[PATCH] KEYS: X.509: Fix Basic Constraints CA flag parsing

Keyrings Archive mirror
 help / color / mirror / Atom feed

From: wufan@kernel.org
To: dhowells@redhat.com, lukas@wunner.de, ignat@cloudflare.com,
	herbert@gondor.apana.org.au, davem@davemloft.net,
	jarkko@kernel.org, zohar@linux.ibm.com, eric.snowberg@oracle.com
Cc: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org, Fan Wu <wufan@kernel.org>
Subject: [PATCH] KEYS: X.509: Fix Basic Constraints CA flag parsing
Date: Thu, 11 Sep 2025 22:53:56 +0000	[thread overview]
Message-ID: <20250911225356.2678-1-wufan@kernel.org> (raw)

From: Fan Wu <wufan@kernel.org>

Fix the X.509 Basic Constraints CA flag parsing to correctly handle
the ASN.1 DER encoded structure. The parser was incorrectly treating
the length field as the boolean value.

According to ITU-T X.690 section 8.2, a BOOLEAN is encoded as:

Tag (0x01), Length (0x01), Value (0x00 for FALSE, non-zero for TRUE)

The basicConstraints extension with CA:TRUE is encoded as:

  SEQUENCE (0x30) | Length | BOOLEAN (0x01) | Length (0x01) | Value (0xFF)
                             ^-- v[2]         ^-- v[3]        ^-- v[4]

The parser was checking v[3] (the length field, always 0x01) instead
of v[4] (the actual boolean value, 0xFF for TRUE).

Per ITU-T X.690-02/2021 section 8.2.2:
"If the boolean value is TRUE, the octet shall have any non-zero
value, as a sender's option."

Most implementations, including OpenSSL, encode TRUE as 0xFF.

Link: https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
Fixes: 30eae2b037af ("KEYS: X.509: Parse Basic Constraints for CA")
Signed-off-by: Fan Wu <wufan@kernel.org>
---
 crypto/asymmetric_keys/x509_cert_parser.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 2ffe4ae90bea..4dfec6c45772 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -613,8 +613,10 @@ int x509_process_extension(void *context, size_t hdrlen,
 		 *	(Expect 0x2 or greater, making it 1 or more bytes)
 		 * v[2] is the encoding type
 		 *	(Expect an ASN1_BOOL for the CA)
-		 * v[3] is the contents of the ASN1_BOOL
-		 *      (Expect 1 if the CA is TRUE)
+		 * v[3] is the length of the ASN1_BOOL
+		 *	(Expect 1 for a single byte boolean)
+		 * v[4] is the contents of the ASN1_BOOL
+		 *	(Expect non-zero if the CA is TRUE, typically 0xFF)
 		 * vlen should match the entire extension size
 		 */
 		if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ))
@@ -623,7 +625,7 @@ int x509_process_extension(void *context, size_t hdrlen,
 			return -EBADMSG;
 		if (v[1] != vlen - 2)
 			return -EBADMSG;
-		if (vlen >= 4 && v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1)
+		if (vlen >= 5 && v[1] != 0 && v[2] == ASN1_BOOL && v[3] == 1 && v[4] != 0)
 			ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_CA;
 		return 0;
 	}
-- 
2.50.1

next             reply	other threads:[~2025-09-11 22:54 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-09-11 22:53 wufan [this message]
2025-09-12 13:14 ` [PATCH] KEYS: X.509: Fix Basic Constraints CA flag parsing Lukas Wunner
2025-09-12 21:14   ` Fan Wu
2025-09-13  4:38     ` Lukas Wunner
2025-09-13  5:37       ` Fan Wu
2025-09-15 21:15 ` [PATCH v2] " wufan
2025-09-16 14:52   ` Lukas Wunner
2025-09-28  3:56   ` Herbert Xu

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:2ffe4ae90be dfblob:4dfec6c4577 )
 OR (
bs:"[PATCH] KEYS: X.509: Fix Basic Constraints CA flag parsing" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250911225356.2678-1-wufan@kernel.org \
    --to=wufan@kernel.org \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=eric.snowberg@oracle.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=ignat@cloudflare.com \
    --cc=jarkko@kernel.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lukas@wunner.de \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).