git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commit
X.509: Support X.509 lookup by Issuer+Serial form AuthorityKeyIdentifier
author David Howells <dhowells@redhat.com>
Mon, 20 Jul 2015 20:16:26 +0000 (21:16 +0100)
committer David Howells <dhowells@redhat.com>
Fri, 7 Aug 2015 15:26:13 +0000 (16:26 +0100)
commit 4573b64a31cd8cb4cfeb1d1b95536cfe71980cf4
tree 0c019ea809c625e90a5f4b34f48831ed64c9565a
parent b92e6570a992c7d793a209db282f68159368201c

If an X.509 certificate has an AuthorityKeyIdentifier extension that provides
an issuer and serialNumber, then make it so that these are used in preference
to the keyIdentifier field also held therein for searching for the signing
certificate.

If both the issuer+serialNumber and the keyIdentifier are supplied, then the
certificate is looked up by the former but the latter is checked as well.  If
the latter doesn't match the subjectKeyIdentifier of the parent certificate,
EKEYREJECTED is returned.

This makes it possible to chain X.509 certificates based on the issuer and
serialNumber fields rather than on subjectKeyIdentifier.  This is necessary as
we are having to deal with keys that are represented by X.509 certificates
that lack a subjectKeyIdentifier.

Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Vivek Goyal <vgoyal@redhat.com>
crypto/asymmetric_keys/pkcs7_trust.c
crypto/asymmetric_keys/pkcs7_verify.c
crypto/asymmetric_keys/x509_public_key.c
include/crypto/public_key.h
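
The lookup order the commit message describes, as an added user-space illustration in C. It is not the kernel's code or part of this commit: the `model_cert` and `model_akid` types, `find_signer`, the string identifiers, the sample store and the `-ENOKEY` not-found result are assumptions of this model.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#ifndef EKEYREJECTED /* Linux errno values; fallback for other platforms */
#define ENOKEY 126
#define EKEYREJECTED 129
#endif

/* Hypothetical model, not kernel types: IDs are strings, NULL means absent. */
struct model_cert { const char *issuer_serial, *skid; };
struct model_akid { const char *issuer_serial, *key_id; };

/* Constructed sample store: the second certificate has no SKID. */
static const struct model_cert sample_store[] = {
    { "CN=Root CA#01", "aa11" },
    { "CN=Root CA#02", NULL },
};

static int same(const char *a, const char *b)
{
    return a && b && strcmp(a, b) == 0;
}

/* Returns 0 and sets *signer, or a negative errno. */
int find_signer(const struct model_cert *store, size_t n,
                const struct model_akid *akid, const struct model_cert **signer)
{
    *signer = NULL;
    for (size_t i = 0; i < n; i++) {
        if (akid->issuer_serial) {
            /* Preferred form: look up by issuer+serialNumber. */
            if (!same(store[i].issuer_serial, akid->issuer_serial))
                continue;
            /* keyIdentifier also given: it must equal the parent's SKID
             * (model choice: a parent without SKID counts as a mismatch). */
            if (akid->key_id && !same(store[i].skid, akid->key_id))
                return -EKEYREJECTED;
        } else if (!same(store[i].skid, akid->key_id)) {
            continue; /* keyIdentifier-only lookup */
        }
        *signer = &store[i];
        return 0;
    }
    return -ENOKEY; /* assumption: the page does not name the not-found error */
}
```

In this model an AuthorityKeyIdentifier carrying issuer+serialNumber never falls back to a keyIdentifier-only match, so a parent found by keyIdentifier alone is only accepted when no issuer+serialNumber was supplied.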