From patchwork Thu Oct 3 21:50:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1992594 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=kYagFT13; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XKbtR270vz1xt7 for ; Fri, 4 Oct 2024 14:59:11 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 1560A89032; Fri, 4 Oct 2024 06:57:26 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="kYagFT13"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 9E67788C6D; Thu, 3 Oct 2024 23:56:49 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 3A90788CC5 for ; Thu, 3 Oct 2024 23:56:47 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=raymond.mao@linaro.org Received: by mail-qt1-x82a.google.com with SMTP id d75a77b69052e-4581ec0e00eso10080721cf.3 for ; Thu, 03 Oct 2024 14:56:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1727992606; x=1728597406; darn=lists.denx.de; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=plX8z+lM00jEYmi/LyzdwvevYUziuvwO8TwHiALzRtc=; b=kYagFT13iDa74eL3d5IwZeYwZG18FYEvbS1+Z72/W0SIymWjIEuTEM13isly9ZqRnq VD1zMGd7QJiISd0BvTSeXISdQDRAgzk/aMHvsgbrBDc/dsRMWZl+LFbou0oWm+J9aB1z SIr+KvhrMs63yt+e/Lfy0OJsz3ewUGfdnwleU3kgmNcUH80IWWaD0Ek6GaDdj5C+0aB2 xUoRPnuBjvoFHw3sAxuGEFiaeS0Nf1GqBS/VpMoVmQoYM1LtaFQxrkJglJQTsYTODj6T I0pssE04O3DZelvpaibDdF3DFpxfJz7WzEmuPuu8jylopSptTNzDlUuZEjUkcdm2yJvS ZcyQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727992606; x=1728597406; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=plX8z+lM00jEYmi/LyzdwvevYUziuvwO8TwHiALzRtc=; b=jX2Zqi2ie4QLv5OelT2EdBQY+xQkWvcMhqXIs0cr9fqYfFKQ5VJUVN8RZ0VJhKWgld mCpVS77MWdEoUkWZaVrU5dygXQXp0JOTwPyGBgEJHq8KFMJe7JyHricbPR1wpvlnoqzq 3cRD7xu4neZfdQVSPrqWU8PzQs7TMRZTxI8Di7itV+woG1Nyt+ERJu0ZIgYZ3ecUJp43 WHPApnIL2fDFYg0D8MwsMS+wq2CapLYRQzUnuDZyaJT/ULBxh/so52rqqYabUhyih4Vm ux58gqk6k7lIcIWGeWd1FxqFamWApZEgFXLtpCHjtnJxDacYc0B0K3TR/bdkc6M22gsd bqwg== X-Gm-Message-State: AOJu0YwbEcY2ELdqJWSHDow96PXqTLY/P73kNOMfnvFglh2a+4b7h7uG c02G3n8BJvQlGGOtwJQHkdPXGhB/7rIRHNeGS/sv3/yeiepKW/Ptr4kOGTq689BgdlaMvyTW4tD R X-Google-Smtp-Source: AGHT+IFn4beaupUelTlMFIFW98h9exGoG2wv4Pa6NkT89ejPGsmcPLjtidkUZIaFbx4a6bJO6swWyg== X-Received: by 2002:a05:622a:229b:b0:458:534f:fa06 with SMTP id d75a77b69052e-45d9baf4333mr9406801cf.50.1727992605877; Thu, 03 Oct 2024 14:56:45 -0700 (PDT) Received: from ubuntu.localdomain (pool-174-114-184-37.cpe.net.cable.rogers.com. [174.114.184.37]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-45d92ddf5c4sm9001541cf.18.2024.10.03.14.56.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 03 Oct 2024 14:56:45 -0700 (PDT) From: Raymond Mao To: u-boot@lists.denx.de Cc: manish.pandey2@arm.com, Raymond Mao , Tom Rini , Stefan Bosch , Mario Six , Andy Shevchenko , Michal Simek , Tuomas Tynkkynen , Simon Glass , Peng Fan , Jaehoon Chung , Ilias Apalodimas , Jiaxun Yang , Heinrich Schuchardt , Sean Anderson , Sumit Garg , Andrew Davis , Rasmus Villemoes , Bryan Brattlof , "Leon M. Busch-George" , AKASHI Takahiro , Alexander Gendin , Mattijs Korpershoek , Jonathan Humphreys , Marek Vasut , Paul Barker , Greg Malysa , Linus Walleij , Kongyang Liu , Jonas Karlman , Sughosh Ganu , Anand Moon , Eddie James Subject: [PATCH v8 10/27] mbedtls/external: support decoding multiple signer's cert Date: Thu, 3 Oct 2024 14:50:23 -0700 Message-Id: <20241003215112.3103601-11-raymond.mao@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org> References: <20241003215112.3103601-1-raymond.mao@linaro.org> MIME-Version: 1.0 X-Mailman-Approved-At: Fri, 04 Oct 2024 06:57:18 +0200 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean Support decoding multiple signer's cert in the signed data within a PKCS7 message. The PR for this patch is at: https://github.com/Mbed-TLS/mbedtls/pull/9001 For enabling EFI loader PKCS7 features with MbedTLS build, we need this patch on top of MbedTLS v3.6.0 before it is merged into the next MbedTLS LTS release. Signed-off-by: Raymond Mao --- Changes in v2 - None. Changes in v3 - Update commit message. Changes in v4 - None. Changes in v5 - None. Changes in v6 - None. Changes in v7 - None. Changes in v8 - None lib/mbedtls/external/mbedtls/library/pkcs7.c | 75 ++++++++++++-------- 1 file changed, 47 insertions(+), 28 deletions(-) diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c b/lib/mbedtls/external/mbedtls/library/pkcs7.c index da73fb341d6..01105227d7a 100644 --- a/lib/mbedtls/external/mbedtls/library/pkcs7.c +++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c @@ -61,6 +61,36 @@ static int pkcs7_get_next_content_len(unsigned char **p, unsigned char *end, return ret; } +/** + * Get and decode one cert from a sequence. + * Return 0 for success, + * Return negative error code for failure. + **/ +static int pkcs7_get_one_cert(unsigned char **p, unsigned char *end, + mbedtls_x509_crt *certs) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len = 0; + unsigned char *start = *p; + unsigned char *end_cert; + + ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE); + if (ret != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CERT, ret); + } + + end_cert = *p + len; + + if ((ret = mbedtls_x509_crt_parse_der(certs, start, end_cert - start)) < 0) { + return MBEDTLS_ERR_PKCS7_INVALID_CERT; + } + + *p = end_cert; + + return 0; +} + /** * version Version * Version ::= INTEGER @@ -178,11 +208,12 @@ static int pkcs7_get_certificates(unsigned char **p, unsigned char *end, mbedtls_x509_crt *certs) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t len1 = 0; - size_t len2 = 0; - unsigned char *end_set, *end_cert, *start; + size_t len = 0; + unsigned char *end_set; + int num_of_certs = 0; - ret = mbedtls_asn1_get_tag(p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED + /* Get the set of certs */ + ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC); if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { return 0; @@ -190,38 +221,26 @@ static int pkcs7_get_certificates(unsigned char **p, unsigned char *end, if (ret != 0) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret); } - start = *p; - end_set = *p + len1; + end_set = *p + len; - ret = mbedtls_asn1_get_tag(p, end_set, &len2, MBEDTLS_ASN1_CONSTRUCTED - | MBEDTLS_ASN1_SEQUENCE); + ret = pkcs7_get_one_cert(p, end_set, certs); if (ret != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CERT, ret); + return ret; } - end_cert = *p + len2; + num_of_certs++; - /* - * This is to verify that there is only one signer certificate. It seems it is - * not easy to differentiate between the chain vs different signer's certificate. - * So, we support only the root certificate and the single signer. - * The behaviour would be improved with addition of multiple signer support. - */ - if (end_cert != end_set) { - return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; - } - - if ((ret = mbedtls_x509_crt_parse_der(certs, start, len1)) < 0) { - return MBEDTLS_ERR_PKCS7_INVALID_CERT; + while (*p != end_set) { + ret = pkcs7_get_one_cert(p, end_set, certs); + if (ret != 0) { + return ret; + } + num_of_certs++; } - *p = end_cert; + *p = end_set; - /* - * Since in this version we strictly support single certificate, and reaching - * here implies we have parsed successfully, we return 1. - */ - return 1; + return num_of_certs; } /**