Skip to content

Commit

Permalink
lib/crypto: port PKCS7 parser on MbedTLS
Browse files Browse the repository at this point in the history
Integrate PKCS7 parser on top of MbedTLS PKCS7 library.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
  • Loading branch information
raymo200915 committed Apr 9, 2024
1 parent 0f85a10 commit 9f1789b
Show file tree
Hide file tree
Showing 2 changed files with 509 additions and 28 deletions.
55 changes: 55 additions & 0 deletions include/crypto/pkcs7_parser.h
Original file line number Diff line number Diff line change
Expand Up @@ -11,14 +11,66 @@
#include <linux/oid_registry.h>
#include <crypto/pkcs7.h>
#include <crypto/x509_parser.h>
#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
#include <external/mbedtls/include/mbedtls/pkcs7.h>
#include <external/mbedtls/include/mbedtls/asn1.h>
#include <external/mbedtls/include/mbedtls/oid.h>
#endif
#include <linux/printk.h>

#define kenter(FMT, ...) \
pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
#define kleave(FMT, ...) \
pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)

/* Backup the parsed MedTLS context that we need */
#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
struct pkcs7_mbedtls_ctx {
void *content_data;
};

struct pkcs7_sinfo_mbedtls_ctx {
void *authattrs_data;
void *content_data_digest;
};
#endif

/*
* MbedTLS integration Notes:
*
* MbedTLS PKCS#7 library does not originally support parsing MicroSoft
* Authentication Code which is used for verifying the PE image digest.
*
* 1. Authenticated Attributes (authenticatedAttributes)
* MbedTLS assumes unauthenticatedAttributes and authenticatedAttributes
* fields not exist.
* See MbedTLS function 'pkcs7_get_signer_info' for details.
*
* 2. MicroSoft Authentication Code (mscode)
* MbedTLS only supports Content Data type defined as 1.2.840.113549.1.7.1
* (MBEDTLS_OID_PKCS7_DATA, aka OID_data).
* 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code, aka
* OID_msIndirectData) is not supported.
* See MbedTLS function 'pkcs7_get_content_info_type' for details.
*
* But the EFI loader assumes that a PKCS#7 message with an EFI image always
* contains MicroSoft Authentication Code as Content Data (msg->data is NOT
* NULL), see function 'efi_signature_verify'.
*
* MbedTLS patch "0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch"
* is to support both above features by parsing the Content Data and
* Authenticate Attributes from a given PKCS#7 message.
*
* Other fields we don't need to populate from MbedTLS, which are used
* internally by pkcs7_verify:
* 'signer', 'unsupported_crypto', 'blacklisted'
* 'sig->digest' is used internally by pkcs7_digest to calculate the hash of
* Content Data or Authenticate Attributes.
*/
struct pkcs7_signed_info {
#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx;
#endif
struct pkcs7_signed_info *next;
struct x509_certificate *signer; /* Signing certificate (in msg->certs) */
unsigned index;
Expand Down Expand Up @@ -55,6 +107,9 @@ struct pkcs7_signed_info {
};

struct pkcs7_message {
#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
struct pkcs7_mbedtls_ctx *mbedtls_ctx;
#endif
struct x509_certificate *certs; /* Certificate list */
struct x509_certificate *crl; /* Revocation list */
struct pkcs7_signed_info *signed_infos;
Expand Down
Loading

0 comments on commit 9f1789b

Please sign in to comment.