[PATCH v8 20/27] lib/crypto: Adapt PKCS7 parser to MbedTLS

Ilias Apalodimas ilias.apalodimas at linaro.org
Wed Oct 9 11:19:59 CEST 2024 

On Fri, 4 Oct 2024 at 01:02, Raymond Mao <raymond.mao at linaro.org> wrote:
>
> Previous patch has introduced MbedTLS porting layer for PKCS7 parser,
> here to adjust the header and makefiles accordingly.
>
> Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
> ---
> Changes in v2
> - Move the porting layer to MbedTLS dir.
> Changes in v3
> - Update commit message.
> Changes in v4
> - Control building legacy library via '_LEGACY' Kconfig.
> Changes in v5
> - Correct header file include directories.
> Changes in v6
> - None.
> Changes in v7
> - None.
> Changes in v8
> - None
>
>  include/crypto/pkcs7_parser.h | 56 +++++++++++++++++++++++++++++++++++
>  lib/crypto/Makefile           |  7 +++--
>  2 files changed, 60 insertions(+), 3 deletions(-)
>
> diff --git a/include/crypto/pkcs7_parser.h b/include/crypto/pkcs7_parser.h
> index 2c45cce5234..469c2711fa6 100644
> --- a/include/crypto/pkcs7_parser.h
> +++ b/include/crypto/pkcs7_parser.h
> @@ -11,6 +11,12 @@
>  #include <linux/oid_registry.h>
>  #include <crypto/pkcs7.h>
>  #include <crypto/x509_parser.h>
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
> +#include <mbedtls/pkcs7.h>
> +#include <library/x509_internal.h>
> +#include <mbedtls/asn1.h>
> +#include <mbedtls/oid.h>
> +#endif
>  #include <linux/printk.h>
>
>  #define kenter(FMT, ...) \
> @@ -18,7 +24,54 @@
>  #define kleave(FMT, ...) \
>         pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
>
> +/* Backup the parsed MedTLS context that we need */
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
> +struct pkcs7_mbedtls_ctx {
> +       void *content_data;
> +};
> +
> +struct pkcs7_sinfo_mbedtls_ctx {
> +       void *authattrs_data;
> +       void *content_data_digest;
> +};
> +#endif
> +
> +/*
> + * MbedTLS integration Notes:
> + *
> + * MbedTLS PKCS#7 library does not originally support parsing MicroSoft
> + * Authentication Code which is used for verifying the PE image digest.
> + *
> + * 1.  Authenticated Attributes (authenticatedAttributes)
> + *     MbedTLS assumes unauthenticatedAttributes and authenticatedAttributes
> + *     fields not exist.
> + *     See MbedTLS function 'pkcs7_get_signer_info' for details.
> + *
> + * 2.  MicroSoft Authentication Code (mscode)
> + *     MbedTLS only supports Content Data type defined as 1.2.840.113549.1.7.1
> + *     (MBEDTLS_OID_PKCS7_DATA, aka OID_data).
> + *     1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code, aka
> + *     OID_msIndirectData) is not supported.
> + *     See MbedTLS function 'pkcs7_get_content_info_type' for details.
> + *
> + * But the EFI loader assumes that a PKCS#7 message with an EFI image always
> + * contains MicroSoft Authentication Code as Content Data (msg->data is NOT
> + * NULL), see function 'efi_signature_verify'.
> + *
> + * MbedTLS patch "0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch"
> + * is to support both above features by parsing the Content Data and
> + * Authenticate Attributes from a given PKCS#7 message.
> + *
> + * Other fields we don't need to populate from MbedTLS, which are used
> + * internally by pkcs7_verify:
> + * 'signer', 'unsupported_crypto', 'blacklisted'
> + * 'sig->digest' is used internally by pkcs7_digest to calculate the hash of
> + * Content Data or Authenticate Attributes.
> + */
>  struct pkcs7_signed_info {
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
> +       struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx;
> +#endif
>         struct pkcs7_signed_info *next;
>         struct x509_certificate *signer; /* Signing certificate (in msg->certs) */
>         unsigned        index;
> @@ -55,6 +108,9 @@ struct pkcs7_signed_info {
>  };
>
>  struct pkcs7_message {
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
> +       struct pkcs7_mbedtls_ctx *mbedtls_ctx;
> +#endif
>         struct x509_certificate *certs; /* Certificate list */
>         struct x509_certificate *crl;   /* Revocation list */
>         struct pkcs7_signed_info *signed_infos;
> diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
> index 4302f197297..7129315393f 100644
> --- a/lib/crypto/Makefile
> +++ b/lib/crypto/Makefile
> @@ -50,15 +50,16 @@ $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c $(obj)/x509_akid.asn1.h
>  # PKCS#7 message handling
>  #
>  obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o
> -pkcs7_message-y := \
> +pkcs7_message-y := pkcs7_helper.o
> +pkcs7_message-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_LEGACY) += \
>         pkcs7.asn1.o \
> -       pkcs7_helper.o \
>         pkcs7_parser.o
> -obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
>
>  $(obj)/pkcs7_parser.o: $(obj)/pkcs7.asn1.h
>  $(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h
>
> +obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
> +
>  #
>  # Signed PE binary-wrapped key handling
>  #
> --
> 2.25.1
>

Acked-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>

More information about the U-Boot mailing list