[PATCH 3/8] lib: crypto: enable x509_check_for_self_signed()
AKASHI Takahiro
takahiro.akashi at linaro.org
Tue Jun 9 07:13:56 CEST 2020
When the file, x509_public_key.c, was imported from linux code in
commit b4adf627d5b7 ("lib: crypto: add x509 parser"),
x509_check_for_self_signed() was commented out for simplicity.
Now it need be enabled in order to make pkcs7_verify_one(), which will be
imported in a later patch, functional.
Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
---
lib/crypto/x509_cert_parser.c | 2 --
lib/crypto/x509_public_key.c | 33 +++++++++++++++++++++++++--------
2 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/lib/crypto/x509_cert_parser.c b/lib/crypto/x509_cert_parser.c
index 5f984b9dfdae..eb24349460c2 100644
--- a/lib/crypto/x509_cert_parser.c
+++ b/lib/crypto/x509_cert_parser.c
@@ -142,12 +142,10 @@ struct x509_certificate *x509_cert_parse(const void *data, size_t datalen)
}
cert->id = kid;
-#ifndef __UBOOT__
/* Detect self-signed certificates */
ret = x509_check_for_self_signed(cert);
if (ret < 0)
goto error_decode;
-#endif
kfree(ctx);
return cert;
diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c
index 571af9a0adf9..91810a864049 100644
--- a/lib/crypto/x509_public_key.c
+++ b/lib/crypto/x509_public_key.c
@@ -8,6 +8,7 @@
#define pr_fmt(fmt) "X.509: "fmt
#ifdef __UBOOT__
#include <common.h>
+#include <image.h>
#include <dm/devres.h>
#include <linux/compat.h>
#include <linux/err.h>
@@ -18,6 +19,7 @@
#include <linux/kernel.h>
#ifdef __UBOOT__
#include <crypto/x509_parser.h>
+#include <u-boot/rsa-checksum.h>
#else
#include <linux/slab.h>
#include <keys/asymmetric-subtype.h>
@@ -35,7 +37,9 @@
int x509_get_sig_params(struct x509_certificate *cert)
{
struct public_key_signature *sig = cert->sig;
-#ifndef __UBOOT__
+#ifdef __UBOOT__
+ struct image_region region;
+#else
struct crypto_shash *tfm;
struct shash_desc *desc;
size_t desc_size;
@@ -63,12 +67,25 @@ int x509_get_sig_params(struct x509_certificate *cert)
sig->s_size = cert->raw_sig_size;
#ifdef __UBOOT__
- /*
- * Note:
- * This part (filling sig->digest) should be implemented if
- * x509_check_for_self_signed() is enabled x509_cert_parse().
- * Currently, this check won't affect UEFI secure boot.
- */
+ if (!sig->hash_algo)
+ return -ENOPKG;
+ if (!strcmp(sig->hash_algo, "sha256"))
+ sig->digest_size = SHA256_SUM_LEN;
+ else if (!strcmp(sig->hash_algo, "sha1"))
+ sig->digest_size = SHA1_SUM_LEN;
+ else
+ return -ENOPKG;
+
+ sig->digest = calloc(1, sig->digest_size);
+ if (!sig->digest)
+ return -ENOMEM;
+
+ region.data = cert->tbs;
+ region.size = cert->tbs_size;
+ hash_calculate(sig->hash_algo, ®ion, 1, sig->digest);
+
+ /* TODO: is_hash_blacklisted()? */
+
ret = 0;
#else
/* Allocate the hashing algorithm we're going to need and find out how
@@ -118,7 +135,6 @@ error:
return ret;
}
-#ifndef __UBOOT__
/*
* Check for self-signedness in an X.509 cert and if found, check the signature
* immediately if we can.
@@ -175,6 +191,7 @@ not_self_signed:
return 0;
}
+#ifndef __UBOOT__
/*
* Attempt to parse a data blob for a key as an X509 certificate.
*/
--
2.27.0
More information about the U-Boot
mailing list