crypto/asymmetric_keys/x509_cert_parser.c

0001 // SPDX-License-Identifier: GPL-2.0-or-later
0002 /* X.509 certificate parser
0003  *
0004  * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
0005  * Written by David Howells (dhowells@redhat.com)
0006  */
0007
0008 #define pr_fmt(fmt) "X.509: "fmt
0009 #include <linux/kernel.h>
0010 #include <linux/export.h>
0011 #include <linux/slab.h>
0012 #include <linux/err.h>
0013 #include <linux/oid_registry.h>
0014 #include <crypto/public_key.h>
0015 #include "x509_parser.h"
0016 #include "x509.asn1.h"
0017 #include "x509_akid.asn1.h"
0018
0019 struct x509_parse_context {
0020     struct x509_certificate *cert;      /* Certificate being constructed */
0021     unsigned long   data;           /* Start of data */
0022     const void  *key;           /* Key data */
0023     size_t      key_size;       /* Size of key data */
0024     const void  *params;        /* Key parameters */
0025     size_t      params_size;        /* Size of key parameters */
0026     enum OID    key_algo;       /* Algorithm used by the cert's key */
0027     enum OID    last_oid;       /* Last OID encountered */
0028     enum OID    sig_algo;       /* Algorithm used to sign the cert */
0029     u8      o_size;         /* Size of organizationName (O) */
0030     u8      cn_size;        /* Size of commonName (CN) */
0031     u8      email_size;     /* Size of emailAddress */
0032     u16     o_offset;       /* Offset of organizationName (O) */
0033     u16     cn_offset;      /* Offset of commonName (CN) */
0034     u16     email_offset;       /* Offset of emailAddress */
0035     unsigned    raw_akid_size;
0036     const void  *raw_akid;      /* Raw authorityKeyId in ASN.1 */
0037     const void  *akid_raw_issuer;   /* Raw directoryName in authorityKeyId */
0038     unsigned    akid_raw_issuer_size;
0039 };
0040
0041 /*
0042  * Free an X.509 certificate
0043  */
0044 void x509_free_certificate(struct x509_certificate *cert)
0045 {
0046     if (cert) {
0047         public_key_free(cert->pub);
0048         public_key_signature_free(cert->sig);
0049         kfree(cert->issuer);
0050         kfree(cert->subject);
0051         kfree(cert->id);
0052         kfree(cert->skid);
0053         kfree(cert);
0054     }
0055 }
0056 EXPORT_SYMBOL_GPL(x509_free_certificate);
0057
0058 /*
0059  * Parse an X.509 certificate
0060  */
0061 struct x509_certificate *x509_cert_parse(const void *data, size_t datalen)
0062 {
0063     struct x509_certificate *cert;
0064     struct x509_parse_context *ctx;
0065     struct asymmetric_key_id *kid;
0066     long ret;
0067
0068     ret = -ENOMEM;
0069     cert = kzalloc(sizeof(struct x509_certificate), GFP_KERNEL);
0070     if (!cert)
0071         goto error_no_cert;
0072     cert->pub = kzalloc(sizeof(struct public_key), GFP_KERNEL);
0073     if (!cert->pub)
0074         goto error_no_ctx;
0075     cert->sig = kzalloc(sizeof(struct public_key_signature), GFP_KERNEL);
0076     if (!cert->sig)
0077         goto error_no_ctx;
0078     ctx = kzalloc(sizeof(struct x509_parse_context), GFP_KERNEL);
0079     if (!ctx)
0080         goto error_no_ctx;
0081
0082     ctx->cert = cert;
0083     ctx->data = (unsigned long)data;
0084
0085     /* Attempt to decode the certificate */
0086     ret = asn1_ber_decoder(&x509_decoder, ctx, data, datalen);
0087     if (ret < 0)
0088         goto error_decode;
0089
0090     /* Decode the AuthorityKeyIdentifier */
0091     if (ctx->raw_akid) {
0092         pr_devel("AKID: %u %*phN\n",
0093              ctx->raw_akid_size, ctx->raw_akid_size, ctx->raw_akid);
0094         ret = asn1_ber_decoder(&x509_akid_decoder, ctx,
0095                        ctx->raw_akid, ctx->raw_akid_size);
0096         if (ret < 0) {
0097             pr_warn("Couldn't decode AuthKeyIdentifier\n");
0098             goto error_decode;
0099         }
0100     }
0101
0102     ret = -ENOMEM;
0103     cert->pub->key = kmemdup(ctx->key, ctx->key_size, GFP_KERNEL);
0104     if (!cert->pub->key)
0105         goto error_decode;
0106
0107     cert->pub->keylen = ctx->key_size;
0108
0109     cert->pub->params = kmemdup(ctx->params, ctx->params_size, GFP_KERNEL);
0110     if (!cert->pub->params)
0111         goto error_decode;
0112
0113     cert->pub->paramlen = ctx->params_size;
0114     cert->pub->algo = ctx->key_algo;
0115
0116     /* Grab the signature bits */
0117     ret = x509_get_sig_params(cert);
0118     if (ret < 0)
0119         goto error_decode;
0120
0121     /* Generate cert issuer + serial number key ID */
0122     kid = asymmetric_key_generate_id(cert->raw_serial,
0123                      cert->raw_serial_size,
0124                      cert->raw_issuer,
0125                      cert->raw_issuer_size);
0126     if (IS_ERR(kid)) {
0127         ret = PTR_ERR(kid);
0128         goto error_decode;
0129     }
0130     cert->id = kid;
0131
0132     /* Detect self-signed certificates */
0133     ret = x509_check_for_self_signed(cert);
0134     if (ret < 0)
0135         goto error_decode;
0136
0137     kfree(ctx);
0138     return cert;
0139
0140 error_decode:
0141     kfree(ctx);
0142 error_no_ctx:
0143     x509_free_certificate(cert);
0144 error_no_cert:
0145     return ERR_PTR(ret);
0146 }
0147 EXPORT_SYMBOL_GPL(x509_cert_parse);
0148
0149 /*
0150  * Note an OID when we find one for later processing when we know how
0151  * to interpret it.
0152  */
0153 int x509_note_OID(void *context, size_t hdrlen,
0154          unsigned char tag,
0155          const void *value, size_t vlen)
0156 {
0157     struct x509_parse_context *ctx = context;
0158
0159     ctx->last_oid = look_up_OID(value, vlen);
0160     if (ctx->last_oid == OID__NR) {
0161         char buffer[50];
0162         sprint_oid(value, vlen, buffer, sizeof(buffer));
0163         pr_debug("Unknown OID: [%lu] %s\n",
0164              (unsigned long)value - ctx->data, buffer);
0165     }
0166     return 0;
0167 }
0168
0169 /*
0170  * Save the position of the TBS data so that we can check the signature over it
0171  * later.
0172  */
0173 int x509_note_tbs_certificate(void *context, size_t hdrlen,
0174                   unsigned char tag,
0175                   const void *value, size_t vlen)
0176 {
0177     struct x509_parse_context *ctx = context;
0178
0179     pr_debug("x509_note_tbs_certificate(,%zu,%02x,%ld,%zu)!\n",
0180          hdrlen, tag, (unsigned long)value - ctx->data, vlen);
0181
0182     ctx->cert->tbs = value - hdrlen;
0183     ctx->cert->tbs_size = vlen + hdrlen;
0184     return 0;
0185 }
0186
0187 /*
0188  * Record the algorithm that was used to sign this certificate.
0189  */
0190 int x509_note_sig_algo(void *context, size_t hdrlen, unsigned char tag,
0191                const void *value, size_t vlen)
0192 {
0193     struct x509_parse_context *ctx = context;
0194
0195     pr_debug("PubKey Algo: %u\n", ctx->last_oid);
0196
0197     switch (ctx->last_oid) {
0198     case OID_md2WithRSAEncryption:
0199     case OID_md3WithRSAEncryption:
0200     default:
0201         return -ENOPKG; /* Unsupported combination */
0202
0203     case OID_md4WithRSAEncryption:
0204         ctx->cert->sig->hash_algo = "md4";
0205         goto rsa_pkcs1;
0206
0207     case OID_sha1WithRSAEncryption:
0208         ctx->cert->sig->hash_algo = "sha1";
0209         goto rsa_pkcs1;
0210
0211     case OID_sha256WithRSAEncryption:
0212         ctx->cert->sig->hash_algo = "sha256";
0213         goto rsa_pkcs1;
0214
0215     case OID_sha384WithRSAEncryption:
0216         ctx->cert->sig->hash_algo = "sha384";
0217         goto rsa_pkcs1;
0218
0219     case OID_sha512WithRSAEncryption:
0220         ctx->cert->sig->hash_algo = "sha512";
0221         goto rsa_pkcs1;
0222
0223     case OID_sha224WithRSAEncryption:
0224         ctx->cert->sig->hash_algo = "sha224";
0225         goto rsa_pkcs1;
0226
0227     case OID_id_ecdsa_with_sha1:
0228         ctx->cert->sig->hash_algo = "sha1";
0229         goto ecdsa;
0230
0231     case OID_id_ecdsa_with_sha224:
0232         ctx->cert->sig->hash_algo = "sha224";
0233         goto ecdsa;
0234
0235     case OID_id_ecdsa_with_sha256:
0236         ctx->cert->sig->hash_algo = "sha256";
0237         goto ecdsa;
0238
0239     case OID_id_ecdsa_with_sha384:
0240         ctx->cert->sig->hash_algo = "sha384";
0241         goto ecdsa;
0242
0243     case OID_id_ecdsa_with_sha512:
0244         ctx->cert->sig->hash_algo = "sha512";
0245         goto ecdsa;
0246
0247     case OID_gost2012Signature256:
0248         ctx->cert->sig->hash_algo = "streebog256";
0249         goto ecrdsa;
0250
0251     case OID_gost2012Signature512:
0252         ctx->cert->sig->hash_algo = "streebog512";
0253         goto ecrdsa;
0254
0255     case OID_SM2_with_SM3:
0256         ctx->cert->sig->hash_algo = "sm3";
0257         goto sm2;
0258     }
0259
0260 rsa_pkcs1:
0261     ctx->cert->sig->pkey_algo = "rsa";
0262     ctx->cert->sig->encoding = "pkcs1";
0263     ctx->sig_algo = ctx->last_oid;
0264     return 0;
0265 ecrdsa:
0266     ctx->cert->sig->pkey_algo = "ecrdsa";
0267     ctx->cert->sig->encoding = "raw";
0268     ctx->sig_algo = ctx->last_oid;
0269     return 0;
0270 sm2:
0271     ctx->cert->sig->pkey_algo = "sm2";
0272     ctx->cert->sig->encoding = "raw";
0273     ctx->sig_algo = ctx->last_oid;
0274     return 0;
0275 ecdsa:
0276     ctx->cert->sig->pkey_algo = "ecdsa";
0277     ctx->cert->sig->encoding = "x962";
0278     ctx->sig_algo = ctx->last_oid;
0279     return 0;
0280 }
0281
0282 /*
0283  * Note the whereabouts and type of the signature.
0284  */
0285 int x509_note_signature(void *context, size_t hdrlen,
0286             unsigned char tag,
0287             const void *value, size_t vlen)
0288 {
0289     struct x509_parse_context *ctx = context;
0290
0291     pr_debug("Signature: alg=%u, size=%zu\n", ctx->last_oid, vlen);
0292
0293     /*
0294      * In X.509 certificates, the signature's algorithm is stored in two
0295      * places: inside the TBSCertificate (the data that is signed), and
0296      * alongside the signature.  These *must* match.
0297      */
0298     if (ctx->last_oid != ctx->sig_algo) {
0299         pr_warn("signatureAlgorithm (%u) differs from tbsCertificate.signature (%u)\n",
0300             ctx->last_oid, ctx->sig_algo);
0301         return -EINVAL;
0302     }
0303
0304     if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0 ||
0305         strcmp(ctx->cert->sig->pkey_algo, "ecrdsa") == 0 ||
0306         strcmp(ctx->cert->sig->pkey_algo, "sm2") == 0 ||
0307         strcmp(ctx->cert->sig->pkey_algo, "ecdsa") == 0) {
0308         /* Discard the BIT STRING metadata */
0309         if (vlen < 1 || *(const u8 *)value != 0)
0310             return -EBADMSG;
0311
0312         value++;
0313         vlen--;
0314     }
0315
0316     ctx->cert->raw_sig = value;
0317     ctx->cert->raw_sig_size = vlen;
0318     return 0;
0319 }
0320
0321 /*
0322  * Note the certificate serial number
0323  */
0324 int x509_note_serial(void *context, size_t hdrlen,
0325              unsigned char tag,
0326              const void *value, size_t vlen)
0327 {
0328     struct x509_parse_context *ctx = context;
0329     ctx->cert->raw_serial = value;
0330     ctx->cert->raw_serial_size = vlen;
0331     return 0;
0332 }
0333
0334 /*
0335  * Note some of the name segments from which we'll fabricate a name.
0336  */
0337 int x509_extract_name_segment(void *context, size_t hdrlen,
0338                   unsigned char tag,
0339                   const void *value, size_t vlen)
0340 {
0341     struct x509_parse_context *ctx = context;
0342
0343     switch (ctx->last_oid) {
0344     case OID_commonName:
0345         ctx->cn_size = vlen;
0346         ctx->cn_offset = (unsigned long)value - ctx->data;
0347         break;
0348     case OID_organizationName:
0349         ctx->o_size = vlen;
0350         ctx->o_offset = (unsigned long)value - ctx->data;
0351         break;
0352     case OID_email_address:
0353         ctx->email_size = vlen;
0354         ctx->email_offset = (unsigned long)value - ctx->data;
0355         break;
0356     default:
0357         break;
0358     }
0359
0360     return 0;
0361 }
0362
0363 /*
0364  * Fabricate and save the issuer and subject names
0365  */
0366 static int x509_fabricate_name(struct x509_parse_context *ctx, size_t hdrlen,
0367                    unsigned char tag,
0368                    char **_name, size_t vlen)
0369 {
0370     const void *name, *data = (const void *)ctx->data;
0371     size_t namesize;
0372     char *buffer;
0373
0374     if (*_name)
0375         return -EINVAL;
0376
0377     /* Empty name string if no material */
0378     if (!ctx->cn_size && !ctx->o_size && !ctx->email_size) {
0379         buffer = kmalloc(1, GFP_KERNEL);
0380         if (!buffer)
0381             return -ENOMEM;
0382         buffer[0] = 0;
0383         goto done;
0384     }
0385
0386     if (ctx->cn_size && ctx->o_size) {
0387         /* Consider combining O and CN, but use only the CN if it is
0388          * prefixed by the O, or a significant portion thereof.
0389          */
0390         namesize = ctx->cn_size;
0391         name = data + ctx->cn_offset;
0392         if (ctx->cn_size >= ctx->o_size &&
0393             memcmp(data + ctx->cn_offset, data + ctx->o_offset,
0394                ctx->o_size) == 0)
0395             goto single_component;
0396         if (ctx->cn_size >= 7 &&
0397             ctx->o_size >= 7 &&
0398             memcmp(data + ctx->cn_offset, data + ctx->o_offset, 7) == 0)
0399             goto single_component;
0400
0401         buffer = kmalloc(ctx->o_size + 2 + ctx->cn_size + 1,
0402                  GFP_KERNEL);
0403         if (!buffer)
0404             return -ENOMEM;
0405
0406         memcpy(buffer,
0407                data + ctx->o_offset, ctx->o_size);
0408         buffer[ctx->o_size + 0] = ':';
0409         buffer[ctx->o_size + 1] = ' ';
0410         memcpy(buffer + ctx->o_size + 2,
0411                data + ctx->cn_offset, ctx->cn_size);
0412         buffer[ctx->o_size + 2 + ctx->cn_size] = 0;
0413         goto done;
0414
0415     } else if (ctx->cn_size) {
0416         namesize = ctx->cn_size;
0417         name = data + ctx->cn_offset;
0418     } else if (ctx->o_size) {
0419         namesize = ctx->o_size;
0420         name = data + ctx->o_offset;
0421     } else {
0422         namesize = ctx->email_size;
0423         name = data + ctx->email_offset;
0424     }
0425
0426 single_component:
0427     buffer = kmalloc(namesize + 1, GFP_KERNEL);
0428     if (!buffer)
0429         return -ENOMEM;
0430     memcpy(buffer, name, namesize);
0431     buffer[namesize] = 0;
0432
0433 done:
0434     *_name = buffer;
0435     ctx->cn_size = 0;
0436     ctx->o_size = 0;
0437     ctx->email_size = 0;
0438     return 0;
0439 }
0440
0441 int x509_note_issuer(void *context, size_t hdrlen,
0442              unsigned char tag,
0443              const void *value, size_t vlen)
0444 {
0445     struct x509_parse_context *ctx = context;
0446     struct asymmetric_key_id *kid;
0447
0448     ctx->cert->raw_issuer = value;
0449     ctx->cert->raw_issuer_size = vlen;
0450
0451     if (!ctx->cert->sig->auth_ids[2]) {
0452         kid = asymmetric_key_generate_id(value, vlen, "", 0);
0453         if (IS_ERR(kid))
0454             return PTR_ERR(kid);
0455         ctx->cert->sig->auth_ids[2] = kid;
0456     }
0457
0458     return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->issuer, vlen);
0459 }
0460
0461 int x509_note_subject(void *context, size_t hdrlen,
0462               unsigned char tag,
0463               const void *value, size_t vlen)
0464 {
0465     struct x509_parse_context *ctx = context;
0466     ctx->cert->raw_subject = value;
0467     ctx->cert->raw_subject_size = vlen;
0468     return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->subject, vlen);
0469 }
0470
0471 /*
0472  * Extract the parameters for the public key
0473  */
0474 int x509_note_params(void *context, size_t hdrlen,
0475              unsigned char tag,
0476              const void *value, size_t vlen)
0477 {
0478     struct x509_parse_context *ctx = context;
0479
0480     /*
0481      * AlgorithmIdentifier is used three times in the x509, we should skip
0482      * first and ignore third, using second one which is after subject and
0483      * before subjectPublicKey.
0484      */
0485     if (!ctx->cert->raw_subject || ctx->key)
0486         return 0;
0487     ctx->params = value - hdrlen;
0488     ctx->params_size = vlen + hdrlen;
0489     return 0;
0490 }
0491
0492 /*
0493  * Extract the data for the public key algorithm
0494  */
0495 int x509_extract_key_data(void *context, size_t hdrlen,
0496               unsigned char tag,
0497               const void *value, size_t vlen)
0498 {
0499     struct x509_parse_context *ctx = context;
0500     enum OID oid;
0501
0502     ctx->key_algo = ctx->last_oid;
0503     switch (ctx->last_oid) {
0504     case OID_rsaEncryption:
0505         ctx->cert->pub->pkey_algo = "rsa";
0506         break;
0507     case OID_gost2012PKey256:
0508     case OID_gost2012PKey512:
0509         ctx->cert->pub->pkey_algo = "ecrdsa";
0510         break;
0511     case OID_sm2:
0512         ctx->cert->pub->pkey_algo = "sm2";
0513         break;
0514     case OID_id_ecPublicKey:
0515         if (parse_OID(ctx->params, ctx->params_size, &oid) != 0)
0516             return -EBADMSG;
0517
0518         switch (oid) {
0519         case OID_sm2:
0520             ctx->cert->pub->pkey_algo = "sm2";
0521             break;
0522         case OID_id_prime192v1:
0523             ctx->cert->pub->pkey_algo = "ecdsa-nist-p192";
0524             break;
0525         case OID_id_prime256v1:
0526             ctx->cert->pub->pkey_algo = "ecdsa-nist-p256";
0527             break;
0528         case OID_id_ansip384r1:
0529             ctx->cert->pub->pkey_algo = "ecdsa-nist-p384";
0530             break;
0531         default:
0532             return -ENOPKG;
0533         }
0534         break;
0535     default:
0536         return -ENOPKG;
0537     }
0538
0539     /* Discard the BIT STRING metadata */
0540     if (vlen < 1 || *(const u8 *)value != 0)
0541         return -EBADMSG;
0542     ctx->key = value + 1;
0543     ctx->key_size = vlen - 1;
0544     return 0;
0545 }
0546
0547 /* The keyIdentifier in AuthorityKeyIdentifier SEQUENCE is tag(CONT,PRIM,0) */
0548 #define SEQ_TAG_KEYID (ASN1_CONT << 6)
0549
0550 /*
0551  * Process certificate extensions that are used to qualify the certificate.
0552  */
0553 int x509_process_extension(void *context, size_t hdrlen,
0554                unsigned char tag,
0555                const void *value, size_t vlen)
0556 {
0557     struct x509_parse_context *ctx = context;
0558     struct asymmetric_key_id *kid;
0559     const unsigned char *v = value;
0560
0561     pr_debug("Extension: %u\n", ctx->last_oid);
0562
0563     if (ctx->last_oid == OID_subjectKeyIdentifier) {
0564         /* Get hold of the key fingerprint */
0565         if (ctx->cert->skid || vlen < 3)
0566             return -EBADMSG;
0567         if (v[0] != ASN1_OTS || v[1] != vlen - 2)
0568             return -EBADMSG;
0569         v += 2;
0570         vlen -= 2;
0571
0572         ctx->cert->raw_skid_size = vlen;
0573         ctx->cert->raw_skid = v;
0574         kid = asymmetric_key_generate_id(v, vlen, "", 0);
0575         if (IS_ERR(kid))
0576             return PTR_ERR(kid);
0577         ctx->cert->skid = kid;
0578         pr_debug("subjkeyid %*phN\n", kid->len, kid->data);
0579         return 0;
0580     }
0581
0582     if (ctx->last_oid == OID_authorityKeyIdentifier) {
0583         /* Get hold of the CA key fingerprint */
0584         ctx->raw_akid = v;
0585         ctx->raw_akid_size = vlen;
0586         return 0;
0587     }
0588
0589     return 0;
0590 }
0591
0592 /**
0593  * x509_decode_time - Decode an X.509 time ASN.1 object
0594  * @_t: The time to fill in
0595  * @hdrlen: The length of the object header
0596  * @tag: The object tag
0597  * @value: The object value
0598  * @vlen: The size of the object value
0599  *
0600  * Decode an ASN.1 universal time or generalised time field into a struct the
0601  * kernel can handle and check it for validity.  The time is decoded thus:
0602  *
0603  *  [RFC5280 §4.1.2.5]
0604  *  CAs conforming to this profile MUST always encode certificate validity
0605  *  dates through the year 2049 as UTCTime; certificate validity dates in
0606  *  2050 or later MUST be encoded as GeneralizedTime.  Conforming
0607  *  applications MUST be able to process validity dates that are encoded in
0608  *  either UTCTime or GeneralizedTime.
0609  */
0610 int x509_decode_time(time64_t *_t,  size_t hdrlen,
0611              unsigned char tag,
0612              const unsigned char *value, size_t vlen)
0613 {
0614     static const unsigned char month_lengths[] = { 31, 28, 31, 30, 31, 30,
0615                                31, 31, 30, 31, 30, 31 };
0616     const unsigned char *p = value;
0617     unsigned year, mon, day, hour, min, sec, mon_len;
0618
0619 #define dec2bin(X) ({ unsigned char x = (X) - '0'; if (x > 9) goto invalid_time; x; })
0620 #define DD2bin(P) ({ unsigned x = dec2bin(P[0]) * 10 + dec2bin(P[1]); P += 2; x; })
0621
0622     if (tag == ASN1_UNITIM) {
0623         /* UTCTime: YYMMDDHHMMSSZ */
0624         if (vlen != 13)
0625             goto unsupported_time;
0626         year = DD2bin(p);
0627         if (year >= 50)
0628             year += 1900;
0629         else
0630             year += 2000;
0631     } else if (tag == ASN1_GENTIM) {
0632         /* GenTime: YYYYMMDDHHMMSSZ */
0633         if (vlen != 15)
0634             goto unsupported_time;
0635         year = DD2bin(p) * 100 + DD2bin(p);
0636         if (year >= 1950 && year <= 2049)
0637             goto invalid_time;
0638     } else {
0639         goto unsupported_time;
0640     }
0641
0642     mon  = DD2bin(p);
0643     day = DD2bin(p);
0644     hour = DD2bin(p);
0645     min  = DD2bin(p);
0646     sec  = DD2bin(p);
0647
0648     if (*p != 'Z')
0649         goto unsupported_time;
0650
0651     if (year < 1970 ||
0652         mon < 1 || mon > 12)
0653         goto invalid_time;
0654
0655     mon_len = month_lengths[mon - 1];
0656     if (mon == 2) {
0657         if (year % 4 == 0) {
0658             mon_len = 29;
0659             if (year % 100 == 0) {
0660                 mon_len = 28;
0661                 if (year % 400 == 0)
0662                     mon_len = 29;
0663             }
0664         }
0665     }
0666
0667     if (day < 1 || day > mon_len ||
0668         hour > 24 || /* ISO 8601 permits 24:00:00 as midnight tomorrow */
0669         min > 59 ||
0670         sec > 60) /* ISO 8601 permits leap seconds [X.680 46.3] */
0671         goto invalid_time;
0672
0673     *_t = mktime64(year, mon, day, hour, min, sec);
0674     return 0;
0675
0676 unsupported_time:
0677     pr_debug("Got unsupported time [tag %02x]: '%*phN'\n",
0678          tag, (int)vlen, value);
0679     return -EBADMSG;
0680 invalid_time:
0681     pr_debug("Got invalid time [tag %02x]: '%*phN'\n",
0682          tag, (int)vlen, value);
0683     return -EBADMSG;
0684 }
0685 EXPORT_SYMBOL_GPL(x509_decode_time);
0686
0687 int x509_note_not_before(void *context, size_t hdrlen,
0688              unsigned char tag,
0689              const void *value, size_t vlen)
0690 {
0691     struct x509_parse_context *ctx = context;
0692     return x509_decode_time(&ctx->cert->valid_from, hdrlen, tag, value, vlen);
0693 }
0694
0695 int x509_note_not_after(void *context, size_t hdrlen,
0696             unsigned char tag,
0697             const void *value, size_t vlen)
0698 {
0699     struct x509_parse_context *ctx = context;
0700     return x509_decode_time(&ctx->cert->valid_to, hdrlen, tag, value, vlen);
0701 }
0702
0703 /*
0704  * Note a key identifier-based AuthorityKeyIdentifier
0705  */
0706 int x509_akid_note_kid(void *context, size_t hdrlen,
0707                unsigned char tag,
0708                const void *value, size_t vlen)
0709 {
0710     struct x509_parse_context *ctx = context;
0711     struct asymmetric_key_id *kid;
0712
0713     pr_debug("AKID: keyid: %*phN\n", (int)vlen, value);
0714
0715     if (ctx->cert->sig->auth_ids[1])
0716         return 0;
0717
0718     kid = asymmetric_key_generate_id(value, vlen, "", 0);
0719     if (IS_ERR(kid))
0720         return PTR_ERR(kid);
0721     pr_debug("authkeyid %*phN\n", kid->len, kid->data);
0722     ctx->cert->sig->auth_ids[1] = kid;
0723     return 0;
0724 }
0725
0726 /*
0727  * Note a directoryName in an AuthorityKeyIdentifier
0728  */
0729 int x509_akid_note_name(void *context, size_t hdrlen,
0730             unsigned char tag,
0731             const void *value, size_t vlen)
0732 {
0733     struct x509_parse_context *ctx = context;
0734
0735     pr_debug("AKID: name: %*phN\n", (int)vlen, value);
0736
0737     ctx->akid_raw_issuer = value;
0738     ctx->akid_raw_issuer_size = vlen;
0739     return 0;
0740 }
0741
0742 /*
0743  * Note a serial number in an AuthorityKeyIdentifier
0744  */
0745 int x509_akid_note_serial(void *context, size_t hdrlen,
0746               unsigned char tag,
0747               const void *value, size_t vlen)
0748 {
0749     struct x509_parse_context *ctx = context;
0750     struct asymmetric_key_id *kid;
0751
0752     pr_debug("AKID: serial: %*phN\n", (int)vlen, value);
0753
0754     if (!ctx->akid_raw_issuer || ctx->cert->sig->auth_ids[0])
0755         return 0;
0756
0757     kid = asymmetric_key_generate_id(value,
0758                      vlen,
0759                      ctx->akid_raw_issuer,
0760                      ctx->akid_raw_issuer_size);
0761     if (IS_ERR(kid))
0762         return PTR_ERR(kid);
0763
0764     pr_debug("authkeyid %*phN\n", kid->len, kid->data);
0765     ctx->cert->sig->auth_ids[0] = kid;
0766     return 0;
0767 }