KEYS: use swapped SKID for performing partial matching
authorDmitry Kasatkin <d.kasatkin@samsung.com>
Mon, 6 Oct 2014 15:52:12 +0000 (16:52 +0100)
committerDavid Howells <dhowells@redhat.com>
Mon, 6 Oct 2014 15:56:08 +0000 (16:56 +0100)
Earlier KEYS code used pure subject key identifiers (fingerprint)
for searching keys. Latest merged code removed that and broke
compatibility with integrity subsystem signatures and the original
format of module signatures.

This patch restores partial matching on SKID.

Reported-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: David Howells <dhowells@redhat.com>
crypto/asymmetric_keys/x509_cert_parser.c
crypto/asymmetric_keys/x509_parser.h

index 393706f33fa5491392e8c14e8b0be698a50e125e..a668d90302d38c541fb5a78aa5442019cc739b21 100644 (file)
@@ -437,9 +437,9 @@ int x509_process_extension(void *context, size_t hdrlen,
 
                ctx->cert->raw_skid_size = vlen;
                ctx->cert->raw_skid = v;
-               kid = asymmetric_key_generate_id(v, vlen,
-                                                ctx->cert->raw_subject,
-                                                ctx->cert->raw_subject_size);
+               kid = asymmetric_key_generate_id(ctx->cert->raw_subject,
+                                                ctx->cert->raw_subject_size,
+                                                v, vlen);
                if (IS_ERR(kid))
                        return PTR_ERR(kid);
                ctx->cert->skid = kid;
@@ -493,9 +493,9 @@ int x509_process_extension(void *context, size_t hdrlen,
                        v += (sub + 2);
                }
 
-               kid = asymmetric_key_generate_id(v, vlen,
-                                                ctx->cert->raw_issuer,
-                                                ctx->cert->raw_issuer_size);
+               kid = asymmetric_key_generate_id(ctx->cert->raw_issuer,
+                                                ctx->cert->raw_issuer_size,
+                                                v, vlen);
                if (IS_ERR(kid))
                        return PTR_ERR(kid);
                pr_debug("authkeyid %*phN\n", kid->len, kid->data);
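Review bot: The swapped argument order in the `asymmetric_key_generate_id` calls (L27-L29 and again L40-L42) is the whole point of the change, yet nothing at either call site says the order is significant, so a later cleanup could put the key identifier back in front and silently break partial matching again. Suggest a comment above the first call, `/* Subject first, SKID last: partial matching compares the trailing SKID bytes */`, and a parallel one above the authority-key-id call in the second hunk. Which bytes the partial match compares is taken from the commit message, not from this diff, so confirm the wording against the partial-match helper before committing it. x509_process_extension starts and ends outside both hunks.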
index 3f0f0f08162150a7edc8ff81cbf3c2005a8f0b2d..3dfe6b5d6f0b90433d9aefb2a627d70068f4d928 100644 (file)
@@ -19,9 +19,9 @@ struct x509_certificate {
        struct public_key_signature sig;        /* Signature parameters */
        char            *issuer;                /* Name of certificate issuer */
        char            *subject;               /* Name of certificate subject */
-       struct asymmetric_key_id *id;           /* Issuer + serial number */
-       struct asymmetric_key_id *skid;         /* Subject key identifier */
-       struct asymmetric_key_id *authority;    /* Authority key identifier */
+       struct asymmetric_key_id *id;           /* Serial number + issuer */
+       struct asymmetric_key_id *skid;         /* Subject + subjectKeyId (optional) */
+       struct asymmetric_key_id *authority;    /* Authority key identifier (optional) */
        struct tm       valid_from;
        struct tm       valid_to;
        const void      *tbs;                   /* Signed data */
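Review bot: The comment on `id` changes from "Issuer + serial number" to "Serial number + issuer" (L54), but no hunk in this commit touches the place where `id` is generated, so the comment now describes an order this diff does not establish. If the generator already emits serial first this is just a correction, but it is worth confirming, since a mismatch between the documented byte order and the actual one would make the "(optional)" and ordering notes on `skid` and `authority` hard to trust as well. The struct definition continues outside the hunk.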