Commit 46963b77 authored by David Howells's avatar David Howells

KEYS: Overhaul key identification when searching for asymmetric keys

Make use of the new match string preparsing to overhaul key identification
when searching for asymmetric keys.  The following changes are made:

 (1) Use the previously created asymmetric_key_id struct to hold the following
     key IDs derived from the X.509 certificate or PKCS#7 message:

	id: serial number + issuer
	skid: subjKeyId + subject
	authority: authKeyId + issuer

 (2) Replace the hex fingerprint attached to key->type_data[1] with an
     asymmetric_key_ids struct containing the id and the skid (if present).

 (3) Make the asymmetric_type match data preparse select one of two searches:

     (a) An iterative search for the key ID given if prefixed with "id:".  The
     	 prefix is expected to be followed by a hex string giving the ID to
     	 search for.  The criterion key ID is checked against all key IDs
     	 recorded on the key.

     (b) A direct search if the key ID is not prefixed with "id:".  This will
     	 look for an exact match on the key description.

 (4) Make x509_request_asymmetric_key() take a key ID.  This is then converted
     into "id:<hex>" and passed into keyring_search() where match preparsing
     will turn it back into a binary ID.

 (5) X.509 certificate verification then takes the authority key ID and looks
     up a key that matches it to find the public key for the certificate
     signature.

 (6) PKCS#7 certificate verification then takes the id key ID and looks up a
     key that matches it to find the public key for the signed information
     block signature.

Additional changes:

 (1) Multiple subjKeyId and authKeyId values on an X.509 certificate cause the
     cert to be rejected with -EBADMSG.

 (2) The 'fingerprint' ID is gone.  This was primarily intended to convey PGP
     public key fingerprints.  If PGP is supported in future, this should
     generate a key ID that carries the fingerprint.

 (3) Th ca_keyid= kernel command line option is now converted to a key ID and
     used to match the authority key ID.  Possibly this should only match the
     actual authKeyId part and not the issuer as well.
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Acked-by: default avatarVivek Goyal <vgoyal@redhat.com>
parent 7901c1a8
...@@ -9,13 +9,13 @@ ...@@ -9,13 +9,13 @@
* 2 of the Licence, or (at your option) any later version. * 2 of the Licence, or (at your option) any later version.
*/ */
int asymmetric_keyid_match(const char *kid, const char *id);
extern bool asymmetric_match_key_ids(const struct asymmetric_key_ids *kids, extern bool asymmetric_match_key_ids(const struct asymmetric_key_ids *kids,
const struct asymmetric_key_id *match_id); const struct asymmetric_key_id *match_id);
extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id); extern struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id);
static inline const char *asymmetric_key_id(const struct key *key) static inline
const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key)
{ {
return key->type_data.p[1]; return key->type_data.p[1];
} }
...@@ -112,76 +112,15 @@ struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id) ...@@ -112,76 +112,15 @@ struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id)
} }
/* /*
* Match asymmetric key id with partial match * Match asymmetric keys by ID.
* @id: key id to match in a form "id:<id>"
*/
int asymmetric_keyid_match(const char *kid, const char *id)
{
size_t idlen, kidlen;
if (!kid || !id)
return 0;
/* make it possible to use id as in the request: "id:<id>" */
if (strncmp(id, "id:", 3) == 0)
id += 3;
/* Anything after here requires a partial match on the ID string */
idlen = strlen(id);
kidlen = strlen(kid);
if (idlen > kidlen)
return 0;
kid += kidlen - idlen;
if (strcasecmp(id, kid) != 0)
return 0;
return 1;
}
EXPORT_SYMBOL_GPL(asymmetric_keyid_match);
/*
* Match asymmetric keys on (part of) their name
* We have some shorthand methods for matching keys. We allow:
*
* "<desc>" - request a key by description
* "id:<id>" - request a key matching the ID
* "<subtype>:<id>" - request a key of a subtype
*/ */
static bool asymmetric_key_cmp(const struct key *key, static bool asymmetric_key_cmp(const struct key *key,
const struct key_match_data *match_data) const struct key_match_data *match_data)
{ {
const struct asymmetric_key_subtype *subtype = asymmetric_key_subtype(key); const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
const char *description = match_data->raw_data; const struct asymmetric_key_id *match_id = match_data->preparsed;
const char *spec = description;
const char *id;
ptrdiff_t speclen;
if (!subtype || !spec || !*spec)
return 0;
/* See if the full key description matches as is */
if (key->description && strcmp(key->description, description) == 0)
return 1;
/* All tests from here on break the criterion description into a
* specifier, a colon and then an identifier.
*/
id = strchr(spec, ':');
if (!id)
return 0;
speclen = id - spec;
id++;
if (speclen == 2 && memcmp(spec, "id", 2) == 0)
return asymmetric_keyid_match(asymmetric_key_id(key), id);
if (speclen == subtype->name_len && return asymmetric_match_key_ids(kids, match_id);
memcmp(spec, subtype->name, speclen) == 0)
return 1;
return 0;
} }
/* /*
...@@ -198,8 +137,30 @@ static bool asymmetric_key_cmp(const struct key *key, ...@@ -198,8 +137,30 @@ static bool asymmetric_key_cmp(const struct key *key,
*/ */
static int asymmetric_key_match_preparse(struct key_match_data *match_data) static int asymmetric_key_match_preparse(struct key_match_data *match_data)
{ {
match_data->lookup_type = KEYRING_SEARCH_LOOKUP_ITERATE; struct asymmetric_key_id *match_id;
const char *spec = match_data->raw_data;
const char *id;
if (!spec || !*spec)
return -EINVAL;
if (spec[0] == 'i' &&
spec[1] == 'd' &&
spec[2] == ':') {
id = spec + 3;
} else {
goto default_match;
}
match_id = asymmetric_key_hex_to_key_id(id);
if (!match_id)
return -ENOMEM;
match_data->preparsed = match_id;
match_data->cmp = asymmetric_key_cmp; match_data->cmp = asymmetric_key_cmp;
match_data->lookup_type = KEYRING_SEARCH_LOOKUP_ITERATE;
return 0;
default_match:
return 0; return 0;
} }
...@@ -208,6 +169,7 @@ static int asymmetric_key_match_preparse(struct key_match_data *match_data) ...@@ -208,6 +169,7 @@ static int asymmetric_key_match_preparse(struct key_match_data *match_data)
*/ */
static void asymmetric_key_match_free(struct key_match_data *match_data) static void asymmetric_key_match_free(struct key_match_data *match_data)
{ {
kfree(match_data->preparsed);
} }
/* /*
...@@ -216,8 +178,10 @@ static void asymmetric_key_match_free(struct key_match_data *match_data) ...@@ -216,8 +178,10 @@ static void asymmetric_key_match_free(struct key_match_data *match_data)
static void asymmetric_key_describe(const struct key *key, struct seq_file *m) static void asymmetric_key_describe(const struct key *key, struct seq_file *m)
{ {
const struct asymmetric_key_subtype *subtype = asymmetric_key_subtype(key); const struct asymmetric_key_subtype *subtype = asymmetric_key_subtype(key);
const char *kid = asymmetric_key_id(key); const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
size_t n; const struct asymmetric_key_id *kid;
const unsigned char *p;
int n;
seq_puts(m, key->description); seq_puts(m, key->description);
...@@ -225,13 +189,16 @@ static void asymmetric_key_describe(const struct key *key, struct seq_file *m) ...@@ -225,13 +189,16 @@ static void asymmetric_key_describe(const struct key *key, struct seq_file *m)
seq_puts(m, ": "); seq_puts(m, ": ");
subtype->describe(key, m); subtype->describe(key, m);
if (kid) { if (kids && kids->id[0]) {
kid = kids->id[0];
seq_putc(m, ' '); seq_putc(m, ' ');
n = strlen(kid); n = kid->len;
if (n <= 8) p = kid->data;
seq_puts(m, kid); if (n > 8) {
else p += n - 8;
seq_puts(m, kid + n - 8); n = 8;
}
seq_printf(m, "%*phN", n, p);
} }
seq_puts(m, " ["); seq_puts(m, " [");
...@@ -282,6 +249,7 @@ static int asymmetric_key_preparse(struct key_preparsed_payload *prep) ...@@ -282,6 +249,7 @@ static int asymmetric_key_preparse(struct key_preparsed_payload *prep)
static void asymmetric_key_free_preparse(struct key_preparsed_payload *prep) static void asymmetric_key_free_preparse(struct key_preparsed_payload *prep)
{ {
struct asymmetric_key_subtype *subtype = prep->type_data[0]; struct asymmetric_key_subtype *subtype = prep->type_data[0];
struct asymmetric_key_ids *kids = prep->type_data[1];
pr_devel("==>%s()\n", __func__); pr_devel("==>%s()\n", __func__);
...@@ -289,7 +257,11 @@ static void asymmetric_key_free_preparse(struct key_preparsed_payload *prep) ...@@ -289,7 +257,11 @@ static void asymmetric_key_free_preparse(struct key_preparsed_payload *prep)
subtype->destroy(prep->payload[0]); subtype->destroy(prep->payload[0]);
module_put(subtype->owner); module_put(subtype->owner);
} }
kfree(prep->type_data[1]); if (kids) {
kfree(kids->id[0]);
kfree(kids->id[1]);
kfree(kids);
}
kfree(prep->description); kfree(prep->description);
} }
...@@ -299,13 +271,20 @@ static void asymmetric_key_free_preparse(struct key_preparsed_payload *prep) ...@@ -299,13 +271,20 @@ static void asymmetric_key_free_preparse(struct key_preparsed_payload *prep)
static void asymmetric_key_destroy(struct key *key) static void asymmetric_key_destroy(struct key *key)
{ {
struct asymmetric_key_subtype *subtype = asymmetric_key_subtype(key); struct asymmetric_key_subtype *subtype = asymmetric_key_subtype(key);
struct asymmetric_key_ids *kids = key->type_data.p[1];
if (subtype) { if (subtype) {
subtype->destroy(key->payload.data); subtype->destroy(key->payload.data);
module_put(subtype->owner); module_put(subtype->owner);
key->type_data.p[0] = NULL; key->type_data.p[0] = NULL;
} }
kfree(key->type_data.p[1]);
key->type_data.p[1] = NULL; if (kids) {
kfree(kids->id[0]);
kfree(kids->id[1]);
kfree(kids);
key->type_data.p[1] = NULL;
}
} }
struct key_type key_type_asymmetric = { struct key_type key_type_asymmetric = {
......
...@@ -29,6 +29,10 @@ struct pkcs7_parse_context { ...@@ -29,6 +29,10 @@ struct pkcs7_parse_context {
enum OID last_oid; /* Last OID encountered */ enum OID last_oid; /* Last OID encountered */
unsigned x509_index; unsigned x509_index;
unsigned sinfo_index; unsigned sinfo_index;
const void *raw_serial;
unsigned raw_serial_size;
unsigned raw_issuer_size;
const void *raw_issuer;
}; };
/* /*
...@@ -39,6 +43,7 @@ static void pkcs7_free_signed_info(struct pkcs7_signed_info *sinfo) ...@@ -39,6 +43,7 @@ static void pkcs7_free_signed_info(struct pkcs7_signed_info *sinfo)
if (sinfo) { if (sinfo) {
mpi_free(sinfo->sig.mpi[0]); mpi_free(sinfo->sig.mpi[0]);
kfree(sinfo->sig.digest); kfree(sinfo->sig.digest);
kfree(sinfo->signing_cert_id);
kfree(sinfo); kfree(sinfo);
} }
} }
...@@ -251,10 +256,10 @@ int pkcs7_extract_cert(void *context, size_t hdrlen, ...@@ -251,10 +256,10 @@ int pkcs7_extract_cert(void *context, size_t hdrlen,
if (IS_ERR(x509)) if (IS_ERR(x509))
return PTR_ERR(x509); return PTR_ERR(x509);
pr_debug("Got cert for %s\n", x509->subject);
pr_debug("- fingerprint %s\n", x509->fingerprint);
x509->index = ++ctx->x509_index; x509->index = ++ctx->x509_index;
pr_debug("Got cert %u for %s\n", x509->index, x509->subject);
pr_debug("- fingerprint %*phN\n", x509->id->len, x509->id->data);
*ctx->ppcerts = x509; *ctx->ppcerts = x509;
ctx->ppcerts = &x509->next; ctx->ppcerts = &x509->next;
return 0; return 0;
...@@ -343,8 +348,8 @@ int pkcs7_sig_note_serial(void *context, size_t hdrlen, ...@@ -343,8 +348,8 @@ int pkcs7_sig_note_serial(void *context, size_t hdrlen,
const void *value, size_t vlen) const void *value, size_t vlen)
{ {
struct pkcs7_parse_context *ctx = context; struct pkcs7_parse_context *ctx = context;
ctx->sinfo->raw_serial = value; ctx->raw_serial = value;
ctx->sinfo->raw_serial_size = vlen; ctx->raw_serial_size = vlen;
return 0; return 0;
} }
...@@ -356,8 +361,8 @@ int pkcs7_sig_note_issuer(void *context, size_t hdrlen, ...@@ -356,8 +361,8 @@ int pkcs7_sig_note_issuer(void *context, size_t hdrlen,
const void *value, size_t vlen) const void *value, size_t vlen)
{ {
struct pkcs7_parse_context *ctx = context; struct pkcs7_parse_context *ctx = context;
ctx->sinfo->raw_issuer = value; ctx->raw_issuer = value;
ctx->sinfo->raw_issuer_size = vlen; ctx->raw_issuer_size = vlen;
return 0; return 0;
} }
...@@ -390,10 +395,21 @@ int pkcs7_note_signed_info(void *context, size_t hdrlen, ...@@ -390,10 +395,21 @@ int pkcs7_note_signed_info(void *context, size_t hdrlen,
const void *value, size_t vlen) const void *value, size_t vlen)
{ {
struct pkcs7_parse_context *ctx = context; struct pkcs7_parse_context *ctx = context;
struct pkcs7_signed_info *sinfo = ctx->sinfo;
ctx->sinfo->index = ++ctx->sinfo_index; struct asymmetric_key_id *kid;
*ctx->ppsinfo = ctx->sinfo;
ctx->ppsinfo = &ctx->sinfo->next; /* Generate cert issuer + serial number key ID */
kid = asymmetric_key_generate_id(ctx->raw_serial,
ctx->raw_serial_size,
ctx->raw_issuer,
ctx->raw_issuer_size);
if (IS_ERR(kid))
return PTR_ERR(kid);
sinfo->signing_cert_id = kid;
sinfo->index = ++ctx->sinfo_index;
*ctx->ppsinfo = sinfo;
ctx->ppsinfo = &sinfo->next;
ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL); ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL);
if (!ctx->sinfo) if (!ctx->sinfo)
return -ENOMEM; return -ENOMEM;
......
...@@ -33,10 +33,7 @@ struct pkcs7_signed_info { ...@@ -33,10 +33,7 @@ struct pkcs7_signed_info {
const void *authattrs; const void *authattrs;
/* Issuing cert serial number and issuer's name */ /* Issuing cert serial number and issuer's name */
const void *raw_serial; struct asymmetric_key_id *signing_cert_id;
unsigned raw_serial_size;
unsigned raw_issuer_size;
const void *raw_issuer;
/* Message signature. /* Message signature.
* *
......
...@@ -49,8 +49,7 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, ...@@ -49,8 +49,7 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
/* Look to see if this certificate is present in the trusted /* Look to see if this certificate is present in the trusted
* keys. * keys.
*/ */
key = x509_request_asymmetric_key(trust_keyring, x509->subject, key = x509_request_asymmetric_key(trust_keyring, x509->id);
x509->fingerprint);
if (!IS_ERR(key)) if (!IS_ERR(key))
/* One of the X.509 certificates in the PKCS#7 message /* One of the X.509 certificates in the PKCS#7 message
* is apparently the same as one we already trust. * is apparently the same as one we already trust.
...@@ -82,8 +81,7 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, ...@@ -82,8 +81,7 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
return -ENOKEY; return -ENOKEY;
} }
key = x509_request_asymmetric_key(trust_keyring, last->issuer, key = x509_request_asymmetric_key(trust_keyring, last->authority);
last->authority);
if (IS_ERR(key)) if (IS_ERR(key))
return PTR_ERR(key) == -ENOMEM ? -ENOMEM : -ENOKEY; return PTR_ERR(key) == -ENOMEM ? -ENOMEM : -ENOKEY;
x509 = last; x509 = last;
......
...@@ -131,8 +131,7 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7, ...@@ -131,8 +131,7 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7,
struct x509_certificate *x509; struct x509_certificate *x509;
unsigned certix = 1; unsigned certix = 1;
kenter("%u,%u,%u", kenter("%u", sinfo->index);
sinfo->index, sinfo->raw_serial_size, sinfo->raw_issuer_size);
for (x509 = pkcs7->certs; x509; x509 = x509->next, certix++) { for (x509 = pkcs7->certs; x509; x509 = x509->next, certix++) {
/* I'm _assuming_ that the generator of the PKCS#7 message will /* I'm _assuming_ that the generator of the PKCS#7 message will
...@@ -140,21 +139,11 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7, ...@@ -140,21 +139,11 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7,
* PKCS#7 message - but I can't be 100% sure of that. It's * PKCS#7 message - but I can't be 100% sure of that. It's
* possible this will need element-by-element comparison. * possible this will need element-by-element comparison.
*/ */
if (x509->raw_serial_size != sinfo->raw_serial_size || if (!asymmetric_key_id_same(x509->id, sinfo->signing_cert_id))
memcmp(x509->raw_serial, sinfo->raw_serial,
sinfo->raw_serial_size) != 0)
continue; continue;
pr_devel("Sig %u: Found cert serial match X.509[%u]\n", pr_devel("Sig %u: Found cert serial match X.509[%u]\n",
sinfo->index, certix); sinfo->index, certix);
if (x509->raw_issuer_size != sinfo->raw_issuer_size ||
memcmp(x509->raw_issuer, sinfo->raw_issuer,
sinfo->raw_issuer_size) != 0) {
pr_warn("Sig %u: X.509 subject and PKCS#7 issuer don't match\n",
sinfo->index);
continue;
}
if (x509->pub->pkey_algo != sinfo->sig.pkey_algo) { if (x509->pub->pkey_algo != sinfo->sig.pkey_algo) {
pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n", pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n",
sinfo->index); sinfo->index);
...@@ -164,8 +153,10 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7, ...@@ -164,8 +153,10 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7,
sinfo->signer = x509; sinfo->signer = x509;
return 0; return 0;
} }
pr_warn("Sig %u: Issuing X.509 cert not found (#%*ph)\n", pr_warn("Sig %u: Issuing X.509 cert not found (#%*ph)\n",
sinfo->index, sinfo->raw_serial_size, sinfo->raw_serial); sinfo->index,
sinfo->signing_cert_id->len, sinfo->signing_cert_id->data);
return -ENOKEY; return -ENOKEY;
} }
...@@ -184,7 +175,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, ...@@ -184,7 +175,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
p->seen = false; p->seen = false;
for (;;) { for (;;) {
pr_debug("verify %s: %s\n", x509->subject, x509->fingerprint); pr_debug("verify %s: %*phN\n",
x509->subject,
x509->raw_serial_size, x509->raw_serial);
x509->seen = true; x509->seen = true;
ret = x509_get_sig_params(x509); ret = x509_get_sig_params(x509);
if (ret < 0) if (ret < 0)
...@@ -192,7 +185,8 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, ...@@ -192,7 +185,8 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
pr_debug("- issuer %s\n", x509->issuer); pr_debug("- issuer %s\n", x509->issuer);
if (x509->authority) if (x509->authority)
pr_debug("- authkeyid %s\n", x509->authority); pr_debug("- authkeyid %*phN\n",
x509->authority->len, x509->authority->data);
if (!x509->authority || if (!x509->authority ||
strcmp(x509->subject, x509->issuer) == 0) { strcmp(x509->subject, x509->issuer) == 0) {
...@@ -218,13 +212,14 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, ...@@ -218,13 +212,14 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
/* Look through the X.509 certificates in the PKCS#7 message's /* Look through the X.509 certificates in the PKCS#7 message's
* list to see if the next one is there. * list to see if the next one is there.
*/ */
pr_debug("- want %s\n", x509->authority); pr_debug("- want %*phN\n",
x509->authority->len, x509->authority->data);
for (p = pkcs7->certs; p; p = p->next) { for (p = pkcs7->certs; p; p = p->next) {
pr_debug("- cmp [%u] %s\n", p->index, p->fingerprint); if (!p->skid)
if (p->raw_subject_size == x509->raw_issuer_size && continue;
strcmp(p->fingerprint, x509->authority) == 0 && pr_debug("- cmp [%u] %*phN\n",
memcmp(p->raw_subject, x509->raw_issuer, p->index, p->skid->len, p->skid->data);
x509->raw_issuer_size) == 0) if (asymmetric_key_id_same(p->skid, x509->authority))
goto found_issuer; goto found_issuer;
} }
...@@ -233,7 +228,7 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, ...@@ -233,7 +228,7 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
return 0; return 0;
found_issuer: found_issuer:
pr_debug("- issuer %s\n", p->subject); pr_debug("- subject %s\n", p->subject);
if (p->seen) { if (p->seen) {
pr_warn("Sig %u: X.509 chain contains loop\n", pr_warn("Sig %u: X.509 chain contains loop\n",
sinfo->index); sinfo->index);
...@@ -304,7 +299,8 @@ int pkcs7_verify(struct pkcs7_message *pkcs7) ...@@ -304,7 +299,8 @@ int pkcs7_verify(struct pkcs7_message *pkcs7)
ret = x509_get_sig_params(x509); ret = x509_get_sig_params(x509);
if (ret < 0) if (ret < 0)
return ret; return ret;
pr_debug("X.509[%u] %s\n", n, x509->authority); pr_debug("X.509[%u] %*phN\n",
n, x509->authority->len, x509->authority->data);
} }
for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) { for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
......
...@@ -46,7 +46,8 @@ void x509_free_certificate(struct x509_certificate *cert) ...@@ -46,7 +46,8 @@ void x509_free_certificate(struct x509_certificate *cert)
public_key_destroy(cert->pub); public_key_destroy(cert->pub);
kfree(cert->issuer); kfree(cert->issuer);
kfree(cert->subject); kfree(cert->subject);
kfree(cert->fingerprint); kfree(cert->id);
kfree(cert->skid);
kfree(cert->authority); kfree(cert->authority);
kfree(cert->sig.digest); kfree(cert->sig.digest);
mpi_free(cert->sig.rsa.s); mpi_free(cert->sig.rsa.s);
...@@ -62,6 +63,7 @@ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen) ...@@ -62,6 +63,7 @@ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen)
{ {
struct x509_certificate *cert; struct x509_certificate *cert;
struct x509_parse_context *ctx; struct x509_parse_context *ctx;
struct asymmetric_key_id *kid;
long ret; long ret;
ret = -ENOMEM; ret = -ENOMEM;
...@@ -89,6 +91,17 @@ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen) ...@@ -89,6 +91,17 @@ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen)
if (ret < 0) if (ret < 0)
goto error_decode; goto error_decode;
/* Generate cert issuer + serial number key ID */
kid = asymmetric_key_generate_id(cert->raw_serial,
cert->raw_serial_size,
cert->raw_issuer,
cert->raw_issuer_size);
if (IS_ERR(kid)) {
ret = PTR_ERR(kid);
goto error_decode;
}
cert->id = kid;
kfree(ctx); kfree(ctx);
return cert; return cert;
...@@ -407,36 +420,34 @@ int x509_process_extension(void *context, size_t hdrlen, ...@@ -407,36 +420,34 @@ int x509_process_extension(void *context, size_t hdrlen,
const void *value, size_t vlen) const void *value, size_t vlen)
{ {
struct x509_parse_context *ctx = context; struct x509_parse_context *ctx = context;
struct asymmetric_key_id *kid;
const unsigned char *v = value; const unsigned char *v = value;
char *f;
int i; int i;
pr_debug("Extension: %u\n", ctx->last_oid); pr_debug("Extension: %u\n", ctx->last_oid);
if (ctx->last_oid == OID_subjectKeyIdentifier) { if (ctx->last_oid == OID_subjectKeyIdentifier) {
/* Get hold of the key fingerprint */ /* Get hold of the key fingerprint */
if (vlen < 3) if (ctx->cert->skid || vlen < 3)
return -EBADMSG; return -EBADMSG;
if (v[0] != ASN1_OTS || v[1] != vlen - 2) if (v[0] != ASN1_OTS || v[1] != vlen - 2)
return -EBADMSG; return -EBADMSG;
v += 2; v += 2;
vlen -= 2; vlen -= 2;
f = kmalloc(vlen * 2 + 1, GFP_KERNEL); kid = asymmetric_key_generate_id(v, vlen,
if (!f) ctx->cert->raw_subject,
return -ENOMEM; ctx->cert->raw_subject_size);
for (i = 0; i < vlen; i++) if (IS_ERR(kid))
sprintf(f + i * 2, "%02x", v[i]); return PTR_ERR(kid);
pr_debug("fingerprint %s\n", f); ctx->cert->skid = kid;
ctx->cert->fingerprint = f; pr_debug("subjkeyid %*phN\n", kid->len, kid->data);
return 0; return 0;
} }
if (ctx->last_oid == OID_authorityKeyIdentifier) { if (ctx->last_oid == OID_authorityKeyIdentifier) {
size_t key_len;
/* Get hold of the CA key fingerprint */ /* Get hold of the CA key fingerprint */
if (vlen < 5) if (ctx->cert->authority || vlen < 5)
return -EBADMSG; return -EBADMSG;
/* Authority Key Identifier must be a Constructed SEQUENCE */ /* Authority Key Identifier must be a Constructed SEQUENCE */
...@@ -454,7 +465,7 @@ int x509_process_extension(void *context, size_t hdrlen, ...@@ -454,7 +465,7 @@ int x509_process_extension(void *context, size_t hdrlen,
v[3] > vlen - 4) v[3] > vlen - 4)
return -EBADMSG; return -EBADMSG;
key_len = v[3]; vlen = v[3];
v += 4; v += 4;
} else { } else {
/* Long Form length */ /* Long Form length */
...@@ -476,17 +487,17 @@ int x509_process_extension(void *context, size_t hdrlen, ...@@ -476,17 +487,17 @@ int x509_process_extension(void *context, size_t hdrlen,
v[sub + 1] > vlen - 4 - sub) v[sub + 1] > vlen - 4 - sub)
return -EBADMSG; return -EBADMSG;
key_len = v[sub + 1]; vlen = v[sub + 1];
v += (sub + 2); v += (sub + 2);
} }
f = kmalloc(key_len * 2 + 1, GFP_KERNEL); kid = asymmetric_key_generate_id(v, vlen,
if (!f) ctx->cert->raw_issuer,
return -ENOMEM; ctx->cert->raw_issuer_size);
for (i = 0; i < key_len; i++) if (IS_ERR(kid))
sprintf(f + i * 2, "%02x", v[i]); return PTR_ERR(kid);
pr_debug("authority %s\n", f); pr_debug("authkeyid %*phN\n", kid->len, kid->data);
ctx->cert->authority = f; ctx->cert->authority = kid;
return 0; return 0;
} }
......
...@@ -19,8 +19,9 @@ struct x509_certificate { ...@@ -19,8 +19,9 @@ struct x509_certificate {
struct public_key_signature sig; /* Signature parameters */ struct public_key_signature sig; /* Signature parameters */
char *issuer; /* Name of certificate issuer */ char *issuer; /* Name of certificate issuer */
char *subject; /* Name of certificate subject */ char *subject; /* Name of certificate subject */
char *fingerprint; /* Key fingerprint as hex */ struct asymmetric_key_id *id; /* Issuer + serial number */
char *authority; /* Authority key fingerprint as hex */ struct asymmetric_key_id *skid; /* Subject key identifier */
struct asymmetric_key_id *authority; /* Authority key identifier */
struct tm valid_from; struct tm valid_from;
struct tm valid_to; struct tm valid_to;
const void *tbs; /* Signed data */ const void *tbs; /* Signed data */
......
...@@ -25,7 +25,7 @@ ...@@ -25,7 +25,7 @@
#include "x509_parser.h" #include "x509_parser.h"
static bool use_builtin_keys; static bool use_builtin_keys;
static char *ca_keyid; static struct asymmetric_key_id *ca_keyid;
#ifndef MODULE #ifndef MODULE
static int __init ca_keys_setup(char *str) static int __init ca_keys_setup(char *str)
...@@ -33,10 +33,16 @@ static int __init ca_keys_setup(char *str) ...@@ -33,10 +33,16 @@ static int __init ca_keys_setup(char *str)
if (!str) /* default system keyring */ if (!str) /* default system keyring */
return 1; return 1;
if (strncmp(str, "id:", 3) == 0) if (strncmp(str, "id:", 3) == 0) {
ca_keyid = str; /* owner key 'id:xxxxxx' */ struct asymmetric_key_id *p;
else if (strcmp(str, "builtin") == 0) p = asymmetric_key_hex_to_key_id(str);
if (p == ERR_PTR(-EINVAL))
pr_err("Unparsable hex string in ca_keys\n");
else if (!IS_ERR(p))
ca_keyid = p; /* owner key 'id:xxxxxx' */
} else if (strcmp(str, "builtin") == 0) {
use_builtin_keys = true; use_builtin_keys = true;
}
return 1; return 1;
} }
...@@ -46,31 +52,28 @@ __setup("ca_keys=", ca_keys_setup); ...@@ -46,31 +52,28 @@ __setup("ca_keys=", ca_keys_setup);
/** /**
* x509_request_asymmetric_key - Request a key by X.509 certificate params. * x509_request_asymmetric_key - Request a key by X.509 certificate params.
* @keyring: The keys to search. * @keyring: The keys to search.
* @subject: The name of the subject to whom the key belongs. * @kid: The key ID.
* @key_id: The subject key ID as a hex string.
* *
* Find a key in the given keyring by subject name and key ID. These might, * Find a key in the given keyring by subject name and key ID. These might,
* for instance, be the issuer name and the authority key ID of an X.509 * for instance, be the issuer name and the authority key ID of an X.509
* certificate that needs to be verified. * certificate that needs to be verified.
*/ */
struct key *x509_request_asymmetric_key(struct key *keyring, struct key *x509_request_asymmetric_key(struct key *keyring,
const char *subject, const struct asymmetric_key_id *kid)
const char *key_id)
{ {
key_ref_t key; key_ref_t key;
size_t subject_len = strlen(subject), key_id_len = strlen(key_id); char *id, *p;
char *id;
/* Construct an identifier "<subjname>:<keyid>". */ /* Construct an identifier "id:<keyid>". */
id = kmalloc(subject_len + 2 + key_id_len + 1, GFP_KERNEL); p = id = kmalloc(2 + 1 + kid->len * 2 + 1, GFP_KERNEL);
if (!id) if (!id)
return ERR_PTR(-ENOMEM); return ERR_PTR(-ENOMEM);
memcpy(id, subject, subject_len); *p++ = 'i';
id[subject_len + 0] = ':'; *p++ = 'd';
id[subject_len + 1] = ' '; *p++ = ':';
memcpy(id + subject_len + 2, key_id, key_id_len); p = bin2hex(p, kid->data, kid->len);
id[subject_len + 2 + key_id_len] = 0; *p = 0;
pr_debug("Look up: \"%s\"\n", id); pr_debug("Look up: \"%s\"\n", id);
...@@ -195,11 +198,10 @@ static int x509_validate_trust(struct x509_certificate *cert, ...@@ -195,11 +198,10 @@ static int x509_validate_trust(struct x509_certificate *cert,
if (!trust_keyring) if (!trust_keyring)
return -EOPNOTSUPP; return -EOPNOTSUPP;
if (ca_keyid && !asymmetric_keyid_match(cert->authority, ca_keyid)) if (ca_keyid && !asymmetric_key_id_same(cert->authority, ca_keyid))
return -EPERM; return -EPERM;
key = x509_request_asymmetric_key(trust_keyring, key = x509_request_asymmetric_key(trust_keyring, cert->authority);
cert->issuer, cert->authority);
if (!IS_ERR(key)) { if (!IS_ERR(key)) {
if (!use_builtin_keys if (!use_builtin_keys
|| test_bit(KEY_FLAG_BUILTIN, &key->flags)) || test_bit(KEY_FLAG_BUILTIN, &key->flags))
...@@ -214,9 +216,11 @@ static int x509_validate_trust(struct x509_certificate *cert, ...@@ -214,9 +216,11 @@ static int x509_validate_trust(struct x509_certificate *cert,
*/ */
static int x509_key_preparse(struct key_preparsed_payload *prep) static int x509_key_preparse(struct key_preparsed_payload *prep)
{ {
struct asymmetric_key_ids *kids;
struct x509_certificate *cert; struct x509_certificate *cert;
const char *q;
size_t srlen, sulen; size_t srlen, sulen;
char *desc = NULL; char *desc = NULL, *p;
int ret; int ret;
cert = x509_cert_parse(prep->data, prep->datalen); cert = x509_cert_parse(prep->data, prep->datalen);
...@@ -249,19 +253,12 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) ...@@ -249,19 +253,12 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
pkey_algo_name[cert->sig.pkey_algo], pkey_algo_name[cert->sig.pkey_algo],
hash_algo_name[cert->sig.pkey_hash_algo]); hash_algo_name[cert->sig.pkey_hash_algo]);
if (!cert->fingerprint) {
pr_warn("Cert for '%s' must have a SubjKeyId extension\n",
cert->subject);
ret = -EKEYREJECTED;
goto error_free_cert;
}
cert->pub->algo = pkey_algo[cert->pub->pkey_algo]; cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
cert->pub->id_type = PKEY_ID_X509; cert->pub->id_type = PKEY_ID_X509;
/* Check the signature on the key if it appears to be self-signed */ /* Check the signature on the key if it appears to be self-signed */
if (!cert->authority || if (!cert->authority ||
strcmp(cert->fingerprint, cert->authority) == 0) { asymmetric_key_id_same(cert->skid, cert->authority)) {
ret = x509_check_signature(cert->pub, cert); /* self-signed */ ret = x509_check_signature(cert->pub, cert); /* self-signed */
if (ret < 0) if (ret < 0)
goto error_free_cert; goto error_free_cert;
...@@ -273,31 +270,47 @@ static int x509_key_preparse(struct key_preparsed_payload *prep) ...@@ -273,31 +270,47 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
/* Propose a description */ /* Propose a description */
sulen = strlen(cert->subject); sulen = strlen(cert->subject);
srlen = strlen(cert->fingerprint); srlen = cert->raw_serial_size;
q = cert->raw_serial;
if (srlen > 1 && *q == 0) {
srlen--;
q++;
}
ret = -ENOMEM; ret = -ENOMEM;
desc = kmalloc(sulen + 2 + srlen + 1, GFP_KERNEL); desc = kmalloc(sulen + 2 + srlen * 2 + 1, GFP_KERNEL);
if (!desc) if (!desc)
goto error_free_cert; goto error_free_cert;
memcpy(desc, cert->subject, sulen); p = memcpy(desc, cert->subject, sulen);
desc[sulen] = ':'; p += sulen;
desc[sulen + 1] = ' '; *p++ = ':';
memcpy(desc + sulen + 2, cert->fingerprint, srlen); *p++ = ' ';
desc[sulen + 2 + srlen] = 0; p = bin2hex(p, q, srlen);
*p = 0;
kids = kmalloc(sizeof(struct asymmetric_key_ids), GFP_KERNEL);
if (!kids)
goto error_free_desc;
kids->id[0] = cert->id;
kids->id[1] = cert->skid;
/* We're pinning the module by being linked against it */ /* We're pinning the module by being linked against it */
__module_get(public_key_subtype.owner); __module_get(public_key_subtype.owner);
prep->type_data[0] = &public_key_subtype; prep->type_data[0] = &public_key_subtype;
prep->type_data[1] = cert->fingerprint; prep->type_data[1] = kids;
prep->payload[0] = cert->pub; prep->payload[0] = cert->pub;
prep->description = desc; prep->description = desc;
prep->quotalen = 100; prep->quotalen = 100;
/* We've finished with the certificate */ /* We've finished with the certificate */
cert->pub = NULL; cert->pub = NULL;
cert->fingerprint = NULL; cert->id = NULL;
cert->skid = NULL;
desc = NULL; desc = NULL;
ret = 0; ret = 0;
error_free_desc:
kfree(desc);
error_free_cert: error_free_cert:
x509_free_certificate(cert); x509_free_certificate(cert);
return ret; return ret;
......
...@@ -15,6 +15,7 @@ ...@@ -15,6 +15,7 @@
#define _LINUX_PUBLIC_KEY_H #define _LINUX_PUBLIC_KEY_H
#include <linux/mpi.h> #include <linux/mpi.h>
#include <keys/asymmetric-type.h>
#include <crypto/hash_info.h> #include <crypto/hash_info.h>
enum pkey_algo { enum pkey_algo {
...@@ -98,8 +99,8 @@ struct key; ...@@ -98,8 +99,8 @@ struct key;
extern int verify_signature(const struct key *key, extern int verify_signature(const struct key *key,
const struct public_key_signature *sig); const struct public_key_signature *sig);
struct asymmetric_key_id;
extern struct key *x509_request_asymmetric_key(struct key *keyring, extern struct key *x509_request_asymmetric_key(struct key *keyring,
const char *issuer, const struct asymmetric_key_id *kid);
const char *key_id);
#endif /* _LINUX_PUBLIC_KEY_H */ #endif /* _LINUX_PUBLIC_KEY_H */
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment