1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Verify the signature on a PKCS#7 message.
3 *
4 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
6 */
7
8 #define pr_fmt(fmt) "PKCS7: "fmt
9 #include <linux/kernel.h>
10 #include <linux/export.h>
11 #include <linux/slab.h>
12 #include <linux/err.h>
13 #include <linux/asn1.h>
14 #include <crypto/hash.h>
15 #include <crypto/hash_info.h>
16 #include <crypto/public_key.h>
17 #include "pkcs7_parser.h"
18
19 /*
20 * Digest the relevant parts of the PKCS#7 data
21 */
pkcs7_digest(struct pkcs7_message * pkcs7,struct pkcs7_signed_info * sinfo)22 static int pkcs7_digest(struct pkcs7_message *pkcs7,
23 struct pkcs7_signed_info *sinfo)
24 {
25 struct public_key_signature *sig = sinfo->sig;
26 struct crypto_shash *tfm;
27 struct shash_desc *desc;
28 size_t desc_size;
29 int ret;
30
31 kenter(",%u,%s", sinfo->index, sinfo->sig->hash_algo);
32
33 if (!sinfo->authattrs && sig->algo_takes_data) {
34 /* There's no intermediate digest and the signature algo
35 * doesn't want the data prehashing.
36 */
37 sig->m = (void *)pkcs7->data;
38 sig->m_size = pkcs7->data_len;
39 sig->m_free = false;
40 return 0;
41 }
42
43 /* The digest was calculated already. */
44 if (sig->m)
45 return 0;
46
47 if (!sinfo->sig->hash_algo)
48 return -ENOPKG;
49
50 /* Allocate the hashing algorithm we're going to need and find out how
51 * big the hash operational data will be.
52 */
53 tfm = crypto_alloc_shash(sinfo->sig->hash_algo, 0, 0);
54 if (IS_ERR(tfm))
55 return (PTR_ERR(tfm) == -ENOENT) ? -ENOPKG : PTR_ERR(tfm);
56
57 desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
58 sig->m_size = crypto_shash_digestsize(tfm);
59
60 ret = -ENOMEM;
61 sig->m = kmalloc(umax(sinfo->authattrs_len, sig->m_size), GFP_KERNEL);
62 if (!sig->m)
63 goto error_no_desc;
64 sig->m_free = true;
65
66 desc = kzalloc(desc_size, GFP_KERNEL);
67 if (!desc)
68 goto error_no_desc;
69
70 desc->tfm = tfm;
71
72 /* Digest the message [RFC2315 9.3] */
73 ret = crypto_shash_digest(desc, pkcs7->data, pkcs7->data_len, sig->m);
74 if (ret < 0)
75 goto error;
76 pr_devel("MsgDigest = [%*ph]\n", 8, sig->m);
77
78 /* However, if there are authenticated attributes, there must be a
79 * message digest attribute amongst them which corresponds to the
80 * digest we just calculated.
81 */
82 if (sinfo->authattrs) {
83 if (!sinfo->msgdigest) {
84 pr_warn("Sig %u: No messageDigest\n", sinfo->index);
85 ret = -EKEYREJECTED;
86 goto error;
87 }
88
89 if (sinfo->msgdigest_len != sig->m_size) {
90 pr_warn("Sig %u: Invalid digest size (%u)\n",
91 sinfo->index, sinfo->msgdigest_len);
92 ret = -EBADMSG;
93 goto error;
94 }
95
96 if (memcmp(sig->m, sinfo->msgdigest,
97 sinfo->msgdigest_len) != 0) {
98 pr_warn("Sig %u: Message digest doesn't match\n",
99 sinfo->index);
100 ret = -EKEYREJECTED;
101 goto error;
102 }
103
104 /* We then calculate anew, using the authenticated attributes
105 * as the contents of the digest instead. Note that we need to
106 * convert the attributes from a CONT.0 into a SET before we
107 * hash it.
108 *
109 * However, for certain algorithms, such as ML-DSA, the digest
110 * is integrated into the signing algorithm. In such a case,
111 * we copy the authattrs, modifying the tag type, and set that
112 * as the digest.
113 */
114 memcpy(sig->m, sinfo->authattrs, sinfo->authattrs_len);
115 sig->m[0] = ASN1_CONS_BIT | ASN1_SET;
116
117 if (sig->algo_takes_data) {
118 sig->m_size = sinfo->authattrs_len;
119 ret = 0;
120 } else {
121 ret = crypto_shash_digest(desc, sig->m,
122 sinfo->authattrs_len,
123 sig->m);
124 if (ret < 0)
125 goto error;
126 }
127 pr_devel("AADigest = [%*ph]\n", 8, sig->m);
128 }
129
130 error:
131 kfree(desc);
132 error_no_desc:
133 crypto_free_shash(tfm);
134 kleave(" = %d", ret);
135 return ret;
136 }
137
pkcs7_get_digest(struct pkcs7_message * pkcs7,const u8 ** buf,u32 * len,enum hash_algo * hash_algo)138 int pkcs7_get_digest(struct pkcs7_message *pkcs7, const u8 **buf, u32 *len,
139 enum hash_algo *hash_algo)
140 {
141 struct pkcs7_signed_info *sinfo = pkcs7->signed_infos;
142 int i, ret;
143
144 /*
145 * This function doesn't support messages with more than one signature.
146 */
147 if (sinfo == NULL || sinfo->next != NULL)
148 return -EBADMSG;
149
150 ret = pkcs7_digest(pkcs7, sinfo);
151 if (ret)
152 return ret;
153 if (!sinfo->sig->m_free) {
154 pr_notice_once("%s: No digest available\n", __func__);
155 return -EINVAL; /* TODO: MLDSA doesn't necessarily calculate an
156 * intermediate digest. */
157 }
158
159 *buf = sinfo->sig->m;
160 *len = sinfo->sig->m_size;
161
162 i = match_string(hash_algo_name, HASH_ALGO__LAST,
163 sinfo->sig->hash_algo);
164 if (i >= 0)
165 *hash_algo = i;
166
167 return 0;
168 }
169
170 /*
171 * Find the key (X.509 certificate) to use to verify a PKCS#7 message. PKCS#7
172 * uses the issuer's name and the issuing certificate serial number for
173 * matching purposes. These must match the certificate issuer's name (not
174 * subject's name) and the certificate serial number [RFC 2315 6.7].
175 */
pkcs7_find_key(struct pkcs7_message * pkcs7,struct pkcs7_signed_info * sinfo)176 static int pkcs7_find_key(struct pkcs7_message *pkcs7,
177 struct pkcs7_signed_info *sinfo)
178 {
179 struct x509_certificate *x509;
180 unsigned certix = 1;
181
182 kenter("%u", sinfo->index);
183
184 for (x509 = pkcs7->certs; x509; x509 = x509->next, certix++) {
185 /* I'm _assuming_ that the generator of the PKCS#7 message will
186 * encode the fields from the X.509 cert in the same way in the
187 * PKCS#7 message - but I can't be 100% sure of that. It's
188 * possible this will need element-by-element comparison.
189 */
190 if (!asymmetric_key_id_same(x509->id, sinfo->sig->auth_ids[0]))
191 continue;
192 pr_devel("Sig %u: Found cert serial match X.509[%u]\n",
193 sinfo->index, certix);
194
195 sinfo->signer = x509;
196 return 0;
197 }
198
199 /* The relevant X.509 cert isn't found here, but it might be found in
200 * the trust keyring.
201 */
202 pr_debug("Sig %u: Issuing X.509 cert not found (#%*phN)\n",
203 sinfo->index,
204 sinfo->sig->auth_ids[0]->len, sinfo->sig->auth_ids[0]->data);
205 return 0;
206 }
207
208 /*
209 * Verify the internal certificate chain as best we can.
210 */
pkcs7_verify_sig_chain(struct pkcs7_message * pkcs7,struct pkcs7_signed_info * sinfo)211 static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
212 struct pkcs7_signed_info *sinfo)
213 {
214 struct public_key_signature *sig;
215 struct x509_certificate *x509 = sinfo->signer, *p;
216 struct asymmetric_key_id *auth;
217 int ret;
218
219 kenter("");
220
221 for (p = pkcs7->certs; p; p = p->next)
222 p->seen = false;
223
224 for (;;) {
225 pr_debug("verify %s: %*phN\n",
226 x509->subject,
227 x509->raw_serial_size, x509->raw_serial);
228 x509->seen = true;
229
230 if (x509->blacklisted) {
231 /* If this cert is blacklisted, then mark everything
232 * that depends on this as blacklisted too.
233 */
234 sinfo->blacklisted = true;
235 for (p = sinfo->signer; p != x509; p = p->signer)
236 p->blacklisted = true;
237 pr_debug("- blacklisted\n");
238 return 0;
239 }
240
241 pr_debug("- issuer %s\n", x509->issuer);
242 sig = x509->sig;
243 if (sig->auth_ids[0])
244 pr_debug("- authkeyid.id %*phN\n",
245 sig->auth_ids[0]->len, sig->auth_ids[0]->data);
246 if (sig->auth_ids[1])
247 pr_debug("- authkeyid.skid %*phN\n",
248 sig->auth_ids[1]->len, sig->auth_ids[1]->data);
249
250 if (x509->self_signed) {
251 /* If there's no authority certificate specified, then
252 * the certificate must be self-signed and is the root
253 * of the chain. Likewise if the cert is its own
254 * authority.
255 */
256 if (x509->unsupported_sig)
257 goto unsupported_sig_in_x509;
258 x509->signer = x509;
259 pr_debug("- self-signed\n");
260 return 0;
261 }
262
263 /* Look through the X.509 certificates in the PKCS#7 message's
264 * list to see if the next one is there.
265 */
266 auth = sig->auth_ids[0];
267 if (auth) {
268 pr_debug("- want %*phN\n", auth->len, auth->data);
269 for (p = pkcs7->certs; p; p = p->next) {
270 pr_debug("- cmp [%u] %*phN\n",
271 p->index, p->id->len, p->id->data);
272 if (asymmetric_key_id_same(p->id, auth))
273 goto found_issuer_check_skid;
274 }
275 } else if (sig->auth_ids[1]) {
276 auth = sig->auth_ids[1];
277 pr_debug("- want %*phN\n", auth->len, auth->data);
278 for (p = pkcs7->certs; p; p = p->next) {
279 if (!p->skid)
280 continue;
281 pr_debug("- cmp [%u] %*phN\n",
282 p->index, p->skid->len, p->skid->data);
283 if (asymmetric_key_id_same(p->skid, auth))
284 goto found_issuer;
285 }
286 }
287
288 /* We didn't find the root of this chain */
289 pr_debug("- top\n");
290 return 0;
291
292 found_issuer_check_skid:
293 /* We matched issuer + serialNumber, but if there's an
294 * authKeyId.keyId, that must match the CA subjKeyId also.
295 */
296 if (sig->auth_ids[1] &&
297 !asymmetric_key_id_same(p->skid, sig->auth_ids[1])) {
298 pr_warn("Sig %u: X.509 chain contains auth-skid nonmatch (%u->%u)\n",
299 sinfo->index, x509->index, p->index);
300 return -EKEYREJECTED;
301 }
302 found_issuer:
303 pr_debug("- subject %s\n", p->subject);
304 if (p->seen) {
305 pr_warn("Sig %u: X.509 chain contains loop\n",
306 sinfo->index);
307 return 0;
308 }
309 ret = public_key_verify_signature(p->pub, x509->sig);
310 if (ret < 0)
311 return ret;
312 x509->signer = p;
313 if (x509 == p) {
314 pr_debug("- self-signed\n");
315 return 0;
316 }
317 x509 = p;
318 might_sleep();
319 }
320
321 unsupported_sig_in_x509:
322 /* Just prune the certificate chain at this point if we lack some
323 * crypto module to go further. Note, however, we don't want to set
324 * sinfo->unsupported_crypto as the signed info block may still be
325 * validatable against an X.509 cert lower in the chain that we have a
326 * trusted copy of.
327 */
328 return 0;
329 }
330
331 /*
332 * Verify one signed information block from a PKCS#7 message.
333 */
pkcs7_verify_one(struct pkcs7_message * pkcs7,struct pkcs7_signed_info * sinfo)334 static int pkcs7_verify_one(struct pkcs7_message *pkcs7,
335 struct pkcs7_signed_info *sinfo)
336 {
337 int ret;
338
339 kenter(",%u", sinfo->index);
340
341 /* First of all, digest the data in the PKCS#7 message and the
342 * signed information block
343 */
344 ret = pkcs7_digest(pkcs7, sinfo);
345 if (ret < 0)
346 return ret;
347
348 /* Find the key for the signature if there is one */
349 ret = pkcs7_find_key(pkcs7, sinfo);
350 if (ret < 0)
351 return ret;
352
353 if (!sinfo->signer)
354 return 0;
355
356 pr_devel("Using X.509[%u] for sig %u\n",
357 sinfo->signer->index, sinfo->index);
358
359 /* Check that the PKCS#7 signing time is valid according to the X.509
360 * certificate. We can't, however, check against the system clock
361 * since that may not have been set yet and may be wrong.
362 */
363 if (test_bit(sinfo_has_signing_time, &sinfo->aa_set)) {
364 if (sinfo->signing_time < sinfo->signer->valid_from ||
365 sinfo->signing_time > sinfo->signer->valid_to) {
366 pr_warn("Message signed outside of X.509 validity window\n");
367 return -EKEYREJECTED;
368 }
369 }
370
371 /* Verify the PKCS#7 binary against the key */
372 ret = public_key_verify_signature(sinfo->signer->pub, sinfo->sig);
373 if (ret < 0)
374 return ret;
375
376 pr_devel("Verified signature %u\n", sinfo->index);
377
378 /* Verify the internal certificate chain */
379 return pkcs7_verify_sig_chain(pkcs7, sinfo);
380 }
381
382 /**
383 * pkcs7_verify - Verify a PKCS#7 message
384 * @pkcs7: The PKCS#7 message to be verified
385 * @usage: The use to which the key is being put
386 *
387 * Verify a PKCS#7 message is internally consistent - that is, the data digest
388 * matches the digest in the AuthAttrs and any signature in the message or one
389 * of the X.509 certificates it carries that matches another X.509 cert in the
390 * message can be verified.
391 *
392 * This does not look to match the contents of the PKCS#7 message against any
393 * external public keys.
394 *
395 * Returns, in order of descending priority:
396 *
397 * (*) -EKEYREJECTED if a key was selected that had a usage restriction at
398 * odds with the specified usage, or:
399 *
400 * (*) -EKEYREJECTED if a signature failed to match for which we found an
401 * appropriate X.509 certificate, or:
402 *
403 * (*) -EBADMSG if some part of the message was invalid, or:
404 *
405 * (*) 0 if a signature chain passed verification, or:
406 *
407 * (*) -EKEYREJECTED if a blacklisted key was encountered, or:
408 *
409 * (*) -ENOPKG if none of the signature chains are verifiable because suitable
410 * crypto modules couldn't be found.
411 */
pkcs7_verify(struct pkcs7_message * pkcs7,enum key_being_used_for usage)412 int pkcs7_verify(struct pkcs7_message *pkcs7,
413 enum key_being_used_for usage)
414 {
415 struct pkcs7_signed_info *sinfo;
416 int actual_ret = -ENOPKG;
417 int ret;
418
419 kenter("");
420
421 switch (usage) {
422 case VERIFYING_MODULE_SIGNATURE:
423 if (pkcs7->data_type != OID_data) {
424 pr_warn("Invalid module sig (not pkcs7-data)\n");
425 return -EKEYREJECTED;
426 }
427 if (pkcs7->have_authattrs) {
428 #ifdef CONFIG_PKCS7_WAIVE_AUTHATTRS_REJECTION_FOR_MLDSA
429 if (pkcs7->authattrs_rej_waivable) {
430 pr_warn_once("Waived invalid module sig (has authattrs)\n");
431 break;
432 }
433 #endif
434 pr_warn("Invalid module sig (has authattrs)\n");
435 return -EKEYREJECTED;
436 }
437 break;
438 case VERIFYING_FIRMWARE_SIGNATURE:
439 if (pkcs7->data_type != OID_data) {
440 pr_warn("Invalid firmware sig (not pkcs7-data)\n");
441 return -EKEYREJECTED;
442 }
443 if (!pkcs7->have_authattrs) {
444 pr_warn("Invalid firmware sig (missing authattrs)\n");
445 return -EKEYREJECTED;
446 }
447 break;
448 case VERIFYING_KEXEC_PE_SIGNATURE:
449 if (pkcs7->data_type != OID_msIndirectData) {
450 pr_warn("Invalid kexec sig (not Authenticode)\n");
451 return -EKEYREJECTED;
452 }
453 /* Authattr presence checked in parser */
454 break;
455 case VERIFYING_UNSPECIFIED_SIGNATURE:
456 case VERIFYING_BPF_SIGNATURE:
457 if (pkcs7->data_type != OID_data) {
458 pr_warn("Invalid unspecified sig (not pkcs7-data)\n");
459 return -EKEYREJECTED;
460 }
461 break;
462 default:
463 return -EINVAL;
464 }
465
466 for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
467 ret = pkcs7_verify_one(pkcs7, sinfo);
468 if (sinfo->blacklisted) {
469 if (actual_ret == -ENOPKG)
470 actual_ret = -EKEYREJECTED;
471 continue;
472 }
473 if (ret < 0) {
474 if (ret == -ENOPKG) {
475 sinfo->unsupported_crypto = true;
476 continue;
477 }
478 kleave(" = %d", ret);
479 return ret;
480 }
481 actual_ret = 0;
482 }
483
484 kleave(" = %d", actual_ret);
485 return actual_ret;
486 }
487 EXPORT_SYMBOL_GPL(pkcs7_verify);
488
489 /**
490 * pkcs7_supply_detached_data - Supply the data needed to verify a PKCS#7 message
491 * @pkcs7: The PKCS#7 message
492 * @data: The data to be verified
493 * @datalen: The amount of data
494 *
495 * Supply the detached data needed to verify a PKCS#7 message. Note that no
496 * attempt to retain/pin the data is made. That is left to the caller. The
497 * data will not be modified by pkcs7_verify() and will not be freed when the
498 * PKCS#7 message is freed.
499 *
500 * Returns -EINVAL if data is already supplied in the message, 0 otherwise.
501 */
pkcs7_supply_detached_data(struct pkcs7_message * pkcs7,const void * data,size_t datalen)502 int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
503 const void *data, size_t datalen)
504 {
505 if (pkcs7->data) {
506 pr_warn("Data already supplied\n");
507 return -EINVAL;
508 }
509 pkcs7->data = data;
510 pkcs7->data_len = datalen;
511 return 0;
512 }
513 EXPORT_SYMBOL_GPL(pkcs7_supply_detached_data);
514