On Sun, 2024-06-30 at 21:37 +0200, Lukas Wunner wrote:
> The upcoming support for PCI device authentication with CMA-SPDM
> (PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name
> in X.509 certificates.
>
> Store a pointer to the Subject Alternative Name upon parsing for
> consumption by CMA-SPDM.
>
> Signed-off-by: Lukas Wunner <lukas@xxxxxxxxx>
> Reviewed-by: Wilfred Mallawa <wilfred.mallawa@xxxxxxx>
> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@xxxxxxxxxxxxxxx>
> Reviewed-by: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
> Acked-by: Dan Williams <dan.j.williams@xxxxxxxxx>
Reviewed-by: Alistair Francis <alistair.francis@xxxxxxx>
Alistair
> ---
> crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++
> include/keys/x509-parser.h | 2 ++
> 2 files changed, 11 insertions(+)
>
> diff --git a/crypto/asymmetric_keys/x509_cert_parser.c
> b/crypto/asymmetric_keys/x509_cert_parser.c
> index 25cc4273472f..92314e4854f1 100644
> --- a/crypto/asymmetric_keys/x509_cert_parser.c
> +++ b/crypto/asymmetric_keys/x509_cert_parser.c
> @@ -588,6 +588,15 @@ int x509_process_extension(void *context, size_t
> hdrlen,
> return 0;
> }
>
> + if (ctx->last_oid == OID_subjectAltName) {
> + if (ctx->cert->raw_san)
> + return -EBADMSG;
> +
> + ctx->cert->raw_san = v;
> + ctx->cert->raw_san_size = vlen;
> + return 0;
> + }
> +
> if (ctx->last_oid == OID_keyUsage) {
> /*
> * Get hold of the keyUsage bit string
> diff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h
> index 37436a5c7526..8e450befe3b9 100644
> --- a/include/keys/x509-parser.h
> +++ b/include/keys/x509-parser.h
> @@ -36,6 +36,8 @@ struct x509_certificate {
> unsigned raw_subject_size;
> unsigned raw_skid_size;
> const void *raw_skid; /* Raw subjectKeyId
> in ASN.1 */
> + const void *raw_san; /* Raw
> subjectAltName in ASN.1 */
> + unsigned raw_san_size;
> unsigned index;
> bool seen; /* Infinite
> recursion prevention */
> bool verified;
