From: David Howells <dhowells@redhat.com>
To: rusty@rustcorp.com.au
Cc: dhowells@redhat.com, pjones@redhat.com, jwboyer@redhat.com,
mjg@redhat.com, dmitry.kasatkin@intel.com,
zohar@linux.vnet.ibm.com, keescook@chromium.org,
keyrings@linux-nfs.org, linux-kernel@vger.kernel.org
Subject: [PATCH 21/23] PKCS#7: Find intersection between PKCS#7 message and known, trusted keys
Date: Tue, 30 Oct 2012 19:22:31 +0000 [thread overview]
Message-ID: <20121030192231.11000.99669.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <20121030191927.11000.68420.stgit@warthog.procyon.org.uk>
Find the intersection between the X.509 certificate chain contained in a PKCS#7
message and a set of keys that we already know and trust.
Signed-off-by: David Howells <dhowells@redhat.com>
---
crypto/asymmetric_keys/Makefile | 1
crypto/asymmetric_keys/pefile_parser.c | 6 +
crypto/asymmetric_keys/pkcs7_parser.h | 6 +
crypto/asymmetric_keys/pkcs7_trust.c | 145 ++++++++++++++++++++++++++++++++
kernel/modsign_pubkey.c | 1
5 files changed, 159 insertions(+)
create mode 100644 crypto/asymmetric_keys/pkcs7_trust.c
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index 566dd45..ddc64bb 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -33,6 +33,7 @@ obj-$(CONFIG_PKCS7_MESSAGE_PARSER) += pkcs7_message.o
pkcs7_message-y := \
pkcs7-asn1.o \
pkcs7_parser.o \
+ pkcs7_trust.o \
pkcs7_verify.o
$(obj)/pkcs7_parser.o: $(obj)/pkcs7-asn1.h
diff --git a/crypto/asymmetric_keys/pefile_parser.c b/crypto/asymmetric_keys/pefile_parser.c
index 9ede195..1ab1890 100644
--- a/crypto/asymmetric_keys/pefile_parser.c
+++ b/crypto/asymmetric_keys/pefile_parser.c
@@ -23,6 +23,8 @@
#include "public_key.h"
#include "pefile_parser.h"
+extern struct key *modsign_keyring;
+
/*
* Parse a PE binary.
*/
@@ -428,6 +430,10 @@ static int pefile_key_preparse(struct key_preparsed_payload *prep)
if (ret < 0)
goto error;
+ ret = pkcs7_validate_trust(pkcs7, modsign_keyring);
+ if (ret < 0)
+ goto error;
+
ret = -ENOANO; // Not yet complete
error:
diff --git a/crypto/asymmetric_keys/pkcs7_parser.h b/crypto/asymmetric_keys/pkcs7_parser.h
index 5415857..f6df500 100644
--- a/crypto/asymmetric_keys/pkcs7_parser.h
+++ b/crypto/asymmetric_keys/pkcs7_parser.h
@@ -60,6 +60,12 @@ extern struct pkcs7_message *pkcs7_parse_message(const void *data,
extern void pkcs7_free_message(struct pkcs7_message *pkcs7);
/*
+ * pkcs7_trust.c
+ */
+extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
+ struct key *trust_keyring);
+
+/*
* pkcs7_verify.c
*/
extern int pkcs7_verify(struct pkcs7_message *pkcs7);
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c
new file mode 100644
index 0000000..9abcb39
--- /dev/null
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -0,0 +1,145 @@
+/* Validate the trust chain of a PKCS#7 message.
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#define pr_fmt(fmt) "PKCS7: "fmt
+#include <linux/kernel.h>
+#include <linux/export.h>
+#include <linux/slab.h>
+#include <linux/err.h>
+#include <linux/asn1.h>
+#include <linux/key.h>
+#include <keys/asymmetric-type.h>
+#include "public_key.h"
+#include "pkcs7_parser.h"
+
+/*
+ * Request an asymmetric key.
+ */
+static struct key *pkcs7_request_asymmetric_key(
+ struct key *keyring,
+ const char *signer, size_t signer_len,
+ const char *authority, size_t auth_len)
+{
+ key_ref_t key;
+ char *id;
+
+ kenter(",%zu,,%zu", signer_len, auth_len);
+
+ /* Construct an identifier. */
+ id = kmalloc(signer_len + 2 + auth_len + 1, GFP_KERNEL);
+ if (!id)
+ return ERR_PTR(-ENOMEM);
+
+ memcpy(id, signer, signer_len);
+ id[signer_len + 0] = ':';
+ id[signer_len + 1] = ' ';
+ memcpy(id + signer_len + 2, authority, auth_len);
+ id[signer_len + 2 + auth_len] = 0;
+
+ pr_debug("Look up: \"%s\"\n", id);
+
+ key = keyring_search(make_key_ref(keyring, 1),
+ &key_type_asymmetric, id);
+ if (IS_ERR(key))
+ pr_debug("Request for module key '%s' err %ld\n",
+ id, PTR_ERR(key));
+ kfree(id);
+
+ if (IS_ERR(key)) {
+ switch (PTR_ERR(key)) {
+ /* Hide some search errors */
+ case -EACCES:
+ case -ENOTDIR:
+ case -EAGAIN:
+ return ERR_PTR(-ENOKEY);
+ default:
+ return ERR_CAST(key);
+ }
+ }
+
+ pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key_ref_to_ptr(key)));
+ return key_ref_to_ptr(key);
+}
+
+/*
+ * Validate that the certificate chain inside the PKCS#7 message intersects
+ * keys we already know and trust.
+ */
+int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
+ struct key *trust_keyring)
+{
+ struct public_key_signature *sig = &pkcs7->sig;
+ struct x509_certificate *x509, *last = NULL;
+ struct key *key;
+ int ret;
+
+ kenter("");
+
+ for (x509 = pkcs7->signer; x509; x509 = x509->next) {
+ /* Look to see if this certificate is present in the trusted
+ * keys.
+ */
+ key = pkcs7_request_asymmetric_key(
+ trust_keyring,
+ x509->subject, strlen(x509->subject),
+ x509->fingerprint, strlen(x509->fingerprint));
+ if (!IS_ERR(key))
+ /* One of the X.509 certificates in the PKCS#7 message
+ * is apparently the same as one we already trust.
+ * Verify that the trusted variant can also validate
+ * the signature on the descendent.
+ */
+ goto matched;
+ if (key == ERR_PTR(-ENOMEM))
+ return -ENOMEM;
+
+ /* Self-signed certificates form roots of their own, and if we
+ * don't know them, then we can't accept them.
+ */
+ if (x509->next == x509) {
+ kleave(" = -EKEYREJECTED [unknown self-signed]");
+ return -EKEYREJECTED;
+ }
+
+ might_sleep();
+ last = x509;
+ sig = &last->sig;
+ }
+
+ /* No match - see if the root certificate has a signer amongst the
+ * trusted keys.
+ */
+ if (!last || !last->issuer || !last->authority) {
+ kleave(" = -EKEYREJECTED [no backref]");
+ return -EKEYREJECTED;
+ }
+
+ key = pkcs7_request_asymmetric_key(
+ trust_keyring,
+ last->issuer, strlen(last->issuer),
+ last->authority, strlen(last->authority));
+ if (IS_ERR(key))
+ return PTR_ERR(key) == -ENOMEM ? -ENOMEM : -EKEYREJECTED;
+
+matched:
+ ret = verify_signature(key, sig);
+ key_put(key);
+ if (ret < 0) {
+ if (ret == -ENOMEM)
+ return ret;
+ kleave(" = -EKEYREJECTED [verify %d]", ret);
+ return -EKEYREJECTED;
+ }
+
+ kleave(" = 0");
+ return 0;
+}
+EXPORT_SYMBOL_GPL(pkcs7_validate_trust);
diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c
index 4646eb2..602be22 100644
--- a/kernel/modsign_pubkey.c
+++ b/kernel/modsign_pubkey.c
@@ -17,6 +17,7 @@
#include "module-internal.h"
struct key *modsign_keyring;
+EXPORT_SYMBOL_GPL(modsign_keyring);
extern __initdata const u8 modsign_certificate_list[];
extern __initdata const u8 modsign_certificate_list_end[];
next prev parent reply other threads:[~2012-10-30 19:22 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-30 19:19 [RFC][PATCH 00/23] Load keys from signed PE binaries David Howells
2012-10-30 19:19 ` [PATCH 01/23] KEYS: Rename public key parameter name arrays David Howells
2012-10-30 19:19 ` [PATCH 02/23] KEYS: Move the algorithm pointer array from x509 to public_key.c David Howells
2012-10-30 19:19 ` [PATCH 03/23] KEYS: Store public key algo ID in public_key struct David Howells
2012-10-30 19:20 ` [PATCH 04/23] KEYS: Split public_key_verify_signature() and make available David Howells
2012-10-30 19:20 ` [PATCH 05/23] KEYS: Store public key algo ID in public_key_signature struct David Howells
2012-10-30 19:20 ` [PATCH 06/23] x509: struct x509_certificate needs struct tm declaring David Howells
2012-10-30 19:20 ` [PATCH 07/23] X.509: Add bits needed for PKCS#7 David Howells
2012-10-30 19:20 ` [PATCH 08/23] X.509: Embed public_key_signature struct and create filler function David Howells
2012-10-30 19:20 ` [PATCH 09/23] X.509: Handle certificates that lack an authorityKeyIdentifier field David Howells
2012-10-30 19:20 ` [PATCH 10/23] X.509: Export certificate parse and free functions David Howells
2012-10-30 19:21 ` [PATCH 11/23] PKCS#7: Implement a parser [RFC 2315] David Howells
2012-10-30 19:21 ` [PATCH 12/23] PKCS#7: Digest the data in a signed-data message David Howells
2012-10-30 19:21 ` [PATCH 13/23] PKCS#7: Find the right key in the PKCS#7 key list and verify the signature David Howells
2012-10-30 19:21 ` [PATCH 14/23] PKCS#7: Verify internal certificate chain David Howells
2012-10-30 19:21 ` [PATCH 15/23] Provide PE binary definitions David Howells
2012-10-30 19:21 ` [PATCH 16/23] pefile: Parse a PE binary to find a key and a signature contained therein David Howells
2012-10-30 21:11 ` Kees Cook
2012-10-31 0:59 ` David Howells
2012-10-31 1:06 ` Kees Cook
2012-10-31 12:31 ` David Howells
2012-10-31 19:48 ` Kees Cook
2012-10-30 19:21 ` [PATCH 17/23] pefile: Strip the wrapper off of the cert data block David Howells
2012-10-30 21:14 ` Kees Cook
2012-10-31 1:03 ` David Howells
2012-10-30 19:22 ` [PATCH 18/23] pefile: Parse the presumed PKCS#7 content of the certificate blob David Howells
2012-10-30 19:22 ` [PATCH 19/23] pefile: Parse the "Microsoft individual code signing" data blob David Howells
2012-10-30 19:22 ` [PATCH 20/23] pefile: Digest the PE binary and compare to the PKCS#7 data David Howells
2012-10-30 21:44 ` Kees Cook
2012-10-30 19:22 ` David Howells [this message]
2012-10-30 19:22 ` [PATCH 22/23] PEFILE: Load the contained key if we consider the container to be validly signed David Howells
2012-10-30 19:22 ` [PATCH 23/23] KEYS: Add a 'trusted' flag and a 'trusted only' flag David Howells
2012-10-31 2:20 ` [RFC][PATCH 00/23] Load keys from signed PE binaries Rusty Russell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121030192231.11000.99669.stgit@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=dmitry.kasatkin@intel.com \
--cc=jwboyer@redhat.com \
--cc=keescook@chromium.org \
--cc=keyrings@linux-nfs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mjg@redhat.com \
--cc=pjones@redhat.com \
--cc=rusty@rustcorp.com.au \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox