1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
// SPDX-License-Identifier: GPL-2.0-or-later
/* Self-testing for signature checking.
*
* Copyright (C) 2022 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*/
#include <crypto/pkcs7.h>
#include <linux/cred.h>
#include <linux/kernel.h>
#include <linux/key.h>
#include <linux/module.h>
#include "selftest.h"
#include "x509_parser.h"
void fips_signature_selftest(const char *name,
const u8 *keys, size_t keys_len,
const u8 *data, size_t data_len,
const u8 *sig, size_t sig_len)
{
struct key *keyring;
int ret;
pr_notice("Running certificate verification %s selftest\n", name);
keyring = keyring_alloc(".certs_selftest",
GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(),
(KEY_POS_ALL & ~KEY_POS_SETATTR) |
KEY_USR_VIEW | KEY_USR_READ |
KEY_USR_SEARCH,
KEY_ALLOC_NOT_IN_QUOTA,
NULL, NULL);
if (IS_ERR(keyring))
panic("Can't allocate certs %s selftest keyring: %ld\n", name, PTR_ERR(keyring));
ret = x509_load_certificate_list(keys, keys_len, keyring);
if (ret < 0)
panic("Can't allocate certs %s selftest keyring: %d\n", name, ret);
struct pkcs7_message *pkcs7;
pkcs7 = pkcs7_parse_message(sig, sig_len);
if (IS_ERR(pkcs7))
panic("Certs %s selftest: pkcs7_parse_message() = %d\n", name, ret);
pkcs7_supply_detached_data(pkcs7, data, data_len);
ret = pkcs7_verify(pkcs7, VERIFYING_MODULE_SIGNATURE);
if (ret < 0)
panic("Certs %s selftest: pkcs7_verify() = %d\n", name, ret);
ret = pkcs7_validate_trust(pkcs7, keyring);
if (ret < 0)
panic("Certs %s selftest: pkcs7_validate_trust() = %d\n", name, ret);
pkcs7_free_message(pkcs7);
key_put(keyring);
}
static int __init fips_signature_selftest_init(void)
{
fips_signature_selftest_rsa();
fips_signature_selftest_ecdsa();
return 0;
}
late_initcall(fips_signature_selftest_init);
MODULE_DESCRIPTION("X.509 self tests");
MODULE_AUTHOR("Red Hat, Inc.");
MODULE_LICENSE("GPL");
|