1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* PKCS#8 Private Key parser [RFC 5208].
3 *
4 * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
6 */
7
8 #define pr_fmt(fmt) "PKCS8: "fmt
9 #include <linux/module.h>
10 #include <linux/kernel.h>
11 #include <linux/export.h>
12 #include <linux/slab.h>
13 #include <linux/err.h>
14 #include <linux/oid_registry.h>
15 #include <keys/asymmetric-subtype.h>
16 #include <keys/asymmetric-parser.h>
17 #include <crypto/public_key.h>
18 #include "pkcs8.asn1.h"
19
20 struct pkcs8_parse_context {
21 struct public_key *pub;
22 unsigned long data; /* Start of data */
23 enum OID last_oid; /* Last OID encountered */
24 enum OID algo_oid; /* Algorithm OID */
25 u32 key_size;
26 const void *key;
27 };
28
29 /*
30 * Note an OID when we find one for later processing when we know how to
31 * interpret it.
32 */
pkcs8_note_OID(void * context,size_t hdrlen,unsigned char tag,const void * value,size_t vlen)33 int pkcs8_note_OID(void *context, size_t hdrlen,
34 unsigned char tag,
35 const void *value, size_t vlen)
36 {
37 struct pkcs8_parse_context *ctx = context;
38
39 ctx->last_oid = look_up_OID(value, vlen);
40 if (ctx->last_oid == OID__NR) {
41 char buffer[50];
42
43 sprint_oid(value, vlen, buffer, sizeof(buffer));
44 pr_info("Unknown OID: [%lu] %s\n",
45 (unsigned long)value - ctx->data, buffer);
46 }
47 return 0;
48 }
49
50 /*
51 * Note the version number of the ASN.1 blob.
52 */
pkcs8_note_version(void * context,size_t hdrlen,unsigned char tag,const void * value,size_t vlen)53 int pkcs8_note_version(void *context, size_t hdrlen,
54 unsigned char tag,
55 const void *value, size_t vlen)
56 {
57 if (vlen != 1 || ((const u8 *)value)[0] != 0) {
58 pr_warn("Unsupported PKCS#8 version\n");
59 return -EBADMSG;
60 }
61 return 0;
62 }
63
64 /*
65 * Note the public algorithm.
66 */
pkcs8_note_algo(void * context,size_t hdrlen,unsigned char tag,const void * value,size_t vlen)67 int pkcs8_note_algo(void *context, size_t hdrlen,
68 unsigned char tag,
69 const void *value, size_t vlen)
70 {
71 struct pkcs8_parse_context *ctx = context;
72
73 if (ctx->last_oid != OID_rsaEncryption)
74 return -ENOPKG;
75
76 ctx->pub->pkey_algo = "rsa";
77 return 0;
78 }
79
80 /*
81 * Note the key data of the ASN.1 blob.
82 */
pkcs8_note_key(void * context,size_t hdrlen,unsigned char tag,const void * value,size_t vlen)83 int pkcs8_note_key(void *context, size_t hdrlen,
84 unsigned char tag,
85 const void *value, size_t vlen)
86 {
87 struct pkcs8_parse_context *ctx = context;
88
89 ctx->key = value;
90 ctx->key_size = vlen;
91 return 0;
92 }
93
94 /*
95 * Parse a PKCS#8 private key blob.
96 */
pkcs8_parse(const void * data,size_t datalen)97 static struct public_key *pkcs8_parse(const void *data, size_t datalen)
98 {
99 struct pkcs8_parse_context ctx;
100 struct public_key *pub;
101 long ret;
102
103 memset(&ctx, 0, sizeof(ctx));
104
105 ret = -ENOMEM;
106 ctx.pub = kzalloc(sizeof(struct public_key), GFP_KERNEL);
107 if (!ctx.pub)
108 goto error;
109
110 ctx.data = (unsigned long)data;
111
112 /* Attempt to decode the private key */
113 ret = asn1_ber_decoder(&pkcs8_decoder, &ctx, data, datalen);
114 if (ret < 0)
115 goto error_decode;
116
117 ret = -ENOMEM;
118 pub = ctx.pub;
119 pub->key = kmemdup(ctx.key, ctx.key_size, GFP_KERNEL);
120 if (!pub->key)
121 goto error_decode;
122
123 pub->keylen = ctx.key_size;
124 pub->key_is_private = true;
125 return pub;
126
127 error_decode:
128 kfree(ctx.pub);
129 error:
130 return ERR_PTR(ret);
131 }
132
133 /*
134 * Attempt to parse a data blob for a key as a PKCS#8 private key.
135 */
pkcs8_key_preparse(struct key_preparsed_payload * prep)136 static int pkcs8_key_preparse(struct key_preparsed_payload *prep)
137 {
138 struct public_key *pub;
139
140 pub = pkcs8_parse(prep->data, prep->datalen);
141 if (IS_ERR(pub))
142 return PTR_ERR(pub);
143
144 pr_devel("Cert Key Algo: %s\n", pub->pkey_algo);
145 pub->id_type = "PKCS8";
146
147 /* We're pinning the module by being linked against it */
148 __module_get(public_key_subtype.owner);
149 prep->payload.data[asym_subtype] = &public_key_subtype;
150 prep->payload.data[asym_key_ids] = NULL;
151 prep->payload.data[asym_crypto] = pub;
152 prep->payload.data[asym_auth] = NULL;
153 prep->quotalen = 100;
154 return 0;
155 }
156
157 static struct asymmetric_key_parser pkcs8_key_parser = {
158 .owner = THIS_MODULE,
159 .name = "pkcs8",
160 .parse = pkcs8_key_preparse,
161 };
162
163 /*
164 * Module stuff
165 */
pkcs8_key_init(void)166 static int __init pkcs8_key_init(void)
167 {
168 return register_asymmetric_key_parser(&pkcs8_key_parser);
169 }
170
pkcs8_key_exit(void)171 static void __exit pkcs8_key_exit(void)
172 {
173 unregister_asymmetric_key_parser(&pkcs8_key_parser);
174 }
175
176 module_init(pkcs8_key_init);
177 module_exit(pkcs8_key_exit);
178
179 MODULE_DESCRIPTION("PKCS#8 certificate parser");
180 MODULE_LICENSE("GPL");
181