x509: Add support for parsing x509 certs with ECDSA keys

Add support for parsing of x509 certificates that contain ECDSA keys, such as NIST P256, that have been signed by a CA using any of the current SHA hash algorithms. Cc: David Howells <dhowells@redhat.com> Cc: keyrings@vger.kernel.org Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
author: Stefan Berger <stefanb@linux.ibm.com> 2021-03-17 00:07:37 +0300
committer: Herbert Xu <herbert@gondor.apana.org.au> 2021-03-26 11:41:59 +0300
commit: 299f561a66939debba70e6d7c67aa01ed32613d9 (patch)
tree: 490234c55e82ab9c0d1009e1a0db5fd73fb0064f /crypto/asymmetric_keys/x509_public_key.c
parent: d1a303e8616c5ba1260722bb9068bbc0d1704847 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index ae450eb8be14..3d45161b271a 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -129,7 +129,9 @@ int x509_check_for_self_signed(struct x509_certificate *cert)
 	}
 
 	ret = -EKEYREJECTED;
-	if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0)
+	if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0 &&
+	    (strncmp(cert->pub->pkey_algo, "ecdsa-", 6) != 0 ||
+	     strcmp(cert->sig->pkey_algo, "ecdsa") != 0))
 		goto out;
 
 	ret = public_key_verify_signature(cert->pub, cert->sig);
author	Stefan Berger <stefanb@linux.ibm.com>	2021-03-17 00:07:37 +0300
committer	Herbert Xu <herbert@gondor.apana.org.au>	2021-03-26 11:41:59 +0300
commit	299f561a66939debba70e6d7c67aa01ed32613d9 (patch)
tree	490234c55e82ab9c0d1009e1a0db5fd73fb0064f /crypto/asymmetric_keys/x509_public_key.c
parent	d1a303e8616c5ba1260722bb9068bbc0d1704847 (diff)