forked from luck/tmp_suning_uos_patched
PKCS#7: Find intersection between PKCS#7 message and known, trusted keys
Find the intersection between the X.509 certificate chain contained in a PKCS#7 message and a set of keys that we already know and trust. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Vivek Goyal <vgoyal@redhat.com> Reviewed-by: Kees Cook <keescook@chromium.org>
This commit is contained in:
parent
8c76d79393
commit
08815b62d7
|
@ -33,6 +33,7 @@ obj-$(CONFIG_PKCS7_MESSAGE_PARSER) += pkcs7_message.o
|
|||
pkcs7_message-y := \
|
||||
pkcs7-asn1.o \
|
||||
pkcs7_parser.o \
|
||||
pkcs7_trust.o \
|
||||
pkcs7_verify.o
|
||||
|
||||
$(obj)/pkcs7_parser.o: $(obj)/pkcs7-asn1.h
|
||||
|
|
219
crypto/asymmetric_keys/pkcs7_trust.c
Normal file
219
crypto/asymmetric_keys/pkcs7_trust.c
Normal file
|
@ -0,0 +1,219 @@
|
|||
/* Validate the trust chain of a PKCS#7 message.
|
||||
*
|
||||
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
|
||||
* Written by David Howells (dhowells@redhat.com)
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public Licence
|
||||
* as published by the Free Software Foundation; either version
|
||||
* 2 of the Licence, or (at your option) any later version.
|
||||
*/
|
||||
|
||||
#define pr_fmt(fmt) "PKCS7: "fmt
|
||||
#include <linux/kernel.h>
|
||||
#include <linux/export.h>
|
||||
#include <linux/slab.h>
|
||||
#include <linux/err.h>
|
||||
#include <linux/asn1.h>
|
||||
#include <linux/key.h>
|
||||
#include <keys/asymmetric-type.h>
|
||||
#include "public_key.h"
|
||||
#include "pkcs7_parser.h"
|
||||
|
||||
/*
|
||||
* Request an asymmetric key.
|
||||
*/
|
||||
static struct key *pkcs7_request_asymmetric_key(
|
||||
struct key *keyring,
|
||||
const char *signer, size_t signer_len,
|
||||
const char *authority, size_t auth_len)
|
||||
{
|
||||
key_ref_t key;
|
||||
char *id;
|
||||
|
||||
kenter(",%zu,,%zu", signer_len, auth_len);
|
||||
|
||||
/* Construct an identifier. */
|
||||
id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL);
|
||||
if (!id)
|
||||
return ERR_PTR(-ENOMEM);
|
||||
|
||||
memcpy(id, signer, signer_len);
|
||||
id[signer_len + 0] = ':';
|
||||
id[signer_len + 1] = ' ';
|
||||
memcpy(id + signer_len + 2, authority, auth_len);
|
||||
id[signer_len + 2 + auth_len] = 0;
|
||||
|
||||
pr_debug("Look up: \"%s\"\n", id);
|
||||
|
||||
key = keyring_search(make_key_ref(keyring, 1),
|
||||
&key_type_asymmetric, id);
|
||||
if (IS_ERR(key))
|
||||
pr_debug("Request for module key '%s' err %ld\n",
|
||||
id, PTR_ERR(key));
|
||||
kfree(id);
|
||||
|
||||
if (IS_ERR(key)) {
|
||||
switch (PTR_ERR(key)) {
|
||||
/* Hide some search errors */
|
||||
case -EACCES:
|
||||
case -ENOTDIR:
|
||||
case -EAGAIN:
|
||||
return ERR_PTR(-ENOKEY);
|
||||
default:
|
||||
return ERR_CAST(key);
|
||||
}
|
||||
}
|
||||
|
||||
pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key_ref_to_ptr(key)));
|
||||
return key_ref_to_ptr(key);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check the trust on one PKCS#7 SignedInfo block.
|
||||
*/
|
||||
int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
|
||||
struct pkcs7_signed_info *sinfo,
|
||||
struct key *trust_keyring)
|
||||
{
|
||||
struct public_key_signature *sig = &sinfo->sig;
|
||||
struct x509_certificate *x509, *last = NULL, *p;
|
||||
struct key *key;
|
||||
bool trusted;
|
||||
int ret;
|
||||
|
||||
kenter(",%u,", sinfo->index);
|
||||
|
||||
for (x509 = sinfo->signer; x509; x509 = x509->signer) {
|
||||
if (x509->seen) {
|
||||
if (x509->verified) {
|
||||
trusted = x509->trusted;
|
||||
goto verified;
|
||||
}
|
||||
kleave(" = -ENOKEY [cached]");
|
||||
return -ENOKEY;
|
||||
}
|
||||
x509->seen = true;
|
||||
|
||||
/* Look to see if this certificate is present in the trusted
|
||||
* keys.
|
||||
*/
|
||||
key = pkcs7_request_asymmetric_key(
|
||||
trust_keyring,
|
||||
x509->subject, strlen(x509->subject),
|
||||
x509->fingerprint, strlen(x509->fingerprint));
|
||||
if (!IS_ERR(key))
|
||||
/* One of the X.509 certificates in the PKCS#7 message
|
||||
* is apparently the same as one we already trust.
|
||||
* Verify that the trusted variant can also validate
|
||||
* the signature on the descendant.
|
||||
*/
|
||||
goto matched;
|
||||
if (key == ERR_PTR(-ENOMEM))
|
||||
return -ENOMEM;
|
||||
|
||||
/* Self-signed certificates form roots of their own, and if we
|
||||
* don't know them, then we can't accept them.
|
||||
*/
|
||||
if (x509->next == x509) {
|
||||
kleave(" = -ENOKEY [unknown self-signed]");
|
||||
return -ENOKEY;
|
||||
}
|
||||
|
||||
might_sleep();
|
||||
last = x509;
|
||||
sig = &last->sig;
|
||||
}
|
||||
|
||||
/* No match - see if the root certificate has a signer amongst the
|
||||
* trusted keys.
|
||||
*/
|
||||
if (!last || !last->issuer || !last->authority) {
|
||||
kleave(" = -ENOKEY [no backref]");
|
||||
return -ENOKEY;
|
||||
}
|
||||
|
||||
key = pkcs7_request_asymmetric_key(
|
||||
trust_keyring,
|
||||
last->issuer, strlen(last->issuer),
|
||||
last->authority, strlen(last->authority));
|
||||
if (IS_ERR(key))
|
||||
return PTR_ERR(key) == -ENOMEM ? -ENOMEM : -ENOKEY;
|
||||
x509 = last;
|
||||
|
||||
matched:
|
||||
ret = verify_signature(key, sig);
|
||||
trusted = test_bit(KEY_FLAG_TRUSTED, &key->flags);
|
||||
key_put(key);
|
||||
if (ret < 0) {
|
||||
if (ret == -ENOMEM)
|
||||
return ret;
|
||||
kleave(" = -EKEYREJECTED [verify %d]", ret);
|
||||
return -EKEYREJECTED;
|
||||
}
|
||||
|
||||
verified:
|
||||
x509->verified = true;
|
||||
for (p = sinfo->signer; p != x509; p = p->signer) {
|
||||
p->verified = true;
|
||||
p->trusted = trusted;
|
||||
}
|
||||
sinfo->trusted = trusted;
|
||||
kleave(" = 0");
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* pkcs7_validate_trust - Validate PKCS#7 trust chain
|
||||
* @pkcs7: The PKCS#7 certificate to validate
|
||||
* @trust_keyring: Signing certificates to use as starting points
|
||||
* @_trusted: Set to true if trustworth, false otherwise
|
||||
*
|
||||
* Validate that the certificate chain inside the PKCS#7 message intersects
|
||||
* keys we already know and trust.
|
||||
*
|
||||
* Returns, in order of descending priority:
|
||||
*
|
||||
* (*) -EKEYREJECTED if a signature failed to match for which we have a valid
|
||||
* key, or:
|
||||
*
|
||||
* (*) 0 if at least one signature chain intersects with the keys in the trust
|
||||
* keyring, or:
|
||||
*
|
||||
* (*) -ENOPKG if a suitable crypto module couldn't be found for a check on a
|
||||
* chain.
|
||||
*
|
||||
* (*) -ENOKEY if we couldn't find a match for any of the signature chains in
|
||||
* the message.
|
||||
*
|
||||
* May also return -ENOMEM.
|
||||
*/
|
||||
int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
|
||||
struct key *trust_keyring,
|
||||
bool *_trusted)
|
||||
{
|
||||
struct pkcs7_signed_info *sinfo;
|
||||
struct x509_certificate *p;
|
||||
int cached_ret = 0, ret;
|
||||
|
||||
for (p = pkcs7->certs; p; p = p->next)
|
||||
p->seen = false;
|
||||
|
||||
for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
|
||||
ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring);
|
||||
if (ret < 0) {
|
||||
if (ret == -ENOPKG) {
|
||||
cached_ret = -ENOPKG;
|
||||
} else if (ret == -ENOKEY) {
|
||||
if (cached_ret == 0)
|
||||
cached_ret = -ENOKEY;
|
||||
} else {
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
*_trusted |= sinfo->trusted;
|
||||
}
|
||||
|
||||
return cached_ret;
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(pkcs7_validate_trust);
|
|
@ -9,6 +9,7 @@
|
|||
* 2 of the Licence, or (at your option) any later version.
|
||||
*/
|
||||
|
||||
struct key;
|
||||
struct pkcs7_message;
|
||||
|
||||
/*
|
||||
|
@ -22,6 +23,13 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
|
|||
const void **_data, size_t *_datalen,
|
||||
bool want_wrapper);
|
||||
|
||||
/*
|
||||
* pkcs7_trust.c
|
||||
*/
|
||||
extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
|
||||
struct key *trust_keyring,
|
||||
bool *_trusted);
|
||||
|
||||
/*
|
||||
* pkcs7_verify.c
|
||||
*/
|
||||
|
|
Loading…
Reference in New Issue
Block a user