Blame view
crypto/asymmetric_keys/pkcs7_verify.c
13 KB
b4d0d230c treewide: Replace... |
1 |
// SPDX-License-Identifier: GPL-2.0-or-later |
9f0d33146 PKCS#7: Digest th... |
2 3 4 5 |
/* Verify the signature on a PKCS#7 message. * * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. * Written by David Howells (dhowells@redhat.com) |
9f0d33146 PKCS#7: Digest th... |
6 7 8 9 10 11 12 13 14 |
*/ #define pr_fmt(fmt) "PKCS7: "fmt #include <linux/kernel.h> #include <linux/export.h> #include <linux/slab.h> #include <linux/err.h> #include <linux/asn1.h> #include <crypto/hash.h> |
e201af16d PKCS#7: Introduce... |
15 |
#include <crypto/hash_info.h> |
db6c43bd2 crypto: KEYS: con... |
16 |
#include <crypto/public_key.h> |
9f0d33146 PKCS#7: Digest th... |
17 18 19 20 21 22 23 24 |
#include "pkcs7_parser.h" /* * Digest the relevant parts of the PKCS#7 data */ static int pkcs7_digest(struct pkcs7_message *pkcs7, struct pkcs7_signed_info *sinfo) { |
566a117a8 PKCS#7: Make the ... |
25 |
struct public_key_signature *sig = sinfo->sig; |
9f0d33146 PKCS#7: Digest th... |
26 27 |
struct crypto_shash *tfm; struct shash_desc *desc; |
566a117a8 PKCS#7: Make the ... |
28 |
size_t desc_size; |
9f0d33146 PKCS#7: Digest th... |
29 |
int ret; |
566a117a8 PKCS#7: Make the ... |
30 |
kenter(",%u,%s", sinfo->index, sinfo->sig->hash_algo); |
9f0d33146 PKCS#7: Digest th... |
31 |
|
e201af16d PKCS#7: Introduce... |
32 33 34 |
/* The digest was calculated already. */ if (sig->digest) return 0; |
566a117a8 PKCS#7: Make the ... |
35 |
if (!sinfo->sig->hash_algo) |
9f0d33146 PKCS#7: Digest th... |
36 37 38 39 40 |
return -ENOPKG; /* Allocate the hashing algorithm we're going to need and find out how * big the hash operational data will be. */ |
566a117a8 PKCS#7: Make the ... |
41 |
tfm = crypto_alloc_shash(sinfo->sig->hash_algo, 0, 0); |
9f0d33146 PKCS#7: Digest th... |
42 43 44 45 |
if (IS_ERR(tfm)) return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm); desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); |
566a117a8 PKCS#7: Make the ... |
46 |
sig->digest_size = crypto_shash_digestsize(tfm); |
9f0d33146 PKCS#7: Digest th... |
47 48 |
ret = -ENOMEM; |
566a117a8 PKCS#7: Make the ... |
49 50 51 52 53 54 |
sig->digest = kmalloc(sig->digest_size, GFP_KERNEL); if (!sig->digest) goto error_no_desc; desc = kzalloc(desc_size, GFP_KERNEL); if (!desc) |
9f0d33146 PKCS#7: Digest th... |
55 |
goto error_no_desc; |
9f0d33146 PKCS#7: Digest th... |
56 |
desc->tfm = tfm; |
9f0d33146 PKCS#7: Digest th... |
57 58 |
/* Digest the message [RFC2315 9.3] */ |
a80745a6d pkcs7: use crypto... |
59 60 |
ret = crypto_shash_digest(desc, pkcs7->data, pkcs7->data_len, sig->digest); |
9f0d33146 PKCS#7: Digest th... |
61 62 |
if (ret < 0) goto error; |
566a117a8 PKCS#7: Make the ... |
63 64 |
pr_devel("MsgDigest = [%*ph] ", 8, sig->digest); |
9f0d33146 PKCS#7: Digest th... |
65 66 67 68 69 |
/* However, if there are authenticated attributes, there must be a * message digest attribute amongst them which corresponds to the * digest we just calculated. */ |
99db44350 PKCS#7: Appropria... |
70 |
if (sinfo->authattrs) { |
9f0d33146 PKCS#7: Digest th... |
71 |
u8 tag; |
99db44350 PKCS#7: Appropria... |
72 73 74 75 76 77 |
if (!sinfo->msgdigest) { pr_warn("Sig %u: No messageDigest ", sinfo->index); ret = -EKEYREJECTED; goto error; } |
566a117a8 PKCS#7: Make the ... |
78 |
if (sinfo->msgdigest_len != sig->digest_size) { |
9f0d33146 PKCS#7: Digest th... |
79 80 81 82 83 84 |
pr_debug("Sig %u: Invalid digest size (%u) ", sinfo->index, sinfo->msgdigest_len); ret = -EBADMSG; goto error; } |
566a117a8 PKCS#7: Make the ... |
85 86 |
if (memcmp(sig->digest, sinfo->msgdigest, sinfo->msgdigest_len) != 0) { |
9f0d33146 PKCS#7: Digest th... |
87 88 89 90 91 92 93 94 95 96 97 98 |
pr_debug("Sig %u: Message digest doesn't match ", sinfo->index); ret = -EKEYREJECTED; goto error; } /* We then calculate anew, using the authenticated attributes * as the contents of the digest instead. Note that we need to * convert the attributes from a CONT.0 into a SET before we * hash it. */ |
566a117a8 PKCS#7: Make the ... |
99 |
memset(sig->digest, 0, sig->digest_size); |
9f0d33146 PKCS#7: Digest th... |
100 101 102 103 104 105 106 107 108 |
ret = crypto_shash_init(desc); if (ret < 0) goto error; tag = ASN1_CONS_BIT | ASN1_SET; ret = crypto_shash_update(desc, &tag, 1); if (ret < 0) goto error; ret = crypto_shash_finup(desc, sinfo->authattrs, |
566a117a8 PKCS#7: Make the ... |
109 |
sinfo->authattrs_len, sig->digest); |
9f0d33146 PKCS#7: Digest th... |
110 111 |
if (ret < 0) goto error; |
566a117a8 PKCS#7: Make the ... |
112 113 |
pr_devel("AADigest = [%*ph] ", 8, sig->digest); |
9f0d33146 PKCS#7: Digest th... |
114 |
} |
9f0d33146 PKCS#7: Digest th... |
115 |
error: |
566a117a8 PKCS#7: Make the ... |
116 |
kfree(desc); |
9f0d33146 PKCS#7: Digest th... |
117 118 119 120 121 |
error_no_desc: crypto_free_shash(tfm); kleave(" = %d", ret); return ret; } |
e201af16d PKCS#7: Introduce... |
122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 |
int pkcs7_get_digest(struct pkcs7_message *pkcs7, const u8 **buf, u32 *len, enum hash_algo *hash_algo) { struct pkcs7_signed_info *sinfo = pkcs7->signed_infos; int i, ret; /* * This function doesn't support messages with more than one signature. */ if (sinfo == NULL || sinfo->next != NULL) return -EBADMSG; ret = pkcs7_digest(pkcs7, sinfo); if (ret) return ret; *buf = sinfo->sig->digest; *len = sinfo->sig->digest_size; |
3c0940c4f crypto: pkcs7: Us... |
140 141 142 143 |
i = match_string(hash_algo_name, HASH_ALGO__LAST, sinfo->sig->hash_algo); if (i >= 0) *hash_algo = i; |
e201af16d PKCS#7: Introduce... |
144 145 146 |
return 0; } |
9f0d33146 PKCS#7: Digest th... |
147 |
/* |
a4730357e PKCS#7: Find the ... |
148 149 150 151 152 153 154 155 156 157 |
* Find the key (X.509 certificate) to use to verify a PKCS#7 message. PKCS#7 * uses the issuer's name and the issuing certificate serial number for * matching purposes. These must match the certificate issuer's name (not * subject's name) and the certificate serial number [RFC 2315 6.7]. */ static int pkcs7_find_key(struct pkcs7_message *pkcs7, struct pkcs7_signed_info *sinfo) { struct x509_certificate *x509; unsigned certix = 1; |
46963b774 KEYS: Overhaul ke... |
158 |
kenter("%u", sinfo->index); |
a4730357e PKCS#7: Find the ... |
159 160 161 162 163 164 165 |
for (x509 = pkcs7->certs; x509; x509 = x509->next, certix++) { /* I'm _assuming_ that the generator of the PKCS#7 message will * encode the fields from the X.509 cert in the same way in the * PKCS#7 message - but I can't be 100% sure of that. It's * possible this will need element-by-element comparison. */ |
566a117a8 PKCS#7: Make the ... |
166 |
if (!asymmetric_key_id_same(x509->id, sinfo->sig->auth_ids[0])) |
a4730357e PKCS#7: Find the ... |
167 168 169 170 |
continue; pr_devel("Sig %u: Found cert serial match X.509[%u] ", sinfo->index, certix); |
a4730357e PKCS#7: Find the ... |
171 172 173 |
sinfo->signer = x509; return 0; } |
46963b774 KEYS: Overhaul ke... |
174 |
|
757932e6d PKCS#7: Handle PK... |
175 176 177 178 179 180 |
/* The relevant X.509 cert isn't found here, but it might be found in * the trust keyring. */ pr_debug("Sig %u: Issuing X.509 cert not found (#%*phN) ", sinfo->index, |
566a117a8 PKCS#7: Make the ... |
181 |
sinfo->sig->auth_ids[0]->len, sinfo->sig->auth_ids[0]->data); |
757932e6d PKCS#7: Handle PK... |
182 |
return 0; |
a4730357e PKCS#7: Find the ... |
183 |
} |
9f0d33146 PKCS#7: Digest th... |
184 |
/* |
8c76d7939 PKCS#7: Verify in... |
185 186 187 188 189 |
* Verify the internal certificate chain as best we can. */ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, struct pkcs7_signed_info *sinfo) { |
77d0910d1 X.509: Retain the... |
190 |
struct public_key_signature *sig; |
8c76d7939 PKCS#7: Verify in... |
191 |
struct x509_certificate *x509 = sinfo->signer, *p; |
4573b64a3 X.509: Support X.... |
192 |
struct asymmetric_key_id *auth; |
8c76d7939 PKCS#7: Verify in... |
193 194 195 196 197 198 199 200 |
int ret; kenter(""); for (p = pkcs7->certs; p; p = p->next) p->seen = false; for (;;) { |
46963b774 KEYS: Overhaul ke... |
201 202 203 204 |
pr_debug("verify %s: %*phN ", x509->subject, x509->raw_serial_size, x509->raw_serial); |
8c76d7939 PKCS#7: Verify in... |
205 |
x509->seen = true; |
03bb79315 PKCS#7: Handle bl... |
206 207 208 209 210 211 212 213 214 215 216 217 |
if (x509->blacklisted) { /* If this cert is blacklisted, then mark everything * that depends on this as blacklisted too. */ sinfo->blacklisted = true; for (p = sinfo->signer; p != x509; p = p->signer) p->blacklisted = true; pr_debug("- blacklisted "); return 0; } |
6c2dc5ae4 X.509: Extract si... |
218 219 |
if (x509->unsupported_key) goto unsupported_crypto_in_x509; |
8c76d7939 PKCS#7: Verify in... |
220 |
|
412eccbad PKCS#7: X.509 cer... |
221 222 |
pr_debug("- issuer %s ", x509->issuer); |
77d0910d1 X.509: Retain the... |
223 224 |
sig = x509->sig; if (sig->auth_ids[0]) |
4573b64a3 X.509: Support X.... |
225 226 |
pr_debug("- authkeyid.id %*phN ", |
77d0910d1 X.509: Retain the... |
227 228 |
sig->auth_ids[0]->len, sig->auth_ids[0]->data); if (sig->auth_ids[1]) |
4573b64a3 X.509: Support X.... |
229 230 |
pr_debug("- authkeyid.skid %*phN ", |
77d0910d1 X.509: Retain the... |
231 |
sig->auth_ids[1]->len, sig->auth_ids[1]->data); |
8c76d7939 PKCS#7: Verify in... |
232 |
|
6c2dc5ae4 X.509: Extract si... |
233 |
if (x509->self_signed) { |
8c76d7939 PKCS#7: Verify in... |
234 235 236 237 238 |
/* If there's no authority certificate specified, then * the certificate must be self-signed and is the root * of the chain. Likewise if the cert is its own * authority. */ |
6c2dc5ae4 X.509: Extract si... |
239 240 |
if (x509->unsupported_sig) goto unsupported_crypto_in_x509; |
8c76d7939 PKCS#7: Verify in... |
241 242 243 244 245 246 247 248 249 |
x509->signer = x509; pr_debug("- self-signed "); return 0; } /* Look through the X.509 certificates in the PKCS#7 message's * list to see if the next one is there. */ |
77d0910d1 X.509: Retain the... |
250 |
auth = sig->auth_ids[0]; |
4573b64a3 X.509: Support X.... |
251 252 253 254 255 256 257 258 259 260 |
if (auth) { pr_debug("- want %*phN ", auth->len, auth->data); for (p = pkcs7->certs; p; p = p->next) { pr_debug("- cmp [%u] %*phN ", p->index, p->id->len, p->id->data); if (asymmetric_key_id_same(p->id, auth)) goto found_issuer_check_skid; } |
a46e66788 PKCS#7: Fix panic... |
261 |
} else if (sig->auth_ids[1]) { |
77d0910d1 X.509: Retain the... |
262 |
auth = sig->auth_ids[1]; |
4573b64a3 X.509: Support X.... |
263 264 265 266 267 268 269 270 271 272 273 |
pr_debug("- want %*phN ", auth->len, auth->data); for (p = pkcs7->certs; p; p = p->next) { if (!p->skid) continue; pr_debug("- cmp [%u] %*phN ", p->index, p->skid->len, p->skid->data); if (asymmetric_key_id_same(p->skid, auth)) goto found_issuer; } |
8c76d7939 PKCS#7: Verify in... |
274 275 276 277 278 279 |
} /* We didn't find the root of this chain */ pr_debug("- top "); return 0; |
4573b64a3 X.509: Support X.... |
280 281 282 283 |
found_issuer_check_skid: /* We matched issuer + serialNumber, but if there's an * authKeyId.keyId, that must match the CA subjKeyId also. */ |
77d0910d1 X.509: Retain the... |
284 285 |
if (sig->auth_ids[1] && !asymmetric_key_id_same(p->skid, sig->auth_ids[1])) { |
4573b64a3 X.509: Support X.... |
286 287 288 289 290 |
pr_warn("Sig %u: X.509 chain contains auth-skid nonmatch (%u->%u) ", sinfo->index, x509->index, p->index); return -EKEYREJECTED; } |
8c76d7939 PKCS#7: Verify in... |
291 |
found_issuer: |
46963b774 KEYS: Overhaul ke... |
292 293 |
pr_debug("- subject %s ", p->subject); |
8c76d7939 PKCS#7: Verify in... |
294 295 296 297 298 299 |
if (p->seen) { pr_warn("Sig %u: X.509 chain contains loop ", sinfo->index); return 0; } |
971b42c03 PKCS#7: fix certi... |
300 |
ret = public_key_verify_signature(p->pub, x509->sig); |
8c76d7939 PKCS#7: Verify in... |
301 302 303 304 305 306 307 308 309 310 311 |
if (ret < 0) return ret; x509->signer = p; if (x509 == p) { pr_debug("- self-signed "); return 0; } x509 = p; might_sleep(); } |
415594200 PKCS#7: Better ha... |
312 |
|
6c2dc5ae4 X.509: Extract si... |
313 |
unsupported_crypto_in_x509: |
415594200 PKCS#7: Better ha... |
314 315 |
/* Just prune the certificate chain at this point if we lack some * crypto module to go further. Note, however, we don't want to set |
6c2dc5ae4 X.509: Extract si... |
316 |
* sinfo->unsupported_crypto as the signed info block may still be |
415594200 PKCS#7: Better ha... |
317 318 319 |
* validatable against an X.509 cert lower in the chain that we have a * trusted copy of. */ |
6c2dc5ae4 X.509: Extract si... |
320 |
return 0; |
8c76d7939 PKCS#7: Verify in... |
321 322 323 |
} /* |
9f0d33146 PKCS#7: Digest th... |
324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 |
* Verify one signed information block from a PKCS#7 message. */ static int pkcs7_verify_one(struct pkcs7_message *pkcs7, struct pkcs7_signed_info *sinfo) { int ret; kenter(",%u", sinfo->index); /* First of all, digest the data in the PKCS#7 message and the * signed information block */ ret = pkcs7_digest(pkcs7, sinfo); if (ret < 0) return ret; |
757932e6d PKCS#7: Handle PK... |
339 |
/* Find the key for the signature if there is one */ |
a4730357e PKCS#7: Find the ... |
340 341 342 |
ret = pkcs7_find_key(pkcs7, sinfo); if (ret < 0) return ret; |
757932e6d PKCS#7: Handle PK... |
343 344 |
if (!sinfo->signer) return 0; |
a4730357e PKCS#7: Find the ... |
345 346 347 |
pr_devel("Using X.509[%u] for sig %u ", sinfo->signer->index, sinfo->index); |
99db44350 PKCS#7: Appropria... |
348 349 350 351 352 353 354 355 356 357 358 359 |
/* Check that the PKCS#7 signing time is valid according to the X.509 * certificate. We can't, however, check against the system clock * since that may not have been set yet and may be wrong. */ if (test_bit(sinfo_has_signing_time, &sinfo->aa_set)) { if (sinfo->signing_time < sinfo->signer->valid_from || sinfo->signing_time > sinfo->signer->valid_to) { pr_warn("Message signed outside of X.509 validity window "); return -EKEYREJECTED; } } |
a4730357e PKCS#7: Find the ... |
360 |
/* Verify the PKCS#7 binary against the key */ |
566a117a8 PKCS#7: Make the ... |
361 |
ret = public_key_verify_signature(sinfo->signer->pub, sinfo->sig); |
a4730357e PKCS#7: Find the ... |
362 363 364 365 366 |
if (ret < 0) return ret; pr_devel("Verified signature %u ", sinfo->index); |
8c76d7939 PKCS#7: Verify in... |
367 368 |
/* Verify the internal certificate chain */ return pkcs7_verify_sig_chain(pkcs7, sinfo); |
9f0d33146 PKCS#7: Digest th... |
369 370 371 372 373 |
} /** * pkcs7_verify - Verify a PKCS#7 message * @pkcs7: The PKCS#7 message to be verified |
99db44350 PKCS#7: Appropria... |
374 |
* @usage: The use to which the key is being put |
415594200 PKCS#7: Better ha... |
375 376 377 378 379 380 381 382 383 384 385 |
* * Verify a PKCS#7 message is internally consistent - that is, the data digest * matches the digest in the AuthAttrs and any signature in the message or one * of the X.509 certificates it carries that matches another X.509 cert in the * message can be verified. * * This does not look to match the contents of the PKCS#7 message against any * external public keys. * * Returns, in order of descending priority: * |
99db44350 PKCS#7: Appropria... |
386 387 388 |
* (*) -EKEYREJECTED if a key was selected that had a usage restriction at * odds with the specified usage, or: * |
415594200 PKCS#7: Better ha... |
389 390 391 392 393 |
* (*) -EKEYREJECTED if a signature failed to match for which we found an * appropriate X.509 certificate, or: * * (*) -EBADMSG if some part of the message was invalid, or: * |
29f4a67c1 PKCS#7: fix certi... |
394 |
* (*) 0 if a signature chain passed verification, or: |
415594200 PKCS#7: Better ha... |
395 |
* |
03bb79315 PKCS#7: Handle bl... |
396 397 398 399 |
* (*) -EKEYREJECTED if a blacklisted key was encountered, or: * * (*) -ENOPKG if none of the signature chains are verifiable because suitable * crypto modules couldn't be found. |
9f0d33146 PKCS#7: Digest th... |
400 |
*/ |
99db44350 PKCS#7: Appropria... |
401 402 |
int pkcs7_verify(struct pkcs7_message *pkcs7, enum key_being_used_for usage) |
9f0d33146 PKCS#7: Digest th... |
403 404 |
{ struct pkcs7_signed_info *sinfo; |
03bb79315 PKCS#7: Handle bl... |
405 |
int actual_ret = -ENOPKG; |
6c2dc5ae4 X.509: Extract si... |
406 |
int ret; |
9f0d33146 PKCS#7: Digest th... |
407 408 |
kenter(""); |
99db44350 PKCS#7: Appropria... |
409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 |
switch (usage) { case VERIFYING_MODULE_SIGNATURE: if (pkcs7->data_type != OID_data) { pr_warn("Invalid module sig (not pkcs7-data) "); return -EKEYREJECTED; } if (pkcs7->have_authattrs) { pr_warn("Invalid module sig (has authattrs) "); return -EKEYREJECTED; } break; case VERIFYING_FIRMWARE_SIGNATURE: if (pkcs7->data_type != OID_data) { pr_warn("Invalid firmware sig (not pkcs7-data) "); return -EKEYREJECTED; } if (!pkcs7->have_authattrs) { pr_warn("Invalid firmware sig (missing authattrs) "); return -EKEYREJECTED; } break; case VERIFYING_KEXEC_PE_SIGNATURE: if (pkcs7->data_type != OID_msIndirectData) { pr_warn("Invalid kexec sig (not Authenticode) "); return -EKEYREJECTED; } /* Authattr presence checked in parser */ break; case VERIFYING_UNSPECIFIED_SIGNATURE: if (pkcs7->data_type != OID_data) { pr_warn("Invalid unspecified sig (not pkcs7-data) "); return -EKEYREJECTED; } break; default: return -EINVAL; } |
9f0d33146 PKCS#7: Digest th... |
452 453 |
for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { ret = pkcs7_verify_one(pkcs7, sinfo); |
29f4a67c1 PKCS#7: fix certi... |
454 455 456 457 458 |
if (sinfo->blacklisted) { if (actual_ret == -ENOPKG) actual_ret = -EKEYREJECTED; continue; } |
9f0d33146 PKCS#7: Digest th... |
459 |
if (ret < 0) { |
415594200 PKCS#7: Better ha... |
460 461 462 463 |
if (ret == -ENOPKG) { sinfo->unsupported_crypto = true; continue; } |
9f0d33146 PKCS#7: Digest th... |
464 465 466 |
kleave(" = %d", ret); return ret; } |
03bb79315 PKCS#7: Handle bl... |
467 |
actual_ret = 0; |
9f0d33146 PKCS#7: Digest th... |
468 |
} |
03bb79315 PKCS#7: Handle bl... |
469 470 |
kleave(" = %d", actual_ret); return actual_ret; |
9f0d33146 PKCS#7: Digest th... |
471 472 |
} EXPORT_SYMBOL_GPL(pkcs7_verify); |
4ebdb76f7 PKCS#7: Allow det... |
473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 |
/** * pkcs7_supply_detached_data - Supply the data needed to verify a PKCS#7 message * @pkcs7: The PKCS#7 message * @data: The data to be verified * @datalen: The amount of data * * Supply the detached data needed to verify a PKCS#7 message. Note that no * attempt to retain/pin the data is made. That is left to the caller. The * data will not be modified by pkcs7_verify() and will not be freed when the * PKCS#7 message is freed. * * Returns -EINVAL if data is already supplied in the message, 0 otherwise. */ int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7, const void *data, size_t datalen) { if (pkcs7->data) { pr_debug("Data already supplied "); return -EINVAL; } pkcs7->data = data; pkcs7->data_len = datalen; return 0; } |