1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Instantiate a public key crypto key from an X.509 Certificate
3 *
4 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
6 */
7
8 #define pr_fmt(fmt) "X.509: "fmt
9 #ifdef __UBOOT__
10 #include <image.h>
11 #include <dm/devres.h>
12 #include <linux/compat.h>
13 #include <linux/err.h>
14 #include <linux/errno.h>
15 #include <linux/printk.h>
16 #else
17 #include <linux/module.h>
18 #endif
19 #include <linux/kernel.h>
20 #ifdef __UBOOT__
21 #include <crypto/x509_parser.h>
22 #include <u-boot/hash-checksum.h>
23 #else
24 #include <linux/slab.h>
25 #include <keys/asymmetric-subtype.h>
26 #include <keys/asymmetric-parser.h>
27 #include <keys/system_keyring.h>
28 #include <crypto/hash.h>
29 #include "asymmetric_keys.h"
30 #include "x509_parser.h"
31 #endif
32
33 #if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
34
35 /*
36 * Set up the signature parameters in an X.509 certificate. This involves
37 * digesting the signed data and extracting the signature.
38 */
x509_get_sig_params(struct x509_certificate * cert)39 int x509_get_sig_params(struct x509_certificate *cert)
40 {
41 struct public_key_signature *sig = cert->sig;
42 #ifdef __UBOOT__
43 struct image_region region;
44 #else
45 struct crypto_shash *tfm;
46 struct shash_desc *desc;
47 size_t desc_size;
48 #endif
49 int ret;
50
51 pr_devel("==>%s()\n", __func__);
52
53 if (!cert->pub->pkey_algo)
54 cert->unsupported_key = true;
55
56 if (!sig->pkey_algo)
57 cert->unsupported_sig = true;
58
59 /* We check the hash if we can - even if we can't then verify it */
60 if (!sig->hash_algo) {
61 cert->unsupported_sig = true;
62 return 0;
63 }
64
65 sig->s = kmemdup(cert->raw_sig, cert->raw_sig_size, GFP_KERNEL);
66 if (!sig->s)
67 return -ENOMEM;
68
69 sig->s_size = cert->raw_sig_size;
70
71 #ifdef __UBOOT__
72 if (!sig->hash_algo)
73 return -ENOPKG;
74 if (!strcmp(sig->hash_algo, "sha256"))
75 sig->digest_size = SHA256_SUM_LEN;
76 else if (!strcmp(sig->hash_algo, "sha384"))
77 sig->digest_size = SHA384_SUM_LEN;
78 else if (!strcmp(sig->hash_algo, "sha512"))
79 sig->digest_size = SHA512_SUM_LEN;
80 else if (!strcmp(sig->hash_algo, "sha1"))
81 sig->digest_size = SHA1_SUM_LEN;
82 else
83 return -ENOPKG;
84
85 sig->digest = calloc(1, sig->digest_size);
86 if (!sig->digest)
87 return -ENOMEM;
88
89 region.data = cert->tbs;
90 region.size = cert->tbs_size;
91 hash_calculate(sig->hash_algo, ®ion, 1, sig->digest);
92
93 /* TODO: is_hash_blacklisted()? */
94
95 ret = 0;
96 #else
97 /* Allocate the hashing algorithm we're going to need and find out how
98 * big the hash operational data will be.
99 */
100 tfm = crypto_alloc_shash(sig->hash_algo, 0, 0);
101 if (IS_ERR(tfm)) {
102 if (PTR_ERR(tfm) == -ENOENT) {
103 cert->unsupported_sig = true;
104 return 0;
105 }
106 return PTR_ERR(tfm);
107 }
108
109 desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
110 sig->digest_size = crypto_shash_digestsize(tfm);
111
112 ret = -ENOMEM;
113 sig->digest = kmalloc(sig->digest_size, GFP_KERNEL);
114 if (!sig->digest)
115 goto error;
116
117 desc = kzalloc(desc_size, GFP_KERNEL);
118 if (!desc)
119 goto error;
120
121 desc->tfm = tfm;
122
123 ret = crypto_shash_digest(desc, cert->tbs, cert->tbs_size, sig->digest);
124 if (ret < 0)
125 goto error_2;
126
127 ret = is_hash_blacklisted(sig->digest, sig->digest_size, "tbs");
128 if (ret == -EKEYREJECTED) {
129 pr_err("Cert %*phN is blacklisted\n",
130 sig->digest_size, sig->digest);
131 cert->blacklisted = true;
132 ret = 0;
133 }
134
135 error_2:
136 kfree(desc);
137 error:
138 crypto_free_shash(tfm);
139 #endif /* __UBOOT__ */
140 pr_devel("<==%s() = %d\n", __func__, ret);
141 return ret;
142 }
143
144 #endif /* !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) */
145
146 #ifndef __UBOOT__
147 /*
148 * Attempt to parse a data blob for a key as an X509 certificate.
149 */
x509_key_preparse(struct key_preparsed_payload * prep)150 static int x509_key_preparse(struct key_preparsed_payload *prep)
151 {
152 struct asymmetric_key_ids *kids;
153 struct x509_certificate *cert;
154 const char *q;
155 size_t srlen, sulen;
156 char *desc = NULL, *p;
157 int ret;
158
159 cert = x509_cert_parse(prep->data, prep->datalen);
160 if (IS_ERR(cert))
161 return PTR_ERR(cert);
162
163 pr_devel("Cert Issuer: %s\n", cert->issuer);
164 pr_devel("Cert Subject: %s\n", cert->subject);
165
166 if (cert->unsupported_key) {
167 ret = -ENOPKG;
168 goto error_free_cert;
169 }
170
171 pr_devel("Cert Key Algo: %s\n", cert->pub->pkey_algo);
172 pr_devel("Cert Valid period: %lld-%lld\n", cert->valid_from, cert->valid_to);
173
174 cert->pub->id_type = "X509";
175
176 if (cert->unsupported_sig) {
177 public_key_signature_free(cert->sig);
178 cert->sig = NULL;
179 } else {
180 pr_devel("Cert Signature: %s + %s\n",
181 cert->sig->pkey_algo, cert->sig->hash_algo);
182 }
183
184 /* Don't permit addition of blacklisted keys */
185 ret = -EKEYREJECTED;
186 if (cert->blacklisted)
187 goto error_free_cert;
188
189 /* Propose a description */
190 sulen = strlen(cert->subject);
191 if (cert->raw_skid) {
192 srlen = cert->raw_skid_size;
193 q = cert->raw_skid;
194 } else {
195 srlen = cert->raw_serial_size;
196 q = cert->raw_serial;
197 }
198
199 ret = -ENOMEM;
200 desc = kmalloc(sulen + 2 + srlen * 2 + 1, GFP_KERNEL);
201 if (!desc)
202 goto error_free_cert;
203 p = memcpy(desc, cert->subject, sulen);
204 p += sulen;
205 *p++ = ':';
206 *p++ = ' ';
207 p = bin2hex(p, q, srlen);
208 *p = 0;
209
210 kids = kmalloc(sizeof(struct asymmetric_key_ids), GFP_KERNEL);
211 if (!kids)
212 goto error_free_desc;
213 kids->id[0] = cert->id;
214 kids->id[1] = cert->skid;
215
216 /* We're pinning the module by being linked against it */
217 __module_get(public_key_subtype.owner);
218 prep->payload.data[asym_subtype] = &public_key_subtype;
219 prep->payload.data[asym_key_ids] = kids;
220 prep->payload.data[asym_crypto] = cert->pub;
221 prep->payload.data[asym_auth] = cert->sig;
222 prep->description = desc;
223 prep->quotalen = 100;
224
225 /* We've finished with the certificate */
226 cert->pub = NULL;
227 cert->id = NULL;
228 cert->skid = NULL;
229 cert->sig = NULL;
230 desc = NULL;
231 ret = 0;
232
233 error_free_desc:
234 kfree(desc);
235 error_free_cert:
236 x509_free_certificate(cert);
237 return ret;
238 }
239
240 static struct asymmetric_key_parser x509_key_parser = {
241 .owner = THIS_MODULE,
242 .name = "x509",
243 .parse = x509_key_preparse,
244 };
245
246 /*
247 * Module stuff
248 */
x509_key_init(void)249 static int __init x509_key_init(void)
250 {
251 return register_asymmetric_key_parser(&x509_key_parser);
252 }
253
x509_key_exit(void)254 static void __exit x509_key_exit(void)
255 {
256 unregister_asymmetric_key_parser(&x509_key_parser);
257 }
258
259 module_init(x509_key_init);
260 module_exit(x509_key_exit);
261 #endif /* !__UBOOT__ */
262
263 MODULE_DESCRIPTION("X.509 certificate parser");
264 MODULE_AUTHOR("Red Hat, Inc.");
265 MODULE_LICENSE("GPL");
266