Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

PKCS#7: Check content type and versions

We only support PKCS#7 signed-data [RFC2315 sec 9] content at the top level,
so reject anything else.  Further, check that the version numbers in
SignedData and SignerInfo are 1 in both cases.

Note that we don't restrict the inner content type.  In the PKCS#7 code we
don't parse the data attached there, but merely verify the signature over
it.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-By: David Woodhouse <David.Woodhouse@intel.com>
David Howells 10 years ago
parent
99d27b1b52
commit
2c7fd3675e
2 changed files with 77 additions and 4 deletions
Split View Show Diff Stats
  1. 3 3
      crypto/asymmetric_keys/pkcs7.asn1
  2. 74 1
      crypto/asymmetric_keys/pkcs7_parser.c

+ 3 - 3
crypto/asymmetric_keys/pkcs7.asn1
View File 

@@ -1,12 +1,12 @@
 
 PKCS7ContentInfo ::= SEQUENCE {
 
-	contentType	ContentType,
 
+	contentType	ContentType ({ pkcs7_check_content_type }),
 
 	content		[0] EXPLICIT SignedData OPTIONAL
 
 }
 
 
 ContentType ::= OBJECT IDENTIFIER ({ pkcs7_note_OID })
 
 
 SignedData ::= SEQUENCE {
 
-	version			INTEGER,
 
+	version			INTEGER ({ pkcs7_note_signeddata_version }),
 
 	digestAlgorithms	DigestAlgorithmIdentifiers,
 
 	contentInfo		ContentInfo,
 
 	certificates		CHOICE {
 
@@ -68,7 +68,7 @@ SignerInfos ::= CHOICE {
 
 }
 
 
 SignerInfo ::= SEQUENCE {
 
-	version			INTEGER,
 
+	version			INTEGER ({ pkcs7_note_signerinfo_version }),
 
 	issuerAndSerialNumber	IssuerAndSerialNumber,
 
 	digestAlgorithm		DigestAlgorithmIdentifier ({ pkcs7_sig_note_digest_algo }),
 
 	authenticatedAttributes	CHOICE {

+ 74 - 1
crypto/asymmetric_keys/pkcs7_parser.c
View File 

@@ -225,6 +225,79 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
 
 	return 0;
 
 }
 
 
+/*
 
+ * We only support signed data [RFC2315 sec 9].
 
+ */
 
+int pkcs7_check_content_type(void *context, size_t hdrlen,
 
+			     unsigned char tag,
 
+			     const void *value, size_t vlen)
 
+{
 
+	struct pkcs7_parse_context *ctx = context;
 
+
 
+	if (ctx->last_oid != OID_signed_data) {
 
+		pr_warn("Only support pkcs7_signedData type\n");
 
+		return -EINVAL;
 
+	}
 
+
 
+	return 0;
 
+}
 
+
 
+/*
 
+ * Note the SignedData version
 
+ */
 
+int pkcs7_note_signeddata_version(void *context, size_t hdrlen,
 
+				  unsigned char tag,
 
+				  const void *value, size_t vlen)
 
+{
 
+	unsigned version;
 
+
 
+	if (vlen != 1)
 
+		goto unsupported;
 
+
 
+	version = *(const u8 *)value;
 
+	switch (version) {
 
+	case 1:
 
+		/* PKCS#7 SignedData [RFC2315 sec 9.1] */
 
+		break;
 
+	default:
 
+		goto unsupported;
 
+	}
 
+
 
+	return 0;
 
+
 
+unsupported:
 
+	pr_warn("Unsupported SignedData version\n");
 
+	return -EINVAL;
 
+}
 
+
 
+/*
 
+ * Note the SignerInfo version
 
+ */
 
+int pkcs7_note_signerinfo_version(void *context, size_t hdrlen,
 
+				  unsigned char tag,
 
+				  const void *value, size_t vlen)
 
+{
 
+	unsigned version;
 
+
 
+	if (vlen != 1)
 
+		goto unsupported;
 
+
 
+	version = *(const u8 *)value;
 
+	switch (version) {
 
+	case 1:
 
+		/* PKCS#7 SignerInfo [RFC2315 sec 9.2] */
 
+		break;
 
+	default:
 
+		goto unsupported;
 
+	}
 
+
 
+	return 0;
 
+
 
+unsupported:
 
+	pr_warn("Unsupported SignerInfo version\n");
 
+	return -EINVAL;
 
+}
 
+
 
 /*
 
  * Extract a certificate and store it in the context.
 
  */
 
@@ -326,7 +399,7 @@ int pkcs7_sig_note_authenticated_attr(void *context, size_t hdrlen,
 
 }
 
 
 /*
 
- * Note the set of auth attributes for digestion purposes [RFC2315 9.3]
 
+ * Note the set of auth attributes for digestion purposes [RFC2315 sec 9.3]
 
  */
 
 int pkcs7_sig_note_set_of_authattrs(void *context, size_t hdrlen,
 
 				    unsigned char tag,