iPXE
Macros | Functions | Variables
cms.c File Reference

Cryptographic Message Syntax (PKCS #7) More...

#include <stdint.h>
#include <string.h>
#include <time.h>
#include <errno.h>
#include <ipxe/asn1.h>
#include <ipxe/x509.h>
#include <ipxe/malloc.h>
#include <ipxe/uaccess.h>
#include <ipxe/cms.h>

Go to the source code of this file.

Macros

#define EACCES_NON_SIGNING   __einfo_error ( EINFO_EACCES_NON_SIGNING )
 
#define EINFO_EACCES_NON_SIGNING   __einfo_uniqify ( EINFO_EACCES, 0x01, "Not a signing certificate" )
 
#define EACCES_NON_CODE_SIGNING   __einfo_error ( EINFO_EACCES_NON_CODE_SIGNING )
 
#define EINFO_EACCES_NON_CODE_SIGNING   __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a code-signing certificate" )
 
#define EACCES_WRONG_NAME   __einfo_error ( EINFO_EACCES_WRONG_NAME )
 
#define EINFO_EACCES_WRONG_NAME   __einfo_uniqify ( EINFO_EACCES, 0x04, "Incorrect certificate name" )
 
#define EACCES_NO_SIGNATURES   __einfo_error ( EINFO_EACCES_NO_SIGNATURES )
 
#define EINFO_EACCES_NO_SIGNATURES   __einfo_uniqify ( EINFO_EACCES, 0x05, "No signatures present" )
 
#define EINVAL_DIGEST   __einfo_error ( EINFO_EINVAL_DIGEST )
 
#define EINFO_EINVAL_DIGEST   __einfo_uniqify ( EINFO_EINVAL, 0x01, "Not a digest algorithm" )
 
#define EINVAL_PUBKEY   __einfo_error ( EINFO_EINVAL_PUBKEY )
 
#define EINFO_EINVAL_PUBKEY   __einfo_uniqify ( EINFO_EINVAL, 0x02, "Not a public-key algorithm" )
 
#define ENOTSUP_SIGNEDDATA   __einfo_error ( EINFO_ENOTSUP_SIGNEDDATA )
 
#define EINFO_ENOTSUP_SIGNEDDATA   __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Not a digital signature" )
 

Functions

 FILE_LICENCE (GPL2_OR_LATER_OR_UBDL)
 
static int cms_parse_content_type (struct cms_signature *sig, const struct asn1_cursor *raw)
 Parse CMS signature content type. More...
 
static int cms_parse_certificates (struct cms_signature *sig, const struct asn1_cursor *raw)
 Parse CMS signature certificate list. More...
 
static struct x509_certificatecms_find_issuer_serial (struct cms_signature *sig, const struct asn1_cursor *issuer, const struct asn1_cursor *serial)
 Identify CMS signature certificate by issuer and serial number. More...
 
static int cms_parse_signer_identifier (struct cms_signature *sig, struct cms_signer_info *info, const struct asn1_cursor *raw)
 Parse CMS signature signer identifier. More...
 
static int cms_parse_digest_algorithm (struct cms_signature *sig, struct cms_signer_info *info, const struct asn1_cursor *raw)
 Parse CMS signature digest algorithm. More...
 
static int cms_parse_signature_algorithm (struct cms_signature *sig, struct cms_signer_info *info, const struct asn1_cursor *raw)
 Parse CMS signature algorithm. More...
 
static int cms_parse_signature_value (struct cms_signature *sig, struct cms_signer_info *info, const struct asn1_cursor *raw)
 Parse CMS signature value. More...
 
static int cms_parse_signer_info (struct cms_signature *sig, struct cms_signer_info *info, const struct asn1_cursor *raw)
 Parse CMS signature signer information. More...
 
static int cms_parse (struct cms_signature *sig, const struct asn1_cursor *raw)
 Parse CMS signature from ASN.1 data. More...
 
static void cms_free (struct refcnt *refcnt)
 Free CMS signature. More...
 
int cms_signature (const void *data, size_t len, struct cms_signature **sig)
 Create CMS signature. More...
 
static void cms_digest (struct cms_signature *sig, struct cms_signer_info *info, userptr_t data, size_t len, void *out)
 Calculate digest of CMS-signed data. More...
 
static int cms_verify_digest (struct cms_signature *sig, struct cms_signer_info *info, struct x509_certificate *cert, userptr_t data, size_t len)
 Verify digest of CMS-signed data. More...
 
static int cms_verify_signer_info (struct cms_signature *sig, struct cms_signer_info *info, userptr_t data, size_t len, time_t time, struct x509_chain *store, struct x509_root *root)
 Verify CMS signature signer information. More...
 
int cms_verify (struct cms_signature *sig, userptr_t data, size_t len, const char *name, time_t time, struct x509_chain *store, struct x509_root *root)
 Verify CMS signature. More...
 

Variables

static uint8_t oid_signeddata [] = { ASN1_OID_SIGNEDDATA }
 "pkcs7-signedData" object identifier More...
 
static struct asn1_cursor oid_signeddata_cursor
 "pkcs7-signedData" object identifier cursor More...
 

Detailed Description

Cryptographic Message Syntax (PKCS #7)

The format of CMS messages is defined in RFC 5652.

Definition in file cms.c.

Macro Definition Documentation

◆ EACCES_NON_SIGNING

#define EACCES_NON_SIGNING   __einfo_error ( EINFO_EACCES_NON_SIGNING )

Definition at line 45 of file cms.c.

◆ EINFO_EACCES_NON_SIGNING

#define EINFO_EACCES_NON_SIGNING   __einfo_uniqify ( EINFO_EACCES, 0x01, "Not a signing certificate" )

Definition at line 47 of file cms.c.

◆ EACCES_NON_CODE_SIGNING

#define EACCES_NON_CODE_SIGNING   __einfo_error ( EINFO_EACCES_NON_CODE_SIGNING )

Definition at line 49 of file cms.c.

◆ EINFO_EACCES_NON_CODE_SIGNING

#define EINFO_EACCES_NON_CODE_SIGNING   __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a code-signing certificate" )

Definition at line 51 of file cms.c.

◆ EACCES_WRONG_NAME

#define EACCES_WRONG_NAME   __einfo_error ( EINFO_EACCES_WRONG_NAME )

Definition at line 53 of file cms.c.

◆ EINFO_EACCES_WRONG_NAME

#define EINFO_EACCES_WRONG_NAME   __einfo_uniqify ( EINFO_EACCES, 0x04, "Incorrect certificate name" )

Definition at line 55 of file cms.c.

◆ EACCES_NO_SIGNATURES

#define EACCES_NO_SIGNATURES   __einfo_error ( EINFO_EACCES_NO_SIGNATURES )

Definition at line 57 of file cms.c.

◆ EINFO_EACCES_NO_SIGNATURES

#define EINFO_EACCES_NO_SIGNATURES   __einfo_uniqify ( EINFO_EACCES, 0x05, "No signatures present" )

Definition at line 59 of file cms.c.

◆ EINVAL_DIGEST

#define EINVAL_DIGEST   __einfo_error ( EINFO_EINVAL_DIGEST )

Definition at line 61 of file cms.c.

◆ EINFO_EINVAL_DIGEST

#define EINFO_EINVAL_DIGEST   __einfo_uniqify ( EINFO_EINVAL, 0x01, "Not a digest algorithm" )

Definition at line 63 of file cms.c.

◆ EINVAL_PUBKEY

#define EINVAL_PUBKEY   __einfo_error ( EINFO_EINVAL_PUBKEY )

Definition at line 65 of file cms.c.

◆ EINFO_EINVAL_PUBKEY

#define EINFO_EINVAL_PUBKEY   __einfo_uniqify ( EINFO_EINVAL, 0x02, "Not a public-key algorithm" )

Definition at line 67 of file cms.c.

◆ ENOTSUP_SIGNEDDATA

#define ENOTSUP_SIGNEDDATA   __einfo_error ( EINFO_ENOTSUP_SIGNEDDATA )

Definition at line 69 of file cms.c.

◆ EINFO_ENOTSUP_SIGNEDDATA

#define EINFO_ENOTSUP_SIGNEDDATA   __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Not a digital signature" )

Definition at line 71 of file cms.c.

Function Documentation

◆ FILE_LICENCE()

FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL  )

◆ cms_parse_content_type()

static int cms_parse_content_type ( struct cms_signature sig,
const struct asn1_cursor raw 
)
static

Parse CMS signature content type.

Parameters
sigCMS signature
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 88 of file cms.c.

89  {
90  struct asn1_cursor cursor;
91 
92  /* Enter contentType */
93  memcpy ( &cursor, raw, sizeof ( cursor ) );
94  asn1_enter ( &cursor, ASN1_OID );
95 
96  /* Check OID is pkcs7-signedData */
97  if ( asn1_compare ( &cursor, &oid_signeddata_cursor ) != 0 ) {
98  DBGC ( sig, "CMS %p does not contain signedData:\n", sig );
99  DBGC_HDA ( sig, 0, raw->data, raw->len );
100  return -ENOTSUP_SIGNEDDATA;
101  }
102 
103  DBGC ( sig, "CMS %p contains signedData\n", sig );
104  return 0;
105 }
asn1_compare
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:443
sig
u8 sig
Definition: CIB_PRM.h:43
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
DBGC
#define DBGC(...)
Definition: compiler.h:505
ENOTSUP_SIGNEDDATA
#define ENOTSUP_SIGNEDDATA
Definition: cms.c:69
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
oid_signeddata_cursor
static struct asn1_cursor oid_signeddata_cursor
"pkcs7-signedData" object identifier cursor
Definition: cms.c:78
ASN1_OID
#define ASN1_OID
ASN.1 object identifier.
Definition: asn1.h:74
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_compare(), asn1_enter(), ASN1_OID, DBGC, DBGC_HDA, ENOTSUP_SIGNEDDATA, memcpy(), oid_signeddata_cursor, raw, and sig.

Referenced by cms_parse().

◆ cms_parse_certificates()

static int cms_parse_certificates ( struct cms_signature sig,
const struct asn1_cursor raw 
)
static

Parse CMS signature certificate list.

Parameters
sigCMS signature
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 114 of file cms.c.

115  {
116  struct asn1_cursor cursor;
117  struct x509_certificate *cert;
118  int rc;
119 
120  /* Enter certificates */
121  memcpy ( &cursor, raw, sizeof ( cursor ) );
122  asn1_enter ( &cursor, ASN1_EXPLICIT_TAG ( 0 ) );
123 
124  /* Add each certificate */
125  while ( cursor.len ) {
126 
127  /* Add certificate to chain */
128  if ( ( rc = x509_append_raw ( sig->certificates, cursor.data,
129  cursor.len ) ) != 0 ) {
130  DBGC ( sig, "CMS %p could not append certificate: %s\n",
131  sig, strerror ( rc) );
132  DBGC_HDA ( sig, 0, cursor.data, cursor.len );
133  return rc;
134  }
135  cert = x509_last ( sig->certificates );
136  DBGC ( sig, "CMS %p found certificate %s\n",
137  sig, x509_name ( cert ) );
138 
139  /* Move to next certificate */
140  asn1_skip_any ( &cursor );
141  }
142 
143  return 0;
144 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
sig
u8 sig
Definition: CIB_PRM.h:43
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
x509_append_raw
int x509_append_raw(struct x509_chain *chain, const void *data, size_t len)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1668
DBGC
#define DBGC(...)
Definition: compiler.h:505
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
x509_last
static struct x509_certificate * x509_last(struct x509_chain *chain)
Get last certificate in X.509 certificate chain.
Definition: x509.h:316
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
x509_certificate
An X.509 certificate.
Definition: x509.h:207
x509_name
const char * x509_name(struct x509_certificate *cert)
Get X.509 certificate display name.
Definition: x509.c:145
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
ASN1_EXPLICIT_TAG
#define ASN1_EXPLICIT_TAG(number)
ASN.1 explicit tag.
Definition: asn1.h:98
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter(), ASN1_EXPLICIT_TAG, asn1_skip_any(), asn1_cursor::data, DBGC, DBGC_HDA, asn1_cursor::len, memcpy(), raw, rc, sig, strerror(), x509_append_raw(), x509_last(), and x509_name().

Referenced by cms_parse().

◆ cms_find_issuer_serial()

static struct x509_certificate* cms_find_issuer_serial ( struct cms_signature sig,
const struct asn1_cursor issuer,
const struct asn1_cursor serial 
)
static

Identify CMS signature certificate by issuer and serial number.

Parameters
sigCMS signature
issuerIssuer
serialSerial number
Return values
certX.509 certificate, or NULL if not found

Definition at line 155 of file cms.c.

157  {
158  struct x509_link *link;
159  struct x509_certificate *cert;
160 
161  /* Scan through certificate list */
162  list_for_each_entry ( link, &sig->certificates->links, list ) {
163 
164  /* Check issuer and serial number */
165  cert = link->cert;
166  if ( ( asn1_compare ( issuer, &cert->issuer.raw ) == 0 ) &&
167  ( asn1_compare ( serial, &cert->serial.raw ) == 0 ) )
168  return cert;
169  }
170 
171  return NULL;
172 }
x509_issuer::raw
struct asn1_cursor raw
Raw issuer.
Definition: x509.h:30
asn1_compare
int asn1_compare(const struct asn1_cursor *cursor1, const struct asn1_cursor *cursor2)
Compare two ASN.1 objects.
Definition: asn1.c:443
sig
u8 sig
Definition: CIB_PRM.h:43
x509_certificate::issuer
struct x509_issuer issuer
Issuer.
Definition: x509.h:232
x509_serial::raw
struct asn1_cursor raw
Raw serial number.
Definition: x509.h:24
list_for_each_entry
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:431
link
u32 link
Link to next descriptor.
Definition: ar9003_mac.h:68
x509_link
A link in an X.509 certificate chain.
Definition: x509.h:169
x509_certificate
An X.509 certificate.
Definition: x509.h:207
x509_certificate::serial
struct x509_serial serial
Serial number.
Definition: x509.h:226
serial
uint64_t serial
Serial number.
Definition: edd.h:30
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321

References asn1_compare(), x509_certificate::issuer, link, list_for_each_entry, NULL, x509_serial::raw, x509_issuer::raw, serial, x509_certificate::serial, and sig.

Referenced by cms_parse_signer_identifier().

◆ cms_parse_signer_identifier()

static int cms_parse_signer_identifier ( struct cms_signature sig,
struct cms_signer_info info,
const struct asn1_cursor raw 
)
static

Parse CMS signature signer identifier.

Parameters
sigCMS signature
infoSigner information to fill in
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 182 of file cms.c.

184  {
185  struct asn1_cursor cursor;
186  struct asn1_cursor serial;
187  struct asn1_cursor issuer;
188  struct x509_certificate *cert;
189  int rc;
190 
191  /* Enter issuerAndSerialNumber */
192  memcpy ( &cursor, raw, sizeof ( cursor ) );
193  asn1_enter ( &cursor, ASN1_SEQUENCE );
194 
195  /* Identify issuer */
196  memcpy ( &issuer, &cursor, sizeof ( issuer ) );
197  if ( ( rc = asn1_shrink ( &issuer, ASN1_SEQUENCE ) ) != 0 ) {
198  DBGC ( sig, "CMS %p/%p could not locate issuer: %s\n",
199  sig, info, strerror ( rc ) );
200  DBGC_HDA ( sig, 0, raw->data, raw->len );
201  return rc;
202  }
203  DBGC ( sig, "CMS %p/%p issuer is:\n", sig, info );
204  DBGC_HDA ( sig, 0, issuer.data, issuer.len );
205  asn1_skip_any ( &cursor );
206 
207  /* Identify serialNumber */
208  memcpy ( &serial, &cursor, sizeof ( serial ) );
209  if ( ( rc = asn1_shrink ( &serial, ASN1_INTEGER ) ) != 0 ) {
210  DBGC ( sig, "CMS %p/%p could not locate serialNumber: %s\n",
211  sig, info, strerror ( rc ) );
212  DBGC_HDA ( sig, 0, raw->data, raw->len );
213  return rc;
214  }
215  DBGC ( sig, "CMS %p/%p serial number is:\n", sig, info );
216  DBGC_HDA ( sig, 0, serial.data, serial.len );
217 
218  /* Identify certificate */
219  cert = cms_find_issuer_serial ( sig, &issuer, &serial );
220  if ( ! cert ) {
221  DBGC ( sig, "CMS %p/%p could not identify signer's "
222  "certificate\n", sig, info );
223  return -ENOENT;
224  }
225 
226  /* Append certificate to chain */
227  if ( ( rc = x509_append ( info->chain, cert ) ) != 0 ) {
228  DBGC ( sig, "CMS %p/%p could not append certificate: %s\n",
229  sig, info, strerror ( rc ) );
230  return rc;
231  }
232 
233  /* Append remaining certificates to chain */
234  if ( ( rc = x509_auto_append ( info->chain,
235  sig->certificates ) ) != 0 ) {
236  DBGC ( sig, "CMS %p/%p could not append certificates: %s\n",
237  sig, info, strerror ( rc ) );
238  return rc;
239  }
240 
241  return 0;
242 }
cms_find_issuer_serial
static struct x509_certificate * cms_find_issuer_serial(struct cms_signature *sig, const struct asn1_cursor *issuer, const struct asn1_cursor *serial)
Identify CMS signature certificate by issuer and serial number.
Definition: cms.c:155
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
info
u32 info
Definition: ar9003_mac.h:67
sig
u8 sig
Definition: CIB_PRM.h:43
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
x509_certificate::issuer
struct x509_issuer issuer
Issuer.
Definition: x509.h:232
DBGC
#define DBGC(...)
Definition: compiler.h:505
x509_append
int x509_append(struct x509_chain *chain, struct x509_certificate *cert)
Append X.509 certificate to X.509 certificate chain.
Definition: x509.c:1643
ENOENT
#define ENOENT
No such file or directory.
Definition: errno.h:514
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
asn1_shrink
int asn1_shrink(struct asn1_cursor *cursor, unsigned int type)
Shrink ASN.1 cursor to fit object.
Definition: asn1.c:240
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
x509_certificate
An X.509 certificate.
Definition: x509.h:207
serial
uint64_t serial
Serial number.
Definition: edd.h:30
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
ASN1_INTEGER
#define ASN1_INTEGER
ASN.1 integer.
Definition: asn1.h:62
x509_auto_append
int x509_auto_append(struct x509_chain *chain, struct x509_chain *certs)
Append X.509 certificates to X.509 certificate chain.
Definition: x509.c:1748
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter(), ASN1_INTEGER, ASN1_SEQUENCE, asn1_shrink(), asn1_skip_any(), cms_find_issuer_serial(), DBGC, DBGC_HDA, ENOENT, info, x509_certificate::issuer, memcpy(), raw, rc, serial, sig, strerror(), x509_append(), and x509_auto_append().

Referenced by cms_parse_signer_info().

◆ cms_parse_digest_algorithm()

static int cms_parse_digest_algorithm ( struct cms_signature sig,
struct cms_signer_info info,
const struct asn1_cursor raw 
)
static

Parse CMS signature digest algorithm.

Parameters
sigCMS signature
infoSigner information to fill in
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 252 of file cms.c.

254  {
255  struct asn1_algorithm *algorithm;
256  int rc;
257 
258  /* Identify algorithm */
259  if ( ( rc = asn1_digest_algorithm ( raw, &algorithm ) ) != 0 ) {
260  DBGC ( sig, "CMS %p/%p could not identify digest algorithm: "
261  "%s\n", sig, info, strerror ( rc ) );
262  DBGC_HDA ( sig, 0, raw->data, raw->len );
263  return rc;
264  }
265 
266  /* Record digest algorithm */
267  info->digest = algorithm->digest;
268  DBGC ( sig, "CMS %p/%p digest algorithm is %s\n",
269  sig, info, algorithm->name );
270 
271  return 0;
272 }
asn1_algorithm
An ASN.1 OID-identified algorithm.
Definition: asn1.h:311
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
info
u32 info
Definition: ar9003_mac.h:67
sig
u8 sig
Definition: CIB_PRM.h:43
DBGC
#define DBGC(...)
Definition: compiler.h:505
asn1_digest_algorithm
int asn1_digest_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified digest algorithm.
Definition: asn1.c:539
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
algorithm
u16 algorithm
Authentication algorithm (Open System or Shared Key)
Definition: ieee80211.h:1030
raw
__be32 raw[7]
Definition: CIB_PRM.h:28

References algorithm, asn1_digest_algorithm(), DBGC, DBGC_HDA, info, raw, rc, sig, and strerror().

Referenced by cms_parse_signer_info().

◆ cms_parse_signature_algorithm()

static int cms_parse_signature_algorithm ( struct cms_signature sig,
struct cms_signer_info info,
const struct asn1_cursor raw 
)
static

Parse CMS signature algorithm.

Parameters
sigCMS signature
infoSigner information to fill in
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 282 of file cms.c.

284  {
285  struct asn1_algorithm *algorithm;
286  int rc;
287 
288  /* Identify algorithm */
289  if ( ( rc = asn1_pubkey_algorithm ( raw, &algorithm ) ) != 0 ) {
290  DBGC ( sig, "CMS %p/%p could not identify public-key "
291  "algorithm: %s\n", sig, info, strerror ( rc ) );
292  DBGC_HDA ( sig, 0, raw->data, raw->len );
293  return rc;
294  }
295 
296  /* Record signature algorithm */
297  info->pubkey = algorithm->pubkey;
298  DBGC ( sig, "CMS %p/%p public-key algorithm is %s\n",
299  sig, info, algorithm->name );
300 
301  return 0;
302 }
asn1_algorithm
An ASN.1 OID-identified algorithm.
Definition: asn1.h:311
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
info
u32 info
Definition: ar9003_mac.h:67
sig
u8 sig
Definition: CIB_PRM.h:43
DBGC
#define DBGC(...)
Definition: compiler.h:505
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
asn1_pubkey_algorithm
int asn1_pubkey_algorithm(const struct asn1_cursor *cursor, struct asn1_algorithm **algorithm)
Parse ASN.1 OID-identified public-key algorithm.
Definition: asn1.c:513
algorithm
u16 algorithm
Authentication algorithm (Open System or Shared Key)
Definition: ieee80211.h:1030
raw
__be32 raw[7]
Definition: CIB_PRM.h:28

References algorithm, asn1_pubkey_algorithm(), DBGC, DBGC_HDA, info, raw, rc, sig, and strerror().

Referenced by cms_parse_signer_info().

◆ cms_parse_signature_value()

static int cms_parse_signature_value ( struct cms_signature sig,
struct cms_signer_info info,
const struct asn1_cursor raw 
)
static

Parse CMS signature value.

Parameters
sigCMS signature
infoSigner information to fill in
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 312 of file cms.c.

314  {
315  struct asn1_cursor cursor;
316  int rc;
317 
318  /* Enter signature */
319  memcpy ( &cursor, raw, sizeof ( cursor ) );
320  if ( ( rc = asn1_enter ( &cursor, ASN1_OCTET_STRING ) ) != 0 ) {
321  DBGC ( sig, "CMS %p/%p could not locate signature:\n",
322  sig, info );
323  DBGC_HDA ( sig, 0, raw->data, raw->len );
324  return rc;
325  }
326 
327  /* Record signature */
328  info->signature_len = cursor.len;
329  info->signature = malloc ( info->signature_len );
330  if ( ! info->signature )
331  return -ENOMEM;
332  memcpy ( info->signature, cursor.data, info->signature_len );
333  DBGC ( sig, "CMS %p/%p signature value is:\n", sig, info );
334  DBGC_HDA ( sig, 0, info->signature, info->signature_len );
335 
336  return 0;
337 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
info
u32 info
Definition: ar9003_mac.h:67
sig
u8 sig
Definition: CIB_PRM.h:43
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
DBGC
#define DBGC(...)
Definition: compiler.h:505
ENOMEM
#define ENOMEM
Not enough space.
Definition: errno.h:534
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
malloc
void * malloc(size_t size)
Allocate memory.
Definition: malloc.c:583
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
ASN1_OCTET_STRING
#define ASN1_OCTET_STRING
ASN.1 octet string.
Definition: asn1.h:68
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter(), ASN1_OCTET_STRING, asn1_cursor::data, DBGC, DBGC_HDA, ENOMEM, info, asn1_cursor::len, malloc(), memcpy(), raw, rc, and sig.

Referenced by cms_parse_signer_info().

◆ cms_parse_signer_info()

static int cms_parse_signer_info ( struct cms_signature sig,
struct cms_signer_info info,
const struct asn1_cursor raw 
)
static

Parse CMS signature signer information.

Parameters
sigCMS signature
infoSigner information to fill in
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 347 of file cms.c.

349  {
350  struct asn1_cursor cursor;
351  int rc;
352 
353  /* Enter signerInfo */
354  memcpy ( &cursor, raw, sizeof ( cursor ) );
355  asn1_enter ( &cursor, ASN1_SEQUENCE );
356 
357  /* Skip version */
358  asn1_skip ( &cursor, ASN1_INTEGER );
359 
360  /* Parse sid */
361  if ( ( rc = cms_parse_signer_identifier ( sig, info, &cursor ) ) != 0 )
362  return rc;
363  asn1_skip_any ( &cursor );
364 
365  /* Parse digestAlgorithm */
366  if ( ( rc = cms_parse_digest_algorithm ( sig, info, &cursor ) ) != 0 )
367  return rc;
368  asn1_skip_any ( &cursor );
369 
370  /* Skip signedAttrs, if present */
371  asn1_skip_if_exists ( &cursor, ASN1_EXPLICIT_TAG ( 0 ) );
372 
373  /* Parse signatureAlgorithm */
374  if ( ( rc = cms_parse_signature_algorithm ( sig, info, &cursor ) ) != 0)
375  return rc;
376  asn1_skip_any ( &cursor );
377 
378  /* Parse signature */
379  if ( ( rc = cms_parse_signature_value ( sig, info, &cursor ) ) != 0 )
380  return rc;
381 
382  return 0;
383 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
info
u32 info
Definition: ar9003_mac.h:67
sig
u8 sig
Definition: CIB_PRM.h:43
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
cms_parse_signer_identifier
static int cms_parse_signer_identifier(struct cms_signature *sig, struct cms_signer_info *info, const struct asn1_cursor *raw)
Parse CMS signature signer identifier.
Definition: cms.c:182
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
cms_parse_signature_algorithm
static int cms_parse_signature_algorithm(struct cms_signature *sig, struct cms_signer_info *info, const struct asn1_cursor *raw)
Parse CMS signature algorithm.
Definition: cms.c:282
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
cms_parse_digest_algorithm
static int cms_parse_digest_algorithm(struct cms_signature *sig, struct cms_signer_info *info, const struct asn1_cursor *raw)
Parse CMS signature digest algorithm.
Definition: cms.c:252
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
ASN1_INTEGER
#define ASN1_INTEGER
ASN.1 integer.
Definition: asn1.h:62
cms_parse_signature_value
static int cms_parse_signature_value(struct cms_signature *sig, struct cms_signer_info *info, const struct asn1_cursor *raw)
Parse CMS signature value.
Definition: cms.c:312
asn1_skip_if_exists
int asn1_skip_if_exists(struct asn1_cursor *cursor, unsigned int type)
Skip ASN.1 object if present.
Definition: asn1.c:187
asn1_skip
int asn1_skip(struct asn1_cursor *cursor, unsigned int type)
Skip ASN.1 object.
Definition: asn1.c:218
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
ASN1_EXPLICIT_TAG
#define ASN1_EXPLICIT_TAG(number)
ASN.1 explicit tag.
Definition: asn1.h:98
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter(), ASN1_EXPLICIT_TAG, ASN1_INTEGER, ASN1_SEQUENCE, asn1_skip(), asn1_skip_any(), asn1_skip_if_exists(), cms_parse_digest_algorithm(), cms_parse_signature_algorithm(), cms_parse_signature_value(), cms_parse_signer_identifier(), info, memcpy(), raw, rc, and sig.

Referenced by cms_parse().

◆ cms_parse()

static int cms_parse ( struct cms_signature sig,
const struct asn1_cursor raw 
)
static

Parse CMS signature from ASN.1 data.

Parameters
sigCMS signature
rawASN.1 cursor
Return values
rcReturn status code

Definition at line 392 of file cms.c.

393  {
394  struct asn1_cursor cursor;
395  struct cms_signer_info *info;
396  int rc;
397 
398  /* Enter contentInfo */
399  memcpy ( &cursor, raw, sizeof ( cursor ) );
400  asn1_enter ( &cursor, ASN1_SEQUENCE );
401 
402  /* Parse contentType */
403 
404  if ( ( rc = cms_parse_content_type ( sig, &cursor ) ) != 0 )
405  return rc;
406  asn1_skip_any ( &cursor );
407 
408  /* Enter content */
409  asn1_enter ( &cursor, ASN1_EXPLICIT_TAG ( 0 ) );
410 
411  /* Enter signedData */
412  asn1_enter ( &cursor, ASN1_SEQUENCE );
413 
414  /* Skip version */
415  asn1_skip ( &cursor, ASN1_INTEGER );
416 
417  /* Skip digestAlgorithms */
418  asn1_skip ( &cursor, ASN1_SET );
419 
420  /* Skip encapContentInfo */
421  asn1_skip ( &cursor, ASN1_SEQUENCE );
422 
423  /* Parse certificates */
424  if ( ( rc = cms_parse_certificates ( sig, &cursor ) ) != 0 )
425  return rc;
426  asn1_skip_any ( &cursor );
427 
428  /* Skip crls, if present */
429  asn1_skip_if_exists ( &cursor, ASN1_EXPLICIT_TAG ( 1 ) );
430 
431  /* Enter signerInfos */
432  asn1_enter ( &cursor, ASN1_SET );
433 
434  /* Add each signerInfo. Errors are handled by ensuring that
435  * cms_put() will always be able to free any allocated memory.
436  */
437  while ( cursor.len ) {
438 
439  /* Allocate signer information block */
440  info = zalloc ( sizeof ( *info ) );
441  if ( ! info )
442  return -ENOMEM;
443  list_add ( &info->list, &sig->info );
444 
445  /* Allocate certificate chain */
446  info->chain = x509_alloc_chain();
447  if ( ! info->chain )
448  return -ENOMEM;
449 
450  /* Parse signerInfo */
451  if ( ( rc = cms_parse_signer_info ( sig, info,
452  &cursor ) ) != 0 )
453  return rc;
454  asn1_skip_any ( &cursor );
455  }
456 
457  return 0;
458 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
info
u32 info
Definition: ar9003_mac.h:67
cms_parse_content_type
static int cms_parse_content_type(struct cms_signature *sig, const struct asn1_cursor *raw)
Parse CMS signature content type.
Definition: cms.c:88
sig
u8 sig
Definition: CIB_PRM.h:43
asn1_enter
int asn1_enter(struct asn1_cursor *cursor, unsigned int type)
Enter ASN.1 object.
Definition: asn1.c:160
list_add
#define list_add(new, head)
Add a new entry to the head of a list.
Definition: list.h:69
cms_parse_certificates
static int cms_parse_certificates(struct cms_signature *sig, const struct asn1_cursor *raw)
Parse CMS signature certificate list.
Definition: cms.c:114
x509_alloc_chain
struct x509_chain * x509_alloc_chain(void)
Allocate X.509 certificate chain.
Definition: x509.c:1620
asn1_skip_any
int asn1_skip_any(struct asn1_cursor *cursor)
Skip ASN.1 object of any type.
Definition: asn1.c:276
ASN1_SET
#define ASN1_SET
ASN.1 set.
Definition: asn1.h:92
ENOMEM
#define ENOMEM
Not enough space.
Definition: errno.h:534
memcpy
void * memcpy(void *dest, const void *src, size_t len) __nonnull
cms_signer_info
CMS signer information.
Definition: cms.h:20
zalloc
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:624
cms_parse_signer_info
static int cms_parse_signer_info(struct cms_signature *sig, struct cms_signer_info *info, const struct asn1_cursor *raw)
Parse CMS signature signer information.
Definition: cms.c:347
ASN1_SEQUENCE
#define ASN1_SEQUENCE
ASN.1 sequence.
Definition: asn1.h:89
ASN1_INTEGER
#define ASN1_INTEGER
ASN.1 integer.
Definition: asn1.h:62
asn1_skip_if_exists
int asn1_skip_if_exists(struct asn1_cursor *cursor, unsigned int type)
Skip ASN.1 object if present.
Definition: asn1.c:187
asn1_skip
int asn1_skip(struct asn1_cursor *cursor, unsigned int type)
Skip ASN.1 object.
Definition: asn1.c:218
raw
__be32 raw[7]
Definition: CIB_PRM.h:28
ASN1_EXPLICIT_TAG
#define ASN1_EXPLICIT_TAG(number)
ASN.1 explicit tag.
Definition: asn1.h:98
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_enter(), ASN1_EXPLICIT_TAG, ASN1_INTEGER, ASN1_SEQUENCE, ASN1_SET, asn1_skip(), asn1_skip_any(), asn1_skip_if_exists(), cms_parse_certificates(), cms_parse_content_type(), cms_parse_signer_info(), ENOMEM, info, asn1_cursor::len, list_add, memcpy(), raw, rc, sig, x509_alloc_chain(), and zalloc().

Referenced by cms_signature().

◆ cms_free()

static void cms_free ( struct refcnt refcnt)
static

Free CMS signature.

Parameters
refcntReference count

Definition at line 465 of file cms.c.

465  {
466  struct cms_signature *sig =
467  container_of ( refcnt, struct cms_signature, refcnt );
468  struct cms_signer_info *info;
469  struct cms_signer_info *tmp;
470 
471  list_for_each_entry_safe ( info, tmp, &sig->info, list ) {
472  list_del ( &info->list );
473  x509_chain_put ( info->chain );
474  free ( info->signature );
475  free ( info );
476  }
477  x509_chain_put ( sig->certificates );
478  free ( sig );
479 }
x509_chain_put
static void x509_chain_put(struct x509_chain *chain)
Drop reference to X.509 certificate chain.
Definition: x509.h:291
info
u32 info
Definition: ar9003_mac.h:67
sig
u8 sig
Definition: CIB_PRM.h:43
refcnt
A reference counter.
Definition: refcnt.h:26
tmp
unsigned long tmp
Definition: linux_pci.h:53
list_del
#define list_del(list)
Delete an entry from a list.
Definition: list.h:119
container_of
#define container_of(ptr, type, field)
Get containing structure.
Definition: stddef.h:35
cms_signer_info
CMS signer information.
Definition: cms.h:20
list_for_each_entry_safe
#define list_for_each_entry_safe(pos, tmp, head, member)
Iterate over entries in a list, safe against deletion of the current entry.
Definition: list.h:458
free
static void(* free)(struct refcnt *refcnt))
Definition: refcnt.h:54
cms_signer_info::list
struct list_head list
List of signer information blocks.
Definition: cms.h:22
cms_signature
A CMS signature.
Definition: cms.h:39

References container_of, free, info, cms_signer_info::list, list_del, list_for_each_entry_safe, sig, tmp, and x509_chain_put().

Referenced by cms_signature().

◆ cms_signature()

int cms_signature ( const void *  data,
size_t  len,
struct cms_signature **  sig 
)

Create CMS signature.

Parameters
dataRaw signature data
lenLength of raw data
Return values
sigCMS signature
rcReturn status code

On success, the caller holds a reference to the CMS signature, and is responsible for ultimately calling cms_put().

Definition at line 492 of file cms.c.

492  {
493  struct asn1_cursor cursor;
494  int rc;
495 
496  /* Allocate and initialise signature */
497  *sig = zalloc ( sizeof ( **sig ) );
498  if ( ! *sig ) {
499  rc = -ENOMEM;
500  goto err_alloc;
501  }
502  ref_init ( &(*sig)->refcnt, cms_free );
503  INIT_LIST_HEAD ( &(*sig)->info );
504 
505  /* Allocate certificate list */
506  (*sig)->certificates = x509_alloc_chain();
507  if ( ! (*sig)->certificates ) {
508  rc = -ENOMEM;
509  goto err_alloc_chain;
510  }
511 
512  /* Initialise cursor */
513  cursor.data = data;
514  cursor.len = len;
515  asn1_shrink_any ( &cursor );
516 
517  /* Parse signature */
518  if ( ( rc = cms_parse ( *sig, &cursor ) ) != 0 )
519  goto err_parse;
520 
521  return 0;
522 
523  err_parse:
524  err_alloc_chain:
525  cms_put ( *sig );
526  err_alloc:
527  return rc;
528 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
sig
u8 sig
Definition: CIB_PRM.h:43
ref_init
#define ref_init(refcnt, free)
Initialise a reference counter.
Definition: refcnt.h:64
cms_put
static void cms_put(struct cms_signature *sig)
Drop reference to CMS signature.
Definition: cms.h:66
x509_alloc_chain
struct x509_chain * x509_alloc_chain(void)
Allocate X.509 certificate chain.
Definition: x509.c:1620
ENOMEM
#define ENOMEM
Not enough space.
Definition: errno.h:534
cms_parse
static int cms_parse(struct cms_signature *sig, const struct asn1_cursor *raw)
Parse CMS signature from ASN.1 data.
Definition: cms.c:392
zalloc
void * zalloc(size_t size)
Allocate cleared memory.
Definition: malloc.c:624
asn1_shrink_any
int asn1_shrink_any(struct asn1_cursor *cursor)
Shrink ASN.1 object of any type.
Definition: asn1.c:286
cms_free
static void cms_free(struct refcnt *refcnt)
Free CMS signature.
Definition: cms.c:465
INIT_LIST_HEAD
#define INIT_LIST_HEAD(list)
Initialise a list head.
Definition: list.h:45
len
uint32_t len
Length.
Definition: ena.h:14
data
uint8_t data[48]
Additional event data.
Definition: ena.h:22
asn1_cursor
An ASN.1 object cursor.
Definition: asn1.h:20

References asn1_shrink_any(), cms_free(), cms_parse(), cms_put(), asn1_cursor::data, data, ENOMEM, INIT_LIST_HEAD, len, asn1_cursor::len, rc, ref_init, sig, x509_alloc_chain(), and zalloc().

◆ cms_digest()

static void cms_digest ( struct cms_signature sig,
struct cms_signer_info info,
userptr_t  data,
size_t  len,
void *  out 
)
static

Calculate digest of CMS-signed data.

Parameters
sigCMS signature
infoSigner information
dataSigned data
lenLength of signed data
outDigest output

Definition at line 539 of file cms.c.

541  {
542  struct digest_algorithm *digest = info->digest;
543  uint8_t ctx[ digest->ctxsize ];
544  uint8_t block[ digest->blocksize ];
545  size_t offset = 0;
546  size_t frag_len;
547 
548  /* Initialise digest */
549  digest_init ( digest, ctx );
550 
551  /* Process data one block at a time */
552  while ( len ) {
553  frag_len = len;
554  if ( frag_len > sizeof ( block ) )
555  frag_len = sizeof ( block );
556  copy_from_user ( block, data, offset, frag_len );
557  digest_update ( digest, ctx, block, frag_len );
558  offset += frag_len;
559  len -= frag_len;
560  }
561 
562  /* Finalise digest */
563  digest_final ( digest, ctx, out );
564 
565  DBGC ( sig, "CMS %p/%p digest value:\n", sig, info );
566  DBGC_HDA ( sig, 0, out, digest->digestsize );
567 }
info
u32 info
Definition: ar9003_mac.h:67
sig
u8 sig
Definition: CIB_PRM.h:43
copy_from_user
static __always_inline void copy_from_user(void *dest, userptr_t src, off_t src_off, size_t len)
Copy data from user buffer.
Definition: uaccess.h:337
DBGC
#define DBGC(...)
Definition: compiler.h:505
out
__be32 out[4]
Definition: CIB_PRM.h:36
digest_algorithm::blocksize
size_t blocksize
Block size.
Definition: crypto.h:23
digest
static void struct digest_algorithm * digest
HMAC-MD5 digest.
Definition: crypto.h:308
DBGC_HDA
#define DBGC_HDA(...)
Definition: compiler.h:506
offset
static userptr_t size_t offset
Offset of the first segment within the content.
Definition: deflate.h:259
ctx
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
uint8_t
unsigned char uint8_t
Definition: stdint.h:10
len
uint32_t len
Length.
Definition: ena.h:14
digest_algorithm::ctxsize
size_t ctxsize
Context size.
Definition: crypto.h:21
block
uint8_t block[3][8]
DES-encrypted blocks.
Definition: mschapv2.h:12
digest_algorithm::digestsize
size_t digestsize
Digest size.
Definition: crypto.h:25
digest_algorithm
A message digest algorithm.
Definition: crypto.h:17
data
uint8_t data[48]
Additional event data.
Definition: ena.h:22

References block, digest_algorithm::blocksize, copy_from_user(), ctx, digest_algorithm::ctxsize, data, DBGC, DBGC_HDA, digest, digest_algorithm::digestsize, info, len, offset, out, and sig.

Referenced by cms_verify_digest().

◆ cms_verify_digest()

static int cms_verify_digest ( struct cms_signature sig,
struct cms_signer_info info,
struct x509_certificate cert,
userptr_t  data,
size_t  len 
)
static

Verify digest of CMS-signed data.

Parameters
sigCMS signature
infoSigner information
certCorresponding certificate
dataSigned data
lenLength of signed data
Return values
rcReturn status code

Definition at line 579 of file cms.c.

582  {
583  struct digest_algorithm *digest = info->digest;
584  struct pubkey_algorithm *pubkey = info->pubkey;
585  struct x509_public_key *public_key = &cert->subject.public_key;
586  uint8_t digest_out[ digest->digestsize ];
587  uint8_t ctx[ pubkey->ctxsize ];
588  int rc;
589 
590  /* Generate digest */
591  cms_digest ( sig, info, data, len, digest_out );
592 
593  /* Initialise public-key algorithm */
594  if ( ( rc = pubkey_init ( pubkey, ctx, public_key->raw.data,
595  public_key->raw.len ) ) != 0 ) {
596  DBGC ( sig, "CMS %p/%p could not initialise public key: %s\n",
597  sig, info, strerror ( rc ) );
598  goto err_init;
599  }
600 
601  /* Verify digest */
602  if ( ( rc = pubkey_verify ( pubkey, ctx, digest, digest_out,
603  info->signature,
604  info->signature_len ) ) != 0 ) {
605  DBGC ( sig, "CMS %p/%p signature verification failed: %s\n",
606  sig, info, strerror ( rc ) );
607  goto err_verify;
608  }
609 
610  err_verify:
611  pubkey_final ( pubkey, ctx );
612  err_init:
613  return rc;
614 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
info
u32 info
Definition: ar9003_mac.h:67
cms_digest
static void cms_digest(struct cms_signature *sig, struct cms_signer_info *info, userptr_t data, size_t len, void *out)
Calculate digest of CMS-signed data.
Definition: cms.c:539
sig
u8 sig
Definition: CIB_PRM.h:43
DBGC
#define DBGC(...)
Definition: compiler.h:505
pubkey_algorithm::ctxsize
size_t ctxsize
Context size.
Definition: crypto.h:124
public_key
static const void size_t const void * public_key
Definition: crypto.h:327
digest
static void struct digest_algorithm * digest
HMAC-MD5 digest.
Definition: crypto.h:308
x509_public_key
An X.509 certificate public key.
Definition: x509.h:48
x509_subject::public_key
struct x509_public_key public_key
Public key information.
Definition: x509.h:64
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
x509_certificate::subject
struct x509_subject subject
Subject.
Definition: x509.h:236
ctx
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
uint8_t
unsigned char uint8_t
Definition: stdint.h:10
len
uint32_t len
Length.
Definition: ena.h:14
digest_algorithm::digestsize
size_t digestsize
Digest size.
Definition: crypto.h:25
digest_algorithm
A message digest algorithm.
Definition: crypto.h:17
data
uint8_t data[48]
Additional event data.
Definition: ena.h:22
pubkey_algorithm
A public key algorithm.
Definition: crypto.h:120

References cms_digest(), ctx, pubkey_algorithm::ctxsize, data, DBGC, digest, digest_algorithm::digestsize, info, len, x509_subject::public_key, public_key, rc, sig, strerror(), and x509_certificate::subject.

Referenced by cms_verify_signer_info().

◆ cms_verify_signer_info()

static int cms_verify_signer_info ( struct cms_signature sig,
struct cms_signer_info info,
userptr_t  data,
size_t  len,
time_t  time,
struct x509_chain store,
struct x509_root root 
)
static

Verify CMS signature signer information.

Parameters
sigCMS signature
infoSigner information
dataSigned data
lenLength of signed data
timeTime at which to validate certificates
storeCertificate store, or NULL to use default
rootRoot certificate list, or NULL to use default
Return values
rcReturn status code

Definition at line 628 of file cms.c.

632  {
633  struct x509_certificate *cert;
634  int rc;
635 
636  /* Validate certificate chain */
637  if ( ( rc = x509_validate_chain ( info->chain, time, store,
638  root ) ) != 0 ) {
639  DBGC ( sig, "CMS %p/%p could not validate chain: %s\n",
640  sig, info, strerror ( rc ) );
641  return rc;
642  }
643 
644  /* Extract code-signing certificate */
645  cert = x509_first ( info->chain );
646  assert ( cert != NULL );
647 
648  /* Check that certificate can create digital signatures */
649  if ( ! ( cert->extensions.usage.bits & X509_DIGITAL_SIGNATURE ) ) {
650  DBGC ( sig, "CMS %p/%p certificate cannot create signatures\n",
651  sig, info );
652  return -EACCES_NON_SIGNING;
653  }
654 
655  /* Check that certificate can sign code */
656  if ( ! ( cert->extensions.ext_usage.bits & X509_CODE_SIGNING ) ) {
657  DBGC ( sig, "CMS %p/%p certificate is not code-signing\n",
658  sig, info );
659  return -EACCES_NON_CODE_SIGNING;
660  }
661 
662  /* Verify digest */
663  if ( ( rc = cms_verify_digest ( sig, info, cert, data, len ) ) != 0 )
664  return rc;
665 
666  return 0;
667 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
x509_extensions::ext_usage
struct x509_extended_key_usage ext_usage
Extended key usage.
Definition: x509.h:161
info
u32 info
Definition: ar9003_mac.h:67
sig
u8 sig
Definition: CIB_PRM.h:43
root
struct stp_switch root
Root switch.
Definition: stp.h:26
x509_extended_key_usage::bits
unsigned int bits
Usage bits.
Definition: x509.h:114
cms_verify_digest
static int cms_verify_digest(struct cms_signature *sig, struct cms_signer_info *info, struct x509_certificate *cert, userptr_t data, size_t len)
Verify digest of CMS-signed data.
Definition: cms.c:579
DBGC
#define DBGC(...)
Definition: compiler.h:505
assert
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
EACCES_NON_SIGNING
#define EACCES_NON_SIGNING
Definition: cms.c:45
x509_validate_chain
int x509_validate_chain(struct x509_chain *chain, time_t time, struct x509_chain *store, struct x509_root *root)
Validate X.509 certificate chain.
Definition: x509.c:1788
strerror
char * strerror(int errno)
Retrieve string representation of error number.
Definition: strerror.c:78
x509_certificate
An X.509 certificate.
Definition: x509.h:207
EACCES_NON_CODE_SIGNING
#define EACCES_NON_CODE_SIGNING
Definition: cms.c:49
len
uint32_t len
Length.
Definition: ena.h:14
x509_key_usage::bits
unsigned int bits
Usage bits.
Definition: x509.h:95
x509_first
static struct x509_certificate * x509_first(struct x509_chain *chain)
Get first certificate in X.509 certificate chain.
Definition: x509.h:302
x509_certificate::store
struct x509_link store
Link in certificate store.
Definition: x509.h:212
data
uint8_t data[48]
Additional event data.
Definition: ena.h:22
x509_extensions::usage
struct x509_key_usage usage
Key usage.
Definition: x509.h:159
time
uint64_t time
Current time.
Definition: ntlm.h:20
NULL
#define NULL
NULL pointer (VOID *)
Definition: Base.h:321
x509_certificate::extensions
struct x509_extensions extensions
Extensions.
Definition: x509.h:240

References assert(), x509_key_usage::bits, x509_extended_key_usage::bits, cms_verify_digest(), data, DBGC, EACCES_NON_CODE_SIGNING, EACCES_NON_SIGNING, x509_extensions::ext_usage, x509_certificate::extensions, info, len, NULL, rc, root, sig, x509_certificate::store, strerror(), time, x509_extensions::usage, X509_CODE_SIGNING, X509_DIGITAL_SIGNATURE, x509_first(), and x509_validate_chain().

Referenced by cms_verify().

◆ cms_verify()

int cms_verify ( struct cms_signature sig,
userptr_t  data,
size_t  len,
const char *  name,
time_t  time,
struct x509_chain store,
struct x509_root root 
)

Verify CMS signature.

Parameters
sigCMS signature
dataSigned data
lenLength of signed data
nameRequired common name, or NULL to check all signatures
timeTime at which to validate certificates
storeCertificate store, or NULL to use default
rootRoot certificate list, or NULL to use default
Return values
rcReturn status code

Definition at line 681 of file cms.c.

683  {
684  struct cms_signer_info *info;
685  struct x509_certificate *cert;
686  int count = 0;
687  int rc;
688 
689  /* Verify using all signerInfos */
690  list_for_each_entry ( info, &sig->info, list ) {
691  cert = x509_first ( info->chain );
692  if ( name && ( x509_check_name ( cert, name ) != 0 ) )
693  continue;
694  if ( ( rc = cms_verify_signer_info ( sig, info, data, len, time,
695  store, root ) ) != 0 )
696  return rc;
697  count++;
698  }
699 
700  /* Check that we have verified at least one signature */
701  if ( count == 0 ) {
702  if ( name ) {
703  DBGC ( sig, "CMS %p had no signatures matching name "
704  "%s\n", sig, name );
705  return -EACCES_WRONG_NAME;
706  } else {
707  DBGC ( sig, "CMS %p had no signatures\n", sig );
708  return -EACCES_NO_SIGNATURES;
709  }
710  }
711 
712  return 0;
713 }
rc
struct arbelprm_rc_send_wqe rc
Definition: arbel.h:14
name
const char * name
Definition: ath9k_hw.c:1984
EACCES_NO_SIGNATURES
#define EACCES_NO_SIGNATURES
Definition: cms.c:57
info
u32 info
Definition: ar9003_mac.h:67
EACCES_WRONG_NAME
#define EACCES_WRONG_NAME
Definition: cms.c:53
sig
u8 sig
Definition: CIB_PRM.h:43
root
struct stp_switch root
Root switch.
Definition: stp.h:26
x509_check_name
int x509_check_name(struct x509_certificate *cert, const char *name)
Check X.509 certificate name.
Definition: x509.c:1569
DBGC
#define DBGC(...)
Definition: compiler.h:505
cms_signer_info
CMS signer information.
Definition: cms.h:20
list_for_each_entry
#define list_for_each_entry(pos, head, member)
Iterate over entries in a list.
Definition: list.h:431
x509_certificate
An X.509 certificate.
Definition: x509.h:207
len
uint32_t len
Length.
Definition: ena.h:14
x509_first
static struct x509_certificate * x509_first(struct x509_chain *chain)
Get first certificate in X.509 certificate chain.
Definition: x509.h:302
count
uint16_t count
Number of entries.
Definition: ena.h:22
x509_certificate::store
struct x509_link store
Link in certificate store.
Definition: x509.h:212
data
uint8_t data[48]
Additional event data.
Definition: ena.h:22
cms_verify_signer_info
static int cms_verify_signer_info(struct cms_signature *sig, struct cms_signer_info *info, userptr_t data, size_t len, time_t time, struct x509_chain *store, struct x509_root *root)
Verify CMS signature signer information.
Definition: cms.c:628
time
uint64_t time
Current time.
Definition: ntlm.h:20

References cms_verify_signer_info(), count, data, DBGC, EACCES_NO_SIGNATURES, EACCES_WRONG_NAME, info, len, list_for_each_entry, name, rc, root, sig, x509_certificate::store, time, x509_check_name(), and x509_first().

Referenced by cms_verify_fail_okx(), cms_verify_okx(), and imgverify().

Variable Documentation

◆ oid_signeddata

uint8_t oid_signeddata[] = { ASN1_OID_SIGNEDDATA }
static

"pkcs7-signedData" object identifier

Definition at line 75 of file cms.c.

◆ oid_signeddata_cursor

struct asn1_cursor oid_signeddata_cursor
static
Initial value:
=
ASN1_CURSOR ( oid_signeddata )
ASN1_CURSOR
#define ASN1_CURSOR(value)
Define an ASN.1 cursor for a static value.
Definition: asn1.h:305
oid_signeddata
static uint8_t oid_signeddata[]
"pkcs7-signedData" object identifier
Definition: cms.c:75

"pkcs7-signedData" object identifier cursor

Definition at line 78 of file cms.c.

Referenced by cms_parse_content_type().

Generated by   doxygen 1.8.15