X.509: Handle certificates that lack an authorityKeyIdentifier field

Handle certificates that lack an authorityKeyIdentifier field by assuming
they're self-signed and checking their signatures against themselves.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Josh Boyer <jwboyer@redhat.com>
This commit is contained in:
David Howells 2013-08-30 16:18:31 +01:00
parent 2ecdb23b8c
commit 17334cabc8
1 changed files with 5 additions and 4 deletions

View File

@ -143,8 +143,8 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
pkey_algo_name[cert->sig.pkey_algo],
pkey_hash_algo_name[cert->sig.pkey_hash_algo]);
if (!cert->fingerprint || !cert->authority) {
pr_warn("Cert for '%s' must have SubjKeyId and AuthKeyId extensions\n",
if (!cert->fingerprint) {
pr_warn("Cert for '%s' must have a SubjKeyId extension\n",
cert->subject);
ret = -EKEYREJECTED;
goto error_free_cert;
@ -190,8 +190,9 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
cert->pub->id_type = PKEY_ID_X509;
/* Check the signature on the key */
if (strcmp(cert->fingerprint, cert->authority) == 0) {
/* Check the signature on the key if it appears to be self-signed */
if (!cert->authority ||
strcmp(cert->fingerprint, cert->authority) == 0) {
ret = x509_check_signature(cert->pub, cert);
if (ret < 0)
goto error_free_cert;