Commit | Line | Data |
---|---|---|
2e3fadbf DH |
1 | /* PKCS#7 parser |
2 | * | |
3 | * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. | |
4 | * Written by David Howells (dhowells@redhat.com) | |
5 | * | |
6 | * This program is free software; you can redistribute it and/or | |
7 | * modify it under the terms of the GNU General Public Licence | |
8 | * as published by the Free Software Foundation; either version | |
9 | * 2 of the Licence, or (at your option) any later version. | |
10 | */ | |
11 | ||
12 | #define pr_fmt(fmt) "PKCS7: "fmt | |
13 | #include <linux/kernel.h> | |
14 | #include <linux/export.h> | |
15 | #include <linux/slab.h> | |
16 | #include <linux/err.h> | |
17 | #include <linux/oid_registry.h> | |
db6c43bd | 18 | #include <crypto/public_key.h> |
2e3fadbf DH |
19 | #include "pkcs7_parser.h" |
20 | #include "pkcs7-asn1.h" | |
21 | ||
22 | struct pkcs7_parse_context { | |
23 | struct pkcs7_message *msg; /* Message being constructed */ | |
24 | struct pkcs7_signed_info *sinfo; /* SignedInfo being constructed */ | |
25 | struct pkcs7_signed_info **ppsinfo; | |
26 | struct x509_certificate *certs; /* Certificate cache */ | |
27 | struct x509_certificate **ppcerts; | |
28 | unsigned long data; /* Start of data */ | |
29 | enum OID last_oid; /* Last OID encountered */ | |
30 | unsigned x509_index; | |
31 | unsigned sinfo_index; | |
46963b77 DH |
32 | const void *raw_serial; |
33 | unsigned raw_serial_size; | |
34 | unsigned raw_issuer_size; | |
35 | const void *raw_issuer; | |
60d65cac DH |
36 | const void *raw_skid; |
37 | unsigned raw_skid_size; | |
38 | bool expect_skid; | |
2e3fadbf DH |
39 | }; |
40 | ||
3cd0920c DH |
41 | /* |
42 | * Free a signed information block. | |
43 | */ | |
44 | static void pkcs7_free_signed_info(struct pkcs7_signed_info *sinfo) | |
45 | { | |
46 | if (sinfo) { | |
db6c43bd | 47 | kfree(sinfo->sig.s); |
3cd0920c | 48 | kfree(sinfo->sig.digest); |
46963b77 | 49 | kfree(sinfo->signing_cert_id); |
3cd0920c DH |
50 | kfree(sinfo); |
51 | } | |
52 | } | |
53 | ||
2e3fadbf DH |
54 | /** |
55 | * pkcs7_free_message - Free a PKCS#7 message | |
56 | * @pkcs7: The PKCS#7 message to free | |
57 | */ | |
58 | void pkcs7_free_message(struct pkcs7_message *pkcs7) | |
59 | { | |
60 | struct x509_certificate *cert; | |
61 | struct pkcs7_signed_info *sinfo; | |
62 | ||
63 | if (pkcs7) { | |
64 | while (pkcs7->certs) { | |
65 | cert = pkcs7->certs; | |
66 | pkcs7->certs = cert->next; | |
67 | x509_free_certificate(cert); | |
68 | } | |
69 | while (pkcs7->crl) { | |
70 | cert = pkcs7->crl; | |
71 | pkcs7->crl = cert->next; | |
72 | x509_free_certificate(cert); | |
73 | } | |
74 | while (pkcs7->signed_infos) { | |
75 | sinfo = pkcs7->signed_infos; | |
76 | pkcs7->signed_infos = sinfo->next; | |
3cd0920c | 77 | pkcs7_free_signed_info(sinfo); |
2e3fadbf DH |
78 | } |
79 | kfree(pkcs7); | |
80 | } | |
81 | } | |
82 | EXPORT_SYMBOL_GPL(pkcs7_free_message); | |
83 | ||
99db4435 DH |
84 | /* |
85 | * Check authenticatedAttributes are provided or not provided consistently. | |
86 | */ | |
87 | static int pkcs7_check_authattrs(struct pkcs7_message *msg) | |
88 | { | |
89 | struct pkcs7_signed_info *sinfo; | |
90 | bool want; | |
91 | ||
92 | sinfo = msg->signed_infos; | |
93 | if (sinfo->authattrs) { | |
94 | want = true; | |
95 | msg->have_authattrs = true; | |
96 | } | |
97 | ||
98 | for (sinfo = sinfo->next; sinfo; sinfo = sinfo->next) | |
99 | if (!!sinfo->authattrs != want) | |
100 | goto inconsistent; | |
101 | return 0; | |
102 | ||
103 | inconsistent: | |
104 | pr_warn("Inconsistently supplied authAttrs\n"); | |
105 | return -EINVAL; | |
106 | } | |
107 | ||
2e3fadbf DH |
108 | /** |
109 | * pkcs7_parse_message - Parse a PKCS#7 message | |
110 | * @data: The raw binary ASN.1 encoded message to be parsed | |
111 | * @datalen: The size of the encoded message | |
112 | */ | |
113 | struct pkcs7_message *pkcs7_parse_message(const void *data, size_t datalen) | |
114 | { | |
115 | struct pkcs7_parse_context *ctx; | |
cecf5d2e DH |
116 | struct pkcs7_message *msg = ERR_PTR(-ENOMEM); |
117 | int ret; | |
2e3fadbf | 118 | |
2e3fadbf DH |
119 | ctx = kzalloc(sizeof(struct pkcs7_parse_context), GFP_KERNEL); |
120 | if (!ctx) | |
cecf5d2e DH |
121 | goto out_no_ctx; |
122 | ctx->msg = kzalloc(sizeof(struct pkcs7_message), GFP_KERNEL); | |
123 | if (!ctx->msg) | |
124 | goto out_no_msg; | |
2e3fadbf DH |
125 | ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL); |
126 | if (!ctx->sinfo) | |
cecf5d2e | 127 | goto out_no_sinfo; |
2e3fadbf | 128 | |
2e3fadbf DH |
129 | ctx->data = (unsigned long)data; |
130 | ctx->ppcerts = &ctx->certs; | |
131 | ctx->ppsinfo = &ctx->msg->signed_infos; | |
132 | ||
133 | /* Attempt to decode the signature */ | |
134 | ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen); | |
cecf5d2e DH |
135 | if (ret < 0) { |
136 | msg = ERR_PTR(ret); | |
137 | goto out; | |
138 | } | |
139 | ||
99db4435 DH |
140 | ret = pkcs7_check_authattrs(ctx->msg); |
141 | if (ret < 0) | |
142 | goto out; | |
143 | ||
cecf5d2e DH |
144 | msg = ctx->msg; |
145 | ctx->msg = NULL; | |
2e3fadbf | 146 | |
cecf5d2e | 147 | out: |
2e3fadbf DH |
148 | while (ctx->certs) { |
149 | struct x509_certificate *cert = ctx->certs; | |
150 | ctx->certs = cert->next; | |
151 | x509_free_certificate(cert); | |
152 | } | |
3cd0920c | 153 | pkcs7_free_signed_info(ctx->sinfo); |
cecf5d2e DH |
154 | out_no_sinfo: |
155 | pkcs7_free_message(ctx->msg); | |
156 | out_no_msg: | |
2e3fadbf | 157 | kfree(ctx); |
cecf5d2e | 158 | out_no_ctx: |
2e3fadbf | 159 | return msg; |
2e3fadbf DH |
160 | } |
161 | EXPORT_SYMBOL_GPL(pkcs7_parse_message); | |
162 | ||
163 | /** | |
164 | * pkcs7_get_content_data - Get access to the PKCS#7 content | |
165 | * @pkcs7: The preparsed PKCS#7 message to access | |
166 | * @_data: Place to return a pointer to the data | |
167 | * @_data_len: Place to return the data length | |
168 | * @want_wrapper: True if the ASN.1 object header should be included in the data | |
169 | * | |
170 | * Get access to the data content of the PKCS#7 message, including, optionally, | |
171 | * the header of the ASN.1 object that contains it. Returns -ENODATA if the | |
172 | * data object was missing from the message. | |
173 | */ | |
174 | int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, | |
175 | const void **_data, size_t *_data_len, | |
176 | bool want_wrapper) | |
177 | { | |
178 | size_t wrapper; | |
179 | ||
180 | if (!pkcs7->data) | |
181 | return -ENODATA; | |
182 | ||
183 | wrapper = want_wrapper ? pkcs7->data_hdrlen : 0; | |
184 | *_data = pkcs7->data - wrapper; | |
185 | *_data_len = pkcs7->data_len + wrapper; | |
186 | return 0; | |
187 | } | |
188 | EXPORT_SYMBOL_GPL(pkcs7_get_content_data); | |
189 | ||
190 | /* | |
191 | * Note an OID when we find one for later processing when we know how | |
192 | * to interpret it. | |
193 | */ | |
194 | int pkcs7_note_OID(void *context, size_t hdrlen, | |
195 | unsigned char tag, | |
196 | const void *value, size_t vlen) | |
197 | { | |
198 | struct pkcs7_parse_context *ctx = context; | |
199 | ||
200 | ctx->last_oid = look_up_OID(value, vlen); | |
201 | if (ctx->last_oid == OID__NR) { | |
202 | char buffer[50]; | |
203 | sprint_oid(value, vlen, buffer, sizeof(buffer)); | |
204 | printk("PKCS7: Unknown OID: [%lu] %s\n", | |
205 | (unsigned long)value - ctx->data, buffer); | |
206 | } | |
207 | return 0; | |
208 | } | |
209 | ||
210 | /* | |
211 | * Note the digest algorithm for the signature. | |
212 | */ | |
213 | int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen, | |
214 | unsigned char tag, | |
215 | const void *value, size_t vlen) | |
216 | { | |
217 | struct pkcs7_parse_context *ctx = context; | |
218 | ||
219 | switch (ctx->last_oid) { | |
220 | case OID_md4: | |
221 | ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_MD4; | |
222 | break; | |
223 | case OID_md5: | |
224 | ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_MD5; | |
225 | break; | |
226 | case OID_sha1: | |
227 | ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_SHA1; | |
228 | break; | |
229 | case OID_sha256: | |
230 | ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_SHA256; | |
231 | break; | |
07f081fb DH |
232 | case OID_sha384: |
233 | ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_SHA384; | |
234 | break; | |
235 | case OID_sha512: | |
236 | ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_SHA512; | |
237 | break; | |
238 | case OID_sha224: | |
239 | ctx->sinfo->sig.pkey_hash_algo = HASH_ALGO_SHA224; | |
2e3fadbf DH |
240 | default: |
241 | printk("Unsupported digest algo: %u\n", ctx->last_oid); | |
242 | return -ENOPKG; | |
243 | } | |
244 | return 0; | |
245 | } | |
246 | ||
247 | /* | |
248 | * Note the public key algorithm for the signature. | |
249 | */ | |
250 | int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen, | |
251 | unsigned char tag, | |
252 | const void *value, size_t vlen) | |
253 | { | |
254 | struct pkcs7_parse_context *ctx = context; | |
255 | ||
256 | switch (ctx->last_oid) { | |
257 | case OID_rsaEncryption: | |
258 | ctx->sinfo->sig.pkey_algo = PKEY_ALGO_RSA; | |
259 | break; | |
260 | default: | |
261 | printk("Unsupported pkey algo: %u\n", ctx->last_oid); | |
262 | return -ENOPKG; | |
263 | } | |
264 | return 0; | |
265 | } | |
266 | ||
2c7fd367 DH |
267 | /* |
268 | * We only support signed data [RFC2315 sec 9]. | |
269 | */ | |
270 | int pkcs7_check_content_type(void *context, size_t hdrlen, | |
271 | unsigned char tag, | |
272 | const void *value, size_t vlen) | |
273 | { | |
274 | struct pkcs7_parse_context *ctx = context; | |
275 | ||
276 | if (ctx->last_oid != OID_signed_data) { | |
277 | pr_warn("Only support pkcs7_signedData type\n"); | |
278 | return -EINVAL; | |
279 | } | |
280 | ||
281 | return 0; | |
282 | } | |
283 | ||
284 | /* | |
285 | * Note the SignedData version | |
286 | */ | |
287 | int pkcs7_note_signeddata_version(void *context, size_t hdrlen, | |
288 | unsigned char tag, | |
289 | const void *value, size_t vlen) | |
290 | { | |
60d65cac | 291 | struct pkcs7_parse_context *ctx = context; |
2c7fd367 DH |
292 | unsigned version; |
293 | ||
294 | if (vlen != 1) | |
295 | goto unsupported; | |
296 | ||
60d65cac | 297 | ctx->msg->version = version = *(const u8 *)value; |
2c7fd367 DH |
298 | switch (version) { |
299 | case 1: | |
60d65cac DH |
300 | /* PKCS#7 SignedData [RFC2315 sec 9.1] |
301 | * CMS ver 1 SignedData [RFC5652 sec 5.1] | |
302 | */ | |
303 | break; | |
304 | case 3: | |
305 | /* CMS ver 3 SignedData [RFC2315 sec 5.1] */ | |
2c7fd367 DH |
306 | break; |
307 | default: | |
308 | goto unsupported; | |
309 | } | |
310 | ||
311 | return 0; | |
312 | ||
313 | unsupported: | |
314 | pr_warn("Unsupported SignedData version\n"); | |
315 | return -EINVAL; | |
316 | } | |
317 | ||
318 | /* | |
319 | * Note the SignerInfo version | |
320 | */ | |
321 | int pkcs7_note_signerinfo_version(void *context, size_t hdrlen, | |
322 | unsigned char tag, | |
323 | const void *value, size_t vlen) | |
324 | { | |
60d65cac | 325 | struct pkcs7_parse_context *ctx = context; |
2c7fd367 DH |
326 | unsigned version; |
327 | ||
328 | if (vlen != 1) | |
329 | goto unsupported; | |
330 | ||
331 | version = *(const u8 *)value; | |
332 | switch (version) { | |
333 | case 1: | |
60d65cac DH |
334 | /* PKCS#7 SignerInfo [RFC2315 sec 9.2] |
335 | * CMS ver 1 SignerInfo [RFC5652 sec 5.3] | |
336 | */ | |
337 | if (ctx->msg->version != 1) | |
338 | goto version_mismatch; | |
339 | ctx->expect_skid = false; | |
340 | break; | |
341 | case 3: | |
342 | /* CMS ver 3 SignerInfo [RFC2315 sec 5.3] */ | |
343 | if (ctx->msg->version == 1) | |
344 | goto version_mismatch; | |
345 | ctx->expect_skid = true; | |
2c7fd367 DH |
346 | break; |
347 | default: | |
348 | goto unsupported; | |
349 | } | |
350 | ||
351 | return 0; | |
352 | ||
353 | unsupported: | |
354 | pr_warn("Unsupported SignerInfo version\n"); | |
355 | return -EINVAL; | |
60d65cac DH |
356 | version_mismatch: |
357 | pr_warn("SignedData-SignerInfo version mismatch\n"); | |
358 | return -EBADMSG; | |
2c7fd367 DH |
359 | } |
360 | ||
2e3fadbf DH |
361 | /* |
362 | * Extract a certificate and store it in the context. | |
363 | */ | |
364 | int pkcs7_extract_cert(void *context, size_t hdrlen, | |
365 | unsigned char tag, | |
366 | const void *value, size_t vlen) | |
367 | { | |
368 | struct pkcs7_parse_context *ctx = context; | |
369 | struct x509_certificate *x509; | |
370 | ||
371 | if (tag != ((ASN1_UNIV << 6) | ASN1_CONS_BIT | ASN1_SEQ)) { | |
372 | pr_debug("Cert began with tag %02x at %lu\n", | |
373 | tag, (unsigned long)ctx - ctx->data); | |
374 | return -EBADMSG; | |
375 | } | |
376 | ||
377 | /* We have to correct for the header so that the X.509 parser can start | |
378 | * from the beginning. Note that since X.509 stipulates DER, there | |
379 | * probably shouldn't be an EOC trailer - but it is in PKCS#7 (which | |
380 | * stipulates BER). | |
381 | */ | |
382 | value -= hdrlen; | |
383 | vlen += hdrlen; | |
384 | ||
385 | if (((u8*)value)[1] == 0x80) | |
386 | vlen += 2; /* Indefinite length - there should be an EOC */ | |
387 | ||
388 | x509 = x509_cert_parse(value, vlen); | |
389 | if (IS_ERR(x509)) | |
390 | return PTR_ERR(x509); | |
391 | ||
2e3fadbf | 392 | x509->index = ++ctx->x509_index; |
46963b77 DH |
393 | pr_debug("Got cert %u for %s\n", x509->index, x509->subject); |
394 | pr_debug("- fingerprint %*phN\n", x509->id->len, x509->id->data); | |
395 | ||
2e3fadbf DH |
396 | *ctx->ppcerts = x509; |
397 | ctx->ppcerts = &x509->next; | |
398 | return 0; | |
399 | } | |
400 | ||
401 | /* | |
402 | * Save the certificate list | |
403 | */ | |
404 | int pkcs7_note_certificate_list(void *context, size_t hdrlen, | |
405 | unsigned char tag, | |
406 | const void *value, size_t vlen) | |
407 | { | |
408 | struct pkcs7_parse_context *ctx = context; | |
409 | ||
410 | pr_devel("Got cert list (%02x)\n", tag); | |
411 | ||
412 | *ctx->ppcerts = ctx->msg->certs; | |
413 | ctx->msg->certs = ctx->certs; | |
414 | ctx->certs = NULL; | |
415 | ctx->ppcerts = &ctx->certs; | |
416 | return 0; | |
417 | } | |
418 | ||
99db4435 DH |
419 | /* |
420 | * Note the content type. | |
421 | */ | |
422 | int pkcs7_note_content(void *context, size_t hdrlen, | |
423 | unsigned char tag, | |
424 | const void *value, size_t vlen) | |
425 | { | |
426 | struct pkcs7_parse_context *ctx = context; | |
427 | ||
428 | if (ctx->last_oid != OID_data && | |
429 | ctx->last_oid != OID_msIndirectData) { | |
430 | pr_warn("Unsupported data type %d\n", ctx->last_oid); | |
431 | return -EINVAL; | |
432 | } | |
433 | ||
434 | ctx->msg->data_type = ctx->last_oid; | |
435 | return 0; | |
436 | } | |
437 | ||
2e3fadbf DH |
438 | /* |
439 | * Extract the data from the message and store that and its content type OID in | |
440 | * the context. | |
441 | */ | |
442 | int pkcs7_note_data(void *context, size_t hdrlen, | |
443 | unsigned char tag, | |
444 | const void *value, size_t vlen) | |
445 | { | |
446 | struct pkcs7_parse_context *ctx = context; | |
447 | ||
448 | pr_debug("Got data\n"); | |
449 | ||
450 | ctx->msg->data = value; | |
451 | ctx->msg->data_len = vlen; | |
452 | ctx->msg->data_hdrlen = hdrlen; | |
2e3fadbf DH |
453 | return 0; |
454 | } | |
455 | ||
456 | /* | |
99db4435 | 457 | * Parse authenticated attributes. |
2e3fadbf DH |
458 | */ |
459 | int pkcs7_sig_note_authenticated_attr(void *context, size_t hdrlen, | |
460 | unsigned char tag, | |
461 | const void *value, size_t vlen) | |
462 | { | |
463 | struct pkcs7_parse_context *ctx = context; | |
99db4435 DH |
464 | struct pkcs7_signed_info *sinfo = ctx->sinfo; |
465 | enum OID content_type; | |
2e3fadbf DH |
466 | |
467 | pr_devel("AuthAttr: %02x %zu [%*ph]\n", tag, vlen, (unsigned)vlen, value); | |
468 | ||
469 | switch (ctx->last_oid) { | |
99db4435 DH |
470 | case OID_contentType: |
471 | if (__test_and_set_bit(sinfo_has_content_type, &sinfo->aa_set)) | |
472 | goto repeated; | |
473 | content_type = look_up_OID(value, vlen); | |
474 | if (content_type != ctx->msg->data_type) { | |
475 | pr_warn("Mismatch between global data type (%d) and sinfo %u (%d)\n", | |
476 | ctx->msg->data_type, sinfo->index, | |
477 | content_type); | |
478 | return -EBADMSG; | |
479 | } | |
480 | return 0; | |
481 | ||
482 | case OID_signingTime: | |
483 | if (__test_and_set_bit(sinfo_has_signing_time, &sinfo->aa_set)) | |
484 | goto repeated; | |
485 | /* Should we check that the signing time is consistent | |
486 | * with the signer's X.509 cert? | |
487 | */ | |
488 | return x509_decode_time(&sinfo->signing_time, | |
489 | hdrlen, tag, value, vlen); | |
490 | ||
2e3fadbf | 491 | case OID_messageDigest: |
99db4435 DH |
492 | if (__test_and_set_bit(sinfo_has_message_digest, &sinfo->aa_set)) |
493 | goto repeated; | |
2e3fadbf DH |
494 | if (tag != ASN1_OTS) |
495 | return -EBADMSG; | |
99db4435 DH |
496 | sinfo->msgdigest = value; |
497 | sinfo->msgdigest_len = vlen; | |
498 | return 0; | |
499 | ||
500 | case OID_smimeCapabilites: | |
501 | if (__test_and_set_bit(sinfo_has_smime_caps, &sinfo->aa_set)) | |
502 | goto repeated; | |
503 | if (ctx->msg->data_type != OID_msIndirectData) { | |
504 | pr_warn("S/MIME Caps only allowed with Authenticode\n"); | |
505 | return -EKEYREJECTED; | |
506 | } | |
507 | return 0; | |
508 | ||
509 | /* Microsoft SpOpusInfo seems to be contain cont[0] 16-bit BE | |
510 | * char URLs and cont[1] 8-bit char URLs. | |
511 | * | |
512 | * Microsoft StatementType seems to contain a list of OIDs that | |
513 | * are also used as extendedKeyUsage types in X.509 certs. | |
514 | */ | |
515 | case OID_msSpOpusInfo: | |
516 | if (__test_and_set_bit(sinfo_has_ms_opus_info, &sinfo->aa_set)) | |
517 | goto repeated; | |
518 | goto authenticode_check; | |
519 | case OID_msStatementType: | |
520 | if (__test_and_set_bit(sinfo_has_ms_statement_type, &sinfo->aa_set)) | |
521 | goto repeated; | |
522 | authenticode_check: | |
523 | if (ctx->msg->data_type != OID_msIndirectData) { | |
524 | pr_warn("Authenticode AuthAttrs only allowed with Authenticode\n"); | |
525 | return -EKEYREJECTED; | |
526 | } | |
527 | /* I'm not sure how to validate these */ | |
2e3fadbf DH |
528 | return 0; |
529 | default: | |
530 | return 0; | |
531 | } | |
99db4435 DH |
532 | |
533 | repeated: | |
534 | /* We permit max one item per AuthenticatedAttribute and no repeats */ | |
535 | pr_warn("Repeated/multivalue AuthAttrs not permitted\n"); | |
536 | return -EKEYREJECTED; | |
2e3fadbf DH |
537 | } |
538 | ||
539 | /* | |
2c7fd367 | 540 | * Note the set of auth attributes for digestion purposes [RFC2315 sec 9.3] |
2e3fadbf DH |
541 | */ |
542 | int pkcs7_sig_note_set_of_authattrs(void *context, size_t hdrlen, | |
543 | unsigned char tag, | |
544 | const void *value, size_t vlen) | |
545 | { | |
546 | struct pkcs7_parse_context *ctx = context; | |
99db4435 DH |
547 | struct pkcs7_signed_info *sinfo = ctx->sinfo; |
548 | ||
549 | if (!test_bit(sinfo_has_content_type, &sinfo->aa_set) || | |
7ee7014d | 550 | !test_bit(sinfo_has_message_digest, &sinfo->aa_set)) { |
99db4435 DH |
551 | pr_warn("Missing required AuthAttr\n"); |
552 | return -EBADMSG; | |
553 | } | |
554 | ||
555 | if (ctx->msg->data_type != OID_msIndirectData && | |
556 | test_bit(sinfo_has_ms_opus_info, &sinfo->aa_set)) { | |
557 | pr_warn("Unexpected Authenticode AuthAttr\n"); | |
558 | return -EBADMSG; | |
559 | } | |
2e3fadbf DH |
560 | |
561 | /* We need to switch the 'CONT 0' to a 'SET OF' when we digest */ | |
99db4435 DH |
562 | sinfo->authattrs = value - (hdrlen - 1); |
563 | sinfo->authattrs_len = vlen + (hdrlen - 1); | |
2e3fadbf DH |
564 | return 0; |
565 | } | |
566 | ||
567 | /* | |
568 | * Note the issuing certificate serial number | |
569 | */ | |
570 | int pkcs7_sig_note_serial(void *context, size_t hdrlen, | |
571 | unsigned char tag, | |
572 | const void *value, size_t vlen) | |
573 | { | |
574 | struct pkcs7_parse_context *ctx = context; | |
46963b77 DH |
575 | ctx->raw_serial = value; |
576 | ctx->raw_serial_size = vlen; | |
2e3fadbf DH |
577 | return 0; |
578 | } | |
579 | ||
580 | /* | |
581 | * Note the issuer's name | |
582 | */ | |
583 | int pkcs7_sig_note_issuer(void *context, size_t hdrlen, | |
584 | unsigned char tag, | |
585 | const void *value, size_t vlen) | |
586 | { | |
587 | struct pkcs7_parse_context *ctx = context; | |
46963b77 DH |
588 | ctx->raw_issuer = value; |
589 | ctx->raw_issuer_size = vlen; | |
2e3fadbf DH |
590 | return 0; |
591 | } | |
592 | ||
60d65cac DH |
593 | /* |
594 | * Note the issuing cert's subjectKeyIdentifier | |
595 | */ | |
596 | int pkcs7_sig_note_skid(void *context, size_t hdrlen, | |
597 | unsigned char tag, | |
598 | const void *value, size_t vlen) | |
599 | { | |
600 | struct pkcs7_parse_context *ctx = context; | |
601 | ||
602 | pr_devel("SKID: %02x %zu [%*ph]\n", tag, vlen, (unsigned)vlen, value); | |
603 | ||
604 | ctx->raw_skid = value; | |
605 | ctx->raw_skid_size = vlen; | |
606 | return 0; | |
607 | } | |
608 | ||
2e3fadbf DH |
609 | /* |
610 | * Note the signature data | |
611 | */ | |
612 | int pkcs7_sig_note_signature(void *context, size_t hdrlen, | |
613 | unsigned char tag, | |
614 | const void *value, size_t vlen) | |
615 | { | |
616 | struct pkcs7_parse_context *ctx = context; | |
2e3fadbf DH |
617 | |
618 | BUG_ON(ctx->sinfo->sig.pkey_algo != PKEY_ALGO_RSA); | |
619 | ||
db6c43bd TS |
620 | ctx->sinfo->sig.s = kmemdup(value, vlen, GFP_KERNEL); |
621 | if (!ctx->sinfo->sig.s) | |
2e3fadbf DH |
622 | return -ENOMEM; |
623 | ||
db6c43bd | 624 | ctx->sinfo->sig.s_size = vlen; |
2e3fadbf DH |
625 | return 0; |
626 | } | |
627 | ||
628 | /* | |
629 | * Note a signature information block | |
630 | */ | |
631 | int pkcs7_note_signed_info(void *context, size_t hdrlen, | |
632 | unsigned char tag, | |
633 | const void *value, size_t vlen) | |
634 | { | |
635 | struct pkcs7_parse_context *ctx = context; | |
46963b77 DH |
636 | struct pkcs7_signed_info *sinfo = ctx->sinfo; |
637 | struct asymmetric_key_id *kid; | |
638 | ||
99db4435 DH |
639 | if (ctx->msg->data_type == OID_msIndirectData && !sinfo->authattrs) { |
640 | pr_warn("Authenticode requires AuthAttrs\n"); | |
641 | return -EBADMSG; | |
642 | } | |
643 | ||
46963b77 | 644 | /* Generate cert issuer + serial number key ID */ |
60d65cac DH |
645 | if (!ctx->expect_skid) { |
646 | kid = asymmetric_key_generate_id(ctx->raw_serial, | |
647 | ctx->raw_serial_size, | |
648 | ctx->raw_issuer, | |
649 | ctx->raw_issuer_size); | |
650 | } else { | |
651 | kid = asymmetric_key_generate_id(ctx->raw_skid, | |
652 | ctx->raw_skid_size, | |
653 | "", 0); | |
654 | } | |
46963b77 DH |
655 | if (IS_ERR(kid)) |
656 | return PTR_ERR(kid); | |
657 | ||
60d65cac DH |
658 | pr_devel("SINFO KID: %u [%*phN]\n", kid->len, kid->len, kid->data); |
659 | ||
46963b77 DH |
660 | sinfo->signing_cert_id = kid; |
661 | sinfo->index = ++ctx->sinfo_index; | |
662 | *ctx->ppsinfo = sinfo; | |
663 | ctx->ppsinfo = &sinfo->next; | |
2e3fadbf DH |
664 | ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL); |
665 | if (!ctx->sinfo) | |
666 | return -ENOMEM; | |
667 | return 0; | |
668 | } |