| Message ID | 20240528140955.1960172-20-raymond.mao@linaro.org |
|---|---|
| State | RFC |
| Delegated to: | Tom Rini |
| Headers | show |
| Series | Integrate MbedTLS v3.6 LTS with U-Boot | expand |
On Tue, 28 May 2024 at 17:17, Raymond Mao <raymond.mao@linaro.org> wrote: > > Add porting layer for MSCode on top of MbedTLS ASN1 library. > > Signed-off-by: Raymond Mao <raymond.mao@linaro.org> > --- > Changes in v2 > - Move the porting layer to MbedTLS dir. > Changes in v3 > - None. > > lib/mbedtls/Makefile | 1 + > lib/mbedtls/mscode_parser.c | 111 ++++++++++++++++++++++++++++++++++++ > 2 files changed, 112 insertions(+) > create mode 100644 lib/mbedtls/mscode_parser.c > > diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile > index 005b8a25320..f0b8a1c4003 100644 > --- a/lib/mbedtls/Makefile > +++ b/lib/mbedtls/Makefile > @@ -26,6 +26,7 @@ obj-$(CONFIG_MBEDTLS_LIB_X509) += x509_mbedtls.o > x509_mbedtls-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o > x509_mbedtls-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += x509_cert_parser.o > x509_mbedtls-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_parser.o > +x509_mbedtls-$(CONFIG_$(SPL_)MSCODE_PARSER) += mscode_parser.o > > obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o > mbedtls_lib_crypto-y := \ > diff --git a/lib/mbedtls/mscode_parser.c b/lib/mbedtls/mscode_parser.c > new file mode 100644 > index 00000000000..34715f3a137 > --- /dev/null > +++ b/lib/mbedtls/mscode_parser.c > @@ -0,0 +1,111 @@ > +// SPDX-License-Identifier: GPL-2.0+ > +/* > + * MSCode parser using MbedTLS ASN1 library > + * > + * Copyright (c) 2024 Linaro Limited > + * Author: Raymond Mao <raymond.mao@linaro.org> > + */ > + > +#include <linux/kernel.h> > +#include <linux/err.h> > +#include <crypto/pkcs7.h> > +#include <crypto/mscode.h> > + > +/* > + * Parse a Microsoft Individual Code Signing blob > + * > + * U.P.SEQUENCE { > + * U.P.OBJECTIDENTIFIER 1.3.6.1.4.1.311.2.1.15 (SPC_PE_IMAGE_DATA_OBJID) > + * U.P.SEQUENCE { > + * U.P.BITSTRING NaN : 0 unused bit(s); > + * [C.P.0] { > + * [C.P.2] { > + * [C.P.0] <arbitrary string> > + * } > + * } > + * } > + * } > + * U.P.SEQUENCE { > + * U.P.SEQUENCE { > + * U.P.OBJECTIDENTIFIER <digest algorithm OID> > + * U.P.NULL > + * } > + * U.P.OCTETSTRING <PE image digest> > + * } You need to describe the function arguments as well on the comment > + * > + */ > +int mscode_parse(void *_ctx, const void *content_data, size_t data_len, > + size_t asn1hdrlen) > +{ > + struct pefile_context *ctx = _ctx; > + unsigned char *p = (unsigned char *)content_data; > + unsigned char *end = (unsigned char *)content_data + data_len; Why are you dropping const here? > + size_t len = 0; > + int ret; > + unsigned char *inner_p; > + size_t seq_len = 0; > + > + ret = mbedtls_asn1_get_tag(&p, end, &seq_len, > + MBEDTLS_ASN1_CONSTRUCTED | > + MBEDTLS_ASN1_SEQUENCE); > + if (ret) > + return ret; > + > + inner_p = p; > + ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len, MBEDTLS_ASN1_OID); > + if (ret) > + return ret; > + > + /* Sanity check on the PE Image Data OID (1.3.6.1.4.1.311.2.1.15) */ > + if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_PEIMAGEDATA, inner_p, len)) > + return -EINVAL; > + > + p += seq_len; > + ret = mbedtls_asn1_get_tag(&p, end, &seq_len, > + MBEDTLS_ASN1_CONSTRUCTED | > + MBEDTLS_ASN1_SEQUENCE); > + if (ret) > + return ret; > + > + ret = mbedtls_asn1_get_tag(&p, p + seq_len, &seq_len, > + MBEDTLS_ASN1_CONSTRUCTED | > + MBEDTLS_ASN1_SEQUENCE); > + if (ret) > + return ret; > + > + inner_p = p; > + > + /* > + * Check if the inner sequence contains a supported hash > + * algorithm OID > + */ > + ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len, MBEDTLS_ASN1_OID); > + if (ret) > + return ret; > + > + if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_MD5, inner_p, len)) > + ctx->digest_algo = "md5"; > + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA1, inner_p, len)) > + ctx->digest_algo = "sha1"; > + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA224, inner_p, len)) > + ctx->digest_algo = "sha224"; > + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA256, inner_p, len)) > + ctx->digest_algo = "sha256"; > + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA384, inner_p, len)) > + ctx->digest_algo = "sha384"; > + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA512, inner_p, len)) > + ctx->digest_algo = "sha512"; > + > + if (!ctx->digest_algo) > + return -EINVAL; > + > + p += seq_len; > + ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); > + if (ret) > + return ret; > + > + ctx->digest = p; > + ctx->digest_len = len; > + > + return 0; > +} > -- > 2.25.1 > Thanks /Ilias
Hi Ilias, On Fri, 31 May 2024 at 06:03, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote: > On Tue, 28 May 2024 at 17:17, Raymond Mao <raymond.mao@linaro.org> wrote: > > > > Add porting layer for MSCode on top of MbedTLS ASN1 library. > > > > Signed-off-by: Raymond Mao <raymond.mao@linaro.org> > > --- > > Changes in v2 > > - Move the porting layer to MbedTLS dir. > > Changes in v3 > > - None. > > > > lib/mbedtls/Makefile | 1 + > > lib/mbedtls/mscode_parser.c | 111 ++++++++++++++++++++++++++++++++++++ > > 2 files changed, 112 insertions(+) > > create mode 100644 lib/mbedtls/mscode_parser.c > > > > [snip] > > diff --git a/lib/mbedtls/mscode_parser.c b/lib/mbedtls/mscode_parser.c > > new file mode 100644 > > index 00000000000..34715f3a137 > > --- /dev/null > > +++ b/lib/mbedtls/mscode_parser.c > > [snip] > > > + * > > + */ > > +int mscode_parse(void *_ctx, const void *content_data, size_t data_len, > > + size_t asn1hdrlen) > > +{ > > + struct pefile_context *ctx = _ctx; > > + unsigned char *p = (unsigned char *)content_data; > > + unsigned char *end = (unsigned char *)content_data + data_len; > > Why are you dropping const here? > > mbedtls_asn1_get_tag requires the args without const. Regards, Raymond
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 005b8a25320..f0b8a1c4003 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -26,6 +26,7 @@ obj-$(CONFIG_MBEDTLS_LIB_X509) += x509_mbedtls.o x509_mbedtls-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o x509_mbedtls-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += x509_cert_parser.o x509_mbedtls-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_parser.o +x509_mbedtls-$(CONFIG_$(SPL_)MSCODE_PARSER) += mscode_parser.o obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o mbedtls_lib_crypto-y := \ diff --git a/lib/mbedtls/mscode_parser.c b/lib/mbedtls/mscode_parser.c new file mode 100644 index 00000000000..34715f3a137 --- /dev/null +++ b/lib/mbedtls/mscode_parser.c @@ -0,0 +1,111 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * MSCode parser using MbedTLS ASN1 library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao <raymond.mao@linaro.org> + */ + +#include <linux/kernel.h> +#include <linux/err.h> +#include <crypto/pkcs7.h> +#include <crypto/mscode.h> + +/* + * Parse a Microsoft Individual Code Signing blob + * + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.3.6.1.4.1.311.2.1.15 (SPC_PE_IMAGE_DATA_OBJID) + * U.P.SEQUENCE { + * U.P.BITSTRING NaN : 0 unused bit(s); + * [C.P.0] { + * [C.P.2] { + * [C.P.0] <arbitrary string> + * } + * } + * } + * } + * U.P.SEQUENCE { + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER <digest algorithm OID> + * U.P.NULL + * } + * U.P.OCTETSTRING <PE image digest> + * } + * + */ +int mscode_parse(void *_ctx, const void *content_data, size_t data_len, + size_t asn1hdrlen) +{ + struct pefile_context *ctx = _ctx; + unsigned char *p = (unsigned char *)content_data; + unsigned char *end = (unsigned char *)content_data + data_len; + size_t len = 0; + int ret; + unsigned char *inner_p; + size_t seq_len = 0; + + ret = mbedtls_asn1_get_tag(&p, end, &seq_len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (ret) + return ret; + + inner_p = p; + ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len, MBEDTLS_ASN1_OID); + if (ret) + return ret; + + /* Sanity check on the PE Image Data OID (1.3.6.1.4.1.311.2.1.15) */ + if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_PEIMAGEDATA, inner_p, len)) + return -EINVAL; + + p += seq_len; + ret = mbedtls_asn1_get_tag(&p, end, &seq_len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (ret) + return ret; + + ret = mbedtls_asn1_get_tag(&p, p + seq_len, &seq_len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (ret) + return ret; + + inner_p = p; + + /* + * Check if the inner sequence contains a supported hash + * algorithm OID + */ + ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len, MBEDTLS_ASN1_OID); + if (ret) + return ret; + + if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_MD5, inner_p, len)) + ctx->digest_algo = "md5"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA1, inner_p, len)) + ctx->digest_algo = "sha1"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA224, inner_p, len)) + ctx->digest_algo = "sha224"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA256, inner_p, len)) + ctx->digest_algo = "sha256"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA384, inner_p, len)) + ctx->digest_algo = "sha384"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA512, inner_p, len)) + ctx->digest_algo = "sha512"; + + if (!ctx->digest_algo) + return -EINVAL; + + p += seq_len; + ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); + if (ret) + return ret; + + ctx->digest = p; + ctx->digest_len = len; + + return 0; +}
Add porting layer for MSCode on top of MbedTLS ASN1 library. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> --- Changes in v2 - Move the porting layer to MbedTLS dir. Changes in v3 - None. lib/mbedtls/Makefile | 1 + lib/mbedtls/mscode_parser.c | 111 ++++++++++++++++++++++++++++++++++++ 2 files changed, 112 insertions(+) create mode 100644 lib/mbedtls/mscode_parser.c