1 // SPDX-License-Identifier: GPL-2.0-or-later
21 	unsigned long	data;			/* Start of data */
47 		public_key_free(cert->pub);  in x509_free_certificate()
48 		public_key_signature_free(cert->sig);  in x509_free_certificate()
49 		kfree(cert->issuer);  in x509_free_certificate()
50 		kfree(cert->subject);  in x509_free_certificate()
51 		kfree(cert->id);  in x509_free_certificate()
52 		kfree(cert->skid);  in x509_free_certificate()
70 		return ERR_PTR(-ENOMEM);  in x509_cert_parse()
71 	cert->pub = kzalloc(sizeof(struct public_key), GFP_KERNEL);  in x509_cert_parse()
72 	if (!cert->pub)  in x509_cert_parse()
73 		return ERR_PTR(-ENOMEM);  in x509_cert_parse()
74 	cert->sig = kzalloc(sizeof(struct public_key_signature), GFP_KERNEL);  in x509_cert_parse()
75 	if (!cert->sig)  in x509_cert_parse()
76 		return ERR_PTR(-ENOMEM);  in x509_cert_parse()
79 		return ERR_PTR(-ENOMEM);  in x509_cert_parse()
81 	ctx->cert = cert;  in x509_cert_parse()
82 	ctx->data = (unsigned long)data;  in x509_cert_parse()
90 	if (ctx->raw_akid) {  in x509_cert_parse()
92 			 ctx->raw_akid_size, ctx->raw_akid_size, ctx->raw_akid);  in x509_cert_parse()
94 				       ctx->raw_akid, ctx->raw_akid_size);  in x509_cert_parse()
101 	cert->pub->key = kmemdup(ctx->key, ctx->key_size, GFP_KERNEL);  in x509_cert_parse()
102 	if (!cert->pub->key)  in x509_cert_parse()
103 		return ERR_PTR(-ENOMEM);  in x509_cert_parse()
105 	cert->pub->keylen = ctx->key_size;  in x509_cert_parse()
107 	cert->pub->params = kmemdup(ctx->params, ctx->params_size, GFP_KERNEL);  in x509_cert_parse()
108 	if (!cert->pub->params)  in x509_cert_parse()
109 		return ERR_PTR(-ENOMEM);  in x509_cert_parse()
111 	cert->pub->paramlen = ctx->params_size;  in x509_cert_parse()
112 	cert->pub->algo = ctx->key_algo;  in x509_cert_parse()
120 	kid = asymmetric_key_generate_id(cert->raw_serial,  in x509_cert_parse()
121 					 cert->raw_serial_size,  in x509_cert_parse()
122 					 cert->raw_issuer,  in x509_cert_parse()
123 					 cert->raw_issuer_size);  in x509_cert_parse()
126 	cert->id = kid;  in x509_cert_parse()
128 	/* Detect self-signed certificates */  in x509_cert_parse()
147 	ctx->last_oid = look_up_OID(value, vlen);  in x509_note_OID()
148 	if (ctx->last_oid == OID__NR) {  in x509_note_OID()
152 			 (unsigned long)value - ctx->data, buffer);  in x509_note_OID()
168 		 hdrlen, tag, (unsigned long)value - ctx->data, vlen);  in x509_note_tbs_certificate()
170 	ctx->cert->tbs = value - hdrlen;  in x509_note_tbs_certificate()
171 	ctx->cert->tbs_size = vlen + hdrlen;  in x509_note_tbs_certificate()
183 	pr_debug("PubKey Algo: %u\n", ctx->last_oid);  in x509_note_sig_algo()
185 	switch (ctx->last_oid) {  in x509_note_sig_algo()
187 		return -ENOPKG; /* Unsupported combination */  in x509_note_sig_algo()
190 		ctx->cert->sig->hash_algo = "sha1";  in x509_note_sig_algo()
194 		ctx->cert->sig->hash_algo = "sha256";  in x509_note_sig_algo()
198 		ctx->cert->sig->hash_algo = "sha384";  in x509_note_sig_algo()
202 		ctx->cert->sig->hash_algo = "sha512";  in x509_note_sig_algo()
206 		ctx->cert->sig->hash_algo = "sha224";  in x509_note_sig_algo()
210 		ctx->cert->sig->hash_algo = "sha1";  in x509_note_sig_algo()
214 		ctx->cert->sig->hash_algo = "sha3-256";  in x509_note_sig_algo()
218 		ctx->cert->sig->hash_algo = "sha3-384";  in x509_note_sig_algo()
222 		ctx->cert->sig->hash_algo = "sha3-512";  in x509_note_sig_algo()
226 		ctx->cert->sig->hash_algo = "sha224";  in x509_note_sig_algo()
230 		ctx->cert->sig->hash_algo = "sha256";  in x509_note_sig_algo()
234 		ctx->cert->sig->hash_algo = "sha384";  in x509_note_sig_algo()
238 		ctx->cert->sig->hash_algo = "sha512";  in x509_note_sig_algo()
242 		ctx->cert->sig->hash_algo = "sha3-256";  in x509_note_sig_algo()
246 		ctx->cert->sig->hash_algo = "sha3-384";  in x509_note_sig_algo()
250 		ctx->cert->sig->hash_algo = "sha3-512";  in x509_note_sig_algo()
254 		ctx->cert->sig->hash_algo = "streebog256";  in x509_note_sig_algo()
258 		ctx->cert->sig->hash_algo = "streebog512";  in x509_note_sig_algo()
263 	ctx->cert->sig->pkey_algo = "rsa";  in x509_note_sig_algo()
264 	ctx->cert->sig->encoding = "pkcs1";  in x509_note_sig_algo()
265 	ctx->sig_algo = ctx->last_oid;  in x509_note_sig_algo()
268 	ctx->cert->sig->pkey_algo = "ecrdsa";  in x509_note_sig_algo()
269 	ctx->cert->sig->encoding = "raw";  in x509_note_sig_algo()
270 	ctx->sig_algo = ctx->last_oid;  in x509_note_sig_algo()
273 	ctx->cert->sig->pkey_algo = "ecdsa";  in x509_note_sig_algo()
274 	ctx->cert->sig->encoding = "x962";  in x509_note_sig_algo()
275 	ctx->sig_algo = ctx->last_oid;  in x509_note_sig_algo()
288 	pr_debug("Signature: alg=%u, size=%zu\n", ctx->last_oid, vlen);  in x509_note_signature()
295 	if (ctx->last_oid != ctx->sig_algo) {  in x509_note_signature()
297 			ctx->last_oid, ctx->sig_algo);  in x509_note_signature()
298 		return -EINVAL;  in x509_note_signature()
301 	if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0 ||  in x509_note_signature()
302 	    strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0 ||  in x509_note_signature()
303 	    strcmp(ctx->cert->sig->pkey_algo, "ecdsa") == 0) {  in x509_note_signature()
306 			return -EBADMSG;  in x509_note_signature()
309 		vlen--;  in x509_note_signature()
312 	ctx->cert->raw_sig = value;  in x509_note_signature()
313 	ctx->cert->raw_sig_size = vlen;  in x509_note_signature()
325 	ctx->cert->raw_serial = value;  in x509_note_serial()
326 	ctx->cert->raw_serial_size = vlen;  in x509_note_serial()
339 	switch (ctx->last_oid) {  in x509_extract_name_segment()
341 		ctx->cn_size = vlen;  in x509_extract_name_segment()
342 		ctx->cn_offset = (unsigned long)value - ctx->data;  in x509_extract_name_segment()
345 		ctx->o_size = vlen;  in x509_extract_name_segment()
346 		ctx->o_offset = (unsigned long)value - ctx->data;  in x509_extract_name_segment()
349 		ctx->email_size = vlen;  in x509_extract_name_segment()
350 		ctx->email_offset = (unsigned long)value - ctx->data;  in x509_extract_name_segment()
366 	const void *name, *data = (const void *)ctx->data;  in x509_fabricate_name()
371 		return -EINVAL;  in x509_fabricate_name()
374 	if (!ctx->cn_size && !ctx->o_size && !ctx->email_size) {  in x509_fabricate_name()
377 			return -ENOMEM;  in x509_fabricate_name()
382 	if (ctx->cn_size && ctx->o_size) {  in x509_fabricate_name()
386 		namesize = ctx->cn_size;  in x509_fabricate_name()
387 		name = data + ctx->cn_offset;  in x509_fabricate_name()
388 		if (ctx->cn_size >= ctx->o_size &&  in x509_fabricate_name()
389 		    memcmp(data + ctx->cn_offset, data + ctx->o_offset,  in x509_fabricate_name()
390 			   ctx->o_size) == 0)  in x509_fabricate_name()
392 		if (ctx->cn_size >= 7 &&  in x509_fabricate_name()
393 		    ctx->o_size >= 7 &&  in x509_fabricate_name()
394 		    memcmp(data + ctx->cn_offset, data + ctx->o_offset, 7) == 0)  in x509_fabricate_name()
397 		buffer = kmalloc(ctx->o_size + 2 + ctx->cn_size + 1,  in x509_fabricate_name()
400 			return -ENOMEM;  in x509_fabricate_name()
403 		       data + ctx->o_offset, ctx->o_size);  in x509_fabricate_name()
404 		buffer[ctx->o_size + 0] = ':';  in x509_fabricate_name()
405 		buffer[ctx->o_size + 1] = ' ';  in x509_fabricate_name()
406 		memcpy(buffer + ctx->o_size + 2,  in x509_fabricate_name()
407 		       data + ctx->cn_offset, ctx->cn_size);  in x509_fabricate_name()
408 		buffer[ctx->o_size + 2 + ctx->cn_size] = 0;  in x509_fabricate_name()
411 	} else if (ctx->cn_size) {  in x509_fabricate_name()
412 		namesize = ctx->cn_size;  in x509_fabricate_name()
413 		name = data + ctx->cn_offset;  in x509_fabricate_name()
414 	} else if (ctx->o_size) {  in x509_fabricate_name()
415 		namesize = ctx->o_size;  in x509_fabricate_name()
416 		name = data + ctx->o_offset;  in x509_fabricate_name()
418 		namesize = ctx->email_size;  in x509_fabricate_name()
419 		name = data + ctx->email_offset;  in x509_fabricate_name()
425 		return -ENOMEM;  in x509_fabricate_name()
431 	ctx->cn_size = 0;  in x509_fabricate_name()
432 	ctx->o_size = 0;  in x509_fabricate_name()
433 	ctx->email_size = 0;  in x509_fabricate_name()
444 	ctx->cert->raw_issuer = value;  in x509_note_issuer()
445 	ctx->cert->raw_issuer_size = vlen;  in x509_note_issuer()
447 	if (!ctx->cert->sig->auth_ids[2]) {  in x509_note_issuer()
451 		ctx->cert->sig->auth_ids[2] = kid;  in x509_note_issuer()
454 	return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->issuer, vlen);  in x509_note_issuer()
462 	ctx->cert->raw_subject = value;  in x509_note_subject()
463 	ctx->cert->raw_subject_size = vlen;  in x509_note_subject()
464 	return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->subject, vlen);  in x509_note_subject()
481 	if (!ctx->cert->raw_subject || ctx->key)  in x509_note_params()
483 	ctx->params = value - hdrlen;  in x509_note_params()
484 	ctx->params_size = vlen + hdrlen;  in x509_note_params()
498 	ctx->key_algo = ctx->last_oid;  in x509_extract_key_data()
499 	switch (ctx->last_oid) {  in x509_extract_key_data()
501 		ctx->cert->pub->pkey_algo = "rsa";  in x509_extract_key_data()
505 		ctx->cert->pub->pkey_algo = "ecrdsa";  in x509_extract_key_data()
508 		if (parse_OID(ctx->params, ctx->params_size, &oid) != 0)  in x509_extract_key_data()
509 			return -EBADMSG;  in x509_extract_key_data()
513 			ctx->cert->pub->pkey_algo = "ecdsa-nist-p192";  in x509_extract_key_data()
516 			ctx->cert->pub->pkey_algo = "ecdsa-nist-p256";  in x509_extract_key_data()
519 			ctx->cert->pub->pkey_algo = "ecdsa-nist-p384";  in x509_extract_key_data()
522 			ctx->cert->pub->pkey_algo = "ecdsa-nist-p521";  in x509_extract_key_data()
525 			return -ENOPKG;  in x509_extract_key_data()
529 		return -ENOPKG;  in x509_extract_key_data()
534 		return -EBADMSG;  in x509_extract_key_data()
535 	ctx->key = value + 1;  in x509_extract_key_data()
536 	ctx->key_size = vlen - 1;  in x509_extract_key_data()
554 	pr_debug("Extension: %u\n", ctx->last_oid);  in x509_process_extension()
556 	if (ctx->last_oid == OID_subjectKeyIdentifier) {  in x509_process_extension()
558 		if (ctx->cert->skid || vlen < 3)  in x509_process_extension()
559 			return -EBADMSG;  in x509_process_extension()
560 		if (v[0] != ASN1_OTS || v[1] != vlen - 2)  in x509_process_extension()
561 			return -EBADMSG;  in x509_process_extension()
563 		vlen -= 2;  in x509_process_extension()
565 		ctx->cert->raw_skid_size = vlen;  in x509_process_extension()
566 		ctx->cert->raw_skid = v;  in x509_process_extension()
570 		ctx->cert->skid = kid;  in x509_process_extension()
571 		pr_debug("subjkeyid %*phN\n", kid->len, kid->data);  in x509_process_extension()
575 	if (ctx->last_oid == OID_keyUsage) {  in x509_process_extension()
589 			return -EBADMSG;  in x509_process_extension()
591 			return -EBADMSG;  in x509_process_extension()
593 			return -EBADMSG;  in x509_process_extension()
595 			ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_DIGITALSIG;  in x509_process_extension()
597 			ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_KEYCERTSIGN;  in x509_process_extension()
599 			ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_KEYCERTSIGN;  in x509_process_extension()
603 	if (ctx->last_oid == OID_authorityKeyIdentifier) {  in x509_process_extension()
605 		ctx->raw_akid = v;  in x509_process_extension()
606 		ctx->raw_akid_size = vlen;  in x509_process_extension()
610 	if (ctx->last_oid == OID_basicConstraints) {  in x509_process_extension()
622 			return -EBADMSG;  in x509_process_extension()
624 			return -EBADMSG;  in x509_process_extension()
625 		if (v[1] != vlen - 2)  in x509_process_extension()
626 			return -EBADMSG;  in x509_process_extension()
628 			ctx->cert->pub->key_eflags |= 1 << KEY_EFLAG_CA;  in x509_process_extension()
636  * x509_decode_time - Decode an X.509 time ASN.1 object
648  *	dates through the year 2049 as UTCTime; certificate validity dates in
660 	unsigned year, mon, day, hour, min, sec, mon_len;  in x509_decode_time()  local
662 #define dec2bin(X) ({ unsigned char x = (X) - '0'; if (x > 9) goto invalid_time; x; })  in x509_decode_time()
669 		year = DD2bin(p);  in x509_decode_time()
670 		if (year >= 50)  in x509_decode_time()
671 			year += 1900;  in x509_decode_time()
673 			year += 2000;  in x509_decode_time()
678 		year = DD2bin(p) * 100 + DD2bin(p);  in x509_decode_time()
679 		if (year >= 1950 && year <= 2049)  in x509_decode_time()
694 	if (year < 1970 ||  in x509_decode_time()
698 	mon_len = month_lengths[mon - 1];  in x509_decode_time()
700 		if (year % 4 == 0) {  in x509_decode_time()
702 			if (year % 100 == 0) {  in x509_decode_time()
704 				if (year % 400 == 0)  in x509_decode_time()
716 	*_t = mktime64(year, mon, day, hour, min, sec);  in x509_decode_time()
722 	return -EBADMSG;  in x509_decode_time()
726 	return -EBADMSG;  in x509_decode_time()
735 	return x509_decode_time(&ctx->cert->valid_from, hdrlen, tag, value, vlen);  in x509_note_not_before()
743 	return x509_decode_time(&ctx->cert->valid_to, hdrlen, tag, value, vlen);  in x509_note_not_after()
747  * Note a key identifier-based AuthorityKeyIdentifier
758 	if (ctx->cert->sig->auth_ids[1])  in x509_akid_note_kid()
764 	pr_debug("authkeyid %*phN\n", kid->len, kid->data);  in x509_akid_note_kid()
765 	ctx->cert->sig->auth_ids[1] = kid;  in x509_akid_note_kid()
780 	ctx->akid_raw_issuer = value;  in x509_akid_note_name()
781 	ctx->akid_raw_issuer_size = vlen;  in x509_akid_note_name()
797 	if (!ctx->akid_raw_issuer || ctx->cert->sig->auth_ids[0])  in x509_akid_note_serial()
802 					 ctx->akid_raw_issuer,  in x509_akid_note_serial()
803 					 ctx->akid_raw_issuer_size);  in x509_akid_note_serial()
807 	pr_debug("authkeyid %*phN\n", kid->len, kid->data);  in x509_akid_note_serial()
808 	ctx->cert->sig->auth_ids[0] = kid;  in x509_akid_note_serial()