Commit 8e65edaa authored by David Howells's avatar David Howells

PKCS#7: Check content type and versions

We only support PKCS#7 signed-data [RFC2315 sec 9] content at the top level,
so reject anything else.  Further, check that the version numbers in
SignedData and SignerInfo are 1 in both cases.

Note that we don't restrict the inner content type.  In the PKCS#7 code we
don't parse the data attached there, but merely verify the signature over
it.
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Reviewed-By: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
parent c3477659
PKCS7ContentInfo ::= SEQUENCE { PKCS7ContentInfo ::= SEQUENCE {
contentType ContentType, contentType ContentType ({ pkcs7_check_content_type }),
content [0] EXPLICIT SignedData OPTIONAL content [0] EXPLICIT SignedData OPTIONAL
} }
ContentType ::= OBJECT IDENTIFIER ({ pkcs7_note_OID }) ContentType ::= OBJECT IDENTIFIER ({ pkcs7_note_OID })
SignedData ::= SEQUENCE { SignedData ::= SEQUENCE {
version INTEGER, version INTEGER ({ pkcs7_note_signeddata_version }),
digestAlgorithms DigestAlgorithmIdentifiers, digestAlgorithms DigestAlgorithmIdentifiers,
contentInfo ContentInfo, contentInfo ContentInfo,
certificates CHOICE { certificates CHOICE {
...@@ -68,7 +68,7 @@ SignerInfos ::= CHOICE { ...@@ -68,7 +68,7 @@ SignerInfos ::= CHOICE {
} }
SignerInfo ::= SEQUENCE { SignerInfo ::= SEQUENCE {
version INTEGER, version INTEGER ({ pkcs7_note_signerinfo_version }),
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
digestAlgorithm DigestAlgorithmIdentifier ({ pkcs7_sig_note_digest_algo }), digestAlgorithm DigestAlgorithmIdentifier ({ pkcs7_sig_note_digest_algo }),
authenticatedAttributes CHOICE { authenticatedAttributes CHOICE {
......
...@@ -225,6 +225,79 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen, ...@@ -225,6 +225,79 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
return 0; return 0;
} }
/*
* We only support signed data [RFC2315 sec 9].
*/
int pkcs7_check_content_type(void *context, size_t hdrlen,
unsigned char tag,
const void *value, size_t vlen)
{
struct pkcs7_parse_context *ctx = context;
if (ctx->last_oid != OID_signed_data) {
pr_warn("Only support pkcs7_signedData type\n");
return -EINVAL;
}
return 0;
}
/*
* Note the SignedData version
*/
int pkcs7_note_signeddata_version(void *context, size_t hdrlen,
unsigned char tag,
const void *value, size_t vlen)
{
unsigned version;
if (vlen != 1)
goto unsupported;
version = *(const u8 *)value;
switch (version) {
case 1:
/* PKCS#7 SignedData [RFC2315 sec 9.1] */
break;
default:
goto unsupported;
}
return 0;
unsupported:
pr_warn("Unsupported SignedData version\n");
return -EINVAL;
}
/*
* Note the SignerInfo version
*/
int pkcs7_note_signerinfo_version(void *context, size_t hdrlen,
unsigned char tag,
const void *value, size_t vlen)
{
unsigned version;
if (vlen != 1)
goto unsupported;
version = *(const u8 *)value;
switch (version) {
case 1:
/* PKCS#7 SignerInfo [RFC2315 sec 9.2] */
break;
default:
goto unsupported;
}
return 0;
unsupported:
pr_warn("Unsupported SignerInfo version\n");
return -EINVAL;
}
/* /*
* Extract a certificate and store it in the context. * Extract a certificate and store it in the context.
*/ */
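Review bot: The header comments on pkcs7_note_signeddata_version and pkcs7_note_signerinfo_version say the callbacks "note" the version, but neither stores anything in the context — each only rejects a value other than 1 — so `/* Check the SignedData version; only version 1 [RFC2315 sec 9.1] is supported */` (and the SignerInfo counterpart, sec 9.2) describes the contract more honestly. The switch with a single case and a default that jumps to the same label is heavier than the check needs; `if (vlen != 1 || *(const u8 *)value != 1) goto unsupported;` expresses the same condition and keeps the length guard ahead of the dereference. The two callbacks differ only in the warning text, so a small static helper taking the structure name as a parameter would keep them from drifting apart if a later version is ever accepted. pkcs7_check_content_type relies on ctx->last_oid having been filled in by pkcs7_note_OID earlier within the same ContentType element — presumably guaranteed by the action order in the ASN.1 grammar — and a one-line comment saying so would spare the next reader the cross-file lookup.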
...@@ -326,7 +399,7 @@ int pkcs7_sig_note_authenticated_attr(void *context, size_t hdrlen, ...@@ -326,7 +399,7 @@ int pkcs7_sig_note_authenticated_attr(void *context, size_t hdrlen,
} }
/* /*
* Note the set of auth attributes for digestion purposes [RFC2315 9.3] * Note the set of auth attributes for digestion purposes [RFC2315 sec 9.3]
*/ */
int pkcs7_sig_note_set_of_authattrs(void *context, size_t hdrlen, int pkcs7_sig_note_set_of_authattrs(void *context, size_t hdrlen,
unsigned char tag, unsigned char tag,
......