diff options
| author | David Howells <dhowells@redhat.com> | 2014-09-16 17:38:07 +0100 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2014-09-16 17:38:07 +0100 |
| commit | e8ad2d9b5ee05ffc5c49d1dc2731330ad276ae20 (patch) | |
| tree | ea50915321b345c3d2973fe5259038ccfceda9f8 /crypto/asymmetric_keys/x509_parser.h | |
| parent | 59d384b06776928f95a18d22efc1b9dfad4cc36e (diff) | |
| parent | 4fa8d06586307c5403958f1c67120957b0d1ee81 (diff) | |
| download | linux-crypto-e8ad2d9b5ee05ffc5c49d1dc2731330ad276ae20.tar.gz linux-crypto-e8ad2d9b5ee05ffc5c49d1dc2731330ad276ae20.zip | |
Merge tag 'keys-pkcs7-20140916' into keys-next
Changes for next to improve the matching of asymmetric keys and to improve the
handling of PKCS#7 certificates:
(1) Provide a method to preparse the data supplied for matching a key. This
permits they key type to extract out the bits it needs for matching once
only.
Further, the type of search (direct lookup or iterative) can be set and
the function used to actually check the match can be set by preparse
rather than being hard coded for the type.
(2) Improves asymmetric keys identification.
Keys derived from X.509 certs now get labelled with IDs derived from their
issuer and certificate number (required to match PKCS#7) and from their
SKID and subject (required to match X.509).
IDs are now binary and match criterion preparsing is provided so that
criteria can be turned into binary blobs to make matching faster.
(3) Improves PKCS#7 message handling to permit PKCS#7 messages without X.509
cert lists to be matched to trusted keys, thereby allowing minimally sized
PKCS#7 certs to be used.
(4) Improves PKCS#7 message handling to better handle certificate chains that
are broken due to unsupported crypto that can otherwise by used to
intersect a trust keyring.
These must go on top of the PKCS#7 parser cleanup fixes.
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'crypto/asymmetric_keys/x509_parser.h')
| -rw-r--r-- | crypto/asymmetric_keys/x509_parser.h | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h index 1b76f207..4e1a3849 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++ b/crypto/asymmetric_keys/x509_parser.h @@ -19,8 +19,9 @@ struct x509_certificate { struct public_key_signature sig; /* Signature parameters */ char *issuer; /* Name of certificate issuer */ char *subject; /* Name of certificate subject */ - char *fingerprint; /* Key fingerprint as hex */ - char *authority; /* Authority key fingerprint as hex */ + struct asymmetric_key_id *id; /* Issuer + serial number */ + struct asymmetric_key_id *skid; /* Subject key identifier */ + struct asymmetric_key_id *authority; /* Authority key identifier */ struct tm valid_from; struct tm valid_to; const void *tbs; /* Signed data */ @@ -37,6 +38,7 @@ struct x509_certificate { bool seen; /* Infinite recursion prevention */ bool verified; bool trusted; + bool unsupported_crypto; /* T if can't be verified due to missing crypto */ }; /* |