subject:"\[PATCH\] X.509\: Fix test for self\-signed certificate"

Re: [PATCH] X.509: Fix test for self-signed certificate

2016-02-26 Thread Michal Marek

On 2016-02-24 15:54, David Howells wrote:
> Hi Michal,
> 
> I have the attached patch already in my queue.
> 
> David
> ---
> commit d19fcb825912c67e09e0575b95accaa42899e07f
> Author: David Howells 
> Date:   Wed Feb 24 14:37:54 2016 +
> 
> X.509: Don't treat self-signed keys specially

Hi David,

this solves my problem too, obviously. I thought the signature check for
self-signed certificates was a sort of consistency check.

Thanks,
Michal

Re: [PATCH] X.509: Fix test for self-signed certificate

2016-02-26 Thread Michal Marek

On 2016-02-24 15:54, David Howells wrote:
> Hi Michal,
> 
> I have the attached patch already in my queue.
> 
> David
> ---
> commit d19fcb825912c67e09e0575b95accaa42899e07f
> Author: David Howells 
> Date:   Wed Feb 24 14:37:54 2016 +
> 
> X.509: Don't treat self-signed keys specially

Hi David,

this solves my problem too, obviously. I thought the signature check for
self-signed certificates was a sort of consistency check.

Thanks,
Michal

Re: [PATCH] X.509: Fix test for self-signed certificate

2016-02-24 Thread David Howells

Hi Michal,

I have the attached patch already in my queue.

David
---
commit d19fcb825912c67e09e0575b95accaa42899e07f
Author: David Howells 
Date:   Wed Feb 24 14:37:54 2016 +

X.509: Don't treat self-signed keys specially

Trust for a self-signed certificate can normally only be determined by
whether we obtained it from a trusted location (ie. it was built into the
kernel at compile time), so there's not really any point in checking it -
we could verify that the signature is valid, but it doesn't really tell us
anything if the signature checks out.

However, there's a bug in the code determining whether a certificate is
self-signed or not - if they have neither AKID nor SKID then we just assume
that the cert is self-signed, which may not be true.

Given this, remove the code that treats self-signed certs specially when it
comes to evaluating trustability and attempt to evaluate them as ordinary
signed certificates.  We then expect self-signed certificates to fail the
trustability check and be marked as untrustworthy in x509_key_preparse().

Note that there is the possibility of the trustability check on a
self-signed cert then succeeding.  This is most likely to happen when a
duplicate of the certificate is already on the trust keyring - in which
case it shouldn't be a problem.

Signed-off-by: David Howells 
Acked-by: Mimi Zohar 
cc: David Woodhouse 

diff --git a/crypto/asymmetric_keys/x509_public_key.c 
b/crypto/asymmetric_keys/x509_public_key.c
index 9e9e5a6a9ed6..fd76eca902b8 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -255,6 +255,9 @@ static int x509_validate_trust(struct x509_certificate 
*cert,
struct key *key;
int ret = 1;
 
+   if (!cert->akid_id || !cert->akid_skid)
+   return 1;
+
if (!trust_keyring)
return -EOPNOTSUPP;
 
@@ -312,19 +315,23 @@ static int x509_key_preparse(struct key_preparsed_payload 
*prep)
cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
cert->pub->id_type = PKEY_ID_X509;
 
-   /* Check the signature on the key if it appears to be self-signed */
-   if ((!cert->akid_skid && !cert->akid_id) ||
-   asymmetric_key_id_same(cert->skid, cert->akid_skid) ||
-   asymmetric_key_id_same(cert->id, cert->akid_id)) {
-   ret = x509_check_signature(cert->pub, cert); /* self-signed */
-   if (ret < 0)
-   goto error_free_cert;
-   } else if (!prep->trusted) {
+   /* See if we can derive the trustability of this certificate.
+*
+* When it comes to self-signed certificates, we cannot evaluate
+* trustedness except by the fact that we obtained it from a trusted
+* location.  So we just rely on x509_validate_trust() failing in this
+* case.
+*
+* Note that there's a possibility of a self-signed cert matching a
+* cert that we have (most likely a duplicate that we already trust) -
+* in which case it will be marked trusted.
+*/
+   if (!prep->trusted) {
ret = x509_validate_trust(cert, get_system_trusted_keyring());
if (ret)
ret = x509_validate_trust(cert, get_ima_mok_keyring());
if (!ret)
-   prep->trusted = 1;
+   prep->trusted = true;
}
 
/* Propose a description */

Re: [PATCH] X.509: Fix test for self-signed certificate

2016-02-24 Thread David Howells

Hi Michal,

I have the attached patch already in my queue.

David
---
commit d19fcb825912c67e09e0575b95accaa42899e07f
Author: David Howells 
Date:   Wed Feb 24 14:37:54 2016 +

X.509: Don't treat self-signed keys specially

Trust for a self-signed certificate can normally only be determined by
whether we obtained it from a trusted location (ie. it was built into the
kernel at compile time), so there's not really any point in checking it -
we could verify that the signature is valid, but it doesn't really tell us
anything if the signature checks out.

However, there's a bug in the code determining whether a certificate is
self-signed or not - if they have neither AKID nor SKID then we just assume
that the cert is self-signed, which may not be true.

Given this, remove the code that treats self-signed certs specially when it
comes to evaluating trustability and attempt to evaluate them as ordinary
signed certificates.  We then expect self-signed certificates to fail the
trustability check and be marked as untrustworthy in x509_key_preparse().

Note that there is the possibility of the trustability check on a
self-signed cert then succeeding.  This is most likely to happen when a
duplicate of the certificate is already on the trust keyring - in which
case it shouldn't be a problem.

Signed-off-by: David Howells 
Acked-by: Mimi Zohar 
cc: David Woodhouse 

diff --git a/crypto/asymmetric_keys/x509_public_key.c 
b/crypto/asymmetric_keys/x509_public_key.c
index 9e9e5a6a9ed6..fd76eca902b8 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -255,6 +255,9 @@ static int x509_validate_trust(struct x509_certificate 
*cert,
struct key *key;
int ret = 1;
 
+   if (!cert->akid_id || !cert->akid_skid)
+   return 1;
+
if (!trust_keyring)
return -EOPNOTSUPP;
 
@@ -312,19 +315,23 @@ static int x509_key_preparse(struct key_preparsed_payload 
*prep)
cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
cert->pub->id_type = PKEY_ID_X509;
 
-   /* Check the signature on the key if it appears to be self-signed */
-   if ((!cert->akid_skid && !cert->akid_id) ||
-   asymmetric_key_id_same(cert->skid, cert->akid_skid) ||
-   asymmetric_key_id_same(cert->id, cert->akid_id)) {
-   ret = x509_check_signature(cert->pub, cert); /* self-signed */
-   if (ret < 0)
-   goto error_free_cert;
-   } else if (!prep->trusted) {
+   /* See if we can derive the trustability of this certificate.
+*
+* When it comes to self-signed certificates, we cannot evaluate
+* trustedness except by the fact that we obtained it from a trusted
+* location.  So we just rely on x509_validate_trust() failing in this
+* case.
+*
+* Note that there's a possibility of a self-signed cert matching a
+* cert that we have (most likely a duplicate that we already trust) -
+* in which case it will be marked trusted.
+*/
+   if (!prep->trusted) {
ret = x509_validate_trust(cert, get_system_trusted_keyring());
if (ret)
ret = x509_validate_trust(cert, get_ima_mok_keyring());
if (!ret)
-   prep->trusted = 1;
+   prep->trusted = true;
}
 
/* Propose a description */

Re: [PATCH] X.509: Fix test for self-signed certificate

2016-02-16 Thread lee joey

2016-02-11 21:34 GMT+08:00 Michal Marek :
> If either the Subject + subjectKeyId or the Issuer + Serial number
> differs between the certificate and the CA, the certificate is not
> self-signed. In practice, both will be equal for self-signed
> certificates and both will differ for CA-signed certificates. It is only
> an issue if the CA used the same serial number for its own self-signed
> certificate and the certificate we are checking. This is probably not
> valid / recommended, but we should not assume that the certificate is
> self-signed because of that.
>
> Fixes: 4573b64a31cd ("X.509: Support X.509 lookup by Issuer+Serial form 
> AuthorityKeyIdentifier")
> Signed-off-by: Michal Marek 

Tested-by: Lee, Chun-Yi 


Regards

Joey Lee

> ---
>  crypto/asymmetric_keys/x509_public_key.c | 7 ---
>  1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/crypto/asymmetric_keys/x509_public_key.c 
> b/crypto/asymmetric_keys/x509_public_key.c
> index 7092d5cbb5d3..2c46e022a2a3 100644
> --- a/crypto/asymmetric_keys/x509_public_key.c
> +++ b/crypto/asymmetric_keys/x509_public_key.c
> @@ -308,9 +308,10 @@ static int x509_key_preparse(struct 
> key_preparsed_payload *prep)
> cert->pub->id_type = PKEY_ID_X509;
>
> /* Check the signature on the key if it appears to be self-signed */
> -   if ((!cert->akid_skid && !cert->akid_id) ||
> -   asymmetric_key_id_same(cert->skid, cert->akid_skid) ||
> -   asymmetric_key_id_same(cert->id, cert->akid_id)) {
> +   if ((!cert->akid_skid ||
> +   asymmetric_key_id_same(cert->skid, cert->akid_skid)) 
> &&
> +   (!cert->akid_id ||
> +   asymmetric_key_id_same(cert->id, cert->akid_id))) {
> ret = x509_check_signature(cert->pub, cert); /* self-signed */
> if (ret < 0)
> goto error_free_cert;
> --
> 2.1.4
>

Re: [PATCH] X.509: Fix test for self-signed certificate

2016-02-16 Thread lee joey

2016-02-11 21:34 GMT+08:00 Michal Marek :
> If either the Subject + subjectKeyId or the Issuer + Serial number
> differs between the certificate and the CA, the certificate is not
> self-signed. In practice, both will be equal for self-signed
> certificates and both will differ for CA-signed certificates. It is only
> an issue if the CA used the same serial number for its own self-signed
> certificate and the certificate we are checking. This is probably not
> valid / recommended, but we should not assume that the certificate is
> self-signed because of that.
>
> Fixes: 4573b64a31cd ("X.509: Support X.509 lookup by Issuer+Serial form 
> AuthorityKeyIdentifier")
> Signed-off-by: Michal Marek 

Tested-by: Lee, Chun-Yi 


Regards

Joey Lee

> ---
>  crypto/asymmetric_keys/x509_public_key.c | 7 ---
>  1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/crypto/asymmetric_keys/x509_public_key.c 
> b/crypto/asymmetric_keys/x509_public_key.c
> index 7092d5cbb5d3..2c46e022a2a3 100644
> --- a/crypto/asymmetric_keys/x509_public_key.c
> +++ b/crypto/asymmetric_keys/x509_public_key.c
> @@ -308,9 +308,10 @@ static int x509_key_preparse(struct 
> key_preparsed_payload *prep)
> cert->pub->id_type = PKEY_ID_X509;
>
> /* Check the signature on the key if it appears to be self-signed */
> -   if ((!cert->akid_skid && !cert->akid_id) ||
> -   asymmetric_key_id_same(cert->skid, cert->akid_skid) ||
> -   asymmetric_key_id_same(cert->id, cert->akid_id)) {
> +   if ((!cert->akid_skid ||
> +   asymmetric_key_id_same(cert->skid, cert->akid_skid)) 
> &&
> +   (!cert->akid_id ||
> +   asymmetric_key_id_same(cert->id, cert->akid_id))) {
> ret = x509_check_signature(cert->pub, cert); /* self-signed */
> if (ret < 0)
> goto error_free_cert;
> --
> 2.1.4
>

[PATCH] X.509: Fix test for self-signed certificate

2016-02-11 Thread Michal Marek

If either the Subject + subjectKeyId or the Issuer + Serial number
differs between the certificate and the CA, the certificate is not
self-signed. In practice, both will be equal for self-signed
certificates and both will differ for CA-signed certificates. It is only
an issue if the CA used the same serial number for its own self-signed
certificate and the certificate we are checking. This is probably not
valid / recommended, but we should not assume that the certificate is
self-signed because of that.

Fixes: 4573b64a31cd ("X.509: Support X.509 lookup by Issuer+Serial form 
AuthorityKeyIdentifier")
Signed-off-by: Michal Marek 
---
 crypto/asymmetric_keys/x509_public_key.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/crypto/asymmetric_keys/x509_public_key.c 
b/crypto/asymmetric_keys/x509_public_key.c
index 7092d5cbb5d3..2c46e022a2a3 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -308,9 +308,10 @@ static int x509_key_preparse(struct key_preparsed_payload 
*prep)
cert->pub->id_type = PKEY_ID_X509;
 
/* Check the signature on the key if it appears to be self-signed */
-   if ((!cert->akid_skid && !cert->akid_id) ||
-   asymmetric_key_id_same(cert->skid, cert->akid_skid) ||
-   asymmetric_key_id_same(cert->id, cert->akid_id)) {
+   if ((!cert->akid_skid ||
+   asymmetric_key_id_same(cert->skid, cert->akid_skid)) &&
+   (!cert->akid_id ||
+   asymmetric_key_id_same(cert->id, cert->akid_id))) {
ret = x509_check_signature(cert->pub, cert); /* self-signed */
if (ret < 0)
goto error_free_cert;
-- 
2.1.4

[PATCH] X.509: Fix test for self-signed certificate

2016-02-11 Thread Michal Marek

If either the Subject + subjectKeyId or the Issuer + Serial number
differs between the certificate and the CA, the certificate is not
self-signed. In practice, both will be equal for self-signed
certificates and both will differ for CA-signed certificates. It is only
an issue if the CA used the same serial number for its own self-signed
certificate and the certificate we are checking. This is probably not
valid / recommended, but we should not assume that the certificate is
self-signed because of that.

Fixes: 4573b64a31cd ("X.509: Support X.509 lookup by Issuer+Serial form 
AuthorityKeyIdentifier")
Signed-off-by: Michal Marek 
---
 crypto/asymmetric_keys/x509_public_key.c | 7 ---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/crypto/asymmetric_keys/x509_public_key.c 
b/crypto/asymmetric_keys/x509_public_key.c
index 7092d5cbb5d3..2c46e022a2a3 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -308,9 +308,10 @@ static int x509_key_preparse(struct key_preparsed_payload 
*prep)
cert->pub->id_type = PKEY_ID_X509;
 
/* Check the signature on the key if it appears to be self-signed */
-   if ((!cert->akid_skid && !cert->akid_id) ||
-   asymmetric_key_id_same(cert->skid, cert->akid_skid) ||
-   asymmetric_key_id_same(cert->id, cert->akid_id)) {
+   if ((!cert->akid_skid ||
+   asymmetric_key_id_same(cert->skid, cert->akid_skid)) &&
+   (!cert->akid_id ||
+   asymmetric_key_id_same(cert->id, cert->akid_id))) {
ret = x509_check_signature(cert->pub, cert); /* self-signed */
if (ret < 0)
goto error_free_cert;
-- 
2.1.4

Re: [PATCH] X.509: Fix test for self-signed certificate

Re: [PATCH] X.509: Fix test for self-signed certificate

Re: [PATCH] X.509: Fix test for self-signed certificate

Re: [PATCH] X.509: Fix test for self-signed certificate

Re: [PATCH] X.509: Fix test for self-signed certificate

Re: [PATCH] X.509: Fix test for self-signed certificate

[PATCH] X.509: Fix test for self-signed certificate

[PATCH] X.509: Fix test for self-signed certificate

8 matches

Site Navigation

Mail list logo

Footer information