diff mbox series

[02/12] X.509: Parse Subject Alternative Name in certificates

Message ID 704291cbc90ca3aaaaa56b191017c1400963cf12.1695921657.git.lukas@wunner.de (mailing list archive)
State Changes Requested
Delegated to: Bjorn Helgaas
Headers show
Series PCI device authentication | expand

Commit Message

Lukas Wunner Sept. 28, 2023, 5:32 p.m. UTC
The upcoming support for PCI device authentication with CMA-SPDM
(PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name
in X.509 certificates.

Store a pointer to the Subject Alternative Name upon parsing for
consumption by CMA-SPDM.

Signed-off-by: Lukas Wunner <lukas@wunner.de>
---
 crypto/asymmetric_keys/x509_cert_parser.c | 15 +++++++++++++++
 include/keys/x509-parser.h                |  2 ++
 2 files changed, 17 insertions(+)

Comments

Ilpo Järvinen Oct. 3, 2023, 8:31 a.m. UTC | #1
On Thu, 28 Sep 2023, Lukas Wunner wrote:

> The upcoming support for PCI device authentication with CMA-SPDM
> (PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name
> in X.509 certificates.
> 
> Store a pointer to the Subject Alternative Name upon parsing for
> consumption by CMA-SPDM.
> 
> Signed-off-by: Lukas Wunner <lukas@wunner.de>
> ---
>  crypto/asymmetric_keys/x509_cert_parser.c | 15 +++++++++++++++
>  include/keys/x509-parser.h                |  2 ++
>  2 files changed, 17 insertions(+)
> 
> diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
> index 0a7049b470c1..18dfd564740b 100644
> --- a/crypto/asymmetric_keys/x509_cert_parser.c
> +++ b/crypto/asymmetric_keys/x509_cert_parser.c
> @@ -579,6 +579,21 @@ int x509_process_extension(void *context, size_t hdrlen,
>  		return 0;
>  	}
>  
> +	if (ctx->last_oid == OID_subjectAltName) {
> +		/*
> +		 * A certificate MUST NOT include more than one instance
> +		 * of a particular extension (RFC 5280 sec 4.2).
> +		 */
> +		if (ctx->cert->raw_san) {
> +			pr_err("Duplicate Subject Alternative Name\n");
> +			return -EINVAL;
> +		}
> +
> +		ctx->cert->raw_san = v;
> +		ctx->cert->raw_san_size = vlen;
> +		return 0;
> +	}
> +
>  	if (ctx->last_oid == OID_keyUsage) {
>  		/*
>  		 * Get hold of the keyUsage bit string
> diff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h
> index 7c2ebc84791f..9c6e7cdf4870 100644
> --- a/include/keys/x509-parser.h
> +++ b/include/keys/x509-parser.h
> @@ -32,6 +32,8 @@ struct x509_certificate {
>  	unsigned	raw_subject_size;
>  	unsigned	raw_skid_size;
>  	const void	*raw_skid;		/* Raw subjectKeyId in ASN.1 */
> +	const void	*raw_san;		/* Raw subjectAltName in ASN.1 */
> +	unsigned	raw_san_size;
>  	unsigned	index;
>  	bool		seen;			/* Infinite recursion prevention */
>  	bool		verified;
> 

Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Jonathan Cameron Oct. 3, 2023, 3:14 p.m. UTC | #2
On Thu, 28 Sep 2023 19:32:32 +0200
Lukas Wunner <lukas@wunner.de> wrote:

> The upcoming support for PCI device authentication with CMA-SPDM
> (PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name
> in X.509 certificates.
> 
> Store a pointer to the Subject Alternative Name upon parsing for
> consumption by CMA-SPDM.
> 
> Signed-off-by: Lukas Wunner <lukas@wunner.de>

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

> ---
>  crypto/asymmetric_keys/x509_cert_parser.c | 15 +++++++++++++++
>  include/keys/x509-parser.h                |  2 ++
>  2 files changed, 17 insertions(+)
> 
> diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
> index 0a7049b470c1..18dfd564740b 100644
> --- a/crypto/asymmetric_keys/x509_cert_parser.c
> +++ b/crypto/asymmetric_keys/x509_cert_parser.c
> @@ -579,6 +579,21 @@ int x509_process_extension(void *context, size_t hdrlen,
>  		return 0;
>  	}
>  
> +	if (ctx->last_oid == OID_subjectAltName) {
> +		/*
> +		 * A certificate MUST NOT include more than one instance
> +		 * of a particular extension (RFC 5280 sec 4.2).
> +		 */
> +		if (ctx->cert->raw_san) {
> +			pr_err("Duplicate Subject Alternative Name\n");
> +			return -EINVAL;
> +		}
> +
> +		ctx->cert->raw_san = v;
> +		ctx->cert->raw_san_size = vlen;
> +		return 0;
> +	}
> +
>  	if (ctx->last_oid == OID_keyUsage) {
>  		/*
>  		 * Get hold of the keyUsage bit string
> diff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h
> index 7c2ebc84791f..9c6e7cdf4870 100644
> --- a/include/keys/x509-parser.h
> +++ b/include/keys/x509-parser.h
> @@ -32,6 +32,8 @@ struct x509_certificate {
>  	unsigned	raw_subject_size;
>  	unsigned	raw_skid_size;
>  	const void	*raw_skid;		/* Raw subjectKeyId in ASN.1 */
> +	const void	*raw_san;		/* Raw subjectAltName in ASN.1 */
> +	unsigned	raw_san_size;
>  	unsigned	index;
>  	bool		seen;			/* Infinite recursion prevention */
>  	bool		verified;
Wilfred Mallawa Oct. 3, 2023, 10:52 p.m. UTC | #3
On Tue, 2023-10-03 at 11:31 +0300, Ilpo Järvinen wrote:
> On Thu, 28 Sep 2023, Lukas Wunner wrote:
> 
> > The upcoming support for PCI device authentication with CMA-SPDM
> > (PCIe r6.1 sec 6.31) requires validating the Subject Alternative
> > Name
> > in X.509 certificates.
> > 
> > Store a pointer to the Subject Alternative Name upon parsing for
> > consumption by CMA-SPDM.
> > 
> > Signed-off-by: Lukas Wunner <lukas@wunner.de>
> > ---
> >  crypto/asymmetric_keys/x509_cert_parser.c | 15 +++++++++++++++
> >  include/keys/x509-parser.h                |  2 ++
> >  2 files changed, 17 insertions(+)
> > 
> > diff --git a/crypto/asymmetric_keys/x509_cert_parser.c
> > b/crypto/asymmetric_keys/x509_cert_parser.c
> > index 0a7049b470c1..18dfd564740b 100644
> > --- a/crypto/asymmetric_keys/x509_cert_parser.c
> > +++ b/crypto/asymmetric_keys/x509_cert_parser.c
> > @@ -579,6 +579,21 @@ int x509_process_extension(void *context,
> > size_t hdrlen,
> >                 return 0;
> >         }
> >  
> > +       if (ctx->last_oid == OID_subjectAltName) {
> > +               /*
> > +                * A certificate MUST NOT include more than one
> > instance
> > +                * of a particular extension (RFC 5280 sec 4.2).
> > +                */
> > +               if (ctx->cert->raw_san) {
> > +                       pr_err("Duplicate Subject Alternative
> > Name\n");
> > +                       return -EINVAL;
> > +               }
> > +
> > +               ctx->cert->raw_san = v;
> > +               ctx->cert->raw_san_size = vlen;
> > +               return 0;
> > +       }
> > +
> >         if (ctx->last_oid == OID_keyUsage) {
> >                 /*
> >                  * Get hold of the keyUsage bit string
> > diff --git a/include/keys/x509-parser.h b/include/keys/x509-
> > parser.h
> > index 7c2ebc84791f..9c6e7cdf4870 100644
> > --- a/include/keys/x509-parser.h
> > +++ b/include/keys/x509-parser.h
> > @@ -32,6 +32,8 @@ struct x509_certificate {
> >         unsigned        raw_subject_size;
> >         unsigned        raw_skid_size;
> >         const void      *raw_skid;              /* Raw subjectKeyId
> > in ASN.1 */
> > +       const void      *raw_san;               /* Raw
> > subjectAltName in ASN.1 */
> > +       unsigned        raw_san_size;
> >         unsigned        index;
> >         bool            seen;                   /* Infinite
> > recursion prevention */
> >         bool            verified;
> > 
> 
> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Reviewed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
>
Dan Williams Oct. 6, 2023, 7:09 p.m. UTC | #4
Lukas Wunner wrote:
> The upcoming support for PCI device authentication with CMA-SPDM
> (PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name
> in X.509 certificates.
> 
> Store a pointer to the Subject Alternative Name upon parsing for
> consumption by CMA-SPDM.
> 
> Signed-off-by: Lukas Wunner <lukas@wunner.de>
> ---
>  crypto/asymmetric_keys/x509_cert_parser.c | 15 +++++++++++++++
>  include/keys/x509-parser.h                |  2 ++
>  2 files changed, 17 insertions(+)

Looks ok to me,

Acked-by: Dan Williams <dan.j.williams@intel.com>
diff mbox series

Patch

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 0a7049b470c1..18dfd564740b 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -579,6 +579,21 @@  int x509_process_extension(void *context, size_t hdrlen,
 		return 0;
 	}
 
+	if (ctx->last_oid == OID_subjectAltName) {
+		/*
+		 * A certificate MUST NOT include more than one instance
+		 * of a particular extension (RFC 5280 sec 4.2).
+		 */
+		if (ctx->cert->raw_san) {
+			pr_err("Duplicate Subject Alternative Name\n");
+			return -EINVAL;
+		}
+
+		ctx->cert->raw_san = v;
+		ctx->cert->raw_san_size = vlen;
+		return 0;
+	}
+
 	if (ctx->last_oid == OID_keyUsage) {
 		/*
 		 * Get hold of the keyUsage bit string
diff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h
index 7c2ebc84791f..9c6e7cdf4870 100644
--- a/include/keys/x509-parser.h
+++ b/include/keys/x509-parser.h
@@ -32,6 +32,8 @@  struct x509_certificate {
 	unsigned	raw_subject_size;
 	unsigned	raw_skid_size;
 	const void	*raw_skid;		/* Raw subjectKeyId in ASN.1 */
+	const void	*raw_san;		/* Raw subjectAltName in ASN.1 */
+	unsigned	raw_san_size;
 	unsigned	index;
 	bool		seen;			/* Infinite recursion prevention */
 	bool		verified;