1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* X.509 certificate parser
4 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
8 #define pr_fmt(fmt) "X.509: "fmt
9 #include <linux/kernel.h>
10 #include <linux/export.h>
11 #include <linux/slab.h>
12 #include <linux/err.h>
13 #include <linux/oid_registry.h>
14 #include <crypto/public_key.h>
15 #include "x509_parser.h"
16 #include "x509.asn1.h"
17 #include "x509_akid.asn1.h"
19 struct x509_parse_context
{
20 struct x509_certificate
*cert
; /* Certificate being constructed */
21 unsigned long data
; /* Start of data */
22 const void *key
; /* Key data */
23 size_t key_size
; /* Size of key data */
24 const void *params
; /* Key parameters */
25 size_t params_size
; /* Size of key parameters */
26 enum OID key_algo
; /* Algorithm used by the cert's key */
27 enum OID last_oid
; /* Last OID encountered */
28 enum OID sig_algo
; /* Algorithm used to sign the cert */
29 u8 o_size
; /* Size of organizationName (O) */
30 u8 cn_size
; /* Size of commonName (CN) */
31 u8 email_size
; /* Size of emailAddress */
32 u16 o_offset
; /* Offset of organizationName (O) */
33 u16 cn_offset
; /* Offset of commonName (CN) */
34 u16 email_offset
; /* Offset of emailAddress */
35 unsigned raw_akid_size
;
36 const void *raw_akid
; /* Raw authorityKeyId in ASN.1 */
37 const void *akid_raw_issuer
; /* Raw directoryName in authorityKeyId */
38 unsigned akid_raw_issuer_size
;
42 * Free an X.509 certificate
44 void x509_free_certificate(struct x509_certificate
*cert
)
47 public_key_free(cert
->pub
);
48 public_key_signature_free(cert
->sig
);
56 EXPORT_SYMBOL_GPL(x509_free_certificate
);
59 * Parse an X.509 certificate
61 struct x509_certificate
*x509_cert_parse(const void *data
, size_t datalen
)
63 struct x509_certificate
*cert
;
64 struct x509_parse_context
*ctx
;
65 struct asymmetric_key_id
*kid
;
69 cert
= kzalloc(sizeof(struct x509_certificate
), GFP_KERNEL
);
72 cert
->pub
= kzalloc(sizeof(struct public_key
), GFP_KERNEL
);
75 cert
->sig
= kzalloc(sizeof(struct public_key_signature
), GFP_KERNEL
);
78 ctx
= kzalloc(sizeof(struct x509_parse_context
), GFP_KERNEL
);
83 ctx
->data
= (unsigned long)data
;
85 /* Attempt to decode the certificate */
86 ret
= asn1_ber_decoder(&x509_decoder
, ctx
, data
, datalen
);
90 /* Decode the AuthorityKeyIdentifier */
92 pr_devel("AKID: %u %*phN\n",
93 ctx
->raw_akid_size
, ctx
->raw_akid_size
, ctx
->raw_akid
);
94 ret
= asn1_ber_decoder(&x509_akid_decoder
, ctx
,
95 ctx
->raw_akid
, ctx
->raw_akid_size
);
97 pr_warn("Couldn't decode AuthKeyIdentifier\n");
103 cert
->pub
->key
= kmemdup(ctx
->key
, ctx
->key_size
, GFP_KERNEL
);
107 cert
->pub
->keylen
= ctx
->key_size
;
109 cert
->pub
->params
= kmemdup(ctx
->params
, ctx
->params_size
, GFP_KERNEL
);
110 if (!cert
->pub
->params
)
113 cert
->pub
->paramlen
= ctx
->params_size
;
114 cert
->pub
->algo
= ctx
->key_algo
;
116 /* Grab the signature bits */
117 ret
= x509_get_sig_params(cert
);
121 /* Generate cert issuer + serial number key ID */
122 kid
= asymmetric_key_generate_id(cert
->raw_serial
,
123 cert
->raw_serial_size
,
125 cert
->raw_issuer_size
);
132 /* Detect self-signed certificates */
133 ret
= x509_check_for_self_signed(cert
);
143 x509_free_certificate(cert
);
147 EXPORT_SYMBOL_GPL(x509_cert_parse
);
150 * Note an OID when we find one for later processing when we know how
153 int x509_note_OID(void *context
, size_t hdrlen
,
155 const void *value
, size_t vlen
)
157 struct x509_parse_context
*ctx
= context
;
159 ctx
->last_oid
= look_up_OID(value
, vlen
);
160 if (ctx
->last_oid
== OID__NR
) {
162 sprint_oid(value
, vlen
, buffer
, sizeof(buffer
));
163 pr_debug("Unknown OID: [%lu] %s\n",
164 (unsigned long)value
- ctx
->data
, buffer
);
170 * Save the position of the TBS data so that we can check the signature over it
173 int x509_note_tbs_certificate(void *context
, size_t hdrlen
,
175 const void *value
, size_t vlen
)
177 struct x509_parse_context
*ctx
= context
;
179 pr_debug("x509_note_tbs_certificate(,%zu,%02x,%ld,%zu)!\n",
180 hdrlen
, tag
, (unsigned long)value
- ctx
->data
, vlen
);
182 ctx
->cert
->tbs
= value
- hdrlen
;
183 ctx
->cert
->tbs_size
= vlen
+ hdrlen
;
188 * Record the algorithm that was used to sign this certificate.
190 int x509_note_sig_algo(void *context
, size_t hdrlen
, unsigned char tag
,
191 const void *value
, size_t vlen
)
193 struct x509_parse_context
*ctx
= context
;
195 pr_debug("PubKey Algo: %u\n", ctx
->last_oid
);
197 switch (ctx
->last_oid
) {
199 return -ENOPKG
; /* Unsupported combination */
201 case OID_sha256WithRSAEncryption
:
202 ctx
->cert
->sig
->hash_algo
= "sha256";
205 case OID_sha384WithRSAEncryption
:
206 ctx
->cert
->sig
->hash_algo
= "sha384";
209 case OID_sha512WithRSAEncryption
:
210 ctx
->cert
->sig
->hash_algo
= "sha512";
213 case OID_sha224WithRSAEncryption
:
214 ctx
->cert
->sig
->hash_algo
= "sha224";
217 case OID_id_rsassa_pkcs1_v1_5_with_sha3_256
:
218 ctx
->cert
->sig
->hash_algo
= "sha3-256";
221 case OID_id_rsassa_pkcs1_v1_5_with_sha3_384
:
222 ctx
->cert
->sig
->hash_algo
= "sha3-384";
225 case OID_id_rsassa_pkcs1_v1_5_with_sha3_512
:
226 ctx
->cert
->sig
->hash_algo
= "sha3-512";
229 case OID_id_ecdsa_with_sha224
:
230 ctx
->cert
->sig
->hash_algo
= "sha224";
233 case OID_id_ecdsa_with_sha256
:
234 ctx
->cert
->sig
->hash_algo
= "sha256";
237 case OID_id_ecdsa_with_sha384
:
238 ctx
->cert
->sig
->hash_algo
= "sha384";
241 case OID_id_ecdsa_with_sha512
:
242 ctx
->cert
->sig
->hash_algo
= "sha512";
245 case OID_id_ecdsa_with_sha3_256
:
246 ctx
->cert
->sig
->hash_algo
= "sha3-256";
249 case OID_id_ecdsa_with_sha3_384
:
250 ctx
->cert
->sig
->hash_algo
= "sha3-384";
253 case OID_id_ecdsa_with_sha3_512
:
254 ctx
->cert
->sig
->hash_algo
= "sha3-512";
257 case OID_gost2012Signature256
:
258 ctx
->cert
->sig
->hash_algo
= "streebog256";
261 case OID_gost2012Signature512
:
262 ctx
->cert
->sig
->hash_algo
= "streebog512";
265 case OID_SM2_with_SM3
:
266 ctx
->cert
->sig
->hash_algo
= "sm3";
271 ctx
->cert
->sig
->pkey_algo
= "rsa";
272 ctx
->cert
->sig
->encoding
= "pkcs1";
273 ctx
->sig_algo
= ctx
->last_oid
;
276 ctx
->cert
->sig
->pkey_algo
= "ecrdsa";
277 ctx
->cert
->sig
->encoding
= "raw";
278 ctx
->sig_algo
= ctx
->last_oid
;
281 ctx
->cert
->sig
->pkey_algo
= "sm2";
282 ctx
->cert
->sig
->encoding
= "raw";
283 ctx
->sig_algo
= ctx
->last_oid
;
286 ctx
->cert
->sig
->pkey_algo
= "ecdsa";
287 ctx
->cert
->sig
->encoding
= "x962";
288 ctx
->sig_algo
= ctx
->last_oid
;
293 * Note the whereabouts and type of the signature.
295 int x509_note_signature(void *context
, size_t hdrlen
,
297 const void *value
, size_t vlen
)
299 struct x509_parse_context
*ctx
= context
;
301 pr_debug("Signature: alg=%u, size=%zu\n", ctx
->last_oid
, vlen
);
304 * In X.509 certificates, the signature's algorithm is stored in two
305 * places: inside the TBSCertificate (the data that is signed), and
306 * alongside the signature. These *must* match.
308 if (ctx
->last_oid
!= ctx
->sig_algo
) {
309 pr_warn("signatureAlgorithm (%u) differs from tbsCertificate.signature (%u)\n",
310 ctx
->last_oid
, ctx
->sig_algo
);
314 if (strcmp(ctx
->cert
->sig
->pkey_algo
, "rsa") == 0 ||
315 strcmp(ctx
->cert
->sig
->pkey_algo
, "ecrdsa") == 0 ||
316 strcmp(ctx
->cert
->sig
->pkey_algo
, "sm2") == 0 ||
317 strcmp(ctx
->cert
->sig
->pkey_algo
, "ecdsa") == 0) {
318 /* Discard the BIT STRING metadata */
319 if (vlen
< 1 || *(const u8
*)value
!= 0)
326 ctx
->cert
->raw_sig
= value
;
327 ctx
->cert
->raw_sig_size
= vlen
;
332 * Note the certificate serial number
334 int x509_note_serial(void *context
, size_t hdrlen
,
336 const void *value
, size_t vlen
)
338 struct x509_parse_context
*ctx
= context
;
339 ctx
->cert
->raw_serial
= value
;
340 ctx
->cert
->raw_serial_size
= vlen
;
345 * Note some of the name segments from which we'll fabricate a name.
347 int x509_extract_name_segment(void *context
, size_t hdrlen
,
349 const void *value
, size_t vlen
)
351 struct x509_parse_context
*ctx
= context
;
353 switch (ctx
->last_oid
) {
356 ctx
->cn_offset
= (unsigned long)value
- ctx
->data
;
358 case OID_organizationName
:
360 ctx
->o_offset
= (unsigned long)value
- ctx
->data
;
362 case OID_email_address
:
363 ctx
->email_size
= vlen
;
364 ctx
->email_offset
= (unsigned long)value
- ctx
->data
;
374 * Fabricate and save the issuer and subject names
376 static int x509_fabricate_name(struct x509_parse_context
*ctx
, size_t hdrlen
,
378 char **_name
, size_t vlen
)
380 const void *name
, *data
= (const void *)ctx
->data
;
387 /* Empty name string if no material */
388 if (!ctx
->cn_size
&& !ctx
->o_size
&& !ctx
->email_size
) {
389 buffer
= kmalloc(1, GFP_KERNEL
);
396 if (ctx
->cn_size
&& ctx
->o_size
) {
397 /* Consider combining O and CN, but use only the CN if it is
398 * prefixed by the O, or a significant portion thereof.
400 namesize
= ctx
->cn_size
;
401 name
= data
+ ctx
->cn_offset
;
402 if (ctx
->cn_size
>= ctx
->o_size
&&
403 memcmp(data
+ ctx
->cn_offset
, data
+ ctx
->o_offset
,
405 goto single_component
;
406 if (ctx
->cn_size
>= 7 &&
408 memcmp(data
+ ctx
->cn_offset
, data
+ ctx
->o_offset
, 7) == 0)
409 goto single_component
;
411 buffer
= kmalloc(ctx
->o_size
+ 2 + ctx
->cn_size
+ 1,
417 data
+ ctx
->o_offset
, ctx
->o_size
);
418 buffer
[ctx
->o_size
+ 0] = ':';
419 buffer
[ctx
->o_size
+ 1] = ' ';
420 memcpy(buffer
+ ctx
->o_size
+ 2,
421 data
+ ctx
->cn_offset
, ctx
->cn_size
);
422 buffer
[ctx
->o_size
+ 2 + ctx
->cn_size
] = 0;
425 } else if (ctx
->cn_size
) {
426 namesize
= ctx
->cn_size
;
427 name
= data
+ ctx
->cn_offset
;
428 } else if (ctx
->o_size
) {
429 namesize
= ctx
->o_size
;
430 name
= data
+ ctx
->o_offset
;
432 namesize
= ctx
->email_size
;
433 name
= data
+ ctx
->email_offset
;
437 buffer
= kmalloc(namesize
+ 1, GFP_KERNEL
);
440 memcpy(buffer
, name
, namesize
);
441 buffer
[namesize
] = 0;
451 int x509_note_issuer(void *context
, size_t hdrlen
,
453 const void *value
, size_t vlen
)
455 struct x509_parse_context
*ctx
= context
;
456 struct asymmetric_key_id
*kid
;
458 ctx
->cert
->raw_issuer
= value
;
459 ctx
->cert
->raw_issuer_size
= vlen
;
461 if (!ctx
->cert
->sig
->auth_ids
[2]) {
462 kid
= asymmetric_key_generate_id(value
, vlen
, "", 0);
465 ctx
->cert
->sig
->auth_ids
[2] = kid
;
468 return x509_fabricate_name(ctx
, hdrlen
, tag
, &ctx
->cert
->issuer
, vlen
);
471 int x509_note_subject(void *context
, size_t hdrlen
,
473 const void *value
, size_t vlen
)
475 struct x509_parse_context
*ctx
= context
;
476 ctx
->cert
->raw_subject
= value
;
477 ctx
->cert
->raw_subject_size
= vlen
;
478 return x509_fabricate_name(ctx
, hdrlen
, tag
, &ctx
->cert
->subject
, vlen
);
482 * Extract the parameters for the public key
484 int x509_note_params(void *context
, size_t hdrlen
,
486 const void *value
, size_t vlen
)
488 struct x509_parse_context
*ctx
= context
;
491 * AlgorithmIdentifier is used three times in the x509, we should skip
492 * first and ignore third, using second one which is after subject and
493 * before subjectPublicKey.
495 if (!ctx
->cert
->raw_subject
|| ctx
->key
)
497 ctx
->params
= value
- hdrlen
;
498 ctx
->params_size
= vlen
+ hdrlen
;
503 * Extract the data for the public key algorithm
505 int x509_extract_key_data(void *context
, size_t hdrlen
,
507 const void *value
, size_t vlen
)
509 struct x509_parse_context
*ctx
= context
;
512 ctx
->key_algo
= ctx
->last_oid
;
513 switch (ctx
->last_oid
) {
514 case OID_rsaEncryption
:
515 ctx
->cert
->pub
->pkey_algo
= "rsa";
517 case OID_gost2012PKey256
:
518 case OID_gost2012PKey512
:
519 ctx
->cert
->pub
->pkey_algo
= "ecrdsa";
522 ctx
->cert
->pub
->pkey_algo
= "sm2";
524 case OID_id_ecPublicKey
:
525 if (parse_OID(ctx
->params
, ctx
->params_size
, &oid
) != 0)
530 ctx
->cert
->pub
->pkey_algo
= "sm2";
532 case OID_id_prime192v1
:
533 ctx
->cert
->pub
->pkey_algo
= "ecdsa-nist-p192";
535 case OID_id_prime256v1
:
536 ctx
->cert
->pub
->pkey_algo
= "ecdsa-nist-p256";
538 case OID_id_ansip384r1
:
539 ctx
->cert
->pub
->pkey_algo
= "ecdsa-nist-p384";
549 /* Discard the BIT STRING metadata */
550 if (vlen
< 1 || *(const u8
*)value
!= 0)
552 ctx
->key
= value
+ 1;
553 ctx
->key_size
= vlen
- 1;
557 /* The keyIdentifier in AuthorityKeyIdentifier SEQUENCE is tag(CONT,PRIM,0) */
558 #define SEQ_TAG_KEYID (ASN1_CONT << 6)
561 * Process certificate extensions that are used to qualify the certificate.
563 int x509_process_extension(void *context
, size_t hdrlen
,
565 const void *value
, size_t vlen
)
567 struct x509_parse_context
*ctx
= context
;
568 struct asymmetric_key_id
*kid
;
569 const unsigned char *v
= value
;
571 pr_debug("Extension: %u\n", ctx
->last_oid
);
573 if (ctx
->last_oid
== OID_subjectKeyIdentifier
) {
574 /* Get hold of the key fingerprint */
575 if (ctx
->cert
->skid
|| vlen
< 3)
577 if (v
[0] != ASN1_OTS
|| v
[1] != vlen
- 2)
582 ctx
->cert
->raw_skid_size
= vlen
;
583 ctx
->cert
->raw_skid
= v
;
584 kid
= asymmetric_key_generate_id(v
, vlen
, "", 0);
587 ctx
->cert
->skid
= kid
;
588 pr_debug("subjkeyid %*phN\n", kid
->len
, kid
->data
);
592 if (ctx
->last_oid
== OID_keyUsage
) {
594 * Get hold of the keyUsage bit string
595 * v[1] is the encoding size
596 * (Expect either 0x02 or 0x03, making it 1 or 2 bytes)
597 * v[2] is the number of unused bits in the bit string
598 * (If >= 3 keyCertSign is missing when v[1] = 0x02)
599 * v[3] and possibly v[4] contain the bit string
601 * From RFC 5280 4.2.1.3:
602 * 0x04 is where keyCertSign lands in this bit string
603 * 0x80 is where digitalSignature lands in this bit string
605 if (v
[0] != ASN1_BTS
)
612 ctx
->cert
->pub
->key_eflags
|= 1 << KEY_EFLAG_DIGITALSIG
;
613 if (v
[1] == 0x02 && v
[2] <= 2 && (v
[3] & 0x04))
614 ctx
->cert
->pub
->key_eflags
|= 1 << KEY_EFLAG_KEYCERTSIGN
;
615 else if (vlen
> 4 && v
[1] == 0x03 && (v
[3] & 0x04))
616 ctx
->cert
->pub
->key_eflags
|= 1 << KEY_EFLAG_KEYCERTSIGN
;
620 if (ctx
->last_oid
== OID_authorityKeyIdentifier
) {
621 /* Get hold of the CA key fingerprint */
623 ctx
->raw_akid_size
= vlen
;
627 if (ctx
->last_oid
== OID_basicConstraints
) {
629 * Get hold of the basicConstraints
630 * v[1] is the encoding size
631 * (Expect 0x2 or greater, making it 1 or more bytes)
632 * v[2] is the encoding type
633 * (Expect an ASN1_BOOL for the CA)
634 * v[3] is the contents of the ASN1_BOOL
635 * (Expect 1 if the CA is TRUE)
636 * vlen should match the entire extension size
638 if (v
[0] != (ASN1_CONS_BIT
| ASN1_SEQ
))
642 if (v
[1] != vlen
- 2)
644 if (vlen
>= 4 && v
[1] != 0 && v
[2] == ASN1_BOOL
&& v
[3] == 1)
645 ctx
->cert
->pub
->key_eflags
|= 1 << KEY_EFLAG_CA
;
653 * x509_decode_time - Decode an X.509 time ASN.1 object
654 * @_t: The time to fill in
655 * @hdrlen: The length of the object header
656 * @tag: The object tag
657 * @value: The object value
658 * @vlen: The size of the object value
660 * Decode an ASN.1 universal time or generalised time field into a struct the
661 * kernel can handle and check it for validity. The time is decoded thus:
663 * [RFC5280 ยง4.1.2.5]
664 * CAs conforming to this profile MUST always encode certificate validity
665 * dates through the year 2049 as UTCTime; certificate validity dates in
666 * 2050 or later MUST be encoded as GeneralizedTime. Conforming
667 * applications MUST be able to process validity dates that are encoded in
668 * either UTCTime or GeneralizedTime.
670 int x509_decode_time(time64_t
*_t
, size_t hdrlen
,
672 const unsigned char *value
, size_t vlen
)
674 static const unsigned char month_lengths
[] = { 31, 28, 31, 30, 31, 30,
675 31, 31, 30, 31, 30, 31 };
676 const unsigned char *p
= value
;
677 unsigned year
, mon
, day
, hour
, min
, sec
, mon_len
;
679 #define dec2bin(X) ({ unsigned char x = (X) - '0'; if (x > 9) goto invalid_time; x; })
680 #define DD2bin(P) ({ unsigned x = dec2bin(P[0]) * 10 + dec2bin(P[1]); P += 2; x; })
682 if (tag
== ASN1_UNITIM
) {
683 /* UTCTime: YYMMDDHHMMSSZ */
685 goto unsupported_time
;
691 } else if (tag
== ASN1_GENTIM
) {
692 /* GenTime: YYYYMMDDHHMMSSZ */
694 goto unsupported_time
;
695 year
= DD2bin(p
) * 100 + DD2bin(p
);
696 if (year
>= 1950 && year
<= 2049)
699 goto unsupported_time
;
709 goto unsupported_time
;
715 mon_len
= month_lengths
[mon
- 1];
719 if (year
% 100 == 0) {
727 if (day
< 1 || day
> mon_len
||
728 hour
> 24 || /* ISO 8601 permits 24:00:00 as midnight tomorrow */
730 sec
> 60) /* ISO 8601 permits leap seconds [X.680 46.3] */
733 *_t
= mktime64(year
, mon
, day
, hour
, min
, sec
);
737 pr_debug("Got unsupported time [tag %02x]: '%*phN'\n",
738 tag
, (int)vlen
, value
);
741 pr_debug("Got invalid time [tag %02x]: '%*phN'\n",
742 tag
, (int)vlen
, value
);
745 EXPORT_SYMBOL_GPL(x509_decode_time
);
747 int x509_note_not_before(void *context
, size_t hdrlen
,
749 const void *value
, size_t vlen
)
751 struct x509_parse_context
*ctx
= context
;
752 return x509_decode_time(&ctx
->cert
->valid_from
, hdrlen
, tag
, value
, vlen
);
755 int x509_note_not_after(void *context
, size_t hdrlen
,
757 const void *value
, size_t vlen
)
759 struct x509_parse_context
*ctx
= context
;
760 return x509_decode_time(&ctx
->cert
->valid_to
, hdrlen
, tag
, value
, vlen
);
764 * Note a key identifier-based AuthorityKeyIdentifier
766 int x509_akid_note_kid(void *context
, size_t hdrlen
,
768 const void *value
, size_t vlen
)
770 struct x509_parse_context
*ctx
= context
;
771 struct asymmetric_key_id
*kid
;
773 pr_debug("AKID: keyid: %*phN\n", (int)vlen
, value
);
775 if (ctx
->cert
->sig
->auth_ids
[1])
778 kid
= asymmetric_key_generate_id(value
, vlen
, "", 0);
781 pr_debug("authkeyid %*phN\n", kid
->len
, kid
->data
);
782 ctx
->cert
->sig
->auth_ids
[1] = kid
;
787 * Note a directoryName in an AuthorityKeyIdentifier
789 int x509_akid_note_name(void *context
, size_t hdrlen
,
791 const void *value
, size_t vlen
)
793 struct x509_parse_context
*ctx
= context
;
795 pr_debug("AKID: name: %*phN\n", (int)vlen
, value
);
797 ctx
->akid_raw_issuer
= value
;
798 ctx
->akid_raw_issuer_size
= vlen
;
803 * Note a serial number in an AuthorityKeyIdentifier
805 int x509_akid_note_serial(void *context
, size_t hdrlen
,
807 const void *value
, size_t vlen
)
809 struct x509_parse_context
*ctx
= context
;
810 struct asymmetric_key_id
*kid
;
812 pr_debug("AKID: serial: %*phN\n", (int)vlen
, value
);
814 if (!ctx
->akid_raw_issuer
|| ctx
->cert
->sig
->auth_ids
[0])
817 kid
= asymmetric_key_generate_id(value
,
819 ctx
->akid_raw_issuer
,
820 ctx
->akid_raw_issuer_size
);
824 pr_debug("authkeyid %*phN\n", kid
->len
, kid
->data
);
825 ctx
->cert
->sig
->auth_ids
[0] = kid
;