid_raw_issuer; /* Raw directoryName in authorityKeyId */ 38 unsigned akid_raw_issuer_size; 39 }; 40 41 /* 42 * Free an X.509 certificate 43 */ 44 void x509_free_certificate(struct x509_certificate *cert) 45 { 46 if (cert) { 47 public_key_free(cert->pub); 48 public_key_signature_free(cert->sig); 49 kfree(cert->issuer); 50 kfree(cert->subject); 51 kfree(cert->id); 52 kfree(cert->skid); 53 kfree(cert); 54 } 55 } 56 EXPORT_SYMBOL_GPL(x509_free_certificate); 57 58 /* 59 * Parse an X.509 certificate 60 */ 61 struct x509_certificate *x509_cert_parse(const void *data, size_t datalen) 62 { 63 struct x509_certificate *cert; 64 struct x509_parse_context *ctx; 65 struct asymmetric_key_id *kid; 66 long ret; 67 68 ret = -ENOMEM; 69 cert = kzalloc(sizeof(struct x509_certificate), GFP_KERNEL); 70 if (!cert) 71 goto error_no_cert; 72 cert->pub = kzalloc(sizeof(struct public_key), GFP_KERNEL); 73 if (!cert->pub) 74 goto error_no_ctx; 75 cert->sig = kzalloc(sizeof(struct public_key_signature), GFP_KERNEL); 76 if (!cert->sig) 77 goto error_no_ctx; 78 ctx = kzalloc(sizeof(struct x509_parse_context), GFP_KERNEL); 79 if (!ctx) 80 goto error_no_ctx; 81 82 ctx->cert = cert; 83 ctx->data = (unsigned long)data; 84 85 /* Attempt to decode the certificate */ 86 ret = asn1_ber_decoder(&x509_decoder, ctx, data, datalen); 87 if (ret < 0) 88 goto error_decode; 89 90 /* Decode the AuthorityKeyIdentifier */ 91 if (ctx->raw_akid) { 92 pr_devel("AKID: %u %*phN\n", 93 ctx->raw_akid_size, ctx->raw_akid_size, ctx->raw_akid); 94 ret = asn1_ber_decoder(&x509_akid_decoder, ctx, 95 ctx->raw_akid, ctx->raw_akid_size); 96 if (ret < 0) { 97 pr_warn("Couldn't decode AuthKeyIdentifier\n"); 98 goto error_decode; 99 } 100 } 101 102 ret = -ENOMEM; 103 cert->pub->key = kmemdup(ctx->key, ctx->key_size, GFP_KERNEL); 104 if (!cert->pub->key) 105 goto error_decode; 106 107 cert->pub->keylen = ctx->key_size; 108 109 cert->pub->params = kmemdup(ctx->params, ctx->params_size, GFP_KERNEL); 110 if (!cert->pub->params) 111 goto error_decode; 112 113 cert->pub->paramlen = ctx->params_size; 114 cert->pub->algo = ctx->key_algo; 115 116 /* Grab the signature bits */ 117 ret = x509_get_sig_params(cert); 118 if (ret < 0) 119 goto error_decode; 120 121 /* Generate cert issuer + serial number key ID */ 122 kid = asymmetric_key_generate_id(cert->raw_serial, 123 cert->raw_serial_size, 124 cert->raw_issuer, 125 cert->raw_issuer_size); 126 if (IS_ERR(kid)) { 127 ret = PTR_ERR(kid); 128 goto error_decode; 129 } 130 cert->id = kid; 131 132 /* Detect self-signed certificates */ 133 ret = x509_check_for_self_signed(cert); 134 if (ret < 0) 135 goto error_decode; 136 137 kfree(ctx); 138 return cert; 139 140 error_decode: 141 kfree(ctx); 142 error_no_ctx: 143 x509_free_certificate(cert); 144 error_no_cert: 145 return ERR_PTR(ret); 146 } 147 EXPORT_SYMBOL_GPL(x509_cert_parse); 148 149 /* 150 * Note an OID when we find one for later processing when we know how 151 * to interpret it. 152 */ 153 int x509_note_OID(void *context, size_t hdrlen, 154 unsigned char tag, 155 const void *value, size_t vlen) 156 { 157 struct x509_parse_context *ctx = context; 158 159 ctx->last_oid = look_up_OID(value, vlen); 160 if (ctx->last_oid == OID__NR) { 161 char buffer[50]; 162 sprint_oid(value, vlen, buffer, sizeof(buffer)); 163 pr_debug("Unknown OID: [%lu] %s\n", 164 (unsigned long)value - ctx->data, buffer); 165 } 166 return 0; 167 } 168 169 /* 170 * Save the position of the TBS data so that we can check the signature over it 171 * later. 172 */ 173 int x509_note_tbs_certificate(void *context, size_t hdrlen, 174 unsigned char tag, 175 const void *value, size_t vlen) 176 { 177 struct x509_parse_context *ctx = context; 178 179 pr_debug("x509_note_tbs_certificate(,%zu,%02x,%ld,%zu)!\n", 180 hdrlen, tag, (unsigned long)value - ctx->data, vlen); 181 182 ctx->cert->tbs = value - hdrlen; 183 ctx->cert->tbs_size = vlen + hdrlen; 184 return 0; 185 } 186 187 /* 188 * Record the algorithm that was used to sign this certificate. 189 */ 190 int x509_note_sig_algo(void *context, size_t hdrlen, unsigned char tag, 191 const void *value, size_t vlen) 192 { 193 struct x509_parse_context *ctx = context; 194 195 pr_debug("PubKey Algo: %u\n", ctx->last_oid); 196 197 switch (ctx->last_oid) { 198 case OID_md2WithRSAEncryption: 199 case OID_md3WithRSAEncryption: 200 default: 201 return -ENOPKG; /* Unsupported combination */ 202 203 case OID_md4WithRSAEncryption: 204 ctx->cert->sig->hash_algo = "md4"; 205 goto rsa_pkcs1; 206 207 case OID_sha1WithRSAEncryption: 208 ctx->cert->sig->hash_algo = "sha1"; 209 goto rsa_pkcs1; 210 211 case OID_sha256WithRSAEncryption: 212 ctx->cert->sig->hash_algo = "sha256"; 213 goto rsa_pkcs1; 214 215 case OID_sha384WithRSAEncryption: 216 ctx->cert->sig->hash_algo = "sha384"; 217 goto rsa_pkcs1; 218 219 case OID_sha512WithRSAEncryption: 220 ctx->cert->sig->hash_algo = "sha512"; 221 goto rsa_pkcs1; 222 223 case OID_sha224WithRSAEncryption: 224 ctx->cert->sig->hash_algo = "sha224"; 225 goto rsa_pkcs1; 226 227 case OID_id_ecdsa_with_sha1: 228 ctx->cert->sig->hash_algo = "sha1"; 229 goto ecdsa; 230 231 case OID_id_ecdsa_with_sha224: 232 ctx->cert->sig->hash_algo = "sha224"; 233 goto ecdsa; 234 235 case OID_id_ecdsa_with_sha256: 236 ctx->cert->sig->hash_algo = "sha256"; 237 goto ecdsa; 238 239 case OID_id_ecdsa_with_sha384: 240 ctx->cert->sig->hash_algo = "sha384"; 241 goto ecdsa; 242 243 case OID_id_ecdsa_with_sha512: 244 ctx->cert->sig->hash_algo = "sha512"; 245 goto ecdsa; 246 247 case OID_gost2012Signature256: 248 ctx->cert->sig->hash_algo = "streebog256"; 249 goto ecrdsa; 250 251 case OID_gost2012Signature512: 252 ctx->cert->sig->hash_algo = "streebog512"; 253 goto ecrdsa; 254 255 case OID_SM2_with_SM3: 256 ctx->cert->sig->hash_algo = "sm3"; 257 goto sm2; 258 } 259 260 rsa_pkcs1: 261 ctx->cert->sig->pkey_algo = "rsa"; 262 ctx->cert->sig->encoding = "pkcs1"; 263 ctx->sig_algo = ctx->last_oid; 264 return 0; 265 ecrdsa: 266 ctx->cert->sig->pkey_algo = "ecrdsa"; 267 ctx->cert->sig->encoding = "raw"; 268 ctx->sig_algo = ctx->last_oid; 269 return 0; 270 sm2: 271 ctx->cert->sig->pkey_algo = "sm2"; 272 ctx->cert->sig->encoding = "raw"; 273 ctx->sig_algo = ctx->last_oid; 274 return 0; 275 ecdsa: 276 ctx->cert->sig->pkey_algo = "ecdsa"; 277 ctx->cert->sig->encoding = "x962"; 278 ctx->sig_algo = ctx->last_oid; 279 return 0; 280 } 281 282 /* 283 * Note the whereabouts and type of the signature. 284 */ 285 int x509_note_signature(void *context, size_t hdrlen, 286 unsigned char tag, 287 const void *value, size_t vlen) 288 { 289 struct x509_parse_context *ctx = context; 290 291 pr_debug("Signature: alg=%u, size=%zu\n", ctx->last_oid, vlen); 292 293 /* 294 * In X.509 certificates, the signature's algorithm is stored in two 295 * places: inside the TBSCertificate (the data that is signed), and 296 * alongside the signature. These *must* match. 297 */ 298 if (ctx->last_oid != ctx->sig_algo) { 299 pr_warn("signatureAlgorithm (%u) differs from tbsCertificate.signature (%u)\n", 300 ctx->last_oid, ctx->sig_algo); 301 return -EINVAL; 302 } 303 304 if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0 || 305 strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0 || 306 strcmp(ctx->cert->sig->pkey_algo, "sm2") == 0 || 307 strcmp(ctx->cert->sig->pkey_algo, "ecdsa") == 0) { 308 /* Discard the BIT STRING metadata */ 309 if (vlen < 1 || *(const u8 *)value != 0) 310 return -EBADMSG; 311 312 value++; 313 vlen--; 314 } 315 316 ctx->cert->raw_sig = value; 317 ctx->cert->raw_sig_size = vlen; 318 return 0; 319 } 320 321 /* 322 * Note the certificate serial number 323 */ 324 int x509_note_serial(void *context, size_t hdrlen, 325 unsigned char tag, 326 const void *value, size_t vlen) 327 { 328 struct x509_parse_context *ctx = context; 329 ctx->cert->raw_serial = value; 330 ctx->cert->raw_serial_size = vlen; 331 return 0; 332 } 333 334 /* 335 * Note some of the name segments from which we'll fabricate a name. 336 */ 337 int x509_extract_name_segment(void *context, size_t hdrlen, 338 unsigned char tag, 339 const void *value, size_t vlen) 340 { 341 struct x509_parse_context *ctx = context; 342 343 switch (ctx->last_oid) { 344 case OID_commonName: 345 ctx->cn_size = vlen; 346 ctx->cn_offset = (unsigned long)value - ctx->data; 347 break; 348 case OID_organizationName: 349 ctx->o_size = vlen; 350 ctx->o_offset = (unsigned long)value - ctx->data; 351 break; 352 case OID_email_address: 353 ctx->email_size = vlen; 354 ctx->email_offset = (unsigned long)value - ctx->data; 355 break; 356 default: 357 break; 358 } 359 360 return 0; 361 } 362 363 /* 364 * Fabricate and save the issuer and subject names 365 */ 366 static int x509_fabricate_name(struct x509_parse_context *ctx, size_t hdrlen, 367 unsigned char tag, 368 char **_name, size_t vlen) 369 { 370 const void *name, *data = (const void *)ctx->data; 371 size_t namesize; 372 char *buffer; 373 374 if (*_name) 375 return -EINVAL; 376 377 /* Empty name string if no material */ 378 if (!ctx->cn_size && !ctx->o_size && !ctx->email_size) { 379 buffer = kmalloc(1, GFP_KERNEL); 380 if (!buffer) 381 return -ENOMEM; 382 buffer[0] = 0; 383 goto done; 384 } 385 386 if (ctx->cn_size && ctx->o_size) { 387 /* Consider combining O and CN, but use only the CN if it is 388 * prefixed by the O, or a significant portion thereof. 389 */ 390 namesize = ctx->cn_size; 391 name = data + ctx->cn_offset; 392 if (ctx->cn_size >= ctx->o_size && 393 memcmp(data + ctx->cn_offset, data + ctx->o_offset, 394 ctx->o_size) == 0) 395 goto single_component; 396 if (ctx->cn_size >= 7 && 397 ctx->o_size >= 7 && 398 memcmp(data + ctx->cn_offset, data + ctx->o_offset, 7) == 0) 399 goto single_component; 400 401 buffer = kmalloc(ctx->o_size + 2 + ctx->cn_size + 1, 402 GFP_KERNEL); 403 if (!buffer) 404 return -ENOMEM; 405 406 memcpy(buffer, 407 data + ctx->o_offset, ctx->o_size); 408 buffer[ctx->o_size + 0] = ':'; 409 buffer[ctx->o_size + 1] = ' '; 410 memcpy(buffer + ctx->o_size + 2, 411 data + ctx->cn_offset, ctx->cn_size); 412 buffer[ctx->o_size + 2 + ctx->cn_size] = 0; 413 goto done; 414 415 } else if (ctx->cn_size) { 416 namesize = ctx->cn_size; 417 name = data + ctx->cn_offset; 418 } else if (ctx->o_size) { 419 namesize = ctx->o_size; 420 name = data + ctx->o_offset; 421 } else { 422 namesize = ctx->email_size; 423 name = data + ctx->email_offset; 424 } 425 426 single_component: 427 buffer = kmalloc(namesize + 1, GFP_KERNEL); 428 if (!buffer) 429 return -ENOMEM; 430 memcpy(buffer, name, namesize); 431 buffer[namesize] = 0; 432 433 done: 434 *_name = buffer; 435 ctx->cn_size = 0; 436 ctx->o_size = 0; 437 ctx->email_size = 0; 438 return 0; 439 } 440 441 int x509_note_issuer(void *context, size_t hdrlen, 442 unsigned char tag, 443 const void *value, size_t vlen) 444 { 445 struct x509_parse_context *ctx = context; 446 struct asymmetric_key_id *kid; 447 448 ctx->cert->raw_issuer = value; 449 ctx->cert->raw_issuer_size = vlen; 450 451 if (!ctx->cert->sig->auth_ids[2]) { 452 kid = asymmetric_key_generate_id(value, vlen, "", 0); 453 if (IS_ERR(kid)) 454 return PTR_ERR(kid); 455 ctx->cert->sig->auth_ids[2] = kid; 456 } 457 458 return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->issuer, vlen); 459 } 460 461 int x509_note_subject(void *context, size_t hdrlen, 462 unsigned char tag, 463 const void *value, size_t vlen) 464 { 465 struct x509_parse_context *ctx = context; 466 ctx->cert->raw_subject = value; 467 ctx->cert->raw_subject_size = vlen; 468 return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->subject, vlen); 469 } 470 471 /* 472 * Extract the parameters for the public key 473 */ 474 int x509_note_params(void *context, size_t hdrlen, 475 unsigned char tag, 476 const void *value, size_t vlen) 477 { 478 struct x509_parse_context *ctx = context; 479 480 /* 481 * AlgorithmIdentifier is used three times in the x509, we should skip 482 * first and ignore third, using second one which is after subject and 483 * before subjectPublicKey. 484 */ 485 if (!ctx->cert->raw_subject || ctx->key) 486 return 0; 487 ctx->params = value - hdrlen; 488 ctx->params_size = vlen + hdrlen; 489 return 0; 490 } 491 492 /* 493 * Extract the data for the public key algorithm 494 */ 495 int x509_extract_key_data(void *context, size_t hdrlen, 496 unsigned char tag, 497 const void *value, size_t vlen) 498 { 499 struct x509_parse_context *ctx = context; 500 enum OID oid; 501 502 ctx->key_algo = ctx->last_oid; 503 switch (ctx->last_oid) { 504 case OID_rsaEncryption: 505 ctx->cert->pub->pkey_algo = "rsa"; 506 break; 507 case OID_gost2012PKey256: 508 case OID_gost2012PKey512: 509 ctx->cert->pub->pkey_algo = "ecrdsa"; 510 break; 511 case OID_id_ecPublicKey: 512 if (parse_OID(ctx->params, ctx->params_size, &oid) != 0) 513 return -EBADMSG; 514 515 switch (oid) { 516 case OID_sm2: 517 ctx->cert->pub->pkey_algo = "sm2"; 518 break; 519 case OID_id_prime192v1: 520 ctx->cert->pub->pkey_algo = "ecdsa-nist-p192"; 521 break; 522 case OID_id_prime256v1: 523 ctx->cert->pub->pkey_algo = "ecdsa-nist-p256"; 524 break; 525 case OID_id_ansip384r1: 526 ctx->cert->pub->pkey_algo = "ecdsa-nist-p384"; 527 break; 528 default: 529 return -ENOPKG; 530 } 531 break; 532 default: 533 return -ENOPKG; 534 } 535 536 /* Discard the BIT STRING metadata */ 537 if (vlen < 1 || *(const u8 *)value != 0) 538 return -EBADMSG; 539 ctx->key = value + 1; 540 ctx->key_size = vlen - 1; 541 return 0; 542 } 543 544 /* The keyIdentifier in AuthorityKeyIdentifier SEQUENCE is tag(CONT,PRIM,0) */ 545 #define SEQ_TAG_KEYID (ASN1_CONT << 6) 546 547 /* 548 * Process certificate extensions that are used to qualify the certificate. 549 */ 550 int x509_process_extension(void *context, size_t hdrlen, 551 unsigned char tag, 552 const void *value, size_t vlen) 553 { 554 struct x509_parse_context *ctx = context; 555 struct asymmetric_key_id *kid; 556 const unsigned char *v = value; 557 558 pr_debug("Extension: %u\n", ctx->last_oid); 559 560 if (ctx->last_oid == OID_subjectKeyIdentifier) { 561 /* Get hold of the key fingerprint */ 562 if (ctx->cert->skid || vlen < 3) 563 return -EBADMSG; 564 if (v[0] != ASN1_OTS || v[1] != vlen - 2) 565 return -EBADMSG; 566 v += 2; 567 vlen -= 2; 568 569 ctx->cert->raw_skid_size = vlen; 570 ctx->cert->raw_skid = v; 571 kid = asymmetric_key_generate_id(v, vlen, "", 0); 572 if (IS_ERR(kid)) 573 return PTR_ERR(kid); 574 ctx->cert->skid = kid; 575 pr_debug("subjkeyid %*phN\n", kid->len, kid->data); 576 return 0; 577 } 578 579 if (ctx->last_oid == OID_authorityKeyIdentifier) { 580 /* Get hold of the CA key fingerprint */ 581 ctx->raw_akid = v; 582 ctx->raw_akid_size = vlen; 583 return 0; 584 } 585 586 return 0; 587 } 588 589 /** 590 * x509_decode_time - Decode an X.509 time ASN.1 object 591 * @_t: The time to fill in 592 * @hdrlen: The length of the object header 593 * @tag: The object tag 594 * @value: The object value 595 * @vlen: The size of the object value 596 * 597 * Decode an ASN.1 universal time or generalised time field into a struct the 598 * kernel can handle and check it for validity. The time is decoded thus: 599 * 600 * [RFC5280 §4.1.2.5] 601 * CAs conforming to this profile MUST always encode certificate validity 602 * dates through the year 2049 as UTCTime; certificate validity dates in 603 * 2050 or later MUST be encoded as GeneralizedTime. Conforming 604 * applications MUST be able to process validity dates that are encoded in 605 * either UTCTime or GeneralizedTime. 606 */ 607 int x509_decode_time(time64_t *_t, size_t hdrlen, 608 unsigned char tag, 609 const unsigned char *value, size_t vlen) 610 { 611 static const unsigned char month_lengths[] = { 31, 28, 31, 30, 31, 30, 612 31, 31, 30, 31, 30, 31 }; 613 const unsigned char *p = value; 614 unsigned year, mon, day, hour, min, sec, mon_len; 615 616 #define dec2bin(X) ({ unsigned char x = (X) - '0'; if (x > 9) goto invalid_time; x; }) 617 #define DD2bin(P) ({ unsigned x = dec2bin(P[0]) * 10 + dec2bin(P[1]); P += 2; x; }) 618 619 if (tag == ASN1_UNITIM) { 620 /* UTCTime: YYMMDDHHMMSSZ */ 621 if (vlen != 13) 622 goto unsupported_time; 623 year = DD2bin(p); 624 if (year >= 50) 625 year += 1900; 626 else 627 year += 2000; 628 } else if (tag == ASN1_GENTIM) { 629 /* GenTime: YYYYMMDDHHMMSSZ */ 630 if (vlen != 15) 631 goto unsupported_time; 632 year = DD2bin(p) * 100 + DD2bin(p); 633 if (year >= 1950 && year <= 2049) 634 goto invalid_time; 635 } else { 636 goto unsupported_time; 637 } 638 639 mon = DD2bin(p); 640 day = DD2bin(p); 641 hour = DD2bin(p); 642 min = DD2bin(p); 643 sec = DD2bin(p); 644 645 if (*p != 'Z') 646 goto unsupported_time; 647 648 if (year < 1970 || 649 mon < 1 || mon > 12) 650 goto invalid_time; 651 652 mon_len = month_lengths[mon - 1]; 653 if (mon == 2) { 654 if (year % 4 == 0) { 655 mon_len = 29; 656 if (year % 100 == 0) { 657 mon_len = 28; 658 if (year % 400 == 0) 659 mon_len = 29; 660 } 661 } 662 } 663 664 if (day < 1 || day > mon_len || 665 hour > 24 || /* ISO 8601 permits 24:00:00 as midnight tomorrow */ 666 min > 59 || 667 sec > 60) /* ISO 8601 permits leap seconds [X.680 46.3] */ 668 goto invalid_time; 669 670 *_t = mktime64(year, mon, day, hour, min, sec); 671 return 0; 672 673 unsupported_time: 674 pr_debug("Got unsupported time [tag %02x]: '%*phN'\n", 675 tag, (int)vlen, value); 676 return -EBADMSG; 677 invalid_time: 678 pr_debug("Got invalid time [tag %02x]: '%*phN'\n", 679 tag, (int)vlen, value); 680 return -EBADMSG; 681 } 682 EXPORT_SYMBOL_GPL(x509_decode_time); 683 684 int x509_note_not_before(void *context, size_t hdrlen, 685 unsigned char tag, 686 const void *value, size_t vlen) 687 { 688 struct x509_parse_context *ctx = context; 689 return x509_decode_time(&ctx->cert->valid_from, hdrlen, tag, value, vlen); 690 } 691 692 int x509_note_not_after(void *context, size_t hdrlen, 693 unsigned char tag, 694 const void *value, size_t vlen) 695 { 696 struct x509_parse_context *ctx = context; 697 return x509_decode_time(&ctx->cert->valid_to, hdrlen, tag, value, vlen); 698 } 699 700 /* 701 * Note a key identifier-based AuthorityKeyIdentifier 702 */ 703 int x509_akid_note_kid(void *context, size_t hdrlen, 704 unsigned char tag, 705 const void *value, size_t vlen) 706 { 707 struct x509_parse_context *ctx = context; 708 struct asymmetric_key_id *kid; 709 710 pr_debug("AKID: keyid: %*phN\n", (int)vlen, value); 711 712 if (ctx->cert->sig->auth_ids[1]) 713 return 0; 714 715 kid = asymmetric_key_generate_id(value, vlen, "", 0); 716 if (IS_ERR(kid)) 717 return PTR_ERR(kid); 718 pr_debug("authkeyid %*phN\n", kid->len, kid->data); 719 ctx->cert->sig->auth_ids[1] = kid; 720 return 0; 721 } 722 723 /* 724 * Note a directoryName in an AuthorityKeyIdentifier 725 */ 726 int x509_akid_note_name(void *context, size_t hdrlen, 727 unsigned char tag, 728 const void *value, size_t vlen) 729 { 730 struct x509_parse_context *ctx = context; 731 732 pr_debug("AKID: name: %*phN\n", (int)vlen, value); 733 734 ctx->akid_raw_issuer = value; 735 ctx->akid_raw_issuer_size = vlen; 736 return 0; 737 } 738 739 /* 740 * Note a serial number in an AuthorityKeyIdentifier 741 */ 742 int x509_akid_note_serial(void *context, size_t hdrlen, 743 unsigned char tag, 744 const void *value, size_t vlen) 745 { 746 struct x509_parse_context *ctx = context; 747 struct asymmetric_key_id *kid; 748 749 pr_debug("AKID: serial: %*phN\n", (int)vlen, value); 750 751 if (!ctx->akid_raw_issuer || ctx->cert->sig->auth_ids[0]) 752 return 0; 753 754 kid = asymmetric_key_generate_id(value, 755 vlen, 756 ctx->akid_raw_issuer, 757 ctx->akid_raw_issuer_size); 758 if (IS_ERR(kid)) 759 return PTR_ERR(kid); 760 761 pr_debug("authkeyid %*phN\n", kid->len, kid->data); 762 ctx->cert->sig->auth_ids[0] = kid; 763 return 0; 764 } 765