Received: by 2002:a05:7412:3784:b0:e2:908c:2ebd with SMTP id jk4csp2028889rdb; Tue, 3 Oct 2023 08:14:18 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGlbExPIC0Qn04FrZvbHRnJLgmw091JA8NK5MptwP/i6LPrwxZyq7v8VF36PuDSPWevhdci X-Received: by 2002:a05:6830:1d43:b0:6c4:81d6:171b with SMTP id p3-20020a0568301d4300b006c481d6171bmr15617738oth.21.1696346057951; Tue, 03 Oct 2023 08:14:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696346057; cv=none; d=google.com; s=arc-20160816; b=rtKT5ZsPMME/rcBdNlWezF993rEMseFz1i+WtF9qnvvp6S8UuSXkgXCVyhN+YdrCMp J31NZ8NqUAen9ywRgftNrqANCuSC7N9GaxFtqfDhxTJ1K8qNq2DSX9/BDeVHynHmD67d bG3MQ9Evb+u8u/ObQmM9EDDs2UFdM4F2gMdG59aTV3x0WviXC0QVd8pjCw6SmssonZwT 1D4SRzGm3Sry9cmyN/XmwNsLz/QfsMF+KgmRXgD0RPV46ut6v0KyM+rP9q+UayLuTSBW K9lyIzyZOphKjbT8bMOBRsV4rZoLwyNJSKOg1nr7jg1qkOZfXDYMOuOImYizsgCR8J1V v70w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :organization:references:in-reply-to:message-id:subject:cc:to:from :date; bh=PceQ65pO2GlqNsq5ECbO8PogcEvj1ODkbvP6lohJxeU=; fh=VytaWnrtIe6rQzSTidyaXKVP21CYVB05Erb1vcNmZ/4=; b=XHQ6xJzLZeXeQ5+PahHHGnf75KXd6yOrCKJkEZwyq3iQdOsRUV62Bc4maePRmTa0gS gghHogcnmsIunu8CatfA5FOIftDPFlNqDub6Hk/b926aEz1S8XUGVq1qNCW1R6/w9mmc +2OOXRslc0lX5K7FlnZPfJrMe1HEMNeArQh+OAG3z37nFliC0VTY0Ut2sjtouf7s9Vtk MNhhC82PV1rAl4mUhFK5sMv/w3tXA9wPu3OexjD6RHo5O5bhEij0hWH/7boNyIcMceAO QwtjDTyma2JYpUyKjwQRTnay+lmXm4IvOKCegLje0uN2V5NvSVYpGO0Fm4LBhdFtOOIc sJMg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from snail.vger.email (snail.vger.email. [2620:137:e000::3:7]) by mx.google.com with ESMTPS id g9-20020a636b09000000b0057458518e21si1571777pgc.630.2023.10.03.08.14.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Oct 2023 08:14:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) client-ip=2620:137:e000::3:7; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::3:7 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id BA9A781A1E94; Tue, 3 Oct 2023 08:14:16 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240261AbjJCPOR (ORCPT + 99 others); Tue, 3 Oct 2023 11:14:17 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35622 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239475AbjJCPOR (ORCPT ); Tue, 3 Oct 2023 11:14:17 -0400 Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B9BA0A1; Tue, 3 Oct 2023 08:14:14 -0700 (PDT) Received: from lhrpeml500005.china.huawei.com (unknown [172.18.147.206]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4S0LvG41k7z6K7KY; Tue, 3 Oct 2023 23:14:02 +0800 (CST) Received: from localhost (10.202.227.76) by lhrpeml500005.china.huawei.com (7.191.163.240) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.31; Tue, 3 Oct 2023 16:14:11 +0100 Date: Tue, 3 Oct 2023 16:14:10 +0100 From: Jonathan Cameron To: Lukas Wunner CC: Bjorn Helgaas , David Howells , David Woodhouse , Herbert Xu , "David S. Miller" , Alex Williamson , , , , , , , , David Box , Dan Williams , Dave Jiang , "Li, Ming" , Zhi Wang , Alistair Francis , Wilfred Mallawa , Alexey Kardashevskiy , Tom Lendacky , Sean Christopherson , Alexander Graf Subject: Re: [PATCH 02/12] X.509: Parse Subject Alternative Name in certificates Message-ID: <20231003161410.00000d2c@Huawei.com> In-Reply-To: <704291cbc90ca3aaaaa56b191017c1400963cf12.1695921657.git.lukas@wunner.de> References: <704291cbc90ca3aaaaa56b191017c1400963cf12.1695921657.git.lukas@wunner.de> Organization: Huawei Technologies Research and Development (UK) Ltd. X-Mailer: Claws Mail 4.1.0 (GTK 3.24.33; x86_64-w64-mingw32) MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Originating-IP: [10.202.227.76] X-ClientProxiedBy: lhrpeml100001.china.huawei.com (7.191.160.183) To lhrpeml500005.china.huawei.com (7.191.163.240) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Tue, 03 Oct 2023 08:14:16 -0700 (PDT) On Thu, 28 Sep 2023 19:32:32 +0200 Lukas Wunner wrote: > The upcoming support for PCI device authentication with CMA-SPDM > (PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name > in X.509 certificates. > > Store a pointer to the Subject Alternative Name upon parsing for > consumption by CMA-SPDM. > > Signed-off-by: Lukas Wunner Reviewed-by: Jonathan Cameron > --- > crypto/asymmetric_keys/x509_cert_parser.c | 15 +++++++++++++++ > include/keys/x509-parser.h | 2 ++ > 2 files changed, 17 insertions(+) > > diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c > index 0a7049b470c1..18dfd564740b 100644 > --- a/crypto/asymmetric_keys/x509_cert_parser.c > +++ b/crypto/asymmetric_keys/x509_cert_parser.c > @@ -579,6 +579,21 @@ int x509_process_extension(void *context, size_t hdrlen, > return 0; > } > > + if (ctx->last_oid == OID_subjectAltName) { > + /* > + * A certificate MUST NOT include more than one instance > + * of a particular extension (RFC 5280 sec 4.2). > + */ > + if (ctx->cert->raw_san) { > + pr_err("Duplicate Subject Alternative Name\n"); > + return -EINVAL; > + } > + > + ctx->cert->raw_san = v; > + ctx->cert->raw_san_size = vlen; > + return 0; > + } > + > if (ctx->last_oid == OID_keyUsage) { > /* > * Get hold of the keyUsage bit string > diff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h > index 7c2ebc84791f..9c6e7cdf4870 100644 > --- a/include/keys/x509-parser.h > +++ b/include/keys/x509-parser.h > @@ -32,6 +32,8 @@ struct x509_certificate { > unsigned raw_subject_size; > unsigned raw_skid_size; > const void *raw_skid; /* Raw subjectKeyId in ASN.1 */ > + const void *raw_san; /* Raw subjectAltName in ASN.1 */ > + unsigned raw_san_size; > unsigned index; > bool seen; /* Infinite recursion prevention */ > bool verified;