1. 13 4月, 2016 6 次提交
  2. 11 4月, 2016 1 次提交
  3. 06 4月, 2016 7 次提交
    • D
      X.509: Fix self-signed determination · ad3043fd
      David Howells 提交于
      There's a bug in the code determining whether a certificate is self-signed
      or not: if they have neither AKID nor SKID then we just assume that the
      cert is self-signed, which may not be true.
      
      Fix this by checking that the raw subject name matches the raw issuer name
      and that the public key algorithm for the key and signature are both the
      same in addition to requiring that the AKID bits match.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      ad3043fd
    • D
      X.509: Extract signature digest and make self-signed cert checks earlier · 6c2dc5ae
      David Howells 提交于
      Extract the signature digest for an X.509 certificate earlier, at the end
      of x509_cert_parse() rather than leaving it to the callers thereof since it
      has to be called anyway.
      
      Further, immediately after that, check the signature on self-signed
      certificates, also rather in the callers of x509_cert_parse().
      
      We note in the x509_certificate struct the following bits of information:
      
       (1) Whether the signature is self-signed (even if we can't check the
           signature due to missing crypto).
      
       (2) Whether the key held in the certificate needs unsupported crypto to be
           used.  We may get a PKCS#7 message with X.509 certs that we can't make
           use of - we just ignore them and give ENOPKG at the end it we couldn't
           verify anything if at least one of these unusable certs are in the
           chain of trust.
      
       (3) Whether the signature held in the certificate needs unsupported crypto
           to be checked.  We can still use the key held in this certificate,
           even if we can't check the signature on it - if it is held in the
           system trusted keyring, for instance.  We just can't add it to a ring
           of trusted keys or follow it further up the chain of trust.
      
      Making these checks earlier allows x509_check_signature() to be removed and
      replaced with direct calls to public_key_verify_signature().
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      6c2dc5ae
    • D
      PKCS#7: Make the signature a pointer rather than embedding it · 566a117a
      David Howells 提交于
      Point to the public_key_signature struct from the pkcs7_signed_info struct
      rather than embedding it.  This makes the code consistent with the X.509
      signature handling and makes it possible to have a common cleanup function.
      
      We also save a copy of the digest in the signature without sharing the
      memory with the crypto layer metadata.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      566a117a
    • D
      X.509: Retain the key verification data · 77d0910d
      David Howells 提交于
      Retain the key verification data (ie. the struct public_key_signature)
      including the digest and the key identifiers.
      
      Note that this means that we need to take a separate copy of the digest in
      x509_get_sig_params() rather than lumping it in with the crypto layer data.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      77d0910d
    • D
      KEYS: Add identifier pointers to public_key_signature struct · a022ec02
      David Howells 提交于
      Add key identifier pointers to public_key_signature struct so that they can
      be used to retain the identifier of the key to be used to verify the
      signature in both PKCS#7 and X.509.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      a022ec02
    • D
      KEYS: Allow authentication data to be stored in an asymmetric key · 3b764563
      David Howells 提交于
      Allow authentication data to be stored in an asymmetric key in the 4th
      element of the key payload and provide a way for it to be destroyed.
      
      For the public key subtype, this will be a public_key_signature struct.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      3b764563
    • D
      X.509: Whitespace cleanup · 864e7a81
      David Howells 提交于
      Clean up some whitespace.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      864e7a81
  4. 03 4月, 2016 9 次提交
  5. 02 4月, 2016 17 次提交