PKCS#7: Make trust determination dependent on contents of trust keyring
Make the determination of the trustworthiness of a key dependent on whether a key that can verify it is present in the supplied ring of trusted keys rather than whether or not the verifying key has KEY_FLAG_TRUSTED set. verify_pkcs7_signature() will return -ENOKEY if the PKCS#7 message trust chain cannot be verified. Signed-off-by: David Howells <dhowells@redhat.com>
This commit is contained in:
parent
e68503bd68
commit
bda850cd21
|
@ -121,7 +121,6 @@ late_initcall(load_system_certificate_list);
|
||||||
int verify_pkcs7_signature(const void *data, size_t len,
|
int verify_pkcs7_signature(const void *data, size_t len,
|
||||||
const void *raw_pkcs7, size_t pkcs7_len,
|
const void *raw_pkcs7, size_t pkcs7_len,
|
||||||
struct key *trusted_keys,
|
struct key *trusted_keys,
|
||||||
int untrusted_error,
|
|
||||||
enum key_being_used_for usage,
|
enum key_being_used_for usage,
|
||||||
int (*view_content)(void *ctx,
|
int (*view_content)(void *ctx,
|
||||||
const void *data, size_t len,
|
const void *data, size_t len,
|
||||||
|
@ -129,7 +128,6 @@ int verify_pkcs7_signature(const void *data, size_t len,
|
||||||
void *ctx)
|
void *ctx)
|
||||||
{
|
{
|
||||||
struct pkcs7_message *pkcs7;
|
struct pkcs7_message *pkcs7;
|
||||||
bool trusted;
|
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
|
pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
|
||||||
|
@ -149,13 +147,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
|
||||||
|
|
||||||
if (!trusted_keys)
|
if (!trusted_keys)
|
||||||
trusted_keys = system_trusted_keyring;
|
trusted_keys = system_trusted_keyring;
|
||||||
ret = pkcs7_validate_trust(pkcs7, trusted_keys, &trusted);
|
ret = pkcs7_validate_trust(pkcs7, trusted_keys);
|
||||||
if (ret < 0)
|
if (ret < 0) {
|
||||||
goto error;
|
if (ret == -ENOKEY)
|
||||||
|
pr_err("PKCS#7 signature not signed with a trusted key\n");
|
||||||
if (!trusted && untrusted_error) {
|
|
||||||
pr_err("PKCS#7 signature not signed with a trusted key\n");
|
|
||||||
ret = untrusted_error;
|
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -62,7 +62,7 @@ static int pkcs7_preparse(struct key_preparsed_payload *prep)
|
||||||
|
|
||||||
return verify_pkcs7_signature(NULL, 0,
|
return verify_pkcs7_signature(NULL, 0,
|
||||||
prep->data, prep->datalen,
|
prep->data, prep->datalen,
|
||||||
NULL, -ENOKEY, usage,
|
NULL, usage,
|
||||||
pkcs7_view_content, prep);
|
pkcs7_view_content, prep);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -22,7 +22,6 @@ struct pkcs7_signed_info {
|
||||||
struct pkcs7_signed_info *next;
|
struct pkcs7_signed_info *next;
|
||||||
struct x509_certificate *signer; /* Signing certificate (in msg->certs) */
|
struct x509_certificate *signer; /* Signing certificate (in msg->certs) */
|
||||||
unsigned index;
|
unsigned index;
|
||||||
bool trusted;
|
|
||||||
bool unsupported_crypto; /* T if not usable due to missing crypto */
|
bool unsupported_crypto; /* T if not usable due to missing crypto */
|
||||||
|
|
||||||
/* Message digest - the digest of the Content Data (or NULL) */
|
/* Message digest - the digest of the Content Data (or NULL) */
|
||||||
|
|
|
@ -30,7 +30,6 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
|
||||||
struct public_key_signature *sig = sinfo->sig;
|
struct public_key_signature *sig = sinfo->sig;
|
||||||
struct x509_certificate *x509, *last = NULL, *p;
|
struct x509_certificate *x509, *last = NULL, *p;
|
||||||
struct key *key;
|
struct key *key;
|
||||||
bool trusted;
|
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
kenter(",%u,", sinfo->index);
|
kenter(",%u,", sinfo->index);
|
||||||
|
@ -42,10 +41,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
|
||||||
|
|
||||||
for (x509 = sinfo->signer; x509; x509 = x509->signer) {
|
for (x509 = sinfo->signer; x509; x509 = x509->signer) {
|
||||||
if (x509->seen) {
|
if (x509->seen) {
|
||||||
if (x509->verified) {
|
if (x509->verified)
|
||||||
trusted = x509->trusted;
|
|
||||||
goto verified;
|
goto verified;
|
||||||
}
|
|
||||||
kleave(" = -ENOKEY [cached]");
|
kleave(" = -ENOKEY [cached]");
|
||||||
return -ENOKEY;
|
return -ENOKEY;
|
||||||
}
|
}
|
||||||
|
@ -122,7 +119,6 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
|
||||||
|
|
||||||
matched:
|
matched:
|
||||||
ret = verify_signature(key, sig);
|
ret = verify_signature(key, sig);
|
||||||
trusted = test_bit(KEY_FLAG_TRUSTED, &key->flags);
|
|
||||||
key_put(key);
|
key_put(key);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
if (ret == -ENOMEM)
|
if (ret == -ENOMEM)
|
||||||
|
@ -134,12 +130,9 @@ matched:
|
||||||
verified:
|
verified:
|
||||||
if (x509) {
|
if (x509) {
|
||||||
x509->verified = true;
|
x509->verified = true;
|
||||||
for (p = sinfo->signer; p != x509; p = p->signer) {
|
for (p = sinfo->signer; p != x509; p = p->signer)
|
||||||
p->verified = true;
|
p->verified = true;
|
||||||
p->trusted = trusted;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
sinfo->trusted = trusted;
|
|
||||||
kleave(" = 0");
|
kleave(" = 0");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -148,7 +141,6 @@ verified:
|
||||||
* pkcs7_validate_trust - Validate PKCS#7 trust chain
|
* pkcs7_validate_trust - Validate PKCS#7 trust chain
|
||||||
* @pkcs7: The PKCS#7 certificate to validate
|
* @pkcs7: The PKCS#7 certificate to validate
|
||||||
* @trust_keyring: Signing certificates to use as starting points
|
* @trust_keyring: Signing certificates to use as starting points
|
||||||
* @_trusted: Set to true if trustworth, false otherwise
|
|
||||||
*
|
*
|
||||||
* Validate that the certificate chain inside the PKCS#7 message intersects
|
* Validate that the certificate chain inside the PKCS#7 message intersects
|
||||||
* keys we already know and trust.
|
* keys we already know and trust.
|
||||||
|
@ -170,16 +162,13 @@ verified:
|
||||||
* May also return -ENOMEM.
|
* May also return -ENOMEM.
|
||||||
*/
|
*/
|
||||||
int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
|
int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
|
||||||
struct key *trust_keyring,
|
struct key *trust_keyring)
|
||||||
bool *_trusted)
|
|
||||||
{
|
{
|
||||||
struct pkcs7_signed_info *sinfo;
|
struct pkcs7_signed_info *sinfo;
|
||||||
struct x509_certificate *p;
|
struct x509_certificate *p;
|
||||||
int cached_ret = -ENOKEY;
|
int cached_ret = -ENOKEY;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
*_trusted = false;
|
|
||||||
|
|
||||||
for (p = pkcs7->certs; p; p = p->next)
|
for (p = pkcs7->certs; p; p = p->next)
|
||||||
p->seen = false;
|
p->seen = false;
|
||||||
|
|
||||||
|
@ -193,7 +182,6 @@ int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
|
||||||
cached_ret = -ENOPKG;
|
cached_ret = -ENOPKG;
|
||||||
continue;
|
continue;
|
||||||
case 0:
|
case 0:
|
||||||
*_trusted |= sinfo->trusted;
|
|
||||||
cached_ret = 0;
|
cached_ret = 0;
|
||||||
continue;
|
continue;
|
||||||
default:
|
default:
|
||||||
|
|
|
@ -436,7 +436,7 @@ int verify_pefile_signature(const void *pebuf, unsigned pelen,
|
||||||
|
|
||||||
ret = verify_pkcs7_signature(NULL, 0,
|
ret = verify_pkcs7_signature(NULL, 0,
|
||||||
pebuf + ctx.sig_offset, ctx.sig_len,
|
pebuf + ctx.sig_offset, ctx.sig_len,
|
||||||
trusted_keys, -EKEYREJECTED, usage,
|
trusted_keys, usage,
|
||||||
mscode_parse, &ctx);
|
mscode_parse, &ctx);
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
goto error;
|
goto error;
|
||||||
|
|
|
@ -39,7 +39,6 @@ struct x509_certificate {
|
||||||
unsigned index;
|
unsigned index;
|
||||||
bool seen; /* Infinite recursion prevention */
|
bool seen; /* Infinite recursion prevention */
|
||||||
bool verified;
|
bool verified;
|
||||||
bool trusted;
|
|
||||||
bool self_signed; /* T if self-signed (check unsupported_sig too) */
|
bool self_signed; /* T if self-signed (check unsupported_sig too) */
|
||||||
bool unsupported_key; /* T if key uses unsupported crypto */
|
bool unsupported_key; /* T if key uses unsupported crypto */
|
||||||
bool unsupported_sig; /* T if signature uses unsupported crypto */
|
bool unsupported_sig; /* T if signature uses unsupported crypto */
|
||||||
|
|
|
@ -33,8 +33,7 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
|
||||||
* pkcs7_trust.c
|
* pkcs7_trust.c
|
||||||
*/
|
*/
|
||||||
extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
|
extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
|
||||||
struct key *trust_keyring,
|
struct key *trust_keyring);
|
||||||
bool *_trusted);
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* pkcs7_verify.c
|
* pkcs7_verify.c
|
||||||
|
|
|
@ -33,7 +33,6 @@ struct key;
|
||||||
extern int verify_pkcs7_signature(const void *data, size_t len,
|
extern int verify_pkcs7_signature(const void *data, size_t len,
|
||||||
const void *raw_pkcs7, size_t pkcs7_len,
|
const void *raw_pkcs7, size_t pkcs7_len,
|
||||||
struct key *trusted_keys,
|
struct key *trusted_keys,
|
||||||
int untrusted_error,
|
|
||||||
enum key_being_used_for usage,
|
enum key_being_used_for usage,
|
||||||
int (*view_content)(void *ctx,
|
int (*view_content)(void *ctx,
|
||||||
const void *data, size_t len,
|
const void *data, size_t len,
|
||||||
|
|
|
@ -81,6 +81,6 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen)
|
||||||
}
|
}
|
||||||
|
|
||||||
return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
|
return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
|
||||||
NULL, -ENOKEY, VERIFYING_MODULE_SIGNATURE,
|
NULL, VERIFYING_MODULE_SIGNATURE,
|
||||||
NULL, NULL);
|
NULL, NULL);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue