From: Andy Whitcroft
Subject: [PATCH 1/1] x509: only prefix strip raw serial numbers
Date: Mon, 14 Sep 2015 09:13:37 +0100
Message-ID: <1442218417-24897-1-git-send-email-apw@canonical.com>
Cc: David Howells, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
To: Herbert Xu, "David S. Miller"
Sender: linux-kernel-owner@vger.kernel.org
List-Id: linux-crypto.vger.kernel.org

In the commit below we added support for use of the subjKeyId rather than
the raw serial number when forming the in kernel ID:

    commit dd2f6c4481debfa389c1f2b2b1d5bd6449c42611
    Author: David Howells
    Date:   Fri Oct 3 16:17:02 2014 +0100

        X.509: If available, use the raw subjKeyId to form the key description

However as part of this we subject the subjKeyId to the below prefix strip:

	if (srlen > 1 && *q == 0) {
		srlen--;
		q++;
	}

This leads us to truncate the id for kernel module signing keys and to
fail to recognise our own modules:

[ 1.572423] Loaded X.509 cert 'Build time autogenerated kernel key: 62a7c3d2da278be024da4af8652c071f3fea33'
[ 1.646153] Request for unknown module key 'Build time autogenerated kernel key: 0062a7c3d2da278be024da4af8652c071f3fea33' err -11

Only apply the prefix strip to the raw serial number.

Signed-off-by: Andy Whitcroft
---
 crypto/asymmetric_keys/x509_public_key.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

While we are here the prefix strip seems pretty odd, only removing just one
0 byte.  Is this meant to strip them all (as a while), or was the intent to
strip leading 0s from the hex form?  Do we have any background to this
change?

-apw

diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 24f17e6..0e16d5e 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -306,10 +306,10 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) } else { srlen = cert->raw_serial_size; q = cert->raw_serial; - } - if (srlen > 1 && *q == 0) { - srlen--; - q++; + if (srlen > 1 && *q == 0) { + srlen--; + q++; + } } ret = -ENOMEM; -- 2.5.0
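Review bot: moving `if (srlen > 1 && *q == 0) { srlen--; q++; }` inside the `else` branch means only `cert->raw_serial` is ever stripped and the subjKeyId path keeps its leading zero byte, which is exactly what the two boot-log lines in the commit message call for (the 40-hex-digit `0062a7c3...` id is the one the module lookup asks for). Since the cover note itself asks why only one 0 byte is removed, consider adding a one-line comment above the strip: a DER-encoded INTEGER carries at most one leading 0x00 octet, inserted only when the first significant byte has its top bit set, so removing a single byte from a serial number is the right amount, whereas a subjKeyId is an OCTET STRING in which a leading zero is data and must not be touched.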
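An added example, not the kernel's code and not part of the patch: a user-space model of the key-description construction the commit message describes, fed the 20-byte subjKeyId from the boot log above and a constructed DER serial number, to show why the one-byte strip is right for a serial but truncates a subjKeyId to 38 hex digits. The names `build_key_id`, `key_id_equals`, `kSubjKeyId` and `kDerSerial` are mine, not the kernel's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed inputs: the subjKeyId is the 20-byte id from the boot log in
 * the commit message; the serial is a made-up DER INTEGER whose first
 * significant byte has its top bit set, so DER prepends a single 0x00. */
const unsigned char kSubjKeyId[20] = {
    0x00, 0x62, 0xa7, 0xc3, 0xd2, 0xda, 0x27, 0x8b, 0xe0, 0x24,
    0xda, 0x4a, 0xf8, 0x65, 0x2c, 0x07, 0x1f, 0x3f, 0xea, 0x33 };
const unsigned char kDerSerial[4] = { 0x00, 0x8f, 0x12, 0x34 };

/* Hex-encode the id into `out` (needs 2*len+1 bytes) and return `out`, or
 * NULL if it is too small. `strip` mirrors the kernel's prefix strip
 * `if (srlen > 1 && *q == 0)`; post-patch it applies only to a raw serial. */
char *build_key_id(const unsigned char *id, size_t len, int strip,
                   char *out, size_t outsz)
{
    static const char digits[] = "0123456789abcdef";
    const unsigned char *q = id;
    size_t srlen = len, i;
    if (strip && srlen > 1 && *q == 0) { /* drop one leading zero byte */
        srlen--;
        q++;
    }
    if (2 * srlen + 1 > outsz)
        return NULL;
    for (i = 0; i < srlen; i++) {
        out[2 * i] = digits[q[i] >> 4];
        out[2 * i + 1] = digits[q[i] & 0x0f];
    }
    out[2 * srlen] = '\0';
    return out;
}

/* 1 if the description built with `strip` equals `want`, else 0. */
int key_id_equals(const unsigned char *id, size_t len, int strip, const char *want)
{
    char buf[64];
    return build_key_id(id, len, strip, buf, sizeof buf) && strcmp(buf, want) == 0;
}

int main(void)
{
    char buf[64];
    printf("subjKeyId, pre-patch strip:  %s\n", build_key_id(kSubjKeyId, 20, 1, buf, 64));
    printf("subjKeyId, post-patch:       %s\n", build_key_id(kSubjKeyId, 20, 0, buf, 64));
    printf("DER serial, stripped:        %s\n", build_key_id(kDerSerial, 4, 1, buf, 64));
    return 0;
}
```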