Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp3416463rdh;
        Thu, 28 Sep 2023 10:55:52 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IEj+EoN2yRDvU+9O/bOeszVwW8juAEGj7lDgtR1NurFEPxIOelrIgNZkM7CEOeuXDF0B/Ot
X-Received: by 2002:a05:6a20:12d1:b0:15e:7323:5bf3 with SMTP id v17-20020a056a2012d100b0015e73235bf3mr3253738pzg.26.1695923751875;
        Thu, 28 Sep 2023 10:55:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1695923751; cv=none;
        d=google.com; s=arc-20160816;
        b=OeTS4yVYdn0il2ZoF1w8XM0Dqgm/AEyW7EloGpSkHS8aNTruum1dtRjkvPsB7/ECtQ
         hd72kkyHOVDOffCWlyIWWR7sjjLm/HUH6CAIF06auauuFp9AXdeHrM7C+nlCCt1h3BYx
         QTmb7P7GKKTYPCg7sjjNCVTs3c9U5W3g3BJAhIGXZzC47nn11boAHmx60PcyLSDjv8Y6
         xApata0bbyjoeRTiYyt7C2qrcSqCinU99E4BjtBg5cMp4LqbgBAxnyou38atoCXYo9xX
         j5DYc799wXes+IcP1KEPDNOGzC1gc/1/cLTiewgcXJ3qGyCZ1KvayACgvw/v2jRi+grw
         Fy7Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:date:from:references:in-reply-to
         :message-id;
        bh=CMeZhTJSV3hYwmY9GUvlMxgfIM2hO8x01H2BrHo6WEU=;
        fh=j94gzfSAT+8kF46ZvOkY3DNYs/HkghetT1vgREBUW1M=;
        b=QnfVuvNtdpG068t0qcrgQx1aWEdiJ0yOLQDV2Ar4ooukcK71RH59O74yjXmkcHtXn+
         6Mop1XsEtIlitH3Ub5KBuGLOp5p6Iq8FioAB/PlhJbBfzaTcsTMKkNXEX2Ya3gsoGr5X
         U9AghK2EKzgtxy+Lri1a1OLXkTQ8fHVYA2HPyQM3ns2vbRGCDt9Il236XIcC/1oBWb4A
         YWoqkPe4fXMymOoN8OPoK5ztES1KPkcB/JCK8iRgepmlQgfafu2TsHeUqW8dtoMT27RY
         q00JxvyG5TidIpzQ0JvniGX5PW7MqdfzlkrC0mWikmhC0svqE1GUVimSE1LJLzyAWmH4
         nHgg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3])
        by mx.google.com with ESMTPS id l3-20020a654c43000000b00573f116fba1si19946895pgr.870.2023.09.28.10.55.51
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 28 Sep 2023 10:55:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by lipwig.vger.email (Postfix) with ESMTP id F1A2F825CEF0;
	Thu, 28 Sep 2023 10:43:52 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231932AbjI1Rnv (ORCPT <rfc822;sbozturk97@gmail.com> + 99 others);
        Thu, 28 Sep 2023 13:43:51 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35548 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229478AbjI1Rnu (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Thu, 28 Sep 2023 13:43:50 -0400
Received: from mailout3.hostsharing.net (mailout3.hostsharing.net [IPv6:2a01:4f8:150:2161:1:b009:f236:0])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BEA0E199;
        Thu, 28 Sep 2023 10:43:48 -0700 (PDT)
Received: from h08.hostsharing.net (h08.hostsharing.net [IPv6:2a01:37:1000::53df:5f1c:0])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
         client-signature RSA-PSS (4096 bits) client-digest SHA256)
        (Client CN "*.hostsharing.net", Issuer "RapidSSL Global TLS RSA4096 SHA256 2022 CA1" (verified OK))
        by mailout3.hostsharing.net (Postfix) with ESMTPS id 8DD0110029AE0;
        Thu, 28 Sep 2023 19:43:46 +0200 (CEST)
Received: from localhost (unknown [89.246.108.87])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
        (No client certificate requested)
        by h08.hostsharing.net (Postfix) with ESMTPSA id 4305960E0037;
        Thu, 28 Sep 2023 19:43:46 +0200 (CEST)
X-Mailbox-Line: From 704291cbc90ca3aaaaa56b191017c1400963cf12 Mon Sep 17 00:00:00 2001
Message-Id: <704291cbc90ca3aaaaa56b191017c1400963cf12.1695921657.git.lukas@wunner.de>
In-Reply-To: <cover.1695921656.git.lukas@wunner.de>
References: <cover.1695921656.git.lukas@wunner.de>
From:   Lukas Wunner <lukas@wunner.de>
Date:   Thu, 28 Sep 2023 19:32:32 +0200
Subject: [PATCH 02/12] X.509: Parse Subject Alternative Name in certificates
To:     Bjorn Helgaas <helgaas@kernel.org>,
        David Howells <dhowells@redhat.com>,
        David Woodhouse <dwmw2@infradead.org>,
        Herbert Xu <herbert@gondor.apana.org.au>,
        "David S. Miller" <davem@davemloft.net>,
        Alex Williamson <alex.williamson@redhat.com>,
        <linux-pci@vger.kernel.org>, <linux-cxl@vger.kernel.org>,
        <linux-coco@lists.linux.dev>, <keyrings@vger.kernel.org>,
        <linux-crypto@vger.kernel.org>, <kvm@vger.kernel.org>
Cc:     Jonathan Cameron <Jonathan.Cameron@huawei.com>,
        <linuxarm@huawei.com>, David Box <david.e.box@intel.com>,
        Dan Williams <dan.j.williams@intel.com>,
        Dave Jiang <dave.jiang@intel.com>,
        "Li, Ming" <ming4.li@intel.com>, Zhi Wang <zhi.a.wang@intel.com>,
        Alistair Francis <alistair.francis@wdc.com>,
        Wilfred Mallawa <wilfred.mallawa@wdc.com>,
        Alexey Kardashevskiy <aik@amd.com>,
        Tom Lendacky <thomas.lendacky@amd.com>,
        Sean Christopherson <seanjc@google.com>,
        Alexander Graf <graf@amazon.com>
X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Thu, 28 Sep 2023 10:43:53 -0700 (PDT)

The upcoming support for PCI device authentication with CMA-SPDM
(PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name
in X.509 certificates.

Store a pointer to the Subject Alternative Name upon parsing for
consumption by CMA-SPDM.

Signed-off-by: Lukas Wunner <lukas@wunner.de>
---
 crypto/asymmetric_keys/x509_cert_parser.c | 15 +++++++++++++++
 include/keys/x509-parser.h                |  2 ++
 2 files changed, 17 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 0a7049b470c1..18dfd564740b 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -579,6 +579,21 @@ int x509_process_extension(void *context, size_t hdrlen,
 		return 0;
 	}
 
+	if (ctx->last_oid == OID_subjectAltName) {
+		/*
+		 * A certificate MUST NOT include more than one instance
+		 * of a particular extension (RFC 5280 sec 4.2).
+		 */
+		if (ctx->cert->raw_san) {
+			pr_err("Duplicate Subject Alternative Name\n");
+			return -EINVAL;
+		}
+
+		ctx->cert->raw_san = v;
+		ctx->cert->raw_san_size = vlen;
+		return 0;
+	}
+
 	if (ctx->last_oid == OID_keyUsage) {
 		/*
 		 * Get hold of the keyUsage bit string
diff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h
index 7c2ebc84791f..9c6e7cdf4870 100644
--- a/include/keys/x509-parser.h
+++ b/include/keys/x509-parser.h
@@ -32,6 +32,8 @@ struct x509_certificate {
 	unsigned	raw_subject_size;
 	unsigned	raw_skid_size;
 	const void	*raw_skid;		/* Raw subjectKeyId in ASN.1 */
+	const void	*raw_san;		/* Raw subjectAltName in ASN.1 */
+	unsigned	raw_san_size;
 	unsigned	index;
 	bool		seen;			/* Infinite recursion prevention */
 	bool		verified;
-- 
2.40.1