aboutsummaryrefslogtreecommitdiffstats
path: root/crypto/asymmetric_keys
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2014-09-16 12:36:13 -0400
committerDavid Howells <dhowells@redhat.com>2014-09-16 12:36:13 -0400
commit46963b774d441c833afc1535f6d84b3df2a94204 (patch)
tree335cbd163ef2581b72d462f49984a6809609a58b /crypto/asymmetric_keys
parent7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 (diff)
KEYS: Overhaul key identification when searching for asymmetric keys
Make use of the new match string preparsing to overhaul key identification when searching for asymmetric keys. The following changes are made: (1) Use the previously created asymmetric_key_id struct to hold the following key IDs derived from the X.509 certificate or PKCS#7 message: id: serial number + issuer skid: subjKeyId + subject authority: authKeyId + issuer (2) Replace the hex fingerprint attached to key->type_data[1] with an asymmetric_key_ids struct containing the id and the skid (if present). (3) Make the asymmetric_type match data preparse select one of two searches: (a) An iterative search for the key ID given if prefixed with "id:". The prefix is expected to be followed by a hex string giving the ID to search for. The criterion key ID is checked against all key IDs recorded on the key. (b) A direct search if the key ID is not prefixed with "id:". This will look for an exact match on the key description. (4) Make x509_request_asymmetric_key() take a key ID. This is then converted into "id:<hex>" and passed into keyring_search() where match preparsing will turn it back into a binary ID. (5) X.509 certificate verification then takes the authority key ID and looks up a key that matches it to find the public key for the certificate signature. (6) PKCS#7 certificate verification then takes the id key ID and looks up a key that matches it to find the public key for the signed information block signature. Additional changes: (1) Multiple subjKeyId and authKeyId values on an X.509 certificate cause the cert to be rejected with -EBADMSG. (2) The 'fingerprint' ID is gone. This was primarily intended to convey PGP public key fingerprints. If PGP is supported in future, this should generate a key ID that carries the fingerprint. (3) Th ca_keyid= kernel command line option is now converted to a key ID and used to match the authority key ID. Possibly this should only match the actual authKeyId part and not the issuer as well. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Vivek Goyal <vgoyal@redhat.com>
Diffstat (limited to 'crypto/asymmetric_keys')
-rw-r--r--crypto/asymmetric_keys/asymmetric_keys.h4
-rw-r--r--crypto/asymmetric_keys/asymmetric_type.c133
-rw-r--r--crypto/asymmetric_keys/pkcs7_parser.c38
-rw-r--r--crypto/asymmetric_keys/pkcs7_parser.h5
-rw-r--r--crypto/asymmetric_keys/pkcs7_trust.c6
-rw-r--r--crypto/asymmetric_keys/pkcs7_verify.c44
-rw-r--r--crypto/asymmetric_keys/x509_cert_parser.c55
-rw-r--r--crypto/asymmetric_keys/x509_parser.h5
-rw-r--r--crypto/asymmetric_keys/x509_public_key.c89
9 files changed, 195 insertions, 184 deletions
diff --git a/crypto/asymmetric_keys/asymmetric_keys.h b/crypto/asymmetric_keys/asymmetric_keys.h
index 917be6b985e7..fd21ac28e0a0 100644
--- a/crypto/asymmetric_keys/asymmetric_keys.h
+++ b/crypto/asymmetric_keys/asymmetric_keys.h
@@ -9,13 +9,13 @@
9 * 2 of the Licence, or (at your option) any later version. 9 * 2 of the Licence, or (at your option) any later version.
10 */ 10 */
11 11
12int asymmetric_keyid_match(const char *kid, const char *id);
13extern bool asymmetric_match_key_ids(const struct asymmetric_key_ids *kids, 12extern bool asymmetric_match_key_ids(const struct asymmetric_key_ids *kids,
14 const struct asymmetric_key_id *match_id); 13 const struct asymmetric_key_id *match_id);
15 14
16extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id); 15extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id);
17 16
18static inline const char *asymmetric_key_id(const struct key *key) 17static inline
18const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key)
19{ 19{
20 return key->type_data.p[1]; 20 return key->type_data.p[1];
21} 21}
diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c
index 92bfc438dd1d..718e779a010e 100644
--- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -112,76 +112,15 @@ struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id)
112} 112}
113 113
114/* 114/*
115 * Match asymmetric key id with partial match 115 * Match asymmetric keys by ID.
116 * @id: key id to match in a form "id:<id>"
117 */
118int asymmetric_keyid_match(const char *kid, const char *id)
119{
120 size_t idlen, kidlen;
121
122 if (!kid || !id)
123 return 0;
124
125 /* make it possible to use id as in the request: "id:<id>" */
126 if (strncmp(id, "id:", 3) == 0)
127 id += 3;
128
129 /* Anything after here requires a partial match on the ID string */
130 idlen = strlen(id);
131 kidlen = strlen(kid);
132 if (idlen > kidlen)
133 return 0;
134
135 kid += kidlen - idlen;
136 if (strcasecmp(id, kid) != 0)
137 return 0;
138
139 return 1;
140}
141EXPORT_SYMBOL_GPL(asymmetric_keyid_match);
142
143/*
144 * Match asymmetric keys on (part of) their name
145 * We have some shorthand methods for matching keys. We allow:
146 *
147 * "<desc>" - request a key by description
148 * "id:<id>" - request a key matching the ID
149 * "<subtype>:<id>" - request a key of a subtype
150 */ 116 */
151static bool asymmetric_key_cmp(const struct key *key, 117static bool asymmetric_key_cmp(const struct key *key,
152 const struct key_match_data *match_data) 118 const struct key_match_data *match_data)
153{ 119{
154 const struct asymmetric_key_subtype *subtype = asymmetric_key_subtype(key); 120 const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
155 const char *description = match_data->raw_data; 121 const struct asymmetric_key_id *match_id = match_data->preparsed;
156 const char *spec = description;
157 const char *id;
158 ptrdiff_t speclen;
159
160 if (!subtype || !spec || !*spec)
161 return 0;
162
163 /* See if the full key description matches as is */
164 if (key->description && strcmp(key->description, description) == 0)
165 return 1;
166
167 /* All tests from here on break the criterion description into a
168 * specifier, a colon and then an identifier.
169 */
170 id = strchr(spec, ':');
171 if (!id)
172 return 0;
173
174 speclen = id - spec;
175 id++;
176
177 if (speclen == 2 && memcmp(spec, "id", 2) == 0)
178 return asymmetric_keyid_match(asymmetric_key_id(key), id);
179 122
180 if (speclen == subtype->name_len && 123 return asymmetric_match_key_ids(kids, match_id);
181 memcmp(spec, subtype->name, speclen) == 0)
182 return 1;
183
184 return 0;
185} 124}
186 125
187/* 126/*
@@ -198,8 +137,30 @@ static bool asymmetric_key_cmp(const struct key *key,
198 */ 137 */
199static int asymmetric_key_match_preparse(struct key_match_data *match_data) 138static int asymmetric_key_match_preparse(struct key_match_data *match_data)
200{ 139{
201 match_data->lookup_type = KEYRING_SEARCH_LOOKUP_ITERATE; 140 struct asymmetric_key_id *match_id;
141 const char *spec = match_data->raw_data;
142 const char *id;
143
144 if (!spec || !*spec)
145 return -EINVAL;
146 if (spec[0] == 'i' &&
147 spec[1] == 'd' &&
148 spec[2] == ':') {
149 id = spec + 3;
150 } else {
151 goto default_match;
152 }
153
154 match_id = asymmetric_key_hex_to_key_id(id);
155 if (!match_id)
156 return -ENOMEM;
157
158 match_data->preparsed = match_id;
202 match_data->cmp = asymmetric_key_cmp; 159 match_data->cmp = asymmetric_key_cmp;
160 match_data->lookup_type = KEYRING_SEARCH_LOOKUP_ITERATE;
161 return 0;
162
163default_match:
203 return 0; 164 return 0;
204} 165}
205 166
@@ -208,6 +169,7 @@ static int asymmetric_key_match_preparse(struct key_match_data *match_data)
208 */ 169 */
209static void asymmetric_key_match_free(struct key_match_data *match_data) 170static void asymmetric_key_match_free(struct key_match_data *match_data)
210{ 171{
172 kfree(match_data->preparsed);
211} 173}
212 174
213/* 175/*
@@ -216,8 +178,10 @@ static void asymmetric_key_match_free(struct key_match_data *match_data)
216static void asymmetric_key_describe(const struct key *key, struct seq_file *m) 178static void asymmetric_key_describe(const struct key *key, struct seq_file *m)
217{ 179{
218 const struct asymmetric_key_subtype *subtype = asymmetric_key_subtype(key); 180 const struct asymmetric_key_subtype *subtype = asymmetric_key_subtype(key);
219 const char *kid = asymmetric_key_id(key); 181 const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
220 size_t n; 182 const struct asymmetric_key_id *kid;
183 const unsigned char *p;
184 int n;
221 185
222 seq_puts(m, key->description); 186 seq_puts(m, key->description);
223 187
@@ -225,13 +189,16 @@ static void asymmetric_key_describe(const struct key *key, struct seq_file *m)
225 seq_puts(m, ": "); 189 seq_puts(m, ": ");
226 subtype->describe(key, m); 190 subtype->describe(key, m);
227 191
228 if (kid) { 192 if (kids && kids->id[0]) {
193 kid = kids->id[0];
229 seq_putc(m, ' '); 194 seq_putc(m, ' ');
230 n = strlen(kid); 195 n = kid->len;
231 if (n <= 8) 196 p = kid->data;
232 seq_puts(m, kid); 197 if (n > 8) {
233 else 198 p += n - 8;
234 seq_puts(m, kid + n - 8); 199 n = 8;
200 }
201 seq_printf(m, "%*phN", n, p);
235 } 202 }
236 203
237 seq_puts(m, " ["); 204 seq_puts(m, " [");
@@ -282,6 +249,7 @@ static int asymmetric_key_preparse(struct key_preparsed_payload *prep)
282static void asymmetric_key_free_preparse(struct key_preparsed_payload *prep) 249static void asymmetric_key_free_preparse(struct key_preparsed_payload *prep)
283{ 250{
284 struct asymmetric_key_subtype *subtype = prep->type_data[0]; 251 struct asymmetric_key_subtype *subtype = prep->type_data[0];
252 struct asymmetric_key_ids *kids = prep->type_data[1];
285 253
286 pr_devel("==>%s()\n", __func__); 254 pr_devel("==>%s()\n", __func__);
287 255
@@ -289,7 +257,11 @@ static void asymmetric_key_free_preparse(struct key_preparsed_payload *prep)
289 subtype->destroy(prep->payload[0]); 257 subtype->destroy(prep->payload[0]);
290 module_put(subtype->owner); 258 module_put(subtype->owner);
291 } 259 }
292 kfree(prep->type_data[1]); 260 if (kids) {
261 kfree(kids->id[0]);
262 kfree(kids->id[1]);
263 kfree(kids);
264 }
293 kfree(prep->description); 265 kfree(prep->description);
294} 266}
295 267
@@ -299,13 +271,20 @@ static void asymmetric_key_free_preparse(struct key_preparsed_payload *prep)
299static void asymmetric_key_destroy(struct key *key) 271static void asymmetric_key_destroy(struct key *key)
300{ 272{
301 struct asymmetric_key_subtype *subtype = asymmetric_key_subtype(key); 273 struct asymmetric_key_subtype *subtype = asymmetric_key_subtype(key);
274 struct asymmetric_key_ids *kids = key->type_data.p[1];
275
302 if (subtype) { 276 if (subtype) {
303 subtype->destroy(key->payload.data); 277 subtype->destroy(key->payload.data);
304 module_put(subtype->owner); 278 module_put(subtype->owner);
305 key->type_data.p[0] = NULL; 279 key->type_data.p[0] = NULL;
306 } 280 }
307 kfree(key->type_data.p[1]); 281
308 key->type_data.p[1] = NULL; 282 if (kids) {
283 kfree(kids->id[0]);
284 kfree(kids->id[1]);
285 kfree(kids);
286 key->type_data.p[1] = NULL;
287 }
309} 288}
310 289
311struct key_type key_type_asymmetric = { 290struct key_type key_type_asymmetric = {
diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys/pkcs7_parser.c
index 1e9861da7ee4..3bd5a1e4c493 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.c
+++ b/crypto/asymmetric_keys/pkcs7_parser.c
@@ -29,6 +29,10 @@ struct pkcs7_parse_context {
29 enum OID last_oid; /* Last OID encountered */ 29 enum OID last_oid; /* Last OID encountered */
30 unsigned x509_index; 30 unsigned x509_index;
31 unsigned sinfo_index; 31 unsigned sinfo_index;
32 const void *raw_serial;
33 unsigned raw_serial_size;
34 unsigned raw_issuer_size;
35 const void *raw_issuer;
32}; 36};
33 37
34/* 38/*
@@ -39,6 +43,7 @@ static void pkcs7_free_signed_info(struct pkcs7_signed_info *sinfo)
39 if (sinfo) { 43 if (sinfo) {
40 mpi_free(sinfo->sig.mpi[0]); 44 mpi_free(sinfo->sig.mpi[0]);
41 kfree(sinfo->sig.digest); 45 kfree(sinfo->sig.digest);
46 kfree(sinfo->signing_cert_id);
42 kfree(sinfo); 47 kfree(sinfo);
43 } 48 }
44} 49}
@@ -251,10 +256,10 @@ int pkcs7_extract_cert(void *context, size_t hdrlen,
251 if (IS_ERR(x509)) 256 if (IS_ERR(x509))
252 return PTR_ERR(x509); 257 return PTR_ERR(x509);
253 258
254 pr_debug("Got cert for %s\n", x509->subject);
255 pr_debug("- fingerprint %s\n", x509->fingerprint);
256
257 x509->index = ++ctx->x509_index; 259 x509->index = ++ctx->x509_index;
260 pr_debug("Got cert %u for %s\n", x509->index, x509->subject);
261 pr_debug("- fingerprint %*phN\n", x509->id->len, x509->id->data);
262
258 *ctx->ppcerts = x509; 263 *ctx->ppcerts = x509;
259 ctx->ppcerts = &x509->next; 264 ctx->ppcerts = &x509->next;
260 return 0; 265 return 0;
@@ -343,8 +348,8 @@ int pkcs7_sig_note_serial(void *context, size_t hdrlen,
343 const void *value, size_t vlen) 348 const void *value, size_t vlen)
344{ 349{
345 struct pkcs7_parse_context *ctx = context; 350 struct pkcs7_parse_context *ctx = context;
346 ctx->sinfo->raw_serial = value; 351 ctx->raw_serial = value;
347 ctx->sinfo->raw_serial_size = vlen; 352 ctx->raw_serial_size = vlen;
348 return 0; 353 return 0;
349} 354}
350 355
@@ -356,8 +361,8 @@ int pkcs7_sig_note_issuer(void *context, size_t hdrlen,
356 const void *value, size_t vlen) 361 const void *value, size_t vlen)
357{ 362{
358 struct pkcs7_parse_context *ctx = context; 363 struct pkcs7_parse_context *ctx = context;
359 ctx->sinfo->raw_issuer = value; 364 ctx->raw_issuer = value;
360 ctx->sinfo->raw_issuer_size = vlen; 365 ctx->raw_issuer_size = vlen;
361 return 0; 366 return 0;
362} 367}
363 368
@@ -390,10 +395,21 @@ int pkcs7_note_signed_info(void *context, size_t hdrlen,
390 const void *value, size_t vlen) 395 const void *value, size_t vlen)
391{ 396{
392 struct pkcs7_parse_context *ctx = context; 397 struct pkcs7_parse_context *ctx = context;
393 398 struct pkcs7_signed_info *sinfo = ctx->sinfo;
394 ctx->sinfo->index = ++ctx->sinfo_index; 399 struct asymmetric_key_id *kid;
395 *ctx->ppsinfo = ctx->sinfo; 400
396 ctx->ppsinfo = &ctx->sinfo->next; 401 /* Generate cert issuer + serial number key ID */
402 kid = asymmetric_key_generate_id(ctx->raw_serial,
403 ctx->raw_serial_size,
404 ctx->raw_issuer,
405 ctx->raw_issuer_size);
406 if (IS_ERR(kid))
407 return PTR_ERR(kid);
408
409 sinfo->signing_cert_id = kid;
410 sinfo->index = ++ctx->sinfo_index;
411 *ctx->ppsinfo = sinfo;
412 ctx->ppsinfo = &sinfo->next;
397 ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL); 413 ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL);
398 if (!ctx->sinfo) 414 if (!ctx->sinfo)
399 return -ENOMEM; 415 return -ENOMEM;
diff --git a/crypto/asymmetric_keys/pkcs7_parser.h b/crypto/asymmetric_keys/pkcs7_parser.h
index d25f4d15370f..91949f92bc72 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.h
+++ b/crypto/asymmetric_keys/pkcs7_parser.h
@@ -33,10 +33,7 @@ struct pkcs7_signed_info {
33 const void *authattrs; 33 const void *authattrs;
34 34
35 /* Issuing cert serial number and issuer's name */ 35 /* Issuing cert serial number and issuer's name */
36 const void *raw_serial; 36 struct asymmetric_key_id *signing_cert_id;
37 unsigned raw_serial_size;
38 unsigned raw_issuer_size;
39 const void *raw_issuer;
40 37
41 /* Message signature. 38 /* Message signature.
42 * 39 *
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c
index fad888ea4fad..09197e50fa82 100644
--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -49,8 +49,7 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
49 /* Look to see if this certificate is present in the trusted 49 /* Look to see if this certificate is present in the trusted
50 * keys. 50 * keys.
51 */ 51 */
52 key = x509_request_asymmetric_key(trust_keyring, x509->subject, 52 key = x509_request_asymmetric_key(trust_keyring, x509->id);
53 x509->fingerprint);
54 if (!IS_ERR(key)) 53 if (!IS_ERR(key))
55 /* One of the X.509 certificates in the PKCS#7 message 54 /* One of the X.509 certificates in the PKCS#7 message
56 * is apparently the same as one we already trust. 55 * is apparently the same as one we already trust.
@@ -82,8 +81,7 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
82 return -ENOKEY; 81 return -ENOKEY;
83 } 82 }
84 83
85 key = x509_request_asymmetric_key(trust_keyring, last->issuer, 84 key = x509_request_asymmetric_key(trust_keyring, last->authority);
86 last->authority);
87 if (IS_ERR(key)) 85 if (IS_ERR(key))
88 return PTR_ERR(key) == -ENOMEM ? -ENOMEM : -ENOKEY; 86 return PTR_ERR(key) == -ENOMEM ? -ENOMEM : -ENOKEY;
89 x509 = last; 87 x509 = last;
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
index c62cf8006e1f..57e90fa17f2b 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -131,8 +131,7 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7,
131 struct x509_certificate *x509; 131 struct x509_certificate *x509;
132 unsigned certix = 1; 132 unsigned certix = 1;
133 133
134 kenter("%u,%u,%u", 134 kenter("%u", sinfo->index);
135 sinfo->index, sinfo->raw_serial_size, sinfo->raw_issuer_size);
136 135
137 for (x509 = pkcs7->certs; x509; x509 = x509->next, certix++) { 136 for (x509 = pkcs7->certs; x509; x509 = x509->next, certix++) {
138 /* I'm _assuming_ that the generator of the PKCS#7 message will 137 /* I'm _assuming_ that the generator of the PKCS#7 message will
@@ -140,21 +139,11 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7,
140 * PKCS#7 message - but I can't be 100% sure of that. It's 139 * PKCS#7 message - but I can't be 100% sure of that. It's
141 * possible this will need element-by-element comparison. 140 * possible this will need element-by-element comparison.
142 */ 141 */
143 if (x509->raw_serial_size != sinfo->raw_serial_size || 142 if (!asymmetric_key_id_same(x509->id, sinfo->signing_cert_id))
144 memcmp(x509->raw_serial, sinfo->raw_serial,
145 sinfo->raw_serial_size) != 0)
146 continue; 143 continue;
147 pr_devel("Sig %u: Found cert serial match X.509[%u]\n", 144 pr_devel("Sig %u: Found cert serial match X.509[%u]\n",
148 sinfo->index, certix); 145 sinfo->index, certix);
149 146
150 if (x509->raw_issuer_size != sinfo->raw_issuer_size ||
151 memcmp(x509->raw_issuer, sinfo->raw_issuer,
152 sinfo->raw_issuer_size) != 0) {
153 pr_warn("Sig %u: X.509 subject and PKCS#7 issuer don't match\n",
154 sinfo->index);
155 continue;
156 }
157
158 if (x509->pub->pkey_algo != sinfo->sig.pkey_algo) { 147 if (x509->pub->pkey_algo != sinfo->sig.pkey_algo) {
159 pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n", 148 pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n",
160 sinfo->index); 149 sinfo->index);
@@ -164,8 +153,10 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7,
164 sinfo->signer = x509; 153 sinfo->signer = x509;
165 return 0; 154 return 0;
166 } 155 }
156
167 pr_warn("Sig %u: Issuing X.509 cert not found (#%*ph)\n", 157 pr_warn("Sig %u: Issuing X.509 cert not found (#%*ph)\n",
168 sinfo->index, sinfo->raw_serial_size, sinfo->raw_serial); 158 sinfo->index,
159 sinfo->signing_cert_id->len, sinfo->signing_cert_id->data);
169 return -ENOKEY; 160 return -ENOKEY;
170} 161}
171 162
@@ -184,7 +175,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
184 p->seen = false; 175 p->seen = false;
185 176
186 for (;;) { 177 for (;;) {
187 pr_debug("verify %s: %s\n", x509->subject, x509->fingerprint); 178 pr_debug("verify %s: %*phN\n",
179 x509->subject,
180 x509->raw_serial_size, x509->raw_serial);
188 x509->seen = true; 181 x509->seen = true;
189 ret = x509_get_sig_params(x509); 182 ret = x509_get_sig_params(x509);
190 if (ret < 0) 183 if (ret < 0)
@@ -192,7 +185,8 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
192 185
193 pr_debug("- issuer %s\n", x509->issuer); 186 pr_debug("- issuer %s\n", x509->issuer);
194 if (x509->authority) 187 if (x509->authority)
195 pr_debug("- authkeyid %s\n", x509->authority); 188 pr_debug("- authkeyid %*phN\n",
189 x509->authority->len, x509->authority->data);
196 190
197 if (!x509->authority || 191 if (!x509->authority ||
198 strcmp(x509->subject, x509->issuer) == 0) { 192 strcmp(x509->subject, x509->issuer) == 0) {
@@ -218,13 +212,14 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
218 /* Look through the X.509 certificates in the PKCS#7 message's 212 /* Look through the X.509 certificates in the PKCS#7 message's
219 * list to see if the next one is there. 213 * list to see if the next one is there.
220 */ 214 */
221 pr_debug("- want %s\n", x509->authority); 215 pr_debug("- want %*phN\n",
216 x509->authority->len, x509->authority->data);
222 for (p = pkcs7->certs; p; p = p->next) { 217 for (p = pkcs7->certs; p; p = p->next) {
223 pr_debug("- cmp [%u] %s\n", p->index, p->fingerprint); 218 if (!p->skid)
224 if (p->raw_subject_size == x509->raw_issuer_size && 219 continue;
225 strcmp(p->fingerprint, x509->authority) == 0 && 220 pr_debug("- cmp [%u] %*phN\n",
226 memcmp(p->raw_subject, x509->raw_issuer, 221 p->index, p->skid->len, p->skid->data);
227 x509->raw_issuer_size) == 0) 222 if (asymmetric_key_id_same(p->skid, x509->authority))
228 goto found_issuer; 223 goto found_issuer;
229 } 224 }
230 225
@@ -233,7 +228,7 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
233 return 0; 228 return 0;
234 229
235 found_issuer: 230 found_issuer:
236 pr_debug("- issuer %s\n", p->subject); 231 pr_debug("- subject %s\n", p->subject);
237 if (p->seen) { 232 if (p->seen) {
238 pr_warn("Sig %u: X.509 chain contains loop\n", 233 pr_warn("Sig %u: X.509 chain contains loop\n",
239 sinfo->index); 234 sinfo->index);
@@ -304,7 +299,8 @@ int pkcs7_verify(struct pkcs7_message *pkcs7)
304 ret = x509_get_sig_params(x509); 299 ret = x509_get_sig_params(x509);
305 if (ret < 0) 300 if (ret < 0)
306 return ret; 301 return ret;
307 pr_debug("X.509[%u] %s\n", n, x509->authority); 302 pr_debug("X.509[%u] %*phN\n",
303 n, x509->authority->len, x509->authority->data);
308 } 304 }
309 305
310 for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { 306 for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index ac72348c186a..96151b2b91a2 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -46,7 +46,8 @@ void x509_free_certificate(struct x509_certificate *cert)
46 public_key_destroy(cert->pub); 46 public_key_destroy(cert->pub);
47 kfree(cert->issuer); 47 kfree(cert->issuer);
48 kfree(cert->subject); 48 kfree(cert->subject);
49 kfree(cert->fingerprint); 49 kfree(cert->id);
50 kfree(cert->skid);
50 kfree(cert->authority); 51 kfree(cert->authority);
51 kfree(cert->sig.digest); 52 kfree(cert->sig.digest);
52 mpi_free(cert->sig.rsa.s); 53 mpi_free(cert->sig.rsa.s);
@@ -62,6 +63,7 @@ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen)
62{ 63{
63 struct x509_certificate *cert; 64 struct x509_certificate *cert;
64 struct x509_parse_context *ctx; 65 struct x509_parse_context *ctx;
66 struct asymmetric_key_id *kid;
65 long ret; 67 long ret;
66 68
67 ret = -ENOMEM; 69 ret = -ENOMEM;
@@ -89,6 +91,17 @@ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen)
89 if (ret < 0) 91 if (ret < 0)
90 goto error_decode; 92 goto error_decode;
91 93
94 /* Generate cert issuer + serial number key ID */
95 kid = asymmetric_key_generate_id(cert->raw_serial,
96 cert->raw_serial_size,
97 cert->raw_issuer,
98 cert->raw_issuer_size);
99 if (IS_ERR(kid)) {
100 ret = PTR_ERR(kid);
101 goto error_decode;
102 }
103 cert->id = kid;
104
92 kfree(ctx); 105 kfree(ctx);
93 return cert; 106 return cert;
94 107
@@ -407,36 +420,34 @@ int x509_process_extension(void *context, size_t hdrlen,
407 const void *value, size_t vlen) 420 const void *value, size_t vlen)
408{ 421{
409 struct x509_parse_context *ctx = context; 422 struct x509_parse_context *ctx = context;
423 struct asymmetric_key_id *kid;
410 const unsigned char *v = value; 424 const unsigned char *v = value;
411 char *f;
412 int i; 425 int i;
413 426
414 pr_debug("Extension: %u\n", ctx->last_oid); 427 pr_debug("Extension: %u\n", ctx->last_oid);
415 428
416 if (ctx->last_oid == OID_subjectKeyIdentifier) { 429 if (ctx->last_oid == OID_subjectKeyIdentifier) {
417 /* Get hold of the key fingerprint */ 430 /* Get hold of the key fingerprint */
418 if (vlen < 3) 431 if (ctx->cert->skid || vlen < 3)
419 return -EBADMSG; 432 return -EBADMSG;
420 if (v[0] != ASN1_OTS || v[1] != vlen - 2) 433 if (v[0] != ASN1_OTS || v[1] != vlen - 2)
421 return -EBADMSG; 434 return -EBADMSG;
422 v += 2; 435 v += 2;
423 vlen -= 2; 436 vlen -= 2;
424 437
425 f = kmalloc(vlen * 2 + 1, GFP_KERNEL); 438 kid = asymmetric_key_generate_id(v, vlen,
426 if (!f) 439 ctx->cert->raw_subject,
427 return -ENOMEM; 440 ctx->cert->raw_subject_size);
428 for (i = 0; i < vlen; i++) 441 if (IS_ERR(kid))
429 sprintf(f + i * 2, "%02x", v[i]); 442 return PTR_ERR(kid);
430 pr_debug("fingerprint %s\n", f); 443 ctx->cert->skid = kid;
431 ctx->cert->fingerprint = f; 444 pr_debug("subjkeyid %*phN\n", kid->len, kid->data);
432 return 0; 445 return 0;
433 } 446 }
434 447
435 if (ctx->last_oid == OID_authorityKeyIdentifier) { 448 if (ctx->last_oid == OID_authorityKeyIdentifier) {
436 size_t key_len;
437
438 /* Get hold of the CA key fingerprint */ 449 /* Get hold of the CA key fingerprint */
439 if (vlen < 5) 450 if (ctx->cert->authority || vlen < 5)
440 return -EBADMSG; 451 return -EBADMSG;
441 452
442 /* Authority Key Identifier must be a Constructed SEQUENCE */ 453 /* Authority Key Identifier must be a Constructed SEQUENCE */
@@ -454,7 +465,7 @@ int x509_process_extension(void *context, size_t hdrlen,
454 v[3] > vlen - 4) 465 v[3] > vlen - 4)
455 return -EBADMSG; 466 return -EBADMSG;
456 467
457 key_len = v[3]; 468 vlen = v[3];
458 v += 4; 469 v += 4;
459 } else { 470 } else {
460 /* Long Form length */ 471 /* Long Form length */
@@ -476,17 +487,17 @@ int x509_process_extension(void *context, size_t hdrlen,
476 v[sub + 1] > vlen - 4 - sub) 487 v[sub + 1] > vlen - 4 - sub)
477 return -EBADMSG; 488 return -EBADMSG;
478 489
479 key_len = v[sub + 1]; 490 vlen = v[sub + 1];
480 v += (sub + 2); 491 v += (sub + 2);
481 } 492 }
482 493
483 f = kmalloc(key_len * 2 + 1, GFP_KERNEL); 494 kid = asymmetric_key_generate_id(v, vlen,
484 if (!f) 495 ctx->cert->raw_issuer,
485 return -ENOMEM; 496 ctx->cert->raw_issuer_size);
486 for (i = 0; i < key_len; i++) 497 if (IS_ERR(kid))
487 sprintf(f + i * 2, "%02x", v[i]); 498 return PTR_ERR(kid);
488 pr_debug("authority %s\n", f); 499 pr_debug("authkeyid %*phN\n", kid->len, kid->data);
489 ctx->cert->authority = f; 500 ctx->cert->authority = kid;
490 return 0; 501 return 0;
491 } 502 }
492 503
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index 1b76f207c1f3..0e8d59b010fb 100644
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -19,8 +19,9 @@ struct x509_certificate {
19 struct public_key_signature sig; /* Signature parameters */ 19 struct public_key_signature sig; /* Signature parameters */
20 char *issuer; /* Name of certificate issuer */ 20 char *issuer; /* Name of certificate issuer */
21 char *subject; /* Name of certificate subject */ 21 char *subject; /* Name of certificate subject */
22 char *fingerprint; /* Key fingerprint as hex */ 22 struct asymmetric_key_id *id; /* Issuer + serial number */
23 char *authority; /* Authority key fingerprint as hex */ 23 struct asymmetric_key_id *skid; /* Subject key identifier */
24 struct asymmetric_key_id *authority; /* Authority key identifier */
24 struct tm valid_from; 25 struct tm valid_from;
25 struct tm valid_to; 26 struct tm valid_to;
26 const void *tbs; /* Signed data */ 27 const void *tbs; /* Signed data */
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index f3d62307e6ee..c60905c3f4d2 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -25,7 +25,7 @@
25#include "x509_parser.h" 25#include "x509_parser.h"
26 26
27static bool use_builtin_keys; 27static bool use_builtin_keys;
28static char *ca_keyid; 28static struct asymmetric_key_id *ca_keyid;
29 29
30#ifndef MODULE 30#ifndef MODULE
31static int __init ca_keys_setup(char *str) 31static int __init ca_keys_setup(char *str)
@@ -33,10 +33,16 @@ static int __init ca_keys_setup(char *str)
33 if (!str) /* default system keyring */ 33 if (!str) /* default system keyring */
34 return 1; 34 return 1;
35 35
36 if (strncmp(str, "id:", 3) == 0) 36 if (strncmp(str, "id:", 3) == 0) {
37 ca_keyid = str; /* owner key 'id:xxxxxx' */ 37 struct asymmetric_key_id *p;
38 else if (strcmp(str, "builtin") == 0) 38 p = asymmetric_key_hex_to_key_id(str);
39 if (p == ERR_PTR(-EINVAL))
40 pr_err("Unparsable hex string in ca_keys\n");
41 else if (!IS_ERR(p))
42 ca_keyid = p; /* owner key 'id:xxxxxx' */
43 } else if (strcmp(str, "builtin") == 0) {
39 use_builtin_keys = true; 44 use_builtin_keys = true;
45 }
40 46
41 return 1; 47 return 1;
42} 48}
@@ -46,31 +52,28 @@ __setup("ca_keys=", ca_keys_setup);
46/** 52/**
47 * x509_request_asymmetric_key - Request a key by X.509 certificate params. 53 * x509_request_asymmetric_key - Request a key by X.509 certificate params.
48 * @keyring: The keys to search. 54 * @keyring: The keys to search.
49 * @subject: The name of the subject to whom the key belongs. 55 * @kid: The key ID.
50 * @key_id: The subject key ID as a hex string.
51 * 56 *
52 * Find a key in the given keyring by subject name and key ID. These might, 57 * Find a key in the given keyring by subject name and key ID. These might,
53 * for instance, be the issuer name and the authority key ID of an X.509 58 * for instance, be the issuer name and the authority key ID of an X.509
54 * certificate that needs to be verified. 59 * certificate that needs to be verified.
55 */ 60 */
56struct key *x509_request_asymmetric_key(struct key *keyring, 61struct key *x509_request_asymmetric_key(struct key *keyring,
57 const char *subject, 62 const struct asymmetric_key_id *kid)
58 const char *key_id)
59{ 63{
60 key_ref_t key; 64 key_ref_t key;
61 size_t subject_len = strlen(subject), key_id_len = strlen(key_id); 65 char *id, *p;
62 char *id;
63 66
64 /* Construct an identifier "<subjname>:<keyid>". */ 67 /* Construct an identifier "id:<keyid>". */
65 id = kmalloc(subject_len + 2 + key_id_len + 1, GFP_KERNEL); 68 p = id = kmalloc(2 + 1 + kid->len * 2 + 1, GFP_KERNEL);
66 if (!id) 69 if (!id)
67 return ERR_PTR(-ENOMEM); 70 return ERR_PTR(-ENOMEM);
68 71
69 memcpy(id, subject, subject_len); 72 *p++ = 'i';
70 id[subject_len + 0] = ':'; 73 *p++ = 'd';
71 id[subject_len + 1] = ' '; 74 *p++ = ':';
72 memcpy(id + subject_len + 2, key_id, key_id_len); 75 p = bin2hex(p, kid->data, kid->len);
73 id[subject_len + 2 + key_id_len] = 0; 76 *p = 0;
74 77
75 pr_debug("Look up: \"%s\"\n", id); 78 pr_debug("Look up: \"%s\"\n", id);
76 79
@@ -195,11 +198,10 @@ static int x509_validate_trust(struct x509_certificate *cert,
195 if (!trust_keyring) 198 if (!trust_keyring)
196 return -EOPNOTSUPP; 199 return -EOPNOTSUPP;
197 200
198 if (ca_keyid && !asymmetric_keyid_match(cert->authority, ca_keyid)) 201 if (ca_keyid && !asymmetric_key_id_same(cert->authority, ca_keyid))
199 return -EPERM; 202 return -EPERM;
200 203
201 key = x509_request_asymmetric_key(trust_keyring, 204 key = x509_request_asymmetric_key(trust_keyring, cert->authority);
202 cert->issuer, cert->authority);
203 if (!IS_ERR(key)) { 205 if (!IS_ERR(key)) {
204 if (!use_builtin_keys 206 if (!use_builtin_keys
205 || test_bit(KEY_FLAG_BUILTIN, &key->flags)) 207 || test_bit(KEY_FLAG_BUILTIN, &key->flags))
@@ -214,9 +216,11 @@ static int x509_validate_trust(struct x509_certificate *cert,
214 */ 216 */
215static int x509_key_preparse(struct key_preparsed_payload *prep) 217static int x509_key_preparse(struct key_preparsed_payload *prep)
216{ 218{
219 struct asymmetric_key_ids *kids;
217 struct x509_certificate *cert; 220 struct x509_certificate *cert;
221 const char *q;
218 size_t srlen, sulen; 222 size_t srlen, sulen;
219 char *desc = NULL; 223 char *desc = NULL, *p;
220 int ret; 224 int ret;
221 225
222 cert = x509_cert_parse(prep->data, prep->datalen); 226 cert = x509_cert_parse(prep->data, prep->datalen);
@@ -249,19 +253,12 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
249 pkey_algo_name[cert->sig.pkey_algo], 253 pkey_algo_name[cert->sig.pkey_algo],
250 hash_algo_name[cert->sig.pkey_hash_algo]); 254 hash_algo_name[cert->sig.pkey_hash_algo]);
251 255
252 if (!cert->fingerprint) {
253 pr_warn("Cert for '%s' must have a SubjKeyId extension\n",
254 cert->subject);
255 ret = -EKEYREJECTED;
256 goto error_free_cert;
257 }
258
259 cert->pub->algo = pkey_algo[cert->pub->pkey_algo]; 256 cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
260 cert->pub->id_type = PKEY_ID_X509; 257 cert->pub->id_type = PKEY_ID_X509;
261 258
262 /* Check the signature on the key if it appears to be self-signed */ 259 /* Check the signature on the key if it appears to be self-signed */
263 if (!cert->authority || 260 if (!cert->authority ||
264 strcmp(cert->fingerprint, cert->authority) == 0) { 261 asymmetric_key_id_same(cert->skid, cert->authority)) {
265 ret = x509_check_signature(cert->pub, cert); /* self-signed */ 262 ret = x509_check_signature(cert->pub, cert); /* self-signed */
266 if (ret < 0) 263 if (ret < 0)
267 goto error_free_cert; 264 goto error_free_cert;
@@ -273,31 +270,47 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
273 270
274 /* Propose a description */ 271 /* Propose a description */
275 sulen = strlen(cert->subject); 272 sulen = strlen(cert->subject);
276 srlen = strlen(cert->fingerprint); 273 srlen = cert->raw_serial_size;
274 q = cert->raw_serial;
275 if (srlen > 1 && *q == 0) {
276 srlen--;
277 q++;
278 }
279
277 ret = -ENOMEM; 280 ret = -ENOMEM;
278 desc = kmalloc(sulen + 2 + srlen + 1, GFP_KERNEL); 281 desc = kmalloc(sulen + 2 + srlen * 2 + 1, GFP_KERNEL);
279 if (!desc) 282 if (!desc)
280 goto error_free_cert; 283 goto error_free_cert;
281 memcpy(desc, cert->subject, sulen); 284 p = memcpy(desc, cert->subject, sulen);
282 desc[sulen] = ':'; 285 p += sulen;
283 desc[sulen + 1] = ' '; 286 *p++ = ':';
284 memcpy(desc + sulen + 2, cert->fingerprint, srlen); 287 *p++ = ' ';
285 desc[sulen + 2 + srlen] = 0; 288 p = bin2hex(p, q, srlen);
289 *p = 0;
290
291 kids = kmalloc(sizeof(struct asymmetric_key_ids), GFP_KERNEL);
292 if (!kids)
293 goto error_free_desc;
294 kids->id[0] = cert->id;
295 kids->id[1] = cert->skid;
286 296
287 /* We're pinning the module by being linked against it */ 297 /* We're pinning the module by being linked against it */
288 __module_get(public_key_subtype.owner); 298 __module_get(public_key_subtype.owner);
289 prep->type_data[0] = &public_key_subtype; 299 prep->type_data[0] = &public_key_subtype;
290 prep->type_data[1] = cert->fingerprint; 300 prep->type_data[1] = kids;
291 prep->payload[0] = cert->pub; 301 prep->payload[0] = cert->pub;
292 prep->description = desc; 302 prep->description = desc;
293 prep->quotalen = 100; 303 prep->quotalen = 100;
294 304
295 /* We've finished with the certificate */ 305 /* We've finished with the certificate */
296 cert->pub = NULL; 306 cert->pub = NULL;
297 cert->fingerprint = NULL; 307 cert->id = NULL;
308 cert->skid = NULL;
298 desc = NULL; 309 desc = NULL;
299 ret = 0; 310 ret = 0;
300 311
312error_free_desc:
313 kfree(desc);
301error_free_cert: 314error_free_cert:
302 x509_free_certificate(cert); 315 x509_free_certificate(cert);
303 return ret; 316 return ret;
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-02 13:48:45 -0500