Hi Raymond
On Tue, 7 May 2024 at 20:57, Raymond Mao raymond.mao@linaro.org wrote:
Populate MicroSoft Authentication Code from the content data into PKCS7 decoding context if it exists in a PKCS7 message. Add OIDs for describing objects using for MicroSoft Authentication Code.
We will need more accurate commit messages for things like this. IIRC this is already on a PR for mbedTLS and won't be needed in the future right? Generally speaking, we shouldn't carry out of tree patches unless we can prove there's a very good reason. This one needs to be marked as 'do not merge' and we should wait until mbedTLS merges it upstream
Thanks /Ilias
Signed-off-by: Raymond Mao raymond.mao@linaro.org
Changes in v2
- None.
.../external/mbedtls/include/mbedtls/oid.h | 30 ++++++++++ .../external/mbedtls/include/mbedtls/pkcs7.h | 10 ++++ lib/mbedtls/external/mbedtls/library/pkcs7.c | 60 +++++++++++++++---- 3 files changed, 90 insertions(+), 10 deletions(-)
diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h index fdc25ebf885..2ee982808fa 100644 --- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h @@ -352,6 +352,36 @@ #define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC MBEDTLS_OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */ #define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC MBEDTLS_OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */
+/*
- MicroSoft Authenticate Code OIDs
- */
+#define MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_INTERNET "\x04\x01" /* {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) */ +#define MBEDTLS_OID_MICROSOFT "\x82\x37" /* {microsoft(311)} */ +/*
- OID_msIndirectData: (1.3.6.1.4.1.311.2.1.4)
- {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 4(4)}
- */
+#define MBEDTLS_OID_MICROSOFT_INDIRECTDATA MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
- "\x02\x01\x04"
+/*
- OID_msStatementType: (1.3.6.1.4.1.311.2.1.11)
- {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 11(11)}
- */
+#define MBEDTLS_OID_MICROSOFT_STATETYPE MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
- "\x02\x01\x0b"
+/*
- OID_msSpOpusInfo: (1.3.6.1.4.1.311.2.1.12)
- {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 12(12)}
- */
+#define MBEDTLS_OID_MICROSOFT_SPOPUSINFO MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
- "\x02\x01\x0b"
+/*
- OID_msPeImageDataObjId: (1.3.6.1.4.1.311.2.1.15)
- {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 15(15)}
- */
+#define MBEDTLS_OID_MICROSOFT_PEIMAGEDATA MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \
- "\x02\x01\x0f"
/*
- EC key algorithms from RFC 5480
*/ diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h index e9b482208e6..9e29b74af70 100644 --- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h @@ -132,12 +132,22 @@ typedef struct mbedtls_pkcs7_signed_data { } mbedtls_pkcs7_signed_data;
+/* Content Data for MicroSoft Authentication Code using in U-Boot Secure Boot */ +typedef struct mbedtls_pkcs7_conten_data {
- int data_type; /* Type of Data */
- size_t data_len; /* Length of Data */
- size_t data_hdrlen; /* Length of Data ASN.1 header */
- void *data; /* Content Data */
+} +mbedtls_pkcs7_conten_data;
/**
- Structure holding PKCS #7 structure, only signed data for now
*/ typedef struct mbedtls_pkcs7 { mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw); mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data);
- mbedtls_pkcs7_conten_data content_data;
} mbedtls_pkcs7;
diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c b/lib/mbedtls/external/mbedtls/library/pkcs7.c index 3aac662ba69..0c2436b56b7 100644 --- a/lib/mbedtls/external/mbedtls/library/pkcs7.c +++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c @@ -29,6 +29,13 @@ #include <time.h> #endif
+enum OID {
- /* PKCS#7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)} */
- MBEDTLS_OID_DATA = 13, /* 1.2.840.113549.1.7.1 */
- /* Microsoft Authenticode & Software Publishing */
- MBEDTLS_OID_MS_INDIRECTDATA = 24, /* 1.3.6.1.4.1.311.2.1.4 */
+};
/**
- Initializes the mbedtls_pkcs7 structure.
*/ @@ -449,7 +456,7 @@ cleanup:
signerInfos SignerInfos }*/ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
mbedtls_pkcs7_signed_data *signed_data)
mbedtls_pkcs7 *pkcs7){ unsigned char *p = buf; unsigned char *end = buf + buflen; @@ -457,6 +464,7 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, size_t len = 0; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_alg;
mbedtls_pkcs7_signed_data *signed_data = &pkcs7->signed_data;
ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
@@ -493,25 +501,57 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, if (ret != 0) { return ret; }
- if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) {
/*
* We should only support 1.2.840.113549.1.7.1 (PKCS7 DATA) and* 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code) that is for* U-Boot Secure Boot*/if (!MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) {
pkcs7->content_data.data_type = MBEDTLS_OID_DATA;} else if (!MBEDTLS_OID_CMP(MBEDTLS_OID_MICROSOFT_INDIRECTDATA,
&content_type)) {pkcs7->content_data.data_type = MBEDTLS_OID_MS_INDIRECTDATA;} else { return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO; }
if (p != end_content_info) {
unsigned char *tmp_p = p;/* Determine if valid content is present */ ret = mbedtls_asn1_get_tag(&p, end_content_info, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC);
MBEDTLS_ASN1_CONSTRUCTED |MBEDTLS_ASN1_CONTEXT_SPECIFIC);if (ret != 0 || p + len != end_content_info) {return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO,ret);}/** U-Boot Secure Boot needs to calculate the digest of MicroSoft* Authentication Code during verifying an EFI image.* Thus we need to save the context of Content Data.*/pkcs7->content_data.data_hdrlen = p - tmp_p;/* Parse the content data from a sequence */ret = mbedtls_asn1_get_tag(&p, end_content_info, &len,MBEDTLS_ASN1_CONSTRUCTED |MBEDTLS_ASN1_SEQUENCE); if (ret != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
/* TODO: Other Content Data formats are not supported at the moment */return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;} else if (p + len != end_content_info) {return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO,ret); }pkcs7->content_data.data = p;pkcs7->content_data.data_len = len;p += len;
if (p != end_content_info) {return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);}/* Valid content is present - this is not supported */return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;}
/* Look for certificates, there may or may not be any */
@@ -624,7 +664,7 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf, }
try_data:
- ret = pkcs7_get_signed_data(p, len, &pkcs7->signed_data);
- ret = pkcs7_get_signed_data(p, len, pkcs7); if (ret != 0) { goto out; }
-- 2.25.1