* [U-Boot] [RFC 1/9] cmd: add asn1_compiler
2019-09-03 5:42 [U-Boot] [RFC 0/9] import x509/pkcs7 parsers from linux AKASHI Takahiro
@ 2019-09-03 5:42 ` AKASHI Takahiro
2019-09-03 5:42 ` [U-Boot] [RFC 2/9] Makefile: add build script for asn1 parsers AKASHI Takahiro
` (8 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: AKASHI Takahiro @ 2019-09-03 5:42 UTC (permalink / raw)
To: u-boot
Imported from linux kernel v5.0.
This host command will be used to create a ASN1 parser, for example,
for pkcs7 or x509.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
cmd/Kconfig | 3 +
include/linux/asn1.h | 69 ++
include/linux/asn1_ber_bytecode.h | 93 ++
include/linux/asn1_decoder.h | 24 +
scripts/Makefile | 3 +
scripts/asn1_compiler.c | 1615 +++++++++++++++++++++++++++++
6 files changed, 1807 insertions(+)
create mode 100644 include/linux/asn1.h
create mode 100644 include/linux/asn1_ber_bytecode.h
create mode 100644 include/linux/asn1_decoder.h
create mode 100644 scripts/asn1_compiler.c
diff --git a/cmd/Kconfig b/cmd/Kconfig
index 05872fa0d7f4..e3f38ee0a5fd 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -183,6 +183,9 @@ endmenu
config BUILD_BIN2C
bool
+config BUILD_ASN1
+ bool
+
comment "Commands"
menu "Info commands"
diff --git a/include/linux/asn1.h b/include/linux/asn1.h
new file mode 100644
index 000000000000..eed6982860ba
--- /dev/null
+++ b/include/linux/asn1.h
@@ -0,0 +1,69 @@
+/* ASN.1 BER/DER/CER encoding definitions
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#ifndef _LINUX_ASN1_H
+#define _LINUX_ASN1_H
+
+/* Class */
+enum asn1_class {
+ ASN1_UNIV = 0, /* Universal */
+ ASN1_APPL = 1, /* Application */
+ ASN1_CONT = 2, /* Context */
+ ASN1_PRIV = 3 /* Private */
+};
+#define ASN1_CLASS_BITS 0xc0
+
+
+enum asn1_method {
+ ASN1_PRIM = 0, /* Primitive */
+ ASN1_CONS = 1 /* Constructed */
+};
+#define ASN1_CONS_BIT 0x20
+
+/* Tag */
+enum asn1_tag {
+ ASN1_EOC = 0, /* End Of Contents or N/A */
+ ASN1_BOOL = 1, /* Boolean */
+ ASN1_INT = 2, /* Integer */
+ ASN1_BTS = 3, /* Bit String */
+ ASN1_OTS = 4, /* Octet String */
+ ASN1_NULL = 5, /* Null */
+ ASN1_OID = 6, /* Object Identifier */
+ ASN1_ODE = 7, /* Object Description */
+ ASN1_EXT = 8, /* External */
+ ASN1_REAL = 9, /* Real float */
+ ASN1_ENUM = 10, /* Enumerated */
+ ASN1_EPDV = 11, /* Embedded PDV */
+ ASN1_UTF8STR = 12, /* UTF8 String */
+ ASN1_RELOID = 13, /* Relative OID */
+ /* 14 - Reserved */
+ /* 15 - Reserved */
+ ASN1_SEQ = 16, /* Sequence and Sequence of */
+ ASN1_SET = 17, /* Set and Set of */
+ ASN1_NUMSTR = 18, /* Numerical String */
+ ASN1_PRNSTR = 19, /* Printable String */
+ ASN1_TEXSTR = 20, /* T61 String / Teletext String */
+ ASN1_VIDSTR = 21, /* Videotex String */
+ ASN1_IA5STR = 22, /* IA5 String */
+ ASN1_UNITIM = 23, /* Universal Time */
+ ASN1_GENTIM = 24, /* General Time */
+ ASN1_GRASTR = 25, /* Graphic String */
+ ASN1_VISSTR = 26, /* Visible String */
+ ASN1_GENSTR = 27, /* General String */
+ ASN1_UNISTR = 28, /* Universal String */
+ ASN1_CHRSTR = 29, /* Character String */
+ ASN1_BMPSTR = 30, /* BMP String */
+ ASN1_LONG_TAG = 31 /* Long form tag */
+};
+
+#define ASN1_INDEFINITE_LENGTH 0x80
+
+#endif /* _LINUX_ASN1_H */
diff --git a/include/linux/asn1_ber_bytecode.h b/include/linux/asn1_ber_bytecode.h
new file mode 100644
index 000000000000..ab3a6c002f7b
--- /dev/null
+++ b/include/linux/asn1_ber_bytecode.h
@@ -0,0 +1,93 @@
+/* ASN.1 BER/DER/CER parsing state machine internal definitions
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#ifndef _LINUX_ASN1_BER_BYTECODE_H
+#define _LINUX_ASN1_BER_BYTECODE_H
+
+#ifdef __KERNEL__
+#include <linux/types.h>
+#endif
+#include <linux/asn1.h>
+
+typedef int (*asn1_action_t)(void *context,
+ size_t hdrlen, /* In case of ANY type */
+ unsigned char tag, /* In case of ANY type */
+ const void *value, size_t vlen);
+
+struct asn1_decoder {
+ const unsigned char *machine;
+ size_t machlen;
+ const asn1_action_t *actions;
+};
+
+enum asn1_opcode {
+ /* The tag-matching ops come first and the odd-numbered slots
+ * are for OR_SKIP ops.
+ */
+#define ASN1_OP_MATCH__SKIP 0x01
+#define ASN1_OP_MATCH__ACT 0x02
+#define ASN1_OP_MATCH__JUMP 0x04
+#define ASN1_OP_MATCH__ANY 0x08
+#define ASN1_OP_MATCH__COND 0x10
+
+ ASN1_OP_MATCH = 0x00,
+ ASN1_OP_MATCH_OR_SKIP = 0x01,
+ ASN1_OP_MATCH_ACT = 0x02,
+ ASN1_OP_MATCH_ACT_OR_SKIP = 0x03,
+ ASN1_OP_MATCH_JUMP = 0x04,
+ ASN1_OP_MATCH_JUMP_OR_SKIP = 0x05,
+ ASN1_OP_MATCH_ANY = 0x08,
+ ASN1_OP_MATCH_ANY_OR_SKIP = 0x09,
+ ASN1_OP_MATCH_ANY_ACT = 0x0a,
+ ASN1_OP_MATCH_ANY_ACT_OR_SKIP = 0x0b,
+ /* Everything before here matches unconditionally */
+
+ ASN1_OP_COND_MATCH_OR_SKIP = 0x11,
+ ASN1_OP_COND_MATCH_ACT_OR_SKIP = 0x13,
+ ASN1_OP_COND_MATCH_JUMP_OR_SKIP = 0x15,
+ ASN1_OP_COND_MATCH_ANY = 0x18,
+ ASN1_OP_COND_MATCH_ANY_OR_SKIP = 0x19,
+ ASN1_OP_COND_MATCH_ANY_ACT = 0x1a,
+ ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP = 0x1b,
+
+ /* Everything before here will want a tag from the data */
+#define ASN1_OP__MATCHES_TAG ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP
+
+ /* These are here to help fill up space */
+ ASN1_OP_COND_FAIL = 0x1c,
+ ASN1_OP_COMPLETE = 0x1d,
+ ASN1_OP_ACT = 0x1e,
+ ASN1_OP_MAYBE_ACT = 0x1f,
+
+ /* The following eight have bit 0 -> SET, 1 -> OF, 2 -> ACT */
+ ASN1_OP_END_SEQ = 0x20,
+ ASN1_OP_END_SET = 0x21,
+ ASN1_OP_END_SEQ_OF = 0x22,
+ ASN1_OP_END_SET_OF = 0x23,
+ ASN1_OP_END_SEQ_ACT = 0x24,
+ ASN1_OP_END_SET_ACT = 0x25,
+ ASN1_OP_END_SEQ_OF_ACT = 0x26,
+ ASN1_OP_END_SET_OF_ACT = 0x27,
+#define ASN1_OP_END__SET 0x01
+#define ASN1_OP_END__OF 0x02
+#define ASN1_OP_END__ACT 0x04
+
+ ASN1_OP_RETURN = 0x28,
+
+ ASN1_OP__NR
+};
+
+#define _tag(CLASS, CP, TAG) ((ASN1_##CLASS << 6) | (ASN1_##CP << 5) | ASN1_##TAG)
+#define _tagn(CLASS, CP, TAG) ((ASN1_##CLASS << 6) | (ASN1_##CP << 5) | TAG)
+#define _jump_target(N) (N)
+#define _action(N) (N)
+
+#endif /* _LINUX_ASN1_BER_BYTECODE_H */
diff --git a/include/linux/asn1_decoder.h b/include/linux/asn1_decoder.h
new file mode 100644
index 000000000000..fa2ff5bc0483
--- /dev/null
+++ b/include/linux/asn1_decoder.h
@@ -0,0 +1,24 @@
+/* ASN.1 decoder
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#ifndef _LINUX_ASN1_DECODER_H
+#define _LINUX_ASN1_DECODER_H
+
+#include <linux/asn1.h>
+
+struct asn1_decoder;
+
+extern int asn1_ber_decoder(const struct asn1_decoder *decoder,
+ void *context,
+ const unsigned char *data,
+ size_t datalen);
+
+#endif /* _LINUX_ASN1_DECODER_H */
diff --git a/scripts/Makefile b/scripts/Makefile
index e7b353f77f43..c4e2ae5db2ea 100644
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -5,6 +5,9 @@
# ---------------------------------------------------------------------------
hostprogs-$(CONFIG_BUILD_BIN2C) += bin2c
+hostprogs-$(CONFIG_BUILD_ASN1) += asn1_compiler
+
+HOSTCFLAGS_asn1_compiler.o = -idirafter $(srctree)/include
always := $(hostprogs-y)
diff --git a/scripts/asn1_compiler.c b/scripts/asn1_compiler.c
new file mode 100644
index 000000000000..1b28787028d3
--- /dev/null
+++ b/scripts/asn1_compiler.c
@@ -0,0 +1,1615 @@
+/* Simplified ASN.1 notation parser
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <string.h>
+#include <ctype.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <linux/asn1_ber_bytecode.h>
+
+enum token_type {
+ DIRECTIVE_ABSENT,
+ DIRECTIVE_ALL,
+ DIRECTIVE_ANY,
+ DIRECTIVE_APPLICATION,
+ DIRECTIVE_AUTOMATIC,
+ DIRECTIVE_BEGIN,
+ DIRECTIVE_BIT,
+ DIRECTIVE_BMPString,
+ DIRECTIVE_BOOLEAN,
+ DIRECTIVE_BY,
+ DIRECTIVE_CHARACTER,
+ DIRECTIVE_CHOICE,
+ DIRECTIVE_CLASS,
+ DIRECTIVE_COMPONENT,
+ DIRECTIVE_COMPONENTS,
+ DIRECTIVE_CONSTRAINED,
+ DIRECTIVE_CONTAINING,
+ DIRECTIVE_DEFAULT,
+ DIRECTIVE_DEFINED,
+ DIRECTIVE_DEFINITIONS,
+ DIRECTIVE_EMBEDDED,
+ DIRECTIVE_ENCODED,
+ DIRECTIVE_ENCODING_CONTROL,
+ DIRECTIVE_END,
+ DIRECTIVE_ENUMERATED,
+ DIRECTIVE_EXCEPT,
+ DIRECTIVE_EXPLICIT,
+ DIRECTIVE_EXPORTS,
+ DIRECTIVE_EXTENSIBILITY,
+ DIRECTIVE_EXTERNAL,
+ DIRECTIVE_FALSE,
+ DIRECTIVE_FROM,
+ DIRECTIVE_GeneralString,
+ DIRECTIVE_GeneralizedTime,
+ DIRECTIVE_GraphicString,
+ DIRECTIVE_IA5String,
+ DIRECTIVE_IDENTIFIER,
+ DIRECTIVE_IMPLICIT,
+ DIRECTIVE_IMPLIED,
+ DIRECTIVE_IMPORTS,
+ DIRECTIVE_INCLUDES,
+ DIRECTIVE_INSTANCE,
+ DIRECTIVE_INSTRUCTIONS,
+ DIRECTIVE_INTEGER,
+ DIRECTIVE_INTERSECTION,
+ DIRECTIVE_ISO646String,
+ DIRECTIVE_MAX,
+ DIRECTIVE_MIN,
+ DIRECTIVE_MINUS_INFINITY,
+ DIRECTIVE_NULL,
+ DIRECTIVE_NumericString,
+ DIRECTIVE_OBJECT,
+ DIRECTIVE_OCTET,
+ DIRECTIVE_OF,
+ DIRECTIVE_OPTIONAL,
+ DIRECTIVE_ObjectDescriptor,
+ DIRECTIVE_PATTERN,
+ DIRECTIVE_PDV,
+ DIRECTIVE_PLUS_INFINITY,
+ DIRECTIVE_PRESENT,
+ DIRECTIVE_PRIVATE,
+ DIRECTIVE_PrintableString,
+ DIRECTIVE_REAL,
+ DIRECTIVE_RELATIVE_OID,
+ DIRECTIVE_SEQUENCE,
+ DIRECTIVE_SET,
+ DIRECTIVE_SIZE,
+ DIRECTIVE_STRING,
+ DIRECTIVE_SYNTAX,
+ DIRECTIVE_T61String,
+ DIRECTIVE_TAGS,
+ DIRECTIVE_TRUE,
+ DIRECTIVE_TeletexString,
+ DIRECTIVE_UNION,
+ DIRECTIVE_UNIQUE,
+ DIRECTIVE_UNIVERSAL,
+ DIRECTIVE_UTCTime,
+ DIRECTIVE_UTF8String,
+ DIRECTIVE_UniversalString,
+ DIRECTIVE_VideotexString,
+ DIRECTIVE_VisibleString,
+ DIRECTIVE_WITH,
+ NR__DIRECTIVES,
+ TOKEN_ASSIGNMENT = NR__DIRECTIVES,
+ TOKEN_OPEN_CURLY,
+ TOKEN_CLOSE_CURLY,
+ TOKEN_OPEN_SQUARE,
+ TOKEN_CLOSE_SQUARE,
+ TOKEN_OPEN_ACTION,
+ TOKEN_CLOSE_ACTION,
+ TOKEN_COMMA,
+ TOKEN_NUMBER,
+ TOKEN_TYPE_NAME,
+ TOKEN_ELEMENT_NAME,
+ NR__TOKENS
+};
+
+static const unsigned char token_to_tag[NR__TOKENS] = {
+ /* EOC goes first */
+ [DIRECTIVE_BOOLEAN] = ASN1_BOOL,
+ [DIRECTIVE_INTEGER] = ASN1_INT,
+ [DIRECTIVE_BIT] = ASN1_BTS,
+ [DIRECTIVE_OCTET] = ASN1_OTS,
+ [DIRECTIVE_NULL] = ASN1_NULL,
+ [DIRECTIVE_OBJECT] = ASN1_OID,
+ [DIRECTIVE_ObjectDescriptor] = ASN1_ODE,
+ [DIRECTIVE_EXTERNAL] = ASN1_EXT,
+ [DIRECTIVE_REAL] = ASN1_REAL,
+ [DIRECTIVE_ENUMERATED] = ASN1_ENUM,
+ [DIRECTIVE_EMBEDDED] = 0,
+ [DIRECTIVE_UTF8String] = ASN1_UTF8STR,
+ [DIRECTIVE_RELATIVE_OID] = ASN1_RELOID,
+ /* 14 */
+ /* 15 */
+ [DIRECTIVE_SEQUENCE] = ASN1_SEQ,
+ [DIRECTIVE_SET] = ASN1_SET,
+ [DIRECTIVE_NumericString] = ASN1_NUMSTR,
+ [DIRECTIVE_PrintableString] = ASN1_PRNSTR,
+ [DIRECTIVE_T61String] = ASN1_TEXSTR,
+ [DIRECTIVE_TeletexString] = ASN1_TEXSTR,
+ [DIRECTIVE_VideotexString] = ASN1_VIDSTR,
+ [DIRECTIVE_IA5String] = ASN1_IA5STR,
+ [DIRECTIVE_UTCTime] = ASN1_UNITIM,
+ [DIRECTIVE_GeneralizedTime] = ASN1_GENTIM,
+ [DIRECTIVE_GraphicString] = ASN1_GRASTR,
+ [DIRECTIVE_VisibleString] = ASN1_VISSTR,
+ [DIRECTIVE_GeneralString] = ASN1_GENSTR,
+ [DIRECTIVE_UniversalString] = ASN1_UNITIM,
+ [DIRECTIVE_CHARACTER] = ASN1_CHRSTR,
+ [DIRECTIVE_BMPString] = ASN1_BMPSTR,
+};
+
+static const char asn1_classes[4][5] = {
+ [ASN1_UNIV] = "UNIV",
+ [ASN1_APPL] = "APPL",
+ [ASN1_CONT] = "CONT",
+ [ASN1_PRIV] = "PRIV"
+};
+
+static const char asn1_methods[2][5] = {
+ [ASN1_UNIV] = "PRIM",
+ [ASN1_APPL] = "CONS"
+};
+
+static const char *const asn1_universal_tags[32] = {
+ "EOC",
+ "BOOL",
+ "INT",
+ "BTS",
+ "OTS",
+ "NULL",
+ "OID",
+ "ODE",
+ "EXT",
+ "REAL",
+ "ENUM",
+ "EPDV",
+ "UTF8STR",
+ "RELOID",
+ NULL, /* 14 */
+ NULL, /* 15 */
+ "SEQ",
+ "SET",
+ "NUMSTR",
+ "PRNSTR",
+ "TEXSTR",
+ "VIDSTR",
+ "IA5STR",
+ "UNITIM",
+ "GENTIM",
+ "GRASTR",
+ "VISSTR",
+ "GENSTR",
+ "UNISTR",
+ "CHRSTR",
+ "BMPSTR",
+ NULL /* 31 */
+};
+
+static const char *filename;
+static const char *grammar_name;
+static const char *outputname;
+static const char *headername;
+
+static const char *const directives[NR__DIRECTIVES] = {
+#define _(X) [DIRECTIVE_##X] = #X
+ _(ABSENT),
+ _(ALL),
+ _(ANY),
+ _(APPLICATION),
+ _(AUTOMATIC),
+ _(BEGIN),
+ _(BIT),
+ _(BMPString),
+ _(BOOLEAN),
+ _(BY),
+ _(CHARACTER),
+ _(CHOICE),
+ _(CLASS),
+ _(COMPONENT),
+ _(COMPONENTS),
+ _(CONSTRAINED),
+ _(CONTAINING),
+ _(DEFAULT),
+ _(DEFINED),
+ _(DEFINITIONS),
+ _(EMBEDDED),
+ _(ENCODED),
+ [DIRECTIVE_ENCODING_CONTROL] = "ENCODING-CONTROL",
+ _(END),
+ _(ENUMERATED),
+ _(EXCEPT),
+ _(EXPLICIT),
+ _(EXPORTS),
+ _(EXTENSIBILITY),
+ _(EXTERNAL),
+ _(FALSE),
+ _(FROM),
+ _(GeneralString),
+ _(GeneralizedTime),
+ _(GraphicString),
+ _(IA5String),
+ _(IDENTIFIER),
+ _(IMPLICIT),
+ _(IMPLIED),
+ _(IMPORTS),
+ _(INCLUDES),
+ _(INSTANCE),
+ _(INSTRUCTIONS),
+ _(INTEGER),
+ _(INTERSECTION),
+ _(ISO646String),
+ _(MAX),
+ _(MIN),
+ [DIRECTIVE_MINUS_INFINITY] = "MINUS-INFINITY",
+ [DIRECTIVE_NULL] = "NULL",
+ _(NumericString),
+ _(OBJECT),
+ _(OCTET),
+ _(OF),
+ _(OPTIONAL),
+ _(ObjectDescriptor),
+ _(PATTERN),
+ _(PDV),
+ [DIRECTIVE_PLUS_INFINITY] = "PLUS-INFINITY",
+ _(PRESENT),
+ _(PRIVATE),
+ _(PrintableString),
+ _(REAL),
+ [DIRECTIVE_RELATIVE_OID] = "RELATIVE-OID",
+ _(SEQUENCE),
+ _(SET),
+ _(SIZE),
+ _(STRING),
+ _(SYNTAX),
+ _(T61String),
+ _(TAGS),
+ _(TRUE),
+ _(TeletexString),
+ _(UNION),
+ _(UNIQUE),
+ _(UNIVERSAL),
+ _(UTCTime),
+ _(UTF8String),
+ _(UniversalString),
+ _(VideotexString),
+ _(VisibleString),
+ _(WITH)
+};
+
+struct action {
+ struct action *next;
+ char *name;
+ unsigned char index;
+};
+
+static struct action *action_list;
+static unsigned nr_actions;
+
+struct token {
+ unsigned short line;
+ enum token_type token_type : 8;
+ unsigned char size;
+ struct action *action;
+ char *content;
+ struct type *type;
+};
+
+static struct token *token_list;
+static unsigned nr_tokens;
+static bool verbose_opt;
+static bool debug_opt;
+
+#define verbose(fmt, ...) do { if (verbose_opt) printf(fmt, ## __VA_ARGS__); } while (0)
+#define debug(fmt, ...) do { if (debug_opt) printf(fmt, ## __VA_ARGS__); } while (0)
+
+static int directive_compare(const void *_key, const void *_pdir)
+{
+ const struct token *token = _key;
+ const char *const *pdir = _pdir, *dir = *pdir;
+ size_t dlen, clen;
+ int val;
+
+ dlen = strlen(dir);
+ clen = (dlen < token->size) ? dlen : token->size;
+
+ //debug("cmp(%s,%s) = ", token->content, dir);
+
+ val = memcmp(token->content, dir, clen);
+ if (val != 0) {
+ //debug("%d [cmp]\n", val);
+ return val;
+ }
+
+ if (dlen == token->size) {
+ //debug("0\n");
+ return 0;
+ }
+ //debug("%d\n", (int)dlen - (int)token->size);
+ return dlen - token->size; /* shorter -> negative */
+}
+
+/*
+ * Tokenise an ASN.1 grammar
+ */
+static void tokenise(char *buffer, char *end)
+{
+ struct token *tokens;
+ char *line, *nl, *start, *p, *q;
+ unsigned tix, lineno;
+
+ /* Assume we're going to have half as many tokens as we have
+ * characters
+ */
+ token_list = tokens = calloc((end - buffer) / 2, sizeof(struct token));
+ if (!tokens) {
+ perror(NULL);
+ exit(1);
+ }
+ tix = 0;
+
+ lineno = 0;
+ while (buffer < end) {
+ /* First of all, break out a line */
+ lineno++;
+ line = buffer;
+ nl = memchr(line, '\n', end - buffer);
+ if (!nl) {
+ buffer = nl = end;
+ } else {
+ buffer = nl + 1;
+ *nl = '\0';
+ }
+
+ /* Remove "--" comments */
+ p = line;
+ next_comment:
+ while ((p = memchr(p, '-', nl - p))) {
+ if (p[1] == '-') {
+ /* Found a comment; see if there's a terminator */
+ q = p + 2;
+ while ((q = memchr(q, '-', nl - q))) {
+ if (q[1] == '-') {
+ /* There is - excise the comment */
+ q += 2;
+ memmove(p, q, nl - q);
+ goto next_comment;
+ }
+ q++;
+ }
+ *p = '\0';
+ nl = p;
+ break;
+ } else {
+ p++;
+ }
+ }
+
+ p = line;
+ while (p < nl) {
+ /* Skip white space */
+ while (p < nl && isspace(*p))
+ *(p++) = 0;
+ if (p >= nl)
+ break;
+
+ tokens[tix].line = lineno;
+ start = p;
+
+ /* Handle string tokens */
+ if (isalpha(*p)) {
+ const char **dir;
+
+ /* Can be a directive, type name or element
+ * name. Find the end of the name.
+ */
+ q = p + 1;
+ while (q < nl && (isalnum(*q) || *q == '-' || *q == '_'))
+ q++;
+ tokens[tix].size = q - p;
+ p = q;
+
+ tokens[tix].content = malloc(tokens[tix].size + 1);
+ if (!tokens[tix].content) {
+ perror(NULL);
+ exit(1);
+ }
+ memcpy(tokens[tix].content, start, tokens[tix].size);
+ tokens[tix].content[tokens[tix].size] = 0;
+
+ /* If it begins with a lowercase letter then
+ * it's an element name
+ */
+ if (islower(tokens[tix].content[0])) {
+ tokens[tix++].token_type = TOKEN_ELEMENT_NAME;
+ continue;
+ }
+
+ /* Otherwise we need to search the directive
+ * table
+ */
+ dir = bsearch(&tokens[tix], directives,
+ sizeof(directives) / sizeof(directives[1]),
+ sizeof(directives[1]),
+ directive_compare);
+ if (dir) {
+ tokens[tix++].token_type = dir - directives;
+ continue;
+ }
+
+ tokens[tix++].token_type = TOKEN_TYPE_NAME;
+ continue;
+ }
+
+ /* Handle numbers */
+ if (isdigit(*p)) {
+ /* Find the end of the number */
+ q = p + 1;
+ while (q < nl && (isdigit(*q)))
+ q++;
+ tokens[tix].size = q - p;
+ p = q;
+ tokens[tix].content = malloc(tokens[tix].size + 1);
+ if (!tokens[tix].content) {
+ perror(NULL);
+ exit(1);
+ }
+ memcpy(tokens[tix].content, start, tokens[tix].size);
+ tokens[tix].content[tokens[tix].size] = 0;
+ tokens[tix++].token_type = TOKEN_NUMBER;
+ continue;
+ }
+
+ if (nl - p >= 3) {
+ if (memcmp(p, "::=", 3) == 0) {
+ p += 3;
+ tokens[tix].size = 3;
+ tokens[tix].content = "::=";
+ tokens[tix++].token_type = TOKEN_ASSIGNMENT;
+ continue;
+ }
+ }
+
+ if (nl - p >= 2) {
+ if (memcmp(p, "({", 2) == 0) {
+ p += 2;
+ tokens[tix].size = 2;
+ tokens[tix].content = "({";
+ tokens[tix++].token_type = TOKEN_OPEN_ACTION;
+ continue;
+ }
+ if (memcmp(p, "})", 2) == 0) {
+ p += 2;
+ tokens[tix].size = 2;
+ tokens[tix].content = "})";
+ tokens[tix++].token_type = TOKEN_CLOSE_ACTION;
+ continue;
+ }
+ }
+
+ if (nl - p >= 1) {
+ tokens[tix].size = 1;
+ switch (*p) {
+ case '{':
+ p += 1;
+ tokens[tix].content = "{";
+ tokens[tix++].token_type = TOKEN_OPEN_CURLY;
+ continue;
+ case '}':
+ p += 1;
+ tokens[tix].content = "}";
+ tokens[tix++].token_type = TOKEN_CLOSE_CURLY;
+ continue;
+ case '[':
+ p += 1;
+ tokens[tix].content = "[";
+ tokens[tix++].token_type = TOKEN_OPEN_SQUARE;
+ continue;
+ case ']':
+ p += 1;
+ tokens[tix].content = "]";
+ tokens[tix++].token_type = TOKEN_CLOSE_SQUARE;
+ continue;
+ case ',':
+ p += 1;
+ tokens[tix].content = ",";
+ tokens[tix++].token_type = TOKEN_COMMA;
+ continue;
+ default:
+ break;
+ }
+ }
+
+ fprintf(stderr, "%s:%u: Unknown character in grammar: '%c'\n",
+ filename, lineno, *p);
+ exit(1);
+ }
+ }
+
+ nr_tokens = tix;
+ verbose("Extracted %u tokens\n", nr_tokens);
+
+#if 0
+ {
+ int n;
+ for (n = 0; n < nr_tokens; n++)
+ debug("Token %3u: '%s'\n", n, token_list[n].content);
+ }
+#endif
+}
+
+static void build_type_list(void);
+static void parse(void);
+static void dump_elements(void);
+static void render(FILE *out, FILE *hdr);
+
+/*
+ *
+ */
+int main(int argc, char **argv)
+{
+ struct stat st;
+ ssize_t readlen;
+ FILE *out, *hdr;
+ char *buffer, *p;
+ char *kbuild_verbose;
+ int fd;
+
+ kbuild_verbose = getenv("KBUILD_VERBOSE");
+ if (kbuild_verbose)
+ verbose_opt = atoi(kbuild_verbose);
+
+ while (argc > 4) {
+ if (strcmp(argv[1], "-v") == 0)
+ verbose_opt = true;
+ else if (strcmp(argv[1], "-d") == 0)
+ debug_opt = true;
+ else
+ break;
+ memmove(&argv[1], &argv[2], (argc - 2) * sizeof(char *));
+ argc--;
+ }
+
+ if (argc != 4) {
+ fprintf(stderr, "Format: %s [-v] [-d] <grammar-file> <c-file> <hdr-file>\n",
+ argv[0]);
+ exit(2);
+ }
+
+ filename = argv[1];
+ outputname = argv[2];
+ headername = argv[3];
+
+ fd = open(filename, O_RDONLY);
+ if (fd < 0) {
+ perror(filename);
+ exit(1);
+ }
+
+ if (fstat(fd, &st) < 0) {
+ perror(filename);
+ exit(1);
+ }
+
+ if (!(buffer = malloc(st.st_size + 1))) {
+ perror(NULL);
+ exit(1);
+ }
+
+ if ((readlen = read(fd, buffer, st.st_size)) < 0) {
+ perror(filename);
+ exit(1);
+ }
+
+ if (close(fd) < 0) {
+ perror(filename);
+ exit(1);
+ }
+
+ if (readlen != st.st_size) {
+ fprintf(stderr, "%s: Short read\n", filename);
+ exit(1);
+ }
+
+ p = strrchr(argv[1], '/');
+ p = p ? p + 1 : argv[1];
+ grammar_name = strdup(p);
+ if (!p) {
+ perror(NULL);
+ exit(1);
+ }
+ p = strchr(grammar_name, '.');
+ if (p)
+ *p = '\0';
+
+ buffer[readlen] = 0;
+ tokenise(buffer, buffer + readlen);
+ build_type_list();
+ parse();
+ dump_elements();
+
+ out = fopen(outputname, "w");
+ if (!out) {
+ perror(outputname);
+ exit(1);
+ }
+
+ hdr = fopen(headername, "w");
+ if (!hdr) {
+ perror(headername);
+ exit(1);
+ }
+
+ render(out, hdr);
+
+ if (fclose(out) < 0) {
+ perror(outputname);
+ exit(1);
+ }
+
+ if (fclose(hdr) < 0) {
+ perror(headername);
+ exit(1);
+ }
+
+ return 0;
+}
+
+enum compound {
+ NOT_COMPOUND,
+ SET,
+ SET_OF,
+ SEQUENCE,
+ SEQUENCE_OF,
+ CHOICE,
+ ANY,
+ TYPE_REF,
+ TAG_OVERRIDE
+};
+
+struct element {
+ struct type *type_def;
+ struct token *name;
+ struct token *type;
+ struct action *action;
+ struct element *children;
+ struct element *next;
+ struct element *render_next;
+ struct element *list_next;
+ uint8_t n_elements;
+ enum compound compound : 8;
+ enum asn1_class class : 8;
+ enum asn1_method method : 8;
+ uint8_t tag;
+ unsigned entry_index;
+ unsigned flags;
+#define ELEMENT_IMPLICIT 0x0001
+#define ELEMENT_EXPLICIT 0x0002
+#define ELEMENT_TAG_SPECIFIED 0x0004
+#define ELEMENT_RENDERED 0x0008
+#define ELEMENT_SKIPPABLE 0x0010
+#define ELEMENT_CONDITIONAL 0x0020
+};
+
+struct type {
+ struct token *name;
+ struct token *def;
+ struct element *element;
+ unsigned ref_count;
+ unsigned flags;
+#define TYPE_STOP_MARKER 0x0001
+#define TYPE_BEGIN 0x0002
+};
+
+static struct type *type_list;
+static struct type **type_index;
+static unsigned nr_types;
+
+static int type_index_compare(const void *_a, const void *_b)
+{
+ const struct type *const *a = _a, *const *b = _b;
+
+ if ((*a)->name->size != (*b)->name->size)
+ return (*a)->name->size - (*b)->name->size;
+ else
+ return memcmp((*a)->name->content, (*b)->name->content,
+ (*a)->name->size);
+}
+
+static int type_finder(const void *_key, const void *_ti)
+{
+ const struct token *token = _key;
+ const struct type *const *ti = _ti;
+ const struct type *type = *ti;
+
+ if (token->size != type->name->size)
+ return token->size - type->name->size;
+ else
+ return memcmp(token->content, type->name->content,
+ token->size);
+}
+
+/*
+ * Build up a list of types and a sorted index to that list.
+ */
+static void build_type_list(void)
+{
+ struct type *types;
+ unsigned nr, t, n;
+
+ nr = 0;
+ for (n = 0; n < nr_tokens - 1; n++)
+ if (token_list[n + 0].token_type == TOKEN_TYPE_NAME &&
+ token_list[n + 1].token_type == TOKEN_ASSIGNMENT)
+ nr++;
+
+ if (nr == 0) {
+ fprintf(stderr, "%s: No defined types\n", filename);
+ exit(1);
+ }
+
+ nr_types = nr;
+ types = type_list = calloc(nr + 1, sizeof(type_list[0]));
+ if (!type_list) {
+ perror(NULL);
+ exit(1);
+ }
+ type_index = calloc(nr, sizeof(type_index[0]));
+ if (!type_index) {
+ perror(NULL);
+ exit(1);
+ }
+
+ t = 0;
+ types[t].flags |= TYPE_BEGIN;
+ for (n = 0; n < nr_tokens - 1; n++) {
+ if (token_list[n + 0].token_type == TOKEN_TYPE_NAME &&
+ token_list[n + 1].token_type == TOKEN_ASSIGNMENT) {
+ types[t].name = &token_list[n];
+ type_index[t] = &types[t];
+ t++;
+ }
+ }
+ types[t].name = &token_list[n + 1];
+ types[t].flags |= TYPE_STOP_MARKER;
+
+ qsort(type_index, nr, sizeof(type_index[0]), type_index_compare);
+
+ verbose("Extracted %u types\n", nr_types);
+#if 0
+ for (n = 0; n < nr_types; n++) {
+ struct type *type = type_index[n];
+ debug("- %*.*s\n", type->name->content);
+ }
+#endif
+}
+
+static struct element *parse_type(struct token **_cursor, struct token *stop,
+ struct token *name);
+
+/*
+ * Parse the token stream
+ */
+static void parse(void)
+{
+ struct token *cursor;
+ struct type *type;
+
+ /* Parse one type definition statement at a time */
+ type = type_list;
+ do {
+ cursor = type->name;
+
+ if (cursor[0].token_type != TOKEN_TYPE_NAME ||
+ cursor[1].token_type != TOKEN_ASSIGNMENT)
+ abort();
+ cursor += 2;
+
+ type->element = parse_type(&cursor, type[1].name, NULL);
+ type->element->type_def = type;
+
+ if (cursor != type[1].name) {
+ fprintf(stderr, "%s:%d: Parse error at token '%s'\n",
+ filename, cursor->line, cursor->content);
+ exit(1);
+ }
+
+ } while (type++, !(type->flags & TYPE_STOP_MARKER));
+
+ verbose("Extracted %u actions\n", nr_actions);
+}
+
+static struct element *element_list;
+
+static struct element *alloc_elem(struct token *type)
+{
+ struct element *e = calloc(1, sizeof(*e));
+ if (!e) {
+ perror(NULL);
+ exit(1);
+ }
+ e->list_next = element_list;
+ element_list = e;
+ return e;
+}
+
+static struct element *parse_compound(struct token **_cursor, struct token *end,
+ int alternates);
+
+/*
+ * Parse one type definition statement
+ */
+static struct element *parse_type(struct token **_cursor, struct token *end,
+ struct token *name)
+{
+ struct element *top, *element;
+ struct action *action, **ppaction;
+ struct token *cursor = *_cursor;
+ struct type **ref;
+ char *p;
+ int labelled = 0, implicit = 0;
+
+ top = element = alloc_elem(cursor);
+ element->class = ASN1_UNIV;
+ element->method = ASN1_PRIM;
+ element->tag = token_to_tag[cursor->token_type];
+ element->name = name;
+
+ /* Extract the tag value if one given */
+ if (cursor->token_type == TOKEN_OPEN_SQUARE) {
+ cursor++;
+ if (cursor >= end)
+ goto overrun_error;
+ switch (cursor->token_type) {
+ case DIRECTIVE_UNIVERSAL:
+ element->class = ASN1_UNIV;
+ cursor++;
+ break;
+ case DIRECTIVE_APPLICATION:
+ element->class = ASN1_APPL;
+ cursor++;
+ break;
+ case TOKEN_NUMBER:
+ element->class = ASN1_CONT;
+ break;
+ case DIRECTIVE_PRIVATE:
+ element->class = ASN1_PRIV;
+ cursor++;
+ break;
+ default:
+ fprintf(stderr, "%s:%d: Unrecognised tag class token '%s'\n",
+ filename, cursor->line, cursor->content);
+ exit(1);
+ }
+
+ if (cursor >= end)
+ goto overrun_error;
+ if (cursor->token_type != TOKEN_NUMBER) {
+ fprintf(stderr, "%s:%d: Missing tag number '%s'\n",
+ filename, cursor->line, cursor->content);
+ exit(1);
+ }
+
+ element->tag &= ~0x1f;
+ element->tag |= strtoul(cursor->content, &p, 10);
+ element->flags |= ELEMENT_TAG_SPECIFIED;
+ if (p - cursor->content != cursor->size)
+ abort();
+ cursor++;
+
+ if (cursor >= end)
+ goto overrun_error;
+ if (cursor->token_type != TOKEN_CLOSE_SQUARE) {
+ fprintf(stderr, "%s:%d: Missing closing square bracket '%s'\n",
+ filename, cursor->line, cursor->content);
+ exit(1);
+ }
+ cursor++;
+ if (cursor >= end)
+ goto overrun_error;
+ labelled = 1;
+ }
+
+ /* Handle implicit and explicit markers */
+ if (cursor->token_type == DIRECTIVE_IMPLICIT) {
+ element->flags |= ELEMENT_IMPLICIT;
+ implicit = 1;
+ cursor++;
+ if (cursor >= end)
+ goto overrun_error;
+ } else if (cursor->token_type == DIRECTIVE_EXPLICIT) {
+ element->flags |= ELEMENT_EXPLICIT;
+ cursor++;
+ if (cursor >= end)
+ goto overrun_error;
+ }
+
+ if (labelled) {
+ if (!implicit)
+ element->method |= ASN1_CONS;
+ element->compound = implicit ? TAG_OVERRIDE : SEQUENCE;
+ element->children = alloc_elem(cursor);
+ element = element->children;
+ element->class = ASN1_UNIV;
+ element->method = ASN1_PRIM;
+ element->tag = token_to_tag[cursor->token_type];
+ element->name = name;
+ }
+
+ /* Extract the type we're expecting here */
+ element->type = cursor;
+ switch (cursor->token_type) {
+ case DIRECTIVE_ANY:
+ element->compound = ANY;
+ cursor++;
+ break;
+
+ case DIRECTIVE_NULL:
+ case DIRECTIVE_BOOLEAN:
+ case DIRECTIVE_ENUMERATED:
+ case DIRECTIVE_INTEGER:
+ element->compound = NOT_COMPOUND;
+ cursor++;
+ break;
+
+ case DIRECTIVE_EXTERNAL:
+ element->method = ASN1_CONS;
+
+ case DIRECTIVE_BMPString:
+ case DIRECTIVE_GeneralString:
+ case DIRECTIVE_GraphicString:
+ case DIRECTIVE_IA5String:
+ case DIRECTIVE_ISO646String:
+ case DIRECTIVE_NumericString:
+ case DIRECTIVE_PrintableString:
+ case DIRECTIVE_T61String:
+ case DIRECTIVE_TeletexString:
+ case DIRECTIVE_UniversalString:
+ case DIRECTIVE_UTF8String:
+ case DIRECTIVE_VideotexString:
+ case DIRECTIVE_VisibleString:
+ case DIRECTIVE_ObjectDescriptor:
+ case DIRECTIVE_GeneralizedTime:
+ case DIRECTIVE_UTCTime:
+ element->compound = NOT_COMPOUND;
+ cursor++;
+ break;
+
+ case DIRECTIVE_BIT:
+ case DIRECTIVE_OCTET:
+ element->compound = NOT_COMPOUND;
+ cursor++;
+ if (cursor >= end)
+ goto overrun_error;
+ if (cursor->token_type != DIRECTIVE_STRING)
+ goto parse_error;
+ cursor++;
+ break;
+
+ case DIRECTIVE_OBJECT:
+ element->compound = NOT_COMPOUND;
+ cursor++;
+ if (cursor >= end)
+ goto overrun_error;
+ if (cursor->token_type != DIRECTIVE_IDENTIFIER)
+ goto parse_error;
+ cursor++;
+ break;
+
+ case TOKEN_TYPE_NAME:
+ element->compound = TYPE_REF;
+ ref = bsearch(cursor, type_index, nr_types, sizeof(type_index[0]),
+ type_finder);
+ if (!ref) {
+ fprintf(stderr, "%s:%d: Type '%s' undefined\n",
+ filename, cursor->line, cursor->content);
+ exit(1);
+ }
+ cursor->type = *ref;
+ (*ref)->ref_count++;
+ cursor++;
+ break;
+
+ case DIRECTIVE_CHOICE:
+ element->compound = CHOICE;
+ cursor++;
+ element->children = parse_compound(&cursor, end, 1);
+ break;
+
+ case DIRECTIVE_SEQUENCE:
+ element->compound = SEQUENCE;
+ element->method = ASN1_CONS;
+ cursor++;
+ if (cursor >= end)
+ goto overrun_error;
+ if (cursor->token_type == DIRECTIVE_OF) {
+ element->compound = SEQUENCE_OF;
+ cursor++;
+ if (cursor >= end)
+ goto overrun_error;
+ element->children = parse_type(&cursor, end, NULL);
+ } else {
+ element->children = parse_compound(&cursor, end, 0);
+ }
+ break;
+
+ case DIRECTIVE_SET:
+ element->compound = SET;
+ element->method = ASN1_CONS;
+ cursor++;
+ if (cursor >= end)
+ goto overrun_error;
+ if (cursor->token_type == DIRECTIVE_OF) {
+ element->compound = SET_OF;
+ cursor++;
+ if (cursor >= end)
+ goto parse_error;
+ element->children = parse_type(&cursor, end, NULL);
+ } else {
+ element->children = parse_compound(&cursor, end, 1);
+ }
+ break;
+
+ default:
+ fprintf(stderr, "%s:%d: Token '%s' does not introduce a type\n",
+ filename, cursor->line, cursor->content);
+ exit(1);
+ }
+
+ /* Handle elements that are optional */
+ if (cursor < end && (cursor->token_type == DIRECTIVE_OPTIONAL ||
+ cursor->token_type == DIRECTIVE_DEFAULT)
+ ) {
+ cursor++;
+ top->flags |= ELEMENT_SKIPPABLE;
+ }
+
+ if (cursor < end && cursor->token_type == TOKEN_OPEN_ACTION) {
+ cursor++;
+ if (cursor >= end)
+ goto overrun_error;
+ if (cursor->token_type != TOKEN_ELEMENT_NAME) {
+ fprintf(stderr, "%s:%d: Token '%s' is not an action function name\n",
+ filename, cursor->line, cursor->content);
+ exit(1);
+ }
+
+ action = malloc(sizeof(struct action));
+ if (!action) {
+ perror(NULL);
+ exit(1);
+ }
+ action->index = 0;
+ action->name = cursor->content;
+
+ for (ppaction = &action_list;
+ *ppaction;
+ ppaction = &(*ppaction)->next
+ ) {
+ int cmp = strcmp(action->name, (*ppaction)->name);
+ if (cmp == 0) {
+ free(action);
+ action = *ppaction;
+ goto found;
+ }
+ if (cmp < 0) {
+ action->next = *ppaction;
+ *ppaction = action;
+ nr_actions++;
+ goto found;
+ }
+ }
+ action->next = NULL;
+ *ppaction = action;
+ nr_actions++;
+ found:
+
+ element->action = action;
+ cursor->action = action;
+ cursor++;
+ if (cursor >= end)
+ goto overrun_error;
+ if (cursor->token_type != TOKEN_CLOSE_ACTION) {
+ fprintf(stderr, "%s:%d: Missing close action, got '%s'\n",
+ filename, cursor->line, cursor->content);
+ exit(1);
+ }
+ cursor++;
+ }
+
+ *_cursor = cursor;
+ return top;
+
+parse_error:
+ fprintf(stderr, "%s:%d: Unexpected token '%s'\n",
+ filename, cursor->line, cursor->content);
+ exit(1);
+
+overrun_error:
+ fprintf(stderr, "%s: Unexpectedly hit EOF\n", filename);
+ exit(1);
+}
+
+/*
+ * Parse a compound type list
+ */
+static struct element *parse_compound(struct token **_cursor, struct token *end,
+ int alternates)
+{
+ struct element *children, **child_p = &children, *element;
+ struct token *cursor = *_cursor, *name;
+
+ if (cursor->token_type != TOKEN_OPEN_CURLY) {
+ fprintf(stderr, "%s:%d: Expected compound to start with brace not '%s'\n",
+ filename, cursor->line, cursor->content);
+ exit(1);
+ }
+ cursor++;
+ if (cursor >= end)
+ goto overrun_error;
+
+ if (cursor->token_type == TOKEN_OPEN_CURLY) {
+ fprintf(stderr, "%s:%d: Empty compound\n",
+ filename, cursor->line);
+ exit(1);
+ }
+
+ for (;;) {
+ name = NULL;
+ if (cursor->token_type == TOKEN_ELEMENT_NAME) {
+ name = cursor;
+ cursor++;
+ if (cursor >= end)
+ goto overrun_error;
+ }
+
+ element = parse_type(&cursor, end, name);
+ if (alternates)
+ element->flags |= ELEMENT_SKIPPABLE | ELEMENT_CONDITIONAL;
+
+ *child_p = element;
+ child_p = &element->next;
+
+ if (cursor >= end)
+ goto overrun_error;
+ if (cursor->token_type != TOKEN_COMMA)
+ break;
+ cursor++;
+ if (cursor >= end)
+ goto overrun_error;
+ }
+
+ children->flags &= ~ELEMENT_CONDITIONAL;
+
+ if (cursor->token_type != TOKEN_CLOSE_CURLY) {
+ fprintf(stderr, "%s:%d: Expected compound closure, got '%s'\n",
+ filename, cursor->line, cursor->content);
+ exit(1);
+ }
+ cursor++;
+
+ *_cursor = cursor;
+ return children;
+
+overrun_error:
+ fprintf(stderr, "%s: Unexpectedly hit EOF\n", filename);
+ exit(1);
+}
+
+static void dump_element(const struct element *e, int level)
+{
+ const struct element *c;
+ const struct type *t = e->type_def;
+ const char *name = e->name ? e->name->content : ".";
+ const char *tname = t && t->name ? t->name->content : ".";
+ char tag[32];
+
+ if (e->class == 0 && e->method == 0 && e->tag == 0)
+ strcpy(tag, "<...>");
+ else if (e->class == ASN1_UNIV)
+ sprintf(tag, "%s %s %s",
+ asn1_classes[e->class],
+ asn1_methods[e->method],
+ asn1_universal_tags[e->tag]);
+ else
+ sprintf(tag, "%s %s %u",
+ asn1_classes[e->class],
+ asn1_methods[e->method],
+ e->tag);
+
+ printf("%c%c%c%c%c %c %*s[*] \e[33m%s\e[m %s %s \e[35m%s\e[m\n",
+ e->flags & ELEMENT_IMPLICIT ? 'I' : '-',
+ e->flags & ELEMENT_EXPLICIT ? 'E' : '-',
+ e->flags & ELEMENT_TAG_SPECIFIED ? 'T' : '-',
+ e->flags & ELEMENT_SKIPPABLE ? 'S' : '-',
+ e->flags & ELEMENT_CONDITIONAL ? 'C' : '-',
+ "-tTqQcaro"[e->compound],
+ level, "",
+ tag,
+ tname,
+ name,
+ e->action ? e->action->name : "");
+ if (e->compound == TYPE_REF)
+ dump_element(e->type->type->element, level + 3);
+ else
+ for (c = e->children; c; c = c->next)
+ dump_element(c, level + 3);
+}
+
+static void dump_elements(void)
+{
+ if (debug_opt)
+ dump_element(type_list[0].element, 0);
+}
+
+static void render_element(FILE *out, struct element *e, struct element *tag);
+static void render_out_of_line_list(FILE *out);
+
+static int nr_entries;
+static int render_depth = 1;
+static struct element *render_list, **render_list_p = &render_list;
+
+__attribute__((format(printf, 2, 3)))
+static void render_opcode(FILE *out, const char *fmt, ...)
+{
+ va_list va;
+
+ if (out) {
+ fprintf(out, "\t[%4d] =%*s", nr_entries, render_depth, "");
+ va_start(va, fmt);
+ vfprintf(out, fmt, va);
+ va_end(va);
+ }
+ nr_entries++;
+}
+
+__attribute__((format(printf, 2, 3)))
+static void render_more(FILE *out, const char *fmt, ...)
+{
+ va_list va;
+
+ if (out) {
+ va_start(va, fmt);
+ vfprintf(out, fmt, va);
+ va_end(va);
+ }
+}
+
+/*
+ * Render the grammar into a state machine definition.
+ */
+static void render(FILE *out, FILE *hdr)
+{
+ struct element *e;
+ struct action *action;
+ struct type *root;
+ int index;
+
+ fprintf(hdr, "/*\n");
+ fprintf(hdr, " * Automatically generated by asn1_compiler. Do not edit\n");
+ fprintf(hdr, " *\n");
+ fprintf(hdr, " * ASN.1 parser for %s\n", grammar_name);
+ fprintf(hdr, " */\n");
+ fprintf(hdr, "#include <linux/asn1_decoder.h>\n");
+ fprintf(hdr, "\n");
+ fprintf(hdr, "extern const struct asn1_decoder %s_decoder;\n", grammar_name);
+ if (ferror(hdr)) {
+ perror(headername);
+ exit(1);
+ }
+
+ fprintf(out, "/*\n");
+ fprintf(out, " * Automatically generated by asn1_compiler. Do not edit\n");
+ fprintf(out, " *\n");
+ fprintf(out, " * ASN.1 parser for %s\n", grammar_name);
+ fprintf(out, " */\n");
+ fprintf(out, "#include <linux/asn1_ber_bytecode.h>\n");
+ fprintf(out, "#include \"%s.asn1.h\"\n", grammar_name);
+ fprintf(out, "\n");
+ if (ferror(out)) {
+ perror(outputname);
+ exit(1);
+ }
+
+ /* Tabulate the action functions we might have to call */
+ fprintf(hdr, "\n");
+ index = 0;
+ for (action = action_list; action; action = action->next) {
+ action->index = index++;
+ fprintf(hdr,
+ "extern int %s(void *, size_t, unsigned char,"
+ " const void *, size_t);\n",
+ action->name);
+ }
+ fprintf(hdr, "\n");
+
+ fprintf(out, "enum %s_actions {\n", grammar_name);
+ for (action = action_list; action; action = action->next)
+ fprintf(out, "\tACT_%s = %u,\n",
+ action->name, action->index);
+ fprintf(out, "\tNR__%s_actions = %u\n", grammar_name, nr_actions);
+ fprintf(out, "};\n");
+
+ fprintf(out, "\n");
+ fprintf(out, "static const asn1_action_t %s_action_table[NR__%s_actions] = {\n",
+ grammar_name, grammar_name);
+ for (action = action_list; action; action = action->next)
+ fprintf(out, "\t[%4u] = %s,\n", action->index, action->name);
+ fprintf(out, "};\n");
+
+ if (ferror(out)) {
+ perror(outputname);
+ exit(1);
+ }
+
+ /* We do two passes - the first one calculates all the offsets */
+ verbose("Pass 1\n");
+ nr_entries = 0;
+ root = &type_list[0];
+ render_element(NULL, root->element, NULL);
+ render_opcode(NULL, "ASN1_OP_COMPLETE,\n");
+ render_out_of_line_list(NULL);
+
+ for (e = element_list; e; e = e->list_next)
+ e->flags &= ~ELEMENT_RENDERED;
+
+ /* And then we actually render */
+ verbose("Pass 2\n");
+ fprintf(out, "\n");
+ fprintf(out, "static const unsigned char %s_machine[] = {\n",
+ grammar_name);
+
+ nr_entries = 0;
+ root = &type_list[0];
+ render_element(out, root->element, NULL);
+ render_opcode(out, "ASN1_OP_COMPLETE,\n");
+ render_out_of_line_list(out);
+
+ fprintf(out, "};\n");
+
+ fprintf(out, "\n");
+ fprintf(out, "const struct asn1_decoder %s_decoder = {\n", grammar_name);
+ fprintf(out, "\t.machine = %s_machine,\n", grammar_name);
+ fprintf(out, "\t.machlen = sizeof(%s_machine),\n", grammar_name);
+ fprintf(out, "\t.actions = %s_action_table,\n", grammar_name);
+ fprintf(out, "};\n");
+}
+
+/*
+ * Render the out-of-line elements
+ */
+static void render_out_of_line_list(FILE *out)
+{
+ struct element *e, *ce;
+ const char *act;
+ int entry;
+
+ while ((e = render_list)) {
+ render_list = e->render_next;
+ if (!render_list)
+ render_list_p = &render_list;
+
+ render_more(out, "\n");
+ e->entry_index = entry = nr_entries;
+ render_depth++;
+ for (ce = e->children; ce; ce = ce->next)
+ render_element(out, ce, NULL);
+ render_depth--;
+
+ act = e->action ? "_ACT" : "";
+ switch (e->compound) {
+ case SEQUENCE:
+ render_opcode(out, "ASN1_OP_END_SEQ%s,\n", act);
+ break;
+ case SEQUENCE_OF:
+ render_opcode(out, "ASN1_OP_END_SEQ_OF%s,\n", act);
+ render_opcode(out, "_jump_target(%u),\n", entry);
+ break;
+ case SET:
+ render_opcode(out, "ASN1_OP_END_SET%s,\n", act);
+ break;
+ case SET_OF:
+ render_opcode(out, "ASN1_OP_END_SET_OF%s,\n", act);
+ render_opcode(out, "_jump_target(%u),\n", entry);
+ break;
+ default:
+ break;
+ }
+ if (e->action)
+ render_opcode(out, "_action(ACT_%s),\n",
+ e->action->name);
+ render_opcode(out, "ASN1_OP_RETURN,\n");
+ }
+}
+
+/*
+ * Render an element.
+ */
+static void render_element(FILE *out, struct element *e, struct element *tag)
+{
+ struct element *ec, *x;
+ const char *cond, *act;
+ int entry, skippable = 0, outofline = 0;
+
+ if (e->flags & ELEMENT_SKIPPABLE ||
+ (tag && tag->flags & ELEMENT_SKIPPABLE))
+ skippable = 1;
+
+ if ((e->type_def && e->type_def->ref_count > 1) ||
+ skippable)
+ outofline = 1;
+
+ if (e->type_def && out) {
+ render_more(out, "\t// %s\n", e->type_def->name->content);
+ }
+
+ /* Render the operation */
+ cond = (e->flags & ELEMENT_CONDITIONAL ||
+ (tag && tag->flags & ELEMENT_CONDITIONAL)) ? "COND_" : "";
+ act = e->action ? "_ACT" : "";
+ switch (e->compound) {
+ case ANY:
+ render_opcode(out, "ASN1_OP_%sMATCH_ANY%s%s,",
+ cond, act, skippable ? "_OR_SKIP" : "");
+ if (e->name)
+ render_more(out, "\t\t// %s", e->name->content);
+ render_more(out, "\n");
+ goto dont_render_tag;
+
+ case TAG_OVERRIDE:
+ render_element(out, e->children, e);
+ return;
+
+ case SEQUENCE:
+ case SEQUENCE_OF:
+ case SET:
+ case SET_OF:
+ render_opcode(out, "ASN1_OP_%sMATCH%s%s,",
+ cond,
+ outofline ? "_JUMP" : "",
+ skippable ? "_OR_SKIP" : "");
+ break;
+
+ case CHOICE:
+ goto dont_render_tag;
+
+ case TYPE_REF:
+ if (e->class == ASN1_UNIV && e->method == ASN1_PRIM && e->tag == 0)
+ goto dont_render_tag;
+ default:
+ render_opcode(out, "ASN1_OP_%sMATCH%s%s,",
+ cond, act,
+ skippable ? "_OR_SKIP" : "");
+ break;
+ }
+
+ x = tag ?: e;
+ if (x->name)
+ render_more(out, "\t\t// %s", x->name->content);
+ render_more(out, "\n");
+
+ /* Render the tag */
+ if (!tag || !(tag->flags & ELEMENT_TAG_SPECIFIED))
+ tag = e;
+
+ if (tag->class == ASN1_UNIV &&
+ tag->tag != 14 &&
+ tag->tag != 15 &&
+ tag->tag != 31)
+ render_opcode(out, "_tag(%s, %s, %s),\n",
+ asn1_classes[tag->class],
+ asn1_methods[tag->method | e->method],
+ asn1_universal_tags[tag->tag]);
+ else
+ render_opcode(out, "_tagn(%s, %s, %2u),\n",
+ asn1_classes[tag->class],
+ asn1_methods[tag->method | e->method],
+ tag->tag);
+ tag = NULL;
+dont_render_tag:
+
+ /* Deal with compound types */
+ switch (e->compound) {
+ case TYPE_REF:
+ render_element(out, e->type->type->element, tag);
+ if (e->action)
+ render_opcode(out, "ASN1_OP_%sACT,\n",
+ skippable ? "MAYBE_" : "");
+ break;
+
+ case SEQUENCE:
+ if (outofline) {
+ /* Render out-of-line for multiple use or
+ * skipability */
+ render_opcode(out, "_jump_target(%u),", e->entry_index);
+ if (e->type_def && e->type_def->name)
+ render_more(out, "\t\t// --> %s",
+ e->type_def->name->content);
+ render_more(out, "\n");
+ if (!(e->flags & ELEMENT_RENDERED)) {
+ e->flags |= ELEMENT_RENDERED;
+ *render_list_p = e;
+ render_list_p = &e->render_next;
+ }
+ return;
+ } else {
+ /* Render inline for single use */
+ render_depth++;
+ for (ec = e->children; ec; ec = ec->next)
+ render_element(out, ec, NULL);
+ render_depth--;
+ render_opcode(out, "ASN1_OP_END_SEQ%s,\n", act);
+ }
+ break;
+
+ case SEQUENCE_OF:
+ case SET_OF:
+ if (outofline) {
+ /* Render out-of-line for multiple use or
+ * skipability */
+ render_opcode(out, "_jump_target(%u),", e->entry_index);
+ if (e->type_def && e->type_def->name)
+ render_more(out, "\t\t// --> %s",
+ e->type_def->name->content);
+ render_more(out, "\n");
+ if (!(e->flags & ELEMENT_RENDERED)) {
+ e->flags |= ELEMENT_RENDERED;
+ *render_list_p = e;
+ render_list_p = &e->render_next;
+ }
+ return;
+ } else {
+ /* Render inline for single use */
+ entry = nr_entries;
+ render_depth++;
+ render_element(out, e->children, NULL);
+ render_depth--;
+ if (e->compound == SEQUENCE_OF)
+ render_opcode(out, "ASN1_OP_END_SEQ_OF%s,\n", act);
+ else
+ render_opcode(out, "ASN1_OP_END_SET_OF%s,\n", act);
+ render_opcode(out, "_jump_target(%u),\n", entry);
+ }
+ break;
+
+ case SET:
+ /* I can't think of a nice way to do SET support without having
+ * a stack of bitmasks to make sure no element is repeated.
+ * The bitmask has also to be checked that no non-optional
+ * elements are left out whilst not preventing optional
+ * elements from being left out.
+ */
+ fprintf(stderr, "The ASN.1 SET type is not currently supported.\n");
+ exit(1);
+
+ case CHOICE:
+ for (ec = e->children; ec; ec = ec->next)
+ render_element(out, ec, ec);
+ if (!skippable)
+ render_opcode(out, "ASN1_OP_COND_FAIL,\n");
+ if (e->action)
+ render_opcode(out, "ASN1_OP_ACT,\n");
+ break;
+
+ default:
+ break;
+ }
+
+ if (e->action)
+ render_opcode(out, "_action(ACT_%s),\n", e->action->name);
+}
--
2.21.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [U-Boot] [RFC 2/9] Makefile: add build script for asn1 parsers
2019-09-03 5:42 [U-Boot] [RFC 0/9] import x509/pkcs7 parsers from linux AKASHI Takahiro
2019-09-03 5:42 ` [U-Boot] [RFC 1/9] cmd: add asn1_compiler AKASHI Takahiro
@ 2019-09-03 5:42 ` AKASHI Takahiro
2019-09-03 5:42 ` [U-Boot] [RFC 3/9] lib: add asn1 decoder AKASHI Takahiro
` (7 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: AKASHI Takahiro @ 2019-09-03 5:42 UTC (permalink / raw)
To: u-boot
This rule will be used to build x509 and pkcs7 parsers.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
scripts/Makefile.build | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/scripts/Makefile.build b/scripts/Makefile.build
index f7a041296d3d..9357d310e50b 100644
--- a/scripts/Makefile.build
+++ b/scripts/Makefile.build
@@ -331,7 +331,7 @@ quiet_cmd_asn1_compiler = ASN.1 $@
cmd_asn1_compiler = $(objtree)/scripts/asn1_compiler $< \
$(subst .h,.c,$@) $(subst .c,.h,$@)
-$(obj)/%-asn1.c $(obj)/%-asn1.h: $(src)/%.asn1 $(objtree)/scripts/asn1_compiler
+$(obj)/%.asn1.c $(obj)/%.asn1.h: $(src)/%.asn1 $(objtree)/scripts/asn1_compiler
$(call cmd,asn1_compiler)
# Build the compiled-in targets
@@ -419,9 +419,11 @@ targets += $(multi-used-y) $(multi-used-m)
intermediate_targets = $(foreach sfx, $(2), \
$(patsubst %$(strip $(1)),%$(sfx), \
$(filter %$(strip $(1)), $(targets))))
+# %.asn1.o <- %.asn1.[ch] <- %.asn1
# %.lex.o <- %.lex.c <- %.l
# %.tab.o <- %.tab.[ch] <- %.y
-targets += $(call intermediate_targets, .lex.o, .lex.c) \
+targets += $(call intermediate_targets, .asn1.o, .asn1.c .asn1.h) \
+ $(call intermediate_targets, .lex.o, .lex.c) \
$(call intermediate_targets, .tab.o, .tab.c .tab.h)
# Descending
--
2.21.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [U-Boot] [RFC 3/9] lib: add asn1 decoder
2019-09-03 5:42 [U-Boot] [RFC 0/9] import x509/pkcs7 parsers from linux AKASHI Takahiro
2019-09-03 5:42 ` [U-Boot] [RFC 1/9] cmd: add asn1_compiler AKASHI Takahiro
2019-09-03 5:42 ` [U-Boot] [RFC 2/9] Makefile: add build script for asn1 parsers AKASHI Takahiro
@ 2019-09-03 5:42 ` AKASHI Takahiro
2019-09-03 5:42 ` [U-Boot] [RFC 4/9] lib: add oid registry utility AKASHI Takahiro
` (6 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: AKASHI Takahiro @ 2019-09-03 5:42 UTC (permalink / raw)
To: u-boot
Imported from linux kernel v5.0.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
lib/Kconfig | 6 +
lib/Makefile | 1 +
lib/asn1_decoder.c | 520 +++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 527 insertions(+)
create mode 100644 lib/asn1_decoder.c
diff --git a/lib/Kconfig b/lib/Kconfig
index 3da45a5ec322..26c94f49ecd2 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -521,6 +521,12 @@ config SMBIOS_PRODUCT_NAME
endmenu
+config ASN1
+ bool
+ select BUILD_ASN1
+ help
+ Enable asn1 decoder library.
+
source lib/efi/Kconfig
source lib/efi_loader/Kconfig
source lib/optee/Kconfig
diff --git a/lib/Makefile b/lib/Makefile
index 2fffd68f943c..eb3a675fb8c2 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -17,6 +17,7 @@ obj-$(CONFIG_OF_LIVE) += of_live.o
obj-$(CONFIG_CMD_DHRYSTONE) += dhry/
obj-$(CONFIG_ARCH_AT91) += at91/
obj-$(CONFIG_OPTEE) += optee/
+obj-$(CONFIG_BUILD_ASN1) += asn1_decoder.o
obj-$(CONFIG_AES) += aes.o
diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c
new file mode 100644
index 000000000000..39e78efa0bc8
--- /dev/null
+++ b/lib/asn1_decoder.c
@@ -0,0 +1,520 @@
+/* Decoder for ASN.1 BER/DER/CER encoded bytestream
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#include <linux/compat.h>
+#include <linux/kernel.h>
+#include <linux/errno.h>
+#include <linux/asn1_decoder.h>
+#include <linux/asn1_ber_bytecode.h>
+
+static const unsigned char asn1_op_lengths[ASN1_OP__NR] = {
+ /* OPC TAG JMP ACT */
+ [ASN1_OP_MATCH] = 1 + 1,
+ [ASN1_OP_MATCH_OR_SKIP] = 1 + 1,
+ [ASN1_OP_MATCH_ACT] = 1 + 1 + 1,
+ [ASN1_OP_MATCH_ACT_OR_SKIP] = 1 + 1 + 1,
+ [ASN1_OP_MATCH_JUMP] = 1 + 1 + 1,
+ [ASN1_OP_MATCH_JUMP_OR_SKIP] = 1 + 1 + 1,
+ [ASN1_OP_MATCH_ANY] = 1,
+ [ASN1_OP_MATCH_ANY_OR_SKIP] = 1,
+ [ASN1_OP_MATCH_ANY_ACT] = 1 + 1,
+ [ASN1_OP_MATCH_ANY_ACT_OR_SKIP] = 1 + 1,
+ [ASN1_OP_COND_MATCH_OR_SKIP] = 1 + 1,
+ [ASN1_OP_COND_MATCH_ACT_OR_SKIP] = 1 + 1 + 1,
+ [ASN1_OP_COND_MATCH_JUMP_OR_SKIP] = 1 + 1 + 1,
+ [ASN1_OP_COND_MATCH_ANY] = 1,
+ [ASN1_OP_COND_MATCH_ANY_OR_SKIP] = 1,
+ [ASN1_OP_COND_MATCH_ANY_ACT] = 1 + 1,
+ [ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP] = 1 + 1,
+ [ASN1_OP_COND_FAIL] = 1,
+ [ASN1_OP_COMPLETE] = 1,
+ [ASN1_OP_ACT] = 1 + 1,
+ [ASN1_OP_MAYBE_ACT] = 1 + 1,
+ [ASN1_OP_RETURN] = 1,
+ [ASN1_OP_END_SEQ] = 1,
+ [ASN1_OP_END_SEQ_OF] = 1 + 1,
+ [ASN1_OP_END_SET] = 1,
+ [ASN1_OP_END_SET_OF] = 1 + 1,
+ [ASN1_OP_END_SEQ_ACT] = 1 + 1,
+ [ASN1_OP_END_SEQ_OF_ACT] = 1 + 1 + 1,
+ [ASN1_OP_END_SET_ACT] = 1 + 1,
+ [ASN1_OP_END_SET_OF_ACT] = 1 + 1 + 1,
+};
+
+/*
+ * Find the length of an indefinite length object
+ * @data: The data buffer
+ * @datalen: The end of the innermost containing element in the buffer
+ * @_dp: The data parse cursor (updated before returning)
+ * @_len: Where to return the size of the element.
+ * @_errmsg: Where to return a pointer to an error message on error
+ */
+static int asn1_find_indefinite_length(const unsigned char *data, size_t datalen,
+ size_t *_dp, size_t *_len,
+ const char **_errmsg)
+{
+ unsigned char tag, tmp;
+ size_t dp = *_dp, len, n;
+ int indef_level = 1;
+
+next_tag:
+ if (unlikely(datalen - dp < 2)) {
+ if (datalen == dp)
+ goto missing_eoc;
+ goto data_overrun_error;
+ }
+
+ /* Extract a tag from the data */
+ tag = data[dp++];
+ if (tag == ASN1_EOC) {
+ /* It appears to be an EOC. */
+ if (data[dp++] != 0)
+ goto invalid_eoc;
+ if (--indef_level <= 0) {
+ *_len = dp - *_dp;
+ *_dp = dp;
+ return 0;
+ }
+ goto next_tag;
+ }
+
+ if (unlikely((tag & 0x1f) == ASN1_LONG_TAG)) {
+ do {
+ if (unlikely(datalen - dp < 2))
+ goto data_overrun_error;
+ tmp = data[dp++];
+ } while (tmp & 0x80);
+ }
+
+ /* Extract the length */
+ len = data[dp++];
+ if (len <= 0x7f)
+ goto check_length;
+
+ if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
+ /* Indefinite length */
+ if (unlikely((tag & ASN1_CONS_BIT) == ASN1_PRIM << 5))
+ goto indefinite_len_primitive;
+ indef_level++;
+ goto next_tag;
+ }
+
+ n = len - 0x80;
+ if (unlikely(n > sizeof(len) - 1))
+ goto length_too_long;
+ if (unlikely(n > datalen - dp))
+ goto data_overrun_error;
+ len = 0;
+ for (; n > 0; n--) {
+ len <<= 8;
+ len |= data[dp++];
+ }
+check_length:
+ if (len > datalen - dp)
+ goto data_overrun_error;
+ dp += len;
+ goto next_tag;
+
+length_too_long:
+ *_errmsg = "Unsupported length";
+ goto error;
+indefinite_len_primitive:
+ *_errmsg = "Indefinite len primitive not permitted";
+ goto error;
+invalid_eoc:
+ *_errmsg = "Invalid length EOC";
+ goto error;
+data_overrun_error:
+ *_errmsg = "Data overrun error";
+ goto error;
+missing_eoc:
+ *_errmsg = "Missing EOC in indefinite len cons";
+error:
+ *_dp = dp;
+ return -1;
+}
+
+/**
+ * asn1_ber_decoder - Decoder BER/DER/CER ASN.1 according to pattern
+ * @decoder: The decoder definition (produced by asn1_compiler)
+ * @context: The caller's context (to be passed to the action functions)
+ * @data: The encoded data
+ * @datalen: The size of the encoded data
+ *
+ * Decode BER/DER/CER encoded ASN.1 data according to a bytecode pattern
+ * produced by asn1_compiler. Action functions are called on marked tags to
+ * allow the caller to retrieve significant data.
+ *
+ * LIMITATIONS:
+ *
+ * To keep down the amount of stack used by this function, the following limits
+ * have been imposed:
+ *
+ * (1) This won't handle datalen > 65535 without increasing the size of the
+ * cons stack elements and length_too_long checking.
+ *
+ * (2) The stack of constructed types is 10 deep. If the depth of non-leaf
+ * constructed types exceeds this, the decode will fail.
+ *
+ * (3) The SET type (not the SET OF type) isn't really supported as tracking
+ * what members of the set have been seen is a pain.
+ */
+int asn1_ber_decoder(const struct asn1_decoder *decoder,
+ void *context,
+ const unsigned char *data,
+ size_t datalen)
+{
+ const unsigned char *machine = decoder->machine;
+ const asn1_action_t *actions = decoder->actions;
+ size_t machlen = decoder->machlen;
+ enum asn1_opcode op;
+ unsigned char tag = 0, csp = 0, jsp = 0, optag = 0, hdr = 0;
+ const char *errmsg;
+ size_t pc = 0, dp = 0, tdp = 0, len = 0;
+ int ret;
+
+ unsigned char flags = 0;
+#define FLAG_INDEFINITE_LENGTH 0x01
+#define FLAG_MATCHED 0x02
+#define FLAG_LAST_MATCHED 0x04 /* Last tag matched */
+#define FLAG_CONS 0x20 /* Corresponds to CONS bit in the opcode tag
+ * - ie. whether or not we are going to parse
+ * a compound type.
+ */
+
+#define NR_CONS_STACK 10
+ unsigned short cons_dp_stack[NR_CONS_STACK];
+ unsigned short cons_datalen_stack[NR_CONS_STACK];
+ unsigned char cons_hdrlen_stack[NR_CONS_STACK];
+#define NR_JUMP_STACK 10
+ unsigned char jump_stack[NR_JUMP_STACK];
+
+ if (datalen > 65535)
+ return -EMSGSIZE;
+
+next_op:
+ pr_debug("next_op: pc=\e[32m%zu\e[m/%zu dp=\e[33m%zu\e[m/%zu C=%d J=%d\n",
+ pc, machlen, dp, datalen, csp, jsp);
+ if (unlikely(pc >= machlen))
+ goto machine_overrun_error;
+ op = machine[pc];
+ if (unlikely(pc + asn1_op_lengths[op] > machlen))
+ goto machine_overrun_error;
+
+ /* If this command is meant to match a tag, then do that before
+ * evaluating the command.
+ */
+ if (op <= ASN1_OP__MATCHES_TAG) {
+ unsigned char tmp;
+
+ /* Skip conditional matches if possible */
+ if ((op & ASN1_OP_MATCH__COND && flags & FLAG_MATCHED) ||
+ (op & ASN1_OP_MATCH__SKIP && dp == datalen)) {
+ flags &= ~FLAG_LAST_MATCHED;
+ pc += asn1_op_lengths[op];
+ goto next_op;
+ }
+
+ flags = 0;
+ hdr = 2;
+
+ /* Extract a tag from the data */
+ if (unlikely(datalen - dp < 2))
+ goto data_overrun_error;
+ tag = data[dp++];
+ if (unlikely((tag & 0x1f) == ASN1_LONG_TAG))
+ goto long_tag_not_supported;
+
+ if (op & ASN1_OP_MATCH__ANY) {
+ pr_debug("- any %02x\n", tag);
+ } else {
+ /* Extract the tag from the machine
+ * - Either CONS or PRIM are permitted in the data if
+ * CONS is not set in the op stream, otherwise CONS
+ * is mandatory.
+ */
+ optag = machine[pc + 1];
+ flags |= optag & FLAG_CONS;
+
+ /* Determine whether the tag matched */
+ tmp = optag ^ tag;
+ tmp &= ~(optag & ASN1_CONS_BIT);
+ pr_debug("- match? %02x %02x %02x\n", tag, optag, tmp);
+ if (tmp != 0) {
+ /* All odd-numbered tags are MATCH_OR_SKIP. */
+ if (op & ASN1_OP_MATCH__SKIP) {
+ pc += asn1_op_lengths[op];
+ dp--;
+ goto next_op;
+ }
+ goto tag_mismatch;
+ }
+ }
+ flags |= FLAG_MATCHED;
+
+ len = data[dp++];
+ if (len > 0x7f) {
+ if (unlikely(len == ASN1_INDEFINITE_LENGTH)) {
+ /* Indefinite length */
+ if (unlikely(!(tag & ASN1_CONS_BIT)))
+ goto indefinite_len_primitive;
+ flags |= FLAG_INDEFINITE_LENGTH;
+ if (unlikely(2 > datalen - dp))
+ goto data_overrun_error;
+ } else {
+ int n = len - 0x80;
+ if (unlikely(n > 2))
+ goto length_too_long;
+ if (unlikely(n > datalen - dp))
+ goto data_overrun_error;
+ hdr += n;
+ for (len = 0; n > 0; n--) {
+ len <<= 8;
+ len |= data[dp++];
+ }
+ if (unlikely(len > datalen - dp))
+ goto data_overrun_error;
+ }
+ } else {
+ if (unlikely(len > datalen - dp))
+ goto data_overrun_error;
+ }
+
+ if (flags & FLAG_CONS) {
+ /* For expected compound forms, we stack the positions
+ * of the start and end of the data.
+ */
+ if (unlikely(csp >= NR_CONS_STACK))
+ goto cons_stack_overflow;
+ cons_dp_stack[csp] = dp;
+ cons_hdrlen_stack[csp] = hdr;
+ if (!(flags & FLAG_INDEFINITE_LENGTH)) {
+ cons_datalen_stack[csp] = datalen;
+ datalen = dp + len;
+ } else {
+ cons_datalen_stack[csp] = 0;
+ }
+ csp++;
+ }
+
+ pr_debug("- TAG: %02x %zu%s\n",
+ tag, len, flags & FLAG_CONS ? " CONS" : "");
+ tdp = dp;
+ }
+
+ /* Decide how to handle the operation */
+ switch (op) {
+ case ASN1_OP_MATCH:
+ case ASN1_OP_MATCH_OR_SKIP:
+ case ASN1_OP_MATCH_ACT:
+ case ASN1_OP_MATCH_ACT_OR_SKIP:
+ case ASN1_OP_MATCH_ANY:
+ case ASN1_OP_MATCH_ANY_OR_SKIP:
+ case ASN1_OP_MATCH_ANY_ACT:
+ case ASN1_OP_MATCH_ANY_ACT_OR_SKIP:
+ case ASN1_OP_COND_MATCH_OR_SKIP:
+ case ASN1_OP_COND_MATCH_ACT_OR_SKIP:
+ case ASN1_OP_COND_MATCH_ANY:
+ case ASN1_OP_COND_MATCH_ANY_OR_SKIP:
+ case ASN1_OP_COND_MATCH_ANY_ACT:
+ case ASN1_OP_COND_MATCH_ANY_ACT_OR_SKIP:
+
+ if (!(flags & FLAG_CONS)) {
+ if (flags & FLAG_INDEFINITE_LENGTH) {
+ size_t tmp = dp;
+
+ ret = asn1_find_indefinite_length(
+ data, datalen, &tmp, &len, &errmsg);
+ if (ret < 0)
+ goto error;
+ }
+ pr_debug("- LEAF: %zu\n", len);
+ }
+
+ if (op & ASN1_OP_MATCH__ACT) {
+ unsigned char act;
+
+ if (op & ASN1_OP_MATCH__ANY)
+ act = machine[pc + 1];
+ else
+ act = machine[pc + 2];
+ ret = actions[act](context, hdr, tag, data + dp, len);
+ if (ret < 0)
+ return ret;
+ }
+
+ if (!(flags & FLAG_CONS))
+ dp += len;
+ pc += asn1_op_lengths[op];
+ goto next_op;
+
+ case ASN1_OP_MATCH_JUMP:
+ case ASN1_OP_MATCH_JUMP_OR_SKIP:
+ case ASN1_OP_COND_MATCH_JUMP_OR_SKIP:
+ pr_debug("- MATCH_JUMP\n");
+ if (unlikely(jsp == NR_JUMP_STACK))
+ goto jump_stack_overflow;
+ jump_stack[jsp++] = pc + asn1_op_lengths[op];
+ pc = machine[pc + 2];
+ goto next_op;
+
+ case ASN1_OP_COND_FAIL:
+ if (unlikely(!(flags & FLAG_MATCHED)))
+ goto tag_mismatch;
+ pc += asn1_op_lengths[op];
+ goto next_op;
+
+ case ASN1_OP_COMPLETE:
+ if (unlikely(jsp != 0 || csp != 0)) {
+ pr_err("ASN.1 decoder error: Stacks not empty@completion (%u, %u)\n",
+ jsp, csp);
+ return -EBADMSG;
+ }
+ return 0;
+
+ case ASN1_OP_END_SET:
+ case ASN1_OP_END_SET_ACT:
+ if (unlikely(!(flags & FLAG_MATCHED)))
+ goto tag_mismatch;
+ case ASN1_OP_END_SEQ:
+ case ASN1_OP_END_SET_OF:
+ case ASN1_OP_END_SEQ_OF:
+ case ASN1_OP_END_SEQ_ACT:
+ case ASN1_OP_END_SET_OF_ACT:
+ case ASN1_OP_END_SEQ_OF_ACT:
+ if (unlikely(csp <= 0))
+ goto cons_stack_underflow;
+ csp--;
+ tdp = cons_dp_stack[csp];
+ hdr = cons_hdrlen_stack[csp];
+ len = datalen;
+ datalen = cons_datalen_stack[csp];
+ pr_debug("- end cons t=%zu dp=%zu l=%zu/%zu\n",
+ tdp, dp, len, datalen);
+ if (datalen == 0) {
+ /* Indefinite length - check for the EOC. */
+ datalen = len;
+ if (unlikely(datalen - dp < 2))
+ goto data_overrun_error;
+ if (data[dp++] != 0) {
+ if (op & ASN1_OP_END__OF) {
+ dp--;
+ csp++;
+ pc = machine[pc + 1];
+ pr_debug("- continue\n");
+ goto next_op;
+ }
+ goto missing_eoc;
+ }
+ if (data[dp++] != 0)
+ goto invalid_eoc;
+ len = dp - tdp - 2;
+ } else {
+ if (dp < len && (op & ASN1_OP_END__OF)) {
+ datalen = len;
+ csp++;
+ pc = machine[pc + 1];
+ pr_debug("- continue\n");
+ goto next_op;
+ }
+ if (dp != len)
+ goto cons_length_error;
+ len -= tdp;
+ pr_debug("- cons len l=%zu d=%zu\n", len, dp - tdp);
+ }
+
+ if (op & ASN1_OP_END__ACT) {
+ unsigned char act;
+ if (op & ASN1_OP_END__OF)
+ act = machine[pc + 2];
+ else
+ act = machine[pc + 1];
+ ret = actions[act](context, hdr, 0, data + tdp, len);
+ if (ret < 0)
+ return ret;
+ }
+ pc += asn1_op_lengths[op];
+ goto next_op;
+
+ case ASN1_OP_MAYBE_ACT:
+ if (!(flags & FLAG_LAST_MATCHED)) {
+ pc += asn1_op_lengths[op];
+ goto next_op;
+ }
+ case ASN1_OP_ACT:
+ ret = actions[machine[pc + 1]](context, hdr, tag, data + tdp, len);
+ if (ret < 0)
+ return ret;
+ pc += asn1_op_lengths[op];
+ goto next_op;
+
+ case ASN1_OP_RETURN:
+ if (unlikely(jsp <= 0))
+ goto jump_stack_underflow;
+ pc = jump_stack[--jsp];
+ flags |= FLAG_MATCHED | FLAG_LAST_MATCHED;
+ goto next_op;
+
+ default:
+ break;
+ }
+
+ /* Shouldn't reach here */
+ pr_err("ASN.1 decoder error: Found reserved opcode (%u) pc=%zu\n",
+ op, pc);
+ return -EBADMSG;
+
+data_overrun_error:
+ errmsg = "Data overrun error";
+ goto error;
+machine_overrun_error:
+ errmsg = "Machine overrun error";
+ goto error;
+jump_stack_underflow:
+ errmsg = "Jump stack underflow";
+ goto error;
+jump_stack_overflow:
+ errmsg = "Jump stack overflow";
+ goto error;
+cons_stack_underflow:
+ errmsg = "Cons stack underflow";
+ goto error;
+cons_stack_overflow:
+ errmsg = "Cons stack overflow";
+ goto error;
+cons_length_error:
+ errmsg = "Cons length error";
+ goto error;
+missing_eoc:
+ errmsg = "Missing EOC in indefinite len cons";
+ goto error;
+invalid_eoc:
+ errmsg = "Invalid length EOC";
+ goto error;
+length_too_long:
+ errmsg = "Unsupported length";
+ goto error;
+indefinite_len_primitive:
+ errmsg = "Indefinite len primitive not permitted";
+ goto error;
+tag_mismatch:
+ errmsg = "Unexpected tag";
+ goto error;
+long_tag_not_supported:
+ errmsg = "Long tag not supported";
+error:
+ pr_debug("\nASN1: %s [m=%zu d=%zu ot=%02x t=%02x l=%zu]\n",
+ errmsg, pc, dp, optag, tag, len);
+ return -EBADMSG;
+}
+EXPORT_SYMBOL_GPL(asn1_ber_decoder);
+
+MODULE_LICENSE("GPL");
--
2.21.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [U-Boot] [RFC 4/9] lib: add oid registry utility
2019-09-03 5:42 [U-Boot] [RFC 0/9] import x509/pkcs7 parsers from linux AKASHI Takahiro
` (2 preceding siblings ...)
2019-09-03 5:42 ` [U-Boot] [RFC 3/9] lib: add asn1 decoder AKASHI Takahiro
@ 2019-09-03 5:42 ` AKASHI Takahiro
2019-09-03 5:42 ` [U-Boot] [RFC 5/9] lib: crypto: add public key utility AKASHI Takahiro
` (5 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: AKASHI Takahiro @ 2019-09-03 5:42 UTC (permalink / raw)
To: u-boot
Imported from linux kernel v5.0.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
include/linux/oid_registry.h | 103 +++++++++++++++++
lib/Kconfig | 5 +
lib/Makefile | 16 +++
lib/build_OID_registry | 207 +++++++++++++++++++++++++++++++++++
lib/oid_registry.c | 178 ++++++++++++++++++++++++++++++
5 files changed, 509 insertions(+)
create mode 100644 include/linux/oid_registry.h
create mode 100755 lib/build_OID_registry
create mode 100644 lib/oid_registry.c
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
new file mode 100644
index 000000000000..d2fa9ca42e9a
--- /dev/null
+++ b/include/linux/oid_registry.h
@@ -0,0 +1,103 @@
+/* ASN.1 Object identifier (OID) registry
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#ifndef _LINUX_OID_REGISTRY_H
+#define _LINUX_OID_REGISTRY_H
+
+#include <linux/types.h>
+
+/*
+ * OIDs are turned into these values if possible, or OID__NR if not held here.
+ *
+ * NOTE! Do not mess with the format of each line as this is read by
+ * build_OID_registry.pl to generate the data for look_up_OID().
+ */
+enum OID {
+ OID_id_dsa_with_sha1, /* 1.2.840.10030.4.3 */
+ OID_id_dsa, /* 1.2.840.10040.4.1 */
+ OID_id_ecdsa_with_sha1, /* 1.2.840.10045.4.1 */
+ OID_id_ecPublicKey, /* 1.2.840.10045.2.1 */
+
+ /* PKCS#1 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)} */
+ OID_rsaEncryption, /* 1.2.840.113549.1.1.1 */
+ OID_md2WithRSAEncryption, /* 1.2.840.113549.1.1.2 */
+ OID_md3WithRSAEncryption, /* 1.2.840.113549.1.1.3 */
+ OID_md4WithRSAEncryption, /* 1.2.840.113549.1.1.4 */
+ OID_sha1WithRSAEncryption, /* 1.2.840.113549.1.1.5 */
+ OID_sha256WithRSAEncryption, /* 1.2.840.113549.1.1.11 */
+ OID_sha384WithRSAEncryption, /* 1.2.840.113549.1.1.12 */
+ OID_sha512WithRSAEncryption, /* 1.2.840.113549.1.1.13 */
+ OID_sha224WithRSAEncryption, /* 1.2.840.113549.1.1.14 */
+ /* PKCS#7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)} */
+ OID_data, /* 1.2.840.113549.1.7.1 */
+ OID_signed_data, /* 1.2.840.113549.1.7.2 */
+ /* PKCS#9 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)} */
+ OID_email_address, /* 1.2.840.113549.1.9.1 */
+ OID_contentType, /* 1.2.840.113549.1.9.3 */
+ OID_messageDigest, /* 1.2.840.113549.1.9.4 */
+ OID_signingTime, /* 1.2.840.113549.1.9.5 */
+ OID_smimeCapabilites, /* 1.2.840.113549.1.9.15 */
+ OID_smimeAuthenticatedAttrs, /* 1.2.840.113549.1.9.16.2.11 */
+
+ /* {iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2)} */
+ OID_md2, /* 1.2.840.113549.2.2 */
+ OID_md4, /* 1.2.840.113549.2.4 */
+ OID_md5, /* 1.2.840.113549.2.5 */
+
+ /* Microsoft Authenticode & Software Publishing */
+ OID_msIndirectData, /* 1.3.6.1.4.1.311.2.1.4 */
+ OID_msStatementType, /* 1.3.6.1.4.1.311.2.1.11 */
+ OID_msSpOpusInfo, /* 1.3.6.1.4.1.311.2.1.12 */
+ OID_msPeImageDataObjId, /* 1.3.6.1.4.1.311.2.1.15 */
+ OID_msIndividualSPKeyPurpose, /* 1.3.6.1.4.1.311.2.1.21 */
+ OID_msOutlookExpress, /* 1.3.6.1.4.1.311.16.4 */
+
+ OID_certAuthInfoAccess, /* 1.3.6.1.5.5.7.1.1 */
+ OID_sha1, /* 1.3.14.3.2.26 */
+ OID_sha256, /* 2.16.840.1.101.3.4.2.1 */
+ OID_sha384, /* 2.16.840.1.101.3.4.2.2 */
+ OID_sha512, /* 2.16.840.1.101.3.4.2.3 */
+ OID_sha224, /* 2.16.840.1.101.3.4.2.4 */
+
+ /* Distinguished Name attribute IDs [RFC 2256] */
+ OID_commonName, /* 2.5.4.3 */
+ OID_surname, /* 2.5.4.4 */
+ OID_countryName, /* 2.5.4.6 */
+ OID_locality, /* 2.5.4.7 */
+ OID_stateOrProvinceName, /* 2.5.4.8 */
+ OID_organizationName, /* 2.5.4.10 */
+ OID_organizationUnitName, /* 2.5.4.11 */
+ OID_title, /* 2.5.4.12 */
+ OID_description, /* 2.5.4.13 */
+ OID_name, /* 2.5.4.41 */
+ OID_givenName, /* 2.5.4.42 */
+ OID_initials, /* 2.5.4.43 */
+ OID_generationalQualifier, /* 2.5.4.44 */
+
+ /* Certificate extension IDs */
+ OID_subjectKeyIdentifier, /* 2.5.29.14 */
+ OID_keyUsage, /* 2.5.29.15 */
+ OID_subjectAltName, /* 2.5.29.17 */
+ OID_issuerAltName, /* 2.5.29.18 */
+ OID_basicConstraints, /* 2.5.29.19 */
+ OID_crlDistributionPoints, /* 2.5.29.31 */
+ OID_certPolicies, /* 2.5.29.32 */
+ OID_authorityKeyIdentifier, /* 2.5.29.35 */
+ OID_extKeyUsage, /* 2.5.29.37 */
+
+ OID__NR
+};
+
+extern enum OID look_up_OID(const void *data, size_t datasize);
+extern int sprint_oid(const void *, size_t, char *, size_t);
+extern int sprint_OID(enum OID, char *, size_t);
+
+#endif /* _LINUX_OID_REGISTRY_H */
diff --git a/lib/Kconfig b/lib/Kconfig
index 26c94f49ecd2..d2955c8feb0e 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -527,6 +527,11 @@ config ASN1
help
Enable asn1 decoder library.
+config OID_REGISTRY
+ bool
+ help
+ Enable fast lookup object identifier registry.
+
source lib/efi/Kconfig
source lib/efi_loader/Kconfig
source lib/optee/Kconfig
diff --git a/lib/Makefile b/lib/Makefile
index eb3a675fb8c2..677ec33a1ce1 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -118,4 +118,20 @@ else
obj-y += vsprintf.o strto.o strmhz.o
endif
+#
+# Build a fast OID lookip registry from include/linux/oid_registry.h
+#
+obj-$(CONFIG_OID_REGISTRY) += oid_registry.o
+
+$(obj)/oid_registry.o: $(obj)/oid_registry_data.c
+
+$(obj)/oid_registry_data.c: $(srctree)/include/linux/oid_registry.h \
+ $(src)/build_OID_registry
+ $(call cmd,build_OID_registry)
+
+quiet_cmd_build_OID_registry = GEN $@
+ cmd_build_OID_registry = perl $(srctree)/$(src)/build_OID_registry $< $@
+
+clean-files += oid_registry_data.c
+
subdir-ccflags-$(CONFIG_CC_OPTIMIZE_LIBS_FOR_SPEED) += -O2
diff --git a/lib/build_OID_registry b/lib/build_OID_registry
new file mode 100755
index 000000000000..5d9827217360
--- /dev/null
+++ b/lib/build_OID_registry
@@ -0,0 +1,207 @@
+#!/usr/bin/perl -w
+#
+# Build a static ASN.1 Object Identified (OID) registry
+#
+# Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+# Written by David Howells (dhowells@redhat.com)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public Licence
+# as published by the Free Software Foundation; either version
+# 2 of the Licence, or (at your option) any later version.
+#
+
+use strict;
+
+my @names = ();
+my @oids = ();
+
+if ($#ARGV != 1) {
+ print STDERR "Format: ", $0, " <in-h-file> <out-c-file>\n";
+ exit(2);
+}
+
+#
+# Open the file to read from
+#
+open IN_FILE, "<$ARGV[0]" || die;
+while (<IN_FILE>) {
+ chomp;
+ if (m!\s+OID_([a-zA-z][a-zA-Z0-9_]+),\s+/[*]\s+([012][.0-9]*)\s+[*]/!) {
+ push @names, $1;
+ push @oids, $2;
+ }
+}
+close IN_FILE || die;
+
+#
+# Open the files to write into
+#
+open C_FILE, ">$ARGV[1]" or die;
+print C_FILE "/*\n";
+print C_FILE " * Automatically generated by ", $0, ". Do not edit\n";
+print C_FILE " */\n";
+
+#
+# Split the data up into separate lists and also determine the lengths of the
+# encoded data arrays.
+#
+my @indices = ();
+my @lengths = ();
+my $total_length = 0;
+
+for (my $i = 0; $i <= $#names; $i++) {
+ my $name = $names[$i];
+ my $oid = $oids[$i];
+
+ my @components = split(/[.]/, $oid);
+
+ # Determine the encoded length of this OID
+ my $size = $#components;
+ for (my $loop = 2; $loop <= $#components; $loop++) {
+ my $c = $components[$loop];
+
+ # We will base128 encode the number
+ my $tmp = ($c == 0) ? 0 : int(log($c)/log(2));
+ $tmp = int($tmp / 7);
+ $size += $tmp;
+ }
+ push @lengths, $size;
+ push @indices, $total_length;
+ $total_length += $size;
+}
+
+#
+# Emit the look-up-by-OID index table
+#
+print C_FILE "\n";
+if ($total_length <= 255) {
+ print C_FILE "static const unsigned char oid_index[OID__NR + 1] = {\n";
+} else {
+ print C_FILE "static const unsigned short oid_index[OID__NR + 1] = {\n";
+}
+for (my $i = 0; $i <= $#names; $i++) {
+ print C_FILE "\t[OID_", $names[$i], "] = ", $indices[$i], ",\n"
+}
+print C_FILE "\t[OID__NR] = ", $total_length, "\n";
+print C_FILE "};\n";
+
+#
+# Encode the OIDs
+#
+my @encoded_oids = ();
+
+for (my $i = 0; $i <= $#names; $i++) {
+ my @octets = ();
+
+ my @components = split(/[.]/, $oids[$i]);
+
+ push @octets, $components[0] * 40 + $components[1];
+
+ for (my $loop = 2; $loop <= $#components; $loop++) {
+ my $c = $components[$loop];
+
+ # Base128 encode the number
+ my $tmp = ($c == 0) ? 0 : int(log($c)/log(2));
+ $tmp = int($tmp / 7);
+
+ for (; $tmp > 0; $tmp--) {
+ push @octets, (($c >> $tmp * 7) & 0x7f) | 0x80;
+ }
+ push @octets, $c & 0x7f;
+ }
+
+ push @encoded_oids, \@octets;
+}
+
+#
+# Create a hash value for each OID
+#
+my @hash_values = ();
+for (my $i = 0; $i <= $#names; $i++) {
+ my @octets = @{$encoded_oids[$i]};
+
+ my $hash = $#octets;
+ foreach (@octets) {
+ $hash += $_ * 33;
+ }
+
+ $hash = ($hash >> 24) ^ ($hash >> 16) ^ ($hash >> 8) ^ ($hash);
+
+ push @hash_values, $hash & 0xff;
+}
+
+#
+# Emit the OID data
+#
+print C_FILE "\n";
+print C_FILE "static const unsigned char oid_data[", $total_length, "] = {\n";
+for (my $i = 0; $i <= $#names; $i++) {
+ my @octets = @{$encoded_oids[$i]};
+ print C_FILE "\t";
+ print C_FILE $_, ", " foreach (@octets);
+ print C_FILE "\t// ", $names[$i];
+ print C_FILE "\n";
+}
+print C_FILE "};\n";
+
+#
+# Build the search index table (ordered by length then hash then content)
+#
+my @index_table = ( 0 .. $#names );
+
+@index_table = sort {
+ my @octets_a = @{$encoded_oids[$a]};
+ my @octets_b = @{$encoded_oids[$b]};
+
+ return $hash_values[$a] <=> $hash_values[$b]
+ if ($hash_values[$a] != $hash_values[$b]);
+ return $#octets_a <=> $#octets_b
+ if ($#octets_a != $#octets_b);
+ for (my $i = $#octets_a; $i >= 0; $i--) {
+ return $octets_a[$i] <=> $octets_b[$i]
+ if ($octets_a[$i] != $octets_b[$i]);
+ }
+ return 0;
+
+} @index_table;
+
+#
+# Emit the search index and hash value table
+#
+print C_FILE "\n";
+print C_FILE "static const struct {\n";
+print C_FILE "\tunsigned char hash;\n";
+if ($#names <= 255) {
+ print C_FILE "\tenum OID oid : 8;\n";
+} else {
+ print C_FILE "\tenum OID oid : 16;\n";
+}
+print C_FILE "} oid_search_table[OID__NR] = {\n";
+for (my $i = 0; $i <= $#names; $i++) {
+ my @octets = @{$encoded_oids[$index_table[$i]]};
+ printf(C_FILE "\t[%3u] = { %3u, OID_%-35s }, // ",
+ $i,
+ $hash_values[$index_table[$i]],
+ $names[$index_table[$i]]);
+ printf C_FILE "%02x", $_ foreach (@octets);
+ print C_FILE "\n";
+}
+print C_FILE "};\n";
+
+#
+# Emit the OID debugging name table
+#
+#print C_FILE "\n";
+#print C_FILE "const char *const oid_name_table[OID__NR + 1] = {\n";
+#
+#for (my $i = 0; $i <= $#names; $i++) {
+# print C_FILE "\t\"", $names[$i], "\",\n"
+#}
+#print C_FILE "\t\"Unknown-OID\"\n";
+#print C_FILE "};\n";
+
+#
+# Polish off
+#
+close C_FILE or die;
diff --git a/lib/oid_registry.c b/lib/oid_registry.c
new file mode 100644
index 000000000000..03cd909bb3a9
--- /dev/null
+++ b/lib/oid_registry.c
@@ -0,0 +1,178 @@
+/* ASN.1 Object identifier (OID) registry
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells@redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#include <linux/compat.h>
+#include <linux/oid_registry.h>
+#include <linux/kernel.h>
+#include <linux/errno.h>
+#include <linux/bug.h>
+#include "oid_registry_data.c"
+
+MODULE_DESCRIPTION("OID Registry");
+MODULE_AUTHOR("Red Hat, Inc.");
+MODULE_LICENSE("GPL");
+
+/**
+ * look_up_OID - Find an OID registration for the specified data
+ * @data: Binary representation of the OID
+ * @datasize: Size of the binary representation
+ */
+enum OID look_up_OID(const void *data, size_t datasize)
+{
+ const unsigned char *octets = data;
+ enum OID oid;
+ unsigned char xhash;
+ unsigned i, j, k, hash;
+ size_t len;
+
+ /* Hash the OID data */
+ hash = datasize - 1;
+
+ for (i = 0; i < datasize; i++)
+ hash += octets[i] * 33;
+ hash = (hash >> 24) ^ (hash >> 16) ^ (hash >> 8) ^ hash;
+ hash &= 0xff;
+
+ /* Binary search the OID registry. OIDs are stored in ascending order
+ * of hash value then ascending order of size and then in ascending
+ * order of reverse value.
+ */
+ i = 0;
+ k = OID__NR;
+ while (i < k) {
+ j = (i + k) / 2;
+
+ xhash = oid_search_table[j].hash;
+ if (xhash > hash) {
+ k = j;
+ continue;
+ }
+ if (xhash < hash) {
+ i = j + 1;
+ continue;
+ }
+
+ oid = oid_search_table[j].oid;
+ len = oid_index[oid + 1] - oid_index[oid];
+ if (len > datasize) {
+ k = j;
+ continue;
+ }
+ if (len < datasize) {
+ i = j + 1;
+ continue;
+ }
+
+ /* Variation is most likely to be@the tail end of the
+ * OID, so do the comparison in reverse.
+ */
+ while (len > 0) {
+ unsigned char a = oid_data[oid_index[oid] + --len];
+ unsigned char b = octets[len];
+ if (a > b) {
+ k = j;
+ goto next;
+ }
+ if (a < b) {
+ i = j + 1;
+ goto next;
+ }
+ }
+ return oid;
+ next:
+ ;
+ }
+
+ return OID__NR;
+}
+EXPORT_SYMBOL_GPL(look_up_OID);
+
+/*
+ * sprint_OID - Print an Object Identifier into a buffer
+ * @data: The encoded OID to print
+ * @datasize: The size of the encoded OID
+ * @buffer: The buffer to render into
+ * @bufsize: The size of the buffer
+ *
+ * The OID is rendered into the buffer in "a.b.c.d" format and the number of
+ * bytes is returned. -EBADMSG is returned if the data could not be intepreted
+ * and -ENOBUFS if the buffer was too small.
+ */
+int sprint_oid(const void *data, size_t datasize, char *buffer, size_t bufsize)
+{
+ const unsigned char *v = data, *end = v + datasize;
+ unsigned long num;
+ unsigned char n;
+ size_t ret;
+ int count;
+
+ if (v >= end)
+ goto bad;
+
+ n = *v++;
+ ret = count = snprintf(buffer, bufsize, "%u.%u", n / 40, n % 40);
+ if (count >= bufsize)
+ return -ENOBUFS;
+ buffer += count;
+ bufsize -= count;
+
+ while (v < end) {
+ num = 0;
+ n = *v++;
+ if (!(n & 0x80)) {
+ num = n;
+ } else {
+ num = n & 0x7f;
+ do {
+ if (v >= end)
+ goto bad;
+ n = *v++;
+ num <<= 7;
+ num |= n & 0x7f;
+ } while (n & 0x80);
+ }
+ ret += count = snprintf(buffer, bufsize, ".%lu", num);
+ if (count >= bufsize)
+ return -ENOBUFS;
+ buffer += count;
+ bufsize -= count;
+ }
+
+ return ret;
+
+bad:
+ snprintf(buffer, bufsize, "(bad)");
+ return -EBADMSG;
+}
+EXPORT_SYMBOL_GPL(sprint_oid);
+
+/**
+ * sprint_OID - Print an Object Identifier into a buffer
+ * @oid: The OID to print
+ * @buffer: The buffer to render into
+ * @bufsize: The size of the buffer
+ *
+ * The OID is rendered into the buffer in "a.b.c.d" format and the number of
+ * bytes is returned.
+ */
+int sprint_OID(enum OID oid, char *buffer, size_t bufsize)
+{
+ int ret;
+
+ BUG_ON(oid >= OID__NR);
+
+ ret = sprint_oid(oid_data + oid_index[oid],
+ oid_index[oid + 1] - oid_index[oid],
+ buffer, bufsize);
+ BUG_ON(ret == -EBADMSG);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(sprint_OID);
--
2.21.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [U-Boot] [RFC 5/9] lib: crypto: add public key utility
2019-09-03 5:42 [U-Boot] [RFC 0/9] import x509/pkcs7 parsers from linux AKASHI Takahiro
` (3 preceding siblings ...)
2019-09-03 5:42 ` [U-Boot] [RFC 4/9] lib: add oid registry utility AKASHI Takahiro
@ 2019-09-03 5:42 ` AKASHI Takahiro
2019-09-03 5:42 ` [U-Boot] [RFC 6/9] lib: crypto: add public_key_verify_signature() AKASHI Takahiro
` (4 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: AKASHI Takahiro @ 2019-09-03 5:42 UTC (permalink / raw)
To: u-boot
Imported from linux kernel v5.0.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
include/crypto/public_key.h | 89 +++++
include/keys/asymmetric-type.h | 92 +++++
lib/crypto/Kconfig | 19 +
lib/crypto/Makefile | 10 +
lib/crypto/asymmetric_type.c | 655 +++++++++++++++++++++++++++++++++
lib/crypto/public_key.c | 344 +++++++++++++++++
6 files changed, 1209 insertions(+)
create mode 100644 include/crypto/public_key.h
create mode 100644 include/keys/asymmetric-type.h
create mode 100644 lib/crypto/Kconfig
create mode 100644 lib/crypto/Makefile
create mode 100644 lib/crypto/asymmetric_type.c
create mode 100644 lib/crypto/public_key.c
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
new file mode 100644
index 000000000000..91b1f2615294
--- /dev/null
+++ b/include/crypto/public_key.h
@@ -0,0 +1,89 @@
+/* Asymmetric public-key algorithm definitions
+ *
+ * See Documentation/crypto/asymmetric-keys.txt
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#ifndef _LINUX_PUBLIC_KEY_H
+#define _LINUX_PUBLIC_KEY_H
+
+#ifndef __UBOOT__
+#include <linux/keyctl.h>
+#endif
+#include <linux/types.h>
+
+/*
+ * Cryptographic data for the public-key subtype of the asymmetric key type.
+ *
+ * Note that this may include private part of the key as well as the public
+ * part.
+ */
+struct public_key {
+ void *key;
+ u32 keylen;
+ bool key_is_private;
+ const char *id_type;
+ const char *pkey_algo;
+};
+
+extern void public_key_free(struct public_key *key);
+
+/*
+ * Public key cryptography signature data
+ */
+struct public_key_signature {
+ struct asymmetric_key_id *auth_ids[2];
+ u8 *s; /* Signature */
+ u32 s_size; /* Number of bytes in signature */
+ u8 *digest;
+ u8 digest_size; /* Number of bytes in digest */
+ const char *pkey_algo;
+ const char *hash_algo;
+ const char *encoding;
+};
+
+extern void public_key_signature_free(struct public_key_signature *sig);
+
+#ifndef __UBOOT__
+extern struct asymmetric_key_subtype public_key_subtype;
+
+struct key;
+struct key_type;
+union key_payload;
+
+extern int restrict_link_by_signature(struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *trust_keyring);
+
+extern int restrict_link_by_key_or_keyring(struct key *dest_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *trusted);
+
+extern int restrict_link_by_key_or_keyring_chain(struct key *trust_keyring,
+ const struct key_type *type,
+ const union key_payload *payload,
+ struct key *trusted);
+
+extern int query_asymmetric_key(const struct kernel_pkey_params *,
+ struct kernel_pkey_query *);
+
+extern int encrypt_blob(struct kernel_pkey_params *, const void *, void *);
+extern int decrypt_blob(struct kernel_pkey_params *, const void *, void *);
+extern int create_signature(struct kernel_pkey_params *, const void *, void *);
+extern int verify_signature(const struct key *,
+ const struct public_key_signature *);
+
+int public_key_verify_signature(const struct public_key *pkey,
+ const struct public_key_signature *sig);
+#endif /* !__UBOOT__ */
+
+#endif /* _LINUX_PUBLIC_KEY_H */
diff --git a/include/keys/asymmetric-type.h b/include/keys/asymmetric-type.h
new file mode 100644
index 000000000000..ac34780cd6a4
--- /dev/null
+++ b/include/keys/asymmetric-type.h
@@ -0,0 +1,92 @@
+/* Asymmetric Public-key cryptography key type interface
+ *
+ * See Documentation/crypto/asymmetric-keys.txt
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#ifndef _KEYS_ASYMMETRIC_TYPE_H
+#define _KEYS_ASYMMETRIC_TYPE_H
+
+#ifndef __UBOOT__
+#include <linux/key-type.h>
+#include <linux/verification.h>
+
+extern struct key_type key_type_asymmetric;
+
+/*
+ * The key payload is four words. The asymmetric-type key uses them as
+ * follows:
+ */
+enum asymmetric_payload_bits {
+ asym_crypto, /* The data representing the key */
+ asym_subtype, /* Pointer to an asymmetric_key_subtype struct */
+ asym_key_ids, /* Pointer to an asymmetric_key_ids struct */
+ asym_auth /* The key's authorisation (signature, parent key ID) */
+};
+#endif /* !__UBOOT__ */
+
+/*
+ * Identifiers for an asymmetric key ID. We have three ways of looking up a
+ * key derived from an X.509 certificate:
+ *
+ * (1) Serial Number & Issuer. Non-optional. This is the only valid way to
+ * map a PKCS#7 signature to an X.509 certificate.
+ *
+ * (2) Issuer & Subject Unique IDs. Optional. These were the original way to
+ * match X.509 certificates, but have fallen into disuse in favour of (3).
+ *
+ * (3) Auth & Subject Key Identifiers. Optional. SKIDs are only provided on
+ * CA keys that are intended to sign other keys, so don't appear in end
+ * user certificates unless forced.
+ *
+ * We could also support an PGP key identifier, which is just a SHA1 sum of the
+ * public key and certain parameters, but since we don't support PGP keys at
+ * the moment, we shall ignore those.
+ *
+ * What we actually do is provide a place where binary identifiers can be
+ * stashed and then compare against them when checking for an id match.
+ */
+struct asymmetric_key_id {
+ unsigned short len;
+ unsigned char data[];
+};
+
+struct asymmetric_key_ids {
+ void *id[2];
+};
+
+extern bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1,
+ const struct asymmetric_key_id *kid2);
+
+extern bool asymmetric_key_id_partial(const struct asymmetric_key_id *kid1,
+ const struct asymmetric_key_id *kid2);
+
+extern struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1,
+ size_t len_1,
+ const void *val_2,
+ size_t len_2);
+#ifndef __UBOOT__
+static inline
+const struct asymmetric_key_ids *asymmetric_key_ids(const struct key *key)
+{
+ return key->payload.data[asym_key_ids];
+}
+
+extern struct key *find_asymmetric_key(struct key *keyring,
+ const struct asymmetric_key_id *id_0,
+ const struct asymmetric_key_id *id_1,
+ bool partial);
+#endif
+
+/*
+ * The payload is at the discretion of the subtype.
+ */
+
+#endif /* _KEYS_ASYMMETRIC_TYPE_H */
diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
new file mode 100644
index 000000000000..b8e8288d2f80
--- /dev/null
+++ b/lib/crypto/Kconfig
@@ -0,0 +1,19 @@
+menuconfig ASYMMETRIC_KEY_TYPE
+ bool "Asymmetric (public-key cryptographic) key Support"
+ help
+ This option provides support for a key type that holds the data for
+ the asymmetric keys used for public key cryptographic operations such
+ as encryption, decryption, signature generation and signature
+ verification.
+
+if ASYMMETRIC_KEY_TYPE
+
+config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ bool "Asymmetric public-key crypto algorithm subtype"
+ help
+ This option provides support for asymmetric public key type handling.
+ If signature generation and/or verification are to be used,
+ appropriate hash algorithms (such as SHA-1) must be available.
+ ENOPKG will be reported if the requisite algorithm is unavailable.
+
+endif # ASYMMETRIC_KEY_TYPE
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
new file mode 100644
index 000000000000..a284de9e0411
--- /dev/null
+++ b/lib/crypto/Makefile
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: GPL-2.0+
+#
+# Makefile for asymmetric cryptographic keys
+#
+
+obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
+
+asymmetric_keys-y := asymmetric_type.o
+
+obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
diff --git a/lib/crypto/asymmetric_type.c b/lib/crypto/asymmetric_type.c
new file mode 100644
index 000000000000..905e8b490133
--- /dev/null
+++ b/lib/crypto/asymmetric_type.c
@@ -0,0 +1,655 @@
+/* Asymmetric public-key cryptography key type
+ *
+ * See Documentation/crypto/asymmetric-keys.txt
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+#include <crypto/public_key.h>
+#include <linux/compat.h>
+#include <linux/ctype.h>
+#include <linux/string.h>
+#include <keys/asymmetric-type.h>
+
+MODULE_LICENSE("GPL");
+
+#ifndef __UBOOT__
+const char *const key_being_used_for[NR__KEY_BEING_USED_FOR] = {
+ [VERIFYING_MODULE_SIGNATURE] = "mod sig",
+ [VERIFYING_FIRMWARE_SIGNATURE] = "firmware sig",
+ [VERIFYING_KEXEC_PE_SIGNATURE] = "kexec PE sig",
+ [VERIFYING_KEY_SIGNATURE] = "key sig",
+ [VERIFYING_KEY_SELF_SIGNATURE] = "key self sig",
+ [VERIFYING_UNSPECIFIED_SIGNATURE] = "unspec sig",
+};
+EXPORT_SYMBOL_GPL(key_being_used_for);
+
+static LIST_HEAD(asymmetric_key_parsers);
+static DECLARE_RWSEM(asymmetric_key_parsers_sem);
+
+/**
+ * find_asymmetric_key - Find a key by ID.
+ * @keyring: The keys to search.
+ * @id_0: The first ID to look for or NULL.
+ * @id_1: The second ID to look for or NULL.
+ * @partial: Use partial match if true, exact if false.
+ *
+ * Find a key in the given keyring by identifier. The preferred identifier is
+ * the id_0 and the fallback identifier is the id_1. If both are given, the
+ * lookup is by the former, but the latter must also match.
+ */
+struct key *find_asymmetric_key(struct key *keyring,
+ const struct asymmetric_key_id *id_0,
+ const struct asymmetric_key_id *id_1,
+ bool partial)
+{
+ struct key *key;
+ key_ref_t ref;
+ const char *lookup;
+ char *req, *p;
+ int len;
+
+ BUG_ON(!id_0 && !id_1);
+
+ if (id_0) {
+ lookup = id_0->data;
+ len = id_0->len;
+ } else {
+ lookup = id_1->data;
+ len = id_1->len;
+ }
+
+ /* Construct an identifier "id:<keyid>". */
+ p = req = kmalloc(2 + 1 + len * 2 + 1, GFP_KERNEL);
+ if (!req)
+ return ERR_PTR(-ENOMEM);
+
+ if (partial) {
+ *p++ = 'i';
+ *p++ = 'd';
+ } else {
+ *p++ = 'e';
+ *p++ = 'x';
+ }
+ *p++ = ':';
+ p = bin2hex(p, lookup, len);
+ *p = 0;
+
+ pr_debug("Look up: \"%s\"\n", req);
+
+ ref = keyring_search(make_key_ref(keyring, 1),
+ &key_type_asymmetric, req);
+ if (IS_ERR(ref))
+ pr_debug("Request for key '%s' err %ld\n", req, PTR_ERR(ref));
+ kfree(req);
+
+ if (IS_ERR(ref)) {
+ switch (PTR_ERR(ref)) {
+ /* Hide some search errors */
+ case -EACCES:
+ case -ENOTDIR:
+ case -EAGAIN:
+ return ERR_PTR(-ENOKEY);
+ default:
+ return ERR_CAST(ref);
+ }
+ }
+
+ key = key_ref_to_ptr(ref);
+ if (id_0 && id_1) {
+ const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
+
+ if (!kids->id[1]) {
+ pr_debug("First ID matches, but second is missing\n");
+ goto reject;
+ }
+ if (!asymmetric_key_id_same(id_1, kids->id[1])) {
+ pr_debug("First ID matches, but second does not\n");
+ goto reject;
+ }
+ }
+
+ pr_devel("<==%s() = 0 [%x]\n", __func__, key_serial(key));
+ return key;
+
+reject:
+ key_put(key);
+ return ERR_PTR(-EKEYREJECTED);
+}
+EXPORT_SYMBOL_GPL(find_asymmetric_key);
+#endif /* !__UBOOT__ */
+
+/**
+ * asymmetric_key_generate_id: Construct an asymmetric key ID
+ * @val_1: First binary blob
+ * @len_1: Length of first binary blob
+ * @val_2: Second binary blob
+ * @len_2: Length of second binary blob
+ *
+ * Construct an asymmetric key ID from a pair of binary blobs.
+ */
+struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1,
+ size_t len_1,
+ const void *val_2,
+ size_t len_2)
+{
+ struct asymmetric_key_id *kid;
+
+ kid = kmalloc(sizeof(struct asymmetric_key_id) + len_1 + len_2,
+ GFP_KERNEL);
+ if (!kid)
+ return ERR_PTR(-ENOMEM);
+ kid->len = len_1 + len_2;
+ memcpy(kid->data, val_1, len_1);
+ memcpy(kid->data + len_1, val_2, len_2);
+ return kid;
+}
+EXPORT_SYMBOL_GPL(asymmetric_key_generate_id);
+
+/**
+ * asymmetric_key_id_same - Return true if two asymmetric keys IDs are the same.
+ * @kid_1, @kid_2: The key IDs to compare
+ */
+bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1,
+ const struct asymmetric_key_id *kid2)
+{
+ if (!kid1 || !kid2)
+ return false;
+ if (kid1->len != kid2->len)
+ return false;
+ return memcmp(kid1->data, kid2->data, kid1->len) == 0;
+}
+EXPORT_SYMBOL_GPL(asymmetric_key_id_same);
+
+/**
+ * asymmetric_key_id_partial - Return true if two asymmetric keys IDs
+ * partially match
+ * @kid_1, @kid_2: The key IDs to compare
+ */
+bool asymmetric_key_id_partial(const struct asymmetric_key_id *kid1,
+ const struct asymmetric_key_id *kid2)
+{
+ if (!kid1 || !kid2)
+ return false;
+ if (kid1->len < kid2->len)
+ return false;
+ return memcmp(kid1->data + (kid1->len - kid2->len),
+ kid2->data, kid2->len) == 0;
+}
+EXPORT_SYMBOL_GPL(asymmetric_key_id_partial);
+
+#ifndef __UBOOT__
+/**
+ * asymmetric_match_key_ids - Search asymmetric key IDs
+ * @kids: The list of key IDs to check
+ * @match_id: The key ID we're looking for
+ * @match: The match function to use
+ */
+static bool asymmetric_match_key_ids(
+ const struct asymmetric_key_ids *kids,
+ const struct asymmetric_key_id *match_id,
+ bool (*match)(const struct asymmetric_key_id *kid1,
+ const struct asymmetric_key_id *kid2))
+{
+ int i;
+
+ if (!kids || !match_id)
+ return false;
+ for (i = 0; i < ARRAY_SIZE(kids->id); i++)
+ if (match(kids->id[i], match_id))
+ return true;
+ return false;
+}
+
+/* helper function can be called directly with pre-allocated memory */
+inline int __asymmetric_key_hex_to_key_id(const char *id,
+ struct asymmetric_key_id *match_id,
+ size_t hexlen)
+{
+ match_id->len = hexlen;
+ return hex2bin(match_id->data, id, hexlen);
+}
+
+/**
+ * asymmetric_key_hex_to_key_id - Convert a hex string into a key ID.
+ * @id: The ID as a hex string.
+ */
+struct asymmetric_key_id *asymmetric_key_hex_to_key_id(const char *id)
+{
+ struct asymmetric_key_id *match_id;
+ size_t asciihexlen;
+ int ret;
+
+ if (!*id)
+ return ERR_PTR(-EINVAL);
+ asciihexlen = strlen(id);
+ if (asciihexlen & 1)
+ return ERR_PTR(-EINVAL);
+
+ match_id = kmalloc(sizeof(struct asymmetric_key_id) + asciihexlen / 2,
+ GFP_KERNEL);
+ if (!match_id)
+ return ERR_PTR(-ENOMEM);
+ ret = __asymmetric_key_hex_to_key_id(id, match_id, asciihexlen / 2);
+ if (ret < 0) {
+ kfree(match_id);
+ return ERR_PTR(-EINVAL);
+ }
+ return match_id;
+}
+
+/*
+ * Match asymmetric keys by an exact match on an ID.
+ */
+static bool asymmetric_key_cmp(const struct key *key,
+ const struct key_match_data *match_data)
+{
+ const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
+ const struct asymmetric_key_id *match_id = match_data->preparsed;
+
+ return asymmetric_match_key_ids(kids, match_id,
+ asymmetric_key_id_same);
+}
+
+/*
+ * Match asymmetric keys by a partial match on an IDs.
+ */
+static bool asymmetric_key_cmp_partial(const struct key *key,
+ const struct key_match_data *match_data)
+{
+ const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
+ const struct asymmetric_key_id *match_id = match_data->preparsed;
+
+ return asymmetric_match_key_ids(kids, match_id,
+ asymmetric_key_id_partial);
+}
+
+/*
+ * Preparse the match criterion. If we don't set lookup_type and cmp,
+ * the default will be an exact match on the key description.
+ *
+ * There are some specifiers for matching key IDs rather than by the key
+ * description:
+ *
+ * "id:<id>" - find a key by partial match on any available ID
+ * "ex:<id>" - find a key by exact match on any available ID
+ *
+ * These have to be searched by iteration rather than by direct lookup because
+ * the key is hashed according to its description.
+ */
+static int asymmetric_key_match_preparse(struct key_match_data *match_data)
+{
+ struct asymmetric_key_id *match_id;
+ const char *spec = match_data->raw_data;
+ const char *id;
+ bool (*cmp)(const struct key *, const struct key_match_data *) =
+ asymmetric_key_cmp;
+
+ if (!spec || !*spec)
+ return -EINVAL;
+ if (spec[0] == 'i' &&
+ spec[1] == 'd' &&
+ spec[2] == ':') {
+ id = spec + 3;
+ cmp = asymmetric_key_cmp_partial;
+ } else if (spec[0] == 'e' &&
+ spec[1] == 'x' &&
+ spec[2] == ':') {
+ id = spec + 3;
+ } else {
+ goto default_match;
+ }
+
+ match_id = asymmetric_key_hex_to_key_id(id);
+ if (IS_ERR(match_id))
+ return PTR_ERR(match_id);
+
+ match_data->preparsed = match_id;
+ match_data->cmp = cmp;
+ match_data->lookup_type = KEYRING_SEARCH_LOOKUP_ITERATE;
+ return 0;
+
+default_match:
+ return 0;
+}
+
+/*
+ * Free the preparsed the match criterion.
+ */
+static void asymmetric_key_match_free(struct key_match_data *match_data)
+{
+ kfree(match_data->preparsed);
+}
+
+/*
+ * Describe the asymmetric key
+ */
+static void asymmetric_key_describe(const struct key *key, struct seq_file *m)
+{
+ const struct asymmetric_key_subtype *subtype = asymmetric_key_subtype(key);
+ const struct asymmetric_key_ids *kids = asymmetric_key_ids(key);
+ const struct asymmetric_key_id *kid;
+ const unsigned char *p;
+ int n;
+
+ seq_puts(m, key->description);
+
+ if (subtype) {
+ seq_puts(m, ": ");
+ subtype->describe(key, m);
+
+ if (kids && kids->id[1]) {
+ kid = kids->id[1];
+ seq_putc(m, ' ');
+ n = kid->len;
+ p = kid->data;
+ if (n > 4) {
+ p += n - 4;
+ n = 4;
+ }
+ seq_printf(m, "%*phN", n, p);
+ }
+
+ seq_puts(m, " [");
+ /* put something here to indicate the key's capabilities */
+ seq_putc(m, ']');
+ }
+}
+
+/*
+ * Preparse a asymmetric payload to get format the contents appropriately for the
+ * internal payload to cut down on the number of scans of the data performed.
+ *
+ * We also generate a proposed description from the contents of the key that
+ * can be used to name the key if the user doesn't want to provide one.
+ */
+static int asymmetric_key_preparse(struct key_preparsed_payload *prep)
+{
+ struct asymmetric_key_parser *parser;
+ int ret;
+
+ pr_devel("==>%s()\n", __func__);
+
+ if (prep->datalen == 0)
+ return -EINVAL;
+
+ down_read(&asymmetric_key_parsers_sem);
+
+ ret = -EBADMSG;
+ list_for_each_entry(parser, &asymmetric_key_parsers, link) {
+ pr_debug("Trying parser '%s'\n", parser->name);
+
+ ret = parser->parse(prep);
+ if (ret != -EBADMSG) {
+ pr_debug("Parser recognised the format (ret %d)\n",
+ ret);
+ break;
+ }
+ }
+
+ up_read(&asymmetric_key_parsers_sem);
+ pr_devel("<==%s() = %d\n", __func__, ret);
+ return ret;
+}
+
+/*
+ * Clean up the key ID list
+ */
+static void asymmetric_key_free_kids(struct asymmetric_key_ids *kids)
+{
+ int i;
+
+ if (kids) {
+ for (i = 0; i < ARRAY_SIZE(kids->id); i++)
+ kfree(kids->id[i]);
+ kfree(kids);
+ }
+}
+
+/*
+ * Clean up the preparse data
+ */
+static void asymmetric_key_free_preparse(struct key_preparsed_payload *prep)
+{
+ struct asymmetric_key_subtype *subtype = prep->payload.data[asym_subtype];
+ struct asymmetric_key_ids *kids = prep->payload.data[asym_key_ids];
+
+ pr_devel("==>%s()\n", __func__);
+
+ if (subtype) {
+ subtype->destroy(prep->payload.data[asym_crypto],
+ prep->payload.data[asym_auth]);
+ module_put(subtype->owner);
+ }
+ asymmetric_key_free_kids(kids);
+ kfree(prep->description);
+}
+
+/*
+ * dispose of the data dangling from the corpse of a asymmetric key
+ */
+static void asymmetric_key_destroy(struct key *key)
+{
+ struct asymmetric_key_subtype *subtype = asymmetric_key_subtype(key);
+ struct asymmetric_key_ids *kids = key->payload.data[asym_key_ids];
+ void *data = key->payload.data[asym_crypto];
+ void *auth = key->payload.data[asym_auth];
+
+ key->payload.data[asym_crypto] = NULL;
+ key->payload.data[asym_subtype] = NULL;
+ key->payload.data[asym_key_ids] = NULL;
+ key->payload.data[asym_auth] = NULL;
+
+ if (subtype) {
+ subtype->destroy(data, auth);
+ module_put(subtype->owner);
+ }
+
+ asymmetric_key_free_kids(kids);
+}
+
+static struct key_restriction *asymmetric_restriction_alloc(
+ key_restrict_link_func_t check,
+ struct key *key)
+{
+ struct key_restriction *keyres =
+ kzalloc(sizeof(struct key_restriction), GFP_KERNEL);
+
+ if (!keyres)
+ return ERR_PTR(-ENOMEM);
+
+ keyres->check = check;
+ keyres->key = key;
+ keyres->keytype = &key_type_asymmetric;
+
+ return keyres;
+}
+
+/*
+ * look up keyring restrict functions for asymmetric keys
+ */
+static struct key_restriction *asymmetric_lookup_restriction(
+ const char *restriction)
+{
+ char *restrict_method;
+ char *parse_buf;
+ char *next;
+ struct key_restriction *ret = ERR_PTR(-EINVAL);
+
+ if (strcmp("builtin_trusted", restriction) == 0)
+ return asymmetric_restriction_alloc(
+ restrict_link_by_builtin_trusted, NULL);
+
+ if (strcmp("builtin_and_secondary_trusted", restriction) == 0)
+ return asymmetric_restriction_alloc(
+ restrict_link_by_builtin_and_secondary_trusted, NULL);
+
+ parse_buf = kstrndup(restriction, PAGE_SIZE, GFP_KERNEL);
+ if (!parse_buf)
+ return ERR_PTR(-ENOMEM);
+
+ next = parse_buf;
+ restrict_method = strsep(&next, ":");
+
+ if ((strcmp(restrict_method, "key_or_keyring") == 0) && next) {
+ char *key_text;
+ key_serial_t serial;
+ struct key *key;
+ key_restrict_link_func_t link_fn =
+ restrict_link_by_key_or_keyring;
+ bool allow_null_key = false;
+
+ key_text = strsep(&next, ":");
+
+ if (next) {
+ if (strcmp(next, "chain") != 0)
+ goto out;
+
+ link_fn = restrict_link_by_key_or_keyring_chain;
+ allow_null_key = true;
+ }
+
+ if (kstrtos32(key_text, 0, &serial) < 0)
+ goto out;
+
+ if ((serial == 0) && allow_null_key) {
+ key = NULL;
+ } else {
+ key = key_lookup(serial);
+ if (IS_ERR(key)) {
+ ret = ERR_CAST(key);
+ goto out;
+ }
+ }
+
+ ret = asymmetric_restriction_alloc(link_fn, key);
+ if (IS_ERR(ret))
+ key_put(key);
+ }
+
+out:
+ kfree(parse_buf);
+ return ret;
+}
+
+int asymmetric_key_eds_op(struct kernel_pkey_params *params,
+ const void *in, void *out)
+{
+ const struct asymmetric_key_subtype *subtype;
+ struct key *key = params->key;
+ int ret;
+
+ pr_devel("==>%s()\n", __func__);
+
+ if (key->type != &key_type_asymmetric)
+ return -EINVAL;
+ subtype = asymmetric_key_subtype(key);
+ if (!subtype ||
+ !key->payload.data[0])
+ return -EINVAL;
+ if (!subtype->eds_op)
+ return -ENOTSUPP;
+
+ ret = subtype->eds_op(params, in, out);
+
+ pr_devel("<==%s() = %d\n", __func__, ret);
+ return ret;
+}
+
+static int asymmetric_key_verify_signature(struct kernel_pkey_params *params,
+ const void *in, const void *in2)
+{
+ struct public_key_signature sig = {
+ .s_size = params->in2_len,
+ .digest_size = params->in_len,
+ .encoding = params->encoding,
+ .hash_algo = params->hash_algo,
+ .digest = (void *)in,
+ .s = (void *)in2,
+ };
+
+ return verify_signature(params->key, &sig);
+}
+
+struct key_type key_type_asymmetric = {
+ .name = "asymmetric",
+ .preparse = asymmetric_key_preparse,
+ .free_preparse = asymmetric_key_free_preparse,
+ .instantiate = generic_key_instantiate,
+ .match_preparse = asymmetric_key_match_preparse,
+ .match_free = asymmetric_key_match_free,
+ .destroy = asymmetric_key_destroy,
+ .describe = asymmetric_key_describe,
+ .lookup_restriction = asymmetric_lookup_restriction,
+ .asym_query = query_asymmetric_key,
+ .asym_eds_op = asymmetric_key_eds_op,
+ .asym_verify_signature = asymmetric_key_verify_signature,
+};
+EXPORT_SYMBOL_GPL(key_type_asymmetric);
+
+/**
+ * register_asymmetric_key_parser - Register a asymmetric key blob parser
+ * @parser: The parser to register
+ */
+int register_asymmetric_key_parser(struct asymmetric_key_parser *parser)
+{
+ struct asymmetric_key_parser *cursor;
+ int ret;
+
+ down_write(&asymmetric_key_parsers_sem);
+
+ list_for_each_entry(cursor, &asymmetric_key_parsers, link) {
+ if (strcmp(cursor->name, parser->name) == 0) {
+ pr_err("Asymmetric key parser '%s' already registered\n",
+ parser->name);
+ ret = -EEXIST;
+ goto out;
+ }
+ }
+
+ list_add_tail(&parser->link, &asymmetric_key_parsers);
+
+ pr_notice("Asymmetric key parser '%s' registered\n", parser->name);
+ ret = 0;
+
+out:
+ up_write(&asymmetric_key_parsers_sem);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(register_asymmetric_key_parser);
+
+/**
+ * unregister_asymmetric_key_parser - Unregister a asymmetric key blob parser
+ * @parser: The parser to unregister
+ */
+void unregister_asymmetric_key_parser(struct asymmetric_key_parser *parser)
+{
+ down_write(&asymmetric_key_parsers_sem);
+ list_del(&parser->link);
+ up_write(&asymmetric_key_parsers_sem);
+
+ pr_notice("Asymmetric key parser '%s' unregistered\n", parser->name);
+}
+EXPORT_SYMBOL_GPL(unregister_asymmetric_key_parser);
+
+/*
+ * Module stuff
+ */
+static int __init asymmetric_key_init(void)
+{
+ return register_key_type(&key_type_asymmetric);
+}
+
+static void __exit asymmetric_key_cleanup(void)
+{
+ unregister_key_type(&key_type_asymmetric);
+}
+
+module_init(asymmetric_key_init);
+module_exit(asymmetric_key_cleanup);
+#endif /* !__UBOOT__ */
diff --git a/lib/crypto/public_key.c b/lib/crypto/public_key.c
new file mode 100644
index 000000000000..c48f777b06b4
--- /dev/null
+++ b/lib/crypto/public_key.c
@@ -0,0 +1,344 @@
+/* In-software asymmetric public-key crypto subtype
+ *
+ * See Documentation/crypto/asymmetric-keys.txt
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#define pr_fmt(fmt) "PKEY: "fmt
+#include <linux/compat.h>
+#include <linux/kernel.h>
+#include <crypto/public_key.h>
+
+MODULE_DESCRIPTION("In-software asymmetric public-key subtype");
+MODULE_AUTHOR("Red Hat, Inc.");
+MODULE_LICENSE("GPL");
+
+#ifndef __UBOOT__
+/*
+ * Provide a part of a description of the key for /proc/keys.
+ */
+static void public_key_describe(const struct key *asymmetric_key,
+ struct seq_file *m)
+{
+ struct public_key *key = asymmetric_key->payload.data[asym_crypto];
+
+ if (key)
+ seq_printf(m, "%s.%s", key->id_type, key->pkey_algo);
+}
+#endif
+
+/*
+ * Destroy a public key algorithm key.
+ */
+void public_key_free(struct public_key *key)
+{
+ if (key) {
+ kfree(key->key);
+ kfree(key);
+ }
+}
+EXPORT_SYMBOL_GPL(public_key_free);
+
+/*
+ * from <linux>/crypto/asymmetric_keys/signature.c
+ *
+ * Destroy a public key signature.
+ */
+void public_key_signature_free(struct public_key_signature *sig)
+{
+ int i;
+
+ if (sig) {
+ for (i = 0; i < ARRAY_SIZE(sig->auth_ids); i++)
+ free(sig->auth_ids[i]);
+ free(sig->s);
+ free(sig->digest);
+ free(sig);
+ }
+}
+EXPORT_SYMBOL_GPL(public_key_signature_free);
+
+#ifndef __UBOOT__
+/*
+ * Destroy a public key algorithm key.
+ */
+static void public_key_destroy(void *payload0, void *payload3)
+{
+ public_key_free(payload0);
+ public_key_signature_free(payload3);
+}
+
+/*
+ * Determine the crypto algorithm name.
+ */
+static
+int software_key_determine_akcipher(const char *encoding,
+ const char *hash_algo,
+ const struct public_key *pkey,
+ char alg_name[CRYPTO_MAX_ALG_NAME])
+{
+ int n;
+
+ if (strcmp(encoding, "pkcs1") == 0) {
+ /* The data wangled by the RSA algorithm is typically padded
+ * and encoded in some manner, such as EMSA-PKCS1-1_5 [RFC3447
+ * sec 8.2].
+ */
+ if (!hash_algo)
+ n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME,
+ "pkcs1pad(%s)",
+ pkey->pkey_algo);
+ else
+ n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME,
+ "pkcs1pad(%s,%s)",
+ pkey->pkey_algo, hash_algo);
+ return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0;
+ }
+
+ if (strcmp(encoding, "raw") == 0) {
+ strcpy(alg_name, pkey->pkey_algo);
+ return 0;
+ }
+
+ return -ENOPKG;
+}
+
+/*
+ * Query information about a key.
+ */
+static int software_key_query(const struct kernel_pkey_params *params,
+ struct kernel_pkey_query *info)
+{
+ struct crypto_akcipher *tfm;
+ struct public_key *pkey = params->key->payload.data[asym_crypto];
+ char alg_name[CRYPTO_MAX_ALG_NAME];
+ int ret, len;
+
+ ret = software_key_determine_akcipher(params->encoding,
+ params->hash_algo,
+ pkey, alg_name);
+ if (ret < 0)
+ return ret;
+
+ tfm = crypto_alloc_akcipher(alg_name, 0, 0);
+ if (IS_ERR(tfm))
+ return PTR_ERR(tfm);
+
+ if (pkey->key_is_private)
+ ret = crypto_akcipher_set_priv_key(tfm,
+ pkey->key, pkey->keylen);
+ else
+ ret = crypto_akcipher_set_pub_key(tfm,
+ pkey->key, pkey->keylen);
+ if (ret < 0)
+ goto error_free_tfm;
+
+ len = crypto_akcipher_maxsize(tfm);
+ info->key_size = len * 8;
+ info->max_data_size = len;
+ info->max_sig_size = len;
+ info->max_enc_size = len;
+ info->max_dec_size = len;
+ info->supported_ops = (KEYCTL_SUPPORTS_ENCRYPT |
+ KEYCTL_SUPPORTS_VERIFY);
+ if (pkey->key_is_private)
+ info->supported_ops |= (KEYCTL_SUPPORTS_DECRYPT |
+ KEYCTL_SUPPORTS_SIGN);
+ ret = 0;
+
+error_free_tfm:
+ crypto_free_akcipher(tfm);
+ pr_devel("<==%s() = %d\n", __func__, ret);
+ return ret;
+}
+
+/*
+ * Do encryption, decryption and signing ops.
+ */
+static int software_key_eds_op(struct kernel_pkey_params *params,
+ const void *in, void *out)
+{
+ const struct public_key *pkey = params->key->payload.data[asym_crypto];
+ struct akcipher_request *req;
+ struct crypto_akcipher *tfm;
+ struct crypto_wait cwait;
+ struct scatterlist in_sg, out_sg;
+ char alg_name[CRYPTO_MAX_ALG_NAME];
+ int ret;
+
+ pr_devel("==>%s()\n", __func__);
+
+ ret = software_key_determine_akcipher(params->encoding,
+ params->hash_algo,
+ pkey, alg_name);
+ if (ret < 0)
+ return ret;
+
+ tfm = crypto_alloc_akcipher(alg_name, 0, 0);
+ if (IS_ERR(tfm))
+ return PTR_ERR(tfm);
+
+ req = akcipher_request_alloc(tfm, GFP_KERNEL);
+ if (!req)
+ goto error_free_tfm;
+
+ if (pkey->key_is_private)
+ ret = crypto_akcipher_set_priv_key(tfm,
+ pkey->key, pkey->keylen);
+ else
+ ret = crypto_akcipher_set_pub_key(tfm,
+ pkey->key, pkey->keylen);
+ if (ret)
+ goto error_free_req;
+
+ sg_init_one(&in_sg, in, params->in_len);
+ sg_init_one(&out_sg, out, params->out_len);
+ akcipher_request_set_crypt(req, &in_sg, &out_sg, params->in_len,
+ params->out_len);
+ crypto_init_wait(&cwait);
+ akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
+ CRYPTO_TFM_REQ_MAY_SLEEP,
+ crypto_req_done, &cwait);
+
+ /* Perform the encryption calculation. */
+ switch (params->op) {
+ case kernel_pkey_encrypt:
+ ret = crypto_akcipher_encrypt(req);
+ break;
+ case kernel_pkey_decrypt:
+ ret = crypto_akcipher_decrypt(req);
+ break;
+ case kernel_pkey_sign:
+ ret = crypto_akcipher_sign(req);
+ break;
+ default:
+ BUG();
+ }
+
+ ret = crypto_wait_req(ret, &cwait);
+ if (ret == 0)
+ ret = req->dst_len;
+
+error_free_req:
+ akcipher_request_free(req);
+error_free_tfm:
+ crypto_free_akcipher(tfm);
+ pr_devel("<==%s() = %d\n", __func__, ret);
+ return ret;
+}
+
+/*
+ * Verify a signature using a public key.
+ */
+int public_key_verify_signature(const struct public_key *pkey,
+ const struct public_key_signature *sig)
+{
+ struct crypto_wait cwait;
+ struct crypto_akcipher *tfm;
+ struct akcipher_request *req;
+ struct scatterlist sig_sg, digest_sg;
+ char alg_name[CRYPTO_MAX_ALG_NAME];
+ void *output;
+ unsigned int outlen;
+ int ret;
+
+ pr_devel("==>%s()\n", __func__);
+
+ BUG_ON(!pkey);
+ BUG_ON(!sig);
+ BUG_ON(!sig->s);
+
+ ret = software_key_determine_akcipher(sig->encoding,
+ sig->hash_algo,
+ pkey, alg_name);
+ if (ret < 0)
+ return ret;
+
+ tfm = crypto_alloc_akcipher(alg_name, 0, 0);
+ if (IS_ERR(tfm))
+ return PTR_ERR(tfm);
+
+ ret = -ENOMEM;
+ req = akcipher_request_alloc(tfm, GFP_KERNEL);
+ if (!req)
+ goto error_free_tfm;
+
+ if (pkey->key_is_private)
+ ret = crypto_akcipher_set_priv_key(tfm,
+ pkey->key, pkey->keylen);
+ else
+ ret = crypto_akcipher_set_pub_key(tfm,
+ pkey->key, pkey->keylen);
+ if (ret)
+ goto error_free_req;
+
+ ret = -ENOMEM;
+ outlen = crypto_akcipher_maxsize(tfm);
+ output = kmalloc(outlen, GFP_KERNEL);
+ if (!output)
+ goto error_free_req;
+
+ sg_init_one(&sig_sg, sig->s, sig->s_size);
+ sg_init_one(&digest_sg, output, outlen);
+ akcipher_request_set_crypt(req, &sig_sg, &digest_sg, sig->s_size,
+ outlen);
+ crypto_init_wait(&cwait);
+ akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
+ CRYPTO_TFM_REQ_MAY_SLEEP,
+ crypto_req_done, &cwait);
+
+ /* Perform the verification calculation. This doesn't actually do the
+ * verification, but rather calculates the hash expected by the
+ * signature and returns that to us.
+ */
+ ret = crypto_wait_req(crypto_akcipher_verify(req), &cwait);
+ if (ret)
+ goto out_free_output;
+
+ /* Do the actual verification step. */
+ if (req->dst_len != sig->digest_size ||
+ memcmp(sig->digest, output, sig->digest_size) != 0)
+ ret = -EKEYREJECTED;
+
+out_free_output:
+ kfree(output);
+error_free_req:
+ akcipher_request_free(req);
+error_free_tfm:
+ crypto_free_akcipher(tfm);
+ pr_devel("<==%s() = %d\n", __func__, ret);
+ if (WARN_ON_ONCE(ret > 0))
+ ret = -EINVAL;
+ return ret;
+}
+EXPORT_SYMBOL_GPL(public_key_verify_signature);
+
+static int public_key_verify_signature_2(const struct key *key,
+ const struct public_key_signature *sig)
+{
+ const struct public_key *pk = key->payload.data[asym_crypto];
+ return public_key_verify_signature(pk, sig);
+}
+
+/*
+ * Public key algorithm asymmetric key subtype
+ */
+struct asymmetric_key_subtype public_key_subtype = {
+ .owner = THIS_MODULE,
+ .name = "public_key",
+ .name_len = sizeof("public_key") - 1,
+ .describe = public_key_describe,
+ .destroy = public_key_destroy,
+ .query = software_key_query,
+ .eds_op = software_key_eds_op,
+ .verify_signature = public_key_verify_signature_2,
+};
+EXPORT_SYMBOL_GPL(public_key_subtype);
+#endif /* !__UBOOT__ */
--
2.21.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [U-Boot] [RFC 6/9] lib: crypto: add public_key_verify_signature()
2019-09-03 5:42 [U-Boot] [RFC 0/9] import x509/pkcs7 parsers from linux AKASHI Takahiro
` (4 preceding siblings ...)
2019-09-03 5:42 ` [U-Boot] [RFC 5/9] lib: crypto: add public key utility AKASHI Takahiro
@ 2019-09-03 5:42 ` AKASHI Takahiro
2019-09-03 5:42 ` [U-Boot] [RFC 7/9] lib: crypto: add x509 parser AKASHI Takahiro
` (3 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: AKASHI Takahiro @ 2019-09-03 5:42 UTC (permalink / raw)
To: u-boot
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
include/crypto/public_key.h | 2 +-
lib/crypto/Makefile | 2 +-
lib/crypto/public_key_local.c | 69 +++++++++++++++++++++++++++++++++++
3 files changed, 71 insertions(+), 2 deletions(-)
create mode 100644 lib/crypto/public_key_local.c
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 91b1f2615294..f361d756119d 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -81,9 +81,9 @@ extern int decrypt_blob(struct kernel_pkey_params *, const void *, void *);
extern int create_signature(struct kernel_pkey_params *, const void *, void *);
extern int verify_signature(const struct key *,
const struct public_key_signature *);
+#endif /* !__UBOOT__ */
int public_key_verify_signature(const struct public_key *pkey,
const struct public_key_signature *sig);
-#endif /* !__UBOOT__ */
#endif /* _LINUX_PUBLIC_KEY_H */
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index a284de9e0411..870d2a90b181 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -7,4 +7,4 @@ obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
asymmetric_keys-y := asymmetric_type.o
-obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
+obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o public_key_local.o
diff --git a/lib/crypto/public_key_local.c b/lib/crypto/public_key_local.c
new file mode 100644
index 000000000000..19721f319dbd
--- /dev/null
+++ b/lib/crypto/public_key_local.c
@@ -0,0 +1,69 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Public key utilities
+ *
+ * Copyright (c) 2019 AKASHI Takahiro, Linaro Limited
+ */
+
+#include <common.h>
+#include <crypto/public_key.h>
+#include <u-boot/rsa.h>
+#include <u-boot/sha256.h>
+
+/*
+ * U-Boot version of kernel's public_key_verify_signature() --
+ * Verify a signature using a public key
+ */
+int public_key_verify_signature(const struct public_key *pkey,
+ const struct public_key_signature *sig)
+{
+/*
+ * FIXME
+ * Currently, x509_check_for_self_signed() failed
+ * due to sig->digest == NULL
+ */
+#ifndef __UBOOT__
+ struct image_sign_info info;
+ struct image_region reg;
+ int ret;
+
+ memset(&info, '\0', sizeof(info));
+ /*
+ * FIXME: Algo names here are hard-coded
+ */
+ if (!strcmp(sig->encoding, "pkcs1"))
+ info.padding = image_get_padding_algo("pkcs-1.5");
+ else
+ return -ENOPKG;
+
+ /*
+ * Note: image_get_[checksum|crypto]_algo takes an string
+ * argument like "<checksum>,<crypto>"
+ */
+ if (!strcmp(sig->hash_algo, "sha256"))
+ info.checksum = image_get_checksum_algo("sha256,");
+ else
+ return -ENOPKG;
+
+ if (!strcmp(sig->pkey_algo, "rsa")) {
+ info.name = "sha256,rsa2048";
+ info.crypto = image_get_crypto_algo(info.name);
+ } else {
+ return -ENOPKG;
+ }
+
+ info.key = pkey->key;
+ info.keylen = pkey->keylen;
+
+ reg.data = sig->s;
+ reg.size = sig->s_size;
+
+ ret = rsa_verify(&info, ®, 1, sig->digest, sig->digest_size);
+ if (ret) {
+ debug("%s: Verifying a signature failed\n", __func__);
+ return -EKEYREJECTED;
+ }
+#endif /* __UBOOT__ */
+
+ return 0;
+}
--
2.21.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [U-Boot] [RFC 7/9] lib: crypto: add x509 parser
2019-09-03 5:42 [U-Boot] [RFC 0/9] import x509/pkcs7 parsers from linux AKASHI Takahiro
` (5 preceding siblings ...)
2019-09-03 5:42 ` [U-Boot] [RFC 6/9] lib: crypto: add public_key_verify_signature() AKASHI Takahiro
@ 2019-09-03 5:42 ` AKASHI Takahiro
2019-09-03 5:42 ` [U-Boot] [RFC 8/9] lib: crypto: add pkcs7 message parser AKASHI Takahiro
` (2 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: AKASHI Takahiro @ 2019-09-03 5:42 UTC (permalink / raw)
To: u-boot
Imported from linux kernel v5.0.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
lib/Kconfig | 1 +
lib/Makefile | 1 +
lib/crypto/Kconfig | 10 +
lib/crypto/Makefile | 17 +
lib/crypto/x509.asn1 | 60 ++++
lib/crypto/x509_akid.asn1 | 35 ++
lib/crypto/x509_cert_parser.c | 644 ++++++++++++++++++++++++++++++++++
lib/crypto/x509_parser.h | 61 ++++
lib/crypto/x509_public_key.c | 284 +++++++++++++++
9 files changed, 1113 insertions(+)
create mode 100644 lib/crypto/x509.asn1
create mode 100644 lib/crypto/x509_akid.asn1
create mode 100644 lib/crypto/x509_cert_parser.c
create mode 100644 lib/crypto/x509_parser.h
create mode 100644 lib/crypto/x509_public_key.c
diff --git a/lib/Kconfig b/lib/Kconfig
index d2955c8feb0e..aa44f52d9181 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -253,6 +253,7 @@ config AES
present.
source lib/rsa/Kconfig
+source lib/crypto/Kconfig
config TPM
bool "Trusted Platform Module (TPM) Support"
diff --git a/lib/Makefile b/lib/Makefile
index 677ec33a1ce1..64ff105945b3 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -18,6 +18,7 @@ obj-$(CONFIG_CMD_DHRYSTONE) += dhry/
obj-$(CONFIG_ARCH_AT91) += at91/
obj-$(CONFIG_OPTEE) += optee/
obj-$(CONFIG_BUILD_ASN1) += asn1_decoder.o
+obj-y += crypto/
obj-$(CONFIG_AES) += aes.o
diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
index b8e8288d2f80..a87cf6107fc1 100644
--- a/lib/crypto/Kconfig
+++ b/lib/crypto/Kconfig
@@ -16,4 +16,14 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
appropriate hash algorithms (such as SHA-1) must be available.
ENOPKG will be reported if the requisite algorithm is unavailable.
+config X509_CERTIFICATE_PARSER
+ bool "X.509 certificate parser"
+ depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select ASN1
+ select OID_REGISTRY
+ help
+ This option provides support for parsing X.509 format blobs for key
+ data and provides the ability to instantiate a crypto key from a
+ public key packet found inside the certificate.
+
endif # ASYMMETRIC_KEY_TYPE
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 870d2a90b181..1fb1459a3e4f 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -8,3 +8,20 @@ obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
asymmetric_keys-y := asymmetric_type.o
obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o public_key_local.o
+
+#
+# X.509 Certificate handling
+#
+obj-$(CONFIG_X509_CERTIFICATE_PARSER) += x509_key_parser.o
+x509_key_parser-y := \
+ x509.asn1.o \
+ x509_akid.asn1.o \
+ x509_cert_parser.o \
+ x509_public_key.o
+
+$(obj)/x509_cert_parser.o: \
+ $(obj)/x509.asn1.h \
+ $(obj)/x509_akid.asn1.h
+
+$(obj)/x509.asn1.o: $(obj)/x509.asn1.c $(obj)/x509.asn1.h
+$(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c $(obj)/x509_akid.asn1.h
diff --git a/lib/crypto/x509.asn1 b/lib/crypto/x509.asn1
new file mode 100644
index 000000000000..aae0cde414e2
--- /dev/null
+++ b/lib/crypto/x509.asn1
@@ -0,0 +1,60 @@
+Certificate ::= SEQUENCE {
+ tbsCertificate TBSCertificate ({ x509_note_tbs_certificate }),
+ signatureAlgorithm AlgorithmIdentifier,
+ signature BIT STRING ({ x509_note_signature })
+ }
+
+TBSCertificate ::= SEQUENCE {
+ version [ 0 ] Version DEFAULT,
+ serialNumber CertificateSerialNumber ({ x509_note_serial }),
+ signature AlgorithmIdentifier ({ x509_note_pkey_algo }),
+ issuer Name ({ x509_note_issuer }),
+ validity Validity,
+ subject Name ({ x509_note_subject }),
+ subjectPublicKeyInfo SubjectPublicKeyInfo,
+ issuerUniqueID [ 1 ] IMPLICIT UniqueIdentifier OPTIONAL,
+ subjectUniqueID [ 2 ] IMPLICIT UniqueIdentifier OPTIONAL,
+ extensions [ 3 ] Extensions OPTIONAL
+ }
+
+Version ::= INTEGER
+CertificateSerialNumber ::= INTEGER
+
+AlgorithmIdentifier ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER ({ x509_note_OID }),
+ parameters ANY OPTIONAL
+}
+
+Name ::= SEQUENCE OF RelativeDistinguishedName
+
+RelativeDistinguishedName ::= SET OF AttributeValueAssertion
+
+AttributeValueAssertion ::= SEQUENCE {
+ attributeType OBJECT IDENTIFIER ({ x509_note_OID }),
+ attributeValue ANY ({ x509_extract_name_segment })
+ }
+
+Validity ::= SEQUENCE {
+ notBefore Time ({ x509_note_not_before }),
+ notAfter Time ({ x509_note_not_after })
+ }
+
+Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime
+ }
+
+SubjectPublicKeyInfo ::= SEQUENCE {
+ algorithm AlgorithmIdentifier,
+ subjectPublicKey BIT STRING ({ x509_extract_key_data })
+ }
+
+UniqueIdentifier ::= BIT STRING
+
+Extensions ::= SEQUENCE OF Extension
+
+Extension ::= SEQUENCE {
+ extnid OBJECT IDENTIFIER ({ x509_note_OID }),
+ critical BOOLEAN DEFAULT,
+ extnValue OCTET STRING ({ x509_process_extension })
+ }
diff --git a/lib/crypto/x509_akid.asn1 b/lib/crypto/x509_akid.asn1
new file mode 100644
index 000000000000..1a33231a75a8
--- /dev/null
+++ b/lib/crypto/x509_akid.asn1
@@ -0,0 +1,35 @@
+-- X.509 AuthorityKeyIdentifier
+-- rfc5280 section 4.2.1.1
+
+AuthorityKeyIdentifier ::= SEQUENCE {
+ keyIdentifier [0] IMPLICIT KeyIdentifier OPTIONAL,
+ authorityCertIssuer [1] IMPLICIT GeneralNames OPTIONAL,
+ authorityCertSerialNumber [2] IMPLICIT CertificateSerialNumber OPTIONAL
+ }
+
+KeyIdentifier ::= OCTET STRING ({ x509_akid_note_kid })
+
+CertificateSerialNumber ::= INTEGER ({ x509_akid_note_serial })
+
+GeneralNames ::= SEQUENCE OF GeneralName
+
+GeneralName ::= CHOICE {
+ otherName [0] ANY,
+ rfc822Name [1] IA5String,
+ dNSName [2] IA5String,
+ x400Address [3] ANY,
+ directoryName [4] Name ({ x509_akid_note_name }),
+ ediPartyName [5] ANY,
+ uniformResourceIdentifier [6] IA5String,
+ iPAddress [7] OCTET STRING,
+ registeredID [8] OBJECT IDENTIFIER
+ }
+
+Name ::= SEQUENCE OF RelativeDistinguishedName
+
+RelativeDistinguishedName ::= SET OF AttributeValueAssertion
+
+AttributeValueAssertion ::= SEQUENCE {
+ attributeType OBJECT IDENTIFIER ({ x509_note_OID }),
+ attributeValue ANY ({ x509_extract_name_segment })
+ }
diff --git a/lib/crypto/x509_cert_parser.c b/lib/crypto/x509_cert_parser.c
new file mode 100644
index 000000000000..9dadcf83ab02
--- /dev/null
+++ b/lib/crypto/x509_cert_parser.c
@@ -0,0 +1,644 @@
+/* X.509 certificate parser
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#define pr_fmt(fmt) "X.509: "fmt
+#include <linux/kernel.h>
+#include <linux/err.h>
+#include <linux/oid_registry.h>
+#include <linux/string.h>
+#include <crypto/public_key.h>
+#include "x509_parser.h"
+#include "x509.asn1.h"
+#include "x509_akid.asn1.h"
+
+struct x509_parse_context {
+ struct x509_certificate *cert; /* Certificate being constructed */
+ unsigned long data; /* Start of data */
+ const void *cert_start; /* Start of cert content */
+ const void *key; /* Key data */
+ size_t key_size; /* Size of key data */
+ enum OID last_oid; /* Last OID encountered */
+ enum OID algo_oid; /* Algorithm OID */
+ unsigned char nr_mpi; /* Number of MPIs stored */
+ u8 o_size; /* Size of organizationName (O) */
+ u8 cn_size; /* Size of commonName (CN) */
+ u8 email_size; /* Size of emailAddress */
+ u16 o_offset; /* Offset of organizationName (O) */
+ u16 cn_offset; /* Offset of commonName (CN) */
+ u16 email_offset; /* Offset of emailAddress */
+ unsigned raw_akid_size;
+ const void *raw_akid; /* Raw authorityKeyId in ASN.1 */
+ const void *akid_raw_issuer; /* Raw directoryName in authorityKeyId */
+ unsigned akid_raw_issuer_size;
+};
+
+/*
+ * Free an X.509 certificate
+ */
+void x509_free_certificate(struct x509_certificate *cert)
+{
+ if (cert) {
+ public_key_free(cert->pub);
+ public_key_signature_free(cert->sig);
+ kfree(cert->issuer);
+ kfree(cert->subject);
+ kfree(cert->id);
+ kfree(cert->skid);
+ kfree(cert);
+ }
+}
+EXPORT_SYMBOL_GPL(x509_free_certificate);
+
+/*
+ * Parse an X.509 certificate
+ */
+struct x509_certificate *x509_cert_parse(const void *data, size_t datalen)
+{
+ struct x509_certificate *cert;
+ struct x509_parse_context *ctx;
+ struct asymmetric_key_id *kid;
+ long ret;
+
+ ret = -ENOMEM;
+ cert = kzalloc(sizeof(struct x509_certificate), GFP_KERNEL);
+ if (!cert)
+ goto error_no_cert;
+ cert->pub = kzalloc(sizeof(struct public_key), GFP_KERNEL);
+ if (!cert->pub)
+ goto error_no_ctx;
+ cert->sig = kzalloc(sizeof(struct public_key_signature), GFP_KERNEL);
+ if (!cert->sig)
+ goto error_no_ctx;
+ ctx = kzalloc(sizeof(struct x509_parse_context), GFP_KERNEL);
+ if (!ctx)
+ goto error_no_ctx;
+
+ ctx->cert = cert;
+ ctx->data = (unsigned long)data;
+
+ /* Attempt to decode the certificate */
+ ret = asn1_ber_decoder(&x509_decoder, ctx, data, datalen);
+ if (ret < 0)
+ goto error_decode;
+
+ /* Decode the AuthorityKeyIdentifier */
+ if (ctx->raw_akid) {
+ pr_devel("AKID: %u %*phN\n",
+ ctx->raw_akid_size, ctx->raw_akid_size, ctx->raw_akid);
+ ret = asn1_ber_decoder(&x509_akid_decoder, ctx,
+ ctx->raw_akid, ctx->raw_akid_size);
+ if (ret < 0) {
+ pr_warn("Couldn't decode AuthKeyIdentifier\n");
+ goto error_decode;
+ }
+ }
+
+ ret = -ENOMEM;
+ cert->pub->key = kmemdup(ctx->key, ctx->key_size, GFP_KERNEL);
+ if (!cert->pub->key)
+ goto error_decode;
+
+ cert->pub->keylen = ctx->key_size;
+
+ /* Grab the signature bits */
+ ret = x509_get_sig_params(cert);
+ if (ret < 0)
+ goto error_decode;
+
+ /* Generate cert issuer + serial number key ID */
+ kid = asymmetric_key_generate_id(cert->raw_serial,
+ cert->raw_serial_size,
+ cert->raw_issuer,
+ cert->raw_issuer_size);
+ if (IS_ERR(kid)) {
+ ret = PTR_ERR(kid);
+ goto error_decode;
+ }
+ cert->id = kid;
+
+ /* Detect self-signed certificates */
+ ret = x509_check_for_self_signed(cert);
+ if (ret < 0)
+ goto error_decode;
+
+ kfree(ctx);
+ return cert;
+
+error_decode:
+ kfree(ctx);
+error_no_ctx:
+ x509_free_certificate(cert);
+error_no_cert:
+ return ERR_PTR(ret);
+}
+EXPORT_SYMBOL_GPL(x509_cert_parse);
+
+/*
+ * Note an OID when we find one for later processing when we know how
+ * to interpret it.
+ */
+int x509_note_OID(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct x509_parse_context *ctx = context;
+
+ ctx->last_oid = look_up_OID(value, vlen);
+ if (ctx->last_oid == OID__NR) {
+ char buffer[50];
+ sprint_oid(value, vlen, buffer, sizeof(buffer));
+ pr_debug("Unknown OID: [%lu] %s\n",
+ (unsigned long)value - ctx->data, buffer);
+ }
+ return 0;
+}
+
+/*
+ * Save the position of the TBS data so that we can check the signature over it
+ * later.
+ */
+int x509_note_tbs_certificate(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct x509_parse_context *ctx = context;
+
+ pr_debug("x509_note_tbs_certificate(,%zu,%02x,%ld,%zu)!\n",
+ hdrlen, tag, (unsigned long)value - ctx->data, vlen);
+
+ ctx->cert->tbs = value - hdrlen;
+ ctx->cert->tbs_size = vlen + hdrlen;
+ return 0;
+}
+
+/*
+ * Record the public key algorithm
+ */
+int x509_note_pkey_algo(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct x509_parse_context *ctx = context;
+
+ pr_debug("PubKey Algo: %u\n", ctx->last_oid);
+
+ switch (ctx->last_oid) {
+ case OID_md2WithRSAEncryption:
+ case OID_md3WithRSAEncryption:
+ default:
+ return -ENOPKG; /* Unsupported combination */
+
+ case OID_md4WithRSAEncryption:
+ ctx->cert->sig->hash_algo = "md4";
+ goto rsa_pkcs1;
+
+ case OID_sha1WithRSAEncryption:
+ ctx->cert->sig->hash_algo = "sha1";
+ goto rsa_pkcs1;
+
+ case OID_sha256WithRSAEncryption:
+ ctx->cert->sig->hash_algo = "sha256";
+ goto rsa_pkcs1;
+
+ case OID_sha384WithRSAEncryption:
+ ctx->cert->sig->hash_algo = "sha384";
+ goto rsa_pkcs1;
+
+ case OID_sha512WithRSAEncryption:
+ ctx->cert->sig->hash_algo = "sha512";
+ goto rsa_pkcs1;
+
+ case OID_sha224WithRSAEncryption:
+ ctx->cert->sig->hash_algo = "sha224";
+ goto rsa_pkcs1;
+ }
+
+rsa_pkcs1:
+ ctx->cert->sig->pkey_algo = "rsa";
+ ctx->cert->sig->encoding = "pkcs1";
+ ctx->algo_oid = ctx->last_oid;
+ return 0;
+}
+
+/*
+ * Note the whereabouts and type of the signature.
+ */
+int x509_note_signature(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct x509_parse_context *ctx = context;
+
+ pr_debug("Signature type: %u size %zu\n", ctx->last_oid, vlen);
+
+ if (ctx->last_oid != ctx->algo_oid) {
+ pr_warn("Got cert with pkey (%u) and sig (%u) algorithm OIDs\n",
+ ctx->algo_oid, ctx->last_oid);
+ return -EINVAL;
+ }
+
+ if (strcmp(ctx->cert->sig->pkey_algo, "rsa") == 0) {
+ /* Discard the BIT STRING metadata */
+ if (vlen < 1 || *(const u8 *)value != 0)
+ return -EBADMSG;
+
+ value++;
+ vlen--;
+ }
+
+ ctx->cert->raw_sig = value;
+ ctx->cert->raw_sig_size = vlen;
+ return 0;
+}
+
+/*
+ * Note the certificate serial number
+ */
+int x509_note_serial(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct x509_parse_context *ctx = context;
+ ctx->cert->raw_serial = value;
+ ctx->cert->raw_serial_size = vlen;
+ return 0;
+}
+
+/*
+ * Note some of the name segments from which we'll fabricate a name.
+ */
+int x509_extract_name_segment(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct x509_parse_context *ctx = context;
+
+ switch (ctx->last_oid) {
+ case OID_commonName:
+ ctx->cn_size = vlen;
+ ctx->cn_offset = (unsigned long)value - ctx->data;
+ break;
+ case OID_organizationName:
+ ctx->o_size = vlen;
+ ctx->o_offset = (unsigned long)value - ctx->data;
+ break;
+ case OID_email_address:
+ ctx->email_size = vlen;
+ ctx->email_offset = (unsigned long)value - ctx->data;
+ break;
+ default:
+ break;
+ }
+
+ return 0;
+}
+
+/*
+ * Fabricate and save the issuer and subject names
+ */
+static int x509_fabricate_name(struct x509_parse_context *ctx, size_t hdrlen,
+ unsigned char tag,
+ char **_name, size_t vlen)
+{
+ const void *name, *data = (const void *)ctx->data;
+ size_t namesize;
+ char *buffer;
+
+ if (*_name)
+ return -EINVAL;
+
+ /* Empty name string if no material */
+ if (!ctx->cn_size && !ctx->o_size && !ctx->email_size) {
+ buffer = kmalloc(1, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+ buffer[0] = 0;
+ goto done;
+ }
+
+ if (ctx->cn_size && ctx->o_size) {
+ /* Consider combining O and CN, but use only the CN if it is
+ * prefixed by the O, or a significant portion thereof.
+ */
+ namesize = ctx->cn_size;
+ name = data + ctx->cn_offset;
+ if (ctx->cn_size >= ctx->o_size &&
+ memcmp(data + ctx->cn_offset, data + ctx->o_offset,
+ ctx->o_size) == 0)
+ goto single_component;
+ if (ctx->cn_size >= 7 &&
+ ctx->o_size >= 7 &&
+ memcmp(data + ctx->cn_offset, data + ctx->o_offset, 7) == 0)
+ goto single_component;
+
+ buffer = kmalloc(ctx->o_size + 2 + ctx->cn_size + 1,
+ GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+
+ memcpy(buffer,
+ data + ctx->o_offset, ctx->o_size);
+ buffer[ctx->o_size + 0] = ':';
+ buffer[ctx->o_size + 1] = ' ';
+ memcpy(buffer + ctx->o_size + 2,
+ data + ctx->cn_offset, ctx->cn_size);
+ buffer[ctx->o_size + 2 + ctx->cn_size] = 0;
+ goto done;
+
+ } else if (ctx->cn_size) {
+ namesize = ctx->cn_size;
+ name = data + ctx->cn_offset;
+ } else if (ctx->o_size) {
+ namesize = ctx->o_size;
+ name = data + ctx->o_offset;
+ } else {
+ namesize = ctx->email_size;
+ name = data + ctx->email_offset;
+ }
+
+single_component:
+ buffer = kmalloc(namesize + 1, GFP_KERNEL);
+ if (!buffer)
+ return -ENOMEM;
+ memcpy(buffer, name, namesize);
+ buffer[namesize] = 0;
+
+done:
+ *_name = buffer;
+ ctx->cn_size = 0;
+ ctx->o_size = 0;
+ ctx->email_size = 0;
+ return 0;
+}
+
+int x509_note_issuer(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct x509_parse_context *ctx = context;
+ ctx->cert->raw_issuer = value;
+ ctx->cert->raw_issuer_size = vlen;
+ return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->issuer, vlen);
+}
+
+int x509_note_subject(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct x509_parse_context *ctx = context;
+ ctx->cert->raw_subject = value;
+ ctx->cert->raw_subject_size = vlen;
+ return x509_fabricate_name(ctx, hdrlen, tag, &ctx->cert->subject, vlen);
+}
+
+/*
+ * Extract the data for the public key algorithm
+ */
+int x509_extract_key_data(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct x509_parse_context *ctx = context;
+
+ if (ctx->last_oid != OID_rsaEncryption)
+ return -ENOPKG;
+
+ ctx->cert->pub->pkey_algo = "rsa";
+
+ /* Discard the BIT STRING metadata */
+ if (vlen < 1 || *(const u8 *)value != 0)
+ return -EBADMSG;
+ ctx->key = value + 1;
+ ctx->key_size = vlen - 1;
+ return 0;
+}
+
+/* The keyIdentifier in AuthorityKeyIdentifier SEQUENCE is tag(CONT,PRIM,0) */
+#define SEQ_TAG_KEYID (ASN1_CONT << 6)
+
+/*
+ * Process certificate extensions that are used to qualify the certificate.
+ */
+int x509_process_extension(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct x509_parse_context *ctx = context;
+ struct asymmetric_key_id *kid;
+ const unsigned char *v = value;
+
+ pr_debug("Extension: %u\n", ctx->last_oid);
+
+ if (ctx->last_oid == OID_subjectKeyIdentifier) {
+ /* Get hold of the key fingerprint */
+ if (ctx->cert->skid || vlen < 3)
+ return -EBADMSG;
+ if (v[0] != ASN1_OTS || v[1] != vlen - 2)
+ return -EBADMSG;
+ v += 2;
+ vlen -= 2;
+
+ ctx->cert->raw_skid_size = vlen;
+ ctx->cert->raw_skid = v;
+ kid = asymmetric_key_generate_id(v, vlen, "", 0);
+ if (IS_ERR(kid))
+ return PTR_ERR(kid);
+ ctx->cert->skid = kid;
+ pr_debug("subjkeyid %*phN\n", kid->len, kid->data);
+ return 0;
+ }
+
+ if (ctx->last_oid == OID_authorityKeyIdentifier) {
+ /* Get hold of the CA key fingerprint */
+ ctx->raw_akid = v;
+ ctx->raw_akid_size = vlen;
+ return 0;
+ }
+
+ return 0;
+}
+
+/**
+ * x509_decode_time - Decode an X.509 time ASN.1 object
+ * @_t: The time to fill in
+ * @hdrlen: The length of the object header
+ * @tag: The object tag
+ * @value: The object value
+ * @vlen: The size of the object value
+ *
+ * Decode an ASN.1 universal time or generalised time field into a struct the
+ * kernel can handle and check it for validity. The time is decoded thus:
+ *
+ * [RFC5280 ยง4.1.2.5]
+ * CAs conforming to this profile MUST always encode certificate validity
+ * dates through the year 2049 as UTCTime; certificate validity dates in
+ * 2050 or later MUST be encoded as GeneralizedTime. Conforming
+ * applications MUST be able to process validity dates that are encoded in
+ * either UTCTime or GeneralizedTime.
+ */
+int x509_decode_time(time64_t *_t, size_t hdrlen,
+ unsigned char tag,
+ const unsigned char *value, size_t vlen)
+{
+ static const unsigned char month_lengths[] = { 31, 28, 31, 30, 31, 30,
+ 31, 31, 30, 31, 30, 31 };
+ const unsigned char *p = value;
+ unsigned year, mon, day, hour, min, sec, mon_len;
+
+#define dec2bin(X) ({ unsigned char x = (X) - '0'; if (x > 9) goto invalid_time; x; })
+#define DD2bin(P) ({ unsigned x = dec2bin(P[0]) * 10 + dec2bin(P[1]); P += 2; x; })
+
+ if (tag == ASN1_UNITIM) {
+ /* UTCTime: YYMMDDHHMMSSZ */
+ if (vlen != 13)
+ goto unsupported_time;
+ year = DD2bin(p);
+ if (year >= 50)
+ year += 1900;
+ else
+ year += 2000;
+ } else if (tag == ASN1_GENTIM) {
+ /* GenTime: YYYYMMDDHHMMSSZ */
+ if (vlen != 15)
+ goto unsupported_time;
+ year = DD2bin(p) * 100 + DD2bin(p);
+ if (year >= 1950 && year <= 2049)
+ goto invalid_time;
+ } else {
+ goto unsupported_time;
+ }
+
+ mon = DD2bin(p);
+ day = DD2bin(p);
+ hour = DD2bin(p);
+ min = DD2bin(p);
+ sec = DD2bin(p);
+
+ if (*p != 'Z')
+ goto unsupported_time;
+
+ if (year < 1970 ||
+ mon < 1 || mon > 12)
+ goto invalid_time;
+
+ mon_len = month_lengths[mon - 1];
+ if (mon == 2) {
+ if (year % 4 == 0) {
+ mon_len = 29;
+ if (year % 100 == 0) {
+ mon_len = 28;
+ if (year % 400 == 0)
+ mon_len = 29;
+ }
+ }
+ }
+
+ if (day < 1 || day > mon_len ||
+ hour > 24 || /* ISO 8601 permits 24:00:00 as midnight tomorrow */
+ min > 59 ||
+ sec > 60) /* ISO 8601 permits leap seconds [X.680 46.3] */
+ goto invalid_time;
+
+ *_t = mktime64(year, mon, day, hour, min, sec);
+ return 0;
+
+unsupported_time:
+ pr_debug("Got unsupported time [tag %02x]: '%*phN'\n",
+ tag, (int)vlen, value);
+ return -EBADMSG;
+invalid_time:
+ pr_debug("Got invalid time [tag %02x]: '%*phN'\n",
+ tag, (int)vlen, value);
+ return -EBADMSG;
+}
+EXPORT_SYMBOL_GPL(x509_decode_time);
+
+int x509_note_not_before(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct x509_parse_context *ctx = context;
+ return x509_decode_time(&ctx->cert->valid_from, hdrlen, tag, value, vlen);
+}
+
+int x509_note_not_after(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct x509_parse_context *ctx = context;
+ return x509_decode_time(&ctx->cert->valid_to, hdrlen, tag, value, vlen);
+}
+
+/*
+ * Note a key identifier-based AuthorityKeyIdentifier
+ */
+int x509_akid_note_kid(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct x509_parse_context *ctx = context;
+ struct asymmetric_key_id *kid;
+
+ pr_debug("AKID: keyid: %*phN\n", (int)vlen, value);
+
+ if (ctx->cert->sig->auth_ids[1])
+ return 0;
+
+ kid = asymmetric_key_generate_id(value, vlen, "", 0);
+ if (IS_ERR(kid))
+ return PTR_ERR(kid);
+ pr_debug("authkeyid %*phN\n", kid->len, kid->data);
+ ctx->cert->sig->auth_ids[1] = kid;
+ return 0;
+}
+
+/*
+ * Note a directoryName in an AuthorityKeyIdentifier
+ */
+int x509_akid_note_name(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct x509_parse_context *ctx = context;
+
+ pr_debug("AKID: name: %*phN\n", (int)vlen, value);
+
+ ctx->akid_raw_issuer = value;
+ ctx->akid_raw_issuer_size = vlen;
+ return 0;
+}
+
+/*
+ * Note a serial number in an AuthorityKeyIdentifier
+ */
+int x509_akid_note_serial(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct x509_parse_context *ctx = context;
+ struct asymmetric_key_id *kid;
+
+ pr_debug("AKID: serial: %*phN\n", (int)vlen, value);
+
+ if (!ctx->akid_raw_issuer || ctx->cert->sig->auth_ids[0])
+ return 0;
+
+ kid = asymmetric_key_generate_id(value,
+ vlen,
+ ctx->akid_raw_issuer,
+ ctx->akid_raw_issuer_size);
+ if (IS_ERR(kid))
+ return PTR_ERR(kid);
+
+ pr_debug("authkeyid %*phN\n", kid->len, kid->data);
+ ctx->cert->sig->auth_ids[0] = kid;
+ return 0;
+}
diff --git a/lib/crypto/x509_parser.h b/lib/crypto/x509_parser.h
new file mode 100644
index 000000000000..e373e7483812
--- /dev/null
+++ b/lib/crypto/x509_parser.h
@@ -0,0 +1,61 @@
+/* X.509 certificate parser internal definitions
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#include <linux/time.h>
+#include <crypto/public_key.h>
+#include <keys/asymmetric-type.h>
+
+struct x509_certificate {
+ struct x509_certificate *next;
+ struct x509_certificate *signer; /* Certificate that signed this one */
+ struct public_key *pub; /* Public key details */
+ struct public_key_signature *sig; /* Signature parameters */
+ char *issuer; /* Name of certificate issuer */
+ char *subject; /* Name of certificate subject */
+ struct asymmetric_key_id *id; /* Issuer + Serial number */
+ struct asymmetric_key_id *skid; /* Subject + subjectKeyId (optional) */
+ time64_t valid_from;
+ time64_t valid_to;
+ const void *tbs; /* Signed data */
+ unsigned tbs_size; /* Size of signed data */
+ unsigned raw_sig_size; /* Size of sigature */
+ const void *raw_sig; /* Signature data */
+ const void *raw_serial; /* Raw serial number in ASN.1 */
+ unsigned raw_serial_size;
+ unsigned raw_issuer_size;
+ const void *raw_issuer; /* Raw issuer name in ASN.1 */
+ const void *raw_subject; /* Raw subject name in ASN.1 */
+ unsigned raw_subject_size;
+ unsigned raw_skid_size;
+ const void *raw_skid; /* Raw subjectKeyId in ASN.1 */
+ unsigned index;
+ bool seen; /* Infinite recursion prevention */
+ bool verified;
+ bool self_signed; /* T if self-signed (check unsupported_sig too) */
+ bool unsupported_key; /* T if key uses unsupported crypto */
+ bool unsupported_sig; /* T if signature uses unsupported crypto */
+ bool blacklisted;
+};
+
+/*
+ * x509_cert_parser.c
+ */
+extern void x509_free_certificate(struct x509_certificate *cert);
+extern struct x509_certificate *x509_cert_parse(const void *data, size_t datalen);
+extern int x509_decode_time(time64_t *_t, size_t hdrlen,
+ unsigned char tag,
+ const unsigned char *value, size_t vlen);
+
+/*
+ * x509_public_key.c
+ */
+extern int x509_get_sig_params(struct x509_certificate *cert);
+extern int x509_check_for_self_signed(struct x509_certificate *cert);
diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c
new file mode 100644
index 000000000000..36d4ef4b149e
--- /dev/null
+++ b/lib/crypto/x509_public_key.c
@@ -0,0 +1,284 @@
+/* Instantiate a public key crypto key from an X.509 Certificate
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#define pr_fmt(fmt) "X.509: "fmt
+#include <common.h>
+#include <linux/compat.h>
+#include <linux/errno.h>
+#include <linux/kernel.h>
+#include "x509_parser.h"
+
+/*
+ * Set up the signature parameters in an X.509 certificate. This involves
+ * digesting the signed data and extracting the signature.
+ */
+int x509_get_sig_params(struct x509_certificate *cert)
+{
+ struct public_key_signature *sig = cert->sig;
+#ifndef __UBOOT__
+ struct crypto_shash *tfm;
+ struct shash_desc *desc;
+ size_t desc_size;
+#endif
+ int ret;
+
+ pr_devel("==>%s()\n", __func__);
+
+ if (!cert->pub->pkey_algo)
+ cert->unsupported_key = true;
+
+ if (!sig->pkey_algo)
+ cert->unsupported_sig = true;
+
+ /* We check the hash if we can - even if we can't then verify it */
+ if (!sig->hash_algo) {
+ cert->unsupported_sig = true;
+ return 0;
+ }
+
+ sig->s = kmemdup(cert->raw_sig, cert->raw_sig_size, GFP_KERNEL);
+ if (!sig->s)
+ return -ENOMEM;
+
+ sig->s_size = cert->raw_sig_size;
+
+#ifdef __UBOOT__
+ /*
+ * NOTE: Blacklist check is always done on the fly
+ * in efi_siganture_verify*(). So sig->digest nor
+ * sig->digest_size won't be set here.
+ */
+ ret = 0;
+#else
+ /* Allocate the hashing algorithm we're going to need and find out how
+ * big the hash operational data will be.
+ */
+ tfm = crypto_alloc_shash(sig->hash_algo, 0, 0);
+ if (IS_ERR(tfm)) {
+ if (PTR_ERR(tfm) == -ENOENT) {
+ cert->unsupported_sig = true;
+ return 0;
+ }
+ return PTR_ERR(tfm);
+ }
+
+ desc_size = crypto_shash_descsize(tfm) + sizeof(*desc);
+ sig->digest_size = crypto_shash_digestsize(tfm);
+
+ ret = -ENOMEM;
+ sig->digest = kmalloc(sig->digest_size, GFP_KERNEL);
+ if (!sig->digest)
+ goto error;
+
+ desc = kzalloc(desc_size, GFP_KERNEL);
+ if (!desc)
+ goto error;
+
+ desc->tfm = tfm;
+ desc->flags = CRYPTO_TFM_REQ_MAY_SLEEP;
+
+ ret = crypto_shash_digest(desc, cert->tbs, cert->tbs_size, sig->digest);
+ if (ret < 0)
+ goto error_2;
+
+ ret = is_hash_blacklisted(sig->digest, sig->digest_size, "tbs");
+ if (ret == -EKEYREJECTED) {
+ pr_err("Cert %*phN is blacklisted\n",
+ sig->digest_size, sig->digest);
+ cert->blacklisted = true;
+ ret = 0;
+ }
+
+error_2:
+ kfree(desc);
+error:
+ crypto_free_shash(tfm);
+#endif /* __UBOOT__ */
+ pr_devel("<==%s() = %d\n", __func__, ret);
+ return ret;
+}
+
+/*
+ * Check for self-signedness in an X.509 cert and if found, check the signature
+ * immediately if we can.
+ */
+int x509_check_for_self_signed(struct x509_certificate *cert)
+{
+ int ret = 0;
+
+ pr_devel("==>%s()\n", __func__);
+
+ if (cert->raw_subject_size != cert->raw_issuer_size ||
+ memcmp(cert->raw_subject, cert->raw_issuer,
+ cert->raw_issuer_size) != 0)
+ goto not_self_signed;
+
+ if (cert->sig->auth_ids[0] || cert->sig->auth_ids[1]) {
+ /* If the AKID is present it may have one or two parts. If
+ * both are supplied, both must match.
+ */
+ bool a = asymmetric_key_id_same(cert->skid, cert->sig->auth_ids[1]);
+ bool b = asymmetric_key_id_same(cert->id, cert->sig->auth_ids[0]);
+
+ if (!a && !b)
+ goto not_self_signed;
+
+ ret = -EKEYREJECTED;
+ if (((a && !b) || (b && !a)) &&
+ cert->sig->auth_ids[0] && cert->sig->auth_ids[1])
+ goto out;
+ }
+
+ ret = -EKEYREJECTED;
+ if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0)
+ goto out;
+
+ ret = public_key_verify_signature(cert->pub, cert->sig);
+ if (ret < 0) {
+ if (ret == -ENOPKG) {
+ cert->unsupported_sig = true;
+ ret = 0;
+ }
+ goto out;
+ }
+
+ pr_devel("Cert Self-signature verified");
+ cert->self_signed = true;
+
+out:
+ pr_devel("<==%s() = %d\n", __func__, ret);
+ return ret;
+
+not_self_signed:
+ pr_devel("<==%s() = 0 [not]\n", __func__);
+ return 0;
+}
+
+#ifndef __UBOOT__
+/*
+ * Attempt to parse a data blob for a key as an X509 certificate.
+ */
+static int x509_key_preparse(struct key_preparsed_payload *prep)
+{
+ struct asymmetric_key_ids *kids;
+ struct x509_certificate *cert;
+ const char *q;
+ size_t srlen, sulen;
+ char *desc = NULL, *p;
+ int ret;
+
+ cert = x509_cert_parse(prep->data, prep->datalen);
+ if (IS_ERR(cert))
+ return PTR_ERR(cert);
+
+ pr_devel("Cert Issuer: %s\n", cert->issuer);
+ pr_devel("Cert Subject: %s\n", cert->subject);
+
+ if (cert->unsupported_key) {
+ ret = -ENOPKG;
+ goto error_free_cert;
+ }
+
+ pr_devel("Cert Key Algo: %s\n", cert->pub->pkey_algo);
+ pr_devel("Cert Valid period: %lld-%lld\n", cert->valid_from, cert->valid_to);
+
+ cert->pub->id_type = "X509";
+
+ if (cert->unsupported_sig) {
+ public_key_signature_free(cert->sig);
+ cert->sig = NULL;
+ } else {
+ pr_devel("Cert Signature: %s + %s\n",
+ cert->sig->pkey_algo, cert->sig->hash_algo);
+ }
+
+ /* Don't permit addition of blacklisted keys */
+ ret = -EKEYREJECTED;
+ if (cert->blacklisted)
+ goto error_free_cert;
+
+ /* Propose a description */
+ sulen = strlen(cert->subject);
+ if (cert->raw_skid) {
+ srlen = cert->raw_skid_size;
+ q = cert->raw_skid;
+ } else {
+ srlen = cert->raw_serial_size;
+ q = cert->raw_serial;
+ }
+
+ ret = -ENOMEM;
+ desc = kmalloc(sulen + 2 + srlen * 2 + 1, GFP_KERNEL);
+ if (!desc)
+ goto error_free_cert;
+ p = memcpy(desc, cert->subject, sulen);
+ p += sulen;
+ *p++ = ':';
+ *p++ = ' ';
+ p = bin2hex(p, q, srlen);
+ *p = 0;
+
+ kids = kmalloc(sizeof(struct asymmetric_key_ids), GFP_KERNEL);
+ if (!kids)
+ goto error_free_desc;
+ kids->id[0] = cert->id;
+ kids->id[1] = cert->skid;
+
+ /* We're pinning the module by being linked against it */
+ __module_get(public_key_subtype.owner);
+ prep->payload.data[asym_subtype] = &public_key_subtype;
+ prep->payload.data[asym_key_ids] = kids;
+ prep->payload.data[asym_crypto] = cert->pub;
+ prep->payload.data[asym_auth] = cert->sig;
+ prep->description = desc;
+ prep->quotalen = 100;
+
+ /* We've finished with the certificate */
+ cert->pub = NULL;
+ cert->id = NULL;
+ cert->skid = NULL;
+ cert->sig = NULL;
+ desc = NULL;
+ ret = 0;
+
+error_free_desc:
+ kfree(desc);
+error_free_cert:
+ x509_free_certificate(cert);
+ return ret;
+}
+
+static struct asymmetric_key_parser x509_key_parser = {
+ .owner = THIS_MODULE,
+ .name = "x509",
+ .parse = x509_key_preparse,
+};
+
+/*
+ * Module stuff
+ */
+static int __init x509_key_init(void)
+{
+ return register_asymmetric_key_parser(&x509_key_parser);
+}
+
+static void __exit x509_key_exit(void)
+{
+ unregister_asymmetric_key_parser(&x509_key_parser);
+}
+
+module_init(x509_key_init);
+module_exit(x509_key_exit);
+#endif /* !__UBOOT__ */
+
+MODULE_DESCRIPTION("X.509 certificate parser");
+MODULE_AUTHOR("Red Hat, Inc.");
+MODULE_LICENSE("GPL");
--
2.21.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [U-Boot] [RFC 8/9] lib: crypto: add pkcs7 message parser
2019-09-03 5:42 [U-Boot] [RFC 0/9] import x509/pkcs7 parsers from linux AKASHI Takahiro
` (6 preceding siblings ...)
2019-09-03 5:42 ` [U-Boot] [RFC 7/9] lib: crypto: add x509 parser AKASHI Takahiro
@ 2019-09-03 5:42 ` AKASHI Takahiro
2019-09-03 5:42 ` [U-Boot] [RFC 9/9] lib: crypto: add rsa public key parser AKASHI Takahiro
2019-10-03 5:51 ` [U-Boot] [RFC 0/9] import x509/pkcs7 parsers from linux AKASHI Takahiro
9 siblings, 0 replies; 11+ messages in thread
From: AKASHI Takahiro @ 2019-09-03 5:42 UTC (permalink / raw)
To: u-boot
Imported from linux kernel v5.0.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
include/crypto/pkcs7.h | 51 +++
lib/crypto/Kconfig | 9 +
lib/crypto/Makefile | 11 +
lib/crypto/pkcs7.asn1 | 135 ++++++++
lib/crypto/pkcs7_parser.c | 690 ++++++++++++++++++++++++++++++++++++++
lib/crypto/pkcs7_parser.h | 69 ++++
scripts/Makefile.build | 4 +-
7 files changed, 966 insertions(+), 3 deletions(-)
create mode 100644 include/crypto/pkcs7.h
create mode 100644 lib/crypto/pkcs7.asn1
create mode 100644 lib/crypto/pkcs7_parser.c
create mode 100644 lib/crypto/pkcs7_parser.h
diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
new file mode 100644
index 000000000000..1c6a7cd7a995
--- /dev/null
+++ b/include/crypto/pkcs7.h
@@ -0,0 +1,51 @@
+/* PKCS#7 crypto data parser
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#ifndef _CRYPTO_PKCS7_H
+#define _CRYPTO_PKCS7_H
+
+#ifndef __UBOOT__
+#include <linux/verification.h>
+#include <crypto/public_key.h>
+#endif
+
+struct key;
+struct pkcs7_message;
+
+/*
+ * pkcs7_parser.c
+ */
+extern struct pkcs7_message *pkcs7_parse_message(const void *data,
+ size_t datalen);
+extern void pkcs7_free_message(struct pkcs7_message *pkcs7);
+
+extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
+ const void **_data, size_t *_datalen,
+ size_t *_headerlen);
+
+#ifndef __UBOOT__
+/*
+ * pkcs7_trust.c
+ */
+extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
+ struct key *trust_keyring);
+
+/*
+ * pkcs7_verify.c
+ */
+extern int pkcs7_verify(struct pkcs7_message *pkcs7,
+ enum key_being_used_for usage);
+
+extern int pkcs7_supply_detached_data(struct pkcs7_message *pkcs7,
+ const void *data, size_t datalen);
+#endif
+
+#endif /* _CRYPTO_PKCS7_H */
diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
index a87cf6107fc1..86b676515405 100644
--- a/lib/crypto/Kconfig
+++ b/lib/crypto/Kconfig
@@ -26,4 +26,13 @@ config X509_CERTIFICATE_PARSER
data and provides the ability to instantiate a crypto key from a
public key packet found inside the certificate.
+config PKCS7_MESSAGE_PARSER
+ bool "PKCS#7 message parser"
+ depends on X509_CERTIFICATE_PARSER
+ select ASN1
+ select OID_REGISTRY
+ help
+ This option provides support for parsing PKCS#7 format messages for
+ signature data and provides the ability to verify the signature.
+
endif # ASYMMETRIC_KEY_TYPE
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 1fb1459a3e4f..3e98d28ea17a 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -25,3 +25,14 @@ $(obj)/x509_cert_parser.o: \
$(obj)/x509.asn1.o: $(obj)/x509.asn1.c $(obj)/x509.asn1.h
$(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c $(obj)/x509_akid.asn1.h
+
+#
+# PKCS#7 message handling
+#
+obj-$(CONFIG_PKCS7_MESSAGE_PARSER) += pkcs7_message.o
+pkcs7_message-y := \
+ pkcs7.asn1.o \
+ pkcs7_parser.o
+
+$(obj)/pkcs7_parser.o: $(obj)/pkcs7.asn1.h
+$(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h
diff --git a/lib/crypto/pkcs7.asn1 b/lib/crypto/pkcs7.asn1
new file mode 100644
index 000000000000..1eca740b816a
--- /dev/null
+++ b/lib/crypto/pkcs7.asn1
@@ -0,0 +1,135 @@
+PKCS7ContentInfo ::= SEQUENCE {
+ contentType ContentType ({ pkcs7_check_content_type }),
+ content [0] EXPLICIT SignedData OPTIONAL
+}
+
+ContentType ::= OBJECT IDENTIFIER ({ pkcs7_note_OID })
+
+SignedData ::= SEQUENCE {
+ version INTEGER ({ pkcs7_note_signeddata_version }),
+ digestAlgorithms DigestAlgorithmIdentifiers,
+ contentInfo ContentInfo ({ pkcs7_note_content }),
+ certificates CHOICE {
+ certSet [0] IMPLICIT ExtendedCertificatesAndCertificates,
+ certSequence [2] IMPLICIT Certificates
+ } OPTIONAL ({ pkcs7_note_certificate_list }),
+ crls CHOICE {
+ crlSet [1] IMPLICIT CertificateRevocationLists,
+ crlSequence [3] IMPLICIT CRLSequence
+ } OPTIONAL,
+ signerInfos SignerInfos
+}
+
+ContentInfo ::= SEQUENCE {
+ contentType ContentType ({ pkcs7_note_OID }),
+ content [0] EXPLICIT Data OPTIONAL
+}
+
+Data ::= ANY ({ pkcs7_note_data })
+
+DigestAlgorithmIdentifiers ::= CHOICE {
+ daSet SET OF DigestAlgorithmIdentifier,
+ daSequence SEQUENCE OF DigestAlgorithmIdentifier
+}
+
+DigestAlgorithmIdentifier ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER ({ pkcs7_note_OID }),
+ parameters ANY OPTIONAL
+}
+
+--
+-- Certificates and certificate lists
+--
+ExtendedCertificatesAndCertificates ::= SET OF ExtendedCertificateOrCertificate
+
+ExtendedCertificateOrCertificate ::= CHOICE {
+ certificate Certificate, -- X.509
+ extendedCertificate [0] IMPLICIT ExtendedCertificate -- PKCS#6
+}
+
+ExtendedCertificate ::= Certificate -- cheating
+
+Certificates ::= SEQUENCE OF Certificate
+
+CertificateRevocationLists ::= SET OF CertificateList
+
+CertificateList ::= SEQUENCE OF Certificate -- This may be defined incorrectly
+
+CRLSequence ::= SEQUENCE OF CertificateList
+
+Certificate ::= ANY ({ pkcs7_extract_cert }) -- X.509
+
+--
+-- Signer information
+--
+SignerInfos ::= CHOICE {
+ siSet SET OF SignerInfo,
+ siSequence SEQUENCE OF SignerInfo
+}
+
+SignerInfo ::= SEQUENCE {
+ version INTEGER ({ pkcs7_note_signerinfo_version }),
+ sid SignerIdentifier, -- CMS variant, not PKCS#7
+ digestAlgorithm DigestAlgorithmIdentifier ({ pkcs7_sig_note_digest_algo }),
+ authenticatedAttributes CHOICE {
+ aaSet [0] IMPLICIT SetOfAuthenticatedAttribute
+ ({ pkcs7_sig_note_set_of_authattrs }),
+ aaSequence [2] EXPLICIT SEQUENCE OF AuthenticatedAttribute
+ -- Explicit because easier to compute digest on
+ -- sequence of attributes and then reuse encoded
+ -- sequence in aaSequence.
+ } OPTIONAL,
+ digestEncryptionAlgorithm
+ DigestEncryptionAlgorithmIdentifier ({ pkcs7_sig_note_pkey_algo }),
+ encryptedDigest EncryptedDigest,
+ unauthenticatedAttributes CHOICE {
+ uaSet [1] IMPLICIT SET OF UnauthenticatedAttribute,
+ uaSequence [3] IMPLICIT SEQUENCE OF UnauthenticatedAttribute
+ } OPTIONAL
+} ({ pkcs7_note_signed_info })
+
+SignerIdentifier ::= CHOICE {
+ -- RFC5652 sec 5.3
+ issuerAndSerialNumber IssuerAndSerialNumber,
+ subjectKeyIdentifier [0] IMPLICIT SubjectKeyIdentifier
+}
+
+IssuerAndSerialNumber ::= SEQUENCE {
+ issuer Name ({ pkcs7_sig_note_issuer }),
+ serialNumber CertificateSerialNumber ({ pkcs7_sig_note_serial })
+}
+
+CertificateSerialNumber ::= INTEGER
+
+SubjectKeyIdentifier ::= OCTET STRING ({ pkcs7_sig_note_skid })
+
+SetOfAuthenticatedAttribute ::= SET OF AuthenticatedAttribute
+
+AuthenticatedAttribute ::= SEQUENCE {
+ type OBJECT IDENTIFIER ({ pkcs7_note_OID }),
+ values SET OF ANY ({ pkcs7_sig_note_authenticated_attr })
+}
+
+UnauthenticatedAttribute ::= SEQUENCE {
+ type OBJECT IDENTIFIER,
+ values SET OF ANY
+}
+
+DigestEncryptionAlgorithmIdentifier ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER ({ pkcs7_note_OID }),
+ parameters ANY OPTIONAL
+}
+
+EncryptedDigest ::= OCTET STRING ({ pkcs7_sig_note_signature })
+
+---
+--- X.500 Name
+---
+Name ::= SEQUENCE OF RelativeDistinguishedName
+
+RelativeDistinguishedName ::= SET OF AttributeValueAssertion
+
+AttributeValueAssertion ::= SEQUENCE {
+ attributeType OBJECT IDENTIFIER ({ pkcs7_note_OID }),
+ attributeValue ANY
+}
diff --git a/lib/crypto/pkcs7_parser.c b/lib/crypto/pkcs7_parser.c
new file mode 100644
index 000000000000..9a2bdb0b8e24
--- /dev/null
+++ b/lib/crypto/pkcs7_parser.c
@@ -0,0 +1,690 @@
+/* PKCS#7 parser
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#define pr_fmt(fmt) "PKCS7: "fmt
+#include <linux/bitops.h>
+#include <linux/compat.h>
+#include <linux/kernel.h>
+#include <linux/err.h>
+#include <linux/oid_registry.h>
+#include <crypto/public_key.h>
+#include "pkcs7_parser.h"
+#include "pkcs7.asn1.h"
+
+MODULE_DESCRIPTION("PKCS#7 parser");
+MODULE_AUTHOR("Red Hat, Inc.");
+MODULE_LICENSE("GPL");
+
+struct pkcs7_parse_context {
+ struct pkcs7_message *msg; /* Message being constructed */
+ struct pkcs7_signed_info *sinfo; /* SignedInfo being constructed */
+ struct pkcs7_signed_info **ppsinfo;
+ struct x509_certificate *certs; /* Certificate cache */
+ struct x509_certificate **ppcerts;
+ unsigned long data; /* Start of data */
+ enum OID last_oid; /* Last OID encountered */
+ unsigned x509_index;
+ unsigned sinfo_index;
+ const void *raw_serial;
+ unsigned raw_serial_size;
+ unsigned raw_issuer_size;
+ const void *raw_issuer;
+ const void *raw_skid;
+ unsigned raw_skid_size;
+ bool expect_skid;
+};
+
+/*
+ * Free a signed information block.
+ */
+static void pkcs7_free_signed_info(struct pkcs7_signed_info *sinfo)
+{
+ if (sinfo) {
+ public_key_signature_free(sinfo->sig);
+ kfree(sinfo);
+ }
+}
+
+/**
+ * pkcs7_free_message - Free a PKCS#7 message
+ * @pkcs7: The PKCS#7 message to free
+ */
+void pkcs7_free_message(struct pkcs7_message *pkcs7)
+{
+ struct x509_certificate *cert;
+ struct pkcs7_signed_info *sinfo;
+
+ if (pkcs7) {
+ while (pkcs7->certs) {
+ cert = pkcs7->certs;
+ pkcs7->certs = cert->next;
+ x509_free_certificate(cert);
+ }
+ while (pkcs7->crl) {
+ cert = pkcs7->crl;
+ pkcs7->crl = cert->next;
+ x509_free_certificate(cert);
+ }
+ while (pkcs7->signed_infos) {
+ sinfo = pkcs7->signed_infos;
+ pkcs7->signed_infos = sinfo->next;
+ pkcs7_free_signed_info(sinfo);
+ }
+ kfree(pkcs7);
+ }
+}
+EXPORT_SYMBOL_GPL(pkcs7_free_message);
+
+/*
+ * Check authenticatedAttributes are provided or not provided consistently.
+ */
+static int pkcs7_check_authattrs(struct pkcs7_message *msg)
+{
+ struct pkcs7_signed_info *sinfo;
+ bool want = false;
+
+ sinfo = msg->signed_infos;
+ if (!sinfo)
+ goto inconsistent;
+
+ if (sinfo->authattrs) {
+ want = true;
+ msg->have_authattrs = true;
+ }
+
+ for (sinfo = sinfo->next; sinfo; sinfo = sinfo->next)
+ if (!!sinfo->authattrs != want)
+ goto inconsistent;
+ return 0;
+
+inconsistent:
+ pr_warn("Inconsistently supplied authAttrs\n");
+ return -EINVAL;
+}
+
+/**
+ * pkcs7_parse_message - Parse a PKCS#7 message
+ * @data: The raw binary ASN.1 encoded message to be parsed
+ * @datalen: The size of the encoded message
+ */
+struct pkcs7_message *pkcs7_parse_message(const void *data, size_t datalen)
+{
+ struct pkcs7_parse_context *ctx;
+ struct pkcs7_message *msg = ERR_PTR(-ENOMEM);
+ int ret;
+
+ ctx = kzalloc(sizeof(struct pkcs7_parse_context), GFP_KERNEL);
+ if (!ctx)
+ goto out_no_ctx;
+ ctx->msg = kzalloc(sizeof(struct pkcs7_message), GFP_KERNEL);
+ if (!ctx->msg)
+ goto out_no_msg;
+ ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL);
+ if (!ctx->sinfo)
+ goto out_no_sinfo;
+ ctx->sinfo->sig = kzalloc(sizeof(struct public_key_signature),
+ GFP_KERNEL);
+ if (!ctx->sinfo->sig)
+ goto out_no_sig;
+
+ ctx->data = (unsigned long)data;
+ ctx->ppcerts = &ctx->certs;
+ ctx->ppsinfo = &ctx->msg->signed_infos;
+
+ /* Attempt to decode the signature */
+ ret = asn1_ber_decoder(&pkcs7_decoder, ctx, data, datalen);
+ if (ret < 0) {
+ msg = ERR_PTR(ret);
+ goto out;
+ }
+
+ ret = pkcs7_check_authattrs(ctx->msg);
+ if (ret < 0) {
+ msg = ERR_PTR(ret);
+ goto out;
+ }
+
+ msg = ctx->msg;
+ ctx->msg = NULL;
+
+out:
+ while (ctx->certs) {
+ struct x509_certificate *cert = ctx->certs;
+ ctx->certs = cert->next;
+ x509_free_certificate(cert);
+ }
+out_no_sig:
+ pkcs7_free_signed_info(ctx->sinfo);
+out_no_sinfo:
+ pkcs7_free_message(ctx->msg);
+out_no_msg:
+ kfree(ctx);
+out_no_ctx:
+ return msg;
+}
+EXPORT_SYMBOL_GPL(pkcs7_parse_message);
+
+/**
+ * pkcs7_get_content_data - Get access to the PKCS#7 content
+ * @pkcs7: The preparsed PKCS#7 message to access
+ * @_data: Place to return a pointer to the data
+ * @_data_len: Place to return the data length
+ * @_headerlen: Size of ASN.1 header not included in _data
+ *
+ * Get access to the data content of the PKCS#7 message. The size of the
+ * header of the ASN.1 object that contains it is also provided and can be used
+ * to adjust *_data and *_data_len to get the entire object.
+ *
+ * Returns -ENODATA if the data object was missing from the message.
+ */
+int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
+ const void **_data, size_t *_data_len,
+ size_t *_headerlen)
+{
+ if (!pkcs7->data)
+ return -ENODATA;
+
+ *_data = pkcs7->data;
+ *_data_len = pkcs7->data_len;
+ if (_headerlen)
+ *_headerlen = pkcs7->data_hdrlen;
+ return 0;
+}
+EXPORT_SYMBOL_GPL(pkcs7_get_content_data);
+
+/*
+ * Note an OID when we find one for later processing when we know how
+ * to interpret it.
+ */
+int pkcs7_note_OID(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+
+ ctx->last_oid = look_up_OID(value, vlen);
+ if (ctx->last_oid == OID__NR) {
+ char buffer[50];
+ sprint_oid(value, vlen, buffer, sizeof(buffer));
+ printk("PKCS7: Unknown OID: [%lu] %s\n",
+ (unsigned long)value - ctx->data, buffer);
+ }
+ return 0;
+}
+
+/*
+ * Note the digest algorithm for the signature.
+ */
+int pkcs7_sig_note_digest_algo(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+
+ switch (ctx->last_oid) {
+ case OID_md4:
+ ctx->sinfo->sig->hash_algo = "md4";
+ break;
+ case OID_md5:
+ ctx->sinfo->sig->hash_algo = "md5";
+ break;
+ case OID_sha1:
+ ctx->sinfo->sig->hash_algo = "sha1";
+ break;
+ case OID_sha256:
+ ctx->sinfo->sig->hash_algo = "sha256";
+ break;
+ case OID_sha384:
+ ctx->sinfo->sig->hash_algo = "sha384";
+ break;
+ case OID_sha512:
+ ctx->sinfo->sig->hash_algo = "sha512";
+ break;
+ case OID_sha224:
+ ctx->sinfo->sig->hash_algo = "sha224";
+ break;
+ default:
+ printk("Unsupported digest algo: %u\n", ctx->last_oid);
+ return -ENOPKG;
+ }
+ return 0;
+}
+
+/*
+ * Note the public key algorithm for the signature.
+ */
+int pkcs7_sig_note_pkey_algo(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+
+ switch (ctx->last_oid) {
+ case OID_rsaEncryption:
+ ctx->sinfo->sig->pkey_algo = "rsa";
+ ctx->sinfo->sig->encoding = "pkcs1";
+ break;
+ default:
+ printk("Unsupported pkey algo: %u\n", ctx->last_oid);
+ return -ENOPKG;
+ }
+ return 0;
+}
+
+/*
+ * We only support signed data [RFC2315 sec 9].
+ */
+int pkcs7_check_content_type(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+
+ if (ctx->last_oid != OID_signed_data) {
+ pr_warn("Only support pkcs7_signedData type\n");
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+/*
+ * Note the SignedData version
+ */
+int pkcs7_note_signeddata_version(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+ unsigned version;
+
+ if (vlen != 1)
+ goto unsupported;
+
+ ctx->msg->version = version = *(const u8 *)value;
+ switch (version) {
+ case 1:
+ /* PKCS#7 SignedData [RFC2315 sec 9.1]
+ * CMS ver 1 SignedData [RFC5652 sec 5.1]
+ */
+ break;
+ case 3:
+ /* CMS ver 3 SignedData [RFC2315 sec 5.1] */
+ break;
+ default:
+ goto unsupported;
+ }
+
+ return 0;
+
+unsupported:
+ pr_warn("Unsupported SignedData version\n");
+ return -EINVAL;
+}
+
+/*
+ * Note the SignerInfo version
+ */
+int pkcs7_note_signerinfo_version(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+ unsigned version;
+
+ if (vlen != 1)
+ goto unsupported;
+
+ version = *(const u8 *)value;
+ switch (version) {
+ case 1:
+ /* PKCS#7 SignerInfo [RFC2315 sec 9.2]
+ * CMS ver 1 SignerInfo [RFC5652 sec 5.3]
+ */
+ if (ctx->msg->version != 1)
+ goto version_mismatch;
+ ctx->expect_skid = false;
+ break;
+ case 3:
+ /* CMS ver 3 SignerInfo [RFC2315 sec 5.3] */
+ if (ctx->msg->version == 1)
+ goto version_mismatch;
+ ctx->expect_skid = true;
+ break;
+ default:
+ goto unsupported;
+ }
+
+ return 0;
+
+unsupported:
+ pr_warn("Unsupported SignerInfo version\n");
+ return -EINVAL;
+version_mismatch:
+ pr_warn("SignedData-SignerInfo version mismatch\n");
+ return -EBADMSG;
+}
+
+/*
+ * Extract a certificate and store it in the context.
+ */
+int pkcs7_extract_cert(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+ struct x509_certificate *x509;
+
+ if (tag != ((ASN1_UNIV << 6) | ASN1_CONS_BIT | ASN1_SEQ)) {
+ pr_debug("Cert began with tag %02x@%lu\n",
+ tag, (unsigned long)ctx - ctx->data);
+ return -EBADMSG;
+ }
+
+ /* We have to correct for the header so that the X.509 parser can start
+ * from the beginning. Note that since X.509 stipulates DER, there
+ * probably shouldn't be an EOC trailer - but it is in PKCS#7 (which
+ * stipulates BER).
+ */
+ value -= hdrlen;
+ vlen += hdrlen;
+
+ if (((u8*)value)[1] == 0x80)
+ vlen += 2; /* Indefinite length - there should be an EOC */
+
+ x509 = x509_cert_parse(value, vlen);
+ if (IS_ERR(x509))
+ return PTR_ERR(x509);
+
+ x509->index = ++ctx->x509_index;
+ pr_debug("Got cert %u for %s\n", x509->index, x509->subject);
+ pr_debug("- fingerprint %*phN\n", x509->id->len, x509->id->data);
+
+ *ctx->ppcerts = x509;
+ ctx->ppcerts = &x509->next;
+ return 0;
+}
+
+/*
+ * Save the certificate list
+ */
+int pkcs7_note_certificate_list(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+
+ pr_devel("Got cert list (%02x)\n", tag);
+
+ *ctx->ppcerts = ctx->msg->certs;
+ ctx->msg->certs = ctx->certs;
+ ctx->certs = NULL;
+ ctx->ppcerts = &ctx->certs;
+ return 0;
+}
+
+/*
+ * Note the content type.
+ */
+int pkcs7_note_content(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+
+ if (ctx->last_oid != OID_data &&
+ ctx->last_oid != OID_msIndirectData) {
+ pr_warn("Unsupported data type %d\n", ctx->last_oid);
+ return -EINVAL;
+ }
+
+ ctx->msg->data_type = ctx->last_oid;
+ return 0;
+}
+
+/*
+ * Extract the data from the message and store that and its content type OID in
+ * the context.
+ */
+int pkcs7_note_data(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+
+ pr_debug("Got data\n");
+
+ ctx->msg->data = value;
+ ctx->msg->data_len = vlen;
+ ctx->msg->data_hdrlen = hdrlen;
+ return 0;
+}
+
+/*
+ * Parse authenticated attributes.
+ */
+int pkcs7_sig_note_authenticated_attr(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+ struct pkcs7_signed_info *sinfo = ctx->sinfo;
+ enum OID content_type;
+
+ pr_devel("AuthAttr: %02x %zu [%*ph]\n", tag, vlen, (unsigned)vlen, value);
+
+ switch (ctx->last_oid) {
+ case OID_contentType:
+ if (__test_and_set_bit(sinfo_has_content_type, &sinfo->aa_set))
+ goto repeated;
+ content_type = look_up_OID(value, vlen);
+ if (content_type != ctx->msg->data_type) {
+ pr_warn("Mismatch between global data type (%d) and sinfo %u (%d)\n",
+ ctx->msg->data_type, sinfo->index,
+ content_type);
+ return -EBADMSG;
+ }
+ return 0;
+
+ case OID_signingTime:
+ if (__test_and_set_bit(sinfo_has_signing_time, &sinfo->aa_set))
+ goto repeated;
+ /* Should we check that the signing time is consistent
+ * with the signer's X.509 cert?
+ */
+ return x509_decode_time(&sinfo->signing_time,
+ hdrlen, tag, value, vlen);
+
+ case OID_messageDigest:
+ if (__test_and_set_bit(sinfo_has_message_digest, &sinfo->aa_set))
+ goto repeated;
+ if (tag != ASN1_OTS)
+ return -EBADMSG;
+ sinfo->msgdigest = value;
+ sinfo->msgdigest_len = vlen;
+ return 0;
+
+ case OID_smimeCapabilites:
+ if (__test_and_set_bit(sinfo_has_smime_caps, &sinfo->aa_set))
+ goto repeated;
+#ifdef __UBOOT__ /* OID_data is needed for authenticated UEFI variables */
+ if (ctx->msg->data_type != OID_msIndirectData &&
+ ctx->msg->data_type != OID_data) {
+#else
+ if (ctx->msg->data_type != OID_msIndirectData) {
+#endif
+ pr_warn("S/MIME Caps only allowed with Authenticode\n");
+ return -EKEYREJECTED;
+ }
+ return 0;
+
+ /* Microsoft SpOpusInfo seems to be contain cont[0] 16-bit BE
+ * char URLs and cont[1] 8-bit char URLs.
+ *
+ * Microsoft StatementType seems to contain a list of OIDs that
+ * are also used as extendedKeyUsage types in X.509 certs.
+ */
+ case OID_msSpOpusInfo:
+ if (__test_and_set_bit(sinfo_has_ms_opus_info, &sinfo->aa_set))
+ goto repeated;
+ goto authenticode_check;
+ case OID_msStatementType:
+ if (__test_and_set_bit(sinfo_has_ms_statement_type, &sinfo->aa_set))
+ goto repeated;
+ authenticode_check:
+ if (ctx->msg->data_type != OID_msIndirectData) {
+ pr_warn("Authenticode AuthAttrs only allowed with Authenticode\n");
+ return -EKEYREJECTED;
+ }
+ /* I'm not sure how to validate these */
+ return 0;
+ default:
+ return 0;
+ }
+
+repeated:
+ /* We permit max one item per AuthenticatedAttribute and no repeats */
+ pr_warn("Repeated/multivalue AuthAttrs not permitted\n");
+ return -EKEYREJECTED;
+}
+
+/*
+ * Note the set of auth attributes for digestion purposes [RFC2315 sec 9.3]
+ */
+int pkcs7_sig_note_set_of_authattrs(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+ struct pkcs7_signed_info *sinfo = ctx->sinfo;
+
+ if (!test_bit(sinfo_has_content_type, &sinfo->aa_set) ||
+ !test_bit(sinfo_has_message_digest, &sinfo->aa_set)) {
+ pr_warn("Missing required AuthAttr\n");
+ return -EBADMSG;
+ }
+
+ if (ctx->msg->data_type != OID_msIndirectData &&
+ test_bit(sinfo_has_ms_opus_info, &sinfo->aa_set)) {
+ pr_warn("Unexpected Authenticode AuthAttr\n");
+ return -EBADMSG;
+ }
+
+ /* We need to switch the 'CONT 0' to a 'SET OF' when we digest */
+ sinfo->authattrs = value - (hdrlen - 1);
+ sinfo->authattrs_len = vlen + (hdrlen - 1);
+ return 0;
+}
+
+/*
+ * Note the issuing certificate serial number
+ */
+int pkcs7_sig_note_serial(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+ ctx->raw_serial = value;
+ ctx->raw_serial_size = vlen;
+ return 0;
+}
+
+/*
+ * Note the issuer's name
+ */
+int pkcs7_sig_note_issuer(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+ ctx->raw_issuer = value;
+ ctx->raw_issuer_size = vlen;
+ return 0;
+}
+
+/*
+ * Note the issuing cert's subjectKeyIdentifier
+ */
+int pkcs7_sig_note_skid(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+
+ pr_devel("SKID: %02x %zu [%*ph]\n", tag, vlen, (unsigned)vlen, value);
+
+ ctx->raw_skid = value;
+ ctx->raw_skid_size = vlen;
+ return 0;
+}
+
+/*
+ * Note the signature data
+ */
+int pkcs7_sig_note_signature(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+
+ ctx->sinfo->sig->s = kmemdup(value, vlen, GFP_KERNEL);
+ if (!ctx->sinfo->sig->s)
+ return -ENOMEM;
+
+ ctx->sinfo->sig->s_size = vlen;
+ return 0;
+}
+
+/*
+ * Note a signature information block
+ */
+int pkcs7_note_signed_info(void *context, size_t hdrlen,
+ unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct pkcs7_parse_context *ctx = context;
+ struct pkcs7_signed_info *sinfo = ctx->sinfo;
+ struct asymmetric_key_id *kid;
+
+ if (ctx->msg->data_type == OID_msIndirectData && !sinfo->authattrs) {
+ pr_warn("Authenticode requires AuthAttrs\n");
+ return -EBADMSG;
+ }
+
+ /* Generate cert issuer + serial number key ID */
+ if (!ctx->expect_skid) {
+ kid = asymmetric_key_generate_id(ctx->raw_serial,
+ ctx->raw_serial_size,
+ ctx->raw_issuer,
+ ctx->raw_issuer_size);
+ } else {
+ kid = asymmetric_key_generate_id(ctx->raw_skid,
+ ctx->raw_skid_size,
+ "", 0);
+ }
+ if (IS_ERR(kid))
+ return PTR_ERR(kid);
+
+ pr_devel("SINFO KID: %u [%*phN]\n", kid->len, kid->len, kid->data);
+
+ sinfo->sig->auth_ids[0] = kid;
+ sinfo->index = ++ctx->sinfo_index;
+ *ctx->ppsinfo = sinfo;
+ ctx->ppsinfo = &sinfo->next;
+ ctx->sinfo = kzalloc(sizeof(struct pkcs7_signed_info), GFP_KERNEL);
+ if (!ctx->sinfo)
+ return -ENOMEM;
+ ctx->sinfo->sig = kzalloc(sizeof(struct public_key_signature),
+ GFP_KERNEL);
+ if (!ctx->sinfo->sig)
+ return -ENOMEM;
+ return 0;
+}
diff --git a/lib/crypto/pkcs7_parser.h b/lib/crypto/pkcs7_parser.h
new file mode 100644
index 000000000000..ac341e19e530
--- /dev/null
+++ b/lib/crypto/pkcs7_parser.h
@@ -0,0 +1,69 @@
+/* PKCS#7 crypto data parser internal definitions
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowells at redhat.com)
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#include <linux/oid_registry.h>
+#include <crypto/pkcs7.h>
+#include "x509_parser.h"
+
+#define kenter(FMT, ...) \
+ pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
+#define kleave(FMT, ...) \
+ pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
+
+struct pkcs7_signed_info {
+ struct pkcs7_signed_info *next;
+ struct x509_certificate *signer; /* Signing certificate (in msg->certs) */
+ unsigned index;
+ bool unsupported_crypto; /* T if not usable due to missing crypto */
+ bool blacklisted;
+
+ /* Message digest - the digest of the Content Data (or NULL) */
+ const void *msgdigest;
+ unsigned msgdigest_len;
+
+ /* Authenticated Attribute data (or NULL) */
+ unsigned authattrs_len;
+ const void *authattrs;
+ unsigned long aa_set;
+#define sinfo_has_content_type 0
+#define sinfo_has_signing_time 1
+#define sinfo_has_message_digest 2
+#define sinfo_has_smime_caps 3
+#define sinfo_has_ms_opus_info 4
+#define sinfo_has_ms_statement_type 5
+ time64_t signing_time;
+
+ /* Message signature.
+ *
+ * This contains the generated digest of _either_ the Content Data or
+ * the Authenticated Attributes [RFC2315 9.3]. If the latter, one of
+ * the attributes contains the digest of the the Content Data within
+ * it.
+ *
+ * THis also contains the issuing cert serial number and issuer's name
+ * [PKCS#7 or CMS ver 1] or issuing cert's SKID [CMS ver 3].
+ */
+ struct public_key_signature *sig;
+};
+
+struct pkcs7_message {
+ struct x509_certificate *certs; /* Certificate list */
+ struct x509_certificate *crl; /* Revocation list */
+ struct pkcs7_signed_info *signed_infos;
+ u8 version; /* Version of cert (1 -> PKCS#7 or CMS; 3 -> CMS) */
+ bool have_authattrs; /* T if have authattrs */
+
+ /* Content Data (or NULL) */
+ enum OID data_type; /* Type of Data */
+ size_t data_len; /* Length of Data */
+ size_t data_hdrlen; /* Length of Data ASN.1 header */
+ const void *data; /* Content Data (or 0) */
+};
diff --git a/scripts/Makefile.build b/scripts/Makefile.build
index 9357d310e50b..71458e089cd6 100644
--- a/scripts/Makefile.build
+++ b/scripts/Makefile.build
@@ -419,11 +419,9 @@ targets += $(multi-used-y) $(multi-used-m)
intermediate_targets = $(foreach sfx, $(2), \
$(patsubst %$(strip $(1)),%$(sfx), \
$(filter %$(strip $(1)), $(targets))))
-# %.asn1.o <- %.asn1.[ch] <- %.asn1
# %.lex.o <- %.lex.c <- %.l
# %.tab.o <- %.tab.[ch] <- %.y
-targets += $(call intermediate_targets, .asn1.o, .asn1.c .asn1.h) \
- $(call intermediate_targets, .lex.o, .lex.c) \
+targets += $(call intermediate_targets, .lex.o, .lex.c) \
$(call intermediate_targets, .tab.o, .tab.c .tab.h)
# Descending
--
2.21.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [U-Boot] [RFC 9/9] lib: crypto: add rsa public key parser
2019-09-03 5:42 [U-Boot] [RFC 0/9] import x509/pkcs7 parsers from linux AKASHI Takahiro
` (7 preceding siblings ...)
2019-09-03 5:42 ` [U-Boot] [RFC 8/9] lib: crypto: add pkcs7 message parser AKASHI Takahiro
@ 2019-09-03 5:42 ` AKASHI Takahiro
2019-10-03 5:51 ` [U-Boot] [RFC 0/9] import x509/pkcs7 parsers from linux AKASHI Takahiro
9 siblings, 0 replies; 11+ messages in thread
From: AKASHI Takahiro @ 2019-09-03 5:42 UTC (permalink / raw)
To: u-boot
Imported from linux kernel v5.0.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
include/crypto/internal/rsa.h | 62 +++++++++++++++++++++++++++
lib/crypto/Makefile | 10 ++++-
lib/crypto/rsa_helper.c | 81 +++++++++++++++++++++++++++++++++++
lib/crypto/rsapubkey.asn1 | 4 ++
4 files changed, 156 insertions(+), 1 deletion(-)
create mode 100644 include/crypto/internal/rsa.h
create mode 100644 lib/crypto/rsa_helper.c
create mode 100644 lib/crypto/rsapubkey.asn1
diff --git a/include/crypto/internal/rsa.h b/include/crypto/internal/rsa.h
new file mode 100644
index 000000000000..9e8f1590de98
--- /dev/null
+++ b/include/crypto/internal/rsa.h
@@ -0,0 +1,62 @@
+/*
+ * RSA internal helpers
+ *
+ * Copyright (c) 2015, Intel Corporation
+ * Authors: Tadeusz Struk <tadeusz.struk@intel.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ */
+#ifndef _RSA_HELPER_
+#define _RSA_HELPER_
+#include <linux/types.h>
+
+/**
+ * rsa_key - RSA key structure
+ * @n : RSA modulus raw byte stream
+ * @e : RSA public exponent raw byte stream
+ * @d : RSA private exponent raw byte stream
+ * @p : RSA prime factor p of n raw byte stream
+ * @q : RSA prime factor q of n raw byte stream
+ * @dp : RSA exponent d mod (p - 1) raw byte stream
+ * @dq : RSA exponent d mod (q - 1) raw byte stream
+ * @qinv : RSA CRT coefficient q^(-1) mod p raw byte stream
+ * @n_sz : length in bytes of RSA modulus n
+ * @e_sz : length in bytes of RSA public exponent
+ * @d_sz : length in bytes of RSA private exponent
+ * @p_sz : length in bytes of p field
+ * @q_sz : length in bytes of q field
+ * @dp_sz : length in bytes of dp field
+ * @dq_sz : length in bytes of dq field
+ * @qinv_sz : length in bytes of qinv field
+ */
+struct rsa_key {
+ const u8 *n;
+ const u8 *e;
+ const u8 *d;
+ const u8 *p;
+ const u8 *q;
+ const u8 *dp;
+ const u8 *dq;
+ const u8 *qinv;
+ size_t n_sz;
+ size_t e_sz;
+ size_t d_sz;
+ size_t p_sz;
+ size_t q_sz;
+ size_t dp_sz;
+ size_t dq_sz;
+ size_t qinv_sz;
+};
+
+int rsa_parse_pub_key(struct rsa_key *rsa_key, const void *key,
+ unsigned int key_len);
+
+int rsa_parse_priv_key(struct rsa_key *rsa_key, const void *key,
+ unsigned int key_len);
+
+extern struct crypto_template rsa_pkcs1pad_tmpl;
+#endif
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 3e98d28ea17a..f2cd3fbb0413 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -17,7 +17,9 @@ x509_key_parser-y := \
x509.asn1.o \
x509_akid.asn1.o \
x509_cert_parser.o \
- x509_public_key.o
+ x509_public_key.o \
+ rsapubkey.asn1.o \
+ rsa_helper.o
$(obj)/x509_cert_parser.o: \
$(obj)/x509.asn1.h \
@@ -36,3 +38,9 @@ pkcs7_message-y := \
$(obj)/pkcs7_parser.o: $(obj)/pkcs7.asn1.h
$(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h
+
+#
+# RSA public key parser
+#
+$(obj)/rsapubkey.asn1.o: $(obj)/rsapubkey.asn1.c $(obj)/rsapubkey.asn1.h
+$(obj)/rsa_helper.o: $(obj)/rsapubkey.asn1.h
diff --git a/lib/crypto/rsa_helper.c b/lib/crypto/rsa_helper.c
new file mode 100644
index 000000000000..577dfbc1c5fd
--- /dev/null
+++ b/lib/crypto/rsa_helper.c
@@ -0,0 +1,81 @@
+/*
+ * RSA key extract helper
+ *
+ * Copyright (c) 2015, Intel Corporation
+ * Authors: Tadeusz Struk <tadeusz.struk@intel.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ */
+#include <linux/err.h>
+#include <crypto/internal/rsa.h>
+#include "rsapubkey.asn1.h"
+
+int rsa_get_n(void *context, size_t hdrlen, unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct rsa_key *key = context;
+#ifndef __UBOOT__
+ const u8 *ptr = value;
+ size_t n_sz = vlen;
+#endif
+
+ /* invalid key provided */
+ if (!value || !vlen)
+ return -EINVAL;
+
+#ifndef __UBOOT__
+ if (fips_enabled) {
+ while (n_sz && !*ptr) {
+ ptr++;
+ n_sz--;
+ }
+
+ /* In FIPS mode only allow key size 2K and higher */
+ if (n_sz < 256) {
+ pr_err("RSA: key size not allowed in FIPS mode\n");
+ return -EINVAL;
+ }
+ }
+#endif
+
+ key->n = value;
+ key->n_sz = vlen;
+
+ return 0;
+}
+
+int rsa_get_e(void *context, size_t hdrlen, unsigned char tag,
+ const void *value, size_t vlen)
+{
+ struct rsa_key *key = context;
+
+ /* invalid key provided */
+ if (!value || !key->n_sz || !vlen || vlen > key->n_sz)
+ return -EINVAL;
+
+ key->e = value;
+ key->e_sz = vlen;
+
+ return 0;
+}
+
+/**
+ * rsa_parse_pub_key() - decodes the BER encoded buffer and stores in the
+ * provided struct rsa_key, pointers to the raw key as is,
+ * so that the caller can copy it or MPI parse it, etc.
+ *
+ * @rsa_key: struct rsa_key key representation
+ * @key: key in BER format
+ * @key_len: length of key
+ *
+ * Return: 0 on success or error code in case of error
+ */
+int rsa_parse_pub_key(struct rsa_key *rsa_key, const void *key,
+ unsigned int key_len)
+{
+ return asn1_ber_decoder(&rsapubkey_decoder, rsa_key, key, key_len);
+}
diff --git a/lib/crypto/rsapubkey.asn1 b/lib/crypto/rsapubkey.asn1
new file mode 100644
index 000000000000..725498e461d2
--- /dev/null
+++ b/lib/crypto/rsapubkey.asn1
@@ -0,0 +1,4 @@
+RsaPubKey ::= SEQUENCE {
+ n INTEGER ({ rsa_get_n }),
+ e INTEGER ({ rsa_get_e })
+}
--
2.21.0
^ permalink raw reply related [flat|nested] 11+ messages in thread* [U-Boot] [RFC 0/9] import x509/pkcs7 parsers from linux
2019-09-03 5:42 [U-Boot] [RFC 0/9] import x509/pkcs7 parsers from linux AKASHI Takahiro
` (8 preceding siblings ...)
2019-09-03 5:42 ` [U-Boot] [RFC 9/9] lib: crypto: add rsa public key parser AKASHI Takahiro
@ 2019-10-03 5:51 ` AKASHI Takahiro
9 siblings, 0 replies; 11+ messages in thread
From: AKASHI Takahiro @ 2019-10-03 5:51 UTC (permalink / raw)
To: u-boot
Ping.
Does anybody have any comments on this patch set?
Happy or unhappy with my approach here?
Thanks,
-Takahiro Akashi
On Tue, Sep 03, 2019 at 02:42:37PM +0900, AKASHI Takahiro wrote:
> Asn1 parsers of x509 certificates and pkcs7 messages are required
> to implement image authentication and variable authentication as
> part of UEFI secure boot feature.
>
> As we discussed before in the thread[1], most people insisted that
> we should re-use corresponding source code from Linux repository
> for this purpose.
>
> Here is my attempt to import all the necessary files from Linux; Those
> will eventually be part of UEFI secure boot implementation, but I'd like
> to get early feedback from other peoples before submitting the whole
> patchset so that they will be better formatted for merging.
>
> My approach here is
> * files from Linux 5.0
> (will be updated to the latest when I will submit them as finalized
> patches.)
> * modify files as little as possible
> * mark/protect unavoidable changes with "#if(n)def __UBOOT__"
> so that future fixes/differences in Linux repository will easily
> be applied to U-Boot.
>
> Please note that checkpatch.pl will complain with a bunch of
> warnings/errors but I intentionally left them unchanged for the sake
> of better maintainability I said above.
>
> Any comments will be appreciated.
> -Takahiro Akashi
>
> [1] https://lists.denx.de/pipermail/u-boot/2019-April/366423.html
>
> AKASHI Takahiro (9):
> cmd: add asn1_compiler
> Makefile: add build script for asn1 parsers
> lib: add asn1 decoder
> lib: add oid registry utility
> lib: crypto: add public key utility
> lib: crypto: add public_key_verify_signature()
> lib: crypto: add x509 parser
> lib: crypto: add pkcs7 message parser
> lib: crypto: add rsa public key parser
>
> cmd/Kconfig | 3 +
> include/crypto/internal/rsa.h | 62 ++
> include/crypto/pkcs7.h | 51 +
> include/crypto/public_key.h | 89 ++
> include/keys/asymmetric-type.h | 92 ++
> include/linux/asn1.h | 69 ++
> include/linux/asn1_ber_bytecode.h | 93 ++
> include/linux/asn1_decoder.h | 24 +
> include/linux/oid_registry.h | 103 ++
> lib/Kconfig | 12 +
> lib/Makefile | 18 +
> lib/asn1_decoder.c | 520 ++++++++++
> lib/build_OID_registry | 207 ++++
> lib/crypto/Kconfig | 38 +
> lib/crypto/Makefile | 46 +
> lib/crypto/asymmetric_type.c | 655 ++++++++++++
> lib/crypto/pkcs7.asn1 | 135 +++
> lib/crypto/pkcs7_parser.c | 690 ++++++++++++
> lib/crypto/pkcs7_parser.h | 69 ++
> lib/crypto/public_key.c | 344 ++++++
> lib/crypto/public_key_local.c | 69 ++
> lib/crypto/rsa_helper.c | 81 ++
> lib/crypto/rsapubkey.asn1 | 4 +
> lib/crypto/x509.asn1 | 60 ++
> lib/crypto/x509_akid.asn1 | 35 +
> lib/crypto/x509_cert_parser.c | 644 ++++++++++++
> lib/crypto/x509_parser.h | 61 ++
> lib/crypto/x509_public_key.c | 284 +++++
> lib/oid_registry.c | 178 ++++
> scripts/Makefile | 3 +
> scripts/Makefile.build | 2 +-
> scripts/asn1_compiler.c | 1615 +++++++++++++++++++++++++++++
> 32 files changed, 6355 insertions(+), 1 deletion(-)
> create mode 100644 include/crypto/internal/rsa.h
> create mode 100644 include/crypto/pkcs7.h
> create mode 100644 include/crypto/public_key.h
> create mode 100644 include/keys/asymmetric-type.h
> create mode 100644 include/linux/asn1.h
> create mode 100644 include/linux/asn1_ber_bytecode.h
> create mode 100644 include/linux/asn1_decoder.h
> create mode 100644 include/linux/oid_registry.h
> create mode 100644 lib/asn1_decoder.c
> create mode 100755 lib/build_OID_registry
> create mode 100644 lib/crypto/Kconfig
> create mode 100644 lib/crypto/Makefile
> create mode 100644 lib/crypto/asymmetric_type.c
> create mode 100644 lib/crypto/pkcs7.asn1
> create mode 100644 lib/crypto/pkcs7_parser.c
> create mode 100644 lib/crypto/pkcs7_parser.h
> create mode 100644 lib/crypto/public_key.c
> create mode 100644 lib/crypto/public_key_local.c
> create mode 100644 lib/crypto/rsa_helper.c
> create mode 100644 lib/crypto/rsapubkey.asn1
> create mode 100644 lib/crypto/x509.asn1
> create mode 100644 lib/crypto/x509_akid.asn1
> create mode 100644 lib/crypto/x509_cert_parser.c
> create mode 100644 lib/crypto/x509_parser.h
> create mode 100644 lib/crypto/x509_public_key.c
> create mode 100644 lib/oid_registry.c
> create mode 100644 scripts/asn1_compiler.c
>
> --
> 2.21.0
>
^ permalink raw reply [flat|nested] 11+ messages in thread