mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-04 20:19:47 +08:00 
			
		
		
		
	PKCS#7: Handle PKCS#7 messages that contain no X.509 certs
The X.509 certificate list in a PKCS#7 message is optional. To save space, we can omit the inclusion of any X.509 certificates if we are sure that we can look the relevant public key up by the serial number and issuer given in a signed info block. This also supports use of a signed info block for which we can't find a matching X.509 cert in the certificate list, though it be populated. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Vivek Goyal <vgoyal@redhat.com>
This commit is contained in:
		
							parent
							
								
									4155942000
								
							
						
					
					
						commit
						757932e6da
					
				| @ -55,13 +55,16 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, | |||||||
| 		 * keys. | 		 * keys. | ||||||
| 		 */ | 		 */ | ||||||
| 		key = x509_request_asymmetric_key(trust_keyring, x509->id); | 		key = x509_request_asymmetric_key(trust_keyring, x509->id); | ||||||
| 		if (!IS_ERR(key)) | 		if (!IS_ERR(key)) { | ||||||
| 			/* One of the X.509 certificates in the PKCS#7 message
 | 			/* One of the X.509 certificates in the PKCS#7 message
 | ||||||
| 			 * is apparently the same as one we already trust. | 			 * is apparently the same as one we already trust. | ||||||
| 			 * Verify that the trusted variant can also validate | 			 * Verify that the trusted variant can also validate | ||||||
| 			 * the signature on the descendant. | 			 * the signature on the descendant. | ||||||
| 			 */ | 			 */ | ||||||
|  | 			pr_devel("sinfo %u: Cert %u as key %x\n", | ||||||
|  | 				 sinfo->index, x509->index, key_serial(key)); | ||||||
| 			goto matched; | 			goto matched; | ||||||
|  | 		} | ||||||
| 		if (key == ERR_PTR(-ENOMEM)) | 		if (key == ERR_PTR(-ENOMEM)) | ||||||
| 			return -ENOMEM; | 			return -ENOMEM; | ||||||
| 
 | 
 | ||||||
| @ -81,15 +84,34 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, | |||||||
| 	/* No match - see if the root certificate has a signer amongst the
 | 	/* No match - see if the root certificate has a signer amongst the
 | ||||||
| 	 * trusted keys. | 	 * trusted keys. | ||||||
| 	 */ | 	 */ | ||||||
| 	if (!last || !last->issuer || !last->authority) { | 	if (last && last->authority) { | ||||||
| 		kleave(" = -ENOKEY [no backref]"); | 		key = x509_request_asymmetric_key(trust_keyring, last->authority); | ||||||
| 		return -ENOKEY; | 		if (!IS_ERR(key)) { | ||||||
|  | 			x509 = last; | ||||||
|  | 			pr_devel("sinfo %u: Root cert %u signer is key %x\n", | ||||||
|  | 				 sinfo->index, x509->index, key_serial(key)); | ||||||
|  | 			goto matched; | ||||||
|  | 		} | ||||||
|  | 		if (PTR_ERR(key) != -ENOKEY) | ||||||
|  | 			return PTR_ERR(key); | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	key = x509_request_asymmetric_key(trust_keyring, last->authority); | 	/* As a last resort, see if we have a trusted public key that matches
 | ||||||
| 	if (IS_ERR(key)) | 	 * the signed info directly. | ||||||
| 		return PTR_ERR(key) == -ENOMEM ? -ENOMEM : -ENOKEY; | 	 */ | ||||||
| 	x509 = last; | 	key = x509_request_asymmetric_key(trust_keyring, | ||||||
|  | 					  sinfo->signing_cert_id); | ||||||
|  | 	if (!IS_ERR(key)) { | ||||||
|  | 		pr_devel("sinfo %u: Direct signer is key %x\n", | ||||||
|  | 			 sinfo->index, key_serial(key)); | ||||||
|  | 		x509 = NULL; | ||||||
|  | 		goto matched; | ||||||
|  | 	} | ||||||
|  | 	if (PTR_ERR(key) != -ENOKEY) | ||||||
|  | 		return PTR_ERR(key); | ||||||
|  | 
 | ||||||
|  | 	kleave(" = -ENOKEY [no backref]"); | ||||||
|  | 	return -ENOKEY; | ||||||
| 
 | 
 | ||||||
| matched: | matched: | ||||||
| 	ret = verify_signature(key, sig); | 	ret = verify_signature(key, sig); | ||||||
| @ -103,11 +125,13 @@ matched: | |||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| verified: | verified: | ||||||
|  | 	if (x509) { | ||||||
| 		x509->verified = true; | 		x509->verified = true; | ||||||
| 		for (p = sinfo->signer; p != x509; p = p->signer) { | 		for (p = sinfo->signer; p != x509; p = p->signer) { | ||||||
| 			p->verified = true; | 			p->verified = true; | ||||||
| 			p->trusted = trusted; | 			p->trusted = trusted; | ||||||
| 		} | 		} | ||||||
|  | 	} | ||||||
| 	sinfo->trusted = trusted; | 	sinfo->trusted = trusted; | ||||||
| 	kleave(" = 0"); | 	kleave(" = 0"); | ||||||
| 	return 0; | 	return 0; | ||||||
|  | |||||||
| @ -154,10 +154,13 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7, | |||||||
| 		return 0; | 		return 0; | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	pr_warn("Sig %u: Issuing X.509 cert not found (#%*ph)\n", | 	/* The relevant X.509 cert isn't found here, but it might be found in
 | ||||||
|  | 	 * the trust keyring. | ||||||
|  | 	 */ | ||||||
|  | 	pr_debug("Sig %u: Issuing X.509 cert not found (#%*phN)\n", | ||||||
| 		 sinfo->index, | 		 sinfo->index, | ||||||
| 		 sinfo->signing_cert_id->len, sinfo->signing_cert_id->data); | 		 sinfo->signing_cert_id->len, sinfo->signing_cert_id->data); | ||||||
| 	return -ENOKEY; | 	return 0; | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| /*
 | /*
 | ||||||
| @ -275,11 +278,14 @@ static int pkcs7_verify_one(struct pkcs7_message *pkcs7, | |||||||
| 	if (ret < 0) | 	if (ret < 0) | ||||||
| 		return ret; | 		return ret; | ||||||
| 
 | 
 | ||||||
| 	/* Find the key for the signature */ | 	/* Find the key for the signature if there is one */ | ||||||
| 	ret = pkcs7_find_key(pkcs7, sinfo); | 	ret = pkcs7_find_key(pkcs7, sinfo); | ||||||
| 	if (ret < 0) | 	if (ret < 0) | ||||||
| 		return ret; | 		return ret; | ||||||
| 
 | 
 | ||||||
|  | 	if (!sinfo->signer) | ||||||
|  | 		return 0; | ||||||
|  | 
 | ||||||
| 	pr_devel("Using X.509[%u] for sig %u\n", | 	pr_devel("Using X.509[%u] for sig %u\n", | ||||||
| 		 sinfo->signer->index, sinfo->index); | 		 sinfo->signer->index, sinfo->index); | ||||||
| 
 | 
 | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user
	 David Howells
						David Howells