x509_public_key.c 5.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207
  1. /* Instantiate a public key crypto key from an X.509 Certificate
  2. *
  3. * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
  4. * Written by David Howells (dhowells@redhat.com)
  5. *
  6. * This program is free software; you can redistribute it and/or
  7. * modify it under the terms of the GNU General Public Licence
  8. * as published by the Free Software Foundation; either version
  9. * 2 of the Licence, or (at your option) any later version.
  10. */
  11. #define pr_fmt(fmt) "X.509: "fmt
  12. #include <linux/module.h>
  13. #include <linux/kernel.h>
  14. #include <linux/slab.h>
  15. #include <linux/err.h>
  16. #include <linux/mpi.h>
  17. #include <linux/asn1_decoder.h>
  18. #include <keys/asymmetric-subtype.h>
  19. #include <keys/asymmetric-parser.h>
  20. #include <crypto/hash.h>
  21. #include "asymmetric_keys.h"
  22. #include "public_key.h"
  23. #include "x509_parser.h"
  24. static const
  25. struct public_key_algorithm *x509_public_key_algorithms[PKEY_ALGO__LAST] = {
  26. [PKEY_ALGO_DSA] = NULL,
  27. #if defined(CONFIG_PUBLIC_KEY_ALGO_RSA) || \
  28. defined(CONFIG_PUBLIC_KEY_ALGO_RSA_MODULE)
  29. [PKEY_ALGO_RSA] = &RSA_public_key_algorithm,
  30. #endif
  31. };
  32. /*
  33. * Check the signature on a certificate using the provided public key
  34. */
  35. static int x509_check_signature(const struct public_key *pub,
  36. const struct x509_certificate *cert)
  37. {
  38. struct public_key_signature *sig;
  39. struct crypto_shash *tfm;
  40. struct shash_desc *desc;
  41. size_t digest_size, desc_size;
  42. int ret;
  43. pr_devel("==>%s()\n", __func__);
  44. /* Allocate the hashing algorithm we're going to need and find out how
  45. * big the hash operational data will be.
  46. */
  47. tfm = crypto_alloc_shash(pkey_hash_algo[cert->sig_hash_algo], 0, 0);
  48. if (IS_ERR(tfm))
  49. return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm);
  50. desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
  51. digest_size = crypto_shash_digestsize(tfm);
  52. /* We allocate the hash operational data storage on the end of our
  53. * context data.
  54. */
  55. ret = -ENOMEM;
  56. sig = kzalloc(sizeof(*sig) + desc_size + digest_size, GFP_KERNEL);
  57. if (!sig)
  58. goto error_no_sig;
  59. sig->pkey_hash_algo = cert->sig_hash_algo;
  60. sig->digest = (u8 *)sig + sizeof(*sig) + desc_size;
  61. sig->digest_size = digest_size;
  62. desc = (void *)sig + sizeof(*sig);
  63. desc->tfm = tfm;
  64. desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
  65. ret = crypto_shash_init(desc);
  66. if (ret < 0)
  67. goto error;
  68. ret = -ENOMEM;
  69. sig->rsa.s = mpi_read_raw_data(cert->sig, cert->sig_size);
  70. if (!sig->rsa.s)
  71. goto error;
  72. ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, sig->digest);
  73. if (ret < 0)
  74. goto error_mpi;
  75. ret = pub->algo->verify_signature(pub, sig);
  76. pr_debug("Cert Verification: %d\n", ret);
  77. error_mpi:
  78. mpi_free(sig->rsa.s);
  79. error:
  80. kfree(sig);
  81. error_no_sig:
  82. crypto_free_shash(tfm);
  83. pr_devel("<==%s() = %d\n", __func__, ret);
  84. return ret;
  85. }
  86. /*
  87. * Attempt to parse a data blob for a key as an X509 certificate.
  88. */
  89. static int x509_key_preparse(struct key_preparsed_payload *prep)
  90. {
  91. struct x509_certificate *cert;
  92. time_t now;
  93. size_t srlen, sulen;
  94. char *desc = NULL;
  95. int ret;
  96. cert = x509_cert_parse(prep->data, prep->datalen);
  97. if (IS_ERR(cert))
  98. return PTR_ERR(cert);
  99. pr_devel("Cert Issuer: %s\n", cert->issuer);
  100. pr_devel("Cert Subject: %s\n", cert->subject);
  101. pr_devel("Cert Key Algo: %s\n", pkey_algo[cert->pkey_algo]);
  102. pr_devel("Cert Valid: %lu - %lu\n", cert->valid_from, cert->valid_to);
  103. pr_devel("Cert Signature: %s + %s\n",
  104. pkey_algo[cert->sig_pkey_algo],
  105. pkey_hash_algo[cert->sig_hash_algo]);
  106. if (!cert->fingerprint || !cert->authority) {
  107. pr_warn("Cert for '%s' must have SubjKeyId and AuthKeyId extensions\n",
  108. cert->subject);
  109. ret = -EKEYREJECTED;
  110. goto error_free_cert;
  111. }
  112. now = CURRENT_TIME.tv_sec;
  113. if (now < cert->valid_from) {
  114. pr_warn("Cert %s is not yet valid\n", cert->fingerprint);
  115. ret = -EKEYREJECTED;
  116. goto error_free_cert;
  117. }
  118. if (now >= cert->valid_to) {
  119. pr_warn("Cert %s has expired\n", cert->fingerprint);
  120. ret = -EKEYEXPIRED;
  121. goto error_free_cert;
  122. }
  123. cert->pub->algo = x509_public_key_algorithms[cert->pkey_algo];
  124. cert->pub->id_type = PKEY_ID_X509;
  125. /* Check the signature on the key */
  126. if (strcmp(cert->fingerprint, cert->authority) == 0) {
  127. ret = x509_check_signature(cert->pub, cert);
  128. if (ret < 0)
  129. goto error_free_cert;
  130. }
  131. /* Propose a description */
  132. sulen = strlen(cert->subject);
  133. srlen = strlen(cert->fingerprint);
  134. ret = -ENOMEM;
  135. desc = kmalloc(sulen + 2 + srlen + 1, GFP_KERNEL);
  136. if (!desc)
  137. goto error_free_cert;
  138. memcpy(desc, cert->subject, sulen);
  139. desc[sulen] = ':';
  140. desc[sulen + 1] = ' ';
  141. memcpy(desc + sulen + 2, cert->fingerprint, srlen);
  142. desc[sulen + 2 + srlen] = 0;
  143. /* We're pinning the module by being linked against it */
  144. __module_get(public_key_subtype.owner);
  145. prep->type_data[0] = &public_key_subtype;
  146. prep->type_data[1] = cert->fingerprint;
  147. prep->payload = cert->pub;
  148. prep->description = desc;
  149. prep->quotalen = 100;
  150. /* We've finished with the certificate */
  151. cert->pub = NULL;
  152. cert->fingerprint = NULL;
  153. desc = NULL;
  154. ret = 0;
  155. error_free_cert:
  156. x509_free_certificate(cert);
  157. return ret;
  158. }
  159. static struct asymmetric_key_parser x509_key_parser = {
  160. .owner = THIS_MODULE,
  161. .name = "x509",
  162. .parse = x509_key_preparse,
  163. };
  164. /*
  165. * Module stuff
  166. */
  167. static int __init x509_key_init(void)
  168. {
  169. return register_asymmetric_key_parser(&x509_key_parser);
  170. }
  171. static void __exit x509_key_exit(void)
  172. {
  173. unregister_asymmetric_key_parser(&x509_key_parser);
  174. }
  175. module_init(x509_key_init);
  176. module_exit(x509_key_exit);