Re: [PATCH 02/12] X.509: Parse Subject Alternative Name in certificates

On Tue, 2023-10-03 at 11:31 +0300, Ilpo Järvinen wrote:
> On Thu, 28 Sep 2023, Lukas Wunner wrote:
> 
> > The upcoming support for PCI device authentication with CMA-SPDM
> > (PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name
> > in X.509 certificates.
> > 
> > Store a pointer to the Subject Alternative Name upon parsing for
> > consumption by CMA-SPDM.
> > 
> > Signed-off-by: Lukas Wunner <lukas@xxxxxxxxx>
> > ---
> >  crypto/asymmetric_keys/x509_cert_parser.c | 15 +++++++++++++++
> >  include/keys/x509-parser.h                |  2 ++
> >  2 files changed, 17 insertions(+)
> > 
> > diff --git a/crypto/asymmetric_keys/x509_cert_parser.c
> > b/crypto/asymmetric_keys/x509_cert_parser.c
> > index 0a7049b470c1..18dfd564740b 100644
> > --- a/crypto/asymmetric_keys/x509_cert_parser.c
> > +++ b/crypto/asymmetric_keys/x509_cert_parser.c
> > @@ -579,6 +579,21 @@ int x509_process_extension(void *context,
> > size_t hdrlen,
> >                 return 0;
> >         }
> >  
> > +       if (ctx->last_oid == OID_subjectAltName) {
> > +               /*
> > +                * A certificate MUST NOT include more than one
> > instance
> > +                * of a particular extension (RFC 5280 sec 4.2).
> > +                */
> > +               if (ctx->cert->raw_san) {
> > +                       pr_err("Duplicate Subject Alternative
> > Name\n");
> > +                       return -EINVAL;
> > +               }
> > +
> > +               ctx->cert->raw_san = v;
> > +               ctx->cert->raw_san_size = vlen;
> > +               return 0;
> > +       }
> > +
> >         if (ctx->last_oid == OID_keyUsage) {
> >                 /*
> >                  * Get hold of the keyUsage bit string
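Review bot: the duplicate-extension rejection at `if (ctx->cert->raw_san)` is the right RFC 5280 sec 4.2 behaviour, but it is applied to subjectAltName only; if the handlers for the other stored extensions in this function (keyUsage just below, and whatever fills `raw_skid` in the header hunk) do not reject a doubled extension, a malformed certificate gets inconsistent treatment depending on which extension is duplicated. Either say in the commit message why SAN alone needs the check (it is consumed directly by CMA-SPDM) or apply it uniformly in a follow-up. Also, `v`/`vlen` is the raw extension value, so consumers still have to ASN.1-decode the GeneralNames themselves; a one-line comment next to `ctx->cert->raw_san = v;` stating that no validation of the SAN contents happens here would make that contract explicit for callers.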
> > diff --git a/include/keys/x509-parser.h b/include/keys/x509-
> > parser.h
> > index 7c2ebc84791f..9c6e7cdf4870 100644
> > --- a/include/keys/x509-parser.h
> > +++ b/include/keys/x509-parser.h
> > @@ -32,6 +32,8 @@ struct x509_certificate {
> >         unsigned        raw_subject_size;
> >         unsigned        raw_skid_size;
> >         const void      *raw_skid;              /* Raw subjectKeyId
> > in ASN.1 */
> > +       const void      *raw_san;               /* Raw
> > subjectAltName in ASN.1 */
> > +       unsigned        raw_san_size;
> >         unsigned        index;
> >         bool            seen;                   /* Infinite
> > recursion prevention */
> >         bool            verified;
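Review bot: member order differs from the existing pair, which has `raw_skid_size` before `raw_skid`, whereas here the `raw_san` pointer precedes `raw_san_size`. That order actually packs better on 64-bit (the pointer is followed by `raw_san_size` and `index`, which together fill what would otherwise be padding), so keep it, but a sentence in the commit message would stop it looking accidental. Optionally give `raw_san_size` a short comment such as `/* Length of raw_san */`; `raw_skid_size` has none either, so this is a consistency nit rather than a blocker.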
> > 
> 
> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@xxxxxxxxxxxxxxx>
Reviewed-by: Wilfred Mallawa <wilfred.mallawa@xxxxxxx>
> 
