diff options
| author | David Howells <dhowells@redhat.com> | 2016-04-06 11:13:33 -0400 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2016-04-06 11:13:33 -0400 |
| commit | 77d0910d153a7946df17cc15d3f423e534345f65 (patch) | |
| tree | 2b32d94de42a5a2003b5bd5966e3e73f78d04934 /crypto/asymmetric_keys | |
| parent | a022ec02691cf68e1fe237d5f79d54aa95446cc6 (diff) | |
X.509: Retain the key verification data
Retain the key verification data (ie. the struct public_key_signature)
including the digest and the key identifiers.
Note that this means that we need to take a separate copy of the digest in
x509_get_sig_params() rather than lumping it in with the crypto layer data.
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'crypto/asymmetric_keys')
| -rw-r--r-- | crypto/asymmetric_keys/pkcs7_trust.c | 8 | ||||
| -rw-r--r-- | crypto/asymmetric_keys/pkcs7_verify.c | 20 | ||||
| -rw-r--r-- | crypto/asymmetric_keys/x509_cert_parser.c | 40 | ||||
| -rw-r--r-- | crypto/asymmetric_keys/x509_parser.h | 4 | ||||
| -rw-r--r-- | crypto/asymmetric_keys/x509_public_key.c | 61 |
5 files changed, 67 insertions, 66 deletions
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c index 7d7a39b47c62..ed8128230dce 100644 --- a/crypto/asymmetric_keys/pkcs7_trust.c +++ b/crypto/asymmetric_keys/pkcs7_trust.c | |||
| @@ -80,16 +80,16 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, | |||
| 80 | 80 | ||
| 81 | might_sleep(); | 81 | might_sleep(); |
| 82 | last = x509; | 82 | last = x509; |
| 83 | sig = &last->sig; | 83 | sig = last->sig; |
| 84 | } | 84 | } |
| 85 | 85 | ||
| 86 | /* No match - see if the root certificate has a signer amongst the | 86 | /* No match - see if the root certificate has a signer amongst the |
| 87 | * trusted keys. | 87 | * trusted keys. |
| 88 | */ | 88 | */ |
| 89 | if (last && (last->akid_id || last->akid_skid)) { | 89 | if (last && (last->sig->auth_ids[0] || last->sig->auth_ids[1])) { |
| 90 | key = x509_request_asymmetric_key(trust_keyring, | 90 | key = x509_request_asymmetric_key(trust_keyring, |
| 91 | last->akid_id, | 91 | last->sig->auth_ids[0], |
| 92 | last->akid_skid, | 92 | last->sig->auth_ids[1], |
| 93 | false); | 93 | false); |
| 94 | if (!IS_ERR(key)) { | 94 | if (!IS_ERR(key)) { |
| 95 | x509 = last; | 95 | x509 = last; |
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c index 50be2a15e531..d8d8d234874e 100644 --- a/crypto/asymmetric_keys/pkcs7_verify.c +++ b/crypto/asymmetric_keys/pkcs7_verify.c | |||
| @@ -174,6 +174,7 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7, | |||
| 174 | static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, | 174 | static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, |
| 175 | struct pkcs7_signed_info *sinfo) | 175 | struct pkcs7_signed_info *sinfo) |
| 176 | { | 176 | { |
| 177 | struct public_key_signature *sig; | ||
| 177 | struct x509_certificate *x509 = sinfo->signer, *p; | 178 | struct x509_certificate *x509 = sinfo->signer, *p; |
| 178 | struct asymmetric_key_id *auth; | 179 | struct asymmetric_key_id *auth; |
| 179 | int ret; | 180 | int ret; |
| @@ -193,14 +194,15 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, | |||
| 193 | goto maybe_missing_crypto_in_x509; | 194 | goto maybe_missing_crypto_in_x509; |
| 194 | 195 | ||
| 195 | pr_debug("- issuer %s\n", x509->issuer); | 196 | pr_debug("- issuer %s\n", x509->issuer); |
| 196 | if (x509->akid_id) | 197 | sig = x509->sig; |
| 198 | if (sig->auth_ids[0]) | ||
| 197 | pr_debug("- authkeyid.id %*phN\n", | 199 | pr_debug("- authkeyid.id %*phN\n", |
| 198 | x509->akid_id->len, x509->akid_id->data); | 200 | sig->auth_ids[0]->len, sig->auth_ids[0]->data); |
| 199 | if (x509->akid_skid) | 201 | if (sig->auth_ids[1]) |
| 200 | pr_debug("- authkeyid.skid %*phN\n", | 202 | pr_debug("- authkeyid.skid %*phN\n", |
| 201 | x509->akid_skid->len, x509->akid_skid->data); | 203 | sig->auth_ids[1]->len, sig->auth_ids[1]->data); |
| 202 | 204 | ||
| 203 | if ((!x509->akid_id && !x509->akid_skid) || | 205 | if ((!x509->sig->auth_ids[0] && !x509->sig->auth_ids[1]) || |
| 204 | strcmp(x509->subject, x509->issuer) == 0) { | 206 | strcmp(x509->subject, x509->issuer) == 0) { |
| 205 | /* If there's no authority certificate specified, then | 207 | /* If there's no authority certificate specified, then |
| 206 | * the certificate must be self-signed and is the root | 208 | * the certificate must be self-signed and is the root |
| @@ -224,7 +226,7 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, | |||
| 224 | /* Look through the X.509 certificates in the PKCS#7 message's | 226 | /* Look through the X.509 certificates in the PKCS#7 message's |
| 225 | * list to see if the next one is there. | 227 | * list to see if the next one is there. |
| 226 | */ | 228 | */ |
| 227 | auth = x509->akid_id; | 229 | auth = sig->auth_ids[0]; |
| 228 | if (auth) { | 230 | if (auth) { |
| 229 | pr_debug("- want %*phN\n", auth->len, auth->data); | 231 | pr_debug("- want %*phN\n", auth->len, auth->data); |
| 230 | for (p = pkcs7->certs; p; p = p->next) { | 232 | for (p = pkcs7->certs; p; p = p->next) { |
| @@ -234,7 +236,7 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, | |||
| 234 | goto found_issuer_check_skid; | 236 | goto found_issuer_check_skid; |
| 235 | } | 237 | } |
| 236 | } else { | 238 | } else { |
| 237 | auth = x509->akid_skid; | 239 | auth = sig->auth_ids[1]; |
| 238 | pr_debug("- want %*phN\n", auth->len, auth->data); | 240 | pr_debug("- want %*phN\n", auth->len, auth->data); |
| 239 | for (p = pkcs7->certs; p; p = p->next) { | 241 | for (p = pkcs7->certs; p; p = p->next) { |
| 240 | if (!p->skid) | 242 | if (!p->skid) |
| @@ -254,8 +256,8 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, | |||
| 254 | /* We matched issuer + serialNumber, but if there's an | 256 | /* We matched issuer + serialNumber, but if there's an |
| 255 | * authKeyId.keyId, that must match the CA subjKeyId also. | 257 | * authKeyId.keyId, that must match the CA subjKeyId also. |
| 256 | */ | 258 | */ |
| 257 | if (x509->akid_skid && | 259 | if (sig->auth_ids[1] && |
| 258 | !asymmetric_key_id_same(p->skid, x509->akid_skid)) { | 260 | !asymmetric_key_id_same(p->skid, sig->auth_ids[1])) { |
| 259 | pr_warn("Sig %u: X.509 chain contains auth-skid nonmatch (%u->%u)\n", | 261 | pr_warn("Sig %u: X.509 chain contains auth-skid nonmatch (%u->%u)\n", |
| 260 | sinfo->index, x509->index, p->index); | 262 | sinfo->index, x509->index, p->index); |
| 261 | return -EKEYREJECTED; | 263 | return -EKEYREJECTED; |
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c index 05251c7f9a03..a2fefa713614 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c | |||
| @@ -48,14 +48,11 @@ void x509_free_certificate(struct x509_certificate *cert) | |||
| 48 | { | 48 | { |
| 49 | if (cert) { | 49 | if (cert) { |
| 50 | public_key_free(cert->pub); | 50 | public_key_free(cert->pub); |
| 51 | public_key_signature_free(cert->sig); | ||
| 51 | kfree(cert->issuer); | 52 | kfree(cert->issuer); |
| 52 | kfree(cert->subject); | 53 | kfree(cert->subject); |
| 53 | kfree(cert->id); | 54 | kfree(cert->id); |
| 54 | kfree(cert->skid); | 55 | kfree(cert->skid); |
| 55 | kfree(cert->akid_id); | ||
| 56 | kfree(cert->akid_skid); | ||
| 57 | kfree(cert->sig.digest); | ||
| 58 | kfree(cert->sig.s); | ||
| 59 | kfree(cert); | 56 | kfree(cert); |
| 60 | } | 57 | } |
| 61 | } | 58 | } |
| @@ -78,6 +75,9 @@ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen) | |||
| 78 | cert->pub = kzalloc(sizeof(struct public_key), GFP_KERNEL); | 75 | cert->pub = kzalloc(sizeof(struct public_key), GFP_KERNEL); |
| 79 | if (!cert->pub) | 76 | if (!cert->pub) |
| 80 | goto error_no_ctx; | 77 | goto error_no_ctx; |
| 78 | cert->sig = kzalloc(sizeof(struct public_key_signature), GFP_KERNEL); | ||
| 79 | if (!cert->sig) | ||
| 80 | goto error_no_ctx; | ||
| 81 | ctx = kzalloc(sizeof(struct x509_parse_context), GFP_KERNEL); | 81 | ctx = kzalloc(sizeof(struct x509_parse_context), GFP_KERNEL); |
| 82 | if (!ctx) | 82 | if (!ctx) |
| 83 | goto error_no_ctx; | 83 | goto error_no_ctx; |
| @@ -188,33 +188,33 @@ int x509_note_pkey_algo(void *context, size_t hdrlen, | |||
| 188 | return -ENOPKG; /* Unsupported combination */ | 188 | return -ENOPKG; /* Unsupported combination */ |
| 189 | 189 | ||
| 190 | case OID_md4WithRSAEncryption: | 190 | case OID_md4WithRSAEncryption: |
| 191 | ctx->cert->sig.hash_algo = "md4"; | 191 | ctx->cert->sig->hash_algo = "md4"; |
| 192 | ctx->cert->sig.pkey_algo = "rsa"; | 192 | ctx->cert->sig->pkey_algo = "rsa"; |
| 193 | break; | 193 | break; |
| 194 | 194 | ||
| 195 | case OID_sha1WithRSAEncryption: | 195 | case OID_sha1WithRSAEncryption: |
| 196 | ctx->cert->sig.hash_algo = "sha1"; | 196 | ctx->cert->sig->hash_algo = "sha1"; |
| 197 | ctx->cert->sig.pkey_algo = "rsa"; | 197 | ctx->cert->sig->pkey_algo = "rsa"; |
| 198 | break; | 198 | break; |
| 199 | 199 | ||
| 200 | case OID_sha256WithRSAEncryption: | 200 | case OID_sha256WithRSAEncryption: |
| 201 | ctx->cert->sig.hash_algo = "sha256"; | 201 | ctx->cert->sig->hash_algo = "sha256"; |
| 202 | ctx->cert->sig.pkey_algo = "rsa"; | 202 | ctx->cert->sig->pkey_algo = "rsa"; |
| 203 | break; | 203 | break; |
| 204 | 204 | ||
| 205 | case OID_sha384WithRSAEncryption: | 205 | case OID_sha384WithRSAEncryption: |
| 206 | ctx->cert->sig.hash_algo = "sha384"; | 206 | ctx->cert->sig->hash_algo = "sha384"; |
| 207 | ctx->cert->sig.pkey_algo = "rsa"; | 207 | ctx->cert->sig->pkey_algo = "rsa"; |
| 208 | break; | 208 | break; |
| 209 | 209 | ||
| 210 | case OID_sha512WithRSAEncryption: | 210 | case OID_sha512WithRSAEncryption: |
| 211 | ctx->cert->sig.hash_algo = "sha512"; | 211 | ctx->cert->sig->hash_algo = "sha512"; |
| 212 | ctx->cert->sig.pkey_algo = "rsa"; | 212 | ctx->cert->sig->pkey_algo = "rsa"; |
| 213 | break; | 213 | break; |
| 214 | 214 | ||
| 215 | case OID_sha224WithRSAEncryption: | 215 | case OID_sha224WithRSAEncryption: |
| 216 | ctx->cert->sig.hash_algo = "sha224"; | 216 | ctx->cert->sig->hash_algo = "sha224"; |
| 217 | ctx->cert->sig.pkey_algo = "rsa"; | 217 | ctx->cert->sig->pkey_algo = "rsa"; |
| 218 | break; | 218 | break; |
| 219 | } | 219 | } |
| 220 | 220 | ||
| @@ -572,14 +572,14 @@ int x509_akid_note_kid(void *context, size_t hdrlen, | |||
| 572 | 572 | ||
| 573 | pr_debug("AKID: keyid: %*phN\n", (int)vlen, value); | 573 | pr_debug("AKID: keyid: %*phN\n", (int)vlen, value); |
| 574 | 574 | ||
| 575 | if (ctx->cert->akid_skid) | 575 | if (ctx->cert->sig->auth_ids[1]) |
| 576 | return 0; | 576 | return 0; |
| 577 | 577 | ||
| 578 | kid = asymmetric_key_generate_id(value, vlen, "", 0); | 578 | kid = asymmetric_key_generate_id(value, vlen, "", 0); |
| 579 | if (IS_ERR(kid)) | 579 | if (IS_ERR(kid)) |
| 580 | return PTR_ERR(kid); | 580 | return PTR_ERR(kid); |
| 581 | pr_debug("authkeyid %*phN\n", kid->len, kid->data); | 581 | pr_debug("authkeyid %*phN\n", kid->len, kid->data); |
| 582 | ctx->cert->akid_skid = kid; | 582 | ctx->cert->sig->auth_ids[1] = kid; |
| 583 | return 0; | 583 | return 0; |
| 584 | } | 584 | } |
| 585 | 585 | ||
| @@ -611,7 +611,7 @@ int x509_akid_note_serial(void *context, size_t hdrlen, | |||
| 611 | 611 | ||
| 612 | pr_debug("AKID: serial: %*phN\n", (int)vlen, value); | 612 | pr_debug("AKID: serial: %*phN\n", (int)vlen, value); |
| 613 | 613 | ||
| 614 | if (!ctx->akid_raw_issuer || ctx->cert->akid_id) | 614 | if (!ctx->akid_raw_issuer || ctx->cert->sig->auth_ids[0]) |
| 615 | return 0; | 615 | return 0; |
| 616 | 616 | ||
| 617 | kid = asymmetric_key_generate_id(value, | 617 | kid = asymmetric_key_generate_id(value, |
| @@ -622,6 +622,6 @@ int x509_akid_note_serial(void *context, size_t hdrlen, | |||
| 622 | return PTR_ERR(kid); | 622 | return PTR_ERR(kid); |
| 623 | 623 | ||
| 624 | pr_debug("authkeyid %*phN\n", kid->len, kid->data); | 624 | pr_debug("authkeyid %*phN\n", kid->len, kid->data); |
| 625 | ctx->cert->akid_id = kid; | 625 | ctx->cert->sig->auth_ids[0] = kid; |
| 626 | return 0; | 626 | return 0; |
| 627 | } | 627 | } |
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h index dbeed6018e63..26a4d83e4e6d 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++ b/crypto/asymmetric_keys/x509_parser.h | |||
| @@ -17,13 +17,11 @@ struct x509_certificate { | |||
| 17 | struct x509_certificate *next; | 17 | struct x509_certificate *next; |
| 18 | struct x509_certificate *signer; /* Certificate that signed this one */ | 18 | struct x509_certificate *signer; /* Certificate that signed this one */ |
| 19 | struct public_key *pub; /* Public key details */ | 19 | struct public_key *pub; /* Public key details */ |
| 20 | struct public_key_signature sig; /* Signature parameters */ | 20 | struct public_key_signature *sig; /* Signature parameters */ |
| 21 | char *issuer; /* Name of certificate issuer */ | 21 | char *issuer; /* Name of certificate issuer */ |
| 22 | char *subject; /* Name of certificate subject */ | 22 | char *subject; /* Name of certificate subject */ |
| 23 | struct asymmetric_key_id *id; /* Issuer + Serial number */ | 23 | struct asymmetric_key_id *id; /* Issuer + Serial number */ |
| 24 | struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */ | 24 | struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */ |
| 25 | struct asymmetric_key_id *akid_id; /* CA AuthKeyId matching ->id (optional) */ | ||
| 26 | struct asymmetric_key_id *akid_skid; /* CA AuthKeyId matching ->skid (optional) */ | ||
| 27 | time64_t valid_from; | 25 | time64_t valid_from; |
| 28 | time64_t valid_to; | 26 | time64_t valid_to; |
| 29 | const void *tbs; /* Signed data */ | 27 | const void *tbs; /* Signed data */ |
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 2fcf707fb208..4cd102de174c 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c | |||
| @@ -153,30 +153,29 @@ EXPORT_SYMBOL_GPL(x509_request_asymmetric_key); | |||
| 153 | */ | 153 | */ |
| 154 | int x509_get_sig_params(struct x509_certificate *cert) | 154 | int x509_get_sig_params(struct x509_certificate *cert) |
| 155 | { | 155 | { |
| 156 | struct public_key_signature *sig = cert->sig; | ||
| 156 | struct crypto_shash *tfm; | 157 | struct crypto_shash *tfm; |
| 157 | struct shash_desc *desc; | 158 | struct shash_desc *desc; |
| 158 | size_t digest_size, desc_size; | 159 | size_t desc_size; |
| 159 | void *digest; | ||
| 160 | int ret; | 160 | int ret; |
| 161 | 161 | ||
| 162 | pr_devel("==>%s()\n", __func__); | 162 | pr_devel("==>%s()\n", __func__); |
| 163 | 163 | ||
| 164 | if (cert->unsupported_crypto) | 164 | if (cert->unsupported_crypto) |
| 165 | return -ENOPKG; | 165 | return -ENOPKG; |
| 166 | if (cert->sig.s) | 166 | if (sig->s) |
| 167 | return 0; | 167 | return 0; |
| 168 | 168 | ||
| 169 | cert->sig.s = kmemdup(cert->raw_sig, cert->raw_sig_size, | 169 | sig->s = kmemdup(cert->raw_sig, cert->raw_sig_size, GFP_KERNEL); |
| 170 | GFP_KERNEL); | 170 | if (!sig->s) |
| 171 | if (!cert->sig.s) | ||
| 172 | return -ENOMEM; | 171 | return -ENOMEM; |
| 173 | 172 | ||
| 174 | cert->sig.s_size = cert->raw_sig_size; | 173 | sig->s_size = cert->raw_sig_size; |
| 175 | 174 | ||
| 176 | /* Allocate the hashing algorithm we're going to need and find out how | 175 | /* Allocate the hashing algorithm we're going to need and find out how |
| 177 | * big the hash operational data will be. | 176 | * big the hash operational data will be. |
| 178 | */ | 177 | */ |
| 179 | tfm = crypto_alloc_shash(cert->sig.hash_algo, 0, 0); | 178 | tfm = crypto_alloc_shash(sig->hash_algo, 0, 0); |
| 180 | if (IS_ERR(tfm)) { | 179 | if (IS_ERR(tfm)) { |
| 181 | if (PTR_ERR(tfm) == -ENOENT) { | 180 | if (PTR_ERR(tfm) == -ENOENT) { |
| 182 | cert->unsupported_crypto = true; | 181 | cert->unsupported_crypto = true; |
| @@ -186,29 +185,28 @@ int x509_get_sig_params(struct x509_certificate *cert) | |||
| 186 | } | 185 | } |
| 187 | 186 | ||
| 188 | desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); | 187 | desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); |
| 189 | digest_size = crypto_shash_digestsize(tfm); | 188 | sig->digest_size = crypto_shash_digestsize(tfm); |
| 190 | 189 | ||
| 191 | /* We allocate the hash operational data storage on the end of the | ||
| 192 | * digest storage space. | ||
| 193 | */ | ||
| 194 | ret = -ENOMEM; | 190 | ret = -ENOMEM; |
| 195 | digest = kzalloc(ALIGN(digest_size, __alignof__(*desc)) + desc_size, | 191 | sig->digest = kmalloc(sig->digest_size, GFP_KERNEL); |
| 196 | GFP_KERNEL); | 192 | if (!sig->digest) |
| 197 | if (!digest) | ||
| 198 | goto error; | 193 | goto error; |
| 199 | 194 | ||
| 200 | cert->sig.digest = digest; | 195 | desc = kzalloc(desc_size, GFP_KERNEL); |
| 201 | cert->sig.digest_size = digest_size; | 196 | if (!desc) |
| 197 | goto error; | ||
| 202 | 198 | ||
| 203 | desc = PTR_ALIGN(digest + digest_size, __alignof__(*desc)); | ||
| 204 | desc->tfm = tfm; | 199 | desc->tfm = tfm; |
| 205 | desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; | 200 | desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; |
| 206 | 201 | ||
| 207 | ret = crypto_shash_init(desc); | 202 | ret = crypto_shash_init(desc); |
| 208 | if (ret < 0) | 203 | if (ret < 0) |
| 209 | goto error; | 204 | goto error_2; |
| 210 | might_sleep(); | 205 | might_sleep(); |
| 211 | ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, digest); | 206 | ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, sig->digest); |
| 207 | |||
| 208 | error_2: | ||
| 209 | kfree(desc); | ||
| 212 | error: | 210 | error: |
| 213 | crypto_free_shash(tfm); | 211 | crypto_free_shash(tfm); |
| 214 | pr_devel("<==%s() = %d\n", __func__, ret); | 212 | pr_devel("<==%s() = %d\n", __func__, ret); |
| @@ -230,7 +228,7 @@ int x509_check_signature(const struct public_key *pub, | |||
| 230 | if (ret < 0) | 228 | if (ret < 0) |
| 231 | return ret; | 229 | return ret; |
| 232 | 230 | ||
| 233 | ret = public_key_verify_signature(pub, &cert->sig); | 231 | ret = public_key_verify_signature(pub, cert->sig); |
| 234 | if (ret == -ENOPKG) | 232 | if (ret == -ENOPKG) |
| 235 | cert->unsupported_crypto = true; | 233 | cert->unsupported_crypto = true; |
| 236 | pr_debug("Cert Verification: %d\n", ret); | 234 | pr_debug("Cert Verification: %d\n", ret); |
| @@ -250,17 +248,18 @@ EXPORT_SYMBOL_GPL(x509_check_signature); | |||
| 250 | static int x509_validate_trust(struct x509_certificate *cert, | 248 | static int x509_validate_trust(struct x509_certificate *cert, |
| 251 | struct key *trust_keyring) | 249 | struct key *trust_keyring) |
| 252 | { | 250 | { |
| 251 | struct public_key_signature *sig = cert->sig; | ||
| 253 | struct key *key; | 252 | struct key *key; |
| 254 | int ret = 1; | 253 | int ret = 1; |
| 255 | 254 | ||
| 256 | if (!trust_keyring) | 255 | if (!trust_keyring) |
| 257 | return -EOPNOTSUPP; | 256 | return -EOPNOTSUPP; |
| 258 | 257 | ||
| 259 | if (ca_keyid && !asymmetric_key_id_partial(cert->akid_skid, ca_keyid)) | 258 | if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid)) |
| 260 | return -EPERM; | 259 | return -EPERM; |
| 261 | 260 | ||
| 262 | key = x509_request_asymmetric_key(trust_keyring, | 261 | key = x509_request_asymmetric_key(trust_keyring, |
| 263 | cert->akid_id, cert->akid_skid, | 262 | sig->auth_ids[0], sig->auth_ids[1], |
| 264 | false); | 263 | false); |
| 265 | if (!IS_ERR(key)) { | 264 | if (!IS_ERR(key)) { |
| 266 | if (!use_builtin_keys | 265 | if (!use_builtin_keys |
| @@ -292,8 +291,8 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) | |||
| 292 | pr_devel("Cert Subject: %s\n", cert->subject); | 291 | pr_devel("Cert Subject: %s\n", cert->subject); |
| 293 | 292 | ||
| 294 | if (!cert->pub->pkey_algo || | 293 | if (!cert->pub->pkey_algo || |
| 295 | !cert->sig.pkey_algo || | 294 | !cert->sig->pkey_algo || |
| 296 | !cert->sig.hash_algo) { | 295 | !cert->sig->hash_algo) { |
| 297 | ret = -ENOPKG; | 296 | ret = -ENOPKG; |
| 298 | goto error_free_cert; | 297 | goto error_free_cert; |
| 299 | } | 298 | } |
| @@ -301,15 +300,15 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) | |||
| 301 | pr_devel("Cert Key Algo: %s\n", cert->pub->pkey_algo); | 300 | pr_devel("Cert Key Algo: %s\n", cert->pub->pkey_algo); |
| 302 | pr_devel("Cert Valid period: %lld-%lld\n", cert->valid_from, cert->valid_to); | 301 | pr_devel("Cert Valid period: %lld-%lld\n", cert->valid_from, cert->valid_to); |
| 303 | pr_devel("Cert Signature: %s + %s\n", | 302 | pr_devel("Cert Signature: %s + %s\n", |
| 304 | cert->sig.pkey_algo, | 303 | cert->sig->pkey_algo, |
| 305 | cert->sig.hash_algo); | 304 | cert->sig->hash_algo); |
| 306 | 305 | ||
| 307 | cert->pub->id_type = "X509"; | 306 | cert->pub->id_type = "X509"; |
| 308 | 307 | ||
| 309 | /* Check the signature on the key if it appears to be self-signed */ | 308 | /* Check the signature on the key if it appears to be self-signed */ |
| 310 | if ((!cert->akid_skid && !cert->akid_id) || | 309 | if ((!cert->sig->auth_ids[0] && !cert->sig->auth_ids[1]) || |
| 311 | asymmetric_key_id_same(cert->skid, cert->akid_skid) || | 310 | asymmetric_key_id_same(cert->skid, cert->sig->auth_ids[1]) || |
| 312 | asymmetric_key_id_same(cert->id, cert->akid_id)) { | 311 | asymmetric_key_id_same(cert->id, cert->sig->auth_ids[0])) { |
| 313 | ret = x509_check_signature(cert->pub, cert); /* self-signed */ | 312 | ret = x509_check_signature(cert->pub, cert); /* self-signed */ |
| 314 | if (ret < 0) | 313 | if (ret < 0) |
| 315 | goto error_free_cert; | 314 | goto error_free_cert; |
| @@ -353,6 +352,7 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) | |||
| 353 | prep->payload.data[asym_subtype] = &public_key_subtype; | 352 | prep->payload.data[asym_subtype] = &public_key_subtype; |
| 354 | prep->payload.data[asym_key_ids] = kids; | 353 | prep->payload.data[asym_key_ids] = kids; |
| 355 | prep->payload.data[asym_crypto] = cert->pub; | 354 | prep->payload.data[asym_crypto] = cert->pub; |
| 355 | prep->payload.data[asym_auth] = cert->sig; | ||
| 356 | prep->description = desc; | 356 | prep->description = desc; |
| 357 | prep->quotalen = 100; | 357 | prep->quotalen = 100; |
| 358 | 358 | ||
| @@ -360,6 +360,7 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) | |||
| 360 | cert->pub = NULL; | 360 | cert->pub = NULL; |
| 361 | cert->id = NULL; | 361 | cert->id = NULL; |
| 362 | cert->skid = NULL; | 362 | cert->skid = NULL; |
| 363 | cert->sig = NULL; | ||
| 363 | desc = NULL; | 364 | desc = NULL; |
| 364 | ret = 0; | 365 | ret = 0; |
| 365 | 366 | ||