From nobody Sun Feb 8 05:27:00 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0892E466B60 for ; Tue, 20 Jan 2026 14:52:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768920725; cv=none; b=fRIlFSNl8rNRUVlzuD6A0GII55Z9tTMHr2FFW+cT+eoDhrYRrI6T7UPG38uWVU575CbfGdonKT2StSVwhgSvNQUPmDXGDjwC+j9bNLQjSrlZNOgjaX2WFMHl7IZIN+fw0zdclzRIDA31d1lPaxFK54CbymNAQHn5B3EFSQzDhJA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768920725; c=relaxed/simple; bh=EVDdVIKJj6HvxkbgOo9Afadvh/2MU71DolaYocO/5iY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=GY5IXw8HlkENrBaRDJJWPSfsu5siGTtIbwseAHV7cNFa/+BhAgsdkwzXBkwqj1pYWHcudArp+f6NJJsMp4t8Mg09vyTAHuR0bGJawjGvx6TFHtf3xfQB4mfA5uu9CV3KhWBkmNVzmGxn/5xK+r52oLgCTNOKxozGDkR5Uk0MfJU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=NtxRCE8q; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="NtxRCE8q" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1768920721; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0OlIGcjGD1wi2sSG+3EVGotk9ZQKyl1hE9svG9MZ510=; b=NtxRCE8qFBNmS20sxSEg4WKMCOJhzP8zO7eZuEciNzKss2dO6LAnM24X45Y9qcQoKw/Bm9 BxcMyqxtnCnhr+W9lvWFN2s3J25q3gHC2Aefz+WUe4rwyOrobxhSVLYVNVV3cH6gYEkYzh Ma4G7ZSwa5zUg3YDMYe/0OwXJg+NSS8= Received: from mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-647-mYfMhR1INkeM5o-0xqTrxg-1; Tue, 20 Jan 2026 09:51:57 -0500 X-MC-Unique: mYfMhR1INkeM5o-0xqTrxg-1 X-Mimecast-MFC-AGG-ID: mYfMhR1INkeM5o-0xqTrxg_1768920715 Received: from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 7C1611800359; Tue, 20 Jan 2026 14:51:55 +0000 (UTC) Received: from warthog.procyon.org.uk.com (unknown [10.42.28.2]) by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 8F16230001A2; Tue, 20 Jan 2026 14:51:51 +0000 (UTC) From: David Howells To: Lukas Wunner , Ignat Korchagin Cc: David Howells , Jarkko Sakkinen , Herbert Xu , Eric Biggers , Luis Chamberlain , Petr Pavlu , Daniel Gomez , Sami Tolvanen , "Jason A . Donenfeld" , Ard Biesheuvel , Stephan Mueller , linux-crypto@vger.kernel.org, keyrings@vger.kernel.org, linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v13 08/12] pkcs7, x509: Add RSASSA-PSS support Date: Tue, 20 Jan 2026 14:50:54 +0000 Message-ID: <20260120145103.1176337-9-dhowells@redhat.com> In-Reply-To: <20260120145103.1176337-1-dhowells@redhat.com> References: <20260120145103.1176337-1-dhowells@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.4 Content-Type: text/plain; charset="utf-8" Add support for RSASSA-PSS keys and signatures to the PKCS#7 and X.509 implementations. This requires adding support for algorithm parameters for keys and signatures as RSASSA-PSS needs metadata. The ASN.1 encoded data is converted into a printable key=3Dvalue list string and passed to the verification code. Signed-off-by: David Howells cc: Lukas Wunner cc: Ignat Korchagin cc: Herbert Xu cc: keyrings@vger.kernel.org cc: linux-crypto@vger.kernel.org --- crypto/asymmetric_keys/Makefile | 12 +- crypto/asymmetric_keys/mgf1_params.asn1 | 12 ++ crypto/asymmetric_keys/pkcs7.asn1 | 2 +- crypto/asymmetric_keys/pkcs7_parser.c | 114 +++++----- crypto/asymmetric_keys/public_key.c | 10 + crypto/asymmetric_keys/rsassa_params.asn1 | 25 +++ crypto/asymmetric_keys/rsassa_parser.c | 240 ++++++++++++++++++++++ crypto/asymmetric_keys/rsassa_parser.h | 25 +++ crypto/asymmetric_keys/x509.asn1 | 2 +- crypto/asymmetric_keys/x509_cert_parser.c | 100 ++++----- crypto/asymmetric_keys/x509_parser.h | 45 +++- crypto/asymmetric_keys/x509_public_key.c | 36 +++- include/linux/oid_registry.h | 2 + 13 files changed, 503 insertions(+), 122 deletions(-) create mode 100644 crypto/asymmetric_keys/mgf1_params.asn1 create mode 100644 crypto/asymmetric_keys/rsassa_params.asn1 create mode 100644 crypto/asymmetric_keys/rsassa_parser.c create mode 100644 crypto/asymmetric_keys/rsassa_parser.h diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makef= ile index bc65d3b98dcb..c5aed382ee8a 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile @@ -21,7 +21,11 @@ x509_key_parser-y :=3D \ x509_akid.asn1.o \ x509_cert_parser.o \ x509_loader.o \ - x509_public_key.o + x509_public_key.o \ + rsassa_params.asn1.o \ + rsassa_parser.o \ + mgf1_params.asn1.o + obj-$(CONFIG_FIPS_SIGNATURE_SELFTEST) +=3D x509_selftest.o x509_selftest-y +=3D selftest.o x509_selftest-$(CONFIG_FIPS_SIGNATURE_SELFTEST_RSA) +=3D selftest_rsa.o @@ -31,8 +35,14 @@ $(obj)/x509_cert_parser.o: \ $(obj)/x509.asn1.h \ $(obj)/x509_akid.asn1.h =20 +$(obj)/rsassa_parser.o: \ + $(obj)/rsassa_params.asn1.h \ + $(obj)/mgf1_params.asn1.h + $(obj)/x509.asn1.o: $(obj)/x509.asn1.c $(obj)/x509.asn1.h $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c $(obj)/x509_akid.asn1.h +$(obj)/rsassa_params.asn1.o: $(obj)/rsassa_params.asn1.c $(obj)/rsassa_par= ams.asn1.h +$(obj)/mgf1_params.asn1.o: $(obj)/mgf1_params.asn1.c $(obj)/mgf1_params.as= n1.h =20 # # PKCS#8 private key handling diff --git a/crypto/asymmetric_keys/mgf1_params.asn1 b/crypto/asymmetric_ke= ys/mgf1_params.asn1 new file mode 100644 index 000000000000..c3bc4643e72c --- /dev/null +++ b/crypto/asymmetric_keys/mgf1_params.asn1 @@ -0,0 +1,12 @@ +-- SPDX-License-Identifier: BSD-3-Clause +-- +-- Copyright (C) 2009 IETF Trust and the persons identified as authors +-- of the code +-- +-- +-- https://datatracker.ietf.org/doc/html/rfc4055 Section 6. + +AlgorithmIdentifier ::=3D SEQUENCE { + algorithm OBJECT IDENTIFIER ({ mgf1_note_OID }), + parameters ANY OPTIONAL +} diff --git a/crypto/asymmetric_keys/pkcs7.asn1 b/crypto/asymmetric_keys/pkc= s7.asn1 index 28e1f4a41c14..03c2248f23bc 100644 --- a/crypto/asymmetric_keys/pkcs7.asn1 +++ b/crypto/asymmetric_keys/pkcs7.asn1 @@ -124,7 +124,7 @@ UnauthenticatedAttribute ::=3D SEQUENCE { =20 DigestEncryptionAlgorithmIdentifier ::=3D SEQUENCE { algorithm OBJECT IDENTIFIER ({ pkcs7_note_OID }), - parameters ANY OPTIONAL + parameters ANY OPTIONAL ({ pkcs7_sig_note_algo_params }) } =20 EncryptedDigest ::=3D OCTET STRING ({ pkcs7_sig_note_signature }) diff --git a/crypto/asymmetric_keys/pkcs7_parser.c b/crypto/asymmetric_keys= /pkcs7_parser.c index 90c36fe1b5ed..47d3c1920e8f 100644 --- a/crypto/asymmetric_keys/pkcs7_parser.c +++ b/crypto/asymmetric_keys/pkcs7_parser.c @@ -14,6 +14,7 @@ #include #include #include "pkcs7_parser.h" +#include "rsassa_parser.h" #include "pkcs7.asn1.h" =20 MODULE_DESCRIPTION("PKCS#7 parser"); @@ -28,14 +29,16 @@ struct pkcs7_parse_context { struct x509_certificate **ppcerts; unsigned long data; /* Start of data */ enum OID last_oid; /* Last OID encountered */ - unsigned x509_index; - unsigned sinfo_index; + unsigned int x509_index; + unsigned int sinfo_index; + unsigned int algo_params_size; + const void *algo_params; const void *raw_serial; - unsigned raw_serial_size; - unsigned raw_issuer_size; + unsigned int raw_serial_size; + unsigned int raw_issuer_size; const void *raw_issuer; const void *raw_skid; - unsigned raw_skid_size; + unsigned int raw_skid_size; bool expect_skid; }; =20 @@ -225,45 +228,29 @@ int pkcs7_sig_note_digest_algo(void *context, size_t = hdrlen, const void *value, size_t vlen) { struct pkcs7_parse_context *ctx =3D context; + const char *algo; =20 - switch (ctx->last_oid) { - case OID_sha1: - ctx->sinfo->sig->hash_algo =3D "sha1"; - break; - case OID_sha256: - ctx->sinfo->sig->hash_algo =3D "sha256"; - break; - case OID_sha384: - ctx->sinfo->sig->hash_algo =3D "sha384"; - break; - case OID_sha512: - ctx->sinfo->sig->hash_algo =3D "sha512"; - break; - case OID_sha224: - ctx->sinfo->sig->hash_algo =3D "sha224"; - break; - case OID_sm3: - ctx->sinfo->sig->hash_algo =3D "sm3"; - break; - case OID_gost2012Digest256: - ctx->sinfo->sig->hash_algo =3D "streebog256"; - break; - case OID_gost2012Digest512: - ctx->sinfo->sig->hash_algo =3D "streebog512"; - break; - case OID_sha3_256: - ctx->sinfo->sig->hash_algo =3D "sha3-256"; - break; - case OID_sha3_384: - ctx->sinfo->sig->hash_algo =3D "sha3-384"; - break; - case OID_sha3_512: - ctx->sinfo->sig->hash_algo =3D "sha3-512"; - break; - default: - printk("Unsupported digest algo: %u\n", ctx->last_oid); + algo =3D oid_to_hash(ctx->last_oid); + if (!algo) { + pr_notice("Unsupported digest algo: %u\n", ctx->last_oid); return -ENOPKG; } + + ctx->sinfo->sig->hash_algo =3D algo; + return 0; +} + +/* + * Note the parameters for the signature. + */ +int pkcs7_sig_note_algo_params(void *context, size_t hdrlen, + unsigned char tag, + const void *value, size_t vlen) +{ + struct pkcs7_parse_context *ctx =3D context; + + ctx->algo_params =3D value - hdrlen; + ctx->algo_params_size =3D vlen + hdrlen; return 0; } =20 @@ -275,11 +262,21 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hd= rlen, const void *value, size_t vlen) { struct pkcs7_parse_context *ctx =3D context; + struct public_key_signature *sig =3D ctx->sinfo->sig; + int err; =20 switch (ctx->last_oid) { case OID_rsaEncryption: - ctx->sinfo->sig->pkey_algo =3D "rsa"; - ctx->sinfo->sig->encoding =3D "pkcs1"; + sig->pkey_algo =3D "rsa"; + sig->encoding =3D "pkcs1"; + break; + case OID_id_rsassa_pss: + err =3D rsassa_parse_sig_params(sig, ctx->algo_params, + ctx->algo_params_size); + if (err < 0) + return err; + sig->pkey_algo =3D "rsa"; + sig->encoding =3D "emsa-pss"; break; case OID_id_ecdsa_with_sha1: case OID_id_ecdsa_with_sha224: @@ -289,33 +286,36 @@ int pkcs7_sig_note_pkey_algo(void *context, size_t hd= rlen, case OID_id_ecdsa_with_sha3_256: case OID_id_ecdsa_with_sha3_384: case OID_id_ecdsa_with_sha3_512: - ctx->sinfo->sig->pkey_algo =3D "ecdsa"; - ctx->sinfo->sig->encoding =3D "x962"; + sig->pkey_algo =3D "ecdsa"; + sig->encoding =3D "x962"; break; case OID_gost2012PKey256: case OID_gost2012PKey512: - ctx->sinfo->sig->pkey_algo =3D "ecrdsa"; - ctx->sinfo->sig->encoding =3D "raw"; + sig->pkey_algo =3D "ecrdsa"; + sig->encoding =3D "raw"; break; case OID_id_ml_dsa_44: - ctx->sinfo->sig->pkey_algo =3D "mldsa44"; - ctx->sinfo->sig->encoding =3D "raw"; - ctx->sinfo->sig->algo_does_hash =3D true; + sig->pkey_algo =3D "mldsa44"; + sig->encoding =3D "raw"; + sig->algo_does_hash =3D true; break; case OID_id_ml_dsa_65: - ctx->sinfo->sig->pkey_algo =3D "mldsa65"; - ctx->sinfo->sig->encoding =3D "raw"; - ctx->sinfo->sig->algo_does_hash =3D true; + sig->pkey_algo =3D "mldsa65"; + sig->encoding =3D "raw"; + sig->algo_does_hash =3D true; break; case OID_id_ml_dsa_87: - ctx->sinfo->sig->pkey_algo =3D "mldsa87"; - ctx->sinfo->sig->encoding =3D "raw"; - ctx->sinfo->sig->algo_does_hash =3D true; + sig->pkey_algo =3D "mldsa87"; + sig->encoding =3D "raw"; + sig->algo_does_hash =3D true; break; default: - printk("Unsupported pkey algo: %u\n", ctx->last_oid); + pr_notice("Unsupported pkey algo: %u\n", ctx->last_oid); return -ENOPKG; } + + ctx->algo_params =3D NULL; + ctx->algo_params_size =3D 0; return 0; } =20 diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/p= ublic_key.c index 61dc4f626620..13a5616becaa 100644 --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -100,6 +100,16 @@ software_key_determine_akcipher(const struct public_ke= y *pkey, } return n >=3D CRYPTO_MAX_ALG_NAME ? -EINVAL : 0; } + if (strcmp(encoding, "emsa-pss") =3D=3D 0) { + if (op !=3D kernel_pkey_sign && + op !=3D kernel_pkey_verify) + return -EINVAL; + *sig =3D true; + if (!hash_algo) + hash_algo =3D "none"; + n =3D snprintf(alg_name, CRYPTO_MAX_ALG_NAME, "rsassa-pss"); + return n >=3D CRYPTO_MAX_ALG_NAME ? -EINVAL : 0; + } if (strcmp(encoding, "raw") !=3D 0) return -EINVAL; /* diff --git a/crypto/asymmetric_keys/rsassa_params.asn1 b/crypto/asymmetric_= keys/rsassa_params.asn1 new file mode 100644 index 000000000000..95a4e5f0dcd5 --- /dev/null +++ b/crypto/asymmetric_keys/rsassa_params.asn1 @@ -0,0 +1,25 @@ +-- SPDX-License-Identifier: BSD-3-Clause +-- +-- Copyright (C) 2009 IETF Trust and the persons identified as authors +-- of the code +-- +-- +-- https://datatracker.ietf.org/doc/html/rfc4055 Section 6. + +RSASSA-PSS-params ::=3D SEQUENCE { + hashAlgorithm [0] HashAlgorithm, + maskGenAlgorithm [1] MaskGenAlgorithm, + saltLength [2] INTEGER ({ rsassa_note_salt_length }), + trailerField [3] TrailerField OPTIONAL +} + +TrailerField ::=3D INTEGER ({ rsassa_note_trailer }) +-- { trailerFieldBC(1) } + +HashAlgorithm ::=3D AlgorithmIdentifier ({ rsassa_note_hash_algo }) +MaskGenAlgorithm ::=3D AlgorithmIdentifier ({ rsassa_note_maskgen_algo }) + +AlgorithmIdentifier ::=3D SEQUENCE { + algorithm OBJECT IDENTIFIER ({ rsassa_note_OID }), + parameters ANY OPTIONAL ({ rsassa_note_params }) +} diff --git a/crypto/asymmetric_keys/rsassa_parser.c b/crypto/asymmetric_key= s/rsassa_parser.c new file mode 100644 index 000000000000..b80720fa94be --- /dev/null +++ b/crypto/asymmetric_keys/rsassa_parser.c @@ -0,0 +1,240 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* RSASSA-PSS ASN.1 parameter parser + * + * Copyright (C) 2025 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#define pr_fmt(fmt) "RSASSA-PSS: "fmt +#include +#include +#include +#include +#include +#include +#include +#include "x509_parser.h" +#include "rsassa_parser.h" +#include "rsassa_params.asn1.h" +#include "mgf1_params.asn1.h" + +struct rsassa_parse_context { + struct rsassa_parameters *rsassa; /* The parsed parameters */ + unsigned long data; /* Start of data */ + const void *params; /* Algo parameters */ + unsigned int params_len; /* Length of algo parameters */ + enum OID last_oid; /* Last OID encountered */ + enum OID mgf1_last_oid; /* Last OID encountered in MGF1 */ +}; + +/* + * Parse an RSASSA parameter block. + */ +struct rsassa_parameters *rsassa_params_parse(const void *data, size_t dat= alen) +{ + struct rsassa_parse_context ctx =3D {}; + long ret; + + struct rsassa_parameters *rsassa __free(kfree) =3D + kzalloc(sizeof(*rsassa), GFP_KERNEL); + if (!rsassa) + return ERR_PTR(-ENOMEM); + + ctx.rsassa =3D rsassa; + ctx.data =3D (unsigned long)data; + + /* Attempt to decode the parameters */ + ret =3D asn1_ber_decoder(&rsassa_params_decoder, &ctx, data, datalen); + if (ret < 0) { + pr_debug("RSASSA parse failed %ld\n", ret); + return ERR_PTR(ret); + } + + return no_free_ptr(rsassa); +} + +/* + * Note an OID when we find one for later processing when we know how + * to interpret it. + */ +int rsassa_note_OID(void *context, size_t hdrlen, unsigned char tag, + const void *value, size_t vlen) +{ + struct rsassa_parse_context *ctx =3D context; + + ctx->last_oid =3D look_up_OID(value, vlen); + if (ctx->last_oid =3D=3D OID__NR) { + char buffer[56]; + + sprint_oid(value, vlen, buffer, sizeof(buffer)); + pr_debug("Unknown OID: %s\n", buffer); + } + return 0; +} + +/* + * Parse trailerField. We only accept trailerFieldBC. + */ +int rsassa_note_trailer(void *context, size_t hdrlen, unsigned char tag, + const void *value, size_t vlen) +{ + if (vlen !=3D 1 || *(u8 *)value !=3D 0x01) { + pr_debug("Unknown trailerField\n"); + return -EINVAL; + } + return 0; +} + +int rsassa_note_hash_algo(void *context, size_t hdrlen, unsigned char tag, + const void *value, size_t vlen) +{ + struct rsassa_parse_context *ctx =3D context; + + ctx->rsassa->hash_algo =3D ctx->last_oid; + pr_debug("HASH-ALGO %u %u\n", ctx->rsassa->hash_algo, ctx->params_len); + ctx->params =3D NULL; + return 0; +} + +int rsassa_note_maskgen_algo(void *context, size_t hdrlen, unsigned char t= ag, + const void *value, size_t vlen) +{ + struct rsassa_parse_context *ctx =3D context; + int ret; + + ctx->rsassa->maskgen_algo =3D ctx->last_oid; + pr_debug("MGF-ALGO %u %u\n", ctx->rsassa->maskgen_algo, ctx->params_len); + + switch (ctx->rsassa->maskgen_algo) { + case OID_id_mgf1: + if (!vlen) { + pr_debug("MGF1 missing parameters\n"); + return -EBADMSG; + } + + ret =3D asn1_ber_decoder(&mgf1_params_decoder, ctx, + ctx->params, ctx->params_len); + if (ret < 0) { + pr_debug("MGF1 parse failed %d\n", ret); + return ret; + } + ctx->rsassa->maskgen_hash =3D ctx->mgf1_last_oid; + break; + + default: + pr_debug("Unsupported MaskGenAlgorithm %d\n", ret); + return -ENOPKG; + } + + ctx->params =3D NULL; + return 0; +} + +int rsassa_note_salt_length(void *context, size_t hdrlen, unsigned char ta= g, + const void *value, size_t vlen) +{ + struct rsassa_parse_context *ctx =3D context; + u32 salt_len =3D 0; + + if (!vlen) { + pr_debug("Salt len bad integer\n"); + return -EBADMSG; + } + if (vlen > 4) { + pr_debug("Salt len too long %zu\n", vlen); + return -EBADMSG; + } + if (((u8 *)value)[0] & 0x80) { + pr_debug("Salt len negative\n"); + return -EBADMSG; + } + + for (size_t i =3D 0; i < vlen; i++) { + salt_len <<=3D 8; + salt_len |=3D ((u8 *)value)[i]; + } + + ctx->rsassa->salt_len =3D salt_len; + pr_debug("Salt-Len %u\n", salt_len); + return 0; +} + +/* + * Extract arbitrary parameters. + */ +int rsassa_note_params(void *context, size_t hdrlen, unsigned char tag, + const void *value, size_t vlen) +{ + struct rsassa_parse_context *ctx =3D context; + + ctx->params =3D value - hdrlen; + ctx->params_len =3D vlen + hdrlen; + return 0; +} + +/* + * Note an OID when we find one for later processing when we know how to + * interpret it. + */ +int mgf1_note_OID(void *context, size_t hdrlen, unsigned char tag, + const void *value, size_t vlen) +{ + struct rsassa_parse_context *ctx =3D context; + + ctx->mgf1_last_oid =3D look_up_OID(value, vlen); + if (ctx->mgf1_last_oid =3D=3D OID__NR) { + char buffer[56]; + + sprint_oid(value, vlen, buffer, sizeof(buffer)); + pr_debug("Unknown MGF1 OID: %s\n", buffer); + } + return 0; +} + +/* + * Parse the signature parameter block and generate a suitable info string= from + * it. + */ +int rsassa_parse_sig_params(struct public_key_signature *sig, + const u8 *sig_params, unsigned int sig_params_size) +{ + const char *mf, *mh; + + if (!sig_params || !sig_params_size) { + pr_debug("sig algo without parameters\n"); + return -EBADMSG; + } + + struct rsassa_parameters *rsassa __free(rsassa_params_free) =3D + rsassa_params_parse(sig_params, sig_params_size); + if (IS_ERR(rsassa)) + return PTR_ERR(rsassa); + + sig->hash_algo =3D oid_to_hash(rsassa->hash_algo); + if (!sig->hash_algo) { + pr_notice("Unsupported hash: %u\n", rsassa->hash_algo); + return -ENOPKG; + } + + switch (rsassa->maskgen_algo) { + case OID_id_mgf1: + mf =3D "mgf1"; + break; + default: + pr_notice("Unsupported maskgen algo: %u\n", rsassa->maskgen_algo); + return -ENOPKG; + } + + mh =3D oid_to_hash(rsassa->maskgen_hash); + if (!mh) { + pr_notice("Unsupported MGF1 hash: %u\n", rsassa->maskgen_hash); + return -ENOPKG; + } + + sig->info =3D kasprintf(GFP_KERNEL, "sighash=3D%s pss_mask=3D%s,%s pss_sa= lt=3D%u", + sig->hash_algo, mf, mh, rsassa->salt_len); + if (!sig->info) + return -ENOMEM; + pr_debug("Info string: %s\n", sig->info); + return 0; +} diff --git a/crypto/asymmetric_keys/rsassa_parser.h b/crypto/asymmetric_key= s/rsassa_parser.h new file mode 100644 index 000000000000..b80401a3de8f --- /dev/null +++ b/crypto/asymmetric_keys/rsassa_parser.h @@ -0,0 +1,25 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* RSASSA-PSS parameter parsing context + * + * Copyright (C) 2025 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ + +#include + +struct rsassa_parameters { + enum OID hash_algo; /* Hash algorithm identifier */ + enum OID maskgen_algo; /* Mask gen algorithm identifier */ + enum OID maskgen_hash; /* Mask gen hash algorithm identifier */ + u32 salt_len; +}; + +struct rsassa_parameters *rsassa_params_parse(const void *data, size_t dat= alen); +int rsassa_parse_sig_params(struct public_key_signature *sig, + const u8 *sig_params, unsigned int sig_params_size); + +static inline void rsassa_params_free(struct rsassa_parameters *params) +{ + kfree(params); +} +DEFINE_FREE(rsassa_params_free, struct rsassa_parameters*, rsassa_params_= free(_T)) diff --git a/crypto/asymmetric_keys/x509.asn1 b/crypto/asymmetric_keys/x509= .asn1 index feb9573cacce..453b72eba1fe 100644 --- a/crypto/asymmetric_keys/x509.asn1 +++ b/crypto/asymmetric_keys/x509.asn1 @@ -29,7 +29,7 @@ CertificateSerialNumber ::=3D INTEGER =20 AlgorithmIdentifier ::=3D SEQUENCE { algorithm OBJECT IDENTIFIER ({ x509_note_OID }), - parameters ANY OPTIONAL ({ x509_note_params }) + parameters ANY OPTIONAL ({ x509_note_algo_id_params }) } =20 Name ::=3D SEQUENCE OF RelativeDistinguishedName diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_= keys/x509_cert_parser.c index 5ab5b4e5f1b4..a4b848628e37 100644 --- a/crypto/asymmetric_keys/x509_cert_parser.c +++ b/crypto/asymmetric_keys/x509_cert_parser.c @@ -15,28 +15,7 @@ #include "x509_parser.h" #include "x509.asn1.h" #include "x509_akid.asn1.h" - -struct x509_parse_context { - struct x509_certificate *cert; /* Certificate being constructed */ - unsigned long data; /* Start of data */ - const void *key; /* Key data */ - size_t key_size; /* Size of key data */ - const void *params; /* Key parameters */ - size_t params_size; /* Size of key parameters */ - enum OID key_algo; /* Algorithm used by the cert's key */ - enum OID last_oid; /* Last OID encountered */ - enum OID sig_algo; /* Algorithm used to sign the cert */ - u8 o_size; /* Size of organizationName (O) */ - u8 cn_size; /* Size of commonName (CN) */ - u8 email_size; /* Size of emailAddress */ - u16 o_offset; /* Offset of organizationName (O) */ - u16 cn_offset; /* Offset of commonName (CN) */ - u16 email_offset; /* Offset of emailAddress */ - unsigned raw_akid_size; - const void *raw_akid; /* Raw authorityKeyId in ASN.1 */ - const void *akid_raw_issuer; /* Raw directoryName in authorityKeyId */ - unsigned akid_raw_issuer_size; -}; +#include "rsassa_parser.h" =20 /* * Free an X.509 certificate @@ -60,12 +39,11 @@ EXPORT_SYMBOL_GPL(x509_free_certificate); */ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen) { - struct x509_certificate *cert __free(x509_free_certificate) =3D NULL; - struct x509_parse_context *ctx __free(kfree) =3D NULL; struct asymmetric_key_id *kid; long ret; =20 - cert =3D kzalloc(sizeof(struct x509_certificate), GFP_KERNEL); + struct x509_certificate *cert __free(x509_free_certificate) =3D + kzalloc(sizeof(struct x509_certificate), GFP_KERNEL); if (!cert) return ERR_PTR(-ENOMEM); cert->pub =3D kzalloc(sizeof(struct public_key), GFP_KERNEL); @@ -74,7 +52,9 @@ struct x509_certificate *x509_cert_parse(const void *data= , size_t datalen) cert->sig =3D kzalloc(sizeof(struct public_key_signature), GFP_KERNEL); if (!cert->sig) return ERR_PTR(-ENOMEM); - ctx =3D kzalloc(sizeof(struct x509_parse_context), GFP_KERNEL); + + struct x509_parse_context *ctx __free(kfree) =3D + kzalloc(sizeof(struct x509_parse_context), GFP_KERNEL); if (!ctx) return ERR_PTR(-ENOMEM); =20 @@ -104,15 +84,15 @@ struct x509_certificate *x509_cert_parse(const void *d= ata, size_t datalen) =20 cert->pub->keylen =3D ctx->key_size; =20 - cert->pub->params =3D kmemdup(ctx->params, ctx->params_size, GFP_KERNEL); + cert->pub->params =3D kmemdup(ctx->key_params, ctx->key_params_size, GFP_= KERNEL); if (!cert->pub->params) return ERR_PTR(-ENOMEM); =20 - cert->pub->paramlen =3D ctx->params_size; + cert->pub->paramlen =3D ctx->key_params_size; cert->pub->algo =3D ctx->key_algo; =20 /* Grab the signature bits */ - ret =3D x509_get_sig_params(cert); + ret =3D x509_get_sig_params(cert, ctx); if (ret < 0) return ERR_PTR(ret); =20 @@ -146,7 +126,7 @@ int x509_note_OID(void *context, size_t hdrlen, =20 ctx->last_oid =3D look_up_OID(value, vlen); if (ctx->last_oid =3D=3D OID__NR) { - char buffer[50]; + char buffer[56]; sprint_oid(value, vlen, buffer, sizeof(buffer)); pr_debug("Unknown OID: [%lu] %s\n", (unsigned long)value - ctx->data, buffer); @@ -179,6 +159,7 @@ int x509_note_sig_algo(void *context, size_t hdrlen, un= signed char tag, const void *value, size_t vlen) { struct x509_parse_context *ctx =3D context; + int err; =20 pr_debug("PubKey Algo: %u\n", ctx->last_oid); =20 @@ -210,6 +191,9 @@ int x509_note_sig_algo(void *context, size_t hdrlen, un= signed char tag, ctx->cert->sig->hash_algo =3D "sha1"; goto ecdsa; =20 + case OID_id_rsassa_pss: + goto rsassa_pss; + case OID_id_rsassa_pkcs1_v1_5_with_sha3_256: ctx->cert->sig->hash_algo =3D "sha3-256"; goto rsa_pkcs1; @@ -268,6 +252,19 @@ int x509_note_sig_algo(void *context, size_t hdrlen, u= nsigned char tag, goto ml_dsa; } =20 +rsassa_pss: + err =3D rsassa_parse_sig_params(ctx->cert->sig, + ctx->algo_params, ctx->algo_params_size); + if (err < 0) + return err; + + ctx->cert->sig->pkey_algo =3D "rsa"; + ctx->cert->sig->encoding =3D "emsa-pss"; + ctx->sig_algo =3D ctx->last_oid; + ctx->algo_params =3D NULL; + ctx->algo_params_size =3D 0; + return 0; + rsa_pkcs1: ctx->cert->sig->pkey_algo =3D "rsa"; ctx->cert->sig->encoding =3D "pkcs1"; @@ -324,8 +321,8 @@ int x509_note_signature(void *context, size_t hdrlen, vlen--; } =20 - ctx->cert->raw_sig =3D value; - ctx->cert->raw_sig_size =3D vlen; + ctx->sig =3D value; + ctx->sig_size =3D vlen; return 0; } =20 @@ -479,23 +476,16 @@ int x509_note_subject(void *context, size_t hdrlen, } =20 /* - * Extract the parameters for the public key + * Extract the parameters for an AlgorithmIdentifier. */ -int x509_note_params(void *context, size_t hdrlen, - unsigned char tag, - const void *value, size_t vlen) +int x509_note_algo_id_params(void *context, size_t hdrlen, + unsigned char tag, + const void *value, size_t vlen) { struct x509_parse_context *ctx =3D context; =20 - /* - * AlgorithmIdentifier is used three times in the x509, we should skip - * first and ignore third, using second one which is after subject and - * before subjectPublicKey. - */ - if (!ctx->cert->raw_subject || ctx->key) - return 0; - ctx->params =3D value - hdrlen; - ctx->params_size =3D vlen + hdrlen; + ctx->algo_params =3D value - hdrlen; + ctx->algo_params_size =3D vlen + hdrlen; return 0; } =20 @@ -514,12 +504,28 @@ int x509_extract_key_data(void *context, size_t hdrle= n, case OID_rsaEncryption: ctx->cert->pub->pkey_algo =3D "rsa"; break; + case OID_id_rsassa_pss: + /* Parameters are optional for the key itself. */ + if (ctx->algo_params_size) { + ctx->key_params =3D ctx->algo_params; + ctx->key_params_size =3D ctx->algo_params_size; + ctx->algo_params =3D NULL; + ctx->algo_params_size =3D 0; + + struct rsassa_parameters *params __free(rsassa_params_free) =3D + rsassa_params_parse(ctx->key_params, ctx->key_params_size); + if (IS_ERR(params)) + return PTR_ERR(params); + break; + } + ctx->cert->pub->pkey_algo =3D "rsa"; + break; case OID_gost2012PKey256: case OID_gost2012PKey512: ctx->cert->pub->pkey_algo =3D "ecrdsa"; break; case OID_id_ecPublicKey: - if (parse_OID(ctx->params, ctx->params_size, &oid) !=3D 0) + if (parse_OID(ctx->algo_params, ctx->algo_params_size, &oid) !=3D 0) return -EBADMSG; =20 switch (oid) { @@ -557,6 +563,8 @@ int x509_extract_key_data(void *context, size_t hdrlen, return -EBADMSG; ctx->key =3D value + 1; ctx->key_size =3D vlen - 1; + ctx->algo_params =3D NULL; + ctx->algo_params_size =3D 0; return 0; } =20 diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/= x509_parser.h index 0688c222806b..578de49c37bc 100644 --- a/crypto/asymmetric_keys/x509_parser.h +++ b/crypto/asymmetric_keys/x509_parser.h @@ -22,18 +22,16 @@ struct x509_certificate { time64_t valid_from; time64_t valid_to; const void *tbs; /* Signed data */ - unsigned tbs_size; /* Size of signed data */ - unsigned raw_sig_size; /* Size of signature */ - const void *raw_sig; /* Signature data */ + unsigned int tbs_size; /* Size of signed data */ const void *raw_serial; /* Raw serial number in ASN.1 */ - unsigned raw_serial_size; - unsigned raw_issuer_size; + unsigned int raw_serial_size; + unsigned int raw_issuer_size; const void *raw_issuer; /* Raw issuer name in ASN.1 */ const void *raw_subject; /* Raw subject name in ASN.1 */ - unsigned raw_subject_size; - unsigned raw_skid_size; + unsigned int raw_subject_size; + unsigned int raw_skid_size; const void *raw_skid; /* Raw subjectKeyId in ASN.1 */ - unsigned index; + unsigned int index; bool seen; /* Infinite recursion prevention */ bool verified; bool self_signed; /* T if self-signed (check unsupported_sig too) */ @@ -41,6 +39,34 @@ struct x509_certificate { bool blacklisted; }; =20 +struct x509_parse_context { + struct x509_certificate *cert; /* Certificate being constructed */ + unsigned long data; /* Start of data */ + const void *key; /* Key data */ + size_t key_size; /* Size of key data */ + const void *algo_params; /* AlgorithmIdentifier: parameters */ + size_t algo_params_size; /* AlgorithmIdentifier: parameters size */ + const void *key_params; /* Key parameters */ + size_t key_params_size; /* Size of key parameters */ + const void *sig_params; /* Signature parameters */ + unsigned int sig_params_size; /* Size of sig parameters */ + unsigned int sig_size; /* Size of signature */ + const void *sig; /* Signature data */ + enum OID key_algo; /* Algorithm used by the cert's key */ + enum OID last_oid; /* Last OID encountered */ + enum OID sig_algo; /* Algorithm used to sign the cert */ + u8 o_size; /* Size of organizationName (O) */ + u8 cn_size; /* Size of commonName (CN) */ + u8 email_size; /* Size of emailAddress */ + u16 o_offset; /* Offset of organizationName (O) */ + u16 cn_offset; /* Offset of commonName (CN) */ + u16 email_offset; /* Offset of emailAddress */ + unsigned int raw_akid_size; + const void *raw_akid; /* Raw authorityKeyId in ASN.1 */ + const void *akid_raw_issuer; /* Raw directoryName in authorityKeyId */ + unsigned int akid_raw_issuer_size; +}; + /* * x509_cert_parser.c */ @@ -55,5 +81,6 @@ extern int x509_decode_time(time64_t *_t, size_t hdrlen, /* * x509_public_key.c */ -extern int x509_get_sig_params(struct x509_certificate *cert); +extern const char *oid_to_hash(enum OID oid); +extern int x509_get_sig_params(struct x509_certificate *cert, struct x509_= parse_context *parse); extern int x509_check_for_self_signed(struct x509_certificate *cert); diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_k= eys/x509_public_key.c index 2243add11d48..4490cfa368a3 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -17,11 +17,32 @@ #include "asymmetric_keys.h" #include "x509_parser.h" =20 +/* + * Translate OIDs to hash algorithm names. + */ +const char *oid_to_hash(enum OID oid) +{ + switch (oid) { + case OID_sha1: return "sha1"; + case OID_sha256: return "sha256"; + case OID_sha384: return "sha384"; + case OID_sha512: return "sha512"; + case OID_sha224: return "sha224"; + case OID_sm3: return "sm3"; + case OID_gost2012Digest256: return "streebog256"; + case OID_gost2012Digest512: return "streebog512"; + case OID_sha3_256: return "sha3-256"; + case OID_sha3_384: return "sha3-384"; + case OID_sha3_512: return "sha3-512"; + default: return NULL; + } +} + /* * Set up the signature parameters in an X.509 certificate. This involves * digesting the signed data and extracting the signature. */ -int x509_get_sig_params(struct x509_certificate *cert) +int x509_get_sig_params(struct x509_certificate *cert, struct x509_parse_c= ontext *parse) { struct public_key_signature *sig =3D cert->sig; struct crypto_shash *tfm; @@ -31,11 +52,11 @@ int x509_get_sig_params(struct x509_certificate *cert) =20 pr_devel("=3D=3D>%s()\n", __func__); =20 - sig->s =3D kmemdup(cert->raw_sig, cert->raw_sig_size, GFP_KERNEL); + sig->s =3D kmemdup(parse->sig, parse->sig_size, GFP_KERNEL); if (!sig->s) return -ENOMEM; =20 - sig->s_size =3D cert->raw_sig_size; + sig->s_size =3D parse->sig_size; =20 /* Allocate the hashing algorithm we're going to need and find out how * big the hash operational data will be. @@ -43,6 +64,7 @@ int x509_get_sig_params(struct x509_certificate *cert) tfm =3D crypto_alloc_shash(sig->hash_algo, 0, 0); if (IS_ERR(tfm)) { if (PTR_ERR(tfm) =3D=3D -ENOENT) { + pr_debug("Unsupported hash %s\n", sig->hash_algo); cert->unsupported_sig =3D true; return 0; } @@ -149,13 +171,12 @@ int x509_check_for_self_signed(struct x509_certificat= e *cert) */ static int x509_key_preparse(struct key_preparsed_payload *prep) { - struct x509_certificate *cert __free(x509_free_certificate) =3D NULL; - struct asymmetric_key_ids *kids __free(kfree) =3D NULL; char *p, *desc __free(kfree) =3D NULL; const char *q; size_t srlen, sulen; =20 - cert =3D x509_cert_parse(prep->data, prep->datalen); + struct x509_certificate *cert __free(x509_free_certificate) =3D + x509_cert_parse(prep->data, prep->datalen); if (IS_ERR(cert)) return PTR_ERR(cert); =20 @@ -198,7 +219,8 @@ static int x509_key_preparse(struct key_preparsed_paylo= ad *prep) p =3D bin2hex(p, q, srlen); *p =3D 0; =20 - kids =3D kmalloc(sizeof(struct asymmetric_key_ids), GFP_KERNEL); + struct asymmetric_key_ids *kids __free(kfree) =3D + kmalloc(sizeof(struct asymmetric_key_ids), GFP_KERNEL); if (!kids) return -ENOMEM; kids->id[0] =3D cert->id; diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h index ebce402854de..7fe168f54a6c 100644 --- a/include/linux/oid_registry.h +++ b/include/linux/oid_registry.h @@ -31,6 +31,8 @@ enum OID { /* PKCS#1 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)= } */ OID_rsaEncryption, /* 1.2.840.113549.1.1.1 */ OID_sha1WithRSAEncryption, /* 1.2.840.113549.1.1.5 */ + OID_id_mgf1, /* 1.2.840.113549.1.1.8 */ + OID_id_rsassa_pss, /* 1.2.840.113549.1.1.10 */ OID_sha256WithRSAEncryption, /* 1.2.840.113549.1.1.11 */ OID_sha384WithRSAEncryption, /* 1.2.840.113549.1.1.12 */ OID_sha512WithRSAEncryption, /* 1.2.840.113549.1.1.13 */