2016-02-11 21:34 GMT+08:00 Michal Marek <mmarek@xxxxxxxx>: > If either the Subject + subjectKeyId or the Issuer + Serial number > differs between the certificate and the CA, the certificate is not > self-signed. In practice, both will be equal for self-signed > certificates and both will differ for CA-signed certificates. It is only > an issue if the CA used the same serial number for its own self-signed > certificate and the certificate we are checking. This is probably not > valid / recommended, but we should not assume that the certificate is > self-signed because of that. > > Fixes: 4573b64a31cd ("X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier") > Signed-off-by: Michal Marek <mmarek@xxxxxxxx> Tested-by: Lee, Chun-Yi <jlee@xxxxxxxx> Regards Joey Lee > --- > crypto/asymmetric_keys/x509_public_key.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c > index 7092d5cbb5d3..2c46e022a2a3 100644 > --- a/crypto/asymmetric_keys/x509_public_key.c > +++ b/crypto/asymmetric_keys/x509_public_key.c > @@ -308,9 +308,10 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) > cert->pub->id_type = PKEY_ID_X509; > > /* Check the signature on the key if it appears to be self-signed */ > - if ((!cert->akid_skid && !cert->akid_id) || > - asymmetric_key_id_same(cert->skid, cert->akid_skid) || > - asymmetric_key_id_same(cert->id, cert->akid_id)) { > + if ((!cert->akid_skid || > + asymmetric_key_id_same(cert->skid, cert->akid_skid)) && > + (!cert->akid_id || > + asymmetric_key_id_same(cert->id, cert->akid_id))) { > ret = x509_check_signature(cert->pub, cert); /* self-signed */ > if (ret < 0) > goto error_free_cert; > -- > 2.1.4 > -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html