David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 1 | /* Instantiate a public key crypto key from an X.509 Certificate |
| 2 | * |
David Howells | a511e1a | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 3 | * Copyright (C) 2012, 2016 Red Hat, Inc. All Rights Reserved. |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 4 | * Written by David Howells (dhowells@redhat.com) |
| 5 | * |
| 6 | * This program is free software; you can redistribute it and/or |
| 7 | * modify it under the terms of the GNU General Public Licence |
| 8 | * as published by the Free Software Foundation; either version |
| 9 | * 2 of the Licence, or (at your option) any later version. |
| 10 | */ |
| 11 | |
David Howells | a511e1a | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 12 | #define pr_fmt(fmt) "ASYM: "fmt |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 13 | #include <linux/module.h> |
| 14 | #include <linux/kernel.h> |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 15 | #include <linux/err.h> |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 16 | #include <crypto/public_key.h> |
| 17 | #include "asymmetric_keys.h" |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 18 | |
| 19 | static bool use_builtin_keys; |
| 20 | static struct asymmetric_key_id *ca_keyid; |
| 21 | |
| 22 | #ifndef MODULE |
| 23 | static struct { |
| 24 | struct asymmetric_key_id id; |
| 25 | unsigned char data[10]; |
| 26 | } cakey; |
| 27 | |
| 28 | static int __init ca_keys_setup(char *str) |
| 29 | { |
| 30 | if (!str) /* default system keyring */ |
| 31 | return 1; |
| 32 | |
| 33 | if (strncmp(str, "id:", 3) == 0) { |
| 34 | struct asymmetric_key_id *p = &cakey.id; |
| 35 | size_t hexlen = (strlen(str) - 3) / 2; |
| 36 | int ret; |
| 37 | |
| 38 | if (hexlen == 0 || hexlen > sizeof(cakey.data)) { |
| 39 | pr_err("Missing or invalid ca_keys id\n"); |
| 40 | return 1; |
| 41 | } |
| 42 | |
| 43 | ret = __asymmetric_key_hex_to_key_id(str + 3, p, hexlen); |
| 44 | if (ret < 0) |
| 45 | pr_err("Unparsable ca_keys id hex string\n"); |
| 46 | else |
| 47 | ca_keyid = p; /* owner key 'id:xxxxxx' */ |
| 48 | } else if (strcmp(str, "builtin") == 0) { |
| 49 | use_builtin_keys = true; |
| 50 | } |
| 51 | |
| 52 | return 1; |
| 53 | } |
| 54 | __setup("ca_keys=", ca_keys_setup); |
| 55 | #endif |
| 56 | |
David Howells | a511e1a | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 57 | /** |
| 58 | * restrict_link_by_signature - Restrict additions to a ring of public keys |
| 59 | * @trust_keyring: A ring of keys that can be used to vouch for the new cert. |
| 60 | * @type: The type of key being added. |
| 61 | * @payload: The payload of the new key. |
| 62 | * |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 63 | * Check the new certificate against the ones in the trust keyring. If one of |
| 64 | * those is the signing key and validates the new certificate, then mark the |
| 65 | * new certificate as being trusted. |
| 66 | * |
David Howells | a511e1a | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 67 | * Returns 0 if the new certificate was accepted, -ENOKEY if we couldn't find a |
| 68 | * matching parent certificate in the trusted list, -EKEYREJECTED if the |
| 69 | * signature check fails or the key is blacklisted and some other error if |
| 70 | * there is a matching certificate but the signature check cannot be performed. |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 71 | */ |
David Howells | a511e1a | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 72 | int restrict_link_by_signature(struct key *trust_keyring, |
| 73 | const struct key_type *type, |
| 74 | const union key_payload *payload) |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 75 | { |
David Howells | a511e1a | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 76 | const struct public_key_signature *sig; |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 77 | struct key *key; |
David Howells | a511e1a | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 78 | int ret; |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 79 | |
David Howells | a511e1a | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 80 | pr_devel("==>%s()\n", __func__); |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 81 | |
| 82 | if (!trust_keyring) |
David Howells | a511e1a | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 83 | return -ENOKEY; |
| 84 | |
| 85 | if (type != &key_type_asymmetric) |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 86 | return -EOPNOTSUPP; |
David Howells | a511e1a | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 87 | |
| 88 | sig = payload->data[asym_auth]; |
| 89 | if (!sig->auth_ids[0] && !sig->auth_ids[1]) |
| 90 | return 0; |
| 91 | |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 92 | if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid)) |
| 93 | return -EPERM; |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 94 | |
David Howells | a511e1a | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 95 | /* See if we have a key that signed this one. */ |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 96 | key = find_asymmetric_key(trust_keyring, |
| 97 | sig->auth_ids[0], sig->auth_ids[1], |
| 98 | false); |
| 99 | if (IS_ERR(key)) |
David Howells | a511e1a | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 100 | return -ENOKEY; |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 101 | |
David Howells | a511e1a | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 102 | if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags)) |
| 103 | ret = -ENOKEY; |
| 104 | else |
| 105 | ret = verify_signature(key, sig); |
David Howells | cfb664f | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 106 | key_put(key); |
| 107 | return ret; |
| 108 | } |