| From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name> |
| Date: Sat, 19 May 2018 14:23:54 +0200 |
| Subject: X.509: unpack RSA signatureValue field from BIT STRING |
| |
| commit b65c32ec5a942ab3ada93a048089a938918aba7f upstream. |
| |
| The signatureValue field of a X.509 certificate is encoded as a BIT STRING. |
| For RSA signatures this BIT STRING is of so-called primitive subtype, which |
| contains a u8 prefix indicating a count of unused bits in the encoding. |
| |
| We have to strip this prefix from signature data, just as we already do for |
| key data in x509_extract_key_data() function. |
| |
| This wasn't noticed earlier because this prefix byte is zero for RSA key |
| sizes divisible by 8. Since BIT STRING is a big-endian encoding adding zero |
| prefixes has no bearing on its value. |
| |
| The signature length, however was incorrect, which is a problem for RSA |
| implementations that need it to be exactly correct (like AMD CCP). |
| |
| Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name> |
| Fixes: c26fd69fa009 ("X.509: Add a crypto key parser for binary (DER) X.509 certificates") |
| Signed-off-by: James Morris <james.morris@microsoft.com> |
| [bwh: Backported to 3.16: |
| - x509_certificate::sig is a structure, not a pointer |
| - public_key_signature::pkey_algo is an enumeration type, not a string] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| crypto/asymmetric_keys/x509_cert_parser.c | 9 +++++++++ |
| 1 file changed, 9 insertions(+) |
| |
| --- a/crypto/asymmetric_keys/x509_cert_parser.c |
| +++ b/crypto/asymmetric_keys/x509_cert_parser.c |
| @@ -205,6 +205,15 @@ int x509_note_signature(void *context, s |
| return -EINVAL; |
| } |
| |
| + if (ctx->cert->sig.pkey_algo == PKEY_ALGO_RSA) { |
| + /* Discard the BIT STRING metadata */ |
| + if (vlen < 1 || *(const u8 *)value != 0) |
| + return -EBADMSG; |
| + |
| + value++; |
| + vlen--; |
| + } |
| + |
| ctx->cert->raw_sig = value; |
| ctx->cert->raw_sig_size = vlen; |
| return 0; |