From patchwork Fri Jul 17 07:16:28 2020
X-Patchwork-Submitter: AKASHI Takahiro
X-Patchwork-Id: 235680
From: AKASHI Takahiro
To: xypron.glpk@gmx.de, agraf@csgraf.de
Cc: sughosh.ganu@linaro.org, mail@patrick-wildt.de, u-boot@lists.denx.de, AKASHI Takahiro
Subject: [PATCH v4 5/7] lib: crypto: export and enhance pkcs7_verify_one()
Date: Fri, 17 Jul 2020 16:16:28 +0900
Message-Id: <20200717071630.7363-6-takahiro.akashi@linaro.org>
In-Reply-To: <20200717071630.7363-1-takahiro.akashi@linaro.org>
References: <20200717071630.7363-1-takahiro.akashi@linaro.org>

The function, pkcs7_verify_one(), will be utilized to rework signature verification logic aiming to support intermediate certificates in "chain of trust." To do that, its function interface is expanded, adding an extra argument which is expected to return the last certificate in the trusted chain. Then, this last one must further be verified with the signature database, db and/or dbx.

Signed-off-by: AKASHI Takahiro
---
 include/crypto/pkcs7.h | 9 +++++-
 lib/crypto/pkcs7_verify.c | 61 ++++++++++++++++++++++++++++++++++-----
 2 files changed, 62 insertions(+), 8 deletions(-)

-- 
2.27.0

diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 8f5c8a7ee3b9..ca35df29f6fb 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h @@ -27,7 +27,14 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, const void **_data, size_t *_datalen, size_t *_headerlen); -#ifndef __UBOOT__ +#ifdef __UBOOT__ +struct pkcs7_signed_info; +struct x509_certificate; + +int pkcs7_verify_one(struct pkcs7_message *pkcs7, + struct pkcs7_signed_info *sinfo, + struct x509_certificate **signer); +#else /* * pkcs7_trust.c */
diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c index a32e841cb22b..6a51243fcf43 100644 --- a/lib/crypto/pkcs7_verify.c +++ b/lib/crypto/pkcs7_verify.c @@ -298,10 +298,27 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7, } /* - * Verify the internal certificate chain as best we can. + * pkcs7_verify_sig_chain - Verify the internal certificate chain as best + * as we can. + * @pkcs7: PKCS7 Signed Data + * @sinfo: PKCS7 Signed Info + * @signer: Singer's certificate + * + * Build up and verify the internal certificate chain against a signature + * in @sinfo, using certificates contained in @pkcs7 as best as we can. + * If the chain reaches the end, the last certificate will be returned + * in @signer. + * + * Return: 0 - on success, non-zero error code - otherwise */ +#ifdef __UBOOT__ +static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, + struct pkcs7_signed_info *sinfo, + struct x509_certificate **signer) +#else static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, struct pkcs7_signed_info *sinfo) +#endif { struct public_key_signature *sig; struct x509_certificate *x509 = sinfo->signer, *p; @@ -310,6 +327,8 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, kenter(""); + *signer = NULL; + for (p = pkcs7->certs; p; p = p->next) p->seen = false; @@ -327,6 +346,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, for (p = sinfo->signer; p != x509; p = p->signer) p->blacklisted = true; pr_debug("- blacklisted\n"); +#ifdef __UBOOT__ + *signer = x509; +#endif return 0; } @@ -352,6 +374,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, goto unsupported_crypto_in_x509; x509->signer = x509; pr_debug("- self-signed\n"); +#ifdef __UBOOT__ + *signer = x509; +#endif return 0; } 
@@ -382,6 +407,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, /* We didn't find the root of this chain */ pr_debug("- top\n"); +#ifdef __UBOOT__ + *signer = x509; +#endif return 0; found_issuer_check_skid: @@ -399,6 +427,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, if (p->seen) { pr_warn("Sig %u: X.509 chain contains loop\n", sinfo->index); +#ifdef __UBOOT__ + *signer = p; +#endif return 0; } ret = public_key_verify_signature(p->pub, x509->sig); @@ -407,6 +438,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, x509->signer = p; if (x509 == p) { pr_debug("- self-signed\n"); +#ifdef __UBOOT__ + *signer = p; +#endif return 0; } x509 = p; @@ -426,13 +460,26 @@ unsupported_crypto_in_x509: } /* - * Verify one signed information block from a PKCS#7 message. + * pkcs7_verify_one - Verify one signed information block from a PKCS#7 + * message. + * @pkcs7: PKCS7 Signed Data + * @sinfo: PKCS7 Signed Info + * @signer: Signer's certificate + * + * Verify one signature in @sinfo and follow the certificate chain. + * If the chain reaches the end, the last certificate will be returned + * in @signer. + * + * Return: 0 - on success, non-zero error code - otherwise */ -#ifndef __UBOOT__ -static -#endif +#ifdef __UBOOT__ int pkcs7_verify_one(struct pkcs7_message *pkcs7, - struct pkcs7_signed_info *sinfo) + struct pkcs7_signed_info *sinfo, + struct x509_certificate **signer) +#else +static int pkcs7_verify_one(struct pkcs7_message *pkcs7, + struct pkcs7_signed_info *sinfo) +#endif { int ret; @@ -476,7 +523,7 @@ int pkcs7_verify_one(struct pkcs7_message *pkcs7, pr_devel("Verified signature %u\n", sinfo->index); /* Verify the internal certificate chain */ - return pkcs7_verify_sig_chain(pkcs7, sinfo); + return pkcs7_verify_sig_chain(pkcs7, sinfo, signer); } #ifndef __UBOOT__
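Review bot: the include/crypto/pkcs7.h hunk exports `pkcs7_verify_one()` with the new `struct x509_certificate **signer` out-parameter but says nothing about what the pointer refers to; every assignment in the .c file stores a certificate that belongs to the message (`sinfo->signer` or an entry of `pkcs7->certs`), so a one-line comment that @signer points into @pkcs7's certificate list and is not a new reference would stop callers from freeing it or keeping it past `pkcs7_free_message()`.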
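Review bot: typo in the new kernel-doc of `pkcs7_verify_sig_chain()` (hunk `@@ -298,10 +298,27 @@`): `@signer: Singer's certificate` should read `Signer's certificate`. The same comment documents @signer unconditionally although the `#else` prototype right below it has no such parameter; either mark the parameter line as U-Boot only or drop the two-argument variant.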
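Review bot: in hunk `@@ -310,6 +327,8 @@` the line `*signer = NULL;` is added without an `#ifdef __UBOOT__` guard, while the `#else` prototype of `pkcs7_verify_sig_chain()` in the preceding hunk has no `signer` parameter, so the non-U-Boot configuration that the `#else` branches are kept for would no longer compile. Guard it like the other `*signer = ...` assignments in this function, or remove the `#else` variants altogether if this file is only ever built with `__UBOOT__` defined.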
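Review bot: on the blacklisted path (hunk `@@ -327,6 +346,9 @@`) the function now returns 0 with `*signer = x509`, and `x509` is exactly the certificate that was found blacklisted; the loop above it only marks the certificates between the leaf and `x509`. A caller that reads "return 0 and @signer set" as "chain verified, look @signer up in db" would therefore trust a certificate the message itself flags. Either state in the kernel-doc that the caller must check `(*signer)->blacklisted`, or return an error in the `__UBOOT__` build instead of success.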
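Review bot: in the "- top" case (hunk `@@ -382,6 +407,9 @@`) the certificate stored in `*signer` is the one whose issuer was not found in the message, so its own signature has not been checked by this function at all. The kernel-doc sentence "If the chain reaches the end, the last certificate will be returned in @signer" should say explicitly that this certificate is unverified and that the caller must verify it against db, as the commit message intends, rather than treating a zero return as sufficient.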
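Review bot: when a loop is detected (hunk `@@ -399,6 +427,9 @@`) the hunk stores `*signer = p` and still returns 0, although `p` was already visited (`p->seen`) and a looped chain has no end certificate to hand back. Returning success with a signer here invites the caller to look up a certificate from a malformed chain; in the `__UBOOT__` build consider returning an error, or at least leaving @signer NULL, for this case.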
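Review bot: `pkcs7_verify_one()` (hunk `@@ -426,13 +460,26 @@`) never writes `*signer` itself; it is initialised only inside `pkcs7_verify_sig_chain()`, which is reached after the digest and signature checks succeed. On the earlier error returns @signer is left untouched, so a caller that inspects it without first checking the return code reads an uninitialised pointer. Add `*signer = NULL;` at the top of the `__UBOOT__` variant of `pkcs7_verify_one()`, or state in the new kernel-doc that @signer is valid only when 0 is returned.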
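Review bot: the call-site change `return pkcs7_verify_sig_chain(pkcs7, sinfo, signer);` (hunk `@@ -476,7 +523,7 @@`) is unguarded, while the `#else` definition of `pkcs7_verify_sig_chain()` takes two arguments and the `#else` `pkcs7_verify_one()` has no `signer` to pass; this is the same build break as the unguarded `*signer = NULL;`. Either wrap the call in `#ifdef __UBOOT__` with the old two-argument call in `#else`, or drop the non-U-Boot variants so the file has a single set of prototypes.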
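The commit message describes a two-step policy: walk the certificate chain carried in the PKCS#7 message to its last certificate, then verify that certificate against db and dbx. The following is an added toy model of that caller-side policy, written for this review; it is not U-Boot code and does no cryptography. Its `struct cert`, `check_chain()`, the name-based issuer matching that stands in for a signature check, and the constructed sample certificates and fingerprints are all assumptions of the example. It goes slightly beyond the commit message in one respect, as a defensive choice: dbx is consulted for every member of the chain, not only the last one, and a dbx hit wins over any db match.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHAIN 8

/* Constructed stand-in for an X.509 certificate. A real one carries a
 * signature checked against the issuer's public key; this model matches
 * issuer to subject by name instead and performs no cryptography. */
struct cert {
	const char *subject;
	const char *issuer;
	const char *fp;		/* constructed stand-in for the certificate hash */
};

enum verdict {
	VERDICT_TRUSTED,	/* chain ends at a db entry */
	VERDICT_FORBIDDEN,	/* a chain member is listed in dbx */
	VERDICT_UNTRUSTED,	/* chain is consistent but unknown to db */
	VERDICT_MALFORMED,	/* loop or over-long chain */
};

static const struct cert *find_by_subject(const struct cert *certs, size_t n,
					  const char *subject)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(certs[i].subject, subject) == 0)
			return &certs[i];
	return NULL;
}

static bool fp_listed(const char *fp, const char *const *list, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(list[i], fp) == 0)
			return true;
	return false;
}

/*
 * Walk from the leaf towards the root using only the certificates carried
 * in the message, in the spirit of pkcs7_verify_sig_chain(). Fills chain[]
 * and returns its length; chain[len - 1] is the "last certificate": either
 * a self-signed root or the certificate whose issuer is absent from the
 * message. Returns 0 when a loop or an over-long chain is found.
 */
static size_t walk_chain(const struct cert *leaf, const struct cert *certs,
			 size_t n, const struct cert *chain[MAX_CHAIN])
{
	const struct cert *x = leaf;
	size_t len = 0;

	for (;;) {
		for (size_t i = 0; i < len; i++)
			if (chain[i] == x)
				return 0;	/* X.509 chain contains loop */
		if (len == MAX_CHAIN)
			return 0;
		chain[len++] = x;
		if (strcmp(x->subject, x->issuer) == 0)
			return len;	/* self-signed */
		x = find_by_subject(certs, n, x->issuer);
		if (!x)
			return len;	/* top: issuer not in the message */
	}
}

/*
 * Caller-side policy: the last certificate is only a candidate. It is
 * trusted when it is itself enrolled in db, or when its issuer is a db
 * entry (name match standing in for a signature check with the db key).
 * dbx is checked for every chain member and overrides db.
 */
enum verdict check_chain(const struct cert *leaf,
			 const struct cert *certs, size_t ncerts,
			 const struct cert *db, size_t ndb,
			 const char *const *dbx, size_t ndbx)
{
	const struct cert *chain[MAX_CHAIN];
	size_t len = walk_chain(leaf, certs, ncerts, chain);
	const struct cert *last;
	bool self_signed;

	if (len == 0)
		return VERDICT_MALFORMED;
	for (size_t i = 0; i < len; i++)
		if (fp_listed(chain[i]->fp, dbx, ndbx))
			return VERDICT_FORBIDDEN;
	last = chain[len - 1];
	self_signed = strcmp(last->subject, last->issuer) == 0;
	for (size_t i = 0; i < ndb; i++) {
		if (strcmp(db[i].fp, last->fp) == 0)
			return VERDICT_TRUSTED;	/* last cert itself enrolled */
		if (!self_signed && strcmp(db[i].subject, last->issuer) == 0)
			return VERDICT_TRUSTED;	/* its issuer is enrolled */
	}
	return VERDICT_UNTRUSTED;
}

/* Constructed sample: leaf issued by an intermediate, root not in the message. */
static const struct cert msg_certs[] = {
	{ "CN=image-signer", "CN=vendor-intermediate", "fp-leaf" },
	{ "CN=vendor-intermediate", "CN=vendor-root", "fp-inter" },
};
static const struct cert db_root[] = {
	{ "CN=vendor-root", "CN=vendor-root", "fp-root" },
};

int main(void)
{
	static const char *const names[] = { "trusted", "forbidden", "untrusted", "malformed" };
	const char *const dbx_inter[] = { "fp-inter" };

	printf("root in db:          %s\n",
	       names[check_chain(&msg_certs[0], msg_certs, 2, db_root, 1, NULL, 0)]);
	printf("intermediate in dbx: %s\n",
	       names[check_chain(&msg_certs[0], msg_certs, 2, db_root, 1, dbx_inter, 1)]);
	return 0;
}
```

The point the model makes is the one the review comments above circle around: a zero return from the chain walk only says the message is internally consistent up to its last certificate; trust comes from the db lookup of that certificate (or its issuer), and a dbx hit anywhere in the chain must reject regardless of db.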