
1 // SPDX-License-Identifier: GPL-2.0-or-later
21 unsigned long data; /* Start of data */
47 public_key_free(cert->pub); in x509_free_certificate()
48 public_key_signature_free(cert->sig); in x509_free_certificate()
49 kfree(cert->issuer); in x509_free_certificate()
50 kfree(cert->subject); in x509_free_certificate()
51 kfree(cert->id); in x509_free_certificate()
52 kfree(cert->skid); in x509_free_certificate()
68 ret = -ENOMEM; in x509_cert_parse()
72 cert->pub = kzalloc(sizeof(struct public_key), GFP_KERNEL); in x509_cert_parse()
73 if (!cert->pub) in x509_cert_parse()
75 cert->sig = kzalloc(sizeof(struct public_key_signature), GFP_KERNEL); in x509_cert_parse()
76 if (!cert->sig) in x509_cert_parse()
82 ctx->cert = cert; in x509_cert_parse()
83 ctx->data = (unsigned long)data; in x509_cert_parse()
91 if (ctx->raw_akid) { in x509_cert_parse()
93 ctx->raw_akid_size, ctx->raw_akid_size, ctx->raw_akid); in x509_cert_parse()
95 ctx->raw_akid, ctx->raw_akid_size); in x509_cert_parse()
102 ret = -ENOMEM; in x509_cert_parse()
103 cert->pub->key = kmemdup(ctx->key, ctx->key_size, GFP_KERNEL); in x509_cert_parse()
104 if (!cert->pub->key) in x509_cert_parse()
107 cert->pub->keylen = ctx->key_size; in x509_cert_parse()
109 cert->pub->params = kmemdup(ctx->params, ctx->params_size, GFP_KERNEL); in x509_cert_parse()
110 if (!cert->pub->params) in x509_cert_parse()
113 cert->pub->paramlen = ctx->params_size; in x509_cert_parse()
114 cert->pub->algo = ctx->key_algo; in x509_cert_parse()
122 kid = asymmetric_key_generate_id(cert->raw_serial, in x509_cert_parse()
123 cert->raw_serial_size, in x509_cert_parse()
124 cert->raw_issuer, in x509_cert_parse()
125 cert->raw_issuer_size); in x509_cert_parse()
130 cert->id = kid; in x509_cert_parse()
132 /* Detect self-signed certificates */ in x509_cert_parse()
159 ctx->last_oid = look_up_OID(value, vlen); in x509_note_OID()
160 if (ctx->last_oid == OID__NR) { in x509_note_OID()
164 (unsigned long)value - ctx->data, buffer); in x509_note_OID()
180 hdrlen, tag, (unsigned long)value - ctx->data, vlen); in x509_note_tbs_certificate()
182 ctx->cert->tbs = value - hdrlen; in x509_note_tbs_certificate()
183 ctx->cert->tbs_size = vlen + hdrlen; in x509_note_tbs_certificate()
195 pr_debug("PubKey Algo: %u\n", ctx->last_oid); in x509_note_sig_algo()
197 switch (ctx->last_oid) { in x509_note_sig_algo()
199 return -ENOPKG; /* Unsupported combination */ in x509_note_sig_algo()
202 ctx->cert->sig->hash_algo = "sha256"; in x509_note_sig_algo()
206 ctx->cert->sig->hash_algo = "sha384"; in x509_note_sig_algo()
210 ctx->cert->sig->hash_algo = "sha512"; in x509_note_sig_algo()
214 ctx->cert->sig->hash_algo = "sha224"; in x509_note_sig_algo()
218 ctx->cert->sig->hash_algo = "sha3-256"; in x509_note_sig_algo()
222 ctx->cert->sig->hash_algo = "sha3-384"; in x509_note_sig_algo()
226 ctx->cert->sig->hash_algo = "sha3-512"; in x509_note_sig_algo()
230 ctx->cert->sig->hash_algo = "sha224"; in x509_note_sig_algo()
234 ctx->cert->sig->hash_algo = "sha256"; in x509_note_sig_algo()
238 ctx->cert->sig->hash_algo = "sha384"; in x509_note_sig_algo()
242 ctx->cert->sig->hash_algo = "sha512"; in x509_note_sig_algo()
246 ctx->cert->sig->hash_algo = "sha3-256"; in x509_note_sig_algo()
250 ctx->cert->sig->hash_algo = "sha3-384"; in x509_note_sig_algo()
254 ctx->cert->sig->hash_algo = "sha3-512"; in x509_note_sig_algo()
258 ctx->cert->sig->hash_algo = "streebog256"; in x509_note_sig_algo()
262 ctx->cert->sig->hash_algo = "streebog512"; in x509_note_sig_algo()
266 ctx->cert->sig->hash_algo = "sm3"; in x509_note_sig_algo()
271 ctx->cert->sig->pkey_algo = "rsa"; in x509_note_sig_algo()
272 ctx->cert->sig->encoding = "pkcs1"; in x509_note_sig_algo()
273 ctx->sig_algo = ctx->last_oid; in x509_note_sig_algo()
276 ctx->cert->sig->pkey_algo = "ecrdsa"; in x509_note_sig_algo()
277 ctx->cert->sig->encoding = "raw"; in x509_note_sig_algo()
278 ctx->sig_algo = ctx->last_oid; in x509_note_sig_algo()
281 ctx->cert->sig->pkey_algo = "sm2"; in x509_note_sig_algo()
282 ctx->cert->sig->encoding = "raw"; in x509_note_sig_algo()
283 ctx->sig_algo = ctx->last_oid; in x509_note_sig_algo()
286 ctx->cert->sig->pkey_algo = "ecdsa"; in x509_note_sig_algo()
287 ctx->cert->sig->encoding = "x962"; in x509_note_sig_algo()
288 ctx->sig_algo = ctx->last_oid; in x509_note_sig_algo()
301 pr_debug("Signature: alg=%u, size=%zu\n", ctx->last_oid, vlen); in x509_note_signature()
308 if (ctx->last_oid != ctx->sig_algo) { in x509_note_signature()
310 ctx->last_oid, ctx->sig_algo); in x509_note_signature()
311 return -EINVAL; in x509_note_signature()
314 if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0 || in x509_note_signature()
315 strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0 || in x509_note_signature()
316 strcmp(ctx->cert->sig->pkey_algo, "sm2") == 0 || in x509_note_signature()
317 strcmp(ctx->cert->sig->pkey_algo, "ecdsa") == 0) { in x509_note_signature()
320 return -EBADMSG; in x509_note_signature()
323 vlen--; in x509_note_signature()
326 ctx->cert->raw_sig = value; in x509_note_signature()
327 ctx->cert->raw_sig_size = vlen; in x509_note_signature()
339 ctx->cert->raw_serial = value; in x509_note_serial()
340 ctx->cert->raw_serial_size = vlen; in x509_note_serial()
353 switch (ctx->last_oid) { in x509_extract_name_segment()
355 ctx->cn_size = vlen; in x509_extract_name_segment()
356 ctx->cn_offset = (unsigned long)value - ctx->data; in x509_extract_name_segment()
359 ctx->o_size = vlen; in x509_extract_name_segment()
360 ctx->o_offset = (unsigned long)value - ctx->data; in x509_extract_name_segment()
363 ctx->email_size = vlen; in x509_extract_name_segment()
364 ctx->email_offset = (unsigned long)value - ctx->data; in x509_extract_name_segment()
380 const void *name, *data = (const void *)ctx->data; in x509_fabricate_name()
385 return -EINVAL; in x509_fabricate_name()
388 if (!ctx->cn_size && !ctx->o_size && !ctx->email_size) { in x509_fabricate_name()
391 return -ENOMEM; in x509_fabricate_name()
396 if (ctx->cn_size && ctx->o_size) { in x509_fabricate_name()
400 namesize = ctx->cn_size; in x509_fabricate_name()
401 name = data + ctx->cn_offset; in x509_fabricate_name()
402 if (ctx->cn_size >= ctx->o_size && in x509_fabricate_name()
403 memcmp(data + ctx->cn_offset, data + ctx->o_offset, in x509_fabricate_name()
404 ctx->o_size) == 0) in x509_fabricate_name()
406 if (ctx->cn_size >= 7 && in x509_fabricate_name()
407 ctx->o_size >= 7 && in x509_fabricate_name()
408 memcmp(data + ctx->cn_offset, data + ctx->o_offset, 7) == 0) in x509_fabricate_name()
411 buffer = kmalloc(ctx->o_size + 2 + ctx->cn_size + 1, in x509_fabricate_name()
414 return -ENOMEM; in x509_fabricate_name()
417 data + ctx->o_offset, ctx->o_size); in x509_fabricate_name()
418 buffer[ctx->o_size + 0] = ':'; in x509_fabricate_name()
419 buffer[ctx->o_size + 1] = ' '; in x509_fabricate_name()
420 memcpy(buffer + ctx->o_size + 2, in x509_fabricate_name()
421 data + ctx->cn_offset, ctx->cn_size); in x509_fabricate_name()
422 buffer[ctx->o_size + 2 + ctx->cn_size] = 0; in x509_fabricate_name()
425 } else if (ctx->cn_size) { in x509_fabricate_name()
426 namesize = ctx->cn_size; in x509_fabricate_name()
427 name = data + ctx->cn_offset; in x509_fabricate_name()
428 } else if (ctx->o_size) { in x509_fabricate_name()
429 namesize = ctx->o_size; in x509_fabricate_name()
430 name = data + ctx->o_offset; in x509_fabricate_name()
432 namesize = ctx->email_size; in x509_fabricate_name()
433 name = data + ctx->email_offset; in x509_fabricate_name()
439 return -ENOMEM; in x509_fabricate_name()
445 ctx->cn_size = 0; in x509_fabricate_name()
446 ctx->o_size = 0; in x509_fabricate_name()
447 ctx->email_size = 0; in x509_fabricate_name()
458 ctx->cert->raw_issuer = value; in x509_note_issuer()
459 ctx->cert->raw_issuer_size = vlen; in x509_note_issuer()
461 if (!ctx->cert->sig->auth_ids[2]) { in x509_note_issuer()
465 ctx->cert->sig->auth_ids[2] = kid; in x509_note_issuer()
468 return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->issuer, vlen); in x509_note_issuer()
476 ctx->cert->raw_subject = value; in x509_note_subject()
477 ctx->cert->raw_subject_size = vlen; in x509_note_subject()
478 return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->subject, vlen); in x509_note_subject()
495 if (!ctx->cert->raw_subject || ctx->key) in x509_note_params()
497 ctx->params = value - hdrlen; in x509_note_params()
498 ctx->params_size = vlen + hdrlen; in x509_note_params()
512 ctx->key_algo = ctx->last_oid; in x509_extract_key_data()
513 switch (ctx->last_oid) { in x509_extract_key_data()
515 ctx->cert->pub->pkey_algo = "rsa"; in x509_extract_key_data()
519 ctx->cert->pub->pkey_algo = "ecrdsa"; in x509_extract_key_data()
522 ctx->cert->pub->pkey_algo = "sm2"; in x509_extract_key_data()
525 if (parse_OID(ctx->params, ctx->params_size, &oid) != 0) in x509_extract_key_data()
526 return -EBADMSG; in x509_extract_key_data()
530 ctx->cert->pub->pkey_algo = "sm2"; in x509_extract_key_data()
533 ctx->cert->pub->pkey_algo = "ecdsa-nist-p192"; in x509_extract_key_data()
536 ctx->cert->pub->pkey_algo = "ecdsa-nist-p256"; in x509_extract_key_data()
539 ctx->cert->pub->pkey_algo = "ecdsa-nist-p384"; in x509_extract_key_data()
542 return -ENOPKG; in x509_extract_key_data()
546 return -ENOPKG; in x509_extract_key_data()
551 return -EBADMSG; in x509_extract_key_data()
552 ctx->key = value + 1; in x509_extract_key_data()
553 ctx->key_size = vlen - 1; in x509_extract_key_data()
571 pr_debug("Extension: %u\n", ctx->last_oid); in x509_process_extension()
573 if (ctx->last_oid == OID_subjectKeyIdentifier) { in x509_process_extension()
575 if (ctx->cert->skid || vlen < 3) in x509_process_extension()
576 return -EBADMSG; in x509_process_extension()
577 if (v[0] != ASN1_OTS || v[1] != vlen - 2) in x509_process_extension()
578 return -EBADMSG; in x509_process_extension()
580 vlen -= 2; in x509_process_extension()
582 ctx->cert->raw_skid_size = vlen; in x509_process_extension()
583 ctx->cert->raw_skid = v; in x509_process_extension()
587 ctx->cert->skid = kid; in x509_process_extension()
588 pr_debug("subjkeyid %*phN\n", kid->len, kid->data); in x509_process_extension()
592 if (ctx->last_oid == OID_keyUsage) { in x509_process_extension()
606 return -EBADMSG; in x509_process_extension()
608 return -EBADMSG; in x509_process_extension()
610 return -EBADMSG; in x509_process_extension()
612 ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_DIGITALSIG; in x509_process_extension()
614 ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_KEYCERTSIGN; in x509_process_extension()
616 ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_KEYCERTSIGN; in x509_process_extension()
620 if (ctx->last_oid == OID_authorityKeyIdentifier) { in x509_process_extension()
622 ctx->raw_akid = v; in x509_process_extension()
623 ctx->raw_akid_size = vlen; in x509_process_extension()
627 if (ctx->last_oid == OID_basicConstraints) { in x509_process_extension()
639 return -EBADMSG; in x509_process_extension()
641 return -EBADMSG; in x509_process_extension()
642 if (v[1] != vlen - 2) in x509_process_extension()
643 return -EBADMSG; in x509_process_extension()
645 ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_CA; in x509_process_extension()
653 * x509_decode_time - Decode an X.509 time ASN.1 object
665 * dates through the year 2049 as UTCTime; certificate validity dates in
677 unsigned year, mon, day, hour, min, sec, mon_len; in x509_decode_time() local
679 #define dec2bin(X) ({ unsigned char x = (X) - '0'; if (x > 9) goto invalid_time; x; }) in x509_decode_time()
686 year = DD2bin(p); in x509_decode_time()
687 if (year >= 50) in x509_decode_time()
688 year += 1900; in x509_decode_time()
690 year += 2000; in x509_decode_time()
695 year = DD2bin(p) * 100 + DD2bin(p); in x509_decode_time()
696 if (year >= 1950 && year <= 2049) in x509_decode_time()
711 if (year < 1970 || in x509_decode_time()
715 mon_len = month_lengths[mon - 1]; in x509_decode_time()
717 if (year % 4 == 0) { in x509_decode_time()
719 if (year % 100 == 0) { in x509_decode_time()
721 if (year % 400 == 0) in x509_decode_time()
733 *_t = mktime64(year, mon, day, hour, min, sec); in x509_decode_time()
739 return -EBADMSG; in x509_decode_time()
743 return -EBADMSG; in x509_decode_time()
752 return x509_decode_time(&ctx->cert->valid_from, hdrlen, tag, value, vlen); in x509_note_not_before()
760 return x509_decode_time(&ctx->cert->valid_to, hdrlen, tag, value, vlen); in x509_note_not_after()
764 * Note a key identifier-based AuthorityKeyIdentifier
775 if (ctx->cert->sig->auth_ids[1]) in x509_akid_note_kid()
781 pr_debug("authkeyid %*phN\n", kid->len, kid->data); in x509_akid_note_kid()
782 ctx->cert->sig->auth_ids[1] = kid; in x509_akid_note_kid()
797 ctx->akid_raw_issuer = value; in x509_akid_note_name()
798 ctx->akid_raw_issuer_size = vlen; in x509_akid_note_name()
814 if (!ctx->akid_raw_issuer || ctx->cert->sig->auth_ids[0]) in x509_akid_note_serial()
819 ctx->akid_raw_issuer, in x509_akid_note_serial()
820 ctx->akid_raw_issuer_size); in x509_akid_note_serial()
824 pr_debug("authkeyid %*phN\n", kid->len, kid->data); in x509_akid_note_serial()
825 ctx->cert->sig->auth_ids[0] = kid; in x509_akid_note_serial()