2019-05-20 17:08:01 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2012-09-24 16:11:48 +00:00
|
|
|
/* X.509 certificate parser
|
|
|
|
*
|
|
|
|
* Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
|
|
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
|
|
*/
|
|
|
|
|
|
|
|
#define pr_fmt(fmt) "X.509: "fmt
|
|
|
|
#include <linux/kernel.h>
|
2014-07-01 15:40:19 +00:00
|
|
|
#include <linux/export.h>
|
2012-09-24 16:11:48 +00:00
|
|
|
#include <linux/slab.h>
|
|
|
|
#include <linux/err.h>
|
|
|
|
#include <linux/oid_registry.h>
|
2016-02-02 18:08:53 +00:00
|
|
|
#include <crypto/public_key.h>
|
2012-09-24 16:11:48 +00:00
|
|
|
#include "x509_parser.h"
|
2018-03-23 13:04:37 +00:00
|
|
|
#include "x509.asn1.h"
|
|
|
|
#include "x509_akid.asn1.h"
|
2012-09-24 16:11:48 +00:00
|
|
|
|
|
|
|
struct x509_parse_context {
|
|
|
|
struct x509_certificate *cert; /* Certificate being constructed */
|
|
|
|
unsigned long data; /* Start of data */
|
|
|
|
const void *key; /* Key data */
|
|
|
|
size_t key_size; /* Size of key data */
|
2019-04-11 15:51:17 +00:00
|
|
|
const void *params; /* Key parameters */
|
|
|
|
size_t params_size; /* Size of key parameters */
|
2022-01-19 00:54:33 +00:00
|
|
|
enum OID key_algo; /* Algorithm used by the cert's key */
|
2012-09-24 16:11:48 +00:00
|
|
|
enum OID last_oid; /* Last OID encountered */
|
2022-01-19 00:54:33 +00:00
|
|
|
enum OID sig_algo; /* Algorithm used to sign the cert */
|
2012-09-24 16:11:48 +00:00
|
|
|
u8 o_size; /* Size of organizationName (O) */
|
|
|
|
u8 cn_size; /* Size of commonName (CN) */
|
|
|
|
u8 email_size; /* Size of emailAddress */
|
|
|
|
u16 o_offset; /* Offset of organizationName (O) */
|
|
|
|
u16 cn_offset; /* Offset of commonName (CN) */
|
|
|
|
u16 email_offset; /* Offset of emailAddress */
|
2015-07-20 20:16:26 +00:00
|
|
|
unsigned raw_akid_size;
|
|
|
|
const void *raw_akid; /* Raw authorityKeyId in ASN.1 */
|
|
|
|
const void *akid_raw_issuer; /* Raw directoryName in authorityKeyId */
|
|
|
|
unsigned akid_raw_issuer_size;
|
2012-09-24 16:11:48 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Free an X.509 certificate
|
|
|
|
*/
|
|
|
|
void x509_free_certificate(struct x509_certificate *cert)
|
|
|
|
{
|
|
|
|
if (cert) {
|
2016-04-06 15:13:33 +00:00
|
|
|
public_key_free(cert->pub);
|
2016-04-06 15:13:33 +00:00
|
|
|
public_key_signature_free(cert->sig);
|
2012-09-24 16:11:48 +00:00
|
|
|
kfree(cert->issuer);
|
|
|
|
kfree(cert->subject);
|
2014-09-16 16:36:13 +00:00
|
|
|
kfree(cert->id);
|
|
|
|
kfree(cert->skid);
|
2012-09-24 16:11:48 +00:00
|
|
|
kfree(cert);
|
|
|
|
}
|
|
|
|
}
|
2014-07-01 15:40:19 +00:00
|
|
|
EXPORT_SYMBOL_GPL(x509_free_certificate);
|
2012-09-24 16:11:48 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Parse an X.509 certificate
|
|
|
|
*/
|
|
|
|
struct x509_certificate *x509_cert_parse(const void *data, size_t datalen)
|
|
|
|
{
|
|
|
|
struct x509_certificate *cert;
|
|
|
|
struct x509_parse_context *ctx;
|
2014-09-16 16:36:13 +00:00
|
|
|
struct asymmetric_key_id *kid;
|
2012-09-24 16:11:48 +00:00
|
|
|
long ret;
|
|
|
|
|
|
|
|
ret = -ENOMEM;
|
|
|
|
cert = kzalloc(sizeof(struct x509_certificate), GFP_KERNEL);
|
|
|
|
if (!cert)
|
|
|
|
goto error_no_cert;
|
|
|
|
cert->pub = kzalloc(sizeof(struct public_key), GFP_KERNEL);
|
|
|
|
if (!cert->pub)
|
|
|
|
goto error_no_ctx;
|
2016-04-06 15:13:33 +00:00
|
|
|
cert->sig = kzalloc(sizeof(struct public_key_signature), GFP_KERNEL);
|
|
|
|
if (!cert->sig)
|
|
|
|
goto error_no_ctx;
|
2012-09-24 16:11:48 +00:00
|
|
|
ctx = kzalloc(sizeof(struct x509_parse_context), GFP_KERNEL);
|
|
|
|
if (!ctx)
|
|
|
|
goto error_no_ctx;
|
|
|
|
|
|
|
|
ctx->cert = cert;
|
|
|
|
ctx->data = (unsigned long)data;
|
|
|
|
|
|
|
|
/* Attempt to decode the certificate */
|
|
|
|
ret = asn1_ber_decoder(&x509_decoder, ctx, data, datalen);
|
|
|
|
if (ret < 0)
|
|
|
|
goto error_decode;
|
|
|
|
|
2015-07-20 20:16:26 +00:00
|
|
|
/* Decode the AuthorityKeyIdentifier */
|
|
|
|
if (ctx->raw_akid) {
|
|
|
|
pr_devel("AKID: %u %*phN\n",
|
|
|
|
ctx->raw_akid_size, ctx->raw_akid_size, ctx->raw_akid);
|
|
|
|
ret = asn1_ber_decoder(&x509_akid_decoder, ctx,
|
|
|
|
ctx->raw_akid, ctx->raw_akid_size);
|
|
|
|
if (ret < 0) {
|
|
|
|
pr_warn("Couldn't decode AuthKeyIdentifier\n");
|
|
|
|
goto error_decode;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-06-08 13:47:49 +00:00
|
|
|
ret = -ENOMEM;
|
2016-02-02 18:08:53 +00:00
|
|
|
cert->pub->key = kmemdup(ctx->key, ctx->key_size, GFP_KERNEL);
|
|
|
|
if (!cert->pub->key)
|
2012-09-24 16:11:48 +00:00
|
|
|
goto error_decode;
|
|
|
|
|
2016-02-02 18:08:53 +00:00
|
|
|
cert->pub->keylen = ctx->key_size;
|
|
|
|
|
2019-04-11 15:51:17 +00:00
|
|
|
cert->pub->params = kmemdup(ctx->params, ctx->params_size, GFP_KERNEL);
|
|
|
|
if (!cert->pub->params)
|
|
|
|
goto error_decode;
|
|
|
|
|
|
|
|
cert->pub->paramlen = ctx->params_size;
|
|
|
|
cert->pub->algo = ctx->key_algo;
|
|
|
|
|
2016-04-06 15:13:34 +00:00
|
|
|
/* Grab the signature bits */
|
|
|
|
ret = x509_get_sig_params(cert);
|
|
|
|
if (ret < 0)
|
|
|
|
goto error_decode;
|
|
|
|
|
2014-09-16 16:36:13 +00:00
|
|
|
/* Generate cert issuer + serial number key ID */
|
|
|
|
kid = asymmetric_key_generate_id(cert->raw_serial,
|
|
|
|
cert->raw_serial_size,
|
|
|
|
cert->raw_issuer,
|
|
|
|
cert->raw_issuer_size);
|
|
|
|
if (IS_ERR(kid)) {
|
|
|
|
ret = PTR_ERR(kid);
|
|
|
|
goto error_decode;
|
|
|
|
}
|
|
|
|
cert->id = kid;
|
|
|
|
|
2016-04-06 15:13:34 +00:00
|
|
|
/* Detect self-signed certificates */
|
|
|
|
ret = x509_check_for_self_signed(cert);
|
|
|
|
if (ret < 0)
|
|
|
|
goto error_decode;
|
|
|
|
|
2012-09-24 16:11:48 +00:00
|
|
|
kfree(ctx);
|
|
|
|
return cert;
|
|
|
|
|
|
|
|
error_decode:
|
|
|
|
kfree(ctx);
|
|
|
|
error_no_ctx:
|
|
|
|
x509_free_certificate(cert);
|
|
|
|
error_no_cert:
|
|
|
|
return ERR_PTR(ret);
|
|
|
|
}
|
2014-07-01 15:40:19 +00:00
|
|
|
EXPORT_SYMBOL_GPL(x509_cert_parse);
|
2012-09-24 16:11:48 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Note an OID when we find one for later processing when we know how
|
|
|
|
* to interpret it.
|
|
|
|
*/
|
|
|
|
int x509_note_OID(void *context, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
|
|
|
|
|
|
|
ctx->last_oid = look_up_OID(value, vlen);
|
|
|
|
if (ctx->last_oid == OID__NR) {
|
|
|
|
char buffer[50];
|
|
|
|
sprint_oid(value, vlen, buffer, sizeof(buffer));
|
2012-10-03 23:04:46 +00:00
|
|
|
pr_debug("Unknown OID: [%lu] %s\n",
|
2012-09-24 16:11:48 +00:00
|
|
|
(unsigned long)value - ctx->data, buffer);
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Save the position of the TBS data so that we can check the signature over it
|
|
|
|
* later.
|
|
|
|
*/
|
|
|
|
int x509_note_tbs_certificate(void *context, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
|
|
|
|
|
|
|
pr_debug("x509_note_tbs_certificate(,%zu,%02x,%ld,%zu)!\n",
|
|
|
|
hdrlen, tag, (unsigned long)value - ctx->data, vlen);
|
|
|
|
|
|
|
|
ctx->cert->tbs = value - hdrlen;
|
|
|
|
ctx->cert->tbs_size = vlen + hdrlen;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2022-01-19 00:54:33 +00:00
|
|
|
* Record the algorithm that was used to sign this certificate.
|
2012-09-24 16:11:48 +00:00
|
|
|
*/
|
2022-01-19 00:54:33 +00:00
|
|
|
int x509_note_sig_algo(void *context, size_t hdrlen, unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
2012-09-24 16:11:48 +00:00
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
|
|
|
|
|
|
|
pr_debug("PubKey Algo: %u\n", ctx->last_oid);
|
|
|
|
|
|
|
|
switch (ctx->last_oid) {
|
|
|
|
case OID_md2WithRSAEncryption:
|
|
|
|
case OID_md3WithRSAEncryption:
|
|
|
|
default:
|
|
|
|
return -ENOPKG; /* Unsupported combination */
|
|
|
|
|
|
|
|
case OID_md4WithRSAEncryption:
|
2016-04-06 15:13:33 +00:00
|
|
|
ctx->cert->sig->hash_algo = "md4";
|
2018-10-09 16:47:15 +00:00
|
|
|
goto rsa_pkcs1;
|
2012-09-24 16:11:48 +00:00
|
|
|
|
|
|
|
case OID_sha1WithRSAEncryption:
|
2016-04-06 15:13:33 +00:00
|
|
|
ctx->cert->sig->hash_algo = "sha1";
|
2018-10-09 16:47:15 +00:00
|
|
|
goto rsa_pkcs1;
|
2012-09-24 16:11:48 +00:00
|
|
|
|
|
|
|
case OID_sha256WithRSAEncryption:
|
2016-04-06 15:13:33 +00:00
|
|
|
ctx->cert->sig->hash_algo = "sha256";
|
2018-10-09 16:47:15 +00:00
|
|
|
goto rsa_pkcs1;
|
2012-09-24 16:11:48 +00:00
|
|
|
|
|
|
|
case OID_sha384WithRSAEncryption:
|
2016-04-06 15:13:33 +00:00
|
|
|
ctx->cert->sig->hash_algo = "sha384";
|
2018-10-09 16:47:15 +00:00
|
|
|
goto rsa_pkcs1;
|
2012-09-24 16:11:48 +00:00
|
|
|
|
|
|
|
case OID_sha512WithRSAEncryption:
|
2016-04-06 15:13:33 +00:00
|
|
|
ctx->cert->sig->hash_algo = "sha512";
|
2018-10-09 16:47:15 +00:00
|
|
|
goto rsa_pkcs1;
|
2012-09-24 16:11:48 +00:00
|
|
|
|
|
|
|
case OID_sha224WithRSAEncryption:
|
2016-04-06 15:13:33 +00:00
|
|
|
ctx->cert->sig->hash_algo = "sha224";
|
2018-10-09 16:47:15 +00:00
|
|
|
goto rsa_pkcs1;
|
crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm
Add Elliptic Curve Russian Digital Signature Algorithm (GOST R
34.10-2012, RFC 7091, ISO/IEC 14888-3) is one of the Russian (and since
2018 the CIS countries) cryptographic standard algorithms (called GOST
algorithms). Only signature verification is supported, with intent to be
used in the IMA.
Summary of the changes:
* crypto/Kconfig:
- EC-RDSA is added into Public-key cryptography section.
* crypto/Makefile:
- ecrdsa objects are added.
* crypto/asymmetric_keys/x509_cert_parser.c:
- Recognize EC-RDSA and Streebog OIDs.
* include/linux/oid_registry.h:
- EC-RDSA OIDs are added to the enum. Also, a two currently not
implemented curve OIDs are added for possible extension later (to
not change numbering and grouping).
* crypto/ecc.c:
- Kenneth MacKay copyright date is updated to 2014, because
vli_mmod_slow, ecc_point_add, ecc_point_mult_shamir are based on his
code from micro-ecc.
- Functions needed for ecrdsa are EXPORT_SYMBOL'ed.
- New functions:
vli_is_negative - helper to determine sign of vli;
vli_from_be64 - unpack big-endian array into vli (used for
a signature);
vli_from_le64 - unpack little-endian array into vli (used for
a public key);
vli_uadd, vli_usub - add/sub u64 value to/from vli (used for
increment/decrement);
mul_64_64 - optimized to use __int128 where appropriate, this speeds
up point multiplication (and as a consequence signature
verification) by the factor of 1.5-2;
vli_umult - multiply vli by a small value (speeds up point
multiplication by another factor of 1.5-2, depending on vli sizes);
vli_mmod_special - module reduction for some form of Pseudo-Mersenne
primes (used for the curves A);
vli_mmod_special2 - module reduction for another form of
Pseudo-Mersenne primes (used for the curves B);
vli_mmod_barrett - module reduction using pre-computed value (used
for the curve C);
vli_mmod_slow - more general module reduction which is much slower
(used when the modulus is subgroup order);
vli_mod_mult_slow - modular multiplication;
ecc_point_add - add two points;
ecc_point_mult_shamir - add two points multiplied by scalars in one
combined multiplication (this gives speed up by another factor 2 in
compare to two separate multiplications).
ecc_is_pubkey_valid_partial - additional samity check is added.
- Updated vli_mmod_fast with non-strict heuristic to call optimal
module reduction function depending on the prime value;
- All computations for the previously defined (two NIST) curves should
not unaffected.
* crypto/ecc.h:
- Newly exported functions are documented.
* crypto/ecrdsa_defs.h
- Five curves are defined.
* crypto/ecrdsa.c:
- Signature verification is implemented.
* crypto/ecrdsa_params.asn1, crypto/ecrdsa_pub_key.asn1:
- Templates for BER decoder for EC-RDSA parameters and public key.
Cc: linux-integrity@vger.kernel.org
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-04-11 15:51:20 +00:00
|
|
|
|
2021-03-16 21:07:37 +00:00
|
|
|
case OID_id_ecdsa_with_sha1:
|
|
|
|
ctx->cert->sig->hash_algo = "sha1";
|
|
|
|
goto ecdsa;
|
|
|
|
|
|
|
|
case OID_id_ecdsa_with_sha224:
|
|
|
|
ctx->cert->sig->hash_algo = "sha224";
|
|
|
|
goto ecdsa;
|
|
|
|
|
|
|
|
case OID_id_ecdsa_with_sha256:
|
|
|
|
ctx->cert->sig->hash_algo = "sha256";
|
|
|
|
goto ecdsa;
|
|
|
|
|
|
|
|
case OID_id_ecdsa_with_sha384:
|
|
|
|
ctx->cert->sig->hash_algo = "sha384";
|
|
|
|
goto ecdsa;
|
|
|
|
|
|
|
|
case OID_id_ecdsa_with_sha512:
|
|
|
|
ctx->cert->sig->hash_algo = "sha512";
|
|
|
|
goto ecdsa;
|
|
|
|
|
crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm
Add Elliptic Curve Russian Digital Signature Algorithm (GOST R
34.10-2012, RFC 7091, ISO/IEC 14888-3) is one of the Russian (and since
2018 the CIS countries) cryptographic standard algorithms (called GOST
algorithms). Only signature verification is supported, with intent to be
used in the IMA.
Summary of the changes:
* crypto/Kconfig:
- EC-RDSA is added into Public-key cryptography section.
* crypto/Makefile:
- ecrdsa objects are added.
* crypto/asymmetric_keys/x509_cert_parser.c:
- Recognize EC-RDSA and Streebog OIDs.
* include/linux/oid_registry.h:
- EC-RDSA OIDs are added to the enum. Also, a two currently not
implemented curve OIDs are added for possible extension later (to
not change numbering and grouping).
* crypto/ecc.c:
- Kenneth MacKay copyright date is updated to 2014, because
vli_mmod_slow, ecc_point_add, ecc_point_mult_shamir are based on his
code from micro-ecc.
- Functions needed for ecrdsa are EXPORT_SYMBOL'ed.
- New functions:
vli_is_negative - helper to determine sign of vli;
vli_from_be64 - unpack big-endian array into vli (used for
a signature);
vli_from_le64 - unpack little-endian array into vli (used for
a public key);
vli_uadd, vli_usub - add/sub u64 value to/from vli (used for
increment/decrement);
mul_64_64 - optimized to use __int128 where appropriate, this speeds
up point multiplication (and as a consequence signature
verification) by the factor of 1.5-2;
vli_umult - multiply vli by a small value (speeds up point
multiplication by another factor of 1.5-2, depending on vli sizes);
vli_mmod_special - module reduction for some form of Pseudo-Mersenne
primes (used for the curves A);
vli_mmod_special2 - module reduction for another form of
Pseudo-Mersenne primes (used for the curves B);
vli_mmod_barrett - module reduction using pre-computed value (used
for the curve C);
vli_mmod_slow - more general module reduction which is much slower
(used when the modulus is subgroup order);
vli_mod_mult_slow - modular multiplication;
ecc_point_add - add two points;
ecc_point_mult_shamir - add two points multiplied by scalars in one
combined multiplication (this gives speed up by another factor 2 in
compare to two separate multiplications).
ecc_is_pubkey_valid_partial - additional samity check is added.
- Updated vli_mmod_fast with non-strict heuristic to call optimal
module reduction function depending on the prime value;
- All computations for the previously defined (two NIST) curves should
not unaffected.
* crypto/ecc.h:
- Newly exported functions are documented.
* crypto/ecrdsa_defs.h
- Five curves are defined.
* crypto/ecrdsa.c:
- Signature verification is implemented.
* crypto/ecrdsa_params.asn1, crypto/ecrdsa_pub_key.asn1:
- Templates for BER decoder for EC-RDSA parameters and public key.
Cc: linux-integrity@vger.kernel.org
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-04-11 15:51:20 +00:00
|
|
|
case OID_gost2012Signature256:
|
|
|
|
ctx->cert->sig->hash_algo = "streebog256";
|
|
|
|
goto ecrdsa;
|
|
|
|
|
|
|
|
case OID_gost2012Signature512:
|
|
|
|
ctx->cert->sig->hash_algo = "streebog512";
|
|
|
|
goto ecrdsa;
|
2020-09-20 16:21:01 +00:00
|
|
|
|
|
|
|
case OID_SM2_with_SM3:
|
|
|
|
ctx->cert->sig->hash_algo = "sm3";
|
|
|
|
goto sm2;
|
2012-09-24 16:11:48 +00:00
|
|
|
}
|
|
|
|
|
2018-10-09 16:47:15 +00:00
|
|
|
rsa_pkcs1:
|
|
|
|
ctx->cert->sig->pkey_algo = "rsa";
|
|
|
|
ctx->cert->sig->encoding = "pkcs1";
|
2022-01-19 00:54:33 +00:00
|
|
|
ctx->sig_algo = ctx->last_oid;
|
2012-09-24 16:11:48 +00:00
|
|
|
return 0;
|
crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm
Add Elliptic Curve Russian Digital Signature Algorithm (GOST R
34.10-2012, RFC 7091, ISO/IEC 14888-3) is one of the Russian (and since
2018 the CIS countries) cryptographic standard algorithms (called GOST
algorithms). Only signature verification is supported, with intent to be
used in the IMA.
Summary of the changes:
* crypto/Kconfig:
- EC-RDSA is added into Public-key cryptography section.
* crypto/Makefile:
- ecrdsa objects are added.
* crypto/asymmetric_keys/x509_cert_parser.c:
- Recognize EC-RDSA and Streebog OIDs.
* include/linux/oid_registry.h:
- EC-RDSA OIDs are added to the enum. Also, a two currently not
implemented curve OIDs are added for possible extension later (to
not change numbering and grouping).
* crypto/ecc.c:
- Kenneth MacKay copyright date is updated to 2014, because
vli_mmod_slow, ecc_point_add, ecc_point_mult_shamir are based on his
code from micro-ecc.
- Functions needed for ecrdsa are EXPORT_SYMBOL'ed.
- New functions:
vli_is_negative - helper to determine sign of vli;
vli_from_be64 - unpack big-endian array into vli (used for
a signature);
vli_from_le64 - unpack little-endian array into vli (used for
a public key);
vli_uadd, vli_usub - add/sub u64 value to/from vli (used for
increment/decrement);
mul_64_64 - optimized to use __int128 where appropriate, this speeds
up point multiplication (and as a consequence signature
verification) by the factor of 1.5-2;
vli_umult - multiply vli by a small value (speeds up point
multiplication by another factor of 1.5-2, depending on vli sizes);
vli_mmod_special - module reduction for some form of Pseudo-Mersenne
primes (used for the curves A);
vli_mmod_special2 - module reduction for another form of
Pseudo-Mersenne primes (used for the curves B);
vli_mmod_barrett - module reduction using pre-computed value (used
for the curve C);
vli_mmod_slow - more general module reduction which is much slower
(used when the modulus is subgroup order);
vli_mod_mult_slow - modular multiplication;
ecc_point_add - add two points;
ecc_point_mult_shamir - add two points multiplied by scalars in one
combined multiplication (this gives speed up by another factor 2 in
compare to two separate multiplications).
ecc_is_pubkey_valid_partial - additional samity check is added.
- Updated vli_mmod_fast with non-strict heuristic to call optimal
module reduction function depending on the prime value;
- All computations for the previously defined (two NIST) curves should
not unaffected.
* crypto/ecc.h:
- Newly exported functions are documented.
* crypto/ecrdsa_defs.h
- Five curves are defined.
* crypto/ecrdsa.c:
- Signature verification is implemented.
* crypto/ecrdsa_params.asn1, crypto/ecrdsa_pub_key.asn1:
- Templates for BER decoder for EC-RDSA parameters and public key.
Cc: linux-integrity@vger.kernel.org
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-04-11 15:51:20 +00:00
|
|
|
ecrdsa:
|
|
|
|
ctx->cert->sig->pkey_algo = "ecrdsa";
|
|
|
|
ctx->cert->sig->encoding = "raw";
|
2022-01-19 00:54:33 +00:00
|
|
|
ctx->sig_algo = ctx->last_oid;
|
crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm
Add Elliptic Curve Russian Digital Signature Algorithm (GOST R
34.10-2012, RFC 7091, ISO/IEC 14888-3) is one of the Russian (and since
2018 the CIS countries) cryptographic standard algorithms (called GOST
algorithms). Only signature verification is supported, with intent to be
used in the IMA.
Summary of the changes:
* crypto/Kconfig:
- EC-RDSA is added into Public-key cryptography section.
* crypto/Makefile:
- ecrdsa objects are added.
* crypto/asymmetric_keys/x509_cert_parser.c:
- Recognize EC-RDSA and Streebog OIDs.
* include/linux/oid_registry.h:
- EC-RDSA OIDs are added to the enum. Also, a two currently not
implemented curve OIDs are added for possible extension later (to
not change numbering and grouping).
* crypto/ecc.c:
- Kenneth MacKay copyright date is updated to 2014, because
vli_mmod_slow, ecc_point_add, ecc_point_mult_shamir are based on his
code from micro-ecc.
- Functions needed for ecrdsa are EXPORT_SYMBOL'ed.
- New functions:
vli_is_negative - helper to determine sign of vli;
vli_from_be64 - unpack big-endian array into vli (used for
a signature);
vli_from_le64 - unpack little-endian array into vli (used for
a public key);
vli_uadd, vli_usub - add/sub u64 value to/from vli (used for
increment/decrement);
mul_64_64 - optimized to use __int128 where appropriate, this speeds
up point multiplication (and as a consequence signature
verification) by the factor of 1.5-2;
vli_umult - multiply vli by a small value (speeds up point
multiplication by another factor of 1.5-2, depending on vli sizes);
vli_mmod_special - module reduction for some form of Pseudo-Mersenne
primes (used for the curves A);
vli_mmod_special2 - module reduction for another form of
Pseudo-Mersenne primes (used for the curves B);
vli_mmod_barrett - module reduction using pre-computed value (used
for the curve C);
vli_mmod_slow - more general module reduction which is much slower
(used when the modulus is subgroup order);
vli_mod_mult_slow - modular multiplication;
ecc_point_add - add two points;
ecc_point_mult_shamir - add two points multiplied by scalars in one
combined multiplication (this gives speed up by another factor 2 in
compare to two separate multiplications).
ecc_is_pubkey_valid_partial - additional samity check is added.
- Updated vli_mmod_fast with non-strict heuristic to call optimal
module reduction function depending on the prime value;
- All computations for the previously defined (two NIST) curves should
not unaffected.
* crypto/ecc.h:
- Newly exported functions are documented.
* crypto/ecrdsa_defs.h
- Five curves are defined.
* crypto/ecrdsa.c:
- Signature verification is implemented.
* crypto/ecrdsa_params.asn1, crypto/ecrdsa_pub_key.asn1:
- Templates for BER decoder for EC-RDSA parameters and public key.
Cc: linux-integrity@vger.kernel.org
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-04-11 15:51:20 +00:00
|
|
|
return 0;
|
2020-09-20 16:21:01 +00:00
|
|
|
sm2:
|
|
|
|
ctx->cert->sig->pkey_algo = "sm2";
|
|
|
|
ctx->cert->sig->encoding = "raw";
|
2022-01-19 00:54:33 +00:00
|
|
|
ctx->sig_algo = ctx->last_oid;
|
2020-09-20 16:21:01 +00:00
|
|
|
return 0;
|
2021-03-16 21:07:37 +00:00
|
|
|
ecdsa:
|
|
|
|
ctx->cert->sig->pkey_algo = "ecdsa";
|
|
|
|
ctx->cert->sig->encoding = "x962";
|
2022-01-19 00:54:33 +00:00
|
|
|
ctx->sig_algo = ctx->last_oid;
|
2021-03-16 21:07:37 +00:00
|
|
|
return 0;
|
2012-09-24 16:11:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Note the whereabouts and type of the signature.
|
|
|
|
*/
|
|
|
|
int x509_note_signature(void *context, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
|
|
|
|
2022-01-19 00:54:33 +00:00
|
|
|
pr_debug("Signature: alg=%u, size=%zu\n", ctx->last_oid, vlen);
|
2012-09-24 16:11:48 +00:00
|
|
|
|
2022-01-19 00:54:33 +00:00
|
|
|
/*
|
|
|
|
* In X.509 certificates, the signature's algorithm is stored in two
|
|
|
|
* places: inside the TBSCertificate (the data that is signed), and
|
|
|
|
* alongside the signature. These *must* match.
|
|
|
|
*/
|
|
|
|
if (ctx->last_oid != ctx->sig_algo) {
|
|
|
|
pr_warn("signatureAlgorithm (%u) differs from tbsCertificate.signature (%u)\n",
|
|
|
|
ctx->last_oid, ctx->sig_algo);
|
2012-09-24 16:11:48 +00:00
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm
Add Elliptic Curve Russian Digital Signature Algorithm (GOST R
34.10-2012, RFC 7091, ISO/IEC 14888-3) is one of the Russian (and since
2018 the CIS countries) cryptographic standard algorithms (called GOST
algorithms). Only signature verification is supported, with intent to be
used in the IMA.
Summary of the changes:
* crypto/Kconfig:
- EC-RDSA is added into Public-key cryptography section.
* crypto/Makefile:
- ecrdsa objects are added.
* crypto/asymmetric_keys/x509_cert_parser.c:
- Recognize EC-RDSA and Streebog OIDs.
* include/linux/oid_registry.h:
- EC-RDSA OIDs are added to the enum. Also, a two currently not
implemented curve OIDs are added for possible extension later (to
not change numbering and grouping).
* crypto/ecc.c:
- Kenneth MacKay copyright date is updated to 2014, because
vli_mmod_slow, ecc_point_add, ecc_point_mult_shamir are based on his
code from micro-ecc.
- Functions needed for ecrdsa are EXPORT_SYMBOL'ed.
- New functions:
vli_is_negative - helper to determine sign of vli;
vli_from_be64 - unpack big-endian array into vli (used for
a signature);
vli_from_le64 - unpack little-endian array into vli (used for
a public key);
vli_uadd, vli_usub - add/sub u64 value to/from vli (used for
increment/decrement);
mul_64_64 - optimized to use __int128 where appropriate, this speeds
up point multiplication (and as a consequence signature
verification) by the factor of 1.5-2;
vli_umult - multiply vli by a small value (speeds up point
multiplication by another factor of 1.5-2, depending on vli sizes);
vli_mmod_special - module reduction for some form of Pseudo-Mersenne
primes (used for the curves A);
vli_mmod_special2 - module reduction for another form of
Pseudo-Mersenne primes (used for the curves B);
vli_mmod_barrett - module reduction using pre-computed value (used
for the curve C);
vli_mmod_slow - more general module reduction which is much slower
(used when the modulus is subgroup order);
vli_mod_mult_slow - modular multiplication;
ecc_point_add - add two points;
ecc_point_mult_shamir - add two points multiplied by scalars in one
combined multiplication (this gives speed up by another factor 2 in
compare to two separate multiplications).
ecc_is_pubkey_valid_partial - additional samity check is added.
- Updated vli_mmod_fast with non-strict heuristic to call optimal
module reduction function depending on the prime value;
- All computations for the previously defined (two NIST) curves should
not unaffected.
* crypto/ecc.h:
- Newly exported functions are documented.
* crypto/ecrdsa_defs.h
- Five curves are defined.
* crypto/ecrdsa.c:
- Signature verification is implemented.
* crypto/ecrdsa_params.asn1, crypto/ecrdsa_pub_key.asn1:
- Templates for BER decoder for EC-RDSA parameters and public key.
Cc: linux-integrity@vger.kernel.org
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-04-11 15:51:20 +00:00
|
|
|
if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0 ||
|
2020-09-20 16:21:01 +00:00
|
|
|
strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0 ||
|
2021-03-16 21:07:37 +00:00
|
|
|
strcmp(ctx->cert->sig->pkey_algo, "sm2") == 0 ||
|
|
|
|
strcmp(ctx->cert->sig->pkey_algo, "ecdsa") == 0) {
|
2018-05-19 12:23:54 +00:00
|
|
|
/* Discard the BIT STRING metadata */
|
|
|
|
if (vlen < 1 || *(const u8 *)value != 0)
|
|
|
|
return -EBADMSG;
|
|
|
|
|
|
|
|
value++;
|
|
|
|
vlen--;
|
|
|
|
}
|
|
|
|
|
2013-08-30 15:18:02 +00:00
|
|
|
ctx->cert->raw_sig = value;
|
|
|
|
ctx->cert->raw_sig_size = vlen;
|
2012-09-24 16:11:48 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-07-01 15:40:19 +00:00
|
|
|
/*
|
|
|
|
* Note the certificate serial number
|
|
|
|
*/
|
|
|
|
int x509_note_serial(void *context, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
|
|
|
ctx->cert->raw_serial = value;
|
|
|
|
ctx->cert->raw_serial_size = vlen;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2012-09-24 16:11:48 +00:00
|
|
|
/*
|
|
|
|
* Note some of the name segments from which we'll fabricate a name.
|
|
|
|
*/
|
|
|
|
int x509_extract_name_segment(void *context, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
|
|
|
|
|
|
|
switch (ctx->last_oid) {
|
|
|
|
case OID_commonName:
|
|
|
|
ctx->cn_size = vlen;
|
|
|
|
ctx->cn_offset = (unsigned long)value - ctx->data;
|
|
|
|
break;
|
|
|
|
case OID_organizationName:
|
|
|
|
ctx->o_size = vlen;
|
|
|
|
ctx->o_offset = (unsigned long)value - ctx->data;
|
|
|
|
break;
|
|
|
|
case OID_email_address:
|
|
|
|
ctx->email_size = vlen;
|
|
|
|
ctx->email_offset = (unsigned long)value - ctx->data;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Fabricate and save the issuer and subject names
|
|
|
|
*/
|
|
|
|
static int x509_fabricate_name(struct x509_parse_context *ctx, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
char **_name, size_t vlen)
|
|
|
|
{
|
|
|
|
const void *name, *data = (const void *)ctx->data;
|
|
|
|
size_t namesize;
|
|
|
|
char *buffer;
|
|
|
|
|
|
|
|
if (*_name)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
/* Empty name string if no material */
|
|
|
|
if (!ctx->cn_size && !ctx->o_size && !ctx->email_size) {
|
|
|
|
buffer = kmalloc(1, GFP_KERNEL);
|
|
|
|
if (!buffer)
|
|
|
|
return -ENOMEM;
|
|
|
|
buffer[0] = 0;
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ctx->cn_size && ctx->o_size) {
|
|
|
|
/* Consider combining O and CN, but use only the CN if it is
|
|
|
|
* prefixed by the O, or a significant portion thereof.
|
|
|
|
*/
|
|
|
|
namesize = ctx->cn_size;
|
|
|
|
name = data + ctx->cn_offset;
|
|
|
|
if (ctx->cn_size >= ctx->o_size &&
|
|
|
|
memcmp(data + ctx->cn_offset, data + ctx->o_offset,
|
|
|
|
ctx->o_size) == 0)
|
|
|
|
goto single_component;
|
|
|
|
if (ctx->cn_size >= 7 &&
|
|
|
|
ctx->o_size >= 7 &&
|
|
|
|
memcmp(data + ctx->cn_offset, data + ctx->o_offset, 7) == 0)
|
|
|
|
goto single_component;
|
|
|
|
|
|
|
|
buffer = kmalloc(ctx->o_size + 2 + ctx->cn_size + 1,
|
|
|
|
GFP_KERNEL);
|
|
|
|
if (!buffer)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
memcpy(buffer,
|
|
|
|
data + ctx->o_offset, ctx->o_size);
|
|
|
|
buffer[ctx->o_size + 0] = ':';
|
|
|
|
buffer[ctx->o_size + 1] = ' ';
|
|
|
|
memcpy(buffer + ctx->o_size + 2,
|
|
|
|
data + ctx->cn_offset, ctx->cn_size);
|
|
|
|
buffer[ctx->o_size + 2 + ctx->cn_size] = 0;
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
} else if (ctx->cn_size) {
|
|
|
|
namesize = ctx->cn_size;
|
|
|
|
name = data + ctx->cn_offset;
|
|
|
|
} else if (ctx->o_size) {
|
|
|
|
namesize = ctx->o_size;
|
|
|
|
name = data + ctx->o_offset;
|
|
|
|
} else {
|
|
|
|
namesize = ctx->email_size;
|
|
|
|
name = data + ctx->email_offset;
|
|
|
|
}
|
|
|
|
|
|
|
|
single_component:
|
|
|
|
buffer = kmalloc(namesize + 1, GFP_KERNEL);
|
|
|
|
if (!buffer)
|
|
|
|
return -ENOMEM;
|
|
|
|
memcpy(buffer, name, namesize);
|
|
|
|
buffer[namesize] = 0;
|
|
|
|
|
|
|
|
done:
|
|
|
|
*_name = buffer;
|
|
|
|
ctx->cn_size = 0;
|
|
|
|
ctx->o_size = 0;
|
|
|
|
ctx->email_size = 0;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int x509_note_issuer(void *context, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
2021-11-09 15:16:49 +00:00
|
|
|
struct asymmetric_key_id *kid;
|
|
|
|
|
2014-07-01 15:40:19 +00:00
|
|
|
ctx->cert->raw_issuer = value;
|
|
|
|
ctx->cert->raw_issuer_size = vlen;
|
2021-11-09 15:16:49 +00:00
|
|
|
|
|
|
|
if (!ctx->cert->sig->auth_ids[2]) {
|
|
|
|
kid = asymmetric_key_generate_id(value, vlen, "", 0);
|
|
|
|
if (IS_ERR(kid))
|
|
|
|
return PTR_ERR(kid);
|
|
|
|
ctx->cert->sig->auth_ids[2] = kid;
|
|
|
|
}
|
|
|
|
|
2012-09-24 16:11:48 +00:00
|
|
|
return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->issuer, vlen);
|
|
|
|
}
|
|
|
|
|
|
|
|
int x509_note_subject(void *context, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
2014-07-01 15:40:19 +00:00
|
|
|
ctx->cert->raw_subject = value;
|
|
|
|
ctx->cert->raw_subject_size = vlen;
|
2012-09-24 16:11:48 +00:00
|
|
|
return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->subject, vlen);
|
|
|
|
}
|
|
|
|
|
2019-04-11 15:51:17 +00:00
|
|
|
/*
|
|
|
|
* Extract the parameters for the public key
|
|
|
|
*/
|
|
|
|
int x509_note_params(void *context, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* AlgorithmIdentifier is used three times in the x509, we should skip
|
|
|
|
* first and ignore third, using second one which is after subject and
|
|
|
|
* before subjectPublicKey.
|
|
|
|
*/
|
|
|
|
if (!ctx->cert->raw_subject || ctx->key)
|
|
|
|
return 0;
|
|
|
|
ctx->params = value - hdrlen;
|
|
|
|
ctx->params_size = vlen + hdrlen;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2012-09-24 16:11:48 +00:00
|
|
|
/*
|
|
|
|
* Extract the data for the public key algorithm
|
|
|
|
*/
|
|
|
|
int x509_extract_key_data(void *context, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
2021-03-16 21:07:36 +00:00
|
|
|
enum OID oid;
|
2012-09-24 16:11:48 +00:00
|
|
|
|
crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm
Add Elliptic Curve Russian Digital Signature Algorithm (GOST R
34.10-2012, RFC 7091, ISO/IEC 14888-3) is one of the Russian (and since
2018 the CIS countries) cryptographic standard algorithms (called GOST
algorithms). Only signature verification is supported, with intent to be
used in the IMA.
Summary of the changes:
* crypto/Kconfig:
- EC-RDSA is added into Public-key cryptography section.
* crypto/Makefile:
- ecrdsa objects are added.
* crypto/asymmetric_keys/x509_cert_parser.c:
- Recognize EC-RDSA and Streebog OIDs.
* include/linux/oid_registry.h:
- EC-RDSA OIDs are added to the enum. Also, a two currently not
implemented curve OIDs are added for possible extension later (to
not change numbering and grouping).
* crypto/ecc.c:
- Kenneth MacKay copyright date is updated to 2014, because
vli_mmod_slow, ecc_point_add, ecc_point_mult_shamir are based on his
code from micro-ecc.
- Functions needed for ecrdsa are EXPORT_SYMBOL'ed.
- New functions:
vli_is_negative - helper to determine sign of vli;
vli_from_be64 - unpack big-endian array into vli (used for
a signature);
vli_from_le64 - unpack little-endian array into vli (used for
a public key);
vli_uadd, vli_usub - add/sub u64 value to/from vli (used for
increment/decrement);
mul_64_64 - optimized to use __int128 where appropriate, this speeds
up point multiplication (and as a consequence signature
verification) by the factor of 1.5-2;
vli_umult - multiply vli by a small value (speeds up point
multiplication by another factor of 1.5-2, depending on vli sizes);
vli_mmod_special - module reduction for some form of Pseudo-Mersenne
primes (used for the curves A);
vli_mmod_special2 - module reduction for another form of
Pseudo-Mersenne primes (used for the curves B);
vli_mmod_barrett - module reduction using pre-computed value (used
for the curve C);
vli_mmod_slow - more general module reduction which is much slower
(used when the modulus is subgroup order);
vli_mod_mult_slow - modular multiplication;
ecc_point_add - add two points;
ecc_point_mult_shamir - add two points multiplied by scalars in one
combined multiplication (this gives speed up by another factor 2 in
compare to two separate multiplications).
ecc_is_pubkey_valid_partial - additional samity check is added.
- Updated vli_mmod_fast with non-strict heuristic to call optimal
module reduction function depending on the prime value;
- All computations for the previously defined (two NIST) curves should
not unaffected.
* crypto/ecc.h:
- Newly exported functions are documented.
* crypto/ecrdsa_defs.h
- Five curves are defined.
* crypto/ecrdsa.c:
- Signature verification is implemented.
* crypto/ecrdsa_params.asn1, crypto/ecrdsa_pub_key.asn1:
- Templates for BER decoder for EC-RDSA parameters and public key.
Cc: linux-integrity@vger.kernel.org
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-04-11 15:51:20 +00:00
|
|
|
ctx->key_algo = ctx->last_oid;
|
2020-09-20 16:21:01 +00:00
|
|
|
switch (ctx->last_oid) {
|
|
|
|
case OID_rsaEncryption:
|
crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm
Add Elliptic Curve Russian Digital Signature Algorithm (GOST R
34.10-2012, RFC 7091, ISO/IEC 14888-3) is one of the Russian (and since
2018 the CIS countries) cryptographic standard algorithms (called GOST
algorithms). Only signature verification is supported, with intent to be
used in the IMA.
Summary of the changes:
* crypto/Kconfig:
- EC-RDSA is added into Public-key cryptography section.
* crypto/Makefile:
- ecrdsa objects are added.
* crypto/asymmetric_keys/x509_cert_parser.c:
- Recognize EC-RDSA and Streebog OIDs.
* include/linux/oid_registry.h:
- EC-RDSA OIDs are added to the enum. Also, a two currently not
implemented curve OIDs are added for possible extension later (to
not change numbering and grouping).
* crypto/ecc.c:
- Kenneth MacKay copyright date is updated to 2014, because
vli_mmod_slow, ecc_point_add, ecc_point_mult_shamir are based on his
code from micro-ecc.
- Functions needed for ecrdsa are EXPORT_SYMBOL'ed.
- New functions:
vli_is_negative - helper to determine sign of vli;
vli_from_be64 - unpack big-endian array into vli (used for
a signature);
vli_from_le64 - unpack little-endian array into vli (used for
a public key);
vli_uadd, vli_usub - add/sub u64 value to/from vli (used for
increment/decrement);
mul_64_64 - optimized to use __int128 where appropriate, this speeds
up point multiplication (and as a consequence signature
verification) by the factor of 1.5-2;
vli_umult - multiply vli by a small value (speeds up point
multiplication by another factor of 1.5-2, depending on vli sizes);
vli_mmod_special - module reduction for some form of Pseudo-Mersenne
primes (used for the curves A);
vli_mmod_special2 - module reduction for another form of
Pseudo-Mersenne primes (used for the curves B);
vli_mmod_barrett - module reduction using pre-computed value (used
for the curve C);
vli_mmod_slow - more general module reduction which is much slower
(used when the modulus is subgroup order);
vli_mod_mult_slow - modular multiplication;
ecc_point_add - add two points;
ecc_point_mult_shamir - add two points multiplied by scalars in one
combined multiplication (this gives speed up by another factor 2 in
compare to two separate multiplications).
ecc_is_pubkey_valid_partial - additional samity check is added.
- Updated vli_mmod_fast with non-strict heuristic to call optimal
module reduction function depending on the prime value;
- All computations for the previously defined (two NIST) curves should
not unaffected.
* crypto/ecc.h:
- Newly exported functions are documented.
* crypto/ecrdsa_defs.h
- Five curves are defined.
* crypto/ecrdsa.c:
- Signature verification is implemented.
* crypto/ecrdsa_params.asn1, crypto/ecrdsa_pub_key.asn1:
- Templates for BER decoder for EC-RDSA parameters and public key.
Cc: linux-integrity@vger.kernel.org
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-04-11 15:51:20 +00:00
|
|
|
ctx->cert->pub->pkey_algo = "rsa";
|
2020-09-20 16:21:01 +00:00
|
|
|
break;
|
|
|
|
case OID_gost2012PKey256:
|
|
|
|
case OID_gost2012PKey512:
|
crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm
Add Elliptic Curve Russian Digital Signature Algorithm (GOST R
34.10-2012, RFC 7091, ISO/IEC 14888-3) is one of the Russian (and since
2018 the CIS countries) cryptographic standard algorithms (called GOST
algorithms). Only signature verification is supported, with intent to be
used in the IMA.
Summary of the changes:
* crypto/Kconfig:
- EC-RDSA is added into Public-key cryptography section.
* crypto/Makefile:
- ecrdsa objects are added.
* crypto/asymmetric_keys/x509_cert_parser.c:
- Recognize EC-RDSA and Streebog OIDs.
* include/linux/oid_registry.h:
- EC-RDSA OIDs are added to the enum. Also, a two currently not
implemented curve OIDs are added for possible extension later (to
not change numbering and grouping).
* crypto/ecc.c:
- Kenneth MacKay copyright date is updated to 2014, because
vli_mmod_slow, ecc_point_add, ecc_point_mult_shamir are based on his
code from micro-ecc.
- Functions needed for ecrdsa are EXPORT_SYMBOL'ed.
- New functions:
vli_is_negative - helper to determine sign of vli;
vli_from_be64 - unpack big-endian array into vli (used for
a signature);
vli_from_le64 - unpack little-endian array into vli (used for
a public key);
vli_uadd, vli_usub - add/sub u64 value to/from vli (used for
increment/decrement);
mul_64_64 - optimized to use __int128 where appropriate, this speeds
up point multiplication (and as a consequence signature
verification) by the factor of 1.5-2;
vli_umult - multiply vli by a small value (speeds up point
multiplication by another factor of 1.5-2, depending on vli sizes);
vli_mmod_special - module reduction for some form of Pseudo-Mersenne
primes (used for the curves A);
vli_mmod_special2 - module reduction for another form of
Pseudo-Mersenne primes (used for the curves B);
vli_mmod_barrett - module reduction using pre-computed value (used
for the curve C);
vli_mmod_slow - more general module reduction which is much slower
(used when the modulus is subgroup order);
vli_mod_mult_slow - modular multiplication;
ecc_point_add - add two points;
ecc_point_mult_shamir - add two points multiplied by scalars in one
combined multiplication (this gives speed up by another factor 2 in
compare to two separate multiplications).
ecc_is_pubkey_valid_partial - additional samity check is added.
- Updated vli_mmod_fast with non-strict heuristic to call optimal
module reduction function depending on the prime value;
- All computations for the previously defined (two NIST) curves should
not unaffected.
* crypto/ecc.h:
- Newly exported functions are documented.
* crypto/ecrdsa_defs.h
- Five curves are defined.
* crypto/ecrdsa.c:
- Signature verification is implemented.
* crypto/ecrdsa_params.asn1, crypto/ecrdsa_pub_key.asn1:
- Templates for BER decoder for EC-RDSA parameters and public key.
Cc: linux-integrity@vger.kernel.org
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-04-11 15:51:20 +00:00
|
|
|
ctx->cert->pub->pkey_algo = "ecrdsa";
|
2020-09-20 16:21:01 +00:00
|
|
|
break;
|
2022-06-27 09:19:58 +00:00
|
|
|
case OID_sm2:
|
|
|
|
ctx->cert->pub->pkey_algo = "sm2";
|
|
|
|
break;
|
2020-09-20 16:21:01 +00:00
|
|
|
case OID_id_ecPublicKey:
|
2021-03-16 21:07:36 +00:00
|
|
|
if (parse_OID(ctx->params, ctx->params_size, &oid) != 0)
|
|
|
|
return -EBADMSG;
|
|
|
|
|
|
|
|
switch (oid) {
|
|
|
|
case OID_sm2:
|
|
|
|
ctx->cert->pub->pkey_algo = "sm2";
|
|
|
|
break;
|
2021-03-16 21:07:37 +00:00
|
|
|
case OID_id_prime192v1:
|
|
|
|
ctx->cert->pub->pkey_algo = "ecdsa-nist-p192";
|
|
|
|
break;
|
|
|
|
case OID_id_prime256v1:
|
|
|
|
ctx->cert->pub->pkey_algo = "ecdsa-nist-p256";
|
|
|
|
break;
|
2021-03-16 21:07:39 +00:00
|
|
|
case OID_id_ansip384r1:
|
|
|
|
ctx->cert->pub->pkey_algo = "ecdsa-nist-p384";
|
|
|
|
break;
|
2021-03-16 21:07:36 +00:00
|
|
|
default:
|
|
|
|
return -ENOPKG;
|
|
|
|
}
|
2020-09-20 16:21:01 +00:00
|
|
|
break;
|
|
|
|
default:
|
2012-09-24 16:11:48 +00:00
|
|
|
return -ENOPKG;
|
2020-09-20 16:21:01 +00:00
|
|
|
}
|
2012-09-24 16:11:48 +00:00
|
|
|
|
2013-08-30 15:15:24 +00:00
|
|
|
/* Discard the BIT STRING metadata */
|
2017-12-08 15:13:27 +00:00
|
|
|
if (vlen < 1 || *(const u8 *)value != 0)
|
|
|
|
return -EBADMSG;
|
2012-09-24 16:11:48 +00:00
|
|
|
ctx->key = value + 1;
|
|
|
|
ctx->key_size = vlen - 1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-04-22 01:26:55 +00:00
|
|
|
/* The keyIdentifier in AuthorityKeyIdentifier SEQUENCE is tag(CONT,PRIM,0) */
|
|
|
|
#define SEQ_TAG_KEYID (ASN1_CONT << 6)
|
|
|
|
|
2012-09-24 16:11:48 +00:00
|
|
|
/*
|
|
|
|
* Process certificate extensions that are used to qualify the certificate.
|
|
|
|
*/
|
|
|
|
int x509_process_extension(void *context, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
2014-09-16 16:36:13 +00:00
|
|
|
struct asymmetric_key_id *kid;
|
2012-09-24 16:11:48 +00:00
|
|
|
const unsigned char *v = value;
|
|
|
|
|
|
|
|
pr_debug("Extension: %u\n", ctx->last_oid);
|
|
|
|
|
|
|
|
if (ctx->last_oid == OID_subjectKeyIdentifier) {
|
|
|
|
/* Get hold of the key fingerprint */
|
2014-09-16 16:36:13 +00:00
|
|
|
if (ctx->cert->skid || vlen < 3)
|
2012-09-24 16:11:48 +00:00
|
|
|
return -EBADMSG;
|
|
|
|
if (v[0] != ASN1_OTS || v[1] != vlen - 2)
|
|
|
|
return -EBADMSG;
|
|
|
|
v += 2;
|
|
|
|
vlen -= 2;
|
|
|
|
|
2014-10-03 15:17:02 +00:00
|
|
|
ctx->cert->raw_skid_size = vlen;
|
|
|
|
ctx->cert->raw_skid = v;
|
2015-07-20 20:16:32 +00:00
|
|
|
kid = asymmetric_key_generate_id(v, vlen, "", 0);
|
2014-09-16 16:36:13 +00:00
|
|
|
if (IS_ERR(kid))
|
|
|
|
return PTR_ERR(kid);
|
|
|
|
ctx->cert->skid = kid;
|
|
|
|
pr_debug("subjkeyid %*phN\n", kid->len, kid->data);
|
2012-09-24 16:11:48 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ctx->last_oid == OID_authorityKeyIdentifier) {
|
|
|
|
/* Get hold of the CA key fingerprint */
|
2015-07-20 20:16:26 +00:00
|
|
|
ctx->raw_akid = v;
|
|
|
|
ctx->raw_akid_size = vlen;
|
2012-09-24 16:11:48 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2015-07-29 15:58:32 +00:00
|
|
|
/**
|
|
|
|
* x509_decode_time - Decode an X.509 time ASN.1 object
|
|
|
|
* @_t: The time to fill in
|
|
|
|
* @hdrlen: The length of the object header
|
|
|
|
* @tag: The object tag
|
|
|
|
* @value: The object value
|
|
|
|
* @vlen: The size of the object value
|
|
|
|
*
|
|
|
|
* Decode an ASN.1 universal time or generalised time field into a struct the
|
|
|
|
* kernel can handle and check it for validity. The time is decoded thus:
|
|
|
|
*
|
|
|
|
* [RFC5280 §4.1.2.5]
|
|
|
|
* CAs conforming to this profile MUST always encode certificate validity
|
|
|
|
* dates through the year 2049 as UTCTime; certificate validity dates in
|
|
|
|
* 2050 or later MUST be encoded as GeneralizedTime. Conforming
|
|
|
|
* applications MUST be able to process validity dates that are encoded in
|
|
|
|
* either UTCTime or GeneralizedTime.
|
2012-09-24 16:11:48 +00:00
|
|
|
*/
|
2015-07-29 15:58:32 +00:00
|
|
|
int x509_decode_time(time64_t *_t, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const unsigned char *value, size_t vlen)
|
2012-09-24 16:11:48 +00:00
|
|
|
{
|
2016-02-24 14:37:15 +00:00
|
|
|
static const unsigned char month_lengths[] = { 31, 28, 31, 30, 31, 30,
|
2015-07-29 15:58:32 +00:00
|
|
|
31, 31, 30, 31, 30, 31 };
|
2012-09-24 16:11:48 +00:00
|
|
|
const unsigned char *p = value;
|
2015-07-29 15:58:32 +00:00
|
|
|
unsigned year, mon, day, hour, min, sec, mon_len;
|
2012-09-24 16:11:48 +00:00
|
|
|
|
2015-07-29 15:58:32 +00:00
|
|
|
#define dec2bin(X) ({ unsigned char x = (X) - '0'; if (x > 9) goto invalid_time; x; })
|
2012-09-24 16:11:48 +00:00
|
|
|
#define DD2bin(P) ({ unsigned x = dec2bin(P[0]) * 10 + dec2bin(P[1]); P += 2; x; })
|
|
|
|
|
|
|
|
if (tag == ASN1_UNITIM) {
|
|
|
|
/* UTCTime: YYMMDDHHMMSSZ */
|
|
|
|
if (vlen != 13)
|
|
|
|
goto unsupported_time;
|
2015-07-29 15:58:32 +00:00
|
|
|
year = DD2bin(p);
|
|
|
|
if (year >= 50)
|
|
|
|
year += 1900;
|
2012-09-24 16:11:48 +00:00
|
|
|
else
|
2015-07-29 15:58:32 +00:00
|
|
|
year += 2000;
|
2012-09-24 16:11:48 +00:00
|
|
|
} else if (tag == ASN1_GENTIM) {
|
|
|
|
/* GenTime: YYYYMMDDHHMMSSZ */
|
|
|
|
if (vlen != 15)
|
|
|
|
goto unsupported_time;
|
2015-07-29 15:58:32 +00:00
|
|
|
year = DD2bin(p) * 100 + DD2bin(p);
|
|
|
|
if (year >= 1950 && year <= 2049)
|
|
|
|
goto invalid_time;
|
2012-09-24 16:11:48 +00:00
|
|
|
} else {
|
|
|
|
goto unsupported_time;
|
|
|
|
}
|
|
|
|
|
2015-07-29 15:58:32 +00:00
|
|
|
mon = DD2bin(p);
|
|
|
|
day = DD2bin(p);
|
|
|
|
hour = DD2bin(p);
|
|
|
|
min = DD2bin(p);
|
|
|
|
sec = DD2bin(p);
|
2012-09-24 16:11:48 +00:00
|
|
|
|
|
|
|
if (*p != 'Z')
|
|
|
|
goto unsupported_time;
|
|
|
|
|
2015-11-12 09:36:40 +00:00
|
|
|
if (year < 1970 ||
|
|
|
|
mon < 1 || mon > 12)
|
|
|
|
goto invalid_time;
|
|
|
|
|
|
|
|
mon_len = month_lengths[mon - 1];
|
2015-07-29 15:58:32 +00:00
|
|
|
if (mon == 2) {
|
|
|
|
if (year % 4 == 0) {
|
|
|
|
mon_len = 29;
|
|
|
|
if (year % 100 == 0) {
|
2016-02-24 14:37:15 +00:00
|
|
|
mon_len = 28;
|
|
|
|
if (year % 400 == 0)
|
|
|
|
mon_len = 29;
|
2015-07-29 15:58:32 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-11-12 09:36:40 +00:00
|
|
|
if (day < 1 || day > mon_len ||
|
2016-02-24 14:37:54 +00:00
|
|
|
hour > 24 || /* ISO 8601 permits 24:00:00 as midnight tomorrow */
|
2015-09-17 07:42:51 +00:00
|
|
|
min > 59 ||
|
2016-02-24 14:37:53 +00:00
|
|
|
sec > 60) /* ISO 8601 permits leap seconds [X.680 46.3] */
|
2015-07-29 15:58:32 +00:00
|
|
|
goto invalid_time;
|
2015-11-12 09:36:40 +00:00
|
|
|
|
2015-07-29 15:58:32 +00:00
|
|
|
*_t = mktime64(year, mon, day, hour, min, sec);
|
2012-09-24 16:11:48 +00:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
unsupported_time:
|
2015-07-29 15:58:32 +00:00
|
|
|
pr_debug("Got unsupported time [tag %02x]: '%*phN'\n",
|
|
|
|
tag, (int)vlen, value);
|
|
|
|
return -EBADMSG;
|
|
|
|
invalid_time:
|
|
|
|
pr_debug("Got invalid time [tag %02x]: '%*phN'\n",
|
|
|
|
tag, (int)vlen, value);
|
2012-09-24 16:11:48 +00:00
|
|
|
return -EBADMSG;
|
|
|
|
}
|
2015-07-29 15:58:32 +00:00
|
|
|
EXPORT_SYMBOL_GPL(x509_decode_time);
|
2012-09-24 16:11:48 +00:00
|
|
|
|
|
|
|
int x509_note_not_before(void *context, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
2015-07-29 15:58:32 +00:00
|
|
|
return x509_decode_time(&ctx->cert->valid_from, hdrlen, tag, value, vlen);
|
2012-09-24 16:11:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
int x509_note_not_after(void *context, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
2015-07-29 15:58:32 +00:00
|
|
|
return x509_decode_time(&ctx->cert->valid_to, hdrlen, tag, value, vlen);
|
2012-09-24 16:11:48 +00:00
|
|
|
}
|
2015-07-20 20:16:26 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Note a key identifier-based AuthorityKeyIdentifier
|
|
|
|
*/
|
|
|
|
int x509_akid_note_kid(void *context, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
|
|
|
struct asymmetric_key_id *kid;
|
|
|
|
|
|
|
|
pr_debug("AKID: keyid: %*phN\n", (int)vlen, value);
|
|
|
|
|
2016-04-06 15:13:33 +00:00
|
|
|
if (ctx->cert->sig->auth_ids[1])
|
2015-07-20 20:16:26 +00:00
|
|
|
return 0;
|
|
|
|
|
2015-07-20 20:16:32 +00:00
|
|
|
kid = asymmetric_key_generate_id(value, vlen, "", 0);
|
2015-07-20 20:16:26 +00:00
|
|
|
if (IS_ERR(kid))
|
|
|
|
return PTR_ERR(kid);
|
|
|
|
pr_debug("authkeyid %*phN\n", kid->len, kid->data);
|
2016-04-06 15:13:33 +00:00
|
|
|
ctx->cert->sig->auth_ids[1] = kid;
|
2015-07-20 20:16:26 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Note a directoryName in an AuthorityKeyIdentifier
|
|
|
|
*/
|
|
|
|
int x509_akid_note_name(void *context, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
|
|
|
|
|
|
|
pr_debug("AKID: name: %*phN\n", (int)vlen, value);
|
|
|
|
|
|
|
|
ctx->akid_raw_issuer = value;
|
|
|
|
ctx->akid_raw_issuer_size = vlen;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Note a serial number in an AuthorityKeyIdentifier
|
|
|
|
*/
|
|
|
|
int x509_akid_note_serial(void *context, size_t hdrlen,
|
|
|
|
unsigned char tag,
|
|
|
|
const void *value, size_t vlen)
|
|
|
|
{
|
|
|
|
struct x509_parse_context *ctx = context;
|
|
|
|
struct asymmetric_key_id *kid;
|
|
|
|
|
|
|
|
pr_debug("AKID: serial: %*phN\n", (int)vlen, value);
|
|
|
|
|
2016-04-06 15:13:33 +00:00
|
|
|
if (!ctx->akid_raw_issuer || ctx->cert->sig->auth_ids[0])
|
2015-07-20 20:16:26 +00:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
kid = asymmetric_key_generate_id(value,
|
|
|
|
vlen,
|
|
|
|
ctx->akid_raw_issuer,
|
|
|
|
ctx->akid_raw_issuer_size);
|
|
|
|
if (IS_ERR(kid))
|
|
|
|
return PTR_ERR(kid);
|
|
|
|
|
|
|
|
pr_debug("authkeyid %*phN\n", kid->len, kid->data);
|
2016-04-06 15:13:33 +00:00
|
|
|
ctx->cert->sig->auth_ids[0] = kid;
|
2015-07-20 20:16:26 +00:00
|
|
|
return 0;
|
|
|
|
}
|