[2/2] Hide forced-signer-name from non-CMS and wolfSSL

Message ID	20230321130713.5203-3-bage@debian.org
State	Accepted
Headers	show Return-Path: <swupdate+bncBC4Z7BGUB4II5WHGUADBUBAPMZJCI@googlegroups.com> Sender: swupdate@googlegroups.com Received-SPF: none (google.com: debian.org does not designate permitted sender hosts) client-ip=2001:41b8:202:deb::311:108; From: Bastian Germann <bage@debian.org> To: swupdate@googlegroups.com Cc: Bastian Germann <bage@debian.org> Subject: [swupdate] [PATCH 2/2] Hide forced-signer-name from non-CMS and wolfSSL Date: Tue, 21 Mar 2023 14:07:13 +0100 Message-Id: <20230321130713.5203-3-bage@debian.org> In-Reply-To: <20230321130713.5203-1-bage@debian.org> References: <20230321130713.5203-1-bage@debian.org> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Precedence: list Mailing-list: list swupdate@googlegroups.com; contact swupdate+owners@googlegroups.com
Series	Add PKCS#7 verification \| expand [0/2] Add PKCS#7 verification [1/2] Add PKCS#7 verification for wolfSSL [2/2] Hide forced-signer-name from non-CMS and wolfSSL

Message ID

20230321130713.5203-3-bage@debian.org

State

Accepted

Headers

Sender: swupdate@googlegroups.com
Received-SPF: none (google.com: debian.org does not designate permitted sender
 hosts) client-ip=2001:41b8:202:deb::311:108;
From: Bastian Germann <bage@debian.org>
To: swupdate@googlegroups.com
Cc: Bastian Germann <bage@debian.org>
Subject: [swupdate] [PATCH 2/2] Hide forced-signer-name from non-CMS and
 wolfSSL
Date: Tue, 21 Mar 2023 14:07:13 +0100
Message-Id: <20230321130713.5203-3-bage@debian.org>
In-Reply-To: <20230321130713.5203-1-bage@debian.org>
References: <20230321130713.5203-1-bage@debian.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Precedence: list
Mailing-list: list swupdate@googlegroups.com;
 contact swupdate+owners@googlegroups.com

Series

Add PKCS#7 verification | expand

Commit Message

Bastian Germann March 21, 2023, 1:07 p.m. UTC

The common name comparison is not implemented for PKCS#7 (wolfSSL),
so prevent using it. It cannot be implemented with the plain RSA
verification, so hide it from those configurations as well.

Signed-off-by: Bastian Germann <bage@debian.org>
---
 core/swupdate.c                        | 4 ++++
 scripts/acceptance-tests/CheckImage.mk | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/core/swupdate.c b/core/swupdate.c
index 9955b4b..dff2baf 100644
--- a/core/swupdate.c
+++ b/core/swupdate.c
@@ -93,8 +93,10 @@  static struct option long_options[] = {
 	{"key", required_argument, NULL, 'k'},
 	{"ca-path", required_argument, NULL, 'k'},
 	{"cert-purpose", required_argument, NULL, '1'},
+#if defined(CONFIG_SIGALG_CMS) && !defined(CONFIG_SSL_IMPL_WOLFSSL)
 	{"forced-signer-name", required_argument, NULL, '2'},
 #endif
+#endif
 #ifdef CONFIG_ENCRYPTED_IMAGES
 	{"key-aes", required_argument, NULL, 'K'},
 #endif
@@ -149,7 +151,9 @@  static void usage(char *programname)
 		" -k, --key <public key file>    : file with public key to verify images\n"
 		"     --cert-purpose <purpose>   : set expected certificate purpose\n"
 		"                                  [emailProtection|codeSigning] (default: emailProtection)\n"
+#if defined(CONFIG_SIGALG_CMS) && !defined(CONFIG_SSL_IMPL_WOLFSSL)
 		"     --forced-signer-name <cn>  : set expected common name of signer certificate\n"
+#endif
 		"     --ca-path                  : path to the Certificate Authority (PEM)\n"
 #endif
 #ifdef CONFIG_ENCRYPTED_IMAGES
diff --git a/scripts/acceptance-tests/CheckImage.mk b/scripts/acceptance-tests/CheckImage.mk
index ab691ad..b7c8791 100644
--- a/scripts/acceptance-tests/CheckImage.mk
+++ b/scripts/acceptance-tests/CheckImage.mk
@@ -43,7 +43,9 @@  endif
 tests-y += InvOptsNoImg
 tests-$(CONFIG_MONGOOSE) += InvOptsCheckWithWeb
 tests-$(CONFIG_SURICATTA) += InvOptsCheckWithSur
+ifneq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
 tests-$(CONFIG_SIGALG_CMS) += InvSigNameCheck
+endif
 tests-$(CONFIG_SIGALG_CMS) += ValidSigNameCheck
 
 #

[2/2] Hide forced-signer-name from non-CMS and wolfSSL

Commit Message

Patch