From patchwork Fri Jul 10 00:24:47 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: AKASHI Takahiro X-Patchwork-Id: 1326282 X-Patchwork-Delegate: xypron.glpk@gmx.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=jWcbO/nq; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4B2v3s2n8fz9sQt for ; Fri, 10 Jul 2020 10:26:33 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 2D96281BEB; Fri, 10 Jul 2020 02:25:57 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="jWcbO/nq"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id BC6CB81BDD; Fri, 10 Jul 2020 02:25:45 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-pj1-x1043.google.com (mail-pj1-x1043.google.com [IPv6:2607:f8b0:4864:20::1043]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 3412281BCB for ; Fri, 10 Jul 2020 02:25:39 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=takahiro.akashi@linaro.org Received: by mail-pj1-x1043.google.com with SMTP id mn17so1848020pjb.4 for ; Thu, 09 Jul 2020 17:25:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=07SLB/8jMG5G0PXUBfuSM4XiD64ERu5Fc3Z5jq6e0Ow=; b=jWcbO/nq+UaYzlQjaHEcRgEf7MvQwZEY+MQOgad5LNQEhtWS9UJu6ofIkE5eFX4t+F g9yWPS6sbdN7Bsc9mjcZeDxjiHsFtmQcslS2Xx+YdsFs+54abYMIb3nqmSmv+3PIA+jp CFXFL4shVwC8JaeVyf6G/gY5acv++FzvIhRWOW3e9P0qanbIJVWadkjY/w99aRGNj8yU k0kNfQLC78zAjIECktWY0PeiqGsnlb5BxoWTNO+VQ6bt7u0ROcpRjsYLAhwMSX6fDUDq c5Z2BawsUiFdaKCI+eaOwIDYJRMHQ/qArSNxz85nkB/qnT0JAF95sYiAI+9VeXAV2O/3 sEHg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=07SLB/8jMG5G0PXUBfuSM4XiD64ERu5Fc3Z5jq6e0Ow=; b=S5lLu/UcpmD5Pql4ycHiRprPfxHiIMHxu/gVDFnhWKSWAYiBme9URm5QqpnCTLsSEz kumYeJsJt1+MLAHIKL0IuIE7NL8hkT5TPcd7wC55/lc4pqKNhKtl0HW0qXDIvHGCIrra 48xe53OGIezSNJ94m7kBCqT19EYLcoYM59w51MD0h6ABCmrlj5nrjm2lerMdyqb9KuUT 6nDVECTZtco8mr96pQvru+13h0G5pLBVrW/gatKXiz8xbVZHomiCrDLu8GsWr5aOK6in CvEijAq04LZMy+z/6B8Onf4SWTaxXWm9VE3NKBcV55jydGD/+aDzEi0dSDrWkksspI1X OCDg== X-Gm-Message-State: AOAM5301aSHKPXy3gF8CZsH2AXGwNAQMETGDP8a97K/Obh3XmQTK53Z3 82QeAclGjUFRmqKitsGttxWnfw== X-Google-Smtp-Source: ABdhPJy9WI4v/6PwbtFsAGgqcG+XwcJmmnqLwhe41lqwy9W29qEX/aWAhlkyoPnq775k+5BIUpBjrQ== X-Received: by 2002:a17:90a:db17:: with SMTP id g23mr2925856pjv.180.1594340737768; Thu, 09 Jul 2020 17:25:37 -0700 (PDT) Received: from localhost.localdomain (p6e421564.tkyea130.ap.so-net.ne.jp. [110.66.21.100]) by smtp.gmail.com with ESMTPSA id m16sm4242287pfd.101.2020.07.09.17.25.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Jul 2020 17:25:37 -0700 (PDT) From: AKASHI Takahiro To: xypron.glpk@gmx.de, agraf@csgraf.de Cc: sughosh.ganu@linaro.org, mail@patrick-wildt.de, u-boot@lists.denx.de, AKASHI Takahiro Subject: [PATCH v3 6/8] lib: crypto: export and enhance pkcs7_verify_one() Date: Fri, 10 Jul 2020 09:24:47 +0900 Message-Id: <20200710002449.26680-7-takahiro.akashi@linaro.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200710002449.26680-1-takahiro.akashi@linaro.org> References: <20200710002449.26680-1-takahiro.akashi@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de X-Virus-Status: Clean The function, pkcs7_verify_one(), will be utilized to rework signature verification logic aiming to support intermediate certificates in "chain of trust." To do that, its function interface is expanded, adding an extra argument which is expected to return the last certificate in trusted chain. Then, this last one must further be verified with signature database, db and/or dbx. Signed-off-by: AKASHI Takahiro --- include/crypto/pkcs7.h | 9 +++++- lib/crypto/pkcs7_verify.c | 61 ++++++++++++++++++++++++++++++++++----- 2 files changed, 62 insertions(+), 8 deletions(-) diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h index 8f5c8a7ee3b9..ca35df29f6fb 100644 --- a/include/crypto/pkcs7.h +++ b/include/crypto/pkcs7.h @@ -27,7 +27,14 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, const void **_data, size_t *_datalen, size_t *_headerlen); -#ifndef __UBOOT__ +#ifdef __UBOOT__ +struct pkcs7_signed_info; +struct x509_certificate; + +int pkcs7_verify_one(struct pkcs7_message *pkcs7, + struct pkcs7_signed_info *sinfo, + struct x509_certificate **signer); +#else /* * pkcs7_trust.c */ diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c index a32e841cb22b..6a51243fcf43 100644 --- a/lib/crypto/pkcs7_verify.c +++ b/lib/crypto/pkcs7_verify.c @@ -298,10 +298,27 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7, } /* - * Verify the internal certificate chain as best we can. + * pkcs7_verify_sig_chain - Verify the internal certificate chain as best + * as we can. + * @pkcs7: PKCS7 Signed Data + * @sinfo: PKCS7 Signed Info + * @signer: Singer's certificate + * + * Build up and verify the internal certificate chain against a signature + * in @sinfo, using certificates contained in @pkcs7 as best as we can. + * If the chain reaches the end, the last certificate will be returned + * in @signer. + * + * Return: 0 - on success, non-zero error code - otherwise */ +#ifdef __UBOOT__ +static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, + struct pkcs7_signed_info *sinfo, + struct x509_certificate **signer) +#else static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, struct pkcs7_signed_info *sinfo) +#endif { struct public_key_signature *sig; struct x509_certificate *x509 = sinfo->signer, *p; @@ -310,6 +327,8 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, kenter(""); + *signer = NULL; + for (p = pkcs7->certs; p; p = p->next) p->seen = false; @@ -327,6 +346,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, for (p = sinfo->signer; p != x509; p = p->signer) p->blacklisted = true; pr_debug("- blacklisted\n"); +#ifdef __UBOOT__ + *signer = x509; +#endif return 0; } @@ -352,6 +374,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, goto unsupported_crypto_in_x509; x509->signer = x509; pr_debug("- self-signed\n"); +#ifdef __UBOOT__ + *signer = x509; +#endif return 0; } @@ -382,6 +407,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, /* We didn't find the root of this chain */ pr_debug("- top\n"); +#ifdef __UBOOT__ + *signer = x509; +#endif return 0; found_issuer_check_skid: @@ -399,6 +427,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, if (p->seen) { pr_warn("Sig %u: X.509 chain contains loop\n", sinfo->index); +#ifdef __UBOOT__ + *signer = p; +#endif return 0; } ret = public_key_verify_signature(p->pub, x509->sig); @@ -407,6 +438,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7, x509->signer = p; if (x509 == p) { pr_debug("- self-signed\n"); +#ifdef __UBOOT__ + *signer = p; +#endif return 0; } x509 = p; @@ -426,13 +460,26 @@ unsupported_crypto_in_x509: } /* - * Verify one signed information block from a PKCS#7 message. + * pkcs7_verify_one - Verify one signed information block from a PKCS#7 + * message. + * @pkcs7: PKCS7 Signed Data + * @sinfo: PKCS7 Signed Info + * @signer: Signer's certificate + * + * Verify one signature in @sinfo and follow the certificate chain. + * If the chain reaches the end, the last certificate will be returned + * in @signer. + * + * Return: 0 - on success, non-zero error code - otherwise */ -#ifndef __UBOOT__ -static -#endif +#ifdef __UBOOT__ int pkcs7_verify_one(struct pkcs7_message *pkcs7, - struct pkcs7_signed_info *sinfo) + struct pkcs7_signed_info *sinfo, + struct x509_certificate **signer) +#else +static int pkcs7_verify_one(struct pkcs7_message *pkcs7, + struct pkcs7_signed_info *sinfo) +#endif { int ret; @@ -476,7 +523,7 @@ int pkcs7_verify_one(struct pkcs7_message *pkcs7, pr_devel("Verified signature %u\n", sinfo->index); /* Verify the internal certificate chain */ - return pkcs7_verify_sig_chain(pkcs7, sinfo); + return pkcs7_verify_sig_chain(pkcs7, sinfo, signer); } #ifndef __UBOOT__