Commit | Line | Data |
---|---|---|
c26fd69f DH |
1 | /* Instantiate a public key crypto key from an X.509 Certificate |
2 | * | |
3 | * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. | |
4 | * Written by David Howells (dhowells@redhat.com) | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or | |
7 | * modify it under the terms of the GNU General Public Licence | |
8 | * as published by the Free Software Foundation; either version | |
9 | * 2 of the Licence, or (at your option) any later version. | |
10 | */ | |
11 | ||
12 | #define pr_fmt(fmt) "X.509: "fmt | |
13 | #include <linux/module.h> | |
14 | #include <linux/kernel.h> | |
15 | #include <linux/slab.h> | |
16 | #include <linux/err.h> | |
17 | #include <linux/mpi.h> | |
18 | #include <linux/asn1_decoder.h> | |
19 | #include <keys/asymmetric-subtype.h> | |
20 | #include <keys/asymmetric-parser.h> | |
21 | #include <crypto/hash.h> | |
22 | #include "asymmetric_keys.h" | |
23 | #include "public_key.h" | |
24 | #include "x509_parser.h" | |
25 | ||
26 | static const | |
27 | struct public_key_algorithm *x509_public_key_algorithms[PKEY_ALGO__LAST] = { | |
28 | [PKEY_ALGO_DSA] = NULL, | |
29 | #if defined(CONFIG_PUBLIC_KEY_ALGO_RSA) || \ | |
30 | defined(CONFIG_PUBLIC_KEY_ALGO_RSA_MODULE) | |
31 | [PKEY_ALGO_RSA] = &RSA_public_key_algorithm, | |
32 | #endif | |
33 | }; | |
34 | ||
35 | /* | |
36 | * Check the signature on a certificate using the provided public key | |
37 | */ | |
38 | static int x509_check_signature(const struct public_key *pub, | |
39 | const struct x509_certificate *cert) | |
40 | { | |
41 | struct public_key_signature *sig; | |
42 | struct crypto_shash *tfm; | |
43 | struct shash_desc *desc; | |
44 | size_t digest_size, desc_size; | |
45 | int ret; | |
46 | ||
47 | pr_devel("==>%s()\n", __func__); | |
48 | ||
49 | /* Allocate the hashing algorithm we're going to need and find out how | |
50 | * big the hash operational data will be. | |
51 | */ | |
52 | tfm = crypto_alloc_shash(pkey_hash_algo[cert->sig_hash_algo], 0, 0); | |
53 | if (IS_ERR(tfm)) | |
54 | return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm); | |
55 | ||
56 | desc_size = crypto_shash_descsize(tfm) + sizeof(*desc); | |
57 | digest_size = crypto_shash_digestsize(tfm); | |
58 | ||
59 | /* We allocate the hash operational data storage on the end of our | |
60 | * context data. | |
61 | */ | |
62 | ret = -ENOMEM; | |
63 | sig = kzalloc(sizeof(*sig) + desc_size + digest_size, GFP_KERNEL); | |
64 | if (!sig) | |
65 | goto error_no_sig; | |
66 | ||
67 | sig->pkey_hash_algo = cert->sig_hash_algo; | |
68 | sig->digest = (u8 *)sig + sizeof(*sig) + desc_size; | |
69 | sig->digest_size = digest_size; | |
70 | ||
71 | desc = (void *)sig + sizeof(*sig); | |
72 | desc->tfm = tfm; | |
73 | desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP; | |
74 | ||
75 | ret = crypto_shash_init(desc); | |
76 | if (ret < 0) | |
77 | goto error; | |
78 | ||
79 | ret = -ENOMEM; | |
80 | sig->rsa.s = mpi_read_raw_data(cert->sig, cert->sig_size); | |
81 | if (!sig->rsa.s) | |
82 | goto error; | |
83 | ||
84 | ret = crypto_shash_finup(desc, cert->tbs, cert->tbs_size, sig->digest); | |
85 | if (ret < 0) | |
86 | goto error_mpi; | |
87 | ||
88 | ret = pub->algo->verify_signature(pub, sig); | |
89 | ||
90 | pr_debug("Cert Verification: %d\n", ret); | |
91 | ||
92 | error_mpi: | |
93 | mpi_free(sig->rsa.s); | |
94 | error: | |
95 | kfree(sig); | |
96 | error_no_sig: | |
97 | crypto_free_shash(tfm); | |
98 | ||
99 | pr_devel("<==%s() = %d\n", __func__, ret); | |
100 | return ret; | |
101 | } | |
102 | ||
103 | /* | |
104 | * Attempt to parse a data blob for a key as an X509 certificate. | |
105 | */ | |
106 | static int x509_key_preparse(struct key_preparsed_payload *prep) | |
107 | { | |
108 | struct x509_certificate *cert; | |
109 | time_t now; | |
110 | size_t srlen, sulen; | |
111 | char *desc = NULL; | |
112 | int ret; | |
113 | ||
114 | cert = x509_cert_parse(prep->data, prep->datalen); | |
115 | if (IS_ERR(cert)) | |
116 | return PTR_ERR(cert); | |
117 | ||
118 | pr_devel("Cert Issuer: %s\n", cert->issuer); | |
119 | pr_devel("Cert Subject: %s\n", cert->subject); | |
120 | pr_devel("Cert Key Algo: %s\n", pkey_algo[cert->pkey_algo]); | |
121 | pr_devel("Cert Valid: %lu - %lu\n", cert->valid_from, cert->valid_to); | |
122 | pr_devel("Cert Signature: %s + %s\n", | |
123 | pkey_algo[cert->sig_pkey_algo], | |
124 | pkey_hash_algo[cert->sig_hash_algo]); | |
125 | ||
126 | if (!cert->fingerprint || !cert->authority) { | |
127 | pr_warn("Cert for '%s' must have SubjKeyId and AuthKeyId extensions\n", | |
128 | cert->subject); | |
129 | ret = -EKEYREJECTED; | |
130 | goto error_free_cert; | |
131 | } | |
132 | ||
133 | now = CURRENT_TIME.tv_sec; | |
134 | if (now < cert->valid_from) { | |
135 | pr_warn("Cert %s is not yet valid\n", cert->fingerprint); | |
136 | ret = -EKEYREJECTED; | |
137 | goto error_free_cert; | |
138 | } | |
139 | if (now >= cert->valid_to) { | |
140 | pr_warn("Cert %s has expired\n", cert->fingerprint); | |
141 | ret = -EKEYEXPIRED; | |
142 | goto error_free_cert; | |
143 | } | |
144 | ||
145 | cert->pub->algo = x509_public_key_algorithms[cert->pkey_algo]; | |
146 | cert->pub->id_type = PKEY_ID_X509; | |
147 | ||
148 | /* Check the signature on the key */ | |
149 | if (strcmp(cert->fingerprint, cert->authority) == 0) { | |
150 | ret = x509_check_signature(cert->pub, cert); | |
151 | if (ret < 0) | |
152 | goto error_free_cert; | |
153 | } | |
154 | ||
155 | /* Propose a description */ | |
156 | sulen = strlen(cert->subject); | |
157 | srlen = strlen(cert->fingerprint); | |
158 | ret = -ENOMEM; | |
159 | desc = kmalloc(sulen + 2 + srlen + 1, GFP_KERNEL); | |
160 | if (!desc) | |
161 | goto error_free_cert; | |
162 | memcpy(desc, cert->subject, sulen); | |
163 | desc[sulen] = ':'; | |
164 | desc[sulen + 1] = ' '; | |
165 | memcpy(desc + sulen + 2, cert->fingerprint, srlen); | |
166 | desc[sulen + 2 + srlen] = 0; | |
167 | ||
168 | /* We're pinning the module by being linked against it */ | |
169 | __module_get(public_key_subtype.owner); | |
170 | prep->type_data[0] = &public_key_subtype; | |
171 | prep->type_data[1] = cert->fingerprint; | |
172 | prep->payload = cert->pub; | |
173 | prep->description = desc; | |
174 | prep->quotalen = 100; | |
175 | ||
176 | /* We've finished with the certificate */ | |
177 | cert->pub = NULL; | |
178 | cert->fingerprint = NULL; | |
179 | desc = NULL; | |
180 | ret = 0; | |
181 | ||
182 | error_free_cert: | |
183 | x509_free_certificate(cert); | |
184 | return ret; | |
185 | } | |
186 | ||
187 | static struct asymmetric_key_parser x509_key_parser = { | |
188 | .owner = THIS_MODULE, | |
189 | .name = "x509", | |
190 | .parse = x509_key_preparse, | |
191 | }; | |
192 | ||
193 | /* | |
194 | * Module stuff | |
195 | */ | |
196 | static int __init x509_key_init(void) | |
197 | { | |
198 | return register_asymmetric_key_parser(&x509_key_parser); | |
199 | } | |
200 | ||
201 | static void __exit x509_key_exit(void) | |
202 | { | |
203 | unregister_asymmetric_key_parser(&x509_key_parser); | |
204 | } | |
205 | ||
206 | module_init(x509_key_init); | |
207 | module_exit(x509_key_exit); |