diff options
| author | David Howells <dhowells@redhat.com> | 2014-07-22 16:52:33 -0400 |
|---|---|---|
| committer | David Howells <dhowells@redhat.com> | 2014-07-22 16:53:21 -0400 |
| commit | 1ca72c96dbad332ebd89b5756640f881ff0e6e9e (patch) | |
| tree | e256d23f3ed8217b18bd36e78fdda242954d2d60 /crypto/asymmetric_keys/pkcs7.asn1 | |
| parent | a19e3c22b34ae599eafd9fd05c887fc8e7ec2e3a (diff) | |
| parent | 22d01afb210ff77fc480a1fc531cd59a4f32157a (diff) | |
Merge tag 'keys-pkcs7-20140708' into keys-next
Here's a set of changes that implement a PKCS#7 message parser in the kernel.
The PKCS#7 message parsing will then be used to limit kexec to authenticated
kernels only if so configured.
The changes provide the following facilities:
(1) Parse an ASN.1 PKCS#7 message and pick out useful bits such as the data
content and the X.509 certificates used to sign it and all the data
signatures.
(2) Verify all the data signatures against the set of X.509 certificates
available in the message.
(3) Follow the certificate chains and verify that:
(a) for every self-signed X.509 certificate, check that it validly signed
itself, and:
(b) for every non-self-signed certificate, if we have a 'parent'
certificate, the former is validly signed by the latter.
(4) Look for intersections between the certificate chains and the trusted
keyring, if any intersections are found, verify that the trusted
certificates signed the intersection point in the chain.
(5) For testing purposes, a key type can be made available that will take a
PKCS#7 message, check that the message is trustworthy, and if so, add its
data content into the key.
Note that (5) has to be altered to take account of the preparsing patches
already committed to this branch.
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'crypto/asymmetric_keys/pkcs7.asn1')
| -rw-r--r-- | crypto/asymmetric_keys/pkcs7.asn1 | 127 |
1 files changed, 127 insertions, 0 deletions
diff --git a/crypto/asymmetric_keys/pkcs7.asn1 b/crypto/asymmetric_keys/pkcs7.asn1 new file mode 100644 index 000000000000..a5a14ef28c86 --- /dev/null +++ b/crypto/asymmetric_keys/pkcs7.asn1 | |||
| @@ -0,0 +1,127 @@ | |||
| 1 | PKCS7ContentInfo ::= SEQUENCE { | ||
| 2 | contentType ContentType, | ||
| 3 | content [0] EXPLICIT SignedData OPTIONAL | ||
| 4 | } | ||
| 5 | |||
| 6 | ContentType ::= OBJECT IDENTIFIER ({ pkcs7_note_OID }) | ||
| 7 | |||
| 8 | SignedData ::= SEQUENCE { | ||
| 9 | version INTEGER, | ||
| 10 | digestAlgorithms DigestAlgorithmIdentifiers, | ||
| 11 | contentInfo ContentInfo, | ||
| 12 | certificates CHOICE { | ||
| 13 | certSet [0] IMPLICIT ExtendedCertificatesAndCertificates, | ||
| 14 | certSequence [2] IMPLICIT Certificates | ||
| 15 | } OPTIONAL ({ pkcs7_note_certificate_list }), | ||
| 16 | crls CHOICE { | ||
| 17 | crlSet [1] IMPLICIT CertificateRevocationLists, | ||
| 18 | crlSequence [3] IMPLICIT CRLSequence | ||
| 19 | } OPTIONAL, | ||
| 20 | signerInfos SignerInfos | ||
| 21 | } | ||
| 22 | |||
| 23 | ContentInfo ::= SEQUENCE { | ||
| 24 | contentType ContentType, | ||
| 25 | content [0] EXPLICIT Data OPTIONAL | ||
| 26 | } | ||
| 27 | |||
| 28 | Data ::= ANY ({ pkcs7_note_data }) | ||
| 29 | |||
| 30 | DigestAlgorithmIdentifiers ::= CHOICE { | ||
| 31 | daSet SET OF DigestAlgorithmIdentifier, | ||
| 32 | daSequence SEQUENCE OF DigestAlgorithmIdentifier | ||
| 33 | } | ||
| 34 | |||
| 35 | DigestAlgorithmIdentifier ::= SEQUENCE { | ||
| 36 | algorithm OBJECT IDENTIFIER ({ pkcs7_note_OID }), | ||
| 37 | parameters ANY OPTIONAL | ||
| 38 | } | ||
| 39 | |||
| 40 | -- | ||
| 41 | -- Certificates and certificate lists | ||
| 42 | -- | ||
| 43 | ExtendedCertificatesAndCertificates ::= SET OF ExtendedCertificateOrCertificate | ||
| 44 | |||
| 45 | ExtendedCertificateOrCertificate ::= CHOICE { | ||
| 46 | certificate Certificate, -- X.509 | ||
| 47 | extendedCertificate [0] IMPLICIT ExtendedCertificate -- PKCS#6 | ||
| 48 | } | ||
| 49 | |||
| 50 | ExtendedCertificate ::= Certificate -- cheating | ||
| 51 | |||
| 52 | Certificates ::= SEQUENCE OF Certificate | ||
| 53 | |||
| 54 | CertificateRevocationLists ::= SET OF CertificateList | ||
| 55 | |||
| 56 | CertificateList ::= SEQUENCE OF Certificate -- This may be defined incorrectly | ||
| 57 | |||
| 58 | CRLSequence ::= SEQUENCE OF CertificateList | ||
| 59 | |||
| 60 | Certificate ::= ANY ({ pkcs7_extract_cert }) -- X.509 | ||
| 61 | |||
| 62 | -- | ||
| 63 | -- Signer information | ||
| 64 | -- | ||
| 65 | SignerInfos ::= CHOICE { | ||
| 66 | siSet SET OF SignerInfo, | ||
| 67 | siSequence SEQUENCE OF SignerInfo | ||
| 68 | } | ||
| 69 | |||
| 70 | SignerInfo ::= SEQUENCE { | ||
| 71 | version INTEGER, | ||
| 72 | issuerAndSerialNumber IssuerAndSerialNumber, | ||
| 73 | digestAlgorithm DigestAlgorithmIdentifier ({ pkcs7_sig_note_digest_algo }), | ||
| 74 | authenticatedAttributes CHOICE { | ||
| 75 | aaSet [0] IMPLICIT SetOfAuthenticatedAttribute | ||
| 76 | ({ pkcs7_sig_note_set_of_authattrs }), | ||
| 77 | aaSequence [2] EXPLICIT SEQUENCE OF AuthenticatedAttribute | ||
| 78 | -- Explicit because easier to compute digest on | ||
| 79 | -- sequence of attributes and then reuse encoded | ||
| 80 | -- sequence in aaSequence. | ||
| 81 | } OPTIONAL, | ||
| 82 | digestEncryptionAlgorithm | ||
| 83 | DigestEncryptionAlgorithmIdentifier ({ pkcs7_sig_note_pkey_algo }), | ||
| 84 | encryptedDigest EncryptedDigest, | ||
| 85 | unauthenticatedAttributes CHOICE { | ||
| 86 | uaSet [1] IMPLICIT SET OF UnauthenticatedAttribute, | ||
| 87 | uaSequence [3] IMPLICIT SEQUENCE OF UnauthenticatedAttribute | ||
| 88 | } OPTIONAL | ||
| 89 | } ({ pkcs7_note_signed_info }) | ||
| 90 | |||
| 91 | IssuerAndSerialNumber ::= SEQUENCE { | ||
| 92 | issuer Name ({ pkcs7_sig_note_issuer }), | ||
| 93 | serialNumber CertificateSerialNumber ({ pkcs7_sig_note_serial }) | ||
| 94 | } | ||
| 95 | |||
| 96 | CertificateSerialNumber ::= INTEGER | ||
| 97 | |||
| 98 | SetOfAuthenticatedAttribute ::= SET OF AuthenticatedAttribute | ||
| 99 | |||
| 100 | AuthenticatedAttribute ::= SEQUENCE { | ||
| 101 | type OBJECT IDENTIFIER ({ pkcs7_note_OID }), | ||
| 102 | values SET OF ANY ({ pkcs7_sig_note_authenticated_attr }) | ||
| 103 | } | ||
| 104 | |||
| 105 | UnauthenticatedAttribute ::= SEQUENCE { | ||
| 106 | type OBJECT IDENTIFIER ({ pkcs7_note_OID }), | ||
| 107 | values SET OF ANY | ||
| 108 | } | ||
| 109 | |||
| 110 | DigestEncryptionAlgorithmIdentifier ::= SEQUENCE { | ||
| 111 | algorithm OBJECT IDENTIFIER ({ pkcs7_note_OID }), | ||
| 112 | parameters ANY OPTIONAL | ||
| 113 | } | ||
| 114 | |||
| 115 | EncryptedDigest ::= OCTET STRING ({ pkcs7_sig_note_signature }) | ||
| 116 | |||
| 117 | --- | ||
| 118 | --- X.500 Name | ||
| 119 | --- | ||
| 120 | Name ::= SEQUENCE OF RelativeDistinguishedName | ||
| 121 | |||
| 122 | RelativeDistinguishedName ::= SET OF AttributeValueAssertion | ||
| 123 | |||
| 124 | AttributeValueAssertion ::= SEQUENCE { | ||
| 125 | attributeType OBJECT IDENTIFIER ({ pkcs7_note_OID }), | ||
| 126 | attributeValue ANY | ||
| 127 | } | ||