[PATCH v5 08/27] mbedtls/external: support Microsoft Authentication Code
Raymond Mao
raymond.mao at linaro.org
Wed Jul 31 19:25:18 CEST 2024
Populate Microsoft Authentication Code from the content data
into PKCS7 decoding context if it exists in a PKCS7 message.
Add OIDs for describing objects using for Microsoft Authentication
Code.
The PR for this patch is at:
https://github.com/Mbed-TLS/mbedtls/pull/9001
For enabling EFI loader PKCS7 features with MbedTLS build,
we need this patch on top of MbedTLS v3.6.0 before it is merged into
the next MbedTLS LTS release.
Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
---
Changes in v2
- None.
Changes in v3
- Update commit message.
Changes in v4
- None.
Changes in v5
- None.
.../external/mbedtls/include/mbedtls/oid.h | 30 ++++++++++
.../external/mbedtls/include/mbedtls/pkcs7.h | 10 ++++
lib/mbedtls/external/mbedtls/library/pkcs7.c | 60 +++++++++++++++----
3 files changed, 90 insertions(+), 10 deletions(-)
diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
index fdc25ebf885..2ee982808fa 100644
--- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
+++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
@@ -352,6 +352,36 @@
#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC MBEDTLS_OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */
#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC MBEDTLS_OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */
+/*
+ * MicroSoft Authenticate Code OIDs
+ */
+#define MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_INTERNET "\x04\x01" /* {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) */
+#define MBEDTLS_OID_MICROSOFT "\x82\x37" /* {microsoft(311)} */
+/*
+ * OID_msIndirectData: (1.3.6.1.4.1.311.2.1.4)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 4(4)}
+ */
+#define MBEDTLS_OID_MICROSOFT_INDIRECTDATA MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
+ "\x02\x01\x04"
+/*
+ * OID_msStatementType: (1.3.6.1.4.1.311.2.1.11)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 11(11)}
+ */
+#define MBEDTLS_OID_MICROSOFT_STATETYPE MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
+ "\x02\x01\x0b"
+/*
+ * OID_msSpOpusInfo: (1.3.6.1.4.1.311.2.1.12)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 12(12)}
+ */
+#define MBEDTLS_OID_MICROSOFT_SPOPUSINFO MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
+ "\x02\x01\x0b"
+/*
+ * OID_msPeImageDataObjId: (1.3.6.1.4.1.311.2.1.15)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 15(15)}
+ */
+#define MBEDTLS_OID_MICROSOFT_PEIMAGEDATA MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
+ "\x02\x01\x0f"
+
/*
* EC key algorithms from RFC 5480
*/
diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
index e9b482208e6..9e29b74af70 100644
--- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
+++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
@@ -132,12 +132,22 @@ typedef struct mbedtls_pkcs7_signed_data {
}
mbedtls_pkcs7_signed_data;
+/* Content Data for MicroSoft Authentication Code using in U-Boot Secure Boot */
+typedef struct mbedtls_pkcs7_conten_data {
+ int data_type; /* Type of Data */
+ size_t data_len; /* Length of Data */
+ size_t data_hdrlen; /* Length of Data ASN.1 header */
+ void *data; /* Content Data */
+}
+mbedtls_pkcs7_conten_data;
+
/**
* Structure holding PKCS #7 structure, only signed data for now
*/
typedef struct mbedtls_pkcs7 {
mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw);
mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data);
+ mbedtls_pkcs7_conten_data content_data;
}
mbedtls_pkcs7;
diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c b/lib/mbedtls/external/mbedtls/library/pkcs7.c
index 3aac662ba69..0c2436b56b7 100644
--- a/lib/mbedtls/external/mbedtls/library/pkcs7.c
+++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c
@@ -29,6 +29,13 @@
#include <time.h>
#endif
+enum OID {
+ /* PKCS#7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)} */
+ MBEDTLS_OID_DATA = 13, /* 1.2.840.113549.1.7.1 */
+ /* Microsoft Authenticode & Software Publishing */
+ MBEDTLS_OID_MS_INDIRECTDATA = 24, /* 1.3.6.1.4.1.311.2.1.4 */
+};
+
/**
* Initializes the mbedtls_pkcs7 structure.
*/
@@ -449,7 +456,7 @@ cleanup:
* signerInfos SignerInfos }
*/
static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
- mbedtls_pkcs7_signed_data *signed_data)
+ mbedtls_pkcs7 *pkcs7)
{
unsigned char *p = buf;
unsigned char *end = buf + buflen;
@@ -457,6 +464,7 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
size_t len = 0;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_md_type_t md_alg;
+ mbedtls_pkcs7_signed_data *signed_data = &pkcs7->signed_data;
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE);
@@ -493,25 +501,57 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
if (ret != 0) {
return ret;
}
- if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) {
+
+ /*
+ * We should only support 1.2.840.113549.1.7.1 (PKCS7 DATA) and
+ * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code) that is for
+ * U-Boot Secure Boot
+ */
+ if (!MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) {
+ pkcs7->content_data.data_type = MBEDTLS_OID_DATA;
+ } else if (!MBEDTLS_OID_CMP(MBEDTLS_OID_MICROSOFT_INDIRECTDATA,
+ &content_type)) {
+ pkcs7->content_data.data_type = MBEDTLS_OID_MS_INDIRECTDATA;
+ } else {
return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO;
}
if (p != end_content_info) {
+ unsigned char *tmp_p = p;
+
/* Determine if valid content is present */
ret = mbedtls_asn1_get_tag(&p,
end_content_info,
&len,
- MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC);
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC);
+ if (ret != 0 || p + len != end_content_info) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO,
+ ret);
+ }
+
+ /*
+ * U-Boot Secure Boot needs to calculate the digest of MicroSoft
+ * Authentication Code during verifying an EFI image.
+ * Thus we need to save the context of Content Data.
+ */
+ pkcs7->content_data.data_hdrlen = p - tmp_p;
+ /* Parse the content data from a sequence */
+ ret = mbedtls_asn1_get_tag(&p, end_content_info, &len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
+ /* TODO: Other Content Data formats are not supported at the moment */
+ return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
+ } else if (p + len != end_content_info) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO,
+ ret);
}
+
+ pkcs7->content_data.data = p;
+ pkcs7->content_data.data_len = len;
+
p += len;
- if (p != end_content_info) {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
- }
- /* Valid content is present - this is not supported */
- return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
}
/* Look for certificates, there may or may not be any */
@@ -624,7 +664,7 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf,
}
try_data:
- ret = pkcs7_get_signed_data(p, len, &pkcs7->signed_data);
+ ret = pkcs7_get_signed_data(p, len, pkcs7);
if (ret != 0) {
goto out;
}
--
2.25.1
More information about the U-Boot
mailing list