Message ID | 20190519004201.7032-1-steils@gentoo.org (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | [v2] libkmod-signature: use PKCS#7 instead of CMS | expand |
Hi, Stefan! Just in case, I have no objections. >>>>> On Sun, 19 May 2019 03:42:01 +0300, Stefan Strogin wrote: > Linux uses either PKCS #7 or CMS for signing modules (see > scripts/sign-file.c). CMS is not supported by LibreSSL or older OpenSSL, > so PKCS #7 is used on systems with these libcrypto providers. > CMS and PKCS #7 formats are very similar. CMS is newer but is > as much as possible backward compatible with PKCS #7 [1]. PKCS > #7 is supported in the latest OpenSSL as well as CMS. The > fields used for signing kernel modules are supported both in > PKCS #7 and CMS. > For now modinfo uses CMS with no alternative requiring OpenSSL > 1.1.0 or newer. > Use PKCS #7 for parsing module signature information, so that > modinfo could be used both with OpenSSL and LibreSSL. > [1] https://tools.ietf.org/html/rfc5652#section-1.1 > Changes v1->v2: > - Don't use ifdefs for keeping redundant CMS code, just use PKCS #7 both > with OpenSSL and LibreSSL. > Signed-off-by: Stefan Strogin <steils@gentoo.org> > --- > libkmod/libkmod-signature.c | 37 +++++++++++++++++++------------------ > 1 file changed, 19 insertions(+), 18 deletions(-) > diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c > index 48d0145..4e8748c 100644 > --- a/libkmod/libkmod-signature.c > +++ b/libkmod/libkmod-signature.c > @@ -20,7 +20,7 @@ > #include <endian.h> > #include <inttypes.h> > #ifdef ENABLE_OPENSSL > -#include <openssl/cms.h> > +#include <openssl/pkcs7.h> > #include <openssl/ssl.h> > #endif > #include <stdio.h> > @@ -122,7 +122,7 @@ static bool fill_default(const char *mem, off_t size, > #ifdef ENABLE_OPENSSL > struct pkcs7_private { > - CMS_ContentInfo *cms; > + PKCS7 *pkcs7; > unsigned char *key_id; > BIGNUM *sno; > }; > @@ -132,7 +132,7 @@ static void pkcs7_free(void *s) > struct kmod_signature_info *si = s; > struct pkcs7_private *pvt = si->private; > - CMS_ContentInfo_free(pvt->cms); > + PKCS7_free(pvt->pkcs7); > BN_free(pvt->sno); > free(pvt->key_id); > free(pvt); > @@ -197,11 +197,10 @@ static bool fill_pkcs7(const char *mem, off_t size, > struct kmod_signature_info *sig_info) > { > const char *pkcs7_raw; > - CMS_ContentInfo *cms; > - STACK_OF(CMS_SignerInfo) *sis; > - CMS_SignerInfo *si; > - int rc; > - ASN1_OCTET_STRING *key_id; > + PKCS7 *pkcs7; > + STACK_OF(PKCS7_SIGNER_INFO) *sis; > + PKCS7_SIGNER_INFO *si; > + PKCS7_ISSUER_AND_SERIAL *is; > X509_NAME *issuer; > ASN1_INTEGER *sno; > ASN1_OCTET_STRING *sig; > @@ -220,31 +219,33 @@ static bool fill_pkcs7(const char *mem, off_t size, > in = BIO_new_mem_buf(pkcs7_raw, sig_len); > - cms = d2i_CMS_bio(in, NULL); > - if (cms == NULL) { > + pkcs7 = d2i_PKCS7_bio(in, NULL); > + if (pkcs7 == NULL) { > BIO_free(in); > return false; > } > BIO_free(in); > - sis = CMS_get0_SignerInfos(cms); > + sis = PKCS7_get_signer_info(pkcs7); > if (sis == NULL) > goto err; > - si = sk_CMS_SignerInfo_value(sis, 0); > + si = sk_PKCS7_SIGNER_INFO_value(sis, 0); > if (si == NULL) > goto err; > - rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno); > - if (rc == 0) > + is = si->issuer_and_serial; > + if (is == NULL) > goto err; > + issuer = is->issuer; > + sno = is->serial; > - sig = CMS_SignerInfo_get0_signature(si); > + sig = si->enc_digest; > if (sig == NULL) > goto err; > - CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg); > + PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg); sig_info-> sig = (const char *)ASN1_STRING_get0_data(sig); sig_info-> sig_len = ASN1_STRING_length(sig); > @@ -277,7 +278,7 @@ static bool fill_pkcs7(const char *mem, off_t size, > if (pvt == NULL) > goto err3; > - pvt->cms = cms; > + pvt->pkcs7 = pkcs7; pvt-> key_id = key_id_str; pvt-> sno = sno_bn; sig_info-> private = pvt; > @@ -290,7 +291,7 @@ err3: > err2: > BN_free(sno_bn); > err: > - CMS_ContentInfo_free(cms); > + PKCS7_free(pkcs7); > return false; > } > -- > 2.21.0
diff --git a/libkmod/libkmod-signature.c b/libkmod/libkmod-signature.c index 48d0145..4e8748c 100644 --- a/libkmod/libkmod-signature.c +++ b/libkmod/libkmod-signature.c @@ -20,7 +20,7 @@ #include <endian.h> #include <inttypes.h> #ifdef ENABLE_OPENSSL -#include <openssl/cms.h> +#include <openssl/pkcs7.h> #include <openssl/ssl.h> #endif #include <stdio.h> @@ -122,7 +122,7 @@ static bool fill_default(const char *mem, off_t size, #ifdef ENABLE_OPENSSL struct pkcs7_private { - CMS_ContentInfo *cms; + PKCS7 *pkcs7; unsigned char *key_id; BIGNUM *sno; }; @@ -132,7 +132,7 @@ static void pkcs7_free(void *s) struct kmod_signature_info *si = s; struct pkcs7_private *pvt = si->private; - CMS_ContentInfo_free(pvt->cms); + PKCS7_free(pvt->pkcs7); BN_free(pvt->sno); free(pvt->key_id); free(pvt); @@ -197,11 +197,10 @@ static bool fill_pkcs7(const char *mem, off_t size, struct kmod_signature_info *sig_info) { const char *pkcs7_raw; - CMS_ContentInfo *cms; - STACK_OF(CMS_SignerInfo) *sis; - CMS_SignerInfo *si; - int rc; - ASN1_OCTET_STRING *key_id; + PKCS7 *pkcs7; + STACK_OF(PKCS7_SIGNER_INFO) *sis; + PKCS7_SIGNER_INFO *si; + PKCS7_ISSUER_AND_SERIAL *is; X509_NAME *issuer; ASN1_INTEGER *sno; ASN1_OCTET_STRING *sig; @@ -220,31 +219,33 @@ static bool fill_pkcs7(const char *mem, off_t size, in = BIO_new_mem_buf(pkcs7_raw, sig_len); - cms = d2i_CMS_bio(in, NULL); - if (cms == NULL) { + pkcs7 = d2i_PKCS7_bio(in, NULL); + if (pkcs7 == NULL) { BIO_free(in); return false; } BIO_free(in); - sis = CMS_get0_SignerInfos(cms); + sis = PKCS7_get_signer_info(pkcs7); if (sis == NULL) goto err; - si = sk_CMS_SignerInfo_value(sis, 0); + si = sk_PKCS7_SIGNER_INFO_value(sis, 0); if (si == NULL) goto err; - rc = CMS_SignerInfo_get0_signer_id(si, &key_id, &issuer, &sno); - if (rc == 0) + is = si->issuer_and_serial; + if (is == NULL) goto err; + issuer = is->issuer; + sno = is->serial; - sig = CMS_SignerInfo_get0_signature(si); + sig = si->enc_digest; if (sig == NULL) goto err; - CMS_SignerInfo_get0_algs(si, NULL, NULL, &dig_alg, &sig_alg); + PKCS7_SIGNER_INFO_get0_algs(si, NULL, &dig_alg, &sig_alg); sig_info->sig = (const char *)ASN1_STRING_get0_data(sig); sig_info->sig_len = ASN1_STRING_length(sig); @@ -277,7 +278,7 @@ static bool fill_pkcs7(const char *mem, off_t size, if (pvt == NULL) goto err3; - pvt->cms = cms; + pvt->pkcs7 = pkcs7; pvt->key_id = key_id_str; pvt->sno = sno_bn; sig_info->private = pvt; @@ -290,7 +291,7 @@ err3: err2: BN_free(sno_bn); err: - CMS_ContentInfo_free(cms); + PKCS7_free(pkcs7); return false; }
Linux uses either PKCS #7 or CMS for signing modules (see scripts/sign-file.c). CMS is not supported by LibreSSL or older OpenSSL, so PKCS #7 is used on systems with these libcrypto providers. CMS and PKCS #7 formats are very similar. CMS is newer but is as much as possible backward compatible with PKCS #7 [1]. PKCS #7 is supported in the latest OpenSSL as well as CMS. The fields used for signing kernel modules are supported both in PKCS #7 and CMS. For now modinfo uses CMS with no alternative requiring OpenSSL 1.1.0 or newer. Use PKCS #7 for parsing module signature information, so that modinfo could be used both with OpenSSL and LibreSSL. [1] https://tools.ietf.org/html/rfc5652#section-1.1 Changes v1->v2: - Don't use ifdefs for keeping redundant CMS code, just use PKCS #7 both with OpenSSL and LibreSSL. Signed-off-by: Stefan Strogin <steils@gentoo.org> --- libkmod/libkmod-signature.c | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-)