In the commit below we added support for use of the subKeyId rather than the raw serial number when forming the in kernel ID:

    commit dd2f6c4481debfa389c1f2b2b1d5bd6449c42611
    Author: David Howells <dhowells@xxxxxxxxxx>
    Date:   Fri Oct 3 16:17:02 2014 +0100

        X.509: If available, use the raw subjKeyId to form the key description

However as part of this we subject the subjKeyId to the below prefix strip:

    if (srlen > 1 && *q == 0) {
            srlen--;
            q++;
    }

This leads us to truncate the id for kernel module signing keys and to fail to recognise our own modules:

    [ 1.572423] Loaded X.509 cert 'Build time autogenerated kernel key: 62a7c3d2da278be024da4af8652c071f3fea33'
    [ 1.646153] Request for unknown module key 'Build time autogenerated kernel key: 0062a7c3d2da278be024da4af8652c071f3fea33' err -11

Only apply the prefix strip to raw serial number.

Signed-off-by: Andy Whitcroft <apw@xxxxxxxxxxxxx>
---
 crypto/asymmetric_keys/x509_public_key.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

While we are here the prefix strip seems pretty odd, only removing just one 0 byte. Is this meant to strip them all (as a while), or was the intent to strip leading 0s from the hex form? Do we have any background to this change?

-apw

diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 24f17e6..0e16d5e 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -306,10 +306,10 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) } else { srlen = cert->raw_serial_size; q = cert->raw_serial; - } - if (srlen > 1 && *q == 0) { - srlen--; - q++; + if (srlen > 1 && *q == 0) { + srlen--; + q++; + } } ret = -ENOMEM; -- 2.5.0
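
Review bot: The strip that now sits inside the else branch, `if (srlen > 1 && *q == 0)`, still carries no comment explaining why exactly one leading zero byte is dropped from raw_serial, and the message itself asks whether a loop was intended. Since this patch narrows the strip to the serial number only, a short comment above the condition stating the intent would let the next reader see that the subjKeyId bytes are deliberately used unmodified. The message names dd2f6c4481debfa389c1f2b2b1d5bd6449c42611 as the commit that introduced the behaviour, so a Fixes: line for it belongs in the tags. The key description also changes for any certificate whose subjKeyId begins with a zero byte, which is worth stating in the message for anyone matching on the previously truncated form.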