[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <32191.1452009340@warthog.procyon.org.uk>
Date: Tue, 05 Jan 2016 15:55:40 +0000
From: David Howells <dhowells@...hat.com>
To: unlisted-recipients:; (no To-header on input)
Cc: dhowells@...hat.com, dwmw2@...radead.org,
David Woodhouse <David.Woodhouse@...el.com>,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
Mimi Zohar <zohar@...ux.vnet.ibm.com>
Subject: Re: [RFC PATCH] X.509: Don't check the signature on apparently self-signed keys [ver #2]
David Howells <dhowells@...hat.com> wrote:
> If a certificate is self-signed, don't bother checking the validity of the
> signature. The cert cannot be checked by validation against the next one
> in the chain as this is the root of the chain. Trust for this certificate
> can only be determined by whether we obtained it from a trusted location
> (ie. it was built into the kernel at compile time).
>
> This also fixes a bug whereby certificates were being assumed to be
> self-signed if they had neither AKID nor SKID, the symptoms of which show
> up as an attempt to load a certificate failing with -ERANGE or -EBADMSG.
> This is produced from the RSA module when the result of calculating "m =
> s^e mod n" is checked.
Oops - I forgot to change the patch description.
David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists