
[v2,12/28] mbedtls/external: support MicroSoft Authentication Code

Message ID 20240507175132.1456512-13-raymond.mao@linaro.org
State RFC
Delegated to: Tom Rini
Series Integrate MbedTLS v3.6 LTS with U-Boot | expand

Commit Message

Raymond Mao May 7, 2024, 5:50 p.m. UTC
Populate the Microsoft Authentication Code from the content data
into the PKCS7 decoding context if it exists in a PKCS7 message.
Add OIDs describing the objects used for Microsoft Authentication
Code.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
---
Changes in v2
- None.

 .../external/mbedtls/include/mbedtls/oid.h    | 30 ++++++++++
 .../external/mbedtls/include/mbedtls/pkcs7.h  | 10 ++++
 lib/mbedtls/external/mbedtls/library/pkcs7.c  | 60 +++++++++++++++----
 3 files changed, 90 insertions(+), 10 deletions(-)

Comments

Ilias Apalodimas May 8, 2024, 2:31 p.m. UTC | #1
Hi Raymond

On Tue, 7 May 2024 at 20:57, Raymond Mao <raymond.mao@linaro.org> wrote:
>
> Populate MicroSoft Authentication Code from the content data
> into PKCS7 decoding context if it exists in a PKCS7 message.
> Add OIDs for describing objects using for MicroSoft Authentication
> Code.
>

We will need more accurate commit messages for things like this.
IIRC this is already on a PR for mbedTLS and won't be needed in the
future right?
Generally speaking, we shouldn't carry out of tree patches unless we
can prove there's a very good reason. This one needs to be marked as
'do not merge' and we should wait until mbedTLS merges it upstream

Thanks
/Ilias

> Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
> ---
> Changes in v2
> - None.
>
>  .../external/mbedtls/include/mbedtls/oid.h    | 30 ++++++++++
>  .../external/mbedtls/include/mbedtls/pkcs7.h  | 10 ++++
>  lib/mbedtls/external/mbedtls/library/pkcs7.c  | 60 +++++++++++++++----
>  3 files changed, 90 insertions(+), 10 deletions(-)
>
> diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
> index fdc25ebf885..2ee982808fa 100644
> --- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
> +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
> @@ -352,6 +352,36 @@
>  #define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC     MBEDTLS_OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */
>  #define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC      MBEDTLS_OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */
>
> +/*
> + * MicroSoft Authenticate Code OIDs
> + */
> +#define MBEDTLS_OID_PRIVATE_ENTERPRISE              MBEDTLS_OID_INTERNET "\x04\x01" /* {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) */
> +#define MBEDTLS_OID_MICROSOFT                       "\x82\x37"  /* {microsoft(311)} */
> +/*
> + * OID_msIndirectData: (1.3.6.1.4.1.311.2.1.4)
> + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 4(4)}
> + */
> +#define MBEDTLS_OID_MICROSOFT_INDIRECTDATA  MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
> +    "\x02\x01\x04"
> +/*
> + * OID_msStatementType: (1.3.6.1.4.1.311.2.1.11)
> + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 11(11)}
> + */
> +#define MBEDTLS_OID_MICROSOFT_STATETYPE  MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
> +    "\x02\x01\x0b"
> +/*
> + * OID_msSpOpusInfo: (1.3.6.1.4.1.311.2.1.12)
> + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 12(12)}
> + */
> +#define MBEDTLS_OID_MICROSOFT_SPOPUSINFO  MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
> +    "\x02\x01\x0b"
> +/*
> + * OID_msPeImageDataObjId: (1.3.6.1.4.1.311.2.1.15)
> + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 15(15)}
> + */
> +#define MBEDTLS_OID_MICROSOFT_PEIMAGEDATA  MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
> +    "\x02\x01\x0f"
> +
>  /*
>   * EC key algorithms from RFC 5480
>   */
> diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
> index e9b482208e6..9e29b74af70 100644
> --- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
> +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
> @@ -132,12 +132,22 @@ typedef struct mbedtls_pkcs7_signed_data {
>  }
>  mbedtls_pkcs7_signed_data;
>
> +/* Content Data for MicroSoft Authentication Code using in U-Boot Secure Boot */
> +typedef struct mbedtls_pkcs7_conten_data {
> +    int data_type;  /* Type of Data */
> +    size_t data_len;    /* Length of Data */
> +    size_t data_hdrlen; /* Length of Data ASN.1 header */
> +    void *data;     /* Content Data */
> +}
> +mbedtls_pkcs7_conten_data;
> +
>  /**
>   * Structure holding PKCS #7 structure, only signed data for now
>   */
>  typedef struct mbedtls_pkcs7 {
>      mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw);
>      mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data);
> +    mbedtls_pkcs7_conten_data content_data;
>  }
>  mbedtls_pkcs7;
>
> diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c b/lib/mbedtls/external/mbedtls/library/pkcs7.c
> index 3aac662ba69..0c2436b56b7 100644
> --- a/lib/mbedtls/external/mbedtls/library/pkcs7.c
> +++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c
> @@ -29,6 +29,13 @@
>  #include <time.h>
>  #endif
>
> +enum OID {
> +    /* PKCS#7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)} */
> +    MBEDTLS_OID_DATA = 13,          /* 1.2.840.113549.1.7.1 */
> +    /* Microsoft Authenticode & Software Publishing */
> +    MBEDTLS_OID_MS_INDIRECTDATA = 24,        /* 1.3.6.1.4.1.311.2.1.4 */
> +};
> +
>  /**
>   * Initializes the mbedtls_pkcs7 structure.
>   */
> @@ -449,7 +456,7 @@ cleanup:
>   *      signerInfos SignerInfos }
>   */
>  static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
> -                                 mbedtls_pkcs7_signed_data *signed_data)
> +                                 mbedtls_pkcs7 *pkcs7)
>  {
>      unsigned char *p = buf;
>      unsigned char *end = buf + buflen;
> @@ -457,6 +464,7 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
>      size_t len = 0;
>      int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
>      mbedtls_md_type_t md_alg;
> +    mbedtls_pkcs7_signed_data *signed_data = &pkcs7->signed_data;
>
>      ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
>                                 | MBEDTLS_ASN1_SEQUENCE);
> @@ -493,25 +501,57 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
>      if (ret != 0) {
>          return ret;
>      }
> -    if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) {
> +
> +    /*
> +     * We should only support 1.2.840.113549.1.7.1 (PKCS7 DATA) and
> +     * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code) that is for
> +     * U-Boot Secure Boot
> +     */
> +    if (!MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) {
> +        pkcs7->content_data.data_type = MBEDTLS_OID_DATA;
> +    } else if (!MBEDTLS_OID_CMP(MBEDTLS_OID_MICROSOFT_INDIRECTDATA,
> +                                &content_type)) {
> +        pkcs7->content_data.data_type = MBEDTLS_OID_MS_INDIRECTDATA;
> +    } else {
>          return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO;
>      }
>
>      if (p != end_content_info) {
> +        unsigned char *tmp_p = p;
> +
>          /* Determine if valid content is present */
>          ret = mbedtls_asn1_get_tag(&p,
>                                     end_content_info,
>                                     &len,
> -                                   MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC);
> +                                   MBEDTLS_ASN1_CONSTRUCTED |
> +                                   MBEDTLS_ASN1_CONTEXT_SPECIFIC);
> +        if (ret != 0 || p + len != end_content_info) {
> +            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO,
> +                                     ret);
> +        }
> +
> +        /*
> +         * U-Boot Secure Boot needs to calculate the digest of MicroSoft
> +         * Authentication Code during verifying an EFI image.
> +         * Thus we need to save the context of Content Data.
> +         */
> +        pkcs7->content_data.data_hdrlen = p - tmp_p;
> +        /* Parse the content data from a sequence */
> +        ret = mbedtls_asn1_get_tag(&p, end_content_info, &len,
> +                                   MBEDTLS_ASN1_CONSTRUCTED |
> +                                   MBEDTLS_ASN1_SEQUENCE);
>          if (ret != 0) {
> -            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
> +            /* TODO: Other Content Data formats are not supported at the moment */
> +            return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
> +        } else if (p + len != end_content_info) {
> +            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO,
> +                                     ret);
>          }
> +
> +        pkcs7->content_data.data = p;
> +        pkcs7->content_data.data_len = len;
> +
>          p += len;
> -        if (p != end_content_info) {
> -            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
> -        }
> -        /* Valid content is present - this is not supported */
> -        return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
>      }
>
>      /* Look for certificates, there may or may not be any */
> @@ -624,7 +664,7 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf,
>      }
>
>  try_data:
> -    ret = pkcs7_get_signed_data(p, len, &pkcs7->signed_data);
> +    ret = pkcs7_get_signed_data(p, len, pkcs7);
>      if (ret != 0) {
>          goto out;
>      }
> --
> 2.25.1
>
Raymond Mao May 8, 2024, 2:49 p.m. UTC | #2
Hi Ilias,

On Wed, 8 May 2024 at 10:32, Ilias Apalodimas <ilias.apalodimas@linaro.org>
wrote:

> Hi Raymond
>
> On Tue, 7 May 2024 at 20:57, Raymond Mao <raymond.mao@linaro.org> wrote:
> >
> > Populate MicroSoft Authentication Code from the content data
> > into PKCS7 decoding context if it exists in a PKCS7 message.
> > Add OIDs for describing objects using for MicroSoft Authentication
> > Code.
> >
>
> We will need more accurate commit messages for things like this.
> IIRC this is already on a PR for mbedTLS and won't be needed in the
> future right?
> Generally speaking, we shouldn't carry out of tree patches unless we
> can prove there's a very good reason. This one needs to be marked as
> 'do not merge' and we should wait until mbedTLS merges it upstream
>

I can add a tag here to link to the MbedTLS upstream PR for reference.
However, I think we still need to merge these patches, since MbedTLS will
not merge it in v3.6.0. Without it, the EFI Secure Boot and Capsule
functions will be broken.

In the future, when MbedTLS merges them in a later v3.6.x, we can simply
update the git subtree.

Regards,
Raymond

Patch

diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
index fdc25ebf885..2ee982808fa 100644
--- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
+++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
@@ -352,6 +352,36 @@ 
 #define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC     MBEDTLS_OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */
 #define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC      MBEDTLS_OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */
 
+/*
+ * MicroSoft Authenticate Code OIDs
+ */
+#define MBEDTLS_OID_PRIVATE_ENTERPRISE              MBEDTLS_OID_INTERNET "\x04\x01" /* {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) */
+#define MBEDTLS_OID_MICROSOFT                       "\x82\x37"  /* {microsoft(311)} */
+/*
+ * OID_msIndirectData: (1.3.6.1.4.1.311.2.1.4)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 4(4)}
+ */
+#define MBEDTLS_OID_MICROSOFT_INDIRECTDATA  MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
+    "\x02\x01\x04"
+/*
+ * OID_msStatementType: (1.3.6.1.4.1.311.2.1.11)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 11(11)}
+ */
+#define MBEDTLS_OID_MICROSOFT_STATETYPE  MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
+    "\x02\x01\x0b"
+/*
+ * OID_msSpOpusInfo: (1.3.6.1.4.1.311.2.1.12)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 12(12)}
+ */
+#define MBEDTLS_OID_MICROSOFT_SPOPUSINFO  MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
+    "\x02\x01\x0b"
+/*
+ * OID_msPeImageDataObjId: (1.3.6.1.4.1.311.2.1.15)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 15(15)}
+ */
+#define MBEDTLS_OID_MICROSOFT_PEIMAGEDATA  MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
+    "\x02\x01\x0f"
+
 /*
  * EC key algorithms from RFC 5480
  */
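Review bot: `MBEDTLS_OID_MICROSOFT_SPOPUSINFO` ends in `"\x02\x01\x0b"`, byte-for-byte the same as `MBEDTLS_OID_MICROSOFT_STATETYPE`, while its own comment gives the final arc as 12 (1.3.6.1.4.1.311.2.1.12). The last byte should be `\x0c`, i.e. `"\x02\x01\x0c"`; as written, any comparison against msSpOpusInfo would match msStatementType instead. Neither macro is used in the hunks shown here, so the error would stay silent until a later caller relies on it. The comment on `MBEDTLS_OID_PRIVATE_ENTERPRISE` is also missing its closing `}`.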
diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
index e9b482208e6..9e29b74af70 100644
--- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
+++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
@@ -132,12 +132,22 @@  typedef struct mbedtls_pkcs7_signed_data {
 }
 mbedtls_pkcs7_signed_data;
 
+/* Content Data for MicroSoft Authentication Code using in U-Boot Secure Boot */
+typedef struct mbedtls_pkcs7_conten_data {
+    int data_type;  /* Type of Data */
+    size_t data_len;    /* Length of Data */
+    size_t data_hdrlen; /* Length of Data ASN.1 header */
+    void *data;     /* Content Data */
+}
+mbedtls_pkcs7_conten_data;
+
 /**
  * Structure holding PKCS #7 structure, only signed data for now
  */
 typedef struct mbedtls_pkcs7 {
     mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw);
     mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data);
+    mbedtls_pkcs7_conten_data content_data;
 }
 mbedtls_pkcs7;
 
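Review bot: `void *data` is declared mutable and without any statement of ownership, yet the pkcs7.c hunk of this same patch fills it with `pkcs7->content_data.data = p`, a pointer into the buffer being parsed rather than a copy. I would declare it `const unsigned char *data;` and document it as borrowed, for example `/* Borrowed pointer into the parsed DER buffer; not owned, valid only while that buffer is */`, so that a secure-boot caller hashing these bytes knows it must neither free them nor outlive the buffer. The type name `mbedtls_pkcs7_conten_data` is misspelled ("conten") and becomes part of the public header as written. `content_data` is also the only member of `mbedtls_pkcs7` not wrapped in `MBEDTLS_PRIVATE()`; if that is deliberate, a comment saying so would help.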
diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c b/lib/mbedtls/external/mbedtls/library/pkcs7.c
index 3aac662ba69..0c2436b56b7 100644
--- a/lib/mbedtls/external/mbedtls/library/pkcs7.c
+++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c
@@ -29,6 +29,13 @@ 
 #include <time.h>
 #endif
 
+enum OID {
+    /* PKCS#7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)} */
+    MBEDTLS_OID_DATA = 13,          /* 1.2.840.113549.1.7.1 */
+    /* Microsoft Authenticode & Software Publishing */
+    MBEDTLS_OID_MS_INDIRECTDATA = 24,        /* 1.3.6.1.4.1.311.2.1.4 */
+};
+
 /**
  * Initializes the mbedtls_pkcs7 structure.
  */
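Review bot: `enum OID` is declared only inside pkcs7.c, but its values are written to `content_data.data_type`, a field of the struct added to the public pkcs7.h, so code outside this file has no named constant to compare `data_type` against. The enumerators also share the `MBEDTLS_OID_` prefix that oid.h uses for encoded OID byte strings, which makes `MBEDTLS_OID_DATA` (the integer 13) easy to confuse with `MBEDTLS_OID_PKCS7_DATA` (a string) when both appear in `pkcs7_get_signed_data`. I would move the enum next to the struct in pkcs7.h under a distinct prefix. The literals 13 and 24 look chosen to match an enumeration defined elsewhere (not visible here), and a comment should name that dependency, since nothing in this file keeps the two in step.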
@@ -449,7 +456,7 @@  cleanup:
  *      signerInfos SignerInfos }
  */
 static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
-                                 mbedtls_pkcs7_signed_data *signed_data)
+                                 mbedtls_pkcs7 *pkcs7)
 {
     unsigned char *p = buf;
     unsigned char *end = buf + buflen;
@@ -457,6 +464,7 @@  static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
     size_t len = 0;
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_md_type_t md_alg;
+    mbedtls_pkcs7_signed_data *signed_data = &pkcs7->signed_data;
 
     ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
                                | MBEDTLS_ASN1_SEQUENCE);
@@ -493,25 +501,57 @@  static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
     if (ret != 0) {
         return ret;
     }
-    if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) {
+
+    /*
+     * We should only support 1.2.840.113549.1.7.1 (PKCS7 DATA) and
+     * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code) that is for
+     * U-Boot Secure Boot
+     */
+    if (!MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) {
+        pkcs7->content_data.data_type = MBEDTLS_OID_DATA;
+    } else if (!MBEDTLS_OID_CMP(MBEDTLS_OID_MICROSOFT_INDIRECTDATA,
+                                &content_type)) {
+        pkcs7->content_data.data_type = MBEDTLS_OID_MS_INDIRECTDATA;
+    } else {
         return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO;
     }
 
     if (p != end_content_info) {
+        unsigned char *tmp_p = p;
+
         /* Determine if valid content is present */
         ret = mbedtls_asn1_get_tag(&p,
                                    end_content_info,
                                    &len,
-                                   MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC);
+                                   MBEDTLS_ASN1_CONSTRUCTED |
+                                   MBEDTLS_ASN1_CONTEXT_SPECIFIC);
+        if (ret != 0 || p + len != end_content_info) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO,
+                                     ret);
+        }
+
+        /*
+         * U-Boot Secure Boot needs to calculate the digest of MicroSoft
+         * Authentication Code during verifying an EFI image.
+         * Thus we need to save the context of Content Data.
+         */
+        pkcs7->content_data.data_hdrlen = p - tmp_p;
+        /* Parse the content data from a sequence */
+        ret = mbedtls_asn1_get_tag(&p, end_content_info, &len,
+                                   MBEDTLS_ASN1_CONSTRUCTED |
+                                   MBEDTLS_ASN1_SEQUENCE);
         if (ret != 0) {
-            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
+            /* TODO: Other Content Data formats are not supported at the moment */
+            return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
+        } else if (p + len != end_content_info) {
+            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO,
+                                     ret);
         }
+
+        pkcs7->content_data.data = p;
+        pkcs7->content_data.data_len = len;
+
         p += len;
-        if (p != end_content_info) {
-            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
-        }
-        /* Valid content is present - this is not supported */
-        return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
     }
 
     /* Look for certificates, there may or may not be any */
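Review bot: The second `mbedtls_asn1_get_tag()` call, the one expecting `CONSTRUCTED | SEQUENCE`, runs for both accepted content types, so a message whose content type is plain PKCS7 data but which carries a SEQUENCE is now accepted and stored in `content_data`. The code before this patch refused every embedded content with `MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE`. The same call's `ret != 0` branch also reports every ASN.1 failure (truncated length, out of data) as FEATURE_UNAVAILABLE, which hides malformed input behind an "unsupported" code. I would keep the old refusal for anything other than `MBEDTLS_OID_MS_INDIRECTDATA` and treat any parse failure of the indirect-data SEQUENCE as invalid content info, as sketched below. Nothing in this hunk ties the stored bytes to signature verification, so the caller presumably has to hash `content_data` itself; that deserves a comment where the pointer is stored. `pkcs7_get_signed_data` starts before and continues past this hunk.

```c
        pkcs7->content_data.data_hdrlen = p - tmp_p;
        /* Embedded content is only understood for MS indirect data */
        if (pkcs7->content_data.data_type != MBEDTLS_OID_MS_INDIRECTDATA) {
            return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
        }
        /* … unchanged: mbedtls_asn1_get_tag() for CONSTRUCTED | SEQUENCE … */
        if (ret != 0 || p + len != end_content_info) {
            return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO,
                                     ret);
        }
        /* … unchanged: store content_data.data and data_len, advance p … */
```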
@@ -624,7 +664,7 @@  int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf,
     }
 
 try_data:
-    ret = pkcs7_get_signed_data(p, len, &pkcs7->signed_data);
+    ret = pkcs7_get_signed_data(p, len, pkcs7);
     if (ret != 0) {
         goto out;
     }