Re: [PATCH 2/4] X.509: Parse Basic Constraints for CA
From: Stefan Berger <stefanb@linux.ibm.com>
Date: 2022-03-04 15:10:59
Also in:
keyrings, linux-crypto, lkml
On 3/1/22 12:36, Eric Snowberg wrote:
quoted hunk ↗ jump to hunk
Parse the X.509 Basic Constraints. The basic constraints extension identifies whether the subject of the certificate is a CA. BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER (0..MAX) OPTIONAL } If the CA is true, store it in a new public_key field call key_is_ca. This will be used in a follow on patch that requires knowing if the public key is a CA. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++ include/crypto/public_key.h | 1 + 2 files changed, 10 insertions(+)diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 2899ed80bb18..38c907f4ce27 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c@@ -583,6 +583,15 @@ int x509_process_extension(void *context, size_t hdrlen, return 0; } + if (ctx->last_oid == OID_basicConstraints) {
Don't you have to check whether you can access v[0] and v[1]? if (vlen < 3) return -EBADMSG; or should it even be if (vlen != 3) return -EBADMSG;
quoted hunk ↗ jump to hunk
+ if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ)) + return -EBADMSG; + if (v[1] != vlen - 2) + return -EBADMSG; + if (v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1) + ctx->cert->pub->key_is_ca = true; + } + return 0; }diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 6d61695e1cde..0521241764b7 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h@@ -26,6 +26,7 @@ struct public_key { void *params; u32 paramlen; bool key_is_private; + bool key_is_ca; const char *id_type; const char *pkey_algo; };