Certs changes
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEqG5UsNXhtOCrfGQP+7dXa6fLC2sFAmKx3toACgkQ+7dXa6fL C2sI+Q//cT5eOtYkkEZF8NR53sfjKKyrwNwPVYrYHniaaYnVtiq1ThyEQ9o0ws3f wuvJu30qthm2rCz9zfTtyoqsv0k5ifGfCiR5fGeQEGgHEA4hGiF7XQoagDsVeR7j dk7hF3veca5fUb2ZOG2v/gJ6jo19/afw5A4s4QnLK+74oiCvoIZyV5gM9LlQx/1f U1YJXfdR7TFaIiNcZYVt6v7nWrpJ2fptIRvml+VGC86JXll6oct6dJ7yO2D5zzCm XU0fgRDk4RJ+e1FkketQu2z1m+YjvJQyxrVH2kuXBmzt2Fl5Ds//+8OlPY6/PX2c 8+lkm0yEOMbfEi1Uht9h2Lfdfqx6BLgsi0BkaLWQJWRHjI8SNcNofVKfsl704wAI fOzqUGTFAY4i+kM6koXSBr8bUuT3tTie+OygwlZPMQnSmr0NM5G1YMm7EjBUJVQk TfCh81mEVmaKiQKBWatysxWyS/ZzCaMwFvlcNW1mvpLNIJ3kWcIeiGw54y49JWbW 2mR4cVMGf62KnAmFEmLuXp4wLh6HmXbdKFvPKrPo9lzatFeYFWfw5AVobOp+KpKY lTpvv6Q6WPwk0wQ4QjyLjw7X52Q5qRmh6oWSUvYDxHxDIcKr0ivtin5aAk48+plv t5hQOT7JYVwEW0B1Y6OUno0YbP+8lkack0BMEHVT3WjoqbzUyIY= =bAcJ -----END PGP SIGNATURE----- Merge tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs Pull signature checking selftest from David Howells: "The signature checking code, as used by module signing, kexec, etc., is non-FIPS compliant as there is no selftest. For a kernel to be FIPS-compliant, signature checking would have to be tested before being used, and the box would need to panic if it's not available (probably reasonable as simply disabling signature checking would prevent you from loading any driver modules). Deal with this by adding a minimal test. This is split into two patches: the first moves load_certificate_list() to the same place as the X.509 code to make it more accessible internally; the second adds a selftest" * tag 'certs-20220621' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: certs: Add FIPS selftests certs: Move load_certificate_list() to be with the asymmetric keys code
@ -3,8 +3,8 @@
|
||||||
# Makefile for the linux kernel signature checking certificates.
|
# Makefile for the linux kernel signature checking certificates.
|
||||||
#
|
#
|
||||||
|
|
||||||
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
|
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
|
||||||
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o
|
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
|
||||||
obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
|
obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
|
||||||
ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),)
|
ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),)
|
||||||
|
|
||||||
|
|
|
@ -15,10 +15,9 @@
|
||||||
#include <linux/err.h>
|
#include <linux/err.h>
|
||||||
#include <linux/seq_file.h>
|
#include <linux/seq_file.h>
|
||||||
#include <linux/uidgid.h>
|
#include <linux/uidgid.h>
|
||||||
#include <linux/verification.h>
|
#include <keys/asymmetric-type.h>
|
||||||
#include <keys/system_keyring.h>
|
#include <keys/system_keyring.h>
|
||||||
#include "blacklist.h"
|
#include "blacklist.h"
|
||||||
#include "common.h"
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* According to crypto/asymmetric_keys/x509_cert_parser.c:x509_note_pkey_algo(),
|
* According to crypto/asymmetric_keys/x509_cert_parser.c:x509_note_pkey_algo(),
|
||||||
|
@ -365,8 +364,9 @@ static __init int load_revocation_certificate_list(void)
|
||||||
if (revocation_certificate_list_size)
|
if (revocation_certificate_list_size)
|
||||||
pr_notice("Loading compiled-in revocation X.509 certificates\n");
|
pr_notice("Loading compiled-in revocation X.509 certificates\n");
|
||||||
|
|
||||||
return load_certificate_list(revocation_certificate_list, revocation_certificate_list_size,
|
return x509_load_certificate_list(revocation_certificate_list,
|
||||||
blacklist_keyring);
|
revocation_certificate_list_size,
|
||||||
|
blacklist_keyring);
|
||||||
}
|
}
|
||||||
late_initcall(load_revocation_certificate_list);
|
late_initcall(load_revocation_certificate_list);
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -1,9 +0,0 @@
|
||||||
/* SPDX-License-Identifier: GPL-2.0-or-later */
|
|
||||||
|
|
||||||
#ifndef _CERT_COMMON_H
|
|
||||||
#define _CERT_COMMON_H
|
|
||||||
|
|
||||||
int load_certificate_list(const u8 cert_list[], const unsigned long list_size,
|
|
||||||
const struct key *keyring);
|
|
||||||
|
|
||||||
#endif
|
|
|
@ -16,7 +16,6 @@
|
||||||
#include <keys/asymmetric-type.h>
|
#include <keys/asymmetric-type.h>
|
||||||
#include <keys/system_keyring.h>
|
#include <keys/system_keyring.h>
|
||||||
#include <crypto/pkcs7.h>
|
#include <crypto/pkcs7.h>
|
||||||
#include "common.h"
|
|
||||||
|
|
||||||
static struct key *builtin_trusted_keys;
|
static struct key *builtin_trusted_keys;
|
||||||
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
|
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
|
||||||
|
@ -183,7 +182,8 @@ __init int load_module_cert(struct key *keyring)
|
||||||
|
|
||||||
pr_notice("Loading compiled-in module X.509 certificates\n");
|
pr_notice("Loading compiled-in module X.509 certificates\n");
|
||||||
|
|
||||||
return load_certificate_list(system_certificate_list, module_cert_size, keyring);
|
return x509_load_certificate_list(system_certificate_list,
|
||||||
|
module_cert_size, keyring);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -204,7 +204,7 @@ static __init int load_system_certificate_list(void)
|
||||||
size = system_certificate_list_size - module_cert_size;
|
size = system_certificate_list_size - module_cert_size;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
return load_certificate_list(p, size, builtin_trusted_keys);
|
return x509_load_certificate_list(p, size, builtin_trusted_keys);
|
||||||
}
|
}
|
||||||
late_initcall(load_system_certificate_list);
|
late_initcall(load_system_certificate_list);
|
||||||
|
|
||||||
|
|
|
@ -75,4 +75,14 @@ config SIGNED_PE_FILE_VERIFICATION
|
||||||
This option provides support for verifying the signature(s) on a
|
This option provides support for verifying the signature(s) on a
|
||||||
signed PE binary.
|
signed PE binary.
|
||||||
|
|
||||||
|
config FIPS_SIGNATURE_SELFTEST
|
||||||
|
bool "Run FIPS selftests on the X.509+PKCS7 signature verification"
|
||||||
|
help
|
||||||
|
This option causes some selftests to be run on the signature
|
||||||
|
verification code, using some built in data. This is required
|
||||||
|
for FIPS.
|
||||||
|
depends on KEYS
|
||||||
|
depends on ASYMMETRIC_KEY_TYPE
|
||||||
|
depends on PKCS7_MESSAGE_PARSER
|
||||||
|
|
||||||
endif # ASYMMETRIC_KEY_TYPE
|
endif # ASYMMETRIC_KEY_TYPE
|
||||||
|
|
|
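Review bot: The help text for FIPS_SIGNATURE_SELFTEST does not say what happens when the test fails, which per the merge description and the new selftest.c is a kernel panic during boot rather than a disabled feature; add a line such as `If the selftest fails the kernel panics, since signature verification cannot be trusted.` so users enabling it know the consequence. "This is required for FIPS" also reads as if the option were mandatory, yet nothing in the hunk selects it from the FIPS configuration — either reword it as a recommendation for FIPS-mode builds or wire up a select (to be checked against the crypto Kconfig, which is outside this hunk). Finally, selftest.o is linked into the x509_key_parser object (see the Makefile hunk) but calls the PKCS#7 API; if PKCS7_MESSAGE_PARSER can be modular while the X.509 parser is built in, `depends on PKCS7_MESSAGE_PARSER` alone would not prevent an unresolved-symbol link, so a `depends on X509_CERTIFICATE_PARSER` plus a builtin/modular constraint may be needed.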
@ -20,7 +20,9 @@ x509_key_parser-y := \
|
||||||
x509.asn1.o \
|
x509.asn1.o \
|
||||||
x509_akid.asn1.o \
|
x509_akid.asn1.o \
|
||||||
x509_cert_parser.o \
|
x509_cert_parser.o \
|
||||||
|
x509_loader.o \
|
||||||
x509_public_key.o
|
x509_public_key.o
|
||||||
|
x509_key_parser-$(CONFIG_FIPS_SIGNATURE_SELFTEST) += selftest.o
|
||||||
|
|
||||||
$(obj)/x509_cert_parser.o: \
|
$(obj)/x509_cert_parser.o: \
|
||||||
$(obj)/x509.asn1.h \
|
$(obj)/x509.asn1.h \
|
||||||
|
|
|
@ -0,0 +1,224 @@
|
||||||
|
/* Self-testing for signature checking.
|
||||||
|
*
|
||||||
|
* Copyright (C) 2022 Red Hat, Inc. All Rights Reserved.
|
||||||
|
* Written by David Howells (dhowells@redhat.com)
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <linux/kernel.h>
|
||||||
|
#include <linux/cred.h>
|
||||||
|
#include <linux/key.h>
|
||||||
|
#include <crypto/pkcs7.h>
|
||||||
|
#include "x509_parser.h"
|
||||||
|
|
||||||
|
struct certs_test {
|
||||||
|
const u8 *data;
|
||||||
|
size_t data_len;
|
||||||
|
const u8 *pkcs7;
|
||||||
|
size_t pkcs7_len;
|
||||||
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Set of X.509 certificates to provide public keys for the tests. These will
|
||||||
|
* be loaded into a temporary keyring for the duration of the testing.
|
||||||
|
*/
|
||||||
|
static const __initconst u8 certs_selftest_keys[] = {
|
||||||
|
"\x30\x82\x05\x55\x30\x82\x03\x3d\xa0\x03\x02\x01\x02\x02\x14\x73"
|
||||||
|
"\x98\xea\x98\x2d\xd0\x2e\xa8\xb1\xcf\x57\xc7\xf2\x97\xb3\xe6\x1a"
|
||||||
|
"\xfc\x8c\x0a\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
|
||||||
|
"\x05\x00\x30\x34\x31\x32\x30\x30\x06\x03\x55\x04\x03\x0c\x29\x43"
|
||||||
|
"\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x76\x65\x72\x69\x66"
|
||||||
|
"\x69\x63\x61\x74\x69\x6f\x6e\x20\x73\x65\x6c\x66\x2d\x74\x65\x73"
|
||||||
|
"\x74\x69\x6e\x67\x20\x6b\x65\x79\x30\x20\x17\x0d\x32\x32\x30\x35"
|
||||||
|
"\x31\x38\x32\x32\x33\x32\x34\x31\x5a\x18\x0f\x32\x31\x32\x32\x30"
|
||||||
|
"\x34\x32\x34\x32\x32\x33\x32\x34\x31\x5a\x30\x34\x31\x32\x30\x30"
|
||||||
|
"\x06\x03\x55\x04\x03\x0c\x29\x43\x65\x72\x74\x69\x66\x69\x63\x61"
|
||||||
|
"\x74\x65\x20\x76\x65\x72\x69\x66\x69\x63\x61\x74\x69\x6f\x6e\x20"
|
||||||
|
"\x73\x65\x6c\x66\x2d\x74\x65\x73\x74\x69\x6e\x67\x20\x6b\x65\x79"
|
||||||
|
"\x30\x82\x02\x22\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01"
|
||||||
|
"\x01\x05\x00\x03\x82\x02\x0f\x00\x30\x82\x02\x0a\x02\x82\x02\x01"
|
||||||
|
"\x00\xcc\xac\x49\xdd\x3b\xca\xb0\x15\x7e\x84\x6a\xb2\x0a\x69\x5f"
|
||||||
|
"\x1c\x0a\x61\x82\x3b\x4f\x2c\xa3\x95\x2c\x08\x58\x4b\xb1\x5d\x99"
|
||||||
|
"\xe0\xc3\xc1\x79\xc2\xb3\xeb\xc0\x1e\x6d\x3e\x54\x1d\xbd\xb7\x92"
|
||||||
|
"\x7b\x4d\xb5\x95\x58\xb2\x52\x2e\xc6\x24\x4b\x71\x63\x80\x32\x77"
|
||||||
|
"\xa7\x38\x5e\xdb\x72\xae\x6e\x0d\xec\xfb\xb6\x6d\x01\x7f\xe9\x55"
|
||||||
|
"\x66\xdf\xbf\x1d\x76\x78\x02\x31\xe8\xe5\x07\xf8\xb7\x82\x5c\x0d"
|
||||||
|
"\xd4\xbb\xfb\xa2\x59\x0d\x2e\x3a\x78\x95\x3a\x8b\x46\x06\x47\x44"
|
||||||
|
"\x46\xd7\xcd\x06\x6a\x41\x13\xe3\x19\xf6\xbb\x6e\x38\xf4\x83\x01"
|
||||||
|
"\xa3\xbf\x4a\x39\x4f\xd7\x0a\xe9\x38\xb3\xf5\x94\x14\x4e\xdd\xf7"
|
||||||
|
"\x43\xfd\x24\xb2\x49\x3c\xa5\xf7\x7a\x7c\xd4\x45\x3d\x97\x75\x68"
|
||||||
|
"\xf1\xed\x4c\x42\x0b\x70\xca\x85\xf3\xde\xe5\x88\x2c\xc5\xbe\xb6"
|
||||||
|
"\x97\x34\xba\x24\x02\xcd\x8b\x86\x9f\xa9\x73\xca\x73\xcf\x92\x81"
|
||||||
|
"\xee\x75\x55\xbb\x18\x67\x5c\xff\x3f\xb5\xdd\x33\x1b\x0c\xe9\x78"
|
||||||
|
"\xdb\x5c\xcf\xaa\x5c\x43\x42\xdf\x5e\xa9\x6d\xec\xd7\xd7\xff\xe6"
|
||||||
|
"\xa1\x3a\x92\x1a\xda\xae\xf6\x8c\x6f\x7b\xd5\xb4\x6e\x06\xe9\x8f"
|
||||||
|
"\xe8\xde\x09\x31\x89\xed\x0e\x11\xa1\xfa\x8a\xe9\xe9\x64\x59\x62"
|
||||||
|
"\x53\xda\xd1\x70\xbe\x11\xd4\x99\x97\x11\xcf\x99\xde\x0b\x9d\x94"
|
||||||
|
"\x7e\xaa\xb8\x52\xea\x37\xdb\x90\x7e\x35\xbd\xd9\xfe\x6d\x0a\x48"
|
||||||
|
"\x70\x28\xdd\xd5\x0d\x7f\x03\x80\x93\x14\x23\x8f\xb9\x22\xcd\x7c"
|
||||||
|
"\x29\xfe\xf1\x72\xb5\x5c\x0b\x12\xcf\x9c\x15\xf6\x11\x4c\x7a\x45"
|
||||||
|
"\x25\x8c\x45\x0a\x34\xac\x2d\x9a\x81\xca\x0b\x13\x22\xcd\xeb\x1a"
|
||||||
|
"\x38\x88\x18\x97\x96\x08\x81\xaa\xcc\x8f\x0f\x8a\x32\x7b\x76\x68"
|
||||||
|
"\x03\x68\x43\xbf\x11\xba\x55\x60\xfd\x80\x1c\x0d\x9b\x69\xb6\x09"
|
||||||
|
"\x72\xbc\x0f\x41\x2f\x07\x82\xc6\xe3\xb2\x13\x91\xc4\x6d\x14\x95"
|
||||||
|
"\x31\xbe\x19\xbd\xbc\xed\xe1\x4c\x74\xa2\xe0\x78\x0b\xbb\x94\xec"
|
||||||
|
"\x4c\x53\x3a\xa2\xb5\x84\x1d\x4b\x65\x7e\xdc\xf7\xdb\x36\x7d\xbe"
|
||||||
|
"\x9e\x3b\x36\x66\x42\x66\x76\x35\xbf\xbe\xf0\xc1\x3c\x7c\xe9\x42"
|
||||||
|
"\x5c\x24\x53\x03\x05\xa8\x67\x24\x50\x02\x75\xff\x24\x46\x3b\x35"
|
||||||
|
"\x89\x76\xe6\x70\xda\xc5\x51\x8c\x9a\xe5\x05\xb0\x0b\xd0\x2d\xd4"
|
||||||
|
"\x7d\x57\x75\x94\x6b\xf9\x0a\xad\x0e\x41\x00\x15\xd0\x4f\xc0\x7f"
|
||||||
|
"\x90\x2d\x18\x48\x8f\x28\xfe\x5d\xa7\xcd\x99\x9e\xbd\x02\x6c\x8a"
|
||||||
|
"\x31\xf3\x1c\xc7\x4b\xe6\x93\xcd\x42\xa2\xe4\x68\x10\x47\x9d\xfc"
|
||||||
|
"\x21\x02\x03\x01\x00\x01\xa3\x5d\x30\x5b\x30\x0c\x06\x03\x55\x1d"
|
||||||
|
"\x13\x01\x01\xff\x04\x02\x30\x00\x30\x0b\x06\x03\x55\x1d\x0f\x04"
|
||||||
|
"\x04\x03\x02\x07\x80\x30\x1d\x06\x03\x55\x1d\x0e\x04\x16\x04\x14"
|
||||||
|
"\xf5\x87\x03\xbb\x33\xce\x1b\x73\xee\x02\xec\xcd\xee\x5b\x88\x17"
|
||||||
|
"\x51\x8f\xe3\xdb\x30\x1f\x06\x03\x55\x1d\x23\x04\x18\x30\x16\x80"
|
||||||
|
"\x14\xf5\x87\x03\xbb\x33\xce\x1b\x73\xee\x02\xec\xcd\xee\x5b\x88"
|
||||||
|
"\x17\x51\x8f\xe3\xdb\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01"
|
||||||
|
"\x01\x0b\x05\x00\x03\x82\x02\x01\x00\xc0\x2e\x12\x41\x7b\x73\x85"
|
||||||
|
"\x16\xc8\xdb\x86\x79\xe8\xf5\xcd\x44\xf4\xc6\xe2\x81\x23\x5e\x47"
|
||||||
|
"\xcb\xab\x25\xf1\x1e\x58\x3e\x31\x7f\x78\xad\x85\xeb\xfe\x14\x88"
|
||||||
|
"\x60\xf7\x7f\xd2\x26\xa2\xf4\x98\x2a\xfd\xba\x05\x0c\x20\x33\x12"
|
||||||
|
"\xcc\x4d\x14\x61\x64\x81\x93\xd3\x33\xed\xc8\xff\xf1\x78\xcc\x5f"
|
||||||
|
"\x51\x9f\x09\xd7\xbe\x0d\x5c\x74\xfd\x9b\xdf\x52\x4a\xc9\xa8\x71"
|
||||||
|
"\x25\x33\x04\x10\x67\x36\xd0\xb3\x0b\xc9\xa1\x40\x72\xae\x41\x7b"
|
||||||
|
"\x68\xe6\xe4\x7b\xd0\x28\xf7\x6d\xe7\x3f\x50\xfc\x91\x7c\x91\x56"
|
||||||
|
"\xd4\xdf\xa6\xbb\xe8\x4d\x1b\x58\xaa\x28\xfa\xc1\x19\xeb\x11\x2f"
|
||||||
|
"\x24\x8b\x7c\xc5\xa9\x86\x26\xaa\x6e\xb7\x9b\xd5\xf8\x06\xfb\x02"
|
||||||
|
"\x52\x7b\x9c\x9e\xa1\xe0\x07\x8b\x5e\xe4\xb8\x55\x29\xf6\x48\x52"
|
||||||
|
"\x1c\x1b\x54\x2d\x46\xd8\xe5\x71\xb9\x60\xd1\x45\xb5\x92\x89\x8a"
|
||||||
|
"\x63\x58\x2a\xb3\xc6\xb2\x76\xe2\x3c\x82\x59\x04\xae\x5a\xc4\x99"
|
||||||
|
"\x7b\x2e\x4b\x46\x57\xb8\x29\x24\xb2\xfd\xee\x2c\x0d\xa4\x83\xfa"
|
||||||
|
"\x65\x2a\x07\x35\x8b\x97\xcf\xbd\x96\x2e\xd1\x7e\x6c\xc2\x1e\x87"
|
||||||
|
"\xb6\x6c\x76\x65\xb5\xb2\x62\xda\x8b\xe9\x73\xe3\xdb\x33\xdd\x13"
|
||||||
|
"\x3a\x17\x63\x6a\x76\xde\x8d\x8f\xe0\x47\x61\x28\x3a\x83\xff\x8f"
|
||||||
|
"\xe7\xc7\xe0\x4a\xa3\xe5\x07\xcf\xe9\x8c\x35\x35\x2e\xe7\x80\x66"
|
||||||
|
"\x31\xbf\x91\x58\x0a\xe1\x25\x3d\x38\xd3\xa4\xf0\x59\x34\x47\x07"
|
||||||
|
"\x62\x0f\xbe\x30\xdd\x81\x88\x58\xf0\x28\xb0\x96\xe5\x82\xf8\x05"
|
||||||
|
"\xb7\x13\x01\xbc\xfa\xc6\x1f\x86\x72\xcc\xf9\xee\x8e\xd9\xd6\x04"
|
||||||
|
"\x8c\x24\x6c\xbf\x0f\x5d\x37\x39\xcf\x45\xc1\x93\x3a\xd2\xed\x5c"
|
||||||
|
"\x58\x79\x74\x86\x62\x30\x7e\x8e\xbb\xdd\x7a\xa9\xed\xca\x40\xcb"
|
||||||
|
"\x62\x47\xf4\xb4\x9f\x52\x7f\x72\x63\xa8\xf0\x2b\xaf\x45\x2a\x48"
|
||||||
|
"\x19\x6d\xe3\xfb\xf9\x19\x66\x69\xc8\xcc\x62\x87\x6c\x53\x2b\x2d"
|
||||||
|
"\x6e\x90\x6c\x54\x3a\x82\x25\x41\xcb\x18\x6a\xa4\x22\xa8\xa1\xc4"
|
||||||
|
"\x47\xd7\x81\x00\x1c\x15\x51\x0f\x1a\xaf\xef\x9f\xa6\x61\x8c\xbd"
|
||||||
|
"\x6b\x8b\xed\xe6\xac\x0e\xb6\x3a\x4c\x92\xe6\x0f\x91\x0a\x0f\x71"
|
||||||
|
"\xc7\xa0\xb9\x0d\x3a\x17\x5a\x6f\x35\xc8\xe7\x50\x4f\x46\xe8\x70"
|
||||||
|
"\x60\x48\x06\x82\x8b\x66\x58\xe6\x73\x91\x9c\x12\x3d\x35\x8e\x46"
|
||||||
|
"\xad\x5a\xf5\xb3\xdb\x69\x21\x04\xfd\xd3\x1c\xdf\x94\x9d\x56\xb0"
|
||||||
|
"\x0a\xd1\x95\x76\x8d\xec\x9e\xdd\x0b\x15\x97\x64\xad\xe5\xf2\x62"
|
||||||
|
"\x02\xfc\x9e\x5f\x56\x42\x39\x05\xb3"
|
||||||
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Signed data and detached signature blobs that form the verification tests.
|
||||||
|
*/
|
||||||
|
static const __initconst u8 certs_selftest_1_data[] = {
|
||||||
|
"\x54\x68\x69\x73\x20\x69\x73\x20\x73\x6f\x6d\x65\x20\x74\x65\x73"
|
||||||
|
"\x74\x20\x64\x61\x74\x61\x20\x75\x73\x65\x64\x20\x66\x6f\x72\x20"
|
||||||
|
"\x73\x65\x6c\x66\x2d\x74\x65\x73\x74\x69\x6e\x67\x20\x63\x65\x72"
|
||||||
|
"\x74\x69\x66\x69\x63\x61\x74\x65\x20\x76\x65\x72\x69\x66\x69\x63"
|
||||||
|
"\x61\x74\x69\x6f\x6e\x2e\x0a"
|
||||||
|
};
|
||||||
|
|
||||||
|
static const __initconst u8 certs_selftest_1_pkcs7[] = {
|
||||||
|
"\x30\x82\x02\xab\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02\xa0"
|
||||||
|
"\x82\x02\x9c\x30\x82\x02\x98\x02\x01\x01\x31\x0d\x30\x0b\x06\x09"
|
||||||
|
"\x60\x86\x48\x01\x65\x03\x04\x02\x01\x30\x0b\x06\x09\x2a\x86\x48"
|
||||||
|
"\x86\xf7\x0d\x01\x07\x01\x31\x82\x02\x75\x30\x82\x02\x71\x02\x01"
|
||||||
|
"\x01\x30\x4c\x30\x34\x31\x32\x30\x30\x06\x03\x55\x04\x03\x0c\x29"
|
||||||
|
"\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x65\x20\x76\x65\x72\x69"
|
||||||
|
"\x66\x69\x63\x61\x74\x69\x6f\x6e\x20\x73\x65\x6c\x66\x2d\x74\x65"
|
||||||
|
"\x73\x74\x69\x6e\x67\x20\x6b\x65\x79\x02\x14\x73\x98\xea\x98\x2d"
|
||||||
|
"\xd0\x2e\xa8\xb1\xcf\x57\xc7\xf2\x97\xb3\xe6\x1a\xfc\x8c\x0a\x30"
|
||||||
|
"\x0b\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x30\x0d\x06\x09"
|
||||||
|
"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00\x04\x82\x02\x00\xac"
|
||||||
|
"\xb0\xf2\x07\xd6\x99\x6d\xc0\xc0\xd9\x8d\x31\x0d\x7e\x04\xeb\xc3"
|
||||||
|
"\x88\x90\xc4\x58\x46\xd4\xe2\xa0\xa3\x25\xe3\x04\x50\x37\x85\x8c"
|
||||||
|
"\x91\xc6\xfc\xc5\xd4\x92\xfd\x05\xd8\xb8\xa3\xb8\xba\x89\x13\x00"
|
||||||
|
"\x88\x79\x99\x51\x6b\x5b\x28\x31\xc0\xb3\x1b\x7a\x68\x2c\x00\xdb"
|
||||||
|
"\x4b\x46\x11\xf3\xfa\x50\x8e\x19\x89\xa2\x4c\xda\x4c\x89\x01\x11"
|
||||||
|
"\x89\xee\xd3\xc8\xc1\xe7\xa7\xf6\xb2\xa2\xf8\x65\xb8\x35\x20\x33"
|
||||||
|
"\xba\x12\x62\xd5\xbd\xaa\x71\xe5\x5b\xc0\x6a\x32\xff\x6a\x2e\x23"
|
||||||
|
"\xef\x2b\xb6\x58\xb1\xfb\x5f\x82\x34\x40\x6d\x9f\xbc\x27\xac\x37"
|
||||||
|
"\x23\x99\xcf\x7d\x20\xb2\x39\x01\xc0\x12\xce\xd7\x5d\x2f\xb6\xab"
|
||||||
|
"\xb5\x56\x4f\xef\xf4\x72\x07\x58\x65\xa9\xeb\x1f\x75\x1c\x5f\x0c"
|
||||||
|
"\x88\xe0\xa4\xe2\xcd\x73\x2b\x9e\xb2\x05\x7e\x12\xf8\xd0\x66\x41"
|
||||||
|
"\xcc\x12\x63\xd4\xd6\xac\x9b\x1d\x14\x77\x8d\x1c\x57\xd5\x27\xc6"
|
||||||
|
"\x49\xa2\x41\x43\xf3\x59\x29\xe5\xcb\xd1\x75\xbc\x3a\x97\x2a\x72"
|
||||||
|
"\x22\x66\xc5\x3b\xc1\xba\xfc\x53\x18\x98\xe2\x21\x64\xc6\x52\x87"
|
||||||
|
"\x13\xd5\x7c\x42\xe8\xfb\x9c\x9a\x45\x32\xd5\xa5\x22\x62\x9d\xd4"
|
||||||
|
"\xcb\xa4\xfa\x77\xbb\x50\x24\x0b\x8b\x88\x99\x15\x56\xa9\x1e\x92"
|
||||||
|
"\xbf\x5d\x94\x77\xb6\xf1\x67\x01\x60\x06\x58\x5c\xdf\x18\x52\x79"
|
||||||
|
"\x37\x30\x93\x7d\x87\x04\xf1\xe0\x55\x59\x52\xf3\xc2\xb1\x1c\x5b"
|
||||||
|
"\x12\x7c\x49\x87\xfb\xf7\xed\xdd\x95\x71\xec\x4b\x1a\x85\x08\xb0"
|
||||||
|
"\xa0\x36\xc4\x7b\xab\x40\xe0\xf1\x98\xcc\xaf\x19\x40\x8f\x47\x6f"
|
||||||
|
"\xf0\x6c\x84\x29\x7f\x7f\x04\x46\xcb\x08\x0f\xe0\xc1\xc9\x70\x6e"
|
||||||
|
"\x95\x3b\xa4\xbc\x29\x2b\x53\x67\x45\x1b\x0d\xbc\x13\xa5\x76\x31"
|
||||||
|
"\xaf\xb9\xd0\xe0\x60\x12\xd2\xf4\xb7\x7c\x58\x7e\xf6\x2d\xbb\x24"
|
||||||
|
"\x14\x5a\x20\x24\xa8\x12\xdf\x25\xbd\x42\xce\x96\x7c\x2e\xba\x14"
|
||||||
|
"\x1b\x81\x9f\x18\x45\xa4\xc6\x70\x3e\x0e\xf0\xd3\x7b\x9c\x10\xbe"
|
||||||
|
"\xb8\x7a\x89\xc5\x9e\xd9\x97\xdf\xd7\xe7\xc6\x1d\xc0\x20\x6c\xb8"
|
||||||
|
"\x1e\x3a\x63\xb8\x39\x8e\x8e\x62\xd5\xd2\xb4\xcd\xff\x46\xfc\x8e"
|
||||||
|
"\xec\x07\x35\x0c\xff\xb0\x05\xe6\xf4\xe5\xfe\xa2\xe3\x0a\xe6\x36"
|
||||||
|
"\xa7\x4a\x7e\x62\x1d\xc4\x50\x39\x35\x4e\x28\xcb\x4a\xfb\x9d\xdb"
|
||||||
|
"\xdd\x23\xd6\x53\xb1\x74\x77\x12\xf7\x9c\xf0\x9a\x6b\xf7\xa9\x64"
|
||||||
|
"\x2d\x86\x21\x2a\xcf\xc6\x54\xf5\xc9\xad\xfa\xb5\x12\xb4\xf3\x51"
|
||||||
|
"\x77\x55\x3c\x6f\x0c\x32\xd3\x8c\x44\x39\x71\x25\xfe\x96\xd2"
|
||||||
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
* List of tests to be run.
|
||||||
|
*/
|
||||||
|
#define TEST(data, pkcs7) { data, sizeof(data) - 1, pkcs7, sizeof(pkcs7) - 1 }
|
||||||
|
static const struct certs_test certs_tests[] __initconst = {
|
||||||
|
TEST(certs_selftest_1_data, certs_selftest_1_pkcs7),
|
||||||
|
};
|
||||||
|
|
||||||
|
int __init fips_signature_selftest(void)
|
||||||
|
{
|
||||||
|
struct key *keyring;
|
||||||
|
int ret, i;
|
||||||
|
|
||||||
|
pr_notice("Running certificate verification selftests\n");
|
||||||
|
|
||||||
|
keyring = keyring_alloc(".certs_selftest",
|
||||||
|
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
|
||||||
|
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
||||||
|
KEY_USR_VIEW | KEY_USR_READ |
|
||||||
|
KEY_USR_SEARCH,
|
||||||
|
KEY_ALLOC_NOT_IN_QUOTA,
|
||||||
|
NULL, NULL);
|
||||||
|
if (IS_ERR(keyring))
|
||||||
|
panic("Can't allocate certs selftest keyring: %ld\n",
|
||||||
|
PTR_ERR(keyring));
|
||||||
|
|
||||||
|
ret = x509_load_certificate_list(certs_selftest_keys,
|
||||||
|
sizeof(certs_selftest_keys) - 1, keyring);
|
||||||
|
if (ret < 0)
|
||||||
|
panic("Can't allocate certs selftest keyring: %d\n", ret);
|
||||||
|
|
||||||
|
for (i = 0; i < ARRAY_SIZE(certs_tests); i++) {
|
||||||
|
const struct certs_test *test = &certs_tests[i];
|
||||||
|
struct pkcs7_message *pkcs7;
|
||||||
|
|
||||||
|
pkcs7 = pkcs7_parse_message(test->pkcs7, test->pkcs7_len);
|
||||||
|
if (IS_ERR(pkcs7))
|
||||||
|
panic("Certs selftest %d: pkcs7_parse_message() = %d\n", i, ret);
|
||||||
|
|
||||||
|
pkcs7_supply_detached_data(pkcs7, test->data, test->data_len);
|
||||||
|
|
||||||
|
ret = pkcs7_verify(pkcs7, VERIFYING_MODULE_SIGNATURE);
|
||||||
|
if (ret < 0)
|
||||||
|
panic("Certs selftest %d: pkcs7_verify() = %d\n", i, ret);
|
||||||
|
|
||||||
|
ret = pkcs7_validate_trust(pkcs7, keyring);
|
||||||
|
if (ret < 0)
|
||||||
|
panic("Certs selftest %d: pkcs7_validate_trust() = %d\n", i, ret);
|
||||||
|
|
||||||
|
pkcs7_free_message(pkcs7);
|
||||||
|
}
|
||||||
|
|
||||||
|
key_put(keyring);
|
||||||
|
return 0;
|
||||||
|
}
|
|
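Review bot: The panic after `if (IS_ERR(pkcs7))` reports the wrong value: `ret` still holds the return of x509_load_certificate_list() (0 at that point), not the parse error, so a parser failure would be logged as `pkcs7_parse_message() = 0`; change it to `panic("Certs selftest %d: pkcs7_parse_message() = %ld\n", i, PTR_ERR(pkcs7));`. The panic after x509_load_certificate_list() also reuses the "Can't allocate certs selftest keyring" text although the keyring was allocated successfully, so it should say something like `"Can't load certs selftest keys: %d\n"`. Separately, certs_tests[] holds only a must-verify case; a FIPS-style known-answer test usually also includes a must-fail case (the same PKCS#7 blob with a byte of the signature altered, or mismatched detached data) so that a verifier which accepts everything is caught as well — the exact error code to expect should be confirmed against pkcs7_verify(). The `sizeof(x) - 1` in TEST() and in the x509_load_certificate_list() call is there to drop the string literal's implicit NUL; a one-line comment on the macro would save the next reader from wondering whether it is an off-by-one.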
@ -2,11 +2,11 @@
|
||||||
|
|
||||||
#include <linux/kernel.h>
|
#include <linux/kernel.h>
|
||||||
#include <linux/key.h>
|
#include <linux/key.h>
|
||||||
#include "common.h"
|
#include <keys/asymmetric-type.h>
|
||||||
|
|
||||||
int load_certificate_list(const u8 cert_list[],
|
int x509_load_certificate_list(const u8 cert_list[],
|
||||||
const unsigned long list_size,
|
const unsigned long list_size,
|
||||||
const struct key *keyring)
|
const struct key *keyring)
|
||||||
{
|
{
|
||||||
key_ref_t key;
|
key_ref_t key;
|
||||||
const u8 *p, *end;
|
const u8 *p, *end;
|
|
@ -40,6 +40,15 @@ struct x509_certificate {
|
||||||
bool blacklisted;
|
bool blacklisted;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
* selftest.c
|
||||||
|
*/
|
||||||
|
#ifdef CONFIG_FIPS_SIGNATURE_SELFTEST
|
||||||
|
extern int __init fips_signature_selftest(void);
|
||||||
|
#else
|
||||||
|
static inline int fips_signature_selftest(void) { return 0; }
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* x509_cert_parser.c
|
* x509_cert_parser.c
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -244,9 +244,15 @@ static struct asymmetric_key_parser x509_key_parser = {
|
||||||
/*
|
/*
|
||||||
* Module stuff
|
* Module stuff
|
||||||
*/
|
*/
|
||||||
|
extern int __init certs_selftest(void);
|
||||||
static int __init x509_key_init(void)
|
static int __init x509_key_init(void)
|
||||||
{
|
{
|
||||||
return register_asymmetric_key_parser(&x509_key_parser);
|
int ret;
|
||||||
|
|
||||||
|
ret = register_asymmetric_key_parser(&x509_key_parser);
|
||||||
|
if (ret < 0)
|
||||||
|
return ret;
|
||||||
|
return fips_signature_selftest();
|
||||||
}
|
}
|
||||||
|
|
||||||
static void __exit x509_key_exit(void)
|
static void __exit x509_key_exit(void)
|
||||||
|
|
|
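Review bot: The new `extern int __init certs_selftest(void);` declaration is dead: nothing in the hunk calls certs_selftest(), and x509_key_init() calls fips_signature_selftest(), which x509_parser.h now declares (with an inline stub when the option is off). Drop the extern so a symbol that does not exist is not advertised. Also, if fips_signature_selftest() ever returns an error instead of panicking, x509_key_init() returns it with the parser still registered; an `unregister_asymmetric_key_parser(&x509_key_parser)` on that path would keep the failure clean — as written the selftest returns 0 or panics, so this is defensive only. x509_key_exit() continues past the end of the hunk.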
@ -84,6 +84,9 @@ extern struct key *find_asymmetric_key(struct key *keyring,
|
||||||
const struct asymmetric_key_id *id_2,
|
const struct asymmetric_key_id *id_2,
|
||||||
bool partial);
|
bool partial);
|
||||||
|
|
||||||
|
int x509_load_certificate_list(const u8 cert_list[], const unsigned long list_size,
|
||||||
|
const struct key *keyring);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The payload is at the discretion of the subtype.
|
* The payload is at the discretion of the subtype.
|
||||||
*/
|
*/
|
||||||
|
|
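Review bot: x509_load_certificate_list() is now exposed in the public asymmetric-keys header without any documentation of its contract, and the old certs/common.h declaration is deleted, so this prototype is the only place a caller can read it. A kerneldoc block above it should state what cert_list must contain (presumably concatenated DER X.509 certificates, as produced for the system and revocation loaders — confirm against x509_loader.c, whose body is outside this hunk), that list_size is a byte count, that parsed keys are linked into keyring, and the return convention (0 or a negative errno, to be confirmed).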