[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1366604541.23707.97.camel@linux-s257.site>
Date: Mon, 22 Apr 2013 12:22:21 +0800
From: joeyli <jlee@...e.com>
To: Rusty Russell <rusty@...tcorp.com.au>
Cc: dhowells@...hat.com, linux-kernel@...r.kernel.org,
Josh Boyer <jwboyer@...hat.com>,
Randy Dunlap <rdunlap@...otime.net>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S. Miller" <davem@...emloft.net>
Subject: Re: [PATCH v3] X.509: Support parse long form of length octets in
Authority Key Identifier
於 一,2013-04-22 於 11:37 +0930,Rusty Russell 提到:
> "Lee, Chun-Yi" <joeyli.kernel@...il.com> writes:
> > From: Chun-Yi Lee <jlee@...e.com>
> >
> > Per X.509 spec in 4.2.1.1 section, the structure of Authority Key
> > Identifier Extension is:
> >
> > AuthorityKeyIdentifier ::= SEQUENCE {
> > keyIdentifier [0] KeyIdentifier OPTIONAL,
> > authorityCertIssuer [1] GeneralNames OPTIONAL,
> > authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
> >
> > KeyIdentifier ::= OCTET STRING
> >
> > When a certificate also provides
> > authorityCertIssuer and authorityCertSerialNumber then the length of
> > AuthorityKeyIdentifier SEQUENCE is likely to long form format.
> > e.g.
> > The example certificate demos/tunala/A-server.pem in openssl source:
> >
> > X509v3 Authority Key Identifier:
> > keyid:49:FB:45:72:12:C4:CC:E1:45:A1:D3:08:9E:95:C4:2C:6D:55:3F:17
> > DirName:/C=NZ/L=Wellington/O=Really Irresponsible Authorisation Authority (RIAA)/OU=Cert-stamping/CN=Jackov al-Trades/emailAddress=none@...e.domain
> > serial:00
> >
> > Current parsing rule of OID_authorityKeyIdentifier only take care the
> > short form format, it causes load certificate to modsign_keyring fail:
> >
> > [ 12.061147] X.509: Extension: 47
> > [ 12.075121] MODSIGN: Problem loading in-kernel X.509 certificate (-74)
> >
> > So, this patch add the parsing rule for support long form format against
> > Authority Key Identifier.
> >
> > v3:
> > Changed the size check in "Short Form length" case, we allow v[3] smaller
> > then (vlen - 4) because authorityCertIssuer and authorityCertSerialNumber
> > are also possible attach in AuthorityKeyIdentifier sequence.
> >
> > v2:
> > - Removed comma from author's name.
> > - Moved 'Short Form length' comment inside the if-body.
> > - Changed the type of sub to size_t.
> > - Use ASN1_INDEFINITE_LENGTH rather than writing 0x80 and 127.
> > - Moved the key_len's value assignment before alter v.
> > - Fixed the typo of octets.
> > - Add 2 to v before entering the loop for calculate the length.
> > - Removed the comment of check vlen.
> >
> > Cc: Rusty Russell <rusty@...tcorp.com.au>
> > Cc: Josh Boyer <jwboyer@...hat.com>
> > Cc: Randy Dunlap <rdunlap@...otime.net>
> > Cc: Herbert Xu <herbert@...dor.apana.org.au>
> > Cc: "David S. Miller" <davem@...emloft.net>
> > Acked-by: David Howells <dhowells@...hat.com>
> > Signed-off-by: Chun-Yi Lee <jlee@...e.com>
>
> Applied to modules-next.
>
> Thanks,
> Rusty.
>
Thanks for help!
Joey Lee
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists