From: alistair23@gmail.com
X-Google-Original-From: alistair.francis@wdc.com
To: bhelgaas@google.com, lukas@wunner.de, rust-for-linux@vger.kernel.org, akpm@linux-foundation.org, linux-pci@vger.kernel.org, Jonathan.Cameron@huawei.com, linux-cxl@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: alex.gaynor@gmail.com, benno.lossin@proton.me, boqun.feng@gmail.com, a.hindborg@kernel.org, gary@garyguo.net, bjorn3_gh@protonmail.com, tmgross@umich.edu, alistair23@gmail.com, ojeda@kernel.org, wilfred.mallawa@wdc.com, aliceryhl@google.com, Dan Williams, Alistair Francis, Ilpo Järvinen
Subject: [RFC v3 02/27] X.509: Make certificate parser public
Date: Wed, 11 Feb 2026 13:29:09 +1000
Message-ID: <20260211032935.2705841-3-alistair.francis@wdc.com>
In-Reply-To: <20260211032935.2705841-1-alistair.francis@wdc.com>
References: <20260211032935.2705841-1-alistair.francis@wdc.com>
From: Lukas Wunner

The upcoming support for PCI device authentication with CMA-SPDM (PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name in X.509 certificates.

High-level functions for X.509 parsing such as key_create_or_update() throw away the internal, low-level struct x509_certificate after extracting the struct public_key and public_key_signature from it. The Subject Alternative Name is thus inaccessible when using those functions.

Afford CMA-SPDM access to the Subject Alternative Name by making struct x509_certificate public, together with the functions for parsing an X.509 certificate into such a struct and freeing such a struct.

The private header file x509_parser.h previously included for the definition of time64_t. That definition was since moved to by commit 361a3bf00582 ("time64: Add time64.h header and define struct timespec64"), so adjust the #include directive as part of the move to the new public header file .

No functional change intended.

Signed-off-by: Lukas Wunner
Reviewed-by: Dan Williams
Reviewed-by: Alistair Francis
Reviewed-by: Ilpo Järvinen
Reviewed-by: Jonathan Cameron
---
 crypto/asymmetric_keys/x509_parser.h | 42 +--------------------
 include/keys/x509-parser.h           | 55 ++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 41 deletions(-)
 create mode 100644 include/keys/x509-parser.h

diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index b7aeebdddb36..39f1521b773d 100644
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -5,51 +5,11 @@ * Written by David Howells (dhowells@redhat.com) */ =20 -#include -#include -#include -#include -#include - -struct x509_certificate { - struct x509_certificate *next; - struct x509_certificate *signer; /* Certificate that signed this one */ - struct public_key *pub; /* Public key details */ - struct public_key_signature *sig; /* Signature parameters */ - u8 sha256[SHA256_DIGEST_SIZE]; /* Hash for blacklist purposes */ - char *issuer; /* Name of certificate issuer */ - char *subject; /* Name of certificate subject */ - struct asymmetric_key_id *id; /* Issuer + Serial number */ - struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */ - time64_t valid_from; - time64_t valid_to; - const void *tbs; /* Signed data */ - unsigned tbs_size; /* Size of signed data */ - unsigned raw_sig_size; /* Size of signature */ - const void *raw_sig; /* Signature data */ - const void *raw_serial; /* Raw serial number in ASN.1 */ - unsigned raw_serial_size; - unsigned raw_issuer_size; - const void *raw_issuer; /* Raw issuer name in ASN.1 */ - const void *raw_subject; /* Raw subject name in ASN.1 */ - unsigned raw_subject_size; - unsigned raw_skid_size; - const void *raw_skid; /* Raw subjectKeyId in ASN.1 */ - unsigned index; - bool seen; /* Infinite recursion prevention */ - bool verified; - bool self_signed; /* T if self-signed (check unsupported_sig too) */ - bool unsupported_sig; /* T if signature uses unsupported crypto */ - bool blacklisted; -}; +#include =20 /* * x509_cert_parser.c */ -extern void x509_free_certificate(struct x509_certificate *cert); -DEFINE_FREE(x509_free_certificate, struct x509_certificate *, - if (!IS_ERR(_T)) x509_free_certificate(_T)) -extern struct x509_certificate *x509_cert_parse(const void *data, size_t d= atalen); extern int x509_decode_time(time64_t *_t, size_t hdrlen, unsigned char tag, const unsigned char *value, size_t vlen); 
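Review bot: after this hunk the private header keeps only the `x509_decode_time()` prototype, which still needs `time64_t`, and a single `#include` to supply it; the commit message says that directive was adjusted to the header that now defines `time64_t`, so the declaration should resolve, but a one-line comment beside the surviving include (e.g. `/* struct x509_certificate and its parse/free helpers now live in the public header */`) would explain why the struct and the `DEFINE_FREE()` disappeared from this file and keep a later contributor from re-adding them here. It is also worth confirming that every file under crypto/asymmetric_keys/ that relies on `__free(x509_free_certificate)` still picks up the `DEFINE_FREE()` through this include, since it no longer lives in the file they have been including.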
diff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h
new file mode 100644
index 000000000000..8b68e720693a
--- /dev/null
+++ b/include/keys/x509-parser.h
@@ -0,0 +1,55 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* X.509 certificate parser + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#ifndef _KEYS_X509_PARSER_H +#define _KEYS_X509_PARSER_H + +#include +#include +#include +#include +#include + +struct x509_certificate { + struct x509_certificate *next; + struct x509_certificate *signer; /* Certificate that signed this one */ + struct public_key *pub; /* Public key details */ + struct public_key_signature *sig; /* Signature parameters */ + u8 sha256[SHA256_DIGEST_SIZE]; /* Hash for blacklist purposes */ + char *issuer; /* Name of certificate issuer */ + char *subject; /* Name of certificate subject */ + struct asymmetric_key_id *id; /* Issuer + Serial number */ + struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */ + time64_t valid_from; + time64_t valid_to; + const void *tbs; /* Signed data */ + unsigned tbs_size; /* Size of signed data */ + unsigned raw_sig_size; /* Size of signature */ + const void *raw_sig; /* Signature data */ + const void *raw_serial; /* Raw serial number in ASN.1 */ + unsigned raw_serial_size; + unsigned raw_issuer_size; + const void *raw_issuer; /* Raw issuer name in ASN.1 */ + const void *raw_subject; /* Raw subject name in ASN.1 */ + unsigned raw_subject_size; + unsigned raw_skid_size; + const void *raw_skid; /* Raw subjectKeyId in ASN.1 */ + unsigned index; + bool seen; /* Infinite recursion prevention */ + bool verified; + bool self_signed; /* T if self-signed (check unsupported_sig too) */ + bool unsupported_sig; /* T if signature uses unsupported crypto */ + bool blacklisted; +}; + +struct x509_certificate *x509_cert_parse(const void *data, size_t datalen); +void x509_free_certificate(struct x509_certificate *cert); + +DEFINE_FREE(x509_free_certificate, struct x509_certificate *, + if (!IS_ERR(_T)) x509_free_certificate(_T)) + +#endif /* _KEYS_X509_PARSER_H */ --=20 2.52.0
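Review bot: `struct x509_certificate` is exported wholesale, including the chain-walking state (`next`, `signer`, `index`, `seen`, `verified`) and the `blacklisted` flag, which are verifier bookkeeping rather than parser output; now that CMA-SPDM and any other in-kernel user can include this header, a comment above the struct saying those fields are owned by the asymmetric-keys code and must not be written by other consumers would make the contract explicit. A comment on `x509_cert_parse()` stating that it returns an `ERR_PTR()` rather than NULL on failure would also help, since that is exactly why the `DEFINE_FREE()` guard reads `if (!IS_ERR(_T))` and external callers are the ones most likely to test for NULL instead. Finally, as moved the struct carries no Subject Alternative Name field, so the access the commit message motivates must come from a later patch in the series; that is consistent with "No functional change intended" but deserves a sentence in the commit message.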