You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
315 lines
13 KiB
315 lines
13 KiB
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
|
From: Javier Martinez Canillas <javierm@redhat.com> |
|
Date: Sat, 8 May 2021 02:27:58 +0200 |
|
Subject: [PATCH] appendedsig/x509: Also handle the Extended Key Usage |
|
extension |
|
|
|
Red Hat certificates have both Key Usage and Extended Key Usage extensions |
|
present, but the appended signatures x509 parser doesn't handle the latter |
|
and so buils due finding an unrecognised critical extension: |
|
|
|
Error loading initial key: |
|
../../grub-core/commands/appendedsig/x509.c:780:Unhandled critical x509 extension with OID 2.5.29.37 |
|
|
|
Fix this by also parsing the Extended Key Usage extension and handle it by |
|
verifying that the certificate has a single purpose, that is code signing. |
|
|
|
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> |
|
Signed-off-by: Daniel Axtens <dja@axtens.net> |
|
--- |
|
grub-core/commands/appendedsig/x509.c | 94 ++++++++++++++++++++++++++++++- |
|
grub-core/tests/appended_signature_test.c | 29 +++++++++- |
|
grub-core/tests/appended_signatures.h | 81 ++++++++++++++++++++++++++ |
|
3 files changed, 201 insertions(+), 3 deletions(-) |
|
|
|
diff --git a/grub-core/commands/appendedsig/x509.c b/grub-core/commands/appendedsig/x509.c |
|
index 2b38b3670a2..42ec65c54aa 100644 |
|
--- a/grub-core/commands/appendedsig/x509.c |
|
+++ b/grub-core/commands/appendedsig/x509.c |
|
@@ -47,6 +47,12 @@ const char *keyUsage_oid = "2.5.29.15"; |
|
*/ |
|
const char *basicConstraints_oid = "2.5.29.19"; |
|
|
|
+/* |
|
+ * RFC 5280 4.2.1.12 Extended Key Usage |
|
+ */ |
|
+const char *extendedKeyUsage_oid = "2.5.29.37"; |
|
+const char *codeSigningUsage_oid = "1.3.6.1.5.5.7.3.3"; |
|
+ |
|
/* |
|
* RFC 3279 2.3.1 |
|
* |
|
@@ -637,6 +643,77 @@ cleanup: |
|
return err; |
|
} |
|
|
|
+/* |
|
+ * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId |
|
+ * |
|
+ * KeyPurposeId ::= OBJECT IDENTIFIER |
|
+ */ |
|
+static grub_err_t |
|
+verify_extended_key_usage (grub_uint8_t * value, int value_size) |
|
+{ |
|
+ asn1_node extendedasn; |
|
+ int result, count; |
|
+ grub_err_t err = GRUB_ERR_NONE; |
|
+ char usage[MAX_OID_LEN]; |
|
+ int usage_size = sizeof (usage); |
|
+ |
|
+ result = |
|
+ asn1_create_element (_gnutls_pkix_asn, "PKIX1.ExtKeyUsageSyntax", |
|
+ &extendedasn); |
|
+ if (result != ASN1_SUCCESS) |
|
+ { |
|
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY, |
|
+ "Could not create ASN.1 structure for Extended Key Usage"); |
|
+ } |
|
+ |
|
+ result = asn1_der_decoding2 (&extendedasn, value, &value_size, |
|
+ ASN1_DECODE_FLAG_STRICT_DER, asn1_error); |
|
+ if (result != ASN1_SUCCESS) |
|
+ { |
|
+ err = |
|
+ grub_error (GRUB_ERR_BAD_FILE_TYPE, |
|
+ "Error parsing DER for Extended Key Usage: %s", |
|
+ asn1_error); |
|
+ goto cleanup; |
|
+ } |
|
+ |
|
+ /* |
|
+ * If EKUs are present, there must be exactly 1 and it must be a |
|
+ * codeSigning usage. |
|
+ */ |
|
+ result = asn1_number_of_elements(extendedasn, "", &count); |
|
+ if (result != ASN1_SUCCESS) |
|
+ { |
|
+ err = |
|
+ grub_error (GRUB_ERR_BAD_FILE_TYPE, |
|
+ "Error counting number of Extended Key Usages: %s", |
|
+ asn1_strerror (result)); |
|
+ goto cleanup; |
|
+ } |
|
+ |
|
+ result = asn1_read_value (extendedasn, "?1", usage, &usage_size); |
|
+ if (result != ASN1_SUCCESS) |
|
+ { |
|
+ err = |
|
+ grub_error (GRUB_ERR_BAD_FILE_TYPE, |
|
+ "Error reading Extended Key Usage: %s", |
|
+ asn1_strerror (result)); |
|
+ goto cleanup; |
|
+ } |
|
+ |
|
+ if (grub_strncmp (codeSigningUsage_oid, usage, usage_size) != 0) |
|
+ { |
|
+ err = |
|
+ grub_error (GRUB_ERR_BAD_FILE_TYPE, |
|
+ "Unexpected Extended Key Usage OID, got: %s", |
|
+ usage); |
|
+ goto cleanup; |
|
+ } |
|
+ |
|
+cleanup: |
|
+ asn1_delete_structure (&extendedasn); |
|
+ return err; |
|
+} |
|
|
|
/* |
|
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension |
|
@@ -660,7 +737,7 @@ verify_extensions (asn1_node cert) |
|
{ |
|
int result; |
|
int ext, num_extensions = 0; |
|
- int usage_present = 0, constraints_present = 0; |
|
+ int usage_present = 0, constraints_present = 0, extended_usage_present = 0; |
|
char *oid_path, *critical_path, *value_path; |
|
char extnID[MAX_OID_LEN]; |
|
int extnID_size; |
|
@@ -754,6 +831,15 @@ verify_extensions (asn1_node cert) |
|
} |
|
constraints_present++; |
|
} |
|
+ else if (grub_strncmp (extendedKeyUsage_oid, extnID, extnID_size) == 0) |
|
+ { |
|
+ err = verify_extended_key_usage (value, value_size); |
|
+ if (err != GRUB_ERR_NONE) |
|
+ { |
|
+ goto cleanup_value; |
|
+ } |
|
+ extended_usage_present++; |
|
+ } |
|
else if (grub_strncmp ("TRUE", critical, critical_size) == 0) |
|
{ |
|
/* |
|
@@ -785,6 +871,12 @@ verify_extensions (asn1_node cert) |
|
"Unexpected number of basic constraints extensions - expected 1, got %d", |
|
constraints_present); |
|
} |
|
+ if (extended_usage_present > 1) |
|
+ { |
|
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE, |
|
+ "Unexpected number of Extended Key Usage extensions - expected 0 or 1, got %d", |
|
+ extended_usage_present); |
|
+ } |
|
return GRUB_ERR_NONE; |
|
|
|
cleanup_value: |
|
diff --git a/grub-core/tests/appended_signature_test.c b/grub-core/tests/appended_signature_test.c |
|
index 88a485200d8..dbba0616621 100644 |
|
--- a/grub-core/tests/appended_signature_test.c |
|
+++ b/grub-core/tests/appended_signature_test.c |
|
@@ -111,6 +111,22 @@ static struct grub_procfs_entry certificate_printable_der_entry = { |
|
.get_contents = get_certificate_printable_der |
|
}; |
|
|
|
+static char * |
|
+get_certificate_eku_der (grub_size_t * sz) |
|
+{ |
|
+ char *ret; |
|
+ *sz = certificate_eku_der_len; |
|
+ ret = grub_malloc (*sz); |
|
+ if (ret) |
|
+ grub_memcpy (ret, certificate_eku_der, *sz); |
|
+ return ret; |
|
+} |
|
+ |
|
+static struct grub_procfs_entry certificate_eku_der_entry = { |
|
+ .name = "certificate_eku.der", |
|
+ .get_contents = get_certificate_eku_der |
|
+}; |
|
+ |
|
|
|
static void |
|
do_verify (const char *f, int is_valid) |
|
@@ -149,6 +165,7 @@ appended_signature_test (void) |
|
char *trust_args2[] = { (char *) "(proc)/certificate2.der", NULL }; |
|
char *trust_args_printable[] = { (char *) "(proc)/certificate_printable.der", |
|
NULL }; |
|
+ char *trust_args_eku[] = { (char *) "(proc)/certificate_eku.der", NULL }; |
|
char *distrust_args[] = { (char *) "1", NULL }; |
|
char *distrust2_args[] = { (char *) "2", NULL }; |
|
grub_err_t err; |
|
@@ -157,6 +174,7 @@ appended_signature_test (void) |
|
grub_procfs_register ("certificate2.der", &certificate2_der_entry); |
|
grub_procfs_register ("certificate_printable.der", |
|
&certificate_printable_der_entry); |
|
+ grub_procfs_register ("certificate_eku.der", &certificate_eku_der_entry); |
|
|
|
cmd_trust = grub_command_find ("trust_certificate"); |
|
if (!cmd_trust) |
|
@@ -266,16 +284,23 @@ appended_signature_test (void) |
|
|
|
/* |
|
* Lastly, check a certificate that uses printableString rather than |
|
- * utf8String loads properly. |
|
+ * utf8String loads properly, and that a certificate with an appropriate |
|
+ * extended key usage loads. |
|
*/ |
|
err = (cmd_trust->func) (cmd_trust, 1, trust_args_printable); |
|
grub_test_assert (err == GRUB_ERR_NONE, |
|
- "distrusting printable certificate failed: %d: %s", |
|
+ "trusting printable certificate failed: %d: %s", |
|
+ grub_errno, grub_errmsg); |
|
+ |
|
+ err = (cmd_trust->func) (cmd_trust, 1, trust_args_eku); |
|
+ grub_test_assert (err == GRUB_ERR_NONE, |
|
+ "trusting certificate with extended key usage failed: %d: %s", |
|
grub_errno, grub_errmsg); |
|
|
|
grub_procfs_unregister (&certificate_der_entry); |
|
grub_procfs_unregister (&certificate2_der_entry); |
|
grub_procfs_unregister (&certificate_printable_der_entry); |
|
+ grub_procfs_unregister (&certificate_eku_der_entry); |
|
} |
|
|
|
GRUB_FUNCTIONAL_TEST (appended_signature_test, appended_signature_test); |
|
diff --git a/grub-core/tests/appended_signatures.h b/grub-core/tests/appended_signatures.h |
|
index aa3dc6278e3..2e5ebd7d8bd 100644 |
|
--- a/grub-core/tests/appended_signatures.h |
|
+++ b/grub-core/tests/appended_signatures.h |
|
@@ -555,3 +555,84 @@ unsigned char certificate_printable_der[] = { |
|
0xd2 |
|
}; |
|
unsigned int certificate_printable_der_len = 829; |
|
+ |
|
+unsigned char certificate_eku_der[] = { |
|
+ 0x30, 0x82, 0x03, 0x90, 0x30, 0x82, 0x02, 0x78, 0xa0, 0x03, 0x02, 0x01, |
|
+ 0x02, 0x02, 0x09, 0x00, 0xd3, 0x9c, 0x41, 0x33, 0xdd, 0x6b, 0x5f, 0x45, |
|
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, |
|
+ 0x0b, 0x05, 0x00, 0x30, 0x47, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, |
|
+ 0x04, 0x03, 0x0c, 0x18, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, |
|
+ 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, |
|
+ 0x43, 0x41, 0x20, 0x36, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a, 0x86, |
|
+ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63, |
|
+ 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74, |
|
+ 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x32, |
|
+ 0x31, 0x35, 0x31, 0x34, 0x30, 0x30, 0x34, 0x34, 0x5a, 0x17, 0x0d, 0x33, |
|
+ 0x38, 0x30, 0x31, 0x31, 0x37, 0x31, 0x34, 0x30, 0x30, 0x34, 0x34, 0x5a, |
|
+ 0x30, 0x4e, 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, |
|
+ 0x1f, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, |
|
+ 0x75, 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x53, 0x69, 0x67, |
|
+ 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x36, 0x30, 0x32, 0x31, 0x22, 0x30, 0x20, |
|
+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, |
|
+ 0x13, 0x73, 0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, |
|
+ 0x64, 0x68, 0x61, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22, |
|
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, |
|
+ 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, |
|
+ 0x02, 0x82, 0x01, 0x01, 0x00, 0xaa, 0x6f, 0xbb, 0x92, 0x77, 0xd7, 0x15, |
|
+ 0xef, 0x88, 0x80, 0x88, 0xc0, 0xe7, 0x89, 0xeb, 0x35, 0x76, 0xf4, 0x85, |
|
+ 0x05, 0x0f, 0x19, 0xe4, 0x5f, 0x25, 0xdd, 0xc1, 0xa2, 0xe5, 0x5c, 0x06, |
|
+ 0xfb, 0xf1, 0x06, 0xb5, 0x65, 0x45, 0xcb, 0xbd, 0x19, 0x33, 0x54, 0xb5, |
|
+ 0x1a, 0xcd, 0xe4, 0xa8, 0x35, 0x2a, 0xfe, 0x9c, 0x53, 0xf4, 0xc6, 0x76, |
|
+ 0xdb, 0x1f, 0x8a, 0xd4, 0x7b, 0x18, 0x11, 0xaf, 0xa3, 0x90, 0xd4, 0xdd, |
|
+ 0x4d, 0xd5, 0x42, 0xcc, 0x14, 0x9a, 0x64, 0x6b, 0xc0, 0x7f, 0xaa, 0x1c, |
|
+ 0x94, 0x47, 0x4d, 0x79, 0xbd, 0x57, 0x9a, 0xbf, 0x99, 0x4e, 0x96, 0xa9, |
|
+ 0x31, 0x2c, 0xa9, 0xe7, 0x14, 0x65, 0x86, 0xc8, 0xac, 0x79, 0x5e, 0x78, |
|
+ 0xa4, 0x3c, 0x00, 0x24, 0xd3, 0xf7, 0xe1, 0xf5, 0x12, 0xad, 0xa0, 0x29, |
|
+ 0xe5, 0xfe, 0x80, 0xae, 0xf8, 0xaa, 0x60, 0x36, 0xe7, 0xe8, 0x94, 0xcb, |
|
+ 0xe9, 0xd1, 0xcc, 0x0b, 0x4d, 0xf7, 0xde, 0xeb, 0x52, 0xd2, 0x73, 0x09, |
|
+ 0x28, 0xdf, 0x48, 0x99, 0x53, 0x9f, 0xc5, 0x9a, 0xd4, 0x36, 0xa3, 0xc6, |
|
+ 0x5e, 0x8d, 0xbe, 0xd5, 0xdc, 0x76, 0xb4, 0x74, 0xb8, 0x26, 0x18, 0x27, |
|
+ 0xfb, 0xf2, 0xfb, 0xd0, 0x9b, 0x3d, 0x7f, 0x10, 0xe2, 0xab, 0x44, 0xc7, |
|
+ 0x88, 0x7f, 0xb4, 0x3d, 0x3e, 0xa3, 0xff, 0x6d, 0x06, 0x4b, 0x3e, 0x55, |
|
+ 0xb2, 0x84, 0xf4, 0xad, 0x54, 0x88, 0x81, 0xc3, 0x9c, 0xf8, 0xb6, 0x68, |
|
+ 0x96, 0x38, 0x8b, 0xcd, 0x90, 0x6d, 0x25, 0x4b, 0xbf, 0x0c, 0x44, 0x90, |
|
+ 0xa5, 0x5b, 0x98, 0xd0, 0x40, 0x2f, 0xbb, 0x0d, 0xa8, 0x4b, 0x8a, 0x62, |
|
+ 0x82, 0x46, 0x46, 0x18, 0x38, 0xae, 0x82, 0x07, 0xd0, 0xb4, 0x2f, 0x16, |
|
+ 0x79, 0x55, 0x9f, 0x1b, 0xc5, 0x08, 0x6d, 0x85, 0xdf, 0x3f, 0xa9, 0x9b, |
|
+ 0x4b, 0xc6, 0x28, 0xd3, 0x58, 0x72, 0x3d, 0x37, 0x11, 0x02, 0x03, 0x01, |
|
+ 0x00, 0x01, 0xa3, 0x78, 0x30, 0x76, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, |
|
+ 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, 0x06, 0x03, |
|
+ 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, |
|
+ 0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c, |
|
+ 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03, |
|
+ 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x6c, |
|
+ 0xe4, 0x6c, 0x27, 0xaa, 0xcd, 0x0d, 0x4b, 0x74, 0x21, 0xa4, 0xf6, 0x5f, |
|
+ 0x87, 0xb5, 0x31, 0xfe, 0x10, 0xbb, 0xa7, 0x30, 0x1f, 0x06, 0x03, 0x55, |
|
+ 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xe8, 0x6a, 0x1c, 0xab, |
|
+ 0x2c, 0x48, 0xf9, 0x60, 0x36, 0xa2, 0xf0, 0x7b, 0x8e, 0xd2, 0x9d, 0xb4, |
|
+ 0x2a, 0x28, 0x98, 0xc8, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, |
|
+ 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, |
|
+ 0x55, 0x34, 0xe2, 0xfa, 0xf6, 0x89, 0x86, 0xad, 0x92, 0x21, 0xec, 0xb9, |
|
+ 0x54, 0x0e, 0x18, 0x47, 0x0d, 0x1b, 0xa7, 0x58, 0xad, 0x69, 0xe4, 0xef, |
|
+ 0x3b, 0xe6, 0x8d, 0xdd, 0xda, 0x0c, 0x45, 0xf6, 0xe8, 0x96, 0xa4, 0x29, |
|
+ 0x0f, 0xbb, 0xcf, 0x16, 0xae, 0x93, 0xd0, 0xcb, 0x2a, 0x26, 0x1a, 0x7b, |
|
+ 0xfc, 0x51, 0x22, 0x76, 0x98, 0x31, 0xa7, 0x0f, 0x29, 0x35, 0x79, 0xbf, |
|
+ 0xe2, 0x4f, 0x0f, 0x14, 0xf5, 0x1f, 0xcb, 0xbf, 0x87, 0x65, 0x13, 0x32, |
|
+ 0xa3, 0x19, 0x4a, 0xd1, 0x3f, 0x45, 0xd4, 0x4b, 0xe2, 0x00, 0x26, 0xa9, |
|
+ 0x3e, 0xd7, 0xa5, 0x37, 0x9f, 0xf5, 0xad, 0x61, 0xe2, 0x40, 0xa9, 0x74, |
|
+ 0x24, 0x53, 0xf2, 0x78, 0xeb, 0x10, 0x9b, 0x2c, 0x27, 0x88, 0x46, 0xcb, |
|
+ 0xe4, 0x60, 0xca, 0xf5, 0x06, 0x24, 0x40, 0x2a, 0x97, 0x3a, 0xcc, 0xd0, |
|
+ 0x81, 0xb1, 0x15, 0xa3, 0x4f, 0xd0, 0x2b, 0x4f, 0xca, 0x6e, 0xaa, 0x24, |
|
+ 0x31, 0xb3, 0xac, 0xa6, 0x75, 0x05, 0xfe, 0x8a, 0xf4, 0x41, 0xc4, 0x06, |
|
+ 0x8a, 0xc7, 0x0a, 0x83, 0x4e, 0x49, 0xd4, 0x3f, 0x83, 0x50, 0xec, 0x57, |
|
+ 0x04, 0x97, 0x14, 0x49, 0xf5, 0xe1, 0xb1, 0x7a, 0x9c, 0x09, 0x4f, 0x61, |
|
+ 0x87, 0xc3, 0x97, 0x22, 0x17, 0xc2, 0xeb, 0xcc, 0x32, 0x81, 0x31, 0x21, |
|
+ 0x3f, 0x10, 0x57, 0x5b, 0x43, 0xbe, 0xcd, 0x68, 0x82, 0xbe, 0xe5, 0xc1, |
|
+ 0x65, 0x94, 0x7e, 0xc2, 0x34, 0x76, 0x2b, 0xcf, 0x89, 0x3c, 0x2b, 0x81, |
|
+ 0x23, 0x72, 0x95, 0xcf, 0xc9, 0x67, 0x19, 0x2a, 0xd5, 0x5c, 0xca, 0xa3, |
|
+ 0x46, 0xbd, 0x48, 0x06, 0x0b, 0xa6, 0xa3, 0x96, 0x50, 0x28, 0xc7, 0x7e, |
|
+ 0xcf, 0x62, 0xf2, 0xfa, 0xc4, 0xf2, 0x53, 0xe3, 0xc9, 0xe8, 0x2e, 0xdd, |
|
+ 0x29, 0x37, 0x07, 0x47, 0xff, 0xff, 0x8a, 0x32, 0xbd, 0xa2, 0xb7, 0x21, |
|
+ 0x89, 0xa0, 0x55, 0xf7 |
|
+}; |
|
+unsigned int certificate_eku_der_len = 916;
|
|
|