lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Thu,  2 May 2019 12:12:02 +0800
From:   "Lee, Chun-Yi" <joeyli.kernel@...il.com>
To:     David Howells <dhowells@...hat.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S . Miller" <davem@...emloft.net>,
        Mimi Zohar <zohar@...ux.ibm.com>
Cc:     keyrings@...r.kernel.org, linux-crypto@...r.kernel.org,
        linux-kernel@...r.kernel.org, "Lee, Chun-Yi" <jlee@...e.com>
Subject: [PATCH] X.509: Add messages for obsolete OIDs

We found that the db in Acer machine has self signed certificates
(CN=DisablePW or CN=ABO) that they used obsolete OID 1.3.14.3.2.29
sha1WithRSASignature and 2.5.29.1 subjectKeyIdentifier. Kernel
emits -65 error code when loading those certificates to platform
keyring:

[    1.484388] integrity: Loading X.509 certificate: UEFI:MokListRT
[    1.485557] integrity: Problem loading X.509 certificate -65
[    1.486100] Error adding keys to platform keyring UEFI:MokListRT

Because the -65 error code is not enough for appeasing user when
loading a outdated certificate. This patch add messages against
1.3.14.3.2.29 and 2.5.29.1 OIDs.

Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1129471
Cc: David Howells <dhowells@...hat.com> 
Cc: Herbert Xu <herbert@...dor.apana.org.au> 
Cc: "David S. Miller" <davem@...emloft.net>
Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@...e.com>
---
 crypto/asymmetric_keys/x509_cert_parser.c | 7 +++++++
 include/linux/oid_registry.h              | 2 ++
 2 files changed, 9 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 991f4d735a4e..bbd22d5c5b5d 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -192,6 +192,8 @@ int x509_note_pkey_algo(void *context, size_t hdrlen,
 	pr_debug("PubKey Algo: %u\n", ctx->last_oid);
 
 	switch (ctx->last_oid) {
+	case OID_sha1WithRSASignature:
+		pr_info("1.3.14.3.2.29 sha1WithRSASignature is obsolete.\n");
 	case OID_md2WithRSAEncryption:
 	case OID_md3WithRSAEncryption:
 	default:
@@ -464,6 +466,11 @@ int x509_process_extension(void *context, size_t hdrlen,
 		return 0;
 	}
 
+	if (ctx->last_oid == OID_subjectKeyIdentifier_obsolete) {
+		pr_info("2.5.29.1 subjectKeyIdentifier OID is obsolete.\n");
+		return -ENOPKG;
+	}
+
 	return 0;
 }
 
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
index d2fa9ca42e9a..0641d5aa2251 100644
--- a/include/linux/oid_registry.h
+++ b/include/linux/oid_registry.h
@@ -62,6 +62,7 @@ enum OID {
 
 	OID_certAuthInfoAccess,		/* 1.3.6.1.5.5.7.1.1 */
 	OID_sha1,			/* 1.3.14.3.2.26 */
+	OID_sha1WithRSASignature,	/* 1.3.14.3.2.29 */
 	OID_sha256,			/* 2.16.840.1.101.3.4.2.1 */
 	OID_sha384,			/* 2.16.840.1.101.3.4.2.2 */
 	OID_sha512,			/* 2.16.840.1.101.3.4.2.3 */
@@ -83,6 +84,7 @@ enum OID {
 	OID_generationalQualifier,	/* 2.5.4.44 */
 
 	/* Certificate extension IDs */
+	OID_subjectKeyIdentifier_obsolete,	/* 2.5.29.1 */
 	OID_subjectKeyIdentifier,	/* 2.5.29.14 */
 	OID_keyUsage,			/* 2.5.29.15 */
 	OID_subjectAltName,		/* 2.5.29.17 */
-- 
2.16.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ