From: alistair23@gmail.com
To: bhelgaas@google.com, lukas@wunner.de, rust-for-linux@vger.kernel.org, akpm@linux-foundation.org, linux-pci@vger.kernel.org, Jonathan.Cameron@huawei.com, linux-cxl@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: alex.gaynor@gmail.com, benno.lossin@proton.me, boqun.feng@gmail.com, a.hindborg@kernel.org, gary@garyguo.net, bjorn3_gh@protonmail.com, tmgross@umich.edu, alistair23@gmail.com, ojeda@kernel.org, wilfred.mallawa@wdc.com, aliceryhl@google.com, Alistair Francis, Ilpo Järvinen, Dan Williams
Subject: [RFC v3 03/27] X.509: Parse Subject Alternative Name in certificates
Date: Wed, 11 Feb 2026 13:29:10 +1000
Message-ID: <20260211032935.2705841-4-alistair.francis@wdc.com>
In-Reply-To: <20260211032935.2705841-1-alistair.francis@wdc.com>
References: <20260211032935.2705841-1-alistair.francis@wdc.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Lukas Wunner

The upcoming support for PCI device authentication with CMA-SPDM (PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name in X.509 certificates.

Store a pointer to the Subject Alternative Name upon parsing for consumption by CMA-SPDM.

Signed-off-by: Lukas Wunner Reviewed-by: Wilfred Mallawa Reviewed-by: Alistair Francis Reviewed-by: Ilpo J=C3=A4rvinen Reviewed-by: Jonathan Cameron Acked-by: Dan Williams --- crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++ include/keys/x509-parser.h | 2 ++ 2 files changed, 11 insertions(+) diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_= keys/x509_cert_parser.c index 2fe094f5caf3..363acd87dba1 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -596,6 +596,15 @@ int x509_process_extension(void *context, size_t hdrle= n, return 0; } =20 + if (ctx->last_oid =3D=3D OID_subjectAltName) { + if (ctx->cert->raw_san) + return -EBADMSG; + + ctx->cert->raw_san =3D v; + ctx->cert->raw_san_size =3D vlen; + return 0; + } + if (ctx->last_oid =3D=3D OID_keyUsage) { /* * Get hold of the keyUsage bit string diff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h index 8b68e720693a..4e6a05a8c7a6 100644 --- a/include/keys/x509-parser.h +++ b/include/keys/x509-parser.h @@ -38,6 +38,8 @@ struct x509_certificate { unsigned raw_subject_size; unsigned raw_skid_size; const void *raw_skid; /* Raw subjectKeyId in ASN.1 */ + const void *raw_san; /* Raw subjectAltName in ASN.1 */ + unsigned raw_san_size; unsigned index; bool seen; /* Infinite recursion prevention */ bool verified; --=20 2.52.0
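
Review bot: In the x509_process_extension() hunk, the new OID_subjectAltName branch stores v and vlen with no comment and no check on the contents, so an empty or malformed extension value is accepted here and left entirely to the CMA-SPDM consumer to reject. Please add a short comment, as the keyUsage branch right below has, saying that raw_san is the unvalidated raw extension value and that a repeated subjectAltName fails with -EBADMSG. The test "if (ctx->cert->raw_san)" also doubles as the "already seen" flag, which only holds while v is never NULL for a present extension; a sentence stating that assumption would help the next reader.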
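
Review bot: In the struct x509_certificate hunk, the comment on raw_san does not say that the pointer is borrowed: the parser hunk assigns it straight from the callback's value pointer, so it is only valid for as long as the buffer being parsed, and it stays NULL when the certificate has no subjectAltName. Stating both in the field comment would tell the CMA-SPDM caller what it has to check before dereferencing. As a style point, raw_san_size is declared after its pointer, while the neighbouring raw_subject_size and raw_skid_size are grouped ahead of raw_skid; following the existing grouping keeps the struct consistent.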