2019-05-20 19:08:01 +02:00
// SPDX-License-Identifier: GPL-2.0-or-later
2014-07-01 16:40:20 +01:00
/* Validate the trust chain of a PKCS#7 message.
*
* Copyright ( C ) 2012 Red Hat , Inc . All Rights Reserved .
* Written by David Howells ( dhowells @ redhat . com )
*/
# define pr_fmt(fmt) "PKCS7: "fmt
# include <linux/kernel.h>
# include <linux/export.h>
# include <linux/slab.h>
# include <linux/err.h>
# include <linux/asn1.h>
# include <linux/key.h>
# include <keys/asymmetric-type.h>
2016-02-02 10:08:53 -08:00
# include <crypto/public_key.h>
2014-07-01 16:40:20 +01:00
# include "pkcs7_parser.h"
2020-11-13 16:58:15 +08:00
/*
2014-07-01 16:40:20 +01:00
* Check the trust on one PKCS # 7 SignedInfo block .
*/
2014-09-16 17:07:07 +01:00
static int pkcs7_validate_trust_one ( struct pkcs7_message * pkcs7 ,
struct pkcs7_signed_info * sinfo ,
struct key * trust_keyring )
2014-07-01 16:40:20 +01:00
{
2016-04-06 16:13:33 +01:00
struct public_key_signature * sig = sinfo - > sig ;
2014-07-01 16:40:20 +01:00
struct x509_certificate * x509 , * last = NULL , * p ;
struct key * key ;
int ret ;
kenter ( " ,%u, " , sinfo - > index ) ;
2014-09-16 17:36:15 +01:00
if ( sinfo - > unsupported_crypto ) {
kleave ( " = -ENOPKG [cached] " ) ;
return - ENOPKG ;
}
2014-07-01 16:40:20 +01:00
for ( x509 = sinfo - > signer ; x509 ; x509 = x509 - > signer ) {
if ( x509 - > seen ) {
2016-04-06 16:14:24 +01:00
if ( x509 - > verified )
2014-07-01 16:40:20 +01:00
goto verified ;
kleave ( " = -ENOKEY [cached] " ) ;
return - ENOKEY ;
}
x509 - > seen = true ;
/* Look to see if this certificate is present in the trusted
* keys .
*/
2016-04-06 16:14:25 +01:00
key = find_asymmetric_key ( trust_keyring ,
2021-11-09 16:16:49 +01:00
x509 - > id , x509 - > skid , NULL , false ) ;
2014-09-16 17:36:17 +01:00
if ( ! IS_ERR ( key ) ) {
2014-07-01 16:40:20 +01:00
/* One of the X.509 certificates in the PKCS#7 message
* is apparently the same as one we already trust .
* Verify that the trusted variant can also validate
* the signature on the descendant .
*/
2014-09-16 17:36:17 +01:00
pr_devel ( " sinfo %u: Cert %u as key %x \n " ,
sinfo - > index , x509 - > index , key_serial ( key ) ) ;
2014-07-01 16:40:20 +01:00
goto matched ;
2014-09-16 17:36:17 +01:00
}
2014-07-01 16:40:20 +01:00
if ( key = = ERR_PTR ( - ENOMEM ) )
return - ENOMEM ;
/* Self-signed certificates form roots of their own, and if we
* don ' t know them , then we can ' t accept them .
*/
2017-12-08 15:13:28 +00:00
if ( x509 - > signer = = x509 ) {
2014-07-01 16:40:20 +01:00
kleave ( " = -ENOKEY [unknown self-signed] " ) ;
return - ENOKEY ;
}
might_sleep ( ) ;
last = x509 ;
2016-04-06 16:13:33 +01:00
sig = last - > sig ;
2014-07-01 16:40:20 +01:00
}
/* No match - see if the root certificate has a signer amongst the
* trusted keys .
*/
2016-04-06 16:13:33 +01:00
if ( last & & ( last - > sig - > auth_ids [ 0 ] | | last - > sig - > auth_ids [ 1 ] ) ) {
2016-04-06 16:14:25 +01:00
key = find_asymmetric_key ( trust_keyring ,
last - > sig - > auth_ids [ 0 ] ,
last - > sig - > auth_ids [ 1 ] ,
2021-11-09 16:16:49 +01:00
NULL , false ) ;
2014-09-16 17:36:17 +01:00
if ( ! IS_ERR ( key ) ) {
x509 = last ;
pr_devel ( " sinfo %u: Root cert %u signer is key %x \n " ,
sinfo - > index , x509 - > index , key_serial ( key ) ) ;
goto matched ;
}
if ( PTR_ERR ( key ) ! = - ENOKEY )
return PTR_ERR ( key ) ;
2014-07-01 16:40:20 +01:00
}
2014-09-16 17:36:17 +01:00
/* As a last resort, see if we have a trusted public key that matches
* the signed info directly .
*/
2016-04-06 16:14:25 +01:00
key = find_asymmetric_key ( trust_keyring ,
2021-11-09 16:16:49 +01:00
sinfo - > sig - > auth_ids [ 0 ] , NULL , NULL , false ) ;
2014-09-16 17:36:17 +01:00
if ( ! IS_ERR ( key ) ) {
pr_devel ( " sinfo %u: Direct signer is key %x \n " ,
sinfo - > index , key_serial ( key ) ) ;
x509 = NULL ;
2018-02-22 14:38:33 +00:00
sig = sinfo - > sig ;
2014-09-16 17:36:17 +01:00
goto matched ;
}
if ( PTR_ERR ( key ) ! = - ENOKEY )
return PTR_ERR ( key ) ;
kleave ( " = -ENOKEY [no backref] " ) ;
return - ENOKEY ;
2014-07-01 16:40:20 +01:00
matched :
ret = verify_signature ( key , sig ) ;
key_put ( key ) ;
if ( ret < 0 ) {
if ( ret = = - ENOMEM )
return ret ;
kleave ( " = -EKEYREJECTED [verify %d] " , ret ) ;
return - EKEYREJECTED ;
}
verified :
2014-09-16 17:36:17 +01:00
if ( x509 ) {
x509 - > verified = true ;
2016-04-06 16:14:24 +01:00
for ( p = sinfo - > signer ; p ! = x509 ; p = p - > signer )
2014-09-16 17:36:17 +01:00
p - > verified = true ;
2014-07-01 16:40:20 +01:00
}
kleave ( " = 0 " ) ;
return 0 ;
}
/**
* pkcs7_validate_trust - Validate PKCS # 7 trust chain
* @ pkcs7 : The PKCS # 7 certificate to validate
* @ trust_keyring : Signing certificates to use as starting points
*
* Validate that the certificate chain inside the PKCS # 7 message intersects
* keys we already know and trust .
*
* Returns , in order of descending priority :
*
* ( * ) - EKEYREJECTED if a signature failed to match for which we have a valid
* key , or :
*
* ( * ) 0 if at least one signature chain intersects with the keys in the trust
* keyring , or :
*
* ( * ) - ENOPKG if a suitable crypto module couldn ' t be found for a check on a
* chain .
*
* ( * ) - ENOKEY if we couldn ' t find a match for any of the signature chains in
* the message .
*
* May also return - ENOMEM .
*/
int pkcs7_validate_trust ( struct pkcs7_message * pkcs7 ,
2016-04-06 16:14:24 +01:00
struct key * trust_keyring )
2014-07-01 16:40:20 +01:00
{
struct pkcs7_signed_info * sinfo ;
struct x509_certificate * p ;
2014-09-16 17:36:15 +01:00
int cached_ret = - ENOKEY ;
int ret ;
2014-07-01 16:40:20 +01:00
for ( p = pkcs7 - > certs ; p ; p = p - > next )
p - > seen = false ;
for ( sinfo = pkcs7 - > signed_infos ; sinfo ; sinfo = sinfo - > next ) {
ret = pkcs7_validate_trust_one ( pkcs7 , sinfo , trust_keyring ) ;
2014-09-16 17:36:15 +01:00
switch ( ret ) {
case - ENOKEY :
continue ;
case - ENOPKG :
if ( cached_ret = = - ENOKEY )
2014-07-01 16:40:20 +01:00
cached_ret = - ENOPKG ;
2014-09-16 17:36:15 +01:00
continue ;
case 0 :
cached_ret = 0 ;
continue ;
default :
return ret ;
2014-07-01 16:40:20 +01:00
}
}
return cached_ret ;
}
EXPORT_SYMBOL_GPL ( pkcs7_validate_trust ) ;