1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Parse a Microsoft Individual Code Signing blob
3  *
4  * Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #define pr_fmt(fmt) "MSCODE: "fmt
9 #include <linux/kernel.h>
10 #include <linux/slab.h>
11 #include <linux/err.h>
12 #include <linux/oid_registry.h>
13 #include <crypto/pkcs7.h>
14 #include "verify_pefile.h"
15 #include "mscode.asn1.h"
16 
17 /*
18  * Parse a Microsoft Individual Code Signing blob
19  */
20 int mscode_parse(void *_ctx, const void *content_data, size_t data_len,
21 		 size_t asn1hdrlen)
22 {
23 	struct pefile_context *ctx = _ctx;
24 
25 	content_data -= asn1hdrlen;
26 	data_len += asn1hdrlen;
27 	pr_devel("Data: %zu [%*ph]\n", data_len, (unsigned)(data_len),
28 		 content_data);
29 
30 	return asn1_ber_decoder(&mscode_decoder, ctx, content_data, data_len);
31 }
32 
33 /*
34  * Check the content type OID
35  */
36 int mscode_note_content_type(void *context, size_t hdrlen,
37 			     unsigned char tag,
38 			     const void *value, size_t vlen)
39 {
40 	enum OID oid;
41 
42 	oid = look_up_OID(value, vlen);
43 	if (oid == OID__NR) {
44 		char buffer[50];
45 
46 		sprint_oid(value, vlen, buffer, sizeof(buffer));
47 		pr_err("Unknown OID: %s\n", buffer);
48 		return -EBADMSG;
49 	}
50 
51 	/*
52 	 * pesign utility had a bug where it was putting
53 	 * OID_msIndividualSPKeyPurpose instead of OID_msPeImageDataObjId
54 	 * So allow both OIDs.
55 	 */
56 	if (oid != OID_msPeImageDataObjId &&
57 	    oid != OID_msIndividualSPKeyPurpose) {
58 		pr_err("Unexpected content type OID %u\n", oid);
59 		return -EBADMSG;
60 	}
61 
62 	return 0;
63 }
64 
65 /*
66  * Note the digest algorithm OID
67  */
68 int mscode_note_digest_algo(void *context, size_t hdrlen,
69 			    unsigned char tag,
70 			    const void *value, size_t vlen)
71 {
72 	struct pefile_context *ctx = context;
73 	char buffer[50];
74 	enum OID oid;
75 
76 	oid = look_up_OID(value, vlen);
77 	switch (oid) {
78 	case OID_sha1:
79 		ctx->digest_algo = "sha1";
80 		break;
81 	case OID_sha256:
82 		ctx->digest_algo = "sha256";
83 		break;
84 	case OID_sha384:
85 		ctx->digest_algo = "sha384";
86 		break;
87 	case OID_sha512:
88 		ctx->digest_algo = "sha512";
89 		break;
90 	case OID_sha3_256:
91 		ctx->digest_algo = "sha3-256";
92 		break;
93 	case OID_sha3_384:
94 		ctx->digest_algo = "sha3-384";
95 		break;
96 	case OID_sha3_512:
97 		ctx->digest_algo = "sha3-512";
98 		break;
99 
100 	case OID__NR:
101 		sprint_oid(value, vlen, buffer, sizeof(buffer));
102 		pr_err("Unknown OID: %s\n", buffer);
103 		return -EBADMSG;
104 
105 	default:
106 		pr_err("Unsupported content type: %u\n", oid);
107 		return -ENOPKG;
108 	}
109 
110 	return 0;
111 }
112 
113 /*
114  * Note the digest we're guaranteeing with this certificate
115  */
116 int mscode_note_digest(void *context, size_t hdrlen,
117 		       unsigned char tag,
118 		       const void *value, size_t vlen)
119 {
120 	struct pefile_context *ctx = context;
121 
122 	ctx->digest = kmemdup(value, vlen, GFP_KERNEL);
123 	if (!ctx->digest)
124 		return -ENOMEM;
125 
126 	ctx->digest_len = vlen;
127 
128 	return 0;
129 }
130