[PATCH v6 10/28] mbedtls/external: support PKCS9 Authenticate Attributes

Ilias Apalodimas ilias.apalodimas at linaro.org
Wed Aug 28 10:53:52 CEST 2024 

Hi Raymond

On Sat, 17 Aug 2024 at 00:48, Raymond Mao <raymond.mao at linaro.org> wrote:
>
> Populate PKCS9 Authenticate Attributes from signer info if it exists
> in a PKCS7 message.
> Add OIDs for describing objects using for Authenticate Attributes.
>
> The PR for this patch is at:
> https://github.com/Mbed-TLS/mbedtls/pull/9001
>
> For enabling EFI loader PKCS7 features with MbedTLS build,
> we need this patch on top of MbedTLS v3.6.0 before it is merged into
> the next MbedTLS LTS release.
>
> Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
> ---
> Changes in v2
> - None.
> Changes in v3
> - Update commit message.
> Changes in v4
> - None.
> Changes in v5
> - None.
> Changes in v6
> - None.
>
>  .../external/mbedtls/include/mbedtls/oid.h    |  5 +++++
>  .../external/mbedtls/include/mbedtls/pkcs7.h  | 11 +++++++++++
>  lib/mbedtls/external/mbedtls/library/pkcs7.c  | 19 ++++++++++++++++++-
>  3 files changed, 34 insertions(+), 1 deletion(-)
>
> diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
> index 2ee982808fa..43cef99f1e3 100644
> --- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
> +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
> @@ -238,6 +238,11 @@
>  #define MBEDTLS_OID_RSA_SHA_OBS         "\x2B\x0E\x03\x02\x1D"
>
>  #define MBEDTLS_OID_PKCS9_EMAIL         MBEDTLS_OID_PKCS9 "\x01" /**< emailAddress AttributeType ::= { pkcs-9 1 } */
> +#define MBEDTLS_OID_PKCS9_CONTENTTYPE   MBEDTLS_OID_PKCS9 "\x03" /**< contentType AttributeType ::= { pkcs-9 3 } */
> +#define MBEDTLS_OID_PKCS9_MESSAGEDIGEST MBEDTLS_OID_PKCS9 "\x04" /**< messageDigest AttributeType ::= { pkcs-9 4 } */
> +#define MBEDTLS_OID_PKCS9_SIGNINGTIME   MBEDTLS_OID_PKCS9 "\x05" /**< signingTime AttributeType ::= { pkcs-9 5 } */
> +#define MBEDTLS_OID_PKCS9_SMIMECAP      MBEDTLS_OID_PKCS9 "\x0f" /**< smimeCapabilites AttributeType ::= { pkcs-9 15 } */
> +#define MBEDTLS_OID_PKCS9_SMIMEAA       MBEDTLS_OID_PKCS9 "\x10\x02\x0b" /**< smimeCapabilites AttributeType ::= { pkcs-9 16 2 11} */
>
>  /* RFC 4055 */
>  #define MBEDTLS_OID_RSASSA_PSS          MBEDTLS_OID_PKCS1 "\x0a" /**< id-RSASSA-PSS ::= { pkcs-1 10 } */
> diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
> index 9e29b74af70..a88a5e858fc 100644
> --- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
> +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
> @@ -102,6 +102,16 @@ typedef enum {
>  }
>  mbedtls_pkcs7_type;
>
> +/*
> + * Authenticate Attributes for MicroSoft Authentication Code using in U-Boot
> + * Secure Boot
> + */
> +typedef struct mbedtls_pkcs7_authattrs {
> +    size_t data_len;
> +    void *data;
> +}
> +mbedtls_pkcs7_authattrs;
> +
>  /**
>   * Structure holding PKCS #7 signer info
>   */
> @@ -113,6 +123,7 @@ typedef struct mbedtls_pkcs7_signer_info {
>      mbedtls_x509_buf MBEDTLS_PRIVATE(alg_identifier);
>      mbedtls_x509_buf MBEDTLS_PRIVATE(sig_alg_identifier);
>      mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
> +    mbedtls_pkcs7_authattrs authattrs;
>      struct mbedtls_pkcs7_signer_info *MBEDTLS_PRIVATE(next);
>  }
>  mbedtls_pkcs7_signer_info;
> diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c b/lib/mbedtls/external/mbedtls/library/pkcs7.c
> index 0c2436b56b7..da73fb341d6 100644
> --- a/lib/mbedtls/external/mbedtls/library/pkcs7.c
> +++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c
> @@ -288,6 +288,7 @@ static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end,
>      unsigned char *end_signer, *end_issuer_and_sn;
>      int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
>      size_t len = 0;
> +    unsigned char *tmp_p;
>
>      asn1_ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
>                                      | MBEDTLS_ASN1_SEQUENCE);
> @@ -349,7 +350,23 @@ static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end,
>          goto out;
>      }
>
> -    /* Assume authenticatedAttributes is nonexistent */
> +    /* Save authenticatedAttributes if present */
> +    if (*p < end_signer &&
> +        **p == (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0)) {
> +        tmp_p = *p;
> +
> +        ret = mbedtls_asn1_get_tag(p, end_signer, &len,
> +                                   MBEDTLS_ASN1_CONTEXT_SPECIFIC |
> +                                   MBEDTLS_ASN1_CONSTRUCTED | 0);
> +        if (ret != 0) {
> +            goto out;
> +        }
> +
> +        signer->authattrs.data = tmp_p;
> +        signer->authattrs.data_len = len + *p - tmp_p;
> +        *p += len;
> +    }
> +
>      ret = pkcs7_get_digest_algorithm(p, end_signer, &signer->sig_alg_identifier);
>      if (ret != 0) {
>          goto out;
> --
> 2.25.1
>

Acked-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>

More information about the U-Boot mailing list