/*
* Check the content type OID
*/
int mscode_note_content_type(void *context, size_t hdrlen,
unsigned char tag,
const void *value, size_t vlen)
{
enum OID oid;
oid = look_up_OID(value, vlen);
if (oid == OID__NR) {
char buffer[50];
sprint_oid(value, vlen, buffer, sizeof(buffer));
pr_err("Unknown OID: %s\n", buffer);
return -EBADMSG;
}
/*
* pesign utility had a bug where it was putting
* OID_msIndividualSPKeyPurpose instead of OID_msPeImageDataObjId
* So allow both OIDs.
*/
if (oid != OID_msPeImageDataObjId &&
oid != OID_msIndividualSPKeyPurpose) {
pr_err("Unexpected content type OID %u\n", oid);
return -EBADMSG;
}
return 0;
}
/*
* Note the digest algorithm OID
*/
int mscode_note_digest_algo(void *context, size_t hdrlen,
unsigned char tag,
const void *value, size_t vlen)
{
struct pefile_context *ctx = context;
char buffer[50];
enum OID oid;
oid = look_up_OID(value, vlen);
switch (oid) {
case OID_md4:
ctx->digest_algo = HASH_ALGO_MD4;
break;
case OID_md5:
ctx->digest_algo = HASH_ALGO_MD5;
break;
case OID_sha1:
ctx->digest_algo = HASH_ALGO_SHA1;
break;
case OID_sha256:
ctx->digest_algo = HASH_ALGO_SHA256;
break;
case OID__NR:
sprint_oid(value, vlen, buffer, sizeof(buffer));
pr_err("Unknown OID: %s\n", buffer);
return -EBADMSG;
default:
pr_err("Unsupported content type: %u\n", oid);
return -ENOPKG;
}
return 0;
}
/*
* Note an OID when we find one for later processing when we know how
* to interpret it.
*/
int x509_note_OID(void *context, size_t hdrlen,
unsigned char tag,
const void *value, size_t vlen)
{
struct x509_parse_context *ctx = context;
ctx->last_oid = look_up_OID(value, vlen);
if (ctx->last_oid == OID__NR) {
char buffer[50];
sprint_oid(value, vlen, buffer, sizeof(buffer));
pr_debug("Unknown OID: [%lu] %s\n",
(unsigned long)value - ctx->data, buffer);
}
return 0;
}
/*
* Parse authenticated attributes.
*/
int pkcs7_sig_note_authenticated_attr(void *context, size_t hdrlen,
unsigned char tag,
const void *value, size_t vlen)
{
struct pkcs7_parse_context *ctx = context;
struct pkcs7_signed_info *sinfo = ctx->sinfo;
enum OID content_type;
pr_devel("AuthAttr: %02x %zu [%*ph]\n", tag, vlen, (unsigned)vlen, value);
switch (ctx->last_oid) {
case OID_contentType:
if (__test_and_set_bit(sinfo_has_content_type, &sinfo->aa_set))
goto repeated;
content_type = look_up_OID(value, vlen);
if (content_type != ctx->msg->data_type) {
pr_warn("Mismatch between global data type (%d) and sinfo %u (%d)\n",
ctx->msg->data_type, sinfo->index,
content_type);
return -EBADMSG;
}
return 0;
case OID_signingTime:
if (__test_and_set_bit(sinfo_has_signing_time, &sinfo->aa_set))
goto repeated;
/* Should we check that the signing time is consistent
* with the signer's X.509 cert?
*/
return x509_decode_time(&sinfo->signing_time,
hdrlen, tag, value, vlen);
case OID_messageDigest:
if (__test_and_set_bit(sinfo_has_message_digest, &sinfo->aa_set))
goto repeated;
if (tag != ASN1_OTS)
return -EBADMSG;
sinfo->msgdigest = value;
sinfo->msgdigest_len = vlen;
return 0;
case OID_smimeCapabilites:
if (__test_and_set_bit(sinfo_has_smime_caps, &sinfo->aa_set))
goto repeated;
if (ctx->msg->data_type != OID_msIndirectData) {
pr_warn("S/MIME Caps only allowed with Authenticode\n");
return -EKEYREJECTED;
}
return 0;
/* Microsoft SpOpusInfo seems to be contain cont[0] 16-bit BE
* char URLs and cont[1] 8-bit char URLs.
*
* Microsoft StatementType seems to contain a list of OIDs that
* are also used as extendedKeyUsage types in X.509 certs.
*/
case OID_msSpOpusInfo:
if (__test_and_set_bit(sinfo_has_ms_opus_info, &sinfo->aa_set))
goto repeated;
goto authenticode_check;
case OID_msStatementType:
if (__test_and_set_bit(sinfo_has_ms_statement_type, &sinfo->aa_set))
goto repeated;
authenticode_check:
if (ctx->msg->data_type != OID_msIndirectData) {
pr_warn("Authenticode AuthAttrs only allowed with Authenticode\n");
return -EKEYREJECTED;
}
/* I'm not sure how to validate these */
return 0;
default:
return 0;
}
repeated:
/* We permit max one item per AuthenticatedAttribute and no repeats */
pr_warn("Repeated/multivalue AuthAttrs not permitted\n");
return -EKEYREJECTED;
}