99db443506
A PKCS#7 or CMS message can have per-signature authenticated attributes that are digested as a lump and signed by the authorising key for that signature. If such attributes exist, the content digest isn't itself signed, but rather it is included in a special authattr which then contributes to the signature. Further, we already require the master message content type to be pkcs7_signedData - but there's also a separate content type for the data itself within the SignedData object and this must be repeated inside the authattrs for each signer [RFC2315 9.2, RFC5652 11.1]. We should really validate the authattrs if they exist or forbid them entirely as appropriate. To this end: (1) Alter the PKCS#7 parser to reject any message that has more than one signature where at least one signature has authattrs and at least one that does not. (2) Validate authattrs if they are present and strongly restrict them. Only the following authattrs are permitted and all others are rejected: (a) contentType. This is checked to be an OID that matches the content type in the SignedData object. (b) messageDigest. This must match the crypto digest of the data. (c) signingTime. If present, we check that this is a valid, parseable UTCTime or GeneralTime and that the date it encodes fits within the validity window of the matching X.509 cert. (d) S/MIME capabilities. We don't check the contents. (e) Authenticode SP Opus Info. We don't check the contents. (f) Authenticode Statement Type. We don't check the contents. The message is rejected if (a) or (b) are missing. If the message is an Authenticode type, the message is rejected if (e) is missing; if not Authenticode, the message is rejected if (d) - (f) are present. The S/MIME capabilities authattr (d) unfortunately has to be allowed to support kernels already signed by the pesign program. This only affects kexec. sign-file suppresses them (CMS_NOSMIMECAP). The message is also rejected if an authattr is given more than once or if it contains more than one element in its set of values. (3) Add a parameter to pkcs7_verify() to select one of the following restrictions and pass in the appropriate option from the callers: (*) VERIFYING_MODULE_SIGNATURE This requires that the SignedData content type be pkcs7-data and forbids authattrs. sign-file sets CMS_NOATTR. We could be more flexible and permit authattrs optionally, but only permit minimal content. (*) VERIFYING_FIRMWARE_SIGNATURE This requires that the SignedData content type be pkcs7-data and requires authattrs. In future, this will require an attribute holding the target firmware name in addition to the minimal set. (*) VERIFYING_UNSPECIFIED_SIGNATURE This requires that the SignedData content type be pkcs7-data but allows either no authattrs or only permits the minimal set. (*) VERIFYING_KEXEC_PE_SIGNATURE This only supports the Authenticode SPC_INDIRECT_DATA content type and requires at least an SpcSpOpusInfo authattr in addition to the minimal set. It also permits an SPC_STATEMENT_TYPE authattr (and an S/MIME capabilities authattr because the pesign program doesn't remove these). (*) VERIFYING_KEY_SIGNATURE (*) VERIFYING_KEY_SELF_SIGNATURE These are invalid in this context but are included for later use when limiting the use of X.509 certs. (4) The pkcs7_test key type is given a module parameter to select between the above options for testing purposes. For example: echo 1 >/sys/module/pkcs7_test_key/parameters/usage keyctl padd pkcs7_test foo @s </tmp/stuff.pkcs7 will attempt to check the signature on stuff.pkcs7 as if it contains a firmware blob (1 being VERIFYING_FIRMWARE_SIGNATURE). Suggested-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Marcel Holtmann <marcel@holtmann.org> Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
135 lines
3.8 KiB
Groff
135 lines
3.8 KiB
Groff
PKCS7ContentInfo ::= SEQUENCE {
|
|
contentType ContentType ({ pkcs7_check_content_type }),
|
|
content [0] EXPLICIT SignedData OPTIONAL
|
|
}
|
|
|
|
ContentType ::= OBJECT IDENTIFIER ({ pkcs7_note_OID })
|
|
|
|
SignedData ::= SEQUENCE {
|
|
version INTEGER ({ pkcs7_note_signeddata_version }),
|
|
digestAlgorithms DigestAlgorithmIdentifiers,
|
|
contentInfo ContentInfo ({ pkcs7_note_content }),
|
|
certificates CHOICE {
|
|
certSet [0] IMPLICIT ExtendedCertificatesAndCertificates,
|
|
certSequence [2] IMPLICIT Certificates
|
|
} OPTIONAL ({ pkcs7_note_certificate_list }),
|
|
crls CHOICE {
|
|
crlSet [1] IMPLICIT CertificateRevocationLists,
|
|
crlSequence [3] IMPLICIT CRLSequence
|
|
} OPTIONAL,
|
|
signerInfos SignerInfos
|
|
}
|
|
|
|
ContentInfo ::= SEQUENCE {
|
|
contentType ContentType ({ pkcs7_note_OID }),
|
|
content [0] EXPLICIT Data OPTIONAL
|
|
}
|
|
|
|
Data ::= ANY ({ pkcs7_note_data })
|
|
|
|
DigestAlgorithmIdentifiers ::= CHOICE {
|
|
daSet SET OF DigestAlgorithmIdentifier,
|
|
daSequence SEQUENCE OF DigestAlgorithmIdentifier
|
|
}
|
|
|
|
DigestAlgorithmIdentifier ::= SEQUENCE {
|
|
algorithm OBJECT IDENTIFIER ({ pkcs7_note_OID }),
|
|
parameters ANY OPTIONAL
|
|
}
|
|
|
|
--
|
|
-- Certificates and certificate lists
|
|
--
|
|
ExtendedCertificatesAndCertificates ::= SET OF ExtendedCertificateOrCertificate
|
|
|
|
ExtendedCertificateOrCertificate ::= CHOICE {
|
|
certificate Certificate, -- X.509
|
|
extendedCertificate [0] IMPLICIT ExtendedCertificate -- PKCS#6
|
|
}
|
|
|
|
ExtendedCertificate ::= Certificate -- cheating
|
|
|
|
Certificates ::= SEQUENCE OF Certificate
|
|
|
|
CertificateRevocationLists ::= SET OF CertificateList
|
|
|
|
CertificateList ::= SEQUENCE OF Certificate -- This may be defined incorrectly
|
|
|
|
CRLSequence ::= SEQUENCE OF CertificateList
|
|
|
|
Certificate ::= ANY ({ pkcs7_extract_cert }) -- X.509
|
|
|
|
--
|
|
-- Signer information
|
|
--
|
|
SignerInfos ::= CHOICE {
|
|
siSet SET OF SignerInfo,
|
|
siSequence SEQUENCE OF SignerInfo
|
|
}
|
|
|
|
SignerInfo ::= SEQUENCE {
|
|
version INTEGER ({ pkcs7_note_signerinfo_version }),
|
|
sid SignerIdentifier, -- CMS variant, not PKCS#7
|
|
digestAlgorithm DigestAlgorithmIdentifier ({ pkcs7_sig_note_digest_algo }),
|
|
authenticatedAttributes CHOICE {
|
|
aaSet [0] IMPLICIT SetOfAuthenticatedAttribute
|
|
({ pkcs7_sig_note_set_of_authattrs }),
|
|
aaSequence [2] EXPLICIT SEQUENCE OF AuthenticatedAttribute
|
|
-- Explicit because easier to compute digest on
|
|
-- sequence of attributes and then reuse encoded
|
|
-- sequence in aaSequence.
|
|
} OPTIONAL,
|
|
digestEncryptionAlgorithm
|
|
DigestEncryptionAlgorithmIdentifier ({ pkcs7_sig_note_pkey_algo }),
|
|
encryptedDigest EncryptedDigest,
|
|
unauthenticatedAttributes CHOICE {
|
|
uaSet [1] IMPLICIT SET OF UnauthenticatedAttribute,
|
|
uaSequence [3] IMPLICIT SEQUENCE OF UnauthenticatedAttribute
|
|
} OPTIONAL
|
|
} ({ pkcs7_note_signed_info })
|
|
|
|
SignerIdentifier ::= CHOICE {
|
|
-- RFC5652 sec 5.3
|
|
issuerAndSerialNumber IssuerAndSerialNumber,
|
|
subjectKeyIdentifier [0] IMPLICIT SubjectKeyIdentifier
|
|
}
|
|
|
|
IssuerAndSerialNumber ::= SEQUENCE {
|
|
issuer Name ({ pkcs7_sig_note_issuer }),
|
|
serialNumber CertificateSerialNumber ({ pkcs7_sig_note_serial })
|
|
}
|
|
|
|
CertificateSerialNumber ::= INTEGER
|
|
|
|
SubjectKeyIdentifier ::= OCTET STRING ({ pkcs7_sig_note_skid })
|
|
|
|
SetOfAuthenticatedAttribute ::= SET OF AuthenticatedAttribute
|
|
|
|
AuthenticatedAttribute ::= SEQUENCE {
|
|
type OBJECT IDENTIFIER ({ pkcs7_note_OID }),
|
|
values SET OF ANY ({ pkcs7_sig_note_authenticated_attr })
|
|
}
|
|
|
|
UnauthenticatedAttribute ::= SEQUENCE {
|
|
type OBJECT IDENTIFIER,
|
|
values SET OF ANY
|
|
}
|
|
|
|
DigestEncryptionAlgorithmIdentifier ::= SEQUENCE {
|
|
algorithm OBJECT IDENTIFIER ({ pkcs7_note_OID }),
|
|
parameters ANY OPTIONAL
|
|
}
|
|
|
|
EncryptedDigest ::= OCTET STRING ({ pkcs7_sig_note_signature })
|
|
|
|
---
|
|
--- X.500 Name
|
|
---
|
|
Name ::= SEQUENCE OF RelativeDistinguishedName
|
|
|
|
RelativeDistinguishedName ::= SET OF AttributeValueAssertion
|
|
|
|
AttributeValueAssertion ::= SEQUENCE {
|
|
attributeType OBJECT IDENTIFIER ({ pkcs7_note_OID }),
|
|
attributeValue ANY
|
|
}
|