X.509: Add bits needed for PKCS#7
authorDavid Howells <dhowells@redhat.com>
Tue, 1 Jul 2014 15:40:19 +0000 (16:40 +0100)
committerDavid Howells <dhowells@redhat.com>
Tue, 1 Jul 2014 15:40:19 +0000 (16:40 +0100)
PKCS#7 validation requires access to the serial number and the raw names in an
X.509 certificate.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Josh Boyer <jwboyer@redhat.com>
crypto/asymmetric_keys/x509.asn1
crypto/asymmetric_keys/x509_cert_parser.c
crypto/asymmetric_keys/x509_parser.h

index bf32b3dff088c98cb97988db442724cddf55e03e..aae0cde414e2d8939c6f1c7ebc4c11117a275ec4 100644 (file)
@@ -6,7 +6,7 @@ Certificate ::= SEQUENCE {
 
 TBSCertificate ::= SEQUENCE {
        version           [ 0 ] Version DEFAULT,
-       serialNumber            CertificateSerialNumber,
+       serialNumber            CertificateSerialNumber ({ x509_note_serial }),
        signature               AlgorithmIdentifier ({ x509_note_pkey_algo }),
        issuer                  Name ({ x509_note_issuer }),
        validity                Validity,
index 29893162497ca352101b4d2126a0d03590e50ed1..4a8df29ab71379f490ec737334298c33747592a2 100644 (file)
@@ -210,6 +210,19 @@ int x509_note_signature(void *context, size_t hdrlen,
        return 0;
 }
 
+/*
+ * Note the certificate serial number
+ */
+int x509_note_serial(void *context, size_t hdrlen,
+                    unsigned char tag,
+                    const void *value, size_t vlen)
+{
+       struct x509_parse_context *ctx = context;
+       ctx->cert->raw_serial = value;
+       ctx->cert->raw_serial_size = vlen;
+       return 0;
+}
+
 /*
  * Note some of the name segments from which we'll fabricate a name.
  */
@@ -322,6 +335,8 @@ int x509_note_issuer(void *context, size_t hdrlen,
                     const void *value, size_t vlen)
 {
        struct x509_parse_context *ctx = context;
+       ctx->cert->raw_issuer = value;
+       ctx->cert->raw_issuer_size = vlen;
        return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->issuer, vlen);
 }
 
@@ -330,6 +345,8 @@ int x509_note_subject(void *context, size_t hdrlen,
                      const void *value, size_t vlen)
 {
        struct x509_parse_context *ctx = context;
+       ctx->cert->raw_subject = value;
+       ctx->cert->raw_subject_size = vlen;
        return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->subject, vlen);
 }
 
index 87d9cc26f630625d7c57e3309456de2a356a46b5..1b76f207c1f3aeb3f8a5ade16979675aecd1c397 100644 (file)
@@ -14,7 +14,9 @@
 
 struct x509_certificate {
        struct x509_certificate *next;
+       struct x509_certificate *signer;        /* Certificate that signed this one */
        struct public_key *pub;                 /* Public key details */
+       struct public_key_signature sig;        /* Signature parameters */
        char            *issuer;                /* Name of certificate issuer */
        char            *subject;               /* Name of certificate subject */
        char            *fingerprint;           /* Key fingerprint as hex */
@@ -25,7 +27,16 @@ struct x509_certificate {
        unsigned        tbs_size;               /* Size of signed data */
        unsigned        raw_sig_size;           /* Size of sigature */
        const void      *raw_sig;               /* Signature data */
-       struct public_key_signature sig;        /* Signature parameters */
+       const void      *raw_serial;            /* Raw serial number in ASN.1 */
+       unsigned        raw_serial_size;
+       unsigned        raw_issuer_size;
+       const void      *raw_issuer;            /* Raw issuer name in ASN.1 */
+       const void      *raw_subject;           /* Raw subject name in ASN.1 */
+       unsigned        raw_subject_size;
+       unsigned        index;
+       bool            seen;                   /* Infinite recursion prevention */
+       bool            verified;
+       bool            trusted;
 };
 
 /*