{"id":2234737,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2234737/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-pci/patch/20260508031710.514574-3-alistair.francis@wdc.com/","project":{"id":28,"url":"http://patchwork.ozlabs.org/api/1.2/projects/28/?format=json","name":"Linux PCI development","link_name":"linux-pci","list_id":"linux-pci.vger.kernel.org","list_email":"linux-pci@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260508031710.514574-3-alistair.francis@wdc.com>","list_archive_url":null,"date":"2026-05-08T03:16:54","name":"[02/18] X.509: Make certificate parser public","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"dbe76bd20ce2fe530644bd9f821ef735c5084269","submitter":{"id":64571,"url":"http://patchwork.ozlabs.org/api/1.2/people/64571/?format=json","name":"Alistair Francis","email":"alistair23@gmail.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-pci/patch/20260508031710.514574-3-alistair.francis@wdc.com/mbox/","series":[{"id":503312,"url":"http://patchwork.ozlabs.org/api/1.2/series/503312/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-pci/list/?series=503312","date":"2026-05-08T03:16:52","name":"lib: Rust implementation of SPDM","version":1,"mbox":"http://patchwork.ozlabs.org/series/503312/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2234737/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2234737/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <linux-pci+bounces-54157-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-pci@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n 
header.s=20251104 header.b=Y3J9ZhQD;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.105.105.114; helo=tor.lore.kernel.org;\n envelope-from=linux-pci+bounces-54157-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"Y3J9ZhQD\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.214.170","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org [172.105.105.114])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4gBZ835Gk3z1yCg\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 08 May 2026 13:18:27 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 9694E305AF2B\n\tfor <incoming@patchwork.ozlabs.org>; Fri,  8 May 2026 03:17:43 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 5B4A62E8B64;\n\tFri,  8 May 2026 03:17:41 +0000 (UTC)","from mail-pl1-f170.google.com (mail-pl1-f170.google.com\n [209.85.214.170])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 0CF872EBB99\n\tfor <linux-pci@vger.kernel.org>; Fri,  8 May 2026 03:17:38 +0000 (UTC)","by mail-pl1-f170.google.com with SMTP id\n d9443c01a7336-2ba21d32776so11073725ad.2\n        for <linux-pci@vger.kernel.org>; Thu, 07 May 2026 20:17:38 -0700 (PDT)","from toolbx.alistair23.me ([2403:581e:fdf9:0:6209:4521:6813:45b7])\n        by smtp.gmail.com with 
ESMTPSA id\n d9443c01a7336-2baf1eafa62sm3220685ad.74.2026.05.07.20.17.30\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Thu, 07 May 2026 20:17:37 -0700 (PDT)"],"ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=Y3J9ZhQD; arc=none smtp.client-ip=209.85.214.170",
"X-Received":"by 2002:a17:903:124f:b0:2b4:5c0d:314b with SMTP id\n d9443c01a7336-2ba798a8fc5mr108654285ad.38.1778210258226;\n        Thu, 07 May 2026 20:17:38 -0700 
(PDT)","From":"alistair23@gmail.com","X-Google-Original-From":"alistair.francis@wdc.com","To":"alistair@alistair23.me,\n\tlinux-kernel@vger.kernel.org,\n\tlukas@wunner.de,\n\tJonathan.Cameron@huawei.com,\n\tbhelgaas@google.com,\n\trust-for-linux@vger.kernel.org,\n\takpm@linux-foundation.org,\n\tlinux-cxl@vger.kernel.org,\n\tdjbw@kernel.org,\n\tlinux-pci@vger.kernel.org","Cc":"alex.gaynor@gmail.com, wilfred.mallawa@wdc.com, gary@garyguo.net,\n bjorn3_gh@protonmail.com, benno.lossin@proton.me, aliceryhl@google.com,\n boqun.feng@gmail.com, a.hindborg@kernel.org, tmgross@umich.edu,\n ojeda@kernel.org, alistair23@gmail.com,\n Dan Williams <dan.j.williams@intel.com>,\n Alistair Francis <alistair.francis@wdc.com>,\n =?utf-8?q?Ilpo_J=C3=A4rvinen?= <ilpo.jarvinen@linux.intel.com>","Subject":"[PATCH 02/18] X.509: Make certificate parser public","Date":"Fri,  8 May 2026 13:16:54 +1000","Message-ID":"<20260508031710.514574-3-alistair.francis@wdc.com>","X-Mailer":"git-send-email 2.52.0","In-Reply-To":"<20260508031710.514574-1-alistair.francis@wdc.com>","References":"<20260508031710.514574-1-alistair.francis@wdc.com>","Precedence":"bulk","X-Mailing-List":"linux-pci@vger.kernel.org","List-Id":"<linux-pci.vger.kernel.org>","List-Subscribe":"<mailto:linux-pci+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-pci+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=UTF-8","Content-Transfer-Encoding":"8bit"},"content":"From: Lukas Wunner <lukas@wunner.de>\n\nThe upcoming support for PCI device authentication with CMA-SPDM\n(PCIe r6.1 sec 6.31) requires validating the Subject Alternative Name\nin X.509 certificates.\n\nHigh-level functions for X.509 parsing such as key_create_or_update()\nthrow away the internal, low-level struct x509_certificate after\nextracting the struct public_key and public_key_signature from it.\nThe Subject Alternative Name is thus inaccessible when using those\nfunctions.\n\nAfford CMA-SPDM access to the Subject 
Alternative Name by making struct\nx509_certificate public, together with the functions for parsing an\nX.509 certificate into such a struct and freeing such a struct.\n\nThe private header file x509_parser.h previously included <linux/time.h>\nfor the definition of time64_t.  That definition was since moved to\n<linux/time64.h> by commit 361a3bf00582 (\"time64: Add time64.h header\nand define struct timespec64\"), so adjust the #include directive as part\nof the move to the new public header file <keys/x509-parser.h>.\n\nNo functional change intended.\n\nSigned-off-by: Lukas Wunner <lukas@wunner.de>\nReviewed-by: Dan Williams <dan.j.williams@intel.com>\nReviewed-by: Alistair Francis <alistair.francis@wdc.com>\nReviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>\nReviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>\n---\n crypto/asymmetric_keys/x509_parser.h | 42 +--------------------\n include/keys/x509-parser.h           | 55 ++++++++++++++++++++++++++++\n 2 files changed, 56 insertions(+), 41 deletions(-)\n create mode 100644 include/keys/x509-parser.h","diff":"diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h\nindex b7aeebdddb36..39f1521b773d 100644\n--- a/crypto/asymmetric_keys/x509_parser.h\n+++ b/crypto/asymmetric_keys/x509_parser.h\n@@ -5,51 +5,11 @@\n  * Written by David Howells (dhowells@redhat.com)\n  */\n \n-#include <linux/cleanup.h>\n-#include <linux/time.h>\n-#include <crypto/public_key.h>\n-#include <keys/asymmetric-type.h>\n-#include <crypto/sha2.h>\n-\n-struct x509_certificate {\n-\tstruct x509_certificate *next;\n-\tstruct x509_certificate *signer;\t/* Certificate that signed this one */\n-\tstruct public_key *pub;\t\t\t/* Public key details */\n-\tstruct public_key_signature *sig;\t/* Signature parameters */\n-\tu8\t\tsha256[SHA256_DIGEST_SIZE]; /* Hash for blacklist purposes */\n-\tchar\t\t*issuer;\t\t/* Name of certificate issuer */\n-\tchar\t\t*subject;\t\t/* Name of certificate subject 
*/\n-\tstruct asymmetric_key_id *id;\t\t/* Issuer + Serial number */\n-\tstruct asymmetric_key_id *skid;\t\t/* Subject + subjectKeyId (optional) */\n-\ttime64_t\tvalid_from;\n-\ttime64_t\tvalid_to;\n-\tconst void\t*tbs;\t\t\t/* Signed data */\n-\tunsigned\ttbs_size;\t\t/* Size of signed data */\n-\tunsigned\traw_sig_size;\t\t/* Size of signature */\n-\tconst void\t*raw_sig;\t\t/* Signature data */\n-\tconst void\t*raw_serial;\t\t/* Raw serial number in ASN.1 */\n-\tunsigned\traw_serial_size;\n-\tunsigned\traw_issuer_size;\n-\tconst void\t*raw_issuer;\t\t/* Raw issuer name in ASN.1 */\n-\tconst void\t*raw_subject;\t\t/* Raw subject name in ASN.1 */\n-\tunsigned\traw_subject_size;\n-\tunsigned\traw_skid_size;\n-\tconst void\t*raw_skid;\t\t/* Raw subjectKeyId in ASN.1 */\n-\tunsigned\tindex;\n-\tbool\t\tseen;\t\t\t/* Infinite recursion prevention */\n-\tbool\t\tverified;\n-\tbool\t\tself_signed;\t\t/* T if self-signed (check unsupported_sig too) */\n-\tbool\t\tunsupported_sig;\t/* T if signature uses unsupported crypto */\n-\tbool\t\tblacklisted;\n-};\n+#include <keys/x509-parser.h>\n \n /*\n  * x509_cert_parser.c\n  */\n-extern void x509_free_certificate(struct x509_certificate *cert);\n-DEFINE_FREE(x509_free_certificate, struct x509_certificate *,\n-\t    if (!IS_ERR(_T)) x509_free_certificate(_T))\n-extern struct x509_certificate *x509_cert_parse(const void *data, size_t datalen);\n extern int x509_decode_time(time64_t *_t,  size_t hdrlen,\n \t\t\t    unsigned char tag,\n \t\t\t    const unsigned char *value, size_t vlen);\ndiff --git a/include/keys/x509-parser.h b/include/keys/x509-parser.h\nnew file mode 100644\nindex 000000000000..8b68e720693a\n--- /dev/null\n+++ b/include/keys/x509-parser.h\n@@ -0,0 +1,55 @@\n+/* SPDX-License-Identifier: GPL-2.0-or-later */\n+/* X.509 certificate parser\n+ *\n+ * Copyright (C) 2012 Red Hat, Inc. 
All Rights Reserved.\n+ * Written by David Howells (dhowells@redhat.com)\n+ */\n+\n+#ifndef _KEYS_X509_PARSER_H\n+#define _KEYS_X509_PARSER_H\n+\n+#include <linux/cleanup.h>\n+#include <linux/time.h>\n+#include <crypto/public_key.h>\n+#include <keys/asymmetric-type.h>\n+#include <crypto/sha2.h>\n+\n+struct x509_certificate {\n+\tstruct x509_certificate *next;\n+\tstruct x509_certificate *signer;\t/* Certificate that signed this one */\n+\tstruct public_key *pub;\t\t\t/* Public key details */\n+\tstruct public_key_signature *sig;\t/* Signature parameters */\n+\tu8\t\tsha256[SHA256_DIGEST_SIZE]; /* Hash for blacklist purposes */\n+\tchar\t\t*issuer;\t\t/* Name of certificate issuer */\n+\tchar\t\t*subject;\t\t/* Name of certificate subject */\n+\tstruct asymmetric_key_id *id;\t\t/* Issuer + Serial number */\n+\tstruct asymmetric_key_id *skid;\t\t/* Subject + subjectKeyId (optional) */\n+\ttime64_t\tvalid_from;\n+\ttime64_t\tvalid_to;\n+\tconst void\t*tbs;\t\t\t/* Signed data */\n+\tunsigned\ttbs_size;\t\t/* Size of signed data */\n+\tunsigned\traw_sig_size;\t\t/* Size of signature */\n+\tconst void\t*raw_sig;\t\t/* Signature data */\n+\tconst void\t*raw_serial;\t\t/* Raw serial number in ASN.1 */\n+\tunsigned\traw_serial_size;\n+\tunsigned\traw_issuer_size;\n+\tconst void\t*raw_issuer;\t\t/* Raw issuer name in ASN.1 */\n+\tconst void\t*raw_subject;\t\t/* Raw subject name in ASN.1 */\n+\tunsigned\traw_subject_size;\n+\tunsigned\traw_skid_size;\n+\tconst void\t*raw_skid;\t\t/* Raw subjectKeyId in ASN.1 */\n+\tunsigned\tindex;\n+\tbool\t\tseen;\t\t\t/* Infinite recursion prevention */\n+\tbool\t\tverified;\n+\tbool\t\tself_signed;\t\t/* T if self-signed (check unsupported_sig too) */\n+\tbool\t\tunsupported_sig;\t/* T if signature uses unsupported crypto */\n+\tbool\t\tblacklisted;\n+};\n+\n+struct x509_certificate *x509_cert_parse(const void *data, size_t datalen);\n+void x509_free_certificate(struct x509_certificate *cert);\n+\n+DEFINE_FREE(x509_free_certificate, 
struct x509_certificate *,\n+\t    if (!IS_ERR(_T)) x509_free_certificate(_T))\n+\n+#endif /* _KEYS_X509_PARSER_H */\n","prefixes":["02/18"]}
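Review bot: In the include list of the new include/keys/x509-parser.h, the header still carries "#include <linux/time.h>", while the commit message says the #include directive is adjusted to <linux/time64.h> as part of the move. Either switch the include to <linux/time64.h>, which is all the header needs for the time64_t members valid_from and valid_to, or drop that paragraph from the changelog so that message and diff agree. In the same file, the DEFINE_FREE() body calls IS_ERR(_T), but none of the five includes listed is <linux/err.h>; since this is now a public header that other subsystems may include first, it should include <linux/err.h> directly rather than rely on an indirect include.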