Received: by 2002:a05:7412:3784:b0:e2:908c:2ebd with SMTP id jk4csp1800553rdb; Tue, 3 Oct 2023 00:57:35 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFAs6IW6OoZH/RG/txqjDOjkjAFILA20UcXuGUtwIpheTCKUVJEBbgtl50Mlu3Pp8lJkiZ4 X-Received: by 2002:a05:6358:4297:b0:13a:a85b:a4ce with SMTP id s23-20020a056358429700b0013aa85ba4cemr14553336rwc.16.1696319854677; Tue, 03 Oct 2023 00:57:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696319854; cv=none; d=google.com; s=arc-20160816; b=ZuYwOtKn6QGvHu/xReXUgX9CMM86lHgFpAtum9gU3BWRvn6C0MBOQhCkuaq0Hnv2QH c9zm0fSOSI2puuqNkDCUD4Nti00E5tijOJv26QMsptwE3yBnDE254kFwO/a6gji8a+Cd FN68BMD/EyhdIyXy/DPZsLgY8t+0aNQ5y+ghKZHFGOUH6H+84hX2C/Pi7oZouvDlV+ff 6LeuCnyZ1v6cUnbtBQESc4b9Fysm+7tDpG1yMalFNI00Mb31YcUP5TgcmlZ6txoYvX1F d/fpR5j7X0+Nffv+E2lKdIrk73hyI0wJIwlCYRUwDHEX+u8na0EOBkUQnGCxLG6lHD2r Bh5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:references:message-id:in-reply-to :subject:cc:to:from:date:dkim-signature; bh=Ace8wWS9zBranwD5oFJ/QZJIp8iMpLzAPOiPuhgq7Uc=; fh=g62NcDT+ivL79B1aZ0R8nTeuoXyNDXdlohxxgMsnpNA=; b=JYol6hLiuzBgjIt36vGte05ETWv8AbMjMkHRkO57ywhxSbGj0sJTCe5K5J8yqCQ2Lr NSr0yyau/n/QU8f1AezR8D8pcJu2M6mVy24OHcRvctOmOiTkOvc7xV9yPQJ779K5ufvJ x6AMEBldEp/gPDFQojHPxB8Vp+X6O3V1LMjBZl4VZsmTuc/x442i7n4MVOpo9Y9JDOWC UwlS0RQFr1U12EdKtPil5ABNeHNfnlhRDcPYuRAVBale2kZKVgh3mJYIp5HQt4KNOujL j/1MV3desoCBDXMq9FL5y6E/QnytMjdwZYlRISMpro1Sr9a0PcCfGaVpKd5t7czRIMxD wP3A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=ELtAYsqv; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from howler.vger.email (howler.vger.email. [2620:137:e000::3:4]) by mx.google.com with ESMTPS id p10-20020a056a000a0a00b0068feb1cf986si975818pfh.241.2023.10.03.00.57.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Oct 2023 00:57:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) client-ip=2620:137:e000::3:4; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b=ELtAYsqv; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id 8AC458055AC3; Tue, 3 Oct 2023 00:57:33 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231328AbjJCH5d (ORCPT + 99 others); Tue, 3 Oct 2023 03:57:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44430 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231274AbjJCH5c (ORCPT ); Tue, 3 Oct 2023 03:57:32 -0400 Received: from mgamail.intel.com (mgamail.intel.com [134.134.136.31]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D504EA1; Tue, 3 Oct 2023 00:57:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1696319848; x=1727855848; h=date:from:to:cc:subject:in-reply-to:message-id: references:mime-version; bh=Jaw97fwQTJRMgjyL+30NMvRWupub7HmLVrt/CGiEHHM=; b=ELtAYsqvFnsET2tin/9Bn7vJ3urxNmyQwhLCDXtDZsgTZIviOdrm5Knu pQr2lExssC5gQ326YNgM3NQdutu+fSMdHZMjYm/rQE4oPgJ977fdaFYTJ UbPAzjWD+z8WPQdJqvskKGFxFZZ3XcJ7diWzxKug/Bikr+oxjfgi1u36g RuhQb3inrsObFTy4O7qUeJ8KLGzVfqUXEeS0rc2EoXZOXx0DpPq5ASLuZ s9Gl9v8ShdGYckEhEISl+QflYDQfYEcAOIrzrYcrSm6/ld2alShGKDAPh 61dx2tcxDQCjR4yL3VESHxHRjsDGPsn36sOQjzw8cl7AOj4akbjCMZ1dt g==; X-IronPort-AV: E=McAfee;i="6600,9927,10851"; a="446977348" X-IronPort-AV: E=Sophos;i="6.03,196,1694761200"; d="scan'208";a="446977348" Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Oct 2023 00:57:27 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10851"; a="821142123" X-IronPort-AV: E=Sophos;i="6.03,196,1694761200"; d="scan'208";a="821142123" Received: from tciutacu-mobl.ger.corp.intel.com ([10.252.40.114]) by fmsmga004-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Oct 2023 00:57:15 -0700 Date: Tue, 3 Oct 2023 10:57:10 +0300 (EEST) From: =?ISO-8859-15?Q?Ilpo_J=E4rvinen?= To: Lukas Wunner cc: Bjorn Helgaas , David Howells , David Woodhouse , Herbert Xu , "David S. Miller" , Alex Williamson , linux-pci@vger.kernel.org, linux-cxl@vger.kernel.org, linux-coco@lists.linux.dev, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, kvm@vger.kernel.org, Jonathan Cameron , linuxarm@huawei.com, David Box , Dan Williams , Dave Jiang , "Li, Ming" , Zhi Wang , Alistair Francis , Wilfred Mallawa , Alexey Kardashevskiy , Tom Lendacky , Sean Christopherson , Alexander Graf Subject: Re: [PATCH 01/12] X.509: Make certificate parser public In-Reply-To: Message-ID: References: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="8323329-1636035145-1696319842=:2030" X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Tue, 03 Oct 2023 00:57:33 -0700 (PDT) This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --8323329-1636035145-1696319842=:2030 Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: 8BIT On Thu, 28 Sep 2023, Lukas Wunner wrote: > The upcoming support for PCI device authentication with CMA-SPDM > (PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name > in X.509 certificates. > > High-level functions for X.509 parsing such as key_create_or_update() > throw away the internal, low-level struct x509_certificate after > extracting the struct public_key and public_key_signature from it. > The Subject Alternative Name is thus inaccessible when using those > functions. > > Afford CMA-SPDM access to the Subject Alternative Name by making struct > x509_certificate public, together with the functions for parsing an > X.509 certificate into such a struct and freeing such a struct. > > The private header file x509_parser.h previously included > for the definition of time64_t. That definition was since moved to > by commit 361a3bf00582 ("time64: Add time64.h header > and define struct timespec64"), so adjust the #include directive as part > of the move to the new public header file . > > No functional change intended. > > Signed-off-by: Lukas Wunner > --- > crypto/asymmetric_keys/x509_parser.h | 37 +---------------------- > include/keys/x509-parser.h | 44 ++++++++++++++++++++++++++++ > 2 files changed, 45 insertions(+), 36 deletions(-) > create mode 100644 include/keys/x509-parser.h > > diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h > index a299c9c56f40..a7ef43c39002 100644 > --- a/crypto/asymmetric_keys/x509_parser.h > +++ b/crypto/asymmetric_keys/x509_parser.h > @@ -5,40 +5,7 @@ > * Written by David Howells (dhowells@redhat.com) > */ > > -#include > -#include > -#include > - > -struct x509_certificate { > - struct x509_certificate *next; > - struct x509_certificate *signer; /* Certificate that signed this one */ > - struct public_key *pub; /* Public key details */ > - struct public_key_signature *sig; /* Signature parameters */ > - char *issuer; /* Name of certificate issuer */ > - char *subject; /* Name of certificate subject */ > - struct asymmetric_key_id *id; /* Issuer + Serial number */ > - struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */ > - time64_t valid_from; > - time64_t valid_to; > - const void *tbs; /* Signed data */ > - unsigned tbs_size; /* Size of signed data */ > - unsigned raw_sig_size; /* Size of signature */ > - const void *raw_sig; /* Signature data */ > - const void *raw_serial; /* Raw serial number in ASN.1 */ > - unsigned raw_serial_size; > - unsigned raw_issuer_size; > - const void *raw_issuer; /* Raw issuer name in ASN.1 */ > - const void *raw_subject; /* Raw subject name in ASN.1 */ > - unsigned raw_subject_size; > - unsigned raw_skid_size; > - const void *raw_skid; /* Raw subjectKeyId in ASN.1 */ > - unsigned index; > - bool seen; /* Infinite recursion prevention */ > - bool verified; > - bool self_signed; /* T if self-signed (check unsupported_sig too) */ > - bool unsupported_sig; /* T if signature uses unsupported crypto */ > - bool blacklisted; > -}; > +#include > > /* > * selftest.c > @@ -52,8 +19,6 @@ static inline int fips_signature_selftest(void) { return 0; } > /* > * x509_cert_parser.c > */ > -extern void x509_free_certificate(struct x509_certificate *cert); > -extern struct x509_certificate *x509_cert_parse(const void *data, size_t datalen); > extern int x509_decode_time(time64_t *_t, size_t hdrlen, > unsigned char tag, > const unsigned char *value, size_t vlen); > diff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h > new file mode 100644 > index 000000000000..7c2ebc84791f > --- /dev/null > +++ b/include/keys/x509-parser.h > @@ -0,0 +1,44 @@ > +/* SPDX-License-Identifier: GPL-2.0-or-later */ > +/* X.509 certificate parser > + * > + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. > + * Written by David Howells (dhowells@redhat.com) > + */ Please add the include guard #ifndef + #define. Other than that, this looks okay, Reviewed-by: Ilpo J?rvinen -- i. > + > +#include > +#include > +#include > + > +struct x509_certificate { > + struct x509_certificate *next; > + struct x509_certificate *signer; /* Certificate that signed this one */ > + struct public_key *pub; /* Public key details */ > + struct public_key_signature *sig; /* Signature parameters */ > + char *issuer; /* Name of certificate issuer */ > + char *subject; /* Name of certificate subject */ > + struct asymmetric_key_id *id; /* Issuer + Serial number */ > + struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */ > + time64_t valid_from; > + time64_t valid_to; > + const void *tbs; /* Signed data */ > + unsigned tbs_size; /* Size of signed data */ > + unsigned raw_sig_size; /* Size of signature */ > + const void *raw_sig; /* Signature data */ > + const void *raw_serial; /* Raw serial number in ASN.1 */ > + unsigned raw_serial_size; > + unsigned raw_issuer_size; > + const void *raw_issuer; /* Raw issuer name in ASN.1 */ > + const void *raw_subject; /* Raw subject name in ASN.1 */ > + unsigned raw_subject_size; > + unsigned raw_skid_size; > + const void *raw_skid; /* Raw subjectKeyId in ASN.1 */ > + unsigned index; > + bool seen; /* Infinite recursion prevention */ > + bool verified; > + bool self_signed; /* T if self-signed (check unsupported_sig too) */ > + bool unsupported_sig; /* T if signature uses unsupported crypto */ > + bool blacklisted; > +}; > + > +struct x509_certificate *x509_cert_parse(const void *data, size_t datalen); > +void x509_free_certificate(struct x509_certificate *cert); --8323329-1636035145-1696319842=:2030--