From: David Howells <dhowells@redhat.com>
To: rusty@rustcorp.com.au
Cc: dhowells@redhat.com, pjones@redhat.com, jwboyer@redhat.com,
mjg@redhat.com, dmitry.kasatkin@intel.com,
zohar@linux.vnet.ibm.com, keescook@chromium.org,
keyrings@linux-nfs.org, linux-kernel@vger.kernel.org
Subject: [PATCH 14/23] PKCS#7: Verify internal certificate chain
Date: Tue, 30 Oct 2012 19:21:31 +0000 [thread overview]
Message-ID: <20121030192131.11000.1482.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <20121030191927.11000.68420.stgit@warthog.procyon.org.uk>
Verify certificate chain in the X.509 certificates contained within the PKCS#7
message as far as possible. If any signature that we should be able to verify
fails, we reject the whole lot.
Signed-off-by: David Howells <dhowells@redhat.com>
---
crypto/asymmetric_keys/pkcs7_verify.c | 67 +++++++++++++++++++++++++++++++++
crypto/asymmetric_keys/x509_parser.h | 1
2 files changed, 67 insertions(+), 1 deletion(-)
diff --git a/crypto/asymmetric_keys/pkcs7_verify.c b/crypto/asymmetric_keys/pkcs7_verify.c
index 614f2b6..2d729a6 100644
--- a/crypto/asymmetric_keys/pkcs7_verify.c
+++ b/crypto/asymmetric_keys/pkcs7_verify.c
@@ -161,6 +161,70 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7)
}
/*
+ * Verify the internal certificate chain as best we can.
+ */
+static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7)
+{
+ struct x509_certificate *x509 = pkcs7->signer, *p;
+ int ret;
+
+ kenter("");
+
+ for (;;) {
+ pr_debug("verify %s: %s\n", x509->subject, x509->fingerprint);
+ ret = x509_get_sig_params(x509);
+ if (ret < 0)
+ return ret;
+
+ if (x509->issuer)
+ pr_debug("- issuer %s\n", x509->issuer);
+ if (x509->authority)
+ pr_debug("- authkeyid %s\n", x509->authority);
+
+ if (!x509->authority ||
+ (x509->subject &&
+ strcmp(x509->subject, x509->authority) == 0)) {
+ /* If there's no authority certificate specified, then
+ * the certificate must be self-signed and is the root
+ * of the chain. Likewise if the cert is its own
+ * authority.
+ */
+ pr_debug("- no auth?\n");
+ if (x509->raw_subject_size != x509->raw_issuer_size ||
+ memcmp(x509->raw_subject, x509->raw_issuer,
+ x509->raw_issuer_size) != 0)
+ return 0;
+
+ ret = x509_check_signature(x509->pub, x509);
+ if (ret < 0)
+ return ret;
+ x509->signer = x509;
+ pr_debug("- self-signed\n");
+ return 0;
+ }
+
+ for (p = pkcs7->certs; p; p = p->next)
+ if (!p->signer &&
+ p->raw_subject_size == x509->raw_issuer_size &&
+ strcmp(p->fingerprint, x509->authority) == 0 &&
+ memcmp(p->raw_subject, x509->raw_issuer,
+ x509->raw_issuer_size) == 0)
+ goto found_issuer;
+ pr_debug("- top\n");
+ return 0;
+
+ found_issuer:
+ pr_debug("- issuer %s\n", p->subject);
+ ret = x509_check_signature(p->pub, x509);
+ if (ret < 0)
+ return ret;
+ x509->signer = p;
+ x509 = p;
+ might_sleep();
+ }
+}
+
+/*
* Verify a PKCS#7 message
*/
int pkcs7_verify(struct pkcs7_message *pkcs7)
@@ -186,6 +250,7 @@ int pkcs7_verify(struct pkcs7_message *pkcs7)
pr_devel("Verified signature\n");
- return 0;
+ /* Verify the internal certificate chain */
+ return pkcs7_verify_sig_chain(pkcs7);
}
EXPORT_SYMBOL_GPL(pkcs7_verify);
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index 6b1d877..5e35fba 100644
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -14,6 +14,7 @@
struct x509_certificate {
struct x509_certificate *next;
+ const struct x509_certificate *signer; /* Certificate that signed this one */
struct public_key *pub; /* Public key details */
char *issuer; /* Name of certificate issuer */
char *subject; /* Name of certificate subject */
next prev parent reply other threads:[~2012-10-30 19:22 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-30 19:19 [RFC][PATCH 00/23] Load keys from signed PE binaries David Howells
2012-10-30 19:19 ` [PATCH 01/23] KEYS: Rename public key parameter name arrays David Howells
2012-10-30 19:19 ` [PATCH 02/23] KEYS: Move the algorithm pointer array from x509 to public_key.c David Howells
2012-10-30 19:19 ` [PATCH 03/23] KEYS: Store public key algo ID in public_key struct David Howells
2012-10-30 19:20 ` [PATCH 04/23] KEYS: Split public_key_verify_signature() and make available David Howells
2012-10-30 19:20 ` [PATCH 05/23] KEYS: Store public key algo ID in public_key_signature struct David Howells
2012-10-30 19:20 ` [PATCH 06/23] x509: struct x509_certificate needs struct tm declaring David Howells
2012-10-30 19:20 ` [PATCH 07/23] X.509: Add bits needed for PKCS#7 David Howells
2012-10-30 19:20 ` [PATCH 08/23] X.509: Embed public_key_signature struct and create filler function David Howells
2012-10-30 19:20 ` [PATCH 09/23] X.509: Handle certificates that lack an authorityKeyIdentifier field David Howells
2012-10-30 19:20 ` [PATCH 10/23] X.509: Export certificate parse and free functions David Howells
2012-10-30 19:21 ` [PATCH 11/23] PKCS#7: Implement a parser [RFC 2315] David Howells
2012-10-30 19:21 ` [PATCH 12/23] PKCS#7: Digest the data in a signed-data message David Howells
2012-10-30 19:21 ` [PATCH 13/23] PKCS#7: Find the right key in the PKCS#7 key list and verify the signature David Howells
2012-10-30 19:21 ` David Howells [this message]
2012-10-30 19:21 ` [PATCH 15/23] Provide PE binary definitions David Howells
2012-10-30 19:21 ` [PATCH 16/23] pefile: Parse a PE binary to find a key and a signature contained therein David Howells
2012-10-30 21:11 ` Kees Cook
2012-10-31 0:59 ` David Howells
2012-10-31 1:06 ` Kees Cook
2012-10-31 12:31 ` David Howells
2012-10-31 19:48 ` Kees Cook
2012-10-30 19:21 ` [PATCH 17/23] pefile: Strip the wrapper off of the cert data block David Howells
2012-10-30 21:14 ` Kees Cook
2012-10-31 1:03 ` David Howells
2012-10-30 19:22 ` [PATCH 18/23] pefile: Parse the presumed PKCS#7 content of the certificate blob David Howells
2012-10-30 19:22 ` [PATCH 19/23] pefile: Parse the "Microsoft individual code signing" data blob David Howells
2012-10-30 19:22 ` [PATCH 20/23] pefile: Digest the PE binary and compare to the PKCS#7 data David Howells
2012-10-30 21:44 ` Kees Cook
2012-10-30 19:22 ` [PATCH 21/23] PKCS#7: Find intersection between PKCS#7 message and known, trusted keys David Howells
2012-10-30 19:22 ` [PATCH 22/23] PEFILE: Load the contained key if we consider the container to be validly signed David Howells
2012-10-30 19:22 ` [PATCH 23/23] KEYS: Add a 'trusted' flag and a 'trusted only' flag David Howells
2012-10-31 2:20 ` [RFC][PATCH 00/23] Load keys from signed PE binaries Rusty Russell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121030192131.11000.1482.stgit@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=dmitry.kasatkin@intel.com \
--cc=jwboyer@redhat.com \
--cc=keescook@chromium.org \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mjg@redhat.com \
--cc=pjones@redhat.com \
--cc=rusty@rustcorp.com.au \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox