From patchwork Wed May 5 19:43:16 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Mulbrook, Andrew" X-Patchwork-Id: 1474554 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=googlegroups.com (client-ip=2607:f8b0:4864:20::f3a; helo=mail-qv1-xf3a.google.com; envelope-from=swupdate+bncbaabbxpkzocamgqe66ms2ki@googlegroups.com; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=googlegroups.com header.i=@googlegroups.com header.a=rsa-sha256 header.s=20161025 header.b=rxBp5blM; dkim-atps=neutral Received: from mail-qv1-xf3a.google.com (mail-qv1-xf3a.google.com [IPv6:2607:f8b0:4864:20::f3a]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Fb6Zn0jvPz9sPf for ; Thu, 6 May 2021 05:43:28 +1000 (AEST) Received: by mail-qv1-xf3a.google.com with SMTP id b1-20020a0c9b010000b02901c4bcfbaa53sf2444459qve.19 for ; Wed, 05 May 2021 12:43:28 -0700 (PDT) ARC-Seal: i=3; a=rsa-sha256; t=1620243805; cv=pass; d=google.com; s=arc-20160816; b=rNKhL284vEIjJ1j3XcGce8+WFSo+unp2nVE/SgwnqSmTee4iDu6muFD31ECuXZCrht JzFlrbZ4/DYPQnDOdxZMdgXmwXkub0njcGpVm6WDT2p+/z2vwjI2EWbqXnQ0HXtV8DXY Kh9QEn0PqM6JEcj48lLGzVqErv99WC3IeEfBAGxjMZVZ/hdakYoll+vTlN8Lr5bJEw3Z lv9ujNjZ6VNX2GYvTVy9KLfgPhT/BIACXs1phSuokehJFSDVKvH2pRjmSvnECZmsaQxP QJA9Hyqn7rkcIOk4GaQ9PUf8aXFR0hoxmkfSinD4Z2Spua7mb1QHgpkxBkN4eQ0cLaqL Q/GA== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:mime-version :content-language:accept-language:in-reply-to:references:message-id :date:thread-index:thread-topic:subject:cc:to:from:dkim-signature; bh=itcuPIZa+gahhJPQi6DEeK8PCq8dvFTJpSjWkq0uKm4=; b=mNGCsZlSAMmkI7ctKfUK/7AcytvpQKACB9QiL7cl3Co1YxN86s0RF5c06KtQROz4y9 ox289JYl+/YDXwzRcwXDbCKYYte07BFyX2bw8BPT0t7wGc8qXsvP8xY2FB0QW4Apnww+ GKA1OGhF/zm8eVurWQuLLKEIaOoivTIPjfY+3+2LnO0he6HarV0Mn2ThnQJMXLMKu1bR 6EdQr1zb5ZoG+T50l0rLAq+Vfv9ukgHi4Jr+CHZNWkp2+um86eFPWHvlxJ56LZs55tAc 6/uCPbP+ZJKmX0QzmwPU55ik//KyyJ0yFxXC3cHWTlHKl+kgFPkXqn5GhkVuYYb3/hHj FZLQ== ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@garmin.com header.s=pps1 header.b=AzN9xkYh; dkim=pass header.i=@garmin.onmicrosoft.com header.s=selector1-garmin-onmicrosoft-com header.b="b0nv/7n5"; arc=pass (i=1 spf=pass spfdomain=garmin.com dmarc=pass fromdomain=garmin.com); spf=pass (google.com: domain of andrew.mulbrook@garmin.com designates 205.220.165.212 as permitted sender) smtp.mailfrom=Andrew.Mulbrook@garmin.com; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=garmin.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20161025; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language :mime-version:x-original-sender:x-original-authentication-results :reply-to:precedence:mailing-list:list-id:list-post:list-help :list-archive:list-subscribe:list-unsubscribe; bh=itcuPIZa+gahhJPQi6DEeK8PCq8dvFTJpSjWkq0uKm4=; b=rxBp5blMcn6AnGuo4EmGLVjBqxwpQikMRKhegJB6I9BxXo5Pez/ZfnwtX4cseC29oO Pgs57ar8gvPyjSPe0Ks7yyn0nU+H8r5zKbB+nEPyQGfeA9nmFpXHjQoq3WO2UO5hDPsX Ri1wrvcPLnDAz9+NdzvHeCZWbvhetazrc4s2bVbtRLAIuDNbVV4olMhbLd0m8yFumED6 UkkOL34sYoByQqQX4euBSRE4C5wo0k8fGVJcW8uz1o2BMauXTYyVBB0faB7bY/0uh8Ad RRjZtBKepdpa8ETU6GCVbmSOKRuxHMdRWbCS8iyf3kxm22BDPaetERKjFzuAg7c8WELB 1wYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:mime-version:x-original-sender :x-original-authentication-results:reply-to:precedence:mailing-list :list-id:x-spam-checked-in-group:list-post:list-help:list-archive :list-subscribe:list-unsubscribe; bh=itcuPIZa+gahhJPQi6DEeK8PCq8dvFTJpSjWkq0uKm4=; b=lZ2FGNk1qvrUG5G/Fmw3Nnd/K5MUYcfozUU4R/QppAwyqVagLklQxQhmUngOTzgO4o Xyq/6oByextz9IazwrPIkGEcO7EzBWuLyQ8bKQDaYqgRa3LXb4b9kacxewP3QDtk/hiu rBA59Q0mYo4ZmZQL2V3yqKj83cjZuWe+vu7IDMsFSB8egOlGKlg8JRT1N0Ut55/nd2xr KdWEHSnEKZ3M92Fs1w9vkGmP3236rJgWbq6LjlNDzhIaWcq8pq+oU8hLYQ95cTtAO+U7 M16hgSmNtWQ8H7bidye/Jc4X3PHn8c5+8gnxMWLp8TJQ7oGCfBU/P39pTM7qySX5WOgp gU0g== X-Gm-Message-State: AOAM533X4dYauh+zqxd9ResKyvYrig2L9LQ9cm22UmmNoIndgcWIvX36 kMDFZVV153NFrXI+UpXMuv4= X-Google-Smtp-Source: ABdhPJyQ0aG6EDtKfO2+gYJ485BfMksqHK2rsUsgwfT7op6UxTZixP5TeufTETxBSgZwO48kZ0zq5Q== X-Received: by 2002:ac8:a04:: with SMTP id b4mr228421qti.376.1620243805803; Wed, 05 May 2021 12:43:25 -0700 (PDT) X-BeenThere: swupdate@googlegroups.com Received: by 2002:a0c:f28a:: with SMTP id k10ls77525qvl.3.gmail; Wed, 05 May 2021 12:43:25 -0700 (PDT) X-Received: by 2002:a05:6214:d01:: with SMTP id 1mr319650qvh.57.1620243805393; Wed, 05 May 2021 12:43:25 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1620243805; cv=pass; d=google.com; s=arc-20160816; b=rRi3/DSfKO5KMzPs7b2bTgkrauQ0WiPoSwAlVZNaExESrURAPx02JykbeOjwgQ0g61 m3rIXDSlda98FTbnEd4g1H1/RaFUQ3dV9cAAHHOlQT7whhxGbC1iO58JQlNVSY2wQ0tb UPm5025h1xSzvTpe5zG0XBwVKDehI5yOLC1BP5X5hlQdVQWYP/J+oR/TJahZjsyFdyoh ddmWLRakukSHZ/j8SQ7rotLvXK1sWjiS7cax4XyBRE1eKFPQ2c62+5PMPDPAFJg4Fi2Z oQGoouvxsMgAtd0x5bUJltKAd1tgUVnsStGZw6ttdGl0kztDgVbU1Qw1lSQAZtzLL3Tz CKIA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:content-language:accept-language:in-reply-to :references:message-id:date:thread-index:thread-topic:subject:cc:to :from:dkim-signature:dkim-signature; bh=wqp/Q5edCRHgof1C2LMzDfWUDzt+KahQfmWm+/Rs5Yo=; b=FvZQjQejrV2sNIszA5wIntcGgKMgDw3rqGLQO9UI8iiihat8Em6DEHMDFOonoKCwUG hS5yi8TlEIwxeH16N0BVuPhiB40ivvvClC9i5bRuPzzwRV+P1ot1/TEaoQyRSTuuC9b1 iP1QblCiJBsG+83NZS8KTFTm//b+sZNN3XYHHzmxTjJeANF5y4Ef9LwA2noZWoZV4FxE xZBB01U6wY2eTxlNlJbBRuMhyEN3BMABGqJx8eJhRyiJFi2TyaLNee0begQkieAtXYRr OrCqxqva1MHuRqvOs+yMZqXob7W9qOY1jAZRPFkGrX+AGwJbRxzrpt6cmMLc6yfIGwgk HI0Q== ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@garmin.com header.s=pps1 header.b=AzN9xkYh; dkim=pass header.i=@garmin.onmicrosoft.com header.s=selector1-garmin-onmicrosoft-com header.b="b0nv/7n5"; arc=pass (i=1 spf=pass spfdomain=garmin.com dmarc=pass fromdomain=garmin.com); spf=pass (google.com: domain of andrew.mulbrook@garmin.com designates 205.220.165.212 as permitted sender) smtp.mailfrom=Andrew.Mulbrook@garmin.com; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=garmin.com Received: from mx0a-000eb902.pphosted.com (mx0a-000eb902.pphosted.com. [205.220.165.212]) by gmr-mx.google.com with ESMTPS id s65si23966qkc.2.2021.05.05.12.43.25 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 05 May 2021 12:43:25 -0700 (PDT) Received-SPF: pass (google.com: domain of andrew.mulbrook@garmin.com designates 205.220.165.212 as permitted sender) client-ip=205.220.165.212; Received: from pps.filterd (m0220295.ppops.net [127.0.0.1]) by mx0a-000eb902.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 145JfSJK002023; Wed, 5 May 2021 14:43:21 -0500 Received: from nam11-bn8-obe.outbound.protection.outlook.com (mail-bn8nam11lp2175.outbound.protection.outlook.com [104.47.58.175]) by mx0a-000eb902.pphosted.com with ESMTP id 38bea99s1p-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 05 May 2021 14:43:21 -0500 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YEyA5LGHVrfavEwX8+uLiZ01JXfonIhOiYPvH33zxXO665cPBJGHyAJtsbgK+pr8L72XwUxt94mBNqI7soyuI3nCQbHXWQwQ30oDx2k/7XdxYl+e3anWOdvrXJ993es+16bdfD9TLK7qJ43OPcwGPUWsNLaNpFkZm4Kioku8Lnj8uYUdT5lW1R23qQXL5B5DJQB7COMgF9bGl82BF0CPaTK1dvujHgwf0U5Q4UURL6/HQZpe/TEx5G4dGrS4kmvMRaCgNijlIpo3ht57Zx/wBBYhcx8EzTOeTxEWQleuVxCBn5RpCg0/j6aOwE6ld3kItoLnoukAX5uQGohjvfbakw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wqp/Q5edCRHgof1C2LMzDfWUDzt+KahQfmWm+/Rs5Yo=; b=Szout/0XTE9N/5bUgn7AMDiCZyXKJ9soBdXtlANSlzSiGMqOJ2b9XIY0AI57Q1/OmcuZsCd5treziENWnuFeC+EzMTQsFg81qgAzzsAKlpgrs4ueWWNYEyAdA+E7dUCAGEldJUUyouD1OCDNof2DEcfVeDLNbg7FKDpt2ojIRwHosH6Zv4pQWQycNJXOs8xMzCLJShBaeGc+MHGk0Wp3naEE86eEgAXv06IsM0Zo67MBKZX/SkBFzeG3NoqubIUeFzADYUA3wcJqqwQEMAt1zMIoN7FyoW2KhCh7XRUAwQhcnTXjBHH2G5nn7noBPAIuhregraf1ZumkZkkcUnpatw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 204.77.163.244) smtp.rcpttodomain=googlegroups.com smtp.mailfrom=garmin.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=garmin.com; dkim=none (message not signed); arc=none Received: from MWHPR14CA0040.namprd14.prod.outlook.com (2603:10b6:300:12b::26) by MW4PR04MB7268.namprd04.prod.outlook.com (2603:10b6:303:7e::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4108.25; Wed, 5 May 2021 19:43:18 +0000 Received: from MW2NAM10FT068.eop-nam10.prod.protection.outlook.com (2603:10b6:300:12b:cafe::d6) by MWHPR14CA0040.outlook.office365.com (2603:10b6:300:12b::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4108.25 via Frontend Transport; Wed, 5 May 2021 19:43:18 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 204.77.163.244) smtp.mailfrom=garmin.com; googlegroups.com; dkim=none (message not signed) header.d=none;googlegroups.com; dmarc=pass action=none header.from=garmin.com; Received-SPF: Pass (protection.outlook.com: domain of garmin.com designates 204.77.163.244 as permitted sender) receiver=protection.outlook.com; client-ip=204.77.163.244; helo=edgetransport.garmin.com; Received: from edgetransport.garmin.com (204.77.163.244) by MW2NAM10FT068.mail.protection.outlook.com (10.13.154.134) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4108.25 via Frontend Transport; Wed, 5 May 2021 19:43:18 +0000 Received: from OLAWPA-EXMB8.ad.garmin.com (10.5.144.18) by olawpa-edge2.garmin.com (10.60.4.35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.2106.2; Wed, 5 May 2021 14:43:12 -0500 Received: from OLAWPA-EXMB8.ad.garmin.com (10.5.144.18) by OLAWPA-EXMB8.ad.garmin.com (10.5.144.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521) id 15.1.2242.4; Wed, 5 May 2021 14:43:17 -0500 Received: from OLAWPA-EXMB8.ad.garmin.com ([fe80::acc8:480a:b46f:6ce3]) by OLAWPA-EXMB8.ad.garmin.com ([fe80::acc8:480a:b46f:6ce3%23]) with mapi id 15.01.2242.008; Wed, 5 May 2021 14:43:17 -0500 X-Patchwork-Original-From: "'Mulbrook, Andrew' via swupdate" From: "Mulbrook, Andrew" To: Stefano Babic CC: "'swupdate@googlegroups.com'" Subject: [swupdate] Re: SWUpdate - Multiple key configuration Thread-Topic: SWUpdate - Multiple key configuration Thread-Index: AQHXOvIKrSqzkrvmAkC3NAbjZIjQ7KrIYdwAgAATg2CAAF+TgIAMfHBP Date: Wed, 5 May 2021 19:43:16 +0000 Message-ID: <97dcb0c97ab840b49b5570ded392b25b@garmin.com> References: <146fbe98-38c7-92a8-9f16-dd219b535f24@denx.de> <9a1cb6675b71406583dd2f8c9dd40c2e@garmin.com>, In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: x-originating-ip: [10.50.4.7] MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 3f1664f4-ef12-462e-28f5-08d90ffe0872 X-MS-TrafficTypeDiagnostic: MW4PR04MB7268: X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:9508; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: lFBaLmeGYuwUeUIaatusZbC1nysmALfqxegJ/2XPtnDuAKkMNuKGnjiRTjNXcaMKgxYrNRApDKgYJjZrdyKH/tJ2Eugatv9QVZkAqp1P12Df8YXFRF5Qvdtli49zbp+Iu0HD68W2+dTcNOgK5yLg/M1Wo04goKakx4JMB7KhBhFK3Mz/b/2KOBF6bgwcyc4l4ecO2MIE6Th80Nng7XbyRAA1Pv94s9ILPkNba7j2E1os7RNfTzj8aKirF3Ga9qQ0Eog0w4i2RNKF7TbVd11P2iRRsvkf0vbnJ635F+gtmINnu+SnbiqiReWS88KW65yuwxkfygMP9PjeJC95j0nxlr3Pmsw1vQitdQlOl2F91FByXe5RrS2qW4x0eVtqT/wlIrgeRnulIzW/h5MEHZ3ORiFEXi8Og1FCmUFl2IG5jd9iwEjDKNLMZ9rRsJy13xh5AjjY7VIhJAvO1H9Dq/5nuJG6AOwvTpq5+CFHq3VNU5ag1XIygbJdvGhUoQRE+TsCViEPCWNkqQQpoCIxiVq4CEu2E1RWjwlVheMC3lVCF3Gr2JOB0IbKAjR5uZkD1cYIuB+EIEldhAV0QSF7BtLrB8KY6KKPfN5nekL5EWIpvxuXr+A9WTO+iXTIRqocZ5dQd1ItRp8ogftBvS7yziU7s94G3Q6PcYXbCadndfAG1Gc= X-Forefront-Antispam-Report: CIP:204.77.163.244;CTRY:US;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:edgetransport.garmin.com;PTR:extedge.garmin.com;CAT:NONE;SFS:(376002)(346002)(136003)(396003)(39860400002)(36840700001)(46966006)(2616005)(336012)(82740400003)(86362001)(426003)(6916009)(83380400001)(478600001)(82310400003)(99936003)(8676002)(36860700001)(316002)(66616009)(186003)(356005)(8936002)(26005)(47076005)(4326008)(24736004)(108616005)(2906002)(7696005)(70586007)(235185007)(36756003)(70206006)(7636003)(5660300002);DIR:OUT;SFP:1102; X-OriginatorOrg: garmin.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 May 2021 19:43:18.5845 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 3f1664f4-ef12-462e-28f5-08d90ffe0872 X-MS-Exchange-CrossTenant-Id: 38d0d425-ba52-4c0a-a03e-2a65c8e82e2d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=38d0d425-ba52-4c0a-a03e-2a65c8e82e2d;Ip=[204.77.163.244];Helo=[edgetransport.garmin.com] X-MS-Exchange-CrossTenant-AuthSource: MW2NAM10FT068.eop-nam10.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: MW4PR04MB7268 X-Proofpoint-GUID: gvLUSUiYc3TVth92zPYuo7sUpFcTdTmF X-Proofpoint-ORIG-GUID: gvLUSUiYc3TVth92zPYuo7sUpFcTdTmF X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391,18.0.761 definitions=2021-05-05_10:2021-05-05,2021-05-05 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxscore=0 malwarescore=0 adultscore=0 spamscore=0 clxscore=1015 impostorscore=0 suspectscore=0 phishscore=0 priorityscore=1501 mlxlogscore=999 bulkscore=0 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104060000 definitions=main-2105050134 X-Original-Sender: andrew.mulbrook@garmin.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@garmin.com header.s=pps1 header.b=AzN9xkYh; dkim=pass header.i=@garmin.onmicrosoft.com header.s=selector1-garmin-onmicrosoft-com header.b="b0nv/7n5"; arc=pass (i=1 spf=pass spfdomain=garmin.com dmarc=pass fromdomain=garmin.com); spf=pass (google.com: domain of andrew.mulbrook@garmin.com designates 205.220.165.212 as permitted sender) smtp.mailfrom=Andrew.Mulbrook@garmin.com; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=garmin.com X-Original-From: "Mulbrook, Andrew" Reply-To: "Mulbrook, Andrew" Precedence: list Mailing-list: list swupdate@googlegroups.com; contact swupdate+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: swupdate@googlegroups.com X-Google-Group-Id: 605343134186 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , >> From: Stefano Babic > Just appearently : if the new key is delivered due to a security reason, > you have tons of HW accepting software with the old key. This can help > in a mixed conditions (a mix in field of devices with new and old keys, > and nobody can track it) - but again, it is even a well known use case > with certificates. It does not matter if your SWU is signed with an old > or new certificate, until they are released by the same CA SWUpdate is > able to verify both. I think this is the fundamentals of the use case. We have multiple devices in field with potentially outdated PKI information and no network connectivity. The desire is to allow acceptance of an update by including a signature done with the outdated signer information and require devices with updated software to accept only the newer signature. In other words, we want a single update to operate correctly on old hardware without updated certificates and new hardware with updated certificates. > Yes, but RSA keys suffer for this limitattion - you will be better > served by switching to CMS. The issue I found with CMS is that the default verification handling routines of OpenSSL verify ALL signatures within the archive, and that means that a signature provided by an unknown CA or signature done with a revoked certificate would trip the verification. After some tinkering, I managed to find a solution to that I think hits our use case and maintains swupdate well. The attached patch adds an option that skips out the OpenSSL check of all signatures and instead requires that at least one of the signatures matches the public key certificate passed to swupdate. I think this in combination with ignoring key expirey dates gets us where we need. I hope the attached patch technique works - if another approach would be better to get included in the upstream, we're open to revising further. At this point, I'm scratching my head for more ideas that don't involve more complicated PKI on the device side. > Another point you can consider is to extend SWUpdate's keystore. > Currently, SWUpdate loads just one key or one CA certificate. Having > multiple keys or multiple certificates that SWUpdate (or better, openSSL > or the other crypto implementation) could be an option for you. If we are utilizing CMS signatures, I think this might make sense as an extension to the included patch. The main use case now is simply trying to update devices with outdated key information. Thanks for your time, Andrew From 062014ba9fe13f7979c5b0a302cf4cf06cdef344 Mon Sep 17 00:00:00 2001 From: Andrew Mulbrook Date: Wed, 5 May 2021 14:10:28 -0500 Subject: [PATCH] Add optional CMS single signer verification This change introduces a Kconfig parameter allowing CMS verification when additional unrecognized signatures are included in the CMS stream. Content verification is required against all signatures, but swupdate only requires a single signature in the set to be verified against the public key specified to swupdate. This operation requires manual checking of signatures outside of the CMS_verify operation as OpenSSL requires all signatures within the CMS envelop to verify. Signed-off-by: Andrew Mulbrook --- Kconfig | 4 +++ corelib/swupdate_cms_verify.c | 58 ++++++++++++++++++++++++++++++++++- 2 files changed, 61 insertions(+), 1 deletion(-) diff --git a/Kconfig b/Kconfig index 75f9eaa..2a8133c 100644 --- a/Kconfig +++ b/Kconfig @@ -457,6 +457,10 @@ config CMS_IGNORE_EXPIRED_CERTIFICATE config CMS_IGNORE_CERTIFICATE_PURPOSE bool "Ignore X.509 certificate purpose" depends on SIGALG_CMS + +config CMS_SKIP_UNKNOWN_SIGNERS + bool "Ignore unverifiable signatures if known signer verifies" + depends on SIGALG_CMS endmenu diff --git a/corelib/swupdate_cms_verify.c b/corelib/swupdate_cms_verify.c index 5ec3878..2c0ba39 100644 --- a/corelib/swupdate_cms_verify.c +++ b/corelib/swupdate_cms_verify.c @@ -16,6 +16,12 @@ #include "util.h" #include "swupdate_verify_private.h" +#if defined(CONFIG_CMS_SKIP_UNKNOWN_SIGNERS) +#define VERIFY_UNKNOWN_SIGNER_FLAGS (CMS_NO_SIGNER_CERT_VERIFY) +#else +#define VERIFY_UNKNOWN_SIGNER_FLAGS (0) +#endif + int check_code_sign(const X509_PURPOSE *xp, const X509 *crt, int ca) { X509 *x = (X509 *)crt; @@ -182,6 +188,47 @@ static int check_signer_name(CMS_ContentInfo *cms, const char *name) return ret; } +#if defined(CONFIG_CMS_SKIP_UNKNOWN_SIGNERS) +static int check_verified_signer(CMS_ContentInfo* cms, X509_STORE* store) +{ + int i, ret = 1; + + X509_STORE_CTX *ctx = X509_STORE_CTX_new(); + STACK_OF(CMS_SignerInfo) *infos = CMS_get0_SignerInfos(cms); + STACK_OF(X509)* cms_certs = CMS_get1_certs(cms); + + if (!ctx) { + ERROR("Failed to allocate verification context"); + return ret; + } + + for (i = 0; i < sk_CMS_SignerInfo_num(infos) && ret != 0; ++i) { + CMS_SignerInfo *si = sk_CMS_SignerInfo_value(infos, i); + X509 *signer = NULL; + + CMS_SignerInfo_get0_algs(si, NULL, &signer, NULL, NULL); + if (!X509_STORE_CTX_init(ctx, store, signer, cms_certs)) { + ERROR("Failed to initialize signer verification operation"); + break; + } + + X509_STORE_CTX_set_default(ctx, "smime_sign"); + if (X509_verify_cert(ctx) > 0) { + TRACE("Verified signature %d in signer sequence", i); + ret = 0; + } else { + TRACE("Failed to verify certificate %d in signer sequence", i); + } + + X509_STORE_CTX_cleanup(ctx); + } + + X509_STORE_CTX_free(ctx); + + return ret; +} +#endif + int swupdate_verify_file(struct swupdate_digest *dgst, const char *sigfile, const char *file, const char *signer_name) { @@ -221,13 +268,22 @@ int swupdate_verify_file(struct swupdate_digest *dgst, const char *sigfile, /* Then try to verify signature */ if (!CMS_verify(cms, NULL, dgst->certs, content_bio, - NULL, CMS_BINARY)) { + NULL, CMS_BINARY | VERIFY_UNKNOWN_SIGNER_FLAGS)) { ERR_print_errors_fp(stderr); ERROR("Signature verification failed"); status = -EBADMSG; goto out; } +#if defined(CONFIG_CMS_SKIP_UNKNOWN_SIGNERS) + /* Verify at least one signer authenticates */ + if (check_verified_signer(cms, dgst->certs)) { + ERROR("Authentication of all signatures failed"); + status = -EBADMSG; + goto out; + } +#endif + TRACE("Verified OK"); /* Signature is valid */ -- 2.31.1