Snapshot at kernel version 4.19-rc2 (linux-security next-testing branch)
KEYS: Handle missing Authority Key Identifier x509 extension

If the certificate is self-signed and the Key Identifier is not present
in the Authority Key Identifier extension (RFC5280), fill in the
sig->auth_ids values with the certificate's own key IDs since they need
to be the same anyway.  This is noted in as an exception for
self-signed certificates where the keyIdentifier field may be empty.

There are root certificates in use where this is the case.  This affects
the checks in the restrict functions in
crypto/asymmetric_keys/restrict.c but at the point the restrict functions
run we have no access to the certificate struct to be able to do this
substitution there.  A self-signed certificate with the auth_ids NULL
will fail the restrict checks while other self-signed certificates will
be verified against themselves and pass.

Signed-off-by: Andrew Zaborowski <>
1 file changed
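The following is an added illustration of the substitution the commit message describes; it is not the kernel's code. It models the relevant state with simplified structs (`key_id`, `signature`, `certificate` and the `restrict_check` function are assumptions standing in for the kernel's `asymmetric_key_id`, `public_key_signature::auth_ids` and the checks in crypto/asymmetric_keys/restrict.c), and builds a constructed self-signed root whose Authority Key Identifier carries no keyIdentifier, so both `auth_ids` start out NULL. Without the substitution the root fails the check against itself; with it, the root verifies against its own key IDs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in (assumption, not the kernel's struct) for an
 * asymmetric key identifier: a short byte string. */
typedef struct key_id {
    unsigned char data[8];
    size_t len;
} key_id;

/* Stand-in for the signature's auth_ids:
 * [0] is derived from issuer name + serial number,
 * [1] is the Authority Key Identifier's keyIdentifier. */
typedef struct signature {
    const key_id *auth_ids[2];
} signature;

/* Stand-in for the parsed certificate. */
typedef struct certificate {
    key_id id;          /* issuer + serial of this certificate */
    key_id skid;        /* Subject Key Identifier of this certificate */
    bool self_signed;   /* issuer == subject and the signature checks with its own key */
    signature sig;
} certificate;

static bool key_id_eq(const key_id *a, const key_id *b)
{
    return a && b && a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
}

/* Restrict-style check: the certificate may only be linked to a signer
 * whose identifiers match what the signature names in auth_ids. A NULL
 * auth_id never matches, which is exactly the failure the commit
 * message describes. */
bool restrict_check(const certificate *cert,
                    const key_id *signer_id, const key_id *signer_skid)
{
    return key_id_eq(cert->sig.auth_ids[0], signer_id) ||
           key_id_eq(cert->sig.auth_ids[1], signer_skid);
}

/* The substitution: for a self-signed certificate whose AKID lacks a
 * keyIdentifier, the authority ids must equal the certificate's own ids,
 * so fill in whatever is missing from the certificate itself. */
void fill_missing_auth_ids(certificate *cert)
{
    if (!cert->self_signed)
        return;
    if (!cert->sig.auth_ids[0])
        cert->sig.auth_ids[0] = &cert->id;
    if (!cert->sig.auth_ids[1])
        cert->sig.auth_ids[1] = &cert->skid;
}

/* Constructed sample: a self-signed root whose Authority Key Identifier
 * extension carries no keyIdentifier, so the parser left both auth_ids NULL. */
static certificate make_root_without_akid(void)
{
    certificate c;
    memset(&c, 0, sizeof(c));
    memcpy(c.id.data, "ISSR0001", 8);   /* constructed issuer+serial id */
    c.id.len = 8;
    memcpy(c.skid.data, "SKID0001", 8); /* constructed subject key id */
    c.skid.len = 8;
    c.self_signed = true;
    c.sig.auth_ids[0] = NULL;
    c.sig.auth_ids[1] = NULL;
    return c;
}

/* Returns 1 if the constructed root passes the restrict check against
 * itself, 0 otherwise; apply_fix selects whether the substitution runs. */
int self_signed_root_passes(bool apply_fix)
{
    certificate c = make_root_without_akid();
    if (apply_fix)
        fill_missing_auth_ids(&c);
    return restrict_check(&c, &c.id, &c.skid) ? 1 : 0;
}

int main(void)
{
    printf("without substitution: %s\n", self_signed_root_passes(false) ? "pass" : "fail");
    printf("with substitution:    %s\n", self_signed_root_passes(true) ? "pass" : "fail");
    return 0;
}
```

The point of the model is the ordering constraint the message calls out: the check runs where only `sig->auth_ids` is visible, so the substitution has to happen while the certificate struct is still at hand, i.e. at parse time rather than inside the restrict function.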