From 9d6b3053a5b7fff00a9c924df92f91b878311b48 Mon Sep 17 00:00:00 2001
From: Raymond Mao
Date: Mon, 4 Mar 2024 09:31:24 -0800
Subject: [PATCH] lib/crypto: port MSCode parser on MbedTLS

Integrate MicroSoft Authenticate Code parser on top of MbedTLS ASN.1 decoder.

Signed-off-by: Raymond Mao
---
 include/crypto/mscode.h    |   4 ++
 lib/crypto/mscode_parser.c | 104 +++++++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)

diff --git a/include/crypto/mscode.h b/include/crypto/mscode.h
index 551058b96e6..c214fc87e40 100644
--- a/include/crypto/mscode.h
+++ b/include/crypto/mscode.h
@@ -9,6 +9,10 @@
 #ifndef __UBOOT__
 #include
 #endif
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+#include
+#include
+#endif
 
 struct pefile_context {
 #ifndef __UBOOT__
diff --git a/lib/crypto/mscode_parser.c b/lib/crypto/mscode_parser.c
index 90d5b37a6cf..167304def5f 100644
--- a/lib/crypto/mscode_parser.c
+++ b/lib/crypto/mscode_parser.c
@@ -18,11 +18,113 @@
 #else
 #include "verify_pefile.h"
 #endif
+#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
 #include "mscode.asn1.h"
+#endif
 
 /*
  * Parse a Microsoft Individual Code Signing blob
+ *
+ * U.P.SEQUENCE {
+ * U.P.OBJECTIDENTIFIER 1.3.6.1.4.1.311.2.1.15 (SPC_PE_IMAGE_DATA_OBJID)
+ * U.P.SEQUENCE {
+ * U.P.BITSTRING NaN : 0 unused bit(s);
+ * [C.P.0] {
+ * [C.P.2] {
+ * [C.P.0]
+ * }
+ * }
+ * }
+ * }
+ * U.P.SEQUENCE {
+ * U.P.SEQUENCE {
+ * U.P.OBJECTIDENTIFIER
+ * U.P.NULL
+ * }
+ * U.P.OCTETSTRING
+ * }
+ *
  */
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+
+int mscode_parse(void *_ctx, const void *content_data, size_t data_len,
+ size_t asn1hdrlen)
+{
+ struct pefile_context *ctx = _ctx;
+ unsigned char *p = (unsigned char *)content_data;
+ unsigned char *end = (unsigned char *)content_data + data_len;
+ size_t len = 0;
+ int ret;
+ unsigned char *inner_p;
+ size_t seq_len = 0;
+
+ ret = mbedtls_asn1_get_tag(&p, end, &seq_len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret)
+ return ret;
+
+ inner_p = p;
+ ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len, MBEDTLS_ASN1_OID);
+ if (ret)
+ return ret;
+
+ /* Sanity check on the PE Image Data OID (1.3.6.1.4.1.311.2.1.15) */
+ if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_PEIMAGEDATA, inner_p, len))
+ return -EINVAL;
+
+ p += seq_len;
+ ret = mbedtls_asn1_get_tag(&p, end, &seq_len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret)
+ return ret;
+
+ ret = mbedtls_asn1_get_tag(&p, p + seq_len, &seq_len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret)
+ return ret;
+
+ inner_p = p;
+
+ /*
+ * Check if the inner sequence contains a supported hash
+ * algorithm OID
+ */
+ ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len, MBEDTLS_ASN1_OID);
+ if (ret)
+ return ret;
+
+ if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_MD5, inner_p, len))
+ ctx->digest_algo = "md5";
+ else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA1, inner_p, len))
+ ctx->digest_algo = "sha1";
+ else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA224, inner_p, len))
+ ctx->digest_algo = "sha224";
+ else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA256, inner_p, len))
+ ctx->digest_algo = "sha256";
+ else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA384, inner_p, len))
+ ctx->digest_algo = "sha384";
+ else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA512, inner_p, len))
+ ctx->digest_algo = "sha512";
+
+ if (!ctx->digest_algo)
+ return -EINVAL;
+
+ p += seq_len;
+ ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
+ if (ret)
+ return ret;
+
+ ctx->digest = p;
+ ctx->digest_len = len;
+
+ return 0;
+}
+
+#else /* !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) */
+
 int mscode_parse(void *_ctx, const void *content_data, size_t data_len,
 size_t asn1hdrlen)
 {
@@ -36,6 +138,8 @@ int mscode_parse(void *_ctx, const void *content_data, size_t data_len,
 return asn1_ber_decoder(&mscode_decoder, ctx, content_data, data_len);
 }
+#endif /* CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) */
+
 
 /*
  * Check the content type OID
  */
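Review bot: In the new MbedTLS mscode_parse, the `if (!ctx->digest_algo) return -EINVAL;` check after the digest-OID chain only rejects an unrecognised algorithm OID when `ctx->digest_algo` was already NULL on entry; nothing in the function clears it first, so a pre-populated or reused pefile_context would carry a stale algorithm name past the check. The rejection should be explicit on the chain itself, e.g. a final `else return -EINVAL;` after the `"sha512"` branch, rather than relying on the caller having zeroed the context. Separately, the last `mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING)` is bounded by `end` instead of by the enclosing content SEQUENCE, because `seq_len` was overwritten by the AlgorithmIdentifier length two calls earlier; keeping that boundary in its own variable would let the parser reject a digest string that runs past its sequence. A header comment should also state that `ctx->digest` and `ctx->digest_len` borrow from `content_data` rather than copying it, so the blob must outlive the context. The legacy `mscode_parse` whose signature closes this hunk continues outside it.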