X.509: Add bits needed for PKCS#7

PKCS#7 validation requires access to the serial number and the raw names in an
X.509 certificate.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Josh Boyer <jwboyer@redhat.com>

diff --git a/crypto/asymmetric_keys/x509.asn1 b/crypto/asymmetric_keys/x509.asn1
index bf32b3dff088c98cb97988db442724cddf55e03e..aae0cde414e2d8939c6f1c7ebc4c11117a275ec4 100644 (file)
--- a/crypto/asymmetric_keys/x509.asn1
+++ b/crypto/asymmetric_keys/x509.asn1
@@ -6,7 +6,7 @@ Certificate ::= SEQUENCE {
 
 TBSCertificate ::= SEQUENCE {
        version           [ 0 ] Version DEFAULT,
-       serialNumber            CertificateSerialNumber,
+       serialNumber            CertificateSerialNumber ({ x509_note_serial }),
        signature               AlgorithmIdentifier ({ x509_note_pkey_algo }),
        issuer                  Name ({ x509_note_issuer }),
        validity                Validity,

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index a583930c83fbd1f46b7f4f412d4af26b7406e1dc..08bebf1137a71c89673d8589d6cb5b46513e73bc 100644 (file)
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -208,6 +208,19 @@ int x509_note_signature(void *context, size_t hdrlen,
        return 0;
 }
 
+/*
+ * Note the certificate serial number
+ */
+int x509_note_serial(void *context, size_t hdrlen,
+                    unsigned char tag,
+                    const void *value, size_t vlen)
+{
+       struct x509_parse_context *ctx = context;
+       ctx->cert->raw_serial = value;
+       ctx->cert->raw_serial_size = vlen;
+       return 0;
+}
+
 /*
  * Note some of the name segments from which we'll fabricate a name.
  */
@@ -320,6 +333,8 @@ int x509_note_issuer(void *context, size_t hdrlen,
                     const void *value, size_t vlen)
 {
        struct x509_parse_context *ctx = context;
+       ctx->cert->raw_issuer = value;
+       ctx->cert->raw_issuer_size = vlen;
        return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->issuer, vlen);
 }
 
@@ -328,6 +343,8 @@ int x509_note_subject(void *context, size_t hdrlen,
                      const void *value, size_t vlen)
 {
        struct x509_parse_context *ctx = context;
+       ctx->cert->raw_subject = value;
+       ctx->cert->raw_subject_size = vlen;
        return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->subject, vlen);
 }
 

diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index 2d01182147703a551811cecad91f34ae5589d66f..a6ce46f81deea023facf0e96bbfcc45ad2e27f3b 100644 (file)
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -24,9 +24,15 @@ struct x509_certificate {
        enum pkey_algo  sig_pkey_algo : 8;      /* Signature public key algorithm */
        enum pkey_hash_algo sig_hash_algo : 8;  /* Signature hash algorithm */
        const void      *tbs;                   /* Signed data */
-       size_t          tbs_size;               /* Size of signed data */
+       unsigned        tbs_size;               /* Size of signed data */
+       unsigned        sig_size;               /* Size of sigature */
        const void      *sig;                   /* Signature data */
-       size_t          sig_size;               /* Size of sigature */
+       const void      *raw_serial;            /* Raw serial number in ASN.1 */
+       unsigned        raw_serial_size;
+       unsigned        raw_issuer_size;
+       const void      *raw_issuer;            /* Raw issuer name in ASN.1 */
+       const void      *raw_subject;           /* Raw subject name in ASN.1 */
+       unsigned        raw_subject_size;
 };
 
 /*