From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Javier Martinez Canillas <javierm@redhat.com>

Date: Sat, 8 May 2021 02:27:58 +0200

Subject: [PATCH] appendedsig/x509: Also handle the Extended Key Usage

 extension

Red Hat certificates have both Key Usage and Extended Key Usage extensions

present, but the appended signatures x509 parser doesn't handle the latter

and so buils due finding an unrecognised critical extension:

Error loading initial key:

../../grub-core/commands/appendedsig/x509.c:780:Unhandled critical x509 extension with OID 2.5.29.37

Fix this by also parsing the Extended Key Usage extension and handle it by

verifying that the certificate has a single purpose, that is code signing.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>

Signed-off-by: Daniel Axtens <dja@axtens.net>

---

 grub-core/commands/appendedsig/x509.c     | 94 ++++++++++++++++++++++++++++++-

 grub-core/tests/appended_signature_test.c | 29 +++++++++-

 grub-core/tests/appended_signatures.h     | 81 ++++++++++++++++++++++++++

 3 files changed, 201 insertions(+), 3 deletions(-)

diff --git a/grub-core/commands/appendedsig/x509.c b/grub-core/commands/appendedsig/x509.c

index 2b38b3670a..42ec65c54a 100644

--- a/grub-core/commands/appendedsig/x509.c

+++ b/grub-core/commands/appendedsig/x509.c

@@ -47,6 +47,12 @@ const char *keyUsage_oid = "2.5.29.15";

  */

 const char *basicConstraints_oid = "2.5.29.19";

+/*

+ * RFC 5280 4.2.1.12 Extended Key Usage

+ */

+const char *extendedKeyUsage_oid = "2.5.29.37";

+const char *codeSigningUsage_oid = "1.3.6.1.5.5.7.3.3";

+

 /*

  * RFC 3279 2.3.1

  *

@@ -637,6 +643,77 @@ cleanup:

   return err;

 }

+/*

+ * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId

+ *

+ * KeyPurposeId ::= OBJECT IDENTIFIER

+ */

+static grub_err_t

+verify_extended_key_usage (grub_uint8_t * value, int value_size)

+{

+  asn1_node extendedasn;

+  int result, count;

+  grub_err_t err = GRUB_ERR_NONE;

+  char usage[MAX_OID_LEN];

+  int usage_size = sizeof (usage);

+

+  result =

+    asn1_create_element (_gnutls_pkix_asn, "PKIX1.ExtKeyUsageSyntax",

+			 &extendedasn);

+  if (result != ASN1_SUCCESS)

+    {

+      return grub_error (GRUB_ERR_OUT_OF_MEMORY,

+			 "Could not create ASN.1 structure for Extended Key Usage");

+    }

+

+  result = asn1_der_decoding2 (&extendedasn, value, &value_size,

+			       ASN1_DECODE_FLAG_STRICT_DER, asn1_error);

+  if (result != ASN1_SUCCESS)

+    {

+      err =

+	grub_error (GRUB_ERR_BAD_FILE_TYPE,

+		    "Error parsing DER for Extended Key Usage: %s",

+		    asn1_error);

+      goto cleanup;

+    }

+

+  /*

+   * If EKUs are present, there must be exactly 1 and it must be a

+   * codeSigning usage.

+   */

+  result = asn1_number_of_elements(extendedasn, "", &count);

+  if (result != ASN1_SUCCESS)

+    {

+      err =

+	grub_error (GRUB_ERR_BAD_FILE_TYPE,

+		    "Error counting number of Extended Key Usages: %s",

+		    asn1_strerror (result));

+      goto cleanup;

+    }

+

+  result = asn1_read_value (extendedasn, "?1", usage, &usage_size);

+  if (result != ASN1_SUCCESS)

+    {

+      err =

+	grub_error (GRUB_ERR_BAD_FILE_TYPE,

+		    "Error reading Extended Key Usage: %s",

+		    asn1_strerror (result));

+      goto cleanup;

+    }

+

+  if (grub_strncmp (codeSigningUsage_oid, usage, usage_size) != 0)

+    {

+      err =

+	grub_error (GRUB_ERR_BAD_FILE_TYPE,

+		    "Unexpected Extended Key Usage OID, got: %s",

+		    usage);

+      goto cleanup;

+    }

+

+cleanup:

+  asn1_delete_structure (&extendedasn);

+  return err;

+}

 /*

  * Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

@@ -660,7 +737,7 @@ verify_extensions (asn1_node cert)

 {

   int result;

   int ext, num_extensions = 0;

-  int usage_present = 0, constraints_present = 0;

+  int usage_present = 0, constraints_present = 0, extended_usage_present = 0;

   char *oid_path, *critical_path, *value_path;

   char extnID[MAX_OID_LEN];

   int extnID_size;

@@ -754,6 +831,15 @@ verify_extensions (asn1_node cert)

 	    }

 	  constraints_present++;

 	}

+      else if (grub_strncmp (extendedKeyUsage_oid, extnID, extnID_size) == 0)

+	{

+	  err = verify_extended_key_usage (value, value_size);

+	  if (err != GRUB_ERR_NONE)

+	    {

+	      goto cleanup_value;

+	    }

+	  extended_usage_present++;

+	}

       else if (grub_strncmp ("TRUE", critical, critical_size) == 0)

 	{

 	  /*

@@ -785,6 +871,12 @@ verify_extensions (asn1_node cert)

 			 "Unexpected number of basic constraints extensions - expected 1, got %d",

 			 constraints_present);

     }

+  if (extended_usage_present > 1)

+    {

+      return grub_error (GRUB_ERR_BAD_FILE_TYPE,

+			 "Unexpected number of Extended Key Usage extensions - expected 0 or 1, got %d",

+			 extended_usage_present);

+    }

   return GRUB_ERR_NONE;

 cleanup_value:

diff --git a/grub-core/tests/appended_signature_test.c b/grub-core/tests/appended_signature_test.c

index 88a485200d..dbba061662 100644

--- a/grub-core/tests/appended_signature_test.c

+++ b/grub-core/tests/appended_signature_test.c

@@ -111,6 +111,22 @@ static struct grub_procfs_entry certificate_printable_der_entry = {

   .get_contents = get_certificate_printable_der

 };

+static char *

+get_certificate_eku_der (grub_size_t * sz)

+{

+  char *ret;

+  *sz = certificate_eku_der_len;

+  ret = grub_malloc (*sz);

+  if (ret)

+    grub_memcpy (ret, certificate_eku_der, *sz);

+  return ret;

+}

+

+static struct grub_procfs_entry certificate_eku_der_entry = {

+  .name = "certificate_eku.der",

+  .get_contents = get_certificate_eku_der

+};

+

 static void

 do_verify (const char *f, int is_valid)

@@ -149,6 +165,7 @@ appended_signature_test (void)

   char *trust_args2[] = { (char *) "(proc)/certificate2.der", NULL };

   char *trust_args_printable[] = { (char *) "(proc)/certificate_printable.der",

 				   NULL };

+  char *trust_args_eku[] = { (char *) "(proc)/certificate_eku.der", NULL };

   char *distrust_args[] = { (char *) "1", NULL };

   char *distrust2_args[] = { (char *) "2", NULL };

   grub_err_t err;

@@ -157,6 +174,7 @@ appended_signature_test (void)

   grub_procfs_register ("certificate2.der", &certificate2_der_entry);

   grub_procfs_register ("certificate_printable.der",

 			&certificate_printable_der_entry);

+  grub_procfs_register ("certificate_eku.der", &certificate_eku_der_entry);

   cmd_trust = grub_command_find ("trust_certificate");

   if (!cmd_trust)

@@ -266,16 +284,23 @@ appended_signature_test (void)

   /*

    * Lastly, check a certificate that uses printableString rather than

-   * utf8String loads properly.

+   * utf8String loads properly, and that a certificate with an appropriate

+   * extended key usage loads.

    */

   err = (cmd_trust->func) (cmd_trust, 1, trust_args_printable);

   grub_test_assert (err == GRUB_ERR_NONE,

-		    "distrusting printable certificate failed: %d: %s",

+		    "trusting printable certificate failed: %d: %s",

+		    grub_errno, grub_errmsg);

+

+  err = (cmd_trust->func) (cmd_trust, 1, trust_args_eku);

+  grub_test_assert (err == GRUB_ERR_NONE,

+		    "trusting certificate with extended key usage failed: %d: %s",

 		    grub_errno, grub_errmsg);

   grub_procfs_unregister (&certificate_der_entry);

   grub_procfs_unregister (&certificate2_der_entry);

   grub_procfs_unregister (&certificate_printable_der_entry);

+  grub_procfs_unregister (&certificate_eku_der_entry);

 }

 GRUB_FUNCTIONAL_TEST (appended_signature_test, appended_signature_test);

diff --git a/grub-core/tests/appended_signatures.h b/grub-core/tests/appended_signatures.h

index aa3dc6278e..2e5ebd7d8b 100644

--- a/grub-core/tests/appended_signatures.h

+++ b/grub-core/tests/appended_signatures.h

@@ -555,3 +555,84 @@ unsigned char certificate_printable_der[] = {

   0xd2

 };

 unsigned int certificate_printable_der_len = 829;

+

+unsigned char certificate_eku_der[] = {

+  0x30, 0x82, 0x03, 0x90, 0x30, 0x82, 0x02, 0x78, 0xa0, 0x03, 0x02, 0x01,

+  0x02, 0x02, 0x09, 0x00, 0xd3, 0x9c, 0x41, 0x33, 0xdd, 0x6b, 0x5f, 0x45,

+  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,

+  0x0b, 0x05, 0x00, 0x30, 0x47, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55,

+  0x04, 0x03, 0x0c, 0x18, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20,

+  0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20,

+  0x43, 0x41, 0x20, 0x36, 0x31, 0x22, 0x30, 0x20, 0x06, 0x09, 0x2a, 0x86,

+  0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x13, 0x73, 0x65, 0x63,

+  0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65, 0x64, 0x68, 0x61, 0x74,

+  0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x32,

+  0x31, 0x35, 0x31, 0x34, 0x30, 0x30, 0x34, 0x34, 0x5a, 0x17, 0x0d, 0x33,

+  0x38, 0x30, 0x31, 0x31, 0x37, 0x31, 0x34, 0x30, 0x30, 0x34, 0x34, 0x5a,

+  0x30, 0x4e, 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,

+  0x1f, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63,

+  0x75, 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20, 0x53, 0x69, 0x67,

+  0x6e, 0x69, 0x6e, 0x67, 0x20, 0x36, 0x30, 0x32, 0x31, 0x22, 0x30, 0x20,

+  0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16,

+  0x13, 0x73, 0x65, 0x63, 0x61, 0x6c, 0x65, 0x72, 0x74, 0x40, 0x72, 0x65,

+  0x64, 0x68, 0x61, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x82, 0x01, 0x22,

+  0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,

+  0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a,

+  0x02, 0x82, 0x01, 0x01, 0x00, 0xaa, 0x6f, 0xbb, 0x92, 0x77, 0xd7, 0x15,

+  0xef, 0x88, 0x80, 0x88, 0xc0, 0xe7, 0x89, 0xeb, 0x35, 0x76, 0xf4, 0x85,

+  0x05, 0x0f, 0x19, 0xe4, 0x5f, 0x25, 0xdd, 0xc1, 0xa2, 0xe5, 0x5c, 0x06,

+  0xfb, 0xf1, 0x06, 0xb5, 0x65, 0x45, 0xcb, 0xbd, 0x19, 0x33, 0x54, 0xb5,

+  0x1a, 0xcd, 0xe4, 0xa8, 0x35, 0x2a, 0xfe, 0x9c, 0x53, 0xf4, 0xc6, 0x76,

+  0xdb, 0x1f, 0x8a, 0xd4, 0x7b, 0x18, 0x11, 0xaf, 0xa3, 0x90, 0xd4, 0xdd,

+  0x4d, 0xd5, 0x42, 0xcc, 0x14, 0x9a, 0x64, 0x6b, 0xc0, 0x7f, 0xaa, 0x1c,

+  0x94, 0x47, 0x4d, 0x79, 0xbd, 0x57, 0x9a, 0xbf, 0x99, 0x4e, 0x96, 0xa9,

+  0x31, 0x2c, 0xa9, 0xe7, 0x14, 0x65, 0x86, 0xc8, 0xac, 0x79, 0x5e, 0x78,

+  0xa4, 0x3c, 0x00, 0x24, 0xd3, 0xf7, 0xe1, 0xf5, 0x12, 0xad, 0xa0, 0x29,

+  0xe5, 0xfe, 0x80, 0xae, 0xf8, 0xaa, 0x60, 0x36, 0xe7, 0xe8, 0x94, 0xcb,

+  0xe9, 0xd1, 0xcc, 0x0b, 0x4d, 0xf7, 0xde, 0xeb, 0x52, 0xd2, 0x73, 0x09,

+  0x28, 0xdf, 0x48, 0x99, 0x53, 0x9f, 0xc5, 0x9a, 0xd4, 0x36, 0xa3, 0xc6,

+  0x5e, 0x8d, 0xbe, 0xd5, 0xdc, 0x76, 0xb4, 0x74, 0xb8, 0x26, 0x18, 0x27,

+  0xfb, 0xf2, 0xfb, 0xd0, 0x9b, 0x3d, 0x7f, 0x10, 0xe2, 0xab, 0x44, 0xc7,

+  0x88, 0x7f, 0xb4, 0x3d, 0x3e, 0xa3, 0xff, 0x6d, 0x06, 0x4b, 0x3e, 0x55,

+  0xb2, 0x84, 0xf4, 0xad, 0x54, 0x88, 0x81, 0xc3, 0x9c, 0xf8, 0xb6, 0x68,

+  0x96, 0x38, 0x8b, 0xcd, 0x90, 0x6d, 0x25, 0x4b, 0xbf, 0x0c, 0x44, 0x90,

+  0xa5, 0x5b, 0x98, 0xd0, 0x40, 0x2f, 0xbb, 0x0d, 0xa8, 0x4b, 0x8a, 0x62,

+  0x82, 0x46, 0x46, 0x18, 0x38, 0xae, 0x82, 0x07, 0xd0, 0xb4, 0x2f, 0x16,

+  0x79, 0x55, 0x9f, 0x1b, 0xc5, 0x08, 0x6d, 0x85, 0xdf, 0x3f, 0xa9, 0x9b,

+  0x4b, 0xc6, 0x28, 0xd3, 0x58, 0x72, 0x3d, 0x37, 0x11, 0x02, 0x03, 0x01,

+  0x00, 0x01, 0xa3, 0x78, 0x30, 0x76, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d,

+  0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0e, 0x06, 0x03,

+  0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80,

+  0x30, 0x16, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x01, 0x01, 0xff, 0x04, 0x0c,

+  0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03,

+  0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x6c,

+  0xe4, 0x6c, 0x27, 0xaa, 0xcd, 0x0d, 0x4b, 0x74, 0x21, 0xa4, 0xf6, 0x5f,

+  0x87, 0xb5, 0x31, 0xfe, 0x10, 0xbb, 0xa7, 0x30, 0x1f, 0x06, 0x03, 0x55,

+  0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xe8, 0x6a, 0x1c, 0xab,

+  0x2c, 0x48, 0xf9, 0x60, 0x36, 0xa2, 0xf0, 0x7b, 0x8e, 0xd2, 0x9d, 0xb4,

+  0x2a, 0x28, 0x98, 0xc8, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,

+  0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,

+  0x55, 0x34, 0xe2, 0xfa, 0xf6, 0x89, 0x86, 0xad, 0x92, 0x21, 0xec, 0xb9,

+  0x54, 0x0e, 0x18, 0x47, 0x0d, 0x1b, 0xa7, 0x58, 0xad, 0x69, 0xe4, 0xef,

+  0x3b, 0xe6, 0x8d, 0xdd, 0xda, 0x0c, 0x45, 0xf6, 0xe8, 0x96, 0xa4, 0x29,

+  0x0f, 0xbb, 0xcf, 0x16, 0xae, 0x93, 0xd0, 0xcb, 0x2a, 0x26, 0x1a, 0x7b,

+  0xfc, 0x51, 0x22, 0x76, 0x98, 0x31, 0xa7, 0x0f, 0x29, 0x35, 0x79, 0xbf,

+  0xe2, 0x4f, 0x0f, 0x14, 0xf5, 0x1f, 0xcb, 0xbf, 0x87, 0x65, 0x13, 0x32,

+  0xa3, 0x19, 0x4a, 0xd1, 0x3f, 0x45, 0xd4, 0x4b, 0xe2, 0x00, 0x26, 0xa9,

+  0x3e, 0xd7, 0xa5, 0x37, 0x9f, 0xf5, 0xad, 0x61, 0xe2, 0x40, 0xa9, 0x74,

+  0x24, 0x53, 0xf2, 0x78, 0xeb, 0x10, 0x9b, 0x2c, 0x27, 0x88, 0x46, 0xcb,

+  0xe4, 0x60, 0xca, 0xf5, 0x06, 0x24, 0x40, 0x2a, 0x97, 0x3a, 0xcc, 0xd0,

+  0x81, 0xb1, 0x15, 0xa3, 0x4f, 0xd0, 0x2b, 0x4f, 0xca, 0x6e, 0xaa, 0x24,

+  0x31, 0xb3, 0xac, 0xa6, 0x75, 0x05, 0xfe, 0x8a, 0xf4, 0x41, 0xc4, 0x06,

+  0x8a, 0xc7, 0x0a, 0x83, 0x4e, 0x49, 0xd4, 0x3f, 0x83, 0x50, 0xec, 0x57,

+  0x04, 0x97, 0x14, 0x49, 0xf5, 0xe1, 0xb1, 0x7a, 0x9c, 0x09, 0x4f, 0x61,

+  0x87, 0xc3, 0x97, 0x22, 0x17, 0xc2, 0xeb, 0xcc, 0x32, 0x81, 0x31, 0x21,

+  0x3f, 0x10, 0x57, 0x5b, 0x43, 0xbe, 0xcd, 0x68, 0x82, 0xbe, 0xe5, 0xc1,

+  0x65, 0x94, 0x7e, 0xc2, 0x34, 0x76, 0x2b, 0xcf, 0x89, 0x3c, 0x2b, 0x81,

+  0x23, 0x72, 0x95, 0xcf, 0xc9, 0x67, 0x19, 0x2a, 0xd5, 0x5c, 0xca, 0xa3,

+  0x46, 0xbd, 0x48, 0x06, 0x0b, 0xa6, 0xa3, 0x96, 0x50, 0x28, 0xc7, 0x7e,

+  0xcf, 0x62, 0xf2, 0xfa, 0xc4, 0xf2, 0x53, 0xe3, 0xc9, 0xe8, 0x2e, 0xdd,

+  0x29, 0x37, 0x07, 0x47, 0xff, 0xff, 0x8a, 0x32, 0xbd, 0xa2, 0xb7, 0x21,

+  0x89, 0xa0, 0x55, 0xf7

+};

+unsigned int certificate_eku_der_len = 916;