Commit bda850cd authored by David Howells's avatar David Howells
Browse files

PKCS#7: Make trust determination dependent on contents of trust keyring 



Make the determination of the trustworthiness of a key dependent on whether
a key that can verify it is present in the supplied ring of trusted keys
rather than whether or not the verifying key has KEY_FLAG_TRUSTED set.

verify_pkcs7_signature() will return -ENOKEY if the PKCS#7 message trust
chain cannot be verified.

Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
parent e68503bd

certs/system_keyring.c

+4 −9
Original line number Diff line number Diff line
@@ -121,7 +121,6 @@ late_initcall(load_system_certificate_list); 
int verify_pkcs7_signature(const void *data, size_t len,

			   const void *raw_pkcs7, size_t pkcs7_len,

			   struct key *trusted_keys,

			   int untrusted_error,

			   enum key_being_used_for usage,

			   int (*view_content)(void *ctx,

					       const void *data, size_t len,
@@ -129,7 +128,6 @@ int verify_pkcs7_signature(const void *data, size_t len, 
			   void *ctx)

{

	struct pkcs7_message *pkcs7;

	bool trusted;

	int ret;



	pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len);
@@ -149,13 +147,10 @@ int verify_pkcs7_signature(const void *data, size_t len, 


	if (!trusted_keys)

		trusted_keys = system_trusted_keyring;

	ret = pkcs7_validate_trust(pkcs7, trusted_keys, &trusted);

	if (ret < 0)

		goto error;



	if (!trusted && untrusted_error) {

	ret = pkcs7_validate_trust(pkcs7, trusted_keys);

	if (ret < 0) {

		if (ret == -ENOKEY)

			pr_err("PKCS#7 signature not signed with a trusted key\n");

		ret = untrusted_error;

		goto error;

	}

crypto/asymmetric_keys/pkcs7_key_type.c

+1 −1
Original line number Diff line number Diff line
@@ -62,7 +62,7 @@ static int pkcs7_preparse(struct key_preparsed_payload *prep) 


	return verify_pkcs7_signature(NULL, 0,

				      prep->data, prep->datalen,

				      NULL, -ENOKEY, usage,

				      NULL, usage,

				      pkcs7_view_content, prep);

}

crypto/asymmetric_keys/pkcs7_parser.h

+0 −1
Original line number Diff line number Diff line
@@ -22,7 +22,6 @@ struct pkcs7_signed_info { 
	struct pkcs7_signed_info *next;

	struct x509_certificate *signer; /* Signing certificate (in msg->certs) */

	unsigned	index;

	bool		trusted;

	bool		unsupported_crypto;	/* T if not usable due to missing crypto */



	/* Message digest - the digest of the Content Data (or NULL) */

crypto/asymmetric_keys/pkcs7_trust.c

+3 −15
Original line number Diff line number Diff line
@@ -30,7 +30,6 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, 
	struct public_key_signature *sig = sinfo->sig;

	struct x509_certificate *x509, *last = NULL, *p;

	struct key *key;

	bool trusted;

	int ret;



	kenter(",%u,", sinfo->index);
@@ -42,10 +41,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, 


	for (x509 = sinfo->signer; x509; x509 = x509->signer) {

		if (x509->seen) {

			if (x509->verified) {

				trusted = x509->trusted;

			if (x509->verified)

				goto verified;

			}

			kleave(" = -ENOKEY [cached]");

			return -ENOKEY;

		}
@@ -122,7 +119,6 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7, 


matched:

	ret = verify_signature(key, sig);

	trusted = test_bit(KEY_FLAG_TRUSTED, &key->flags);

	key_put(key);

	if (ret < 0) {

		if (ret == -ENOMEM)
@@ -134,12 +130,9 @@ matched: 
verified:

	if (x509) {

		x509->verified = true;

		for (p = sinfo->signer; p != x509; p = p->signer) {

		for (p = sinfo->signer; p != x509; p = p->signer)

			p->verified = true;

			p->trusted = trusted;

		}

	}

	sinfo->trusted = trusted;

	kleave(" = 0");

	return 0;

}
@@ -148,7 +141,6 @@ verified: 
 * pkcs7_validate_trust - Validate PKCS#7 trust chain

 * @pkcs7: The PKCS#7 certificate to validate

 * @trust_keyring: Signing certificates to use as starting points

 * @_trusted: Set to true if trustworth, false otherwise

 *

 * Validate that the certificate chain inside the PKCS#7 message intersects

 * keys we already know and trust.
@@ -170,16 +162,13 @@ verified: 
 * May also return -ENOMEM.

 */

int pkcs7_validate_trust(struct pkcs7_message *pkcs7,

			 struct key *trust_keyring,

			 bool *_trusted)

			 struct key *trust_keyring)

{

	struct pkcs7_signed_info *sinfo;

	struct x509_certificate *p;

	int cached_ret = -ENOKEY;

	int ret;



	*_trusted = false;



	for (p = pkcs7->certs; p; p = p->next)

		p->seen = false;
@@ -193,7 +182,6 @@ int pkcs7_validate_trust(struct pkcs7_message *pkcs7, 
				cached_ret = -ENOPKG;

			continue;

		case 0:

			*_trusted |= sinfo->trusted;

			cached_ret = 0;

			continue;

		default:

crypto/asymmetric_keys/verify_pefile.c

+1 −1
Original line number Diff line number Diff line
@@ -436,7 +436,7 @@ int verify_pefile_signature(const void *pebuf, unsigned pelen, 


	ret = verify_pkcs7_signature(NULL, 0,

				     pebuf + ctx.sig_offset, ctx.sig_len,

				     trusted_keys, -EKEYREJECTED, usage,

				     trusted_keys, usage,

				     mscode_parse, &ctx);

	if (ret < 0)

		goto error;

CRA Git | Maintained and supported by SUSTech CRA and CCSE