David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 1 | /* Instantiate a public key crypto key from an X.509 Certificate |
| 2 | * |
| 3 | * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. |
| 4 | * Written by David Howells (dhowells@redhat.com) |
| 5 | * |
| 6 | * This program is free software; you can redistribute it and/or |
| 7 | * modify it under the terms of the GNU General Public Licence |
| 8 | * as published by the Free Software Foundation; either version |
| 9 | * 2 of the Licence, or (at your option) any later version. |
| 10 | */ |
| 11 | |
| 12 | #define pr_fmt(fmt) "X.509: "fmt |
| 13 | #include <linux/module.h> |
| 14 | #include <linux/kernel.h> |
| 15 | #include <linux/slab.h> |
| 16 | #include <linux/err.h> |
| 17 | #include <linux/mpi.h> |
| 18 | #include <linux/asn1_decoder.h> |
| 19 | #include <keys/asymmetric-subtype.h> |
| 20 | #include <keys/asymmetric-parser.h> |
| 21 | #include <crypto/hash.h> |
| 22 | #include "asymmetric_keys.h" |
| 23 | #include "public_key.h" |
| 24 | #include "x509_parser.h" |
| 25 | |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 26 | /* |
David Howells | b426beb | 2013-08-30 16:18:02 +0100 | [diff] [blame] | 27 | * Set up the signature parameters in an X.509 certificate. This involves |
| 28 | * digesting the signed data and extracting the signature. |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 29 | */ |
David Howells | b426beb | 2013-08-30 16:18:02 +0100 | [diff] [blame] | 30 | int x509_get_sig_params(struct x509_certificate *cert) |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 31 | { |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 32 | struct crypto_shash *tfm; |
| 33 | struct shash_desc *desc; |
| 34 | size_t digest_size, desc_size; |
David Howells | b426beb | 2013-08-30 16:18:02 +0100 | [diff] [blame] | 35 | void *digest; |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 36 | int ret; |
| 37 | |
| 38 | pr_devel("==>%s()\n", __func__); |
David Howells | b426beb | 2013-08-30 16:18:02 +0100 | [diff] [blame] | 39 | |
| 40 | if (cert->sig.rsa.s) |
| 41 | return 0; |
| 42 | |
| 43 | cert->sig.rsa.s = mpi_read_raw_data(cert->raw_sig, cert->raw_sig_size); |
| 44 | if (!cert->sig.rsa.s) |
| 45 | return -ENOMEM; |
| 46 | cert->sig.nr_mpi = 1; |
| 47 | |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 48 | /* Allocate the hashing algorithm we're going to need and find out how |
| 49 | * big the hash operational data will be. |
| 50 | */ |
David Howells | b426beb | 2013-08-30 16:18:02 +0100 | [diff] [blame] | 51 | tfm = crypto_alloc_shash(pkey_hash_algo_name[cert->sig.pkey_hash_algo], 0, 0); |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 52 | if (IS_ERR(tfm)) |
| 53 | return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm); |
| 54 | |
| 55 | desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); |
| 56 | digest_size = crypto_shash_digestsize(tfm); |
| 57 | |
David Howells | b426beb | 2013-08-30 16:18:02 +0100 | [diff] [blame] | 58 | /* We allocate the hash operational data storage on the end of the |
| 59 | * digest storage space. |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 60 | */ |
| 61 | ret = -ENOMEM; |
David Howells | b426beb | 2013-08-30 16:18:02 +0100 | [diff] [blame] | 62 | digest = kzalloc(digest_size + desc_size, GFP_KERNEL); |
| 63 | if (!digest) |
| 64 | goto error; |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 65 | |
David Howells | b426beb | 2013-08-30 16:18:02 +0100 | [diff] [blame] | 66 | cert->sig.digest = digest; |
| 67 | cert->sig.digest_size = digest_size; |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 68 | |
David Howells | b426beb | 2013-08-30 16:18:02 +0100 | [diff] [blame] | 69 | desc = digest + digest_size; |
| 70 | desc->tfm = tfm; |
| 71 | desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 72 | |
| 73 | ret = crypto_shash_init(desc); |
| 74 | if (ret < 0) |
| 75 | goto error; |
David Howells | b426beb | 2013-08-30 16:18:02 +0100 | [diff] [blame] | 76 | might_sleep(); |
| 77 | ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, digest); |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 78 | error: |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 79 | crypto_free_shash(tfm); |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 80 | pr_devel("<==%s() = %d\n", __func__, ret); |
| 81 | return ret; |
| 82 | } |
David Howells | b426beb | 2013-08-30 16:18:02 +0100 | [diff] [blame] | 83 | EXPORT_SYMBOL_GPL(x509_get_sig_params); |
| 84 | |
| 85 | /* |
| 86 | * Check the signature on a certificate using the provided public key |
| 87 | */ |
| 88 | int x509_check_signature(const struct public_key *pub, |
| 89 | struct x509_certificate *cert) |
| 90 | { |
| 91 | int ret; |
| 92 | |
| 93 | pr_devel("==>%s()\n", __func__); |
| 94 | |
| 95 | ret = x509_get_sig_params(cert); |
| 96 | if (ret < 0) |
| 97 | return ret; |
| 98 | |
| 99 | ret = public_key_verify_signature(pub, &cert->sig); |
| 100 | pr_debug("Cert Verification: %d\n", ret); |
| 101 | return ret; |
| 102 | } |
| 103 | EXPORT_SYMBOL_GPL(x509_check_signature); |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 104 | |
| 105 | /* |
| 106 | * Attempt to parse a data blob for a key as an X509 certificate. |
| 107 | */ |
| 108 | static int x509_key_preparse(struct key_preparsed_payload *prep) |
| 109 | { |
| 110 | struct x509_certificate *cert; |
David Howells | a5752d1 | 2012-10-02 14:36:16 +0100 | [diff] [blame] | 111 | struct tm now; |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 112 | size_t srlen, sulen; |
| 113 | char *desc = NULL; |
| 114 | int ret; |
| 115 | |
| 116 | cert = x509_cert_parse(prep->data, prep->datalen); |
| 117 | if (IS_ERR(cert)) |
| 118 | return PTR_ERR(cert); |
| 119 | |
| 120 | pr_devel("Cert Issuer: %s\n", cert->issuer); |
| 121 | pr_devel("Cert Subject: %s\n", cert->subject); |
David Howells | 2ecdb23 | 2013-08-30 16:18:15 +0100 | [diff] [blame] | 122 | |
| 123 | if (cert->pub->pkey_algo >= PKEY_ALGO__LAST || |
| 124 | cert->sig.pkey_algo >= PKEY_ALGO__LAST || |
| 125 | cert->sig.pkey_hash_algo >= PKEY_HASH__LAST || |
| 126 | !pkey_algo[cert->pub->pkey_algo] || |
| 127 | !pkey_algo[cert->sig.pkey_algo] || |
| 128 | !pkey_hash_algo_name[cert->sig.pkey_hash_algo]) { |
| 129 | ret = -ENOPKG; |
| 130 | goto error_free_cert; |
| 131 | } |
| 132 | |
David Howells | 67f7d60b | 2013-08-30 16:15:24 +0100 | [diff] [blame] | 133 | pr_devel("Cert Key Algo: %s\n", pkey_algo_name[cert->pub->pkey_algo]); |
David Howells | 2f1c4fe | 2012-10-04 14:21:23 +0100 | [diff] [blame] | 134 | pr_devel("Cert Valid From: %04ld-%02d-%02d %02d:%02d:%02d\n", |
David Howells | a5752d1 | 2012-10-02 14:36:16 +0100 | [diff] [blame] | 135 | cert->valid_from.tm_year + 1900, cert->valid_from.tm_mon + 1, |
| 136 | cert->valid_from.tm_mday, cert->valid_from.tm_hour, |
| 137 | cert->valid_from.tm_min, cert->valid_from.tm_sec); |
David Howells | 2f1c4fe | 2012-10-04 14:21:23 +0100 | [diff] [blame] | 138 | pr_devel("Cert Valid To: %04ld-%02d-%02d %02d:%02d:%02d\n", |
David Howells | a5752d1 | 2012-10-02 14:36:16 +0100 | [diff] [blame] | 139 | cert->valid_to.tm_year + 1900, cert->valid_to.tm_mon + 1, |
| 140 | cert->valid_to.tm_mday, cert->valid_to.tm_hour, |
| 141 | cert->valid_to.tm_min, cert->valid_to.tm_sec); |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 142 | pr_devel("Cert Signature: %s + %s\n", |
David Howells | b426beb | 2013-08-30 16:18:02 +0100 | [diff] [blame] | 143 | pkey_algo_name[cert->sig.pkey_algo], |
| 144 | pkey_hash_algo_name[cert->sig.pkey_hash_algo]); |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 145 | |
David Howells | 17334ca | 2013-08-30 16:18:31 +0100 | [diff] [blame^] | 146 | if (!cert->fingerprint) { |
| 147 | pr_warn("Cert for '%s' must have a SubjKeyId extension\n", |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 148 | cert->subject); |
| 149 | ret = -EKEYREJECTED; |
| 150 | goto error_free_cert; |
| 151 | } |
| 152 | |
David Howells | a5752d1 | 2012-10-02 14:36:16 +0100 | [diff] [blame] | 153 | time_to_tm(CURRENT_TIME.tv_sec, 0, &now); |
David Howells | 2f1c4fe | 2012-10-04 14:21:23 +0100 | [diff] [blame] | 154 | pr_devel("Now: %04ld-%02d-%02d %02d:%02d:%02d\n", |
David Howells | a5752d1 | 2012-10-02 14:36:16 +0100 | [diff] [blame] | 155 | now.tm_year + 1900, now.tm_mon + 1, now.tm_mday, |
| 156 | now.tm_hour, now.tm_min, now.tm_sec); |
| 157 | if (now.tm_year < cert->valid_from.tm_year || |
| 158 | (now.tm_year == cert->valid_from.tm_year && |
| 159 | (now.tm_mon < cert->valid_from.tm_mon || |
| 160 | (now.tm_mon == cert->valid_from.tm_mon && |
| 161 | (now.tm_mday < cert->valid_from.tm_mday || |
| 162 | (now.tm_mday == cert->valid_from.tm_mday && |
| 163 | (now.tm_hour < cert->valid_from.tm_hour || |
| 164 | (now.tm_hour == cert->valid_from.tm_hour && |
| 165 | (now.tm_min < cert->valid_from.tm_min || |
| 166 | (now.tm_min == cert->valid_from.tm_min && |
| 167 | (now.tm_sec < cert->valid_from.tm_sec |
| 168 | ))))))))))) { |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 169 | pr_warn("Cert %s is not yet valid\n", cert->fingerprint); |
| 170 | ret = -EKEYREJECTED; |
| 171 | goto error_free_cert; |
| 172 | } |
David Howells | a5752d1 | 2012-10-02 14:36:16 +0100 | [diff] [blame] | 173 | if (now.tm_year > cert->valid_to.tm_year || |
| 174 | (now.tm_year == cert->valid_to.tm_year && |
| 175 | (now.tm_mon > cert->valid_to.tm_mon || |
| 176 | (now.tm_mon == cert->valid_to.tm_mon && |
| 177 | (now.tm_mday > cert->valid_to.tm_mday || |
| 178 | (now.tm_mday == cert->valid_to.tm_mday && |
| 179 | (now.tm_hour > cert->valid_to.tm_hour || |
| 180 | (now.tm_hour == cert->valid_to.tm_hour && |
| 181 | (now.tm_min > cert->valid_to.tm_min || |
| 182 | (now.tm_min == cert->valid_to.tm_min && |
| 183 | (now.tm_sec > cert->valid_to.tm_sec |
| 184 | ))))))))))) { |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 185 | pr_warn("Cert %s has expired\n", cert->fingerprint); |
| 186 | ret = -EKEYEXPIRED; |
| 187 | goto error_free_cert; |
| 188 | } |
| 189 | |
David Howells | 67f7d60b | 2013-08-30 16:15:24 +0100 | [diff] [blame] | 190 | cert->pub->algo = pkey_algo[cert->pub->pkey_algo]; |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 191 | cert->pub->id_type = PKEY_ID_X509; |
| 192 | |
David Howells | 17334ca | 2013-08-30 16:18:31 +0100 | [diff] [blame^] | 193 | /* Check the signature on the key if it appears to be self-signed */ |
| 194 | if (!cert->authority || |
| 195 | strcmp(cert->fingerprint, cert->authority) == 0) { |
David Howells | c26fd69 | 2012-09-24 17:11:48 +0100 | [diff] [blame] | 196 | ret = x509_check_signature(cert->pub, cert); |
| 197 | if (ret < 0) |
| 198 | goto error_free_cert; |
| 199 | } |
| 200 | |
| 201 | /* Propose a description */ |
| 202 | sulen = strlen(cert->subject); |
| 203 | srlen = strlen(cert->fingerprint); |
| 204 | ret = -ENOMEM; |
| 205 | desc = kmalloc(sulen + 2 + srlen + 1, GFP_KERNEL); |
| 206 | if (!desc) |
| 207 | goto error_free_cert; |
| 208 | memcpy(desc, cert->subject, sulen); |
| 209 | desc[sulen] = ':'; |
| 210 | desc[sulen + 1] = ' '; |
| 211 | memcpy(desc + sulen + 2, cert->fingerprint, srlen); |
| 212 | desc[sulen + 2 + srlen] = 0; |
| 213 | |
| 214 | /* We're pinning the module by being linked against it */ |
| 215 | __module_get(public_key_subtype.owner); |
| 216 | prep->type_data[0] = &public_key_subtype; |
| 217 | prep->type_data[1] = cert->fingerprint; |
| 218 | prep->payload = cert->pub; |
| 219 | prep->description = desc; |
| 220 | prep->quotalen = 100; |
| 221 | |
| 222 | /* We've finished with the certificate */ |
| 223 | cert->pub = NULL; |
| 224 | cert->fingerprint = NULL; |
| 225 | desc = NULL; |
| 226 | ret = 0; |
| 227 | |
| 228 | error_free_cert: |
| 229 | x509_free_certificate(cert); |
| 230 | return ret; |
| 231 | } |
| 232 | |
| 233 | static struct asymmetric_key_parser x509_key_parser = { |
| 234 | .owner = THIS_MODULE, |
| 235 | .name = "x509", |
| 236 | .parse = x509_key_preparse, |
| 237 | }; |
| 238 | |
| 239 | /* |
| 240 | * Module stuff |
| 241 | */ |
| 242 | static int __init x509_key_init(void) |
| 243 | { |
| 244 | return register_asymmetric_key_parser(&x509_key_parser); |
| 245 | } |
| 246 | |
| 247 | static void __exit x509_key_exit(void) |
| 248 | { |
| 249 | unregister_asymmetric_key_parser(&x509_key_parser); |
| 250 | } |
| 251 | |
| 252 | module_init(x509_key_init); |
| 253 | module_exit(x509_key_exit); |