linux/crypto/asymmetric_keys
David Howells a4c6e57f4f X.509: Change recorded SKID & AKID to not include Subject or Issuer
The key identifiers fabricated from an X.509 certificate are currently:

 (A) Concatenation of serial number and issuer

 (B) Concatenation of subject and subjectKeyID (SKID)

When verifying one X.509 certificate with another, the AKID in the target
can be used to match the authoritative certificate.  The AKID can specify
the match in one or both of two ways:

 (1) Compare authorityCertSerialNumber and authorityCertIssuer from the AKID
     to identifier (A) above.

 (2) Compare keyIdentifier from the AKID plus the issuer from the target
     certificate to identifier (B) above.

When verifying a PKCS#7 message, the only available comparison is between
the IssuerAndSerialNumber field and identifier (A) above.

However, a subsequent patch adds CMS support.  Whilst CMS still supports a
match on IssuerAndSerialNumber as for PKCS#7, it also supports an
alternative - which is the SubjectKeyIdentifier field.  This is used to
match to an X.509 certificate on the SKID alone.  No subject information is
available to be used.

To this end change the fabrication of (B) above to be from the X.509 SKID
alone.  The AKID in keyIdentifier form then only matches on that and does
not include the issuer.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-By: David Woodhouse <David.Woodhouse@intel.com>
2015-08-12 17:01:01 +01:00
..
.gitignore X.509: Add a crypto key parser for binary (DER) X.509 certificates 2012-10-08 13:50:22 +10:30
asymmetric_keys.h KEYS: fix "ca_keys=" partial key matching 2015-05-21 13:58:59 -04:00
asymmetric_type.c KEYS: fix "ca_keys=" partial key matching 2015-05-21 13:58:59 -04:00
Kconfig Merge branch 'keys-fixes' into keys-next 2014-07-22 21:55:45 +01:00
Makefile X.509: Extract both parts of the AuthorityKeyIdentifier 2015-08-07 16:26:13 +01:00
mscode_parser.c pefile: Handle pesign using the wrong OID 2014-07-09 14:58:37 +01:00
mscode.asn1 pefile: Parse the "Microsoft individual code signing" data blob 2014-07-09 14:58:37 +01:00
pkcs7_key_type.c crypto/asymmetric_keys: pkcs7_key_type needs module.h 2015-06-16 14:12:26 -04:00
pkcs7_parser.c PKCS#7: Check content type and versions 2015-08-12 17:01:00 +01:00
pkcs7_parser.h PKCS#7: Better handling of unsupported crypto 2014-09-16 17:36:15 +01:00
pkcs7_trust.c X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier 2015-08-07 16:26:13 +01:00
pkcs7_verify.c PKCS#7: Allow detached data to be supplied for signature checking purposes 2015-08-07 16:26:13 +01:00
pkcs7.asn1 PKCS#7: Check content type and versions 2015-08-12 17:01:00 +01:00
public_key.c KEYS: Fix public_key asymmetric key subtype name 2014-09-03 10:27:28 +10:00
public_key.h KEYS: Split public_key_verify_signature() and make available 2013-09-25 17:17:00 +01:00
rsa.c crypto: asymmetric_keys/rsa - Use non-conflicting variable name 2015-06-25 23:18:33 +08:00
signature.c KEYS: Set pr_fmt() in asymmetric key signature handling 2014-09-03 11:08:45 +10:00
verify_pefile.c PEFILE: Relax the check on the length of the PKCS#7 cert 2014-09-03 10:30:24 +10:00
verify_pefile.h pefile: Parse the "Microsoft individual code signing" data blob 2014-07-09 14:58:37 +01:00
x509_akid.asn1 X.509: Extract both parts of the AuthorityKeyIdentifier 2015-08-07 16:26:13 +01:00
x509_cert_parser.c X.509: Change recorded SKID & AKID to not include Subject or Issuer 2015-08-12 17:01:01 +01:00
x509_parser.h X.509: Extract both parts of the AuthorityKeyIdentifier 2015-08-07 16:26:13 +01:00
x509_public_key.c X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier 2015-08-07 16:26:13 +01:00
x509_rsakey.asn1 X.509: Add a crypto key parser for binary (DER) X.509 certificates 2012-10-08 13:50:22 +10:30
x509.asn1 X.509: Add bits needed for PKCS#7 2014-07-01 16:40:19 +01:00