1 /* System trusted keyring for trusted public keys 2 * 3 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public Licence 8 * as published by the Free Software Foundation; either version 9 * 2 of the Licence, or (at your option) any later version. 10 */ 11 12 #include <linux/export.h> 13 #include <linux/kernel.h> 14 #include <linux/sched.h> 15 #include <linux/cred.h> 16 #include <linux/err.h> 17 #include <keys/asymmetric-type.h> 18 #include <keys/system_keyring.h> 19 #include <crypto/pkcs7.h> 20 21 static struct key *builtin_trusted_keys; 22 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING 23 static struct key *secondary_trusted_keys; 24 #endif 25 26 extern __initconst const u8 system_certificate_list[]; 27 extern __initconst const unsigned long system_certificate_list_size; 28 29 /** 30 * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA 31 * 32 * Restrict the addition of keys into a keyring based on the key-to-be-added 33 * being vouched for by a key in the built in system keyring. 34 */ 35 int restrict_link_by_builtin_trusted(struct key *keyring, 36 const struct key_type *type, 37 const union key_payload *payload) 38 { 39 return restrict_link_by_signature(builtin_trusted_keys, type, payload); 40 } 41 42 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING 43 /** 44 * restrict_link_by_builtin_and_secondary_trusted - Restrict keyring 45 * addition by both builtin and secondary keyrings 46 * 47 * Restrict the addition of keys into a keyring based on the key-to-be-added 48 * being vouched for by a key in either the built-in or the secondary system 49 * keyrings. 50 */ 51 int restrict_link_by_builtin_and_secondary_trusted( 52 struct key *keyring, 53 const struct key_type *type, 54 const union key_payload *payload) 55 { 56 /* If we have a secondary trusted keyring, then that contains a link 57 * through to the builtin keyring and the search will follow that link. 58 */ 59 if (type == &key_type_keyring && 60 keyring == secondary_trusted_keys && 61 payload == &builtin_trusted_keys->payload) 62 /* Allow the builtin keyring to be added to the secondary */ 63 return 0; 64 65 return restrict_link_by_signature(secondary_trusted_keys, type, payload); 66 } 67 #endif 68 69 /* 70 * Create the trusted keyrings 71 */ 72 static __init int system_trusted_keyring_init(void) 73 { 74 pr_notice("Initialise system trusted keyrings\n"); 75 76 builtin_trusted_keys = 77 keyring_alloc(".builtin_trusted_keys", 78 KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), 79 ((KEY_POS_ALL & ~KEY_POS_SETATTR) | 80 KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH), 81 KEY_ALLOC_NOT_IN_QUOTA, 82 NULL, NULL); 83 if (IS_ERR(builtin_trusted_keys)) 84 panic("Can't allocate builtin trusted keyring\n"); 85 86 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING 87 secondary_trusted_keys = 88 keyring_alloc(".secondary_trusted_keys", 89 KUIDT_INIT(0), KGIDT_INIT(0), current_cred(), 90 ((KEY_POS_ALL & ~KEY_POS_SETATTR) | 91 KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SEARCH | 92 KEY_USR_WRITE), 93 KEY_ALLOC_NOT_IN_QUOTA, 94 restrict_link_by_builtin_and_secondary_trusted, 95 NULL); 96 if (IS_ERR(secondary_trusted_keys)) 97 panic("Can't allocate secondary trusted keyring\n"); 98 99 if (key_link(secondary_trusted_keys, builtin_trusted_keys) < 0) 100 panic("Can't link trusted keyrings\n"); 101 #endif 102 103 return 0; 104 } 105 106 /* 107 * Must be initialised before we try and load the keys into the keyring. 108 */ 109 device_initcall(system_trusted_keyring_init); 110 111 /* 112 * Load the compiled-in list of X.509 certificates. 113 */ 114 static __init int load_system_certificate_list(void) 115 { 116 key_ref_t key; 117 const u8 *p, *end; 118 size_t plen; 119 120 pr_notice("Loading compiled-in X.509 certificates\n"); 121 122 p = system_certificate_list; 123 end = p + system_certificate_list_size; 124 while (p < end) { 125 /* Each cert begins with an ASN.1 SEQUENCE tag and must be more 126 * than 256 bytes in size. 127 */ 128 if (end - p < 4) 129 goto dodgy_cert; 130 if (p[0] != 0x30 && 131 p[1] != 0x82) 132 goto dodgy_cert; 133 plen = (p[2] << 8) | p[3]; 134 plen += 4; 135 if (plen > end - p) 136 goto dodgy_cert; 137 138 key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1), 139 "asymmetric", 140 NULL, 141 p, 142 plen, 143 ((KEY_POS_ALL & ~KEY_POS_SETATTR) | 144 KEY_USR_VIEW | KEY_USR_READ), 145 KEY_ALLOC_NOT_IN_QUOTA | 146 KEY_ALLOC_BUILT_IN | 147 KEY_ALLOC_BYPASS_RESTRICTION); 148 if (IS_ERR(key)) { 149 pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", 150 PTR_ERR(key)); 151 } else { 152 pr_notice("Loaded X.509 cert '%s'\n", 153 key_ref_to_ptr(key)->description); 154 key_ref_put(key); 155 } 156 p += plen; 157 } 158 159 return 0; 160 161 dodgy_cert: 162 pr_err("Problem parsing in-kernel X.509 certificate list\n"); 163 return 0; 164 } 165 late_initcall(load_system_certificate_list); 166 167 #ifdef CONFIG_SYSTEM_DATA_VERIFICATION 168 169 /** 170 * verify_pkcs7_signature - Verify a PKCS#7-based signature on system data. 171 * @data: The data to be verified (NULL if expecting internal data). 172 * @len: Size of @data. 173 * @raw_pkcs7: The PKCS#7 message that is the signature. 174 * @pkcs7_len: The size of @raw_pkcs7. 175 * @trusted_keys: Trusted keys to use (NULL for builtin trusted keys only, 176 * (void *)1UL for all trusted keys). 177 * @usage: The use to which the key is being put. 178 * @view_content: Callback to gain access to content. 179 * @ctx: Context for callback. 180 */ 181 int verify_pkcs7_signature(const void *data, size_t len, 182 const void *raw_pkcs7, size_t pkcs7_len, 183 struct key *trusted_keys, 184 enum key_being_used_for usage, 185 int (*view_content)(void *ctx, 186 const void *data, size_t len, 187 size_t asn1hdrlen), 188 void *ctx) 189 { 190 struct pkcs7_message *pkcs7; 191 int ret; 192 193 pkcs7 = pkcs7_parse_message(raw_pkcs7, pkcs7_len); 194 if (IS_ERR(pkcs7)) 195 return PTR_ERR(pkcs7); 196 197 /* The data should be detached - so we need to supply it. */ 198 if (data && pkcs7_supply_detached_data(pkcs7, data, len) < 0) { 199 pr_err("PKCS#7 signature with non-detached data\n"); 200 ret = -EBADMSG; 201 goto error; 202 } 203 204 ret = pkcs7_verify(pkcs7, usage); 205 if (ret < 0) 206 goto error; 207 208 if (!trusted_keys) { 209 trusted_keys = builtin_trusted_keys; 210 } else if (trusted_keys == (void *)1UL) { 211 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING 212 trusted_keys = secondary_trusted_keys; 213 #else 214 trusted_keys = builtin_trusted_keys; 215 #endif 216 } 217 ret = pkcs7_validate_trust(pkcs7, trusted_keys); 218 if (ret < 0) { 219 if (ret == -ENOKEY) 220 pr_err("PKCS#7 signature not signed with a trusted key\n"); 221 goto error; 222 } 223 224 if (view_content) { 225 size_t asn1hdrlen; 226 227 ret = pkcs7_get_content_data(pkcs7, &data, &len, &asn1hdrlen); 228 if (ret < 0) { 229 if (ret == -ENODATA) 230 pr_devel("PKCS#7 message does not contain data\n"); 231 goto error; 232 } 233 234 ret = view_content(ctx, data, len, asn1hdrlen); 235 } 236 237 error: 238 pkcs7_free_message(pkcs7); 239 pr_devel("<==%s() = %d\n", __func__, ret); 240 return ret; 241 } 242 EXPORT_SYMBOL_GPL(verify_pkcs7_signature); 243 244 #endif /* CONFIG_SYSTEM_DATA_VERIFICATION */ 245