X.509: Handle certificates that lack an authorityKeyIdentifier field
Handle certificates that lack an authorityKeyIdentifier field by assuming they're self-signed and checking their signatures against themselves. Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Josh Boyer <jwboyer@redhat.com>
This commit is contained in:
parent
2ecdb23b8c
commit
17334cabc8
|
@ -143,8 +143,8 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
|
|||
pkey_algo_name[cert->sig.pkey_algo],
|
||||
pkey_hash_algo_name[cert->sig.pkey_hash_algo]);
|
||||
|
||||
if (!cert->fingerprint || !cert->authority) {
|
||||
pr_warn("Cert for '%s' must have SubjKeyId and AuthKeyId extensions\n",
|
||||
if (!cert->fingerprint) {
|
||||
pr_warn("Cert for '%s' must have a SubjKeyId extension\n",
|
||||
cert->subject);
|
||||
ret = -EKEYREJECTED;
|
||||
goto error_free_cert;
|
||||
|
@ -190,8 +190,9 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
|
|||
cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
|
||||
cert->pub->id_type = PKEY_ID_X509;
|
||||
|
||||
/* Check the signature on the key */
|
||||
if (strcmp(cert->fingerprint, cert->authority) == 0) {
|
||||
/* Check the signature on the key if it appears to be self-signed */
|
||||
if (!cert->authority ||
|
||||
strcmp(cert->fingerprint, cert->authority) == 0) {
|
||||
ret = x509_check_signature(cert->pub, cert);
|
||||
if (ret < 0)
|
||||
goto error_free_cert;
|
||||
|
|
Loading…
Reference in New Issue