Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / kernel / shift / mainline / 60d65cacd7c2d84a6dcad69bcb57bbf0220c8643 / . / crypto / asymmetric_keys / pkcs7_parser.c
blob: 826e2f3f507bd8b233ccd428f3b78bb550dfa67b [file] [log] [blame]
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]1/* PKCS#7 parser
2 *
3 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11
12#define pr_fmt(fmt) "PKCS7: "fmt
13#include <linux/kernel.h>
14#include <linux/export.h>
15#include <linux/slab.h>
16#include <linux/err.h>
17#include <linux/oid_registry.h>
18#include "public_key.h"
19#include "pkcs7_parser.h"
20#include "pkcs7-asn1.h"
21
22struct pkcs7_parse_context {
23 struct pkcs7_message *msg; /* Message being constructed */
24 struct pkcs7_signed_info *sinfo; /* SignedInfo being constructed */
25 struct pkcs7_signed_info **ppsinfo;
26 struct x509_certificate *certs; /* Certificate cache */
27 struct x509_certificate **ppcerts;
28 unsigned long data; /* Start of data */
29 enum OID last_oid; /* Last OID encountered */
30 unsigned x509_index;
31 unsigned sinfo_index;
David Howells46963b72014-09-16 17:36:13 +0100[diff] [blame]32 const void *raw_serial;
33 unsigned raw_serial_size;
34 unsigned raw_issuer_size;
35 const void *raw_issuer;
David Howells60d65ca2015-07-20 21:16:33 +0100[diff] [blame^]36 const void *raw_skid;
37 unsigned raw_skid_size;
38 bool expect_skid;
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]39};
40
David Howells3cd09202014-09-16 17:29:03 +0100[diff] [blame]41/*
42 * Free a signed information block.
43 */
44static void pkcs7_free_signed_info(struct pkcs7_signed_info *sinfo)
45{
46 if (sinfo) {
47 mpi_free(sinfo->sig.mpi[0]);
48 kfree(sinfo->sig.digest);
David Howells46963b72014-09-16 17:36:13 +0100[diff] [blame]49 kfree(sinfo->signing_cert_id);
David Howells3cd09202014-09-16 17:29:03 +0100[diff] [blame]50 kfree(sinfo);
51 }
52}
53
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]54/**
55 * pkcs7_free_message - Free a PKCS#7 message
56 * @pkcs7: The PKCS#7 message to free
57 */
58void pkcs7_free_message(struct pkcs7_message *pkcs7)
59{
60 struct x509_certificate *cert;
61 struct pkcs7_signed_info *sinfo;
62
63 if (pkcs7) {
64 while (pkcs7->certs) {
65 cert = pkcs7->certs;
66 pkcs7->certs = cert->next;
67 x509_free_certificate(cert);
68 }
69 while (pkcs7->crl) {
70 cert = pkcs7->crl;
71 pkcs7->crl = cert->next;
72 x509_free_certificate(cert);
73 }
74 while (pkcs7->signed_infos) {
75 sinfo = pkcs7->signed_infos;
76 pkcs7->signed_infos = sinfo->next;
David Howells3cd09202014-09-16 17:29:03 +0100[diff] [blame]77 pkcs7_free_signed_info(sinfo);
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]78 }
79 kfree(pkcs7);
80 }
81}
82EXPORT_SYMBOL_GPL(pkcs7_free_message);
83
84/**
85 * pkcs7_parse_message - Parse a PKCS#7 message
86 * @data: The raw binary ASN.1 encoded message to be parsed
87 * @datalen: The size of the encoded message
88 */
89struct pkcs7_message *pkcs7_parse_message(const void *data, size_t datalen)
90{
91 struct pkcs7_parse_context *ctx;
David Howellscecf5d2e2014-09-16 17:29:03 +0100[diff] [blame]92 struct pkcs7_message *msg = ERR_PTR(-ENOMEM);
93 int ret;
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]94
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]95 ctx = kzalloc(sizeof(struct pkcs7_parse_context), GFP_KERNEL);
96 if (!ctx)
David Howellscecf5d2e2014-09-16 17:29:03 +0100[diff] [blame]97 goto out_no_ctx;
98 ctx->msg = kzalloc(sizeof(struct pkcs7_message), GFP_KERNEL);
99 if (!ctx->msg)
100 goto out_no_msg;
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]101 ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL);
102 if (!ctx->sinfo)
David Howellscecf5d2e2014-09-16 17:29:03 +0100[diff] [blame]103 goto out_no_sinfo;
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]104
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]105 ctx->data = (unsigned long)data;
106 ctx->ppcerts = &ctx->certs;
107 ctx->ppsinfo = &ctx->msg->signed_infos;
108
109 /* Attempt to decode the signature */
110 ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen);
David Howellscecf5d2e2014-09-16 17:29:03 +0100[diff] [blame]111 if (ret < 0) {
112 msg = ERR_PTR(ret);
113 goto out;
114 }
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]115
David Howellscecf5d2e2014-09-16 17:29:03 +0100[diff] [blame]116 msg = ctx->msg;
117 ctx->msg = NULL;
118
119out:
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]120 while (ctx->certs) {
121 struct x509_certificate *cert = ctx->certs;
122 ctx->certs = cert->next;
123 x509_free_certificate(cert);
124 }
David Howells3cd09202014-09-16 17:29:03 +0100[diff] [blame]125 pkcs7_free_signed_info(ctx->sinfo);
David Howellscecf5d2e2014-09-16 17:29:03 +0100[diff] [blame]126out_no_sinfo:
127 pkcs7_free_message(ctx->msg);
128out_no_msg:
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]129 kfree(ctx);
David Howellscecf5d2e2014-09-16 17:29:03 +0100[diff] [blame]130out_no_ctx:
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]131 return msg;
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]132}
133EXPORT_SYMBOL_GPL(pkcs7_parse_message);
134
135/**
136 * pkcs7_get_content_data - Get access to the PKCS#7 content
137 * @pkcs7: The preparsed PKCS#7 message to access
138 * @_data: Place to return a pointer to the data
139 * @_data_len: Place to return the data length
140 * @want_wrapper: True if the ASN.1 object header should be included in the data
141 *
142 * Get access to the data content of the PKCS#7 message, including, optionally,
143 * the header of the ASN.1 object that contains it. Returns -ENODATA if the
144 * data object was missing from the message.
145 */
146int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
147 const void **_data, size_t *_data_len,
148 bool want_wrapper)
149{
150 size_t wrapper;
151
152 if (!pkcs7->data)
153 return -ENODATA;
154
155 wrapper = want_wrapper ? pkcs7->data_hdrlen : 0;
156 *_data = pkcs7->data - wrapper;
157 *_data_len = pkcs7->data_len + wrapper;
158 return 0;
159}
160EXPORT_SYMBOL_GPL(pkcs7_get_content_data);
161
162/*
163 * Note an OID when we find one for later processing when we know how
164 * to interpret it.
165 */
166int pkcs7_note_OID(void *context, size_t hdrlen,
167 unsigned char tag,
168 const void *value, size_t vlen)
169{
170 struct pkcs7_parse_context *ctx = context;
171
172 ctx->last_oid = look_up_OID(value, vlen);
173 if (ctx->last_oid == OID__NR) {
174 char buffer[50];
175 sprint_oid(value, vlen, buffer, sizeof(buffer));
176 printk("PKCS7: Unknown OID: [%lu] %s\n",
177 (unsigned long)value - ctx->data, buffer);
178 }
179 return 0;
180}
181
182/*
183 * Note the digest algorithm for the signature.
184 */
185int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
186 unsigned char tag,
187 const void *value, size_t vlen)
188{
189 struct pkcs7_parse_context *ctx = context;
190
191 switch (ctx->last_oid) {
192 case OID_md4:
193 ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_MD4;
194 break;
195 case OID_md5:
196 ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_MD5;
197 break;
198 case OID_sha1:
199 ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_SHA1;
200 break;
201 case OID_sha256:
202 ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_SHA256;
203 break;
204 default:
205 printk("Unsupported digest algo: %u\n", ctx->last_oid);
206 return -ENOPKG;
207 }
208 return 0;
209}
210
211/*
212 * Note the public key algorithm for the signature.
213 */
214int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
215 unsigned char tag,
216 const void *value, size_t vlen)
217{
218 struct pkcs7_parse_context *ctx = context;
219
220 switch (ctx->last_oid) {
221 case OID_rsaEncryption:
222 ctx->sinfo->sig.pkey_algo = PKEY_ALGO_RSA;
223 break;
224 default:
225 printk("Unsupported pkey algo: %u\n", ctx->last_oid);
226 return -ENOPKG;
227 }
228 return 0;
229}
230
231/*
David Howells2c7fd362015-07-20 21:16:31 +0100[diff] [blame]232 * We only support signed data [RFC2315 sec 9].
233 */
234int pkcs7_check_content_type(void *context, size_t hdrlen,
235 unsigned char tag,
236 const void *value, size_t vlen)
237{
238 struct pkcs7_parse_context *ctx = context;
239
240 if (ctx->last_oid != OID_signed_data) {
241 pr_warn("Only support pkcs7_signedData type\n");
242 return -EINVAL;
243 }
244
245 return 0;
246}
247
248/*
249 * Note the SignedData version
250 */
251int pkcs7_note_signeddata_version(void *context, size_t hdrlen,
252 unsigned char tag,
253 const void *value, size_t vlen)
254{
David Howells60d65ca2015-07-20 21:16:33 +0100[diff] [blame^]255 struct pkcs7_parse_context *ctx = context;
David Howells2c7fd362015-07-20 21:16:31 +0100[diff] [blame]256 unsigned version;
257
258 if (vlen != 1)
259 goto unsupported;
260
David Howells60d65ca2015-07-20 21:16:33 +0100[diff] [blame^]261 ctx->msg->version = version = *(const u8 *)value;
David Howells2c7fd362015-07-20 21:16:31 +0100[diff] [blame]262 switch (version) {
263 case 1:
David Howells60d65ca2015-07-20 21:16:33 +0100[diff] [blame^]264 /* PKCS#7 SignedData [RFC2315 sec 9.1]
265 * CMS ver 1 SignedData [RFC5652 sec 5.1]
266 */
267 break;
268 case 3:
269 /* CMS ver 3 SignedData [RFC2315 sec 5.1] */
David Howells2c7fd362015-07-20 21:16:31 +0100[diff] [blame]270 break;
271 default:
272 goto unsupported;
273 }
274
275 return 0;
276
277unsupported:
278 pr_warn("Unsupported SignedData version\n");
279 return -EINVAL;
280}
281
282/*
283 * Note the SignerInfo version
284 */
285int pkcs7_note_signerinfo_version(void *context, size_t hdrlen,
286 unsigned char tag,
287 const void *value, size_t vlen)
288{
David Howells60d65ca2015-07-20 21:16:33 +0100[diff] [blame^]289 struct pkcs7_parse_context *ctx = context;
David Howells2c7fd362015-07-20 21:16:31 +0100[diff] [blame]290 unsigned version;
291
292 if (vlen != 1)
293 goto unsupported;
294
295 version = *(const u8 *)value;
296 switch (version) {
297 case 1:
David Howells60d65ca2015-07-20 21:16:33 +0100[diff] [blame^]298 /* PKCS#7 SignerInfo [RFC2315 sec 9.2]
299 * CMS ver 1 SignerInfo [RFC5652 sec 5.3]
300 */
301 if (ctx->msg->version != 1)
302 goto version_mismatch;
303 ctx->expect_skid = false;
304 break;
305 case 3:
306 /* CMS ver 3 SignerInfo [RFC2315 sec 5.3] */
307 if (ctx->msg->version == 1)
308 goto version_mismatch;
309 ctx->expect_skid = true;
David Howells2c7fd362015-07-20 21:16:31 +0100[diff] [blame]310 break;
311 default:
312 goto unsupported;
313 }
314
315 return 0;
316
317unsupported:
318 pr_warn("Unsupported SignerInfo version\n");
319 return -EINVAL;
David Howells60d65ca2015-07-20 21:16:33 +0100[diff] [blame^]320version_mismatch:
321 pr_warn("SignedData-SignerInfo version mismatch\n");
322 return -EBADMSG;
David Howells2c7fd362015-07-20 21:16:31 +0100[diff] [blame]323}
324
325/*
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]326 * Extract a certificate and store it in the context.
327 */
328int pkcs7_extract_cert(void *context, size_t hdrlen,
329 unsigned char tag,
330 const void *value, size_t vlen)
331{
332 struct pkcs7_parse_context *ctx = context;
333 struct x509_certificate *x509;
334
335 if (tag != ((ASN1_UNIV << 6) | ASN1_CONS_BIT | ASN1_SEQ)) {
336 pr_debug("Cert began with tag %02x at %lu\n",
337 tag, (unsigned long)ctx - ctx->data);
338 return -EBADMSG;
339 }
340
341 /* We have to correct for the header so that the X.509 parser can start
342 * from the beginning. Note that since X.509 stipulates DER, there
343 * probably shouldn't be an EOC trailer - but it is in PKCS#7 (which
344 * stipulates BER).
345 */
346 value -= hdrlen;
347 vlen += hdrlen;
348
349 if (((u8*)value)[1] == 0x80)
350 vlen += 2; /* Indefinite length - there should be an EOC */
351
352 x509 = x509_cert_parse(value, vlen);
353 if (IS_ERR(x509))
354 return PTR_ERR(x509);
355
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]356 x509->index = ++ctx->x509_index;
David Howells46963b72014-09-16 17:36:13 +0100[diff] [blame]357 pr_debug("Got cert %u for %s\n", x509->index, x509->subject);
358 pr_debug("- fingerprint %*phN\n", x509->id->len, x509->id->data);
359
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]360 *ctx->ppcerts = x509;
361 ctx->ppcerts = &x509->next;
362 return 0;
363}
364
365/*
366 * Save the certificate list
367 */
368int pkcs7_note_certificate_list(void *context, size_t hdrlen,
369 unsigned char tag,
370 const void *value, size_t vlen)
371{
372 struct pkcs7_parse_context *ctx = context;
373
374 pr_devel("Got cert list (%02x)\n", tag);
375
376 *ctx->ppcerts = ctx->msg->certs;
377 ctx->msg->certs = ctx->certs;
378 ctx->certs = NULL;
379 ctx->ppcerts = &ctx->certs;
380 return 0;
381}
382
383/*
384 * Extract the data from the message and store that and its content type OID in
385 * the context.
386 */
387int pkcs7_note_data(void *context, size_t hdrlen,
388 unsigned char tag,
389 const void *value, size_t vlen)
390{
391 struct pkcs7_parse_context *ctx = context;
392
393 pr_debug("Got data\n");
394
395 ctx->msg->data = value;
396 ctx->msg->data_len = vlen;
397 ctx->msg->data_hdrlen = hdrlen;
398 ctx->msg->data_type = ctx->last_oid;
399 return 0;
400}
401
402/*
403 * Parse authenticated attributes
404 */
405int pkcs7_sig_note_authenticated_attr(void *context, size_t hdrlen,
406 unsigned char tag,
407 const void *value, size_t vlen)
408{
409 struct pkcs7_parse_context *ctx = context;
410
411 pr_devel("AuthAttr: %02x %zu [%*ph]\n", tag, vlen, (unsigned)vlen, value);
412
413 switch (ctx->last_oid) {
414 case OID_messageDigest:
415 if (tag != ASN1_OTS)
416 return -EBADMSG;
417 ctx->sinfo->msgdigest = value;
418 ctx->sinfo->msgdigest_len = vlen;
419 return 0;
420 default:
421 return 0;
422 }
423}
424
425/*
David Howells2c7fd362015-07-20 21:16:31 +0100[diff] [blame]426 * Note the set of auth attributes for digestion purposes [RFC2315 sec 9.3]
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]427 */
428int pkcs7_sig_note_set_of_authattrs(void *context, size_t hdrlen,
429 unsigned char tag,
430 const void *value, size_t vlen)
431{
432 struct pkcs7_parse_context *ctx = context;
433
434 /* We need to switch the 'CONT 0' to a 'SET OF' when we digest */
435 ctx->sinfo->authattrs = value - (hdrlen - 1);
436 ctx->sinfo->authattrs_len = vlen + (hdrlen - 1);
437 return 0;
438}
439
440/*
441 * Note the issuing certificate serial number
442 */
443int pkcs7_sig_note_serial(void *context, size_t hdrlen,
444 unsigned char tag,
445 const void *value, size_t vlen)
446{
447 struct pkcs7_parse_context *ctx = context;
David Howells46963b72014-09-16 17:36:13 +0100[diff] [blame]448 ctx->raw_serial = value;
449 ctx->raw_serial_size = vlen;
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]450 return 0;
451}
452
453/*
454 * Note the issuer's name
455 */
456int pkcs7_sig_note_issuer(void *context, size_t hdrlen,
457 unsigned char tag,
458 const void *value, size_t vlen)
459{
460 struct pkcs7_parse_context *ctx = context;
David Howells46963b72014-09-16 17:36:13 +0100[diff] [blame]461 ctx->raw_issuer = value;
462 ctx->raw_issuer_size = vlen;
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]463 return 0;
464}
465
466/*
David Howells60d65ca2015-07-20 21:16:33 +0100[diff] [blame^]467 * Note the issuing cert's subjectKeyIdentifier
468 */
469int pkcs7_sig_note_skid(void *context, size_t hdrlen,
470 unsigned char tag,
471 const void *value, size_t vlen)
472{
473 struct pkcs7_parse_context *ctx = context;
474
475 pr_devel("SKID: %02x %zu [%*ph]\n", tag, vlen, (unsigned)vlen, value);
476
477 ctx->raw_skid = value;
478 ctx->raw_skid_size = vlen;
479 return 0;
480}
481
482/*
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]483 * Note the signature data
484 */
485int pkcs7_sig_note_signature(void *context, size_t hdrlen,
486 unsigned char tag,
487 const void *value, size_t vlen)
488{
489 struct pkcs7_parse_context *ctx = context;
490 MPI mpi;
491
492 BUG_ON(ctx->sinfo->sig.pkey_algo != PKEY_ALGO_RSA);
493
494 mpi = mpi_read_raw_data(value, vlen);
495 if (!mpi)
496 return -ENOMEM;
497
498 ctx->sinfo->sig.mpi[0] = mpi;
499 ctx->sinfo->sig.nr_mpi = 1;
500 return 0;
501}
502
503/*
504 * Note a signature information block
505 */
506int pkcs7_note_signed_info(void *context, size_t hdrlen,
507 unsigned char tag,
508 const void *value, size_t vlen)
509{
510 struct pkcs7_parse_context *ctx = context;
David Howells46963b72014-09-16 17:36:13 +0100[diff] [blame]511 struct pkcs7_signed_info *sinfo = ctx->sinfo;
512 struct asymmetric_key_id *kid;
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]513
David Howells46963b72014-09-16 17:36:13 +0100[diff] [blame]514 /* Generate cert issuer + serial number key ID */
David Howells60d65ca2015-07-20 21:16:33 +0100[diff] [blame^]515 if (!ctx->expect_skid) {
516 kid = asymmetric_key_generate_id(ctx->raw_serial,
517 ctx->raw_serial_size,
518 ctx->raw_issuer,
519 ctx->raw_issuer_size);
520 } else {
521 kid = asymmetric_key_generate_id(ctx->raw_skid,
522 ctx->raw_skid_size,
523 "", 0);
524 }
David Howells46963b72014-09-16 17:36:13 +0100[diff] [blame]525 if (IS_ERR(kid))
526 return PTR_ERR(kid);
527
David Howells60d65ca2015-07-20 21:16:33 +0100[diff] [blame^]528 pr_devel("SINFO KID: %u [%*phN]\n", kid->len, kid->len, kid->data);
529
David Howells46963b72014-09-16 17:36:13 +0100[diff] [blame]530 sinfo->signing_cert_id = kid;
531 sinfo->index = ++ctx->sinfo_index;
532 *ctx->ppsinfo = sinfo;
533 ctx->ppsinfo = &sinfo->next;
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]534 ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL);
535 if (!ctx->sinfo)
536 return -ENOMEM;
537 return 0;
538}