authorAnthony Scarpino <Anthony.Scarpino@Sun.COM>2009-10-07 14:16:17 -0700
committerAnthony Scarpino <Anthony.Scarpino@Sun.COM>2009-10-07 14:16:17 -0700
commit735564919188238196dbd0d320770dda59b38369 (patch)
tree4ea68aab711a4145f285f98ce354d5834b1a2475 /usr/src/lib/libelfsign
parent89b86bfc58802597fbd72a82e42ff8fbd389b1d5 (diff)
PSARC/2009/447 Kernel Cryptographic Framework support for FIPS 140-2
6703950 Solaris cryptographic framework needs to implement changes for FIPS-140-2 compliance
Diffstat (limited to 'usr/src/lib/libelfsign')
-rw-r--r--usr/src/lib/libelfsign/common/elfcertlib.c30
-rw-r--r--usr/src/lib/libelfsign/common/elfsignlib.c2
-rw-r--r--usr/src/lib/libelfsign/common/libelfsign.h5
3 files changed, 33 insertions, 4 deletions
diff --git a/usr/src/lib/libelfsign/common/elfcertlib.c b/usr/src/lib/libelfsign/common/elfcertlib.c
index c8238fbfe9..98d71d0fd0 100644
--- a/usr/src/lib/libelfsign/common/elfcertlib.c
+++ b/usr/src/lib/libelfsign/common/elfcertlib.c
@@ -52,11 +52,17 @@ const char _PATH_ELFSIGN_ETC_CERTS[] = ETC_CERTS_DIR;
/*
* The CACERT and OBJCACERT are the Cryptographic Trust Anchors
* for the Solaris Cryptographic Framework.
+ *
+ * The SECACERT is the Signed Execution Trust Anchor that the
+ * Cryptographic Framework uses for FIPS-140 validation of non-crypto
+ * binaries
*/
static const char _PATH_CRYPTO_CACERT[] = CRYPTO_CERTS_DIR "/CA";
static const char _PATH_CRYPTO_OBJCACERT[] = CRYPTO_CERTS_DIR "/SUNWObjectCA";
+static const char _PATH_CRYPTO_SECACERT[] = ETC_CERTS_DIR "/SUNWSolarisCA";
static ELFCert_t CACERT = NULL;
static ELFCert_t OBJCACERT = NULL;
+static ELFCert_t SECACERT = NULL;
static pthread_mutex_t ca_mutex = PTHREAD_MUTEX_INITIALIZER;
static void elfcertlib_freecert(ELFsign_t, ELFCert_t);
@@ -95,10 +101,18 @@ elfcertlib_verifycert(ELFsign_t ess, ELFCert_t cert)
(void) elfcertlib_getcert(ess, (char *)_PATH_CRYPTO_CACERT,
NULL, &CACERT, ES_GET);
}
+
if (OBJCACERT == NULL) {
(void) elfcertlib_getcert(ess, (char *)_PATH_CRYPTO_OBJCACERT,
NULL, &OBJCACERT, ES_GET);
}
+
+ if (SECACERT == NULL) {
+ (void) elfcertlib_getcert(ess,
+ (char *)_PATH_CRYPTO_SECACERT, NULL, &SECACERT,
+ ES_GET_FIPS140);
+ }
+
(void) pthread_mutex_unlock(&ca_mutex);
if (CACERT != NULL) {
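Review bot: The new SECACERT anchor is loaded here on every call to elfcertlib_verifycert, whatever `ess->es_action` is, and the following hunk then accepts it as an issuer unconditionally. The comment added at the top of the file describes it as the anchor for FIPS-140 validation of non-crypto binaries, so as written a certificate issued under SUNWSolarisCA would also appear to satisfy verification requested with ES_GET_CRYPTO. If that widening of the crypto trust set is not intended, gate the later check on the action, e.g. `if (SECACERT != NULL && ess->es_action == ES_GET_FIPS140) {`. The function body starts and ends outside this hunk.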
@@ -139,6 +153,19 @@ elfcertlib_verifycert(ELFsign_t ess, ELFCert_t cert)
}
}
+ if (SECACERT != NULL) {
+ rv = KMF_VerifyCertWithCert(ess->es_kmfhandle,
+ (const KMF_DATA *)&cert->c_cert,
+ (const KMF_DATA *)&SECACERT->c_cert.certificate);
+ if (rv == KMF_OK) {
+ if (ess->es_certCAcallback != NULL)
+ (ess->es_certvercallback)(ess->es_callbackctx,
+ cert, SECACERT);
+ cert->c_verified = E_OK;
+ return (B_TRUE);
+ }
+ }
+
return (B_FALSE);
}
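Review bot: The guard in the new SECACERT block tests `ess->es_certCAcallback`, but the call goes through `ess->es_certvercallback`. A caller that registers only the CA callback would make this call through a NULL function pointer, and one that registers only the verification callback is never notified. The guard should name the pointer it calls: `if (ess->es_certvercallback != NULL)`. The CACERT and OBJCACERT blocks lie outside the hunk; if these lines were copied from them, they likely need the same fix.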
@@ -266,7 +293,8 @@ elfcertlib_getcert(ELFsign_t ess, char *cert_pathname,
*/
if (cert_pathname != NULL && (
strcmp(cert_pathname, _PATH_CRYPTO_CACERT) == 0 ||
- strcmp(cert_pathname, _PATH_CRYPTO_OBJCACERT) == 0)) {
+ strcmp(cert_pathname, _PATH_CRYPTO_OBJCACERT) == 0 ||
+ strcmp(cert_pathname, _PATH_CRYPTO_SECACERT) == 0)) {
if (ess->es_certCAcallback != NULL)
(ess->es_certCAcallback)(ess->es_callbackctx, cert,
cert_pathname);
diff --git a/usr/src/lib/libelfsign/common/elfsignlib.c b/usr/src/lib/libelfsign/common/elfsignlib.c
index 1eacfd1db7..8ef0aa4d0b 100644
--- a/usr/src/lib/libelfsign/common/elfsignlib.c
+++ b/usr/src/lib/libelfsign/common/elfsignlib.c
@@ -256,6 +256,7 @@ elfsign_begin(const char *filename, enum ES_ACTION action, ELFsign_t *essp)
switch (action) {
case ES_GET:
case ES_GET_CRYPTO:
+ case ES_GET_FIPS140:
cryptodebug("elfsign_begin for get");
elfcmd = ELF_C_READ;
oflags = O_RDONLY | O_NOCTTY | O_NDELAY;
@@ -1155,6 +1156,7 @@ elfsign_verify_signature(ELFsign_t ess, struct ELFsign_sig_info **esipp)
* force verification of crypto certs
*/
if ((ess->es_action == ES_GET_CRYPTO ||
+ ess->es_action == ES_GET_FIPS140 ||
strstr(fsx.fsx_signer_DN, ELFSIGN_CRYPTO)) &&
!elfcertlib_verifycert(ess, cert)) {
cryptodebug("elfsign_verify_signature: invalid cert");
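Review bot: The comment above this condition still reads "force verification of crypto certs", but with the added `ess->es_action == ES_GET_FIPS140` term the check also forces chain verification for FIPS 140 requests. I would reword it to something like `force verification of crypto certs and of all FIPS 140 requests`, so that a later reader does not drop the new term as redundant. The comment and the function both start outside the hunk.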
diff --git a/usr/src/lib/libelfsign/common/libelfsign.h b/usr/src/lib/libelfsign/common/libelfsign.h
index 8637fc4c6d..cfbb627eea 100644
--- a/usr/src/lib/libelfsign/common/libelfsign.h
+++ b/usr/src/lib/libelfsign/common/libelfsign.h
@@ -20,15 +20,13 @@
*/
/*
- * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#ifndef _LIBELFSIGN_H
#define _LIBELFSIGN_H
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#ifdef __cplusplus
extern "C" {
#endif
@@ -78,6 +76,7 @@ typedef struct ELFCert_s {
enum ES_ACTION {
ES_GET,
ES_GET_CRYPTO,
+ ES_GET_FIPS140,
ES_UPDATE,
ES_UPDATE_RSA_MD5_SHA1,
ES_UPDATE_RSA_SHA1
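Review bot: ES_GET_FIPS140 is inserted in the middle of `enum ES_ACTION`, which renumbers ES_UPDATE, ES_UPDATE_RSA_MD5_SHA1 and ES_UPDATE_RSA_SHA1. A consumer built against the previous libelfsign.h would then pass a value that the rebuilt library reads as a different action; the old ES_UPDATE value becomes ES_GET_FIPS140, which elfsign_begin treats as a read-only get. Whether such consumers exist is not visible here. If binary compatibility matters, append the new constant after the last existing enumerator or give the enumerators explicit values. The enum continues past the end of the hunk.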