Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751909Ab3DVEXg (ORCPT ); Mon, 22 Apr 2013 00:23:36 -0400 Received: from smtp.nue.novell.com ([195.135.221.5]:55974 "EHLO smtp.nue.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750825Ab3DVEXf (ORCPT ); Mon, 22 Apr 2013 00:23:35 -0400 Subject: Re: [PATCH v3] X.509: Support parse long form of length octets in Authority Key Identifier From: joeyli To: Rusty Russell Cc: dhowells@redhat.com, linux-kernel@vger.kernel.org, Josh Boyer , Randy Dunlap , Herbert Xu , "David S. Miller" In-Reply-To: <878v4bb9nq.fsf@rustcorp.com.au> References: <1364547153-1416-1-git-send-email-jlee@suse.com> <878v4bb9nq.fsf@rustcorp.com.au> Content-Type: text/plain; charset="UTF-8" Date: Mon, 22 Apr 2013 12:22:21 +0800 Message-ID: <1366604541.23707.97.camel@linux-s257.site> Mime-Version: 1.0 X-Mailer: Evolution 2.28.2 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2829 Lines: 72 於 一,2013-04-22 於 11:37 +0930,Rusty Russell 提到: > "Lee, Chun-Yi" writes: > > From: Chun-Yi Lee > > > > Per X.509 spec in 4.2.1.1 section, the structure of Authority Key > > Identifier Extension is: > > > > AuthorityKeyIdentifier ::= SEQUENCE { > > keyIdentifier [0] KeyIdentifier OPTIONAL, > > authorityCertIssuer [1] GeneralNames OPTIONAL, > > authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } > > > > KeyIdentifier ::= OCTET STRING > > > > When a certificate also provides > > authorityCertIssuer and authorityCertSerialNumber then the length of > > AuthorityKeyIdentifier SEQUENCE is likely to long form format. > > e.g. > > The example certificate demos/tunala/A-server.pem in openssl source: > > > > X509v3 Authority Key Identifier: > > keyid:49:FB:45:72:12:C4:CC:E1:45:A1:D3:08:9E:95:C4:2C:6D:55:3F:17 > > DirName:/C=NZ/L=Wellington/O=Really Irresponsible Authorisation Authority (RIAA)/OU=Cert-stamping/CN=Jackov al-Trades/emailAddress=none@fake.domain > > serial:00 > > > > Current parsing rule of OID_authorityKeyIdentifier only take care the > > short form format, it causes load certificate to modsign_keyring fail: > > > > [ 12.061147] X.509: Extension: 47 > > [ 12.075121] MODSIGN: Problem loading in-kernel X.509 certificate (-74) > > > > So, this patch add the parsing rule for support long form format against > > Authority Key Identifier. > > > > v3: > > Changed the size check in "Short Form length" case, we allow v[3] smaller > > then (vlen - 4) because authorityCertIssuer and authorityCertSerialNumber > > are also possible attach in AuthorityKeyIdentifier sequence. > > > > v2: > > - Removed comma from author's name. > > - Moved 'Short Form length' comment inside the if-body. > > - Changed the type of sub to size_t. > > - Use ASN1_INDEFINITE_LENGTH rather than writing 0x80 and 127. > > - Moved the key_len's value assignment before alter v. > > - Fixed the typo of octets. > > - Add 2 to v before entering the loop for calculate the length. > > - Removed the comment of check vlen. > > > > Cc: Rusty Russell > > Cc: Josh Boyer > > Cc: Randy Dunlap > > Cc: Herbert Xu > > Cc: "David S. Miller" > > Acked-by: David Howells > > Signed-off-by: Chun-Yi Lee > > Applied to modules-next. > > Thanks, > Rusty. > Thanks for help! Joey Lee -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/