The upcoming support for PCI device authentication with CMA-SPDM
(PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name
in X.509 certificates.
Store a pointer to the Subject Alternative Name upon parsing for
consumption by CMA-SPDM.
Signed-off-by: Lukas Wunner <lukas@xxxxxxxxx>
---
crypto/asymmetric_keys/x509_cert_parser.c | 15 +++++++++++++++
include/keys/x509-parser.h | 2 ++
2 files changed, 17 insertions(+)
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 0a7049b470c1..18dfd564740b 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -579,6 +579,21 @@ int x509_process_extension(void *context, size_t hdrlen,
return 0;
}
+ if (ctx->last_oid == OID_subjectAltName) {
+ /*
+ * A certificate MUST NOT include more than one instance
+ * of a particular extension (RFC 5280 sec 4.2).
+ */
+ if (ctx->cert->raw_san) {
+ pr_err("Duplicate Subject Alternative Name\n");
+ return -EINVAL;
+ }
+
+ ctx->cert->raw_san = v;
+ ctx->cert->raw_san_size = vlen;
+ return 0;
+ }
+
if (ctx->last_oid == OID_keyUsage) {
/*
* Get hold of the keyUsage bit string
diff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h
index 7c2ebc84791f..9c6e7cdf4870 100644
--- a/include/keys/x509-parser.h
+++ b/include/keys/x509-parser.h
@@ -32,6 +32,8 @@ struct x509_certificate {
unsigned raw_subject_size;
unsigned raw_skid_size;
const void *raw_skid; /* Raw subjectKeyId in ASN.1 */
+ const void *raw_san; /* Raw subjectAltName in ASN.1 */
+ unsigned raw_san_size;
unsigned index;
bool seen; /* Infinite recursion prevention */
bool verified;
--
2.40.1
