Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / mainline / linux / 7901c1a8effbe5f89673bfc09d6e37b8f334f1a7 / . / crypto / asymmetric_keys / pkcs7_parser.c
blob: 1e9861da7ee4daeaa9d3bff0d666d028995ff92d [file] [log] [blame]
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]1/* PKCS#7 parser
2 *
3 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public Licence
8 * as published by the Free Software Foundation; either version
9 * 2 of the Licence, or (at your option) any later version.
10 */
11
12#define pr_fmt(fmt) "PKCS7: "fmt
13#include <linux/kernel.h>
14#include <linux/export.h>
15#include <linux/slab.h>
16#include <linux/err.h>
17#include <linux/oid_registry.h>
18#include "public_key.h"
19#include "pkcs7_parser.h"
20#include "pkcs7-asn1.h"
21
22struct pkcs7_parse_context {
23 struct pkcs7_message *msg; /* Message being constructed */
24 struct pkcs7_signed_info *sinfo; /* SignedInfo being constructed */
25 struct pkcs7_signed_info **ppsinfo;
26 struct x509_certificate *certs; /* Certificate cache */
27 struct x509_certificate **ppcerts;
28 unsigned long data; /* Start of data */
29 enum OID last_oid; /* Last OID encountered */
30 unsigned x509_index;
31 unsigned sinfo_index;
32};
33
David Howells3cd09202014-09-16 17:29:03 +0100[diff] [blame]34/*
35 * Free a signed information block.
36 */
37static void pkcs7_free_signed_info(struct pkcs7_signed_info *sinfo)
38{
39 if (sinfo) {
40 mpi_free(sinfo->sig.mpi[0]);
41 kfree(sinfo->sig.digest);
42 kfree(sinfo);
43 }
44}
45
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]46/**
47 * pkcs7_free_message - Free a PKCS#7 message
48 * @pkcs7: The PKCS#7 message to free
49 */
50void pkcs7_free_message(struct pkcs7_message *pkcs7)
51{
52 struct x509_certificate *cert;
53 struct pkcs7_signed_info *sinfo;
54
55 if (pkcs7) {
56 while (pkcs7->certs) {
57 cert = pkcs7->certs;
58 pkcs7->certs = cert->next;
59 x509_free_certificate(cert);
60 }
61 while (pkcs7->crl) {
62 cert = pkcs7->crl;
63 pkcs7->crl = cert->next;
64 x509_free_certificate(cert);
65 }
66 while (pkcs7->signed_infos) {
67 sinfo = pkcs7->signed_infos;
68 pkcs7->signed_infos = sinfo->next;
David Howells3cd09202014-09-16 17:29:03 +0100[diff] [blame]69 pkcs7_free_signed_info(sinfo);
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]70 }
71 kfree(pkcs7);
72 }
73}
74EXPORT_SYMBOL_GPL(pkcs7_free_message);
75
76/**
77 * pkcs7_parse_message - Parse a PKCS#7 message
78 * @data: The raw binary ASN.1 encoded message to be parsed
79 * @datalen: The size of the encoded message
80 */
81struct pkcs7_message *pkcs7_parse_message(const void *data, size_t datalen)
82{
83 struct pkcs7_parse_context *ctx;
David Howellscecf5d2e2014-09-16 17:29:03 +0100[diff] [blame]84 struct pkcs7_message *msg = ERR_PTR(-ENOMEM);
85 int ret;
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]86
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]87 ctx = kzalloc(sizeof(struct pkcs7_parse_context), GFP_KERNEL);
88 if (!ctx)
David Howellscecf5d2e2014-09-16 17:29:03 +0100[diff] [blame]89 goto out_no_ctx;
90 ctx->msg = kzalloc(sizeof(struct pkcs7_message), GFP_KERNEL);
91 if (!ctx->msg)
92 goto out_no_msg;
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]93 ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL);
94 if (!ctx->sinfo)
David Howellscecf5d2e2014-09-16 17:29:03 +0100[diff] [blame]95 goto out_no_sinfo;
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]96
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]97 ctx->data = (unsigned long)data;
98 ctx->ppcerts = &ctx->certs;
99 ctx->ppsinfo = &ctx->msg->signed_infos;
100
101 /* Attempt to decode the signature */
102 ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen);
David Howellscecf5d2e2014-09-16 17:29:03 +0100[diff] [blame]103 if (ret < 0) {
104 msg = ERR_PTR(ret);
105 goto out;
106 }
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]107
David Howellscecf5d2e2014-09-16 17:29:03 +0100[diff] [blame]108 msg = ctx->msg;
109 ctx->msg = NULL;
110
111out:
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]112 while (ctx->certs) {
113 struct x509_certificate *cert = ctx->certs;
114 ctx->certs = cert->next;
115 x509_free_certificate(cert);
116 }
David Howells3cd09202014-09-16 17:29:03 +0100[diff] [blame]117 pkcs7_free_signed_info(ctx->sinfo);
David Howellscecf5d2e2014-09-16 17:29:03 +0100[diff] [blame]118out_no_sinfo:
119 pkcs7_free_message(ctx->msg);
120out_no_msg:
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]121 kfree(ctx);
David Howellscecf5d2e2014-09-16 17:29:03 +0100[diff] [blame]122out_no_ctx:
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]123 return msg;
David Howells2e3fadb2014-07-01 16:40:19 +0100[diff] [blame]124}
125EXPORT_SYMBOL_GPL(pkcs7_parse_message);
126
127/**
128 * pkcs7_get_content_data - Get access to the PKCS#7 content
129 * @pkcs7: The preparsed PKCS#7 message to access
130 * @_data: Place to return a pointer to the data
131 * @_data_len: Place to return the data length
132 * @want_wrapper: True if the ASN.1 object header should be included in the data
133 *
134 * Get access to the data content of the PKCS#7 message, including, optionally,
135 * the header of the ASN.1 object that contains it. Returns -ENODATA if the
136 * data object was missing from the message.
137 */
138int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
139 const void **_data, size_t *_data_len,
140 bool want_wrapper)
141{
142 size_t wrapper;
143
144 if (!pkcs7->data)
145 return -ENODATA;
146
147 wrapper = want_wrapper ? pkcs7->data_hdrlen : 0;
148 *_data = pkcs7->data - wrapper;
149 *_data_len = pkcs7->data_len + wrapper;
150 return 0;
151}
152EXPORT_SYMBOL_GPL(pkcs7_get_content_data);
153
154/*
155 * Note an OID when we find one for later processing when we know how
156 * to interpret it.
157 */
158int pkcs7_note_OID(void *context, size_t hdrlen,
159 unsigned char tag,
160 const void *value, size_t vlen)
161{
162 struct pkcs7_parse_context *ctx = context;
163
164 ctx->last_oid = look_up_OID(value, vlen);
165 if (ctx->last_oid == OID__NR) {
166 char buffer[50];
167 sprint_oid(value, vlen, buffer, sizeof(buffer));
168 printk("PKCS7: Unknown OID: [%lu] %s\n",
169 (unsigned long)value - ctx->data, buffer);
170 }
171 return 0;
172}
173
174/*
175 * Note the digest algorithm for the signature.
176 */
177int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
178 unsigned char tag,
179 const void *value, size_t vlen)
180{
181 struct pkcs7_parse_context *ctx = context;
182
183 switch (ctx->last_oid) {
184 case OID_md4:
185 ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_MD4;
186 break;
187 case OID_md5:
188 ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_MD5;
189 break;
190 case OID_sha1:
191 ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_SHA1;
192 break;
193 case OID_sha256:
194 ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_SHA256;
195 break;
196 default:
197 printk("Unsupported digest algo: %u\n", ctx->last_oid);
198 return -ENOPKG;
199 }
200 return 0;
201}
202
203/*
204 * Note the public key algorithm for the signature.
205 */
206int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
207 unsigned char tag,
208 const void *value, size_t vlen)
209{
210 struct pkcs7_parse_context *ctx = context;
211
212 switch (ctx->last_oid) {
213 case OID_rsaEncryption:
214 ctx->sinfo->sig.pkey_algo = PKEY_ALGO_RSA;
215 break;
216 default:
217 printk("Unsupported pkey algo: %u\n", ctx->last_oid);
218 return -ENOPKG;
219 }
220 return 0;
221}
222
223/*
224 * Extract a certificate and store it in the context.
225 */
226int pkcs7_extract_cert(void *context, size_t hdrlen,
227 unsigned char tag,
228 const void *value, size_t vlen)
229{
230 struct pkcs7_parse_context *ctx = context;
231 struct x509_certificate *x509;
232
233 if (tag != ((ASN1_UNIV << 6) | ASN1_CONS_BIT | ASN1_SEQ)) {
234 pr_debug("Cert began with tag %02x at %lu\n",
235 tag, (unsigned long)ctx - ctx->data);
236 return -EBADMSG;
237 }
238
239 /* We have to correct for the header so that the X.509 parser can start
240 * from the beginning. Note that since X.509 stipulates DER, there
241 * probably shouldn't be an EOC trailer - but it is in PKCS#7 (which
242 * stipulates BER).
243 */
244 value -= hdrlen;
245 vlen += hdrlen;
246
247 if (((u8*)value)[1] == 0x80)
248 vlen += 2; /* Indefinite length - there should be an EOC */
249
250 x509 = x509_cert_parse(value, vlen);
251 if (IS_ERR(x509))
252 return PTR_ERR(x509);
253
254 pr_debug("Got cert for %s\n", x509->subject);
255 pr_debug("- fingerprint %s\n", x509->fingerprint);
256
257 x509->index = ++ctx->x509_index;
258 *ctx->ppcerts = x509;
259 ctx->ppcerts = &x509->next;
260 return 0;
261}
262
263/*
264 * Save the certificate list
265 */
266int pkcs7_note_certificate_list(void *context, size_t hdrlen,
267 unsigned char tag,
268 const void *value, size_t vlen)
269{
270 struct pkcs7_parse_context *ctx = context;
271
272 pr_devel("Got cert list (%02x)\n", tag);
273
274 *ctx->ppcerts = ctx->msg->certs;
275 ctx->msg->certs = ctx->certs;
276 ctx->certs = NULL;
277 ctx->ppcerts = &ctx->certs;
278 return 0;
279}
280
281/*
282 * Extract the data from the message and store that and its content type OID in
283 * the context.
284 */
285int pkcs7_note_data(void *context, size_t hdrlen,
286 unsigned char tag,
287 const void *value, size_t vlen)
288{
289 struct pkcs7_parse_context *ctx = context;
290
291 pr_debug("Got data\n");
292
293 ctx->msg->data = value;
294 ctx->msg->data_len = vlen;
295 ctx->msg->data_hdrlen = hdrlen;
296 ctx->msg->data_type = ctx->last_oid;
297 return 0;
298}
299
300/*
301 * Parse authenticated attributes
302 */
303int pkcs7_sig_note_authenticated_attr(void *context, size_t hdrlen,
304 unsigned char tag,
305 const void *value, size_t vlen)
306{
307 struct pkcs7_parse_context *ctx = context;
308
309 pr_devel("AuthAttr: %02x %zu [%*ph]\n", tag, vlen, (unsigned)vlen, value);
310
311 switch (ctx->last_oid) {
312 case OID_messageDigest:
313 if (tag != ASN1_OTS)
314 return -EBADMSG;
315 ctx->sinfo->msgdigest = value;
316 ctx->sinfo->msgdigest_len = vlen;
317 return 0;
318 default:
319 return 0;
320 }
321}
322
323/*
324 * Note the set of auth attributes for digestion purposes [RFC2315 9.3]
325 */
326int pkcs7_sig_note_set_of_authattrs(void *context, size_t hdrlen,
327 unsigned char tag,
328 const void *value, size_t vlen)
329{
330 struct pkcs7_parse_context *ctx = context;
331
332 /* We need to switch the 'CONT 0' to a 'SET OF' when we digest */
333 ctx->sinfo->authattrs = value - (hdrlen - 1);
334 ctx->sinfo->authattrs_len = vlen + (hdrlen - 1);
335 return 0;
336}
337
338/*
339 * Note the issuing certificate serial number
340 */
341int pkcs7_sig_note_serial(void *context, size_t hdrlen,
342 unsigned char tag,
343 const void *value, size_t vlen)
344{
345 struct pkcs7_parse_context *ctx = context;
346 ctx->sinfo->raw_serial = value;
347 ctx->sinfo->raw_serial_size = vlen;
348 return 0;
349}
350
351/*
352 * Note the issuer's name
353 */
354int pkcs7_sig_note_issuer(void *context, size_t hdrlen,
355 unsigned char tag,
356 const void *value, size_t vlen)
357{
358 struct pkcs7_parse_context *ctx = context;
359 ctx->sinfo->raw_issuer = value;
360 ctx->sinfo->raw_issuer_size = vlen;
361 return 0;
362}
363
364/*
365 * Note the signature data
366 */
367int pkcs7_sig_note_signature(void *context, size_t hdrlen,
368 unsigned char tag,
369 const void *value, size_t vlen)
370{
371 struct pkcs7_parse_context *ctx = context;
372 MPI mpi;
373
374 BUG_ON(ctx->sinfo->sig.pkey_algo != PKEY_ALGO_RSA);
375
376 mpi = mpi_read_raw_data(value, vlen);
377 if (!mpi)
378 return -ENOMEM;
379
380 ctx->sinfo->sig.mpi[0] = mpi;
381 ctx->sinfo->sig.nr_mpi = 1;
382 return 0;
383}
384
385/*
386 * Note a signature information block
387 */
388int pkcs7_note_signed_info(void *context, size_t hdrlen,
389 unsigned char tag,
390 const void *value, size_t vlen)
391{
392 struct pkcs7_parse_context *ctx = context;
393
394 ctx->sinfo->index = ++ctx->sinfo_index;
395 *ctx->ppsinfo = ctx->sinfo;
396 ctx->ppsinfo = &ctx->sinfo->next;
397 ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL);
398 if (!ctx->sinfo)
399 return -ENOMEM;
400 return 0;
401}