
[02/12] X.509: Parse Subject Alternative Name in certificates

Message ID 704291cbc90ca3aaaaa56b191017c1400963cf12.1695921657.git.lukas@wunner.de (mailing list archive)
State Changes Requested
Delegated to: Herbert Xu

Commit Message

Lukas Wunner Sept. 28, 2023, 5:32 p.m. UTC
The upcoming support for PCI device authentication with CMA-SPDM
(PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name
in X.509 certificates.

Store a pointer to the raw, still-unparsed Subject Alternative Name
extension value (and its length) upon parsing for consumption by CMA-SPDM.

Signed-off-by: Lukas Wunner <lukas@wunner.de>
---
 crypto/asymmetric_keys/x509_cert_parser.c | 15 +++++++++++++++
 include/keys/x509-parser.h                |  2 ++
 2 files changed, 17 insertions(+)

Comments

Ilpo Järvinen Oct. 3, 2023, 8:31 a.m. UTC | #1
On Thu, 28 Sep 2023, Lukas Wunner wrote:

> The upcoming support for PCI device authentication with CMA-SPDM
> (PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name
> in X.509 certificates.
> 
> Store a pointer to the Subject Alternative Name upon parsing for
> consumption by CMA-SPDM.
> 
> Signed-off-by: Lukas Wunner <lukas@wunner.de>
> ---
>  crypto/asymmetric_keys/x509_cert_parser.c | 15 +++++++++++++++
>  include/keys/x509-parser.h                |  2 ++
>  2 files changed, 17 insertions(+)
> 
> diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
> index 0a7049b470c1..18dfd564740b 100644
> --- a/crypto/asymmetric_keys/x509_cert_parser.c
> +++ b/crypto/asymmetric_keys/x509_cert_parser.c
> @@ -579,6 +579,21 @@ int x509_process_extension(void *context, size_t hdrlen,
>  		return 0;
>  	}
>  
> +	if (ctx->last_oid == OID_subjectAltName) {
> +		/*
> +		 * A certificate MUST NOT include more than one instance
> +		 * of a particular extension (RFC 5280 sec 4.2).
> +		 */
> +		if (ctx->cert->raw_san) {
> +			pr_err("Duplicate Subject Alternative Name\n");
> +			return -EINVAL;
> +		}
> +
> +		ctx->cert->raw_san = v;
> +		ctx->cert->raw_san_size = vlen;
> +		return 0;
> +	}
> +
>  	if (ctx->last_oid == OID_keyUsage) {
>  		/*
>  		 * Get hold of the keyUsage bit string
> diff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h
> index 7c2ebc84791f..9c6e7cdf4870 100644
> --- a/include/keys/x509-parser.h
> +++ b/include/keys/x509-parser.h
> @@ -32,6 +32,8 @@ struct x509_certificate {
>  	unsigned	raw_subject_size;
>  	unsigned	raw_skid_size;
>  	const void	*raw_skid;		/* Raw subjectKeyId in ASN.1 */
> +	const void	*raw_san;		/* Raw subjectAltName in ASN.1 */
> +	unsigned	raw_san_size;
>  	unsigned	index;
>  	bool		seen;			/* Infinite recursion prevention */
>  	bool		verified;
> 

Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Jonathan Cameron Oct. 3, 2023, 3:14 p.m. UTC | #2
On Thu, 28 Sep 2023 19:32:32 +0200
Lukas Wunner <lukas@wunner.de> wrote:

> The upcoming support for PCI device authentication with CMA-SPDM
> (PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name
> in X.509 certificates.
> 
> Store a pointer to the Subject Alternative Name upon parsing for
> consumption by CMA-SPDM.
> 
> Signed-off-by: Lukas Wunner <lukas@wunner.de>

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>

> ---
>  crypto/asymmetric_keys/x509_cert_parser.c | 15 +++++++++++++++
>  include/keys/x509-parser.h                |  2 ++
>  2 files changed, 17 insertions(+)
> 
> diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
> index 0a7049b470c1..18dfd564740b 100644
> --- a/crypto/asymmetric_keys/x509_cert_parser.c
> +++ b/crypto/asymmetric_keys/x509_cert_parser.c
> @@ -579,6 +579,21 @@ int x509_process_extension(void *context, size_t hdrlen,
>  		return 0;
>  	}
>  
> +	if (ctx->last_oid == OID_subjectAltName) {
> +		/*
> +		 * A certificate MUST NOT include more than one instance
> +		 * of a particular extension (RFC 5280 sec 4.2).
> +		 */
> +		if (ctx->cert->raw_san) {
> +			pr_err("Duplicate Subject Alternative Name\n");
> +			return -EINVAL;
> +		}
> +
> +		ctx->cert->raw_san = v;
> +		ctx->cert->raw_san_size = vlen;
> +		return 0;
> +	}
> +
>  	if (ctx->last_oid == OID_keyUsage) {
>  		/*
>  		 * Get hold of the keyUsage bit string
> diff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h
> index 7c2ebc84791f..9c6e7cdf4870 100644
> --- a/include/keys/x509-parser.h
> +++ b/include/keys/x509-parser.h
> @@ -32,6 +32,8 @@ struct x509_certificate {
>  	unsigned	raw_subject_size;
>  	unsigned	raw_skid_size;
>  	const void	*raw_skid;		/* Raw subjectKeyId in ASN.1 */
> +	const void	*raw_san;		/* Raw subjectAltName in ASN.1 */
> +	unsigned	raw_san_size;
>  	unsigned	index;
>  	bool		seen;			/* Infinite recursion prevention */
>  	bool		verified;
Wilfred Mallawa Oct. 3, 2023, 10:52 p.m. UTC | #3
On Tue, 2023-10-03 at 11:31 +0300, Ilpo Järvinen wrote:
> On Thu, 28 Sep 2023, Lukas Wunner wrote:
> 
> > The upcoming support for PCI device authentication with CMA-SPDM
> > (PCIe r6.1 sec 6.31) requires validating the Subject Alternative
> > Name
> > in X.509 certificates.
> > 
> > Store a pointer to the Subject Alternative Name upon parsing for
> > consumption by CMA-SPDM.
> > 
> > Signed-off-by: Lukas Wunner <lukas@wunner.de>
> > ---
> >  crypto/asymmetric_keys/x509_cert_parser.c | 15 +++++++++++++++
> >  include/keys/x509-parser.h                |  2 ++
> >  2 files changed, 17 insertions(+)
> > 
> > diff --git a/crypto/asymmetric_keys/x509_cert_parser.c
> > b/crypto/asymmetric_keys/x509_cert_parser.c
> > index 0a7049b470c1..18dfd564740b 100644
> > --- a/crypto/asymmetric_keys/x509_cert_parser.c
> > +++ b/crypto/asymmetric_keys/x509_cert_parser.c
> > @@ -579,6 +579,21 @@ int x509_process_extension(void *context,
> > size_t hdrlen,
> >                 return 0;
> >         }
> >  
> > +       if (ctx->last_oid == OID_subjectAltName) {
> > +               /*
> > +                * A certificate MUST NOT include more than one
> > instance
> > +                * of a particular extension (RFC 5280 sec 4.2).
> > +                */
> > +               if (ctx->cert->raw_san) {
> > +                       pr_err("Duplicate Subject Alternative
> > Name\n");
> > +                       return -EINVAL;
> > +               }
> > +
> > +               ctx->cert->raw_san = v;
> > +               ctx->cert->raw_san_size = vlen;
> > +               return 0;
> > +       }
> > +
> >         if (ctx->last_oid == OID_keyUsage) {
> >                 /*
> >                  * Get hold of the keyUsage bit string
> > diff --git a/include/keys/x509-parser.h b/include/keys/x509-
> > parser.h
> > index 7c2ebc84791f..9c6e7cdf4870 100644
> > --- a/include/keys/x509-parser.h
> > +++ b/include/keys/x509-parser.h
> > @@ -32,6 +32,8 @@ struct x509_certificate {
> >         unsigned        raw_subject_size;
> >         unsigned        raw_skid_size;
> >         const void      *raw_skid;              /* Raw subjectKeyId
> > in ASN.1 */
> > +       const void      *raw_san;               /* Raw
> > subjectAltName in ASN.1 */
> > +       unsigned        raw_san_size;
> >         unsigned        index;
> >         bool            seen;                   /* Infinite
> > recursion prevention */
> >         bool            verified;
> > 
> 
> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Reviewed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
>
Dan Williams Oct. 6, 2023, 7:09 p.m. UTC | #4
Lukas Wunner wrote:
> The upcoming support for PCI device authentication with CMA-SPDM
> (PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name
> in X.509 certificates.
> 
> Store a pointer to the Subject Alternative Name upon parsing for
> consumption by CMA-SPDM.
> 
> Signed-off-by: Lukas Wunner <lukas@wunner.de>
> ---
>  crypto/asymmetric_keys/x509_cert_parser.c | 15 +++++++++++++++
>  include/keys/x509-parser.h                |  2 ++
>  2 files changed, 17 insertions(+)

Looks ok to me,

Acked-by: Dan Williams <dan.j.williams@intel.com>

Patch

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 0a7049b470c1..18dfd564740b 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -579,6 +579,21 @@  int x509_process_extension(void *context, size_t hdrlen,
 		return 0;
 	}
 
+	if (ctx->last_oid == OID_subjectAltName) {
+		/*
+		 * A certificate MUST NOT include more than one instance
+		 * of a particular extension (RFC 5280 sec 4.2).
+		 */
+		if (ctx->cert->raw_san) {
+			pr_err("Duplicate Subject Alternative Name\n");
+			return -EINVAL;
+		}
+
+		ctx->cert->raw_san = v;
+		ctx->cert->raw_san_size = vlen;
+		return 0;
+	}
+
 	if (ctx->last_oid == OID_keyUsage) {
 		/*
 		 * Get hold of the keyUsage bit string
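Review bot: The new branch at `if (ctx->last_oid == OID_subjectAltName)` stores the extension value verbatim without checking that `vlen` is non-zero or that the value is a well-formed GeneralNames SEQUENCE, so every consumer of `raw_san` has to treat it as untrusted DER and bound each read by `raw_san_size`; the hunk should say so rather than leave it implicit in "Raw ... in ASN.1". I would add after the duplicate-extension check: `/* Stored unparsed: the consumer must validate the GeneralNames SEQUENCE and bound all reads by raw_san_size. */`. The `size_t` `vlen` is also narrowed into an `unsigned` field; this mirrors the sibling `raw_skid_size` and is presumably covered by the parser's overall certificate size limit, but that is worth confirming since the SAN will now feed an authentication decision. The body of x509_process_extension begins before and continues after this hunk.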
diff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h
index 7c2ebc84791f..9c6e7cdf4870 100644
--- a/include/keys/x509-parser.h
+++ b/include/keys/x509-parser.h
@@ -32,6 +32,8 @@  struct x509_certificate {
 	unsigned	raw_subject_size;
 	unsigned	raw_skid_size;
 	const void	*raw_skid;		/* Raw subjectKeyId in ASN.1 */
+	const void	*raw_san;		/* Raw subjectAltName in ASN.1 */
+	unsigned	raw_san_size;
 	unsigned	index;
 	bool		seen;			/* Infinite recursion prevention */
 	bool		verified;