Commit bda850cd authored by David Howells's avatar David Howells

PKCS#7: Make trust determination dependent on contents of trust keyring

Make the determination of the trustworthiness of a key dependent on whether
a key that can verify it is present in the supplied ring of trusted keys
rather than whether or not the verifying key has KEY_FLAG_TRUSTED set.

verify_pkcs7_signature() will return -ENOKEY if the PKCS#7 message trust
chain cannot be verified.
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
parent e68503bd
...@@ -121,7 +121,6 @@ late_initcall(load_system_certificate_list); ...@@ -121,7 +121,6 @@ late_initcall(load_system_certificate_list);
int verify_pkcs7_signature(const void *data, size_t len, int verify_pkcs7_signature(const void *data, size_t len,
const void *raw_pkcs7, size_t pkcs7_len, const void *raw_pkcs7, size_t pkcs7_len,
struct key *trusted_keys, struct key *trusted_keys,
int untrusted_error,
enum key_being_used_for usage, enum key_being_used_for usage,
int (*view_content)(void *ctx, int (*view_content)(void *ctx,
const void *data, size_t len, const void *data, size_t len,
...@@ -129,7 +128,6 @@ int verify_pkcs7_signature(const void *data, size_t len, ...@@ -129,7 +128,6 @@ int verify_pkcs7_signature(const void *data, size_t len,
void *ctx) void *ctx)
{ {
struct pkcs7_message *pkcs7; struct pkcs7_message *pkcs7;
bool trusted;
int ret; int ret;
pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len); pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
...@@ -149,13 +147,10 @@ int verify_pkcs7_signature(const void *data, size_t len, ...@@ -149,13 +147,10 @@ int verify_pkcs7_signature(const void *data, size_t len,
if (!trusted_keys) if (!trusted_keys)
trusted_keys = system_trusted_keyring; trusted_keys = system_trusted_keyring;
ret = pkcs7_validate_trust(pkcs7, trusted_keys, &trusted); ret = pkcs7_validate_trust(pkcs7, trusted_keys);
if (ret < 0) if (ret < 0) {
goto error; if (ret == -ENOKEY)
if (!trusted && untrusted_error) {
pr_err("PKCS#7 signature not signed with a trusted key\n"); pr_err("PKCS#7 signature not signed with a trusted key\n");
ret = untrusted_error;
goto error; goto error;
} }
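Review bot: The kernel-doc comment for verify_pkcs7_signature() sits above this hunk and is not shown; with the `int untrusted_error` parameter removed from the signature and an unverifiable chain now reported as -ENOKEY, the `@untrusted_error` line there needs to go and the return description should state the new contract, e.g. `* Return: 0 on success, -ENOKEY if the trust chain cannot be verified against @trusted_keys (see pkcs7_validate_trust()), or another negative error code.` The new error branch logs only for -ENOKEY; an -ENOPKG result, which pkcs7_validate_trust() appears able to return judging from the `cached_ret = -ENOPKG` assignment in its own hunk, is propagated without any diagnostic, which is presumably deliberate but deserves a one-line comment such as `/* -ENOPKG (unsupported crypto) is passed through without logging */`. The body of verify_pkcs7_signature() continues beyond the hunk.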
......
...@@ -62,7 +62,7 @@ static int pkcs7_preparse(struct key_preparsed_payload *prep) ...@@ -62,7 +62,7 @@ static int pkcs7_preparse(struct key_preparsed_payload *prep)
return verify_pkcs7_signature(NULL, 0, return verify_pkcs7_signature(NULL, 0,
prep->data, prep->datalen, prep->data, prep->datalen,
NULL, -ENOKEY, usage, NULL, usage,
pkcs7_view_content, prep); pkcs7_view_content, prep);
} }
......
...@@ -22,7 +22,6 @@ struct pkcs7_signed_info { ...@@ -22,7 +22,6 @@ struct pkcs7_signed_info {
struct pkcs7_signed_info *next; struct pkcs7_signed_info *next;
struct x509_certificate *signer; /* Signing certificate (in msg->certs) */ struct x509_certificate *signer; /* Signing certificate (in msg->certs) */
unsigned index; unsigned index;
bool trusted;
bool unsupported_crypto; /* T if not usable due to missing crypto */ bool unsupported_crypto; /* T if not usable due to missing crypto */
/* Message digest - the digest of the Content Data (or NULL) */ /* Message digest - the digest of the Content Data (or NULL) */
......
...@@ -30,7 +30,6 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, ...@@ -30,7 +30,6 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
struct public_key_signature *sig = sinfo->sig; struct public_key_signature *sig = sinfo->sig;
struct x509_certificate *x509, *last = NULL, *p; struct x509_certificate *x509, *last = NULL, *p;
struct key *key; struct key *key;
bool trusted;
int ret; int ret;
kenter(",%u,", sinfo->index); kenter(",%u,", sinfo->index);
...@@ -42,10 +41,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, ...@@ -42,10 +41,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
for (x509 = sinfo->signer; x509; x509 = x509->signer) { for (x509 = sinfo->signer; x509; x509 = x509->signer) {
if (x509->seen) { if (x509->seen) {
if (x509->verified) { if (x509->verified)
trusted = x509->trusted;
goto verified; goto verified;
}
kleave(" = -ENOKEY [cached]"); kleave(" = -ENOKEY [cached]");
return -ENOKEY; return -ENOKEY;
} }
...@@ -122,7 +119,6 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, ...@@ -122,7 +119,6 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
matched: matched:
ret = verify_signature(key, sig); ret = verify_signature(key, sig);
trusted = test_bit(KEY_FLAG_TRUSTED, &key->flags);
key_put(key); key_put(key);
if (ret < 0) { if (ret < 0) {
if (ret == -ENOMEM) if (ret == -ENOMEM)
...@@ -134,12 +130,9 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, ...@@ -134,12 +130,9 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
verified: verified:
if (x509) { if (x509) {
x509->verified = true; x509->verified = true;
for (p = sinfo->signer; p != x509; p = p->signer) { for (p = sinfo->signer; p != x509; p = p->signer)
p->verified = true; p->verified = true;
p->trusted = trusted;
}
} }
sinfo->trusted = trusted;
kleave(" = 0"); kleave(" = 0");
return 0; return 0;
} }
...@@ -148,7 +141,6 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, ...@@ -148,7 +141,6 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
* pkcs7_validate_trust - Validate PKCS#7 trust chain * pkcs7_validate_trust - Validate PKCS#7 trust chain
* @pkcs7: The PKCS#7 certificate to validate * @pkcs7: The PKCS#7 certificate to validate
* @trust_keyring: Signing certificates to use as starting points * @trust_keyring: Signing certificates to use as starting points
* @_trusted: Set to true if trustworth, false otherwise
* *
* Validate that the certificate chain inside the PKCS#7 message intersects * Validate that the certificate chain inside the PKCS#7 message intersects
* keys we already know and trust. * keys we already know and trust.
...@@ -170,16 +162,13 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, ...@@ -170,16 +162,13 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
* May also return -ENOMEM. * May also return -ENOMEM.
*/ */
int pkcs7_validate_trust(struct pkcs7_message *pkcs7, int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
struct key *trust_keyring, struct key *trust_keyring)
bool *_trusted)
{ {
struct pkcs7_signed_info *sinfo; struct pkcs7_signed_info *sinfo;
struct x509_certificate *p; struct x509_certificate *p;
int cached_ret = -ENOKEY; int cached_ret = -ENOKEY;
int ret; int ret;
*_trusted = false;
for (p = pkcs7->certs; p; p = p->next) for (p = pkcs7->certs; p; p = p->next)
p->seen = false; p->seen = false;
...@@ -193,7 +182,6 @@ int pkcs7_validate_trust(struct pkcs7_message *pkcs7, ...@@ -193,7 +182,6 @@ int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
cached_ret = -ENOPKG; cached_ret = -ENOPKG;
continue; continue;
case 0: case 0:
*_trusted |= sinfo->trusted;
cached_ret = 0; cached_ret = 0;
continue; continue;
default: default:
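Review bot: The kernel-doc for pkcs7_validate_trust() drops the `@_trusted` line, but the part of the comment between the two hunks (which presumably lists the return values, since `* May also return -ENOMEM.` survives) is not visible and may still describe the verified-but-untrusted state that no longer exists now that the `trusted` flags on x509_certificate and pkcs7_signed_info are gone. It should spell out that 0 means at least one signed-info chain reached a key in @trust_keyring and -ENOKEY that none did, e.g. `* Returns 0 if a signer chain intersects @trust_keyring, or -ENOKEY if no chain does; see below for other errors.` Since the `test_bit(KEY_FLAG_TRUSTED, &key->flags)` check at the old `matched:` label is removed, membership of @trust_keyring is now the sole trust criterion, and saying so explicitly in the comment would stop future callers from passing a keyring that mixes trusted and merely-known keys. The default branch of the switch and the rest of the function lie outside the hunk.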
......
...@@ -436,7 +436,7 @@ int verify_pefile_signature(const void *pebuf, unsigned pelen, ...@@ -436,7 +436,7 @@ int verify_pefile_signature(const void *pebuf, unsigned pelen,
ret = verify_pkcs7_signature(NULL, 0, ret = verify_pkcs7_signature(NULL, 0,
pebuf + ctx.sig_offset, ctx.sig_len, pebuf + ctx.sig_offset, ctx.sig_len,
trusted_keys, -EKEYREJECTED, usage, trusted_keys, usage,
mscode_parse, &ctx); mscode_parse, &ctx);
if (ret < 0) if (ret < 0)
goto error; goto error;
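Review bot: The PE path previously reported an untrusted signature as -EKEYREJECTED and now surfaces pkcs7_validate_trust()'s -ENOKEY instead, so any caller of verify_pefile_signature() that distinguishes -EKEYREJECTED from -ENOKEY, and the function's kernel-doc return list (above the hunk, not shown), may still reflect the old code. If reporting -ENOKEY here is the intent, the kernel-doc should be updated to say so; if callers rely on the old value, a one-line remap at this call site, `if (ret == -ENOKEY) ret = -EKEYREJECTED;` before the `goto error`, would preserve the contract. The body of verify_pefile_signature() extends outside the hunk.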
......
...@@ -39,7 +39,6 @@ struct x509_certificate { ...@@ -39,7 +39,6 @@ struct x509_certificate {
unsigned index; unsigned index;
bool seen; /* Infinite recursion prevention */ bool seen; /* Infinite recursion prevention */
bool verified; bool verified;
bool trusted;
bool self_signed; /* T if self-signed (check unsupported_sig too) */ bool self_signed; /* T if self-signed (check unsupported_sig too) */
bool unsupported_key; /* T if key uses unsupported crypto */ bool unsupported_key; /* T if key uses unsupported crypto */
bool unsupported_sig; /* T if signature uses unsupported crypto */ bool unsupported_sig; /* T if signature uses unsupported crypto */
......
...@@ -33,8 +33,7 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, ...@@ -33,8 +33,7 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
* pkcs7_trust.c * pkcs7_trust.c
*/ */
extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7, extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
struct key *trust_keyring, struct key *trust_keyring);
bool *_trusted);
/* /*
* pkcs7_verify.c * pkcs7_verify.c
......
...@@ -33,7 +33,6 @@ struct key; ...@@ -33,7 +33,6 @@ struct key;
extern int verify_pkcs7_signature(const void *data, size_t len, extern int verify_pkcs7_signature(const void *data, size_t len,
const void *raw_pkcs7, size_t pkcs7_len, const void *raw_pkcs7, size_t pkcs7_len,
struct key *trusted_keys, struct key *trusted_keys,
int untrusted_error,
enum key_being_used_for usage, enum key_being_used_for usage,
int (*view_content)(void *ctx, int (*view_content)(void *ctx,
const void *data, size_t len, const void *data, size_t len,
......
...@@ -81,6 +81,6 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen) ...@@ -81,6 +81,6 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen)
} }
return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len, return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
NULL, -ENOKEY, VERIFYING_MODULE_SIGNATURE, NULL, VERIFYING_MODULE_SIGNATURE,
NULL, NULL); NULL, NULL);
} }