mirror of
https://github.com/torvalds/linux.git
synced 2024-12-25 20:32:22 +00:00
e68503bd68
Generalise system_verify_data() to provide access to internal content through a callback. This allows all the PKCS#7 stuff to be hidden inside this function and removed from the PE file parser and the PKCS#7 test key. If external content is not required, NULL should be passed as data to the function. If the callback is not required, that can be set to NULL. The function is now called verify_pkcs7_signature() to contrast with verify_pefile_signature() and the definitions of both have been moved into linux/verification.h along with the key_being_used_for enum. Signed-off-by: David Howells <dhowells@redhat.com>
129 lines
2.9 KiB
C
129 lines
2.9 KiB
C
/* Parse a Microsoft Individual Code Signing blob
|
|
*
|
|
* Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public Licence
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the Licence, or (at your option) any later version.
|
|
*/
|
|
|
|
#define pr_fmt(fmt) "MSCODE: "fmt
|
|
#include <linux/kernel.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/err.h>
|
|
#include <linux/oid_registry.h>
|
|
#include <crypto/pkcs7.h>
|
|
#include "verify_pefile.h"
|
|
#include "mscode-asn1.h"
|
|
|
|
/*
|
|
* Parse a Microsoft Individual Code Signing blob
|
|
*/
|
|
int mscode_parse(void *_ctx, const void *content_data, size_t data_len,
|
|
size_t asn1hdrlen)
|
|
{
|
|
struct pefile_context *ctx = _ctx;
|
|
|
|
content_data -= asn1hdrlen;
|
|
data_len += asn1hdrlen;
|
|
pr_devel("Data: %zu [%*ph]\n", data_len, (unsigned)(data_len),
|
|
content_data);
|
|
|
|
return asn1_ber_decoder(&mscode_decoder, ctx, content_data, data_len);
|
|
}
|
|
|
|
/*
|
|
* Check the content type OID
|
|
*/
|
|
int mscode_note_content_type(void *context, size_t hdrlen,
|
|
unsigned char tag,
|
|
const void *value, size_t vlen)
|
|
{
|
|
enum OID oid;
|
|
|
|
oid = look_up_OID(value, vlen);
|
|
if (oid == OID__NR) {
|
|
char buffer[50];
|
|
|
|
sprint_oid(value, vlen, buffer, sizeof(buffer));
|
|
pr_err("Unknown OID: %s\n", buffer);
|
|
return -EBADMSG;
|
|
}
|
|
|
|
/*
|
|
* pesign utility had a bug where it was putting
|
|
* OID_msIndividualSPKeyPurpose instead of OID_msPeImageDataObjId
|
|
* So allow both OIDs.
|
|
*/
|
|
if (oid != OID_msPeImageDataObjId &&
|
|
oid != OID_msIndividualSPKeyPurpose) {
|
|
pr_err("Unexpected content type OID %u\n", oid);
|
|
return -EBADMSG;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Note the digest algorithm OID
|
|
*/
|
|
int mscode_note_digest_algo(void *context, size_t hdrlen,
|
|
unsigned char tag,
|
|
const void *value, size_t vlen)
|
|
{
|
|
struct pefile_context *ctx = context;
|
|
char buffer[50];
|
|
enum OID oid;
|
|
|
|
oid = look_up_OID(value, vlen);
|
|
switch (oid) {
|
|
case OID_md4:
|
|
ctx->digest_algo = "md4";
|
|
break;
|
|
case OID_md5:
|
|
ctx->digest_algo = "md5";
|
|
break;
|
|
case OID_sha1:
|
|
ctx->digest_algo = "sha1";
|
|
break;
|
|
case OID_sha256:
|
|
ctx->digest_algo = "sha256";
|
|
break;
|
|
case OID_sha384:
|
|
ctx->digest_algo = "sha384";
|
|
break;
|
|
case OID_sha512:
|
|
ctx->digest_algo = "sha512";
|
|
break;
|
|
case OID_sha224:
|
|
ctx->digest_algo = "sha224";
|
|
break;
|
|
|
|
case OID__NR:
|
|
sprint_oid(value, vlen, buffer, sizeof(buffer));
|
|
pr_err("Unknown OID: %s\n", buffer);
|
|
return -EBADMSG;
|
|
|
|
default:
|
|
pr_err("Unsupported content type: %u\n", oid);
|
|
return -ENOPKG;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Note the digest we're guaranteeing with this certificate
|
|
*/
|
|
int mscode_note_digest(void *context, size_t hdrlen,
|
|
unsigned char tag,
|
|
const void *value, size_t vlen)
|
|
{
|
|
struct pefile_context *ctx = context;
|
|
|
|
ctx->digest = kmemdup(value, vlen, GFP_KERNEL);
|
|
return ctx->digest ? 0 : -ENOMEM;
|
|
}
|