From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [PATCH v2 6/8] lib: crypto: export and enhance pkcs7_verify_one()
Date: Wed, 8 Jul 2020 15:37:27 +0900
Message-ID: <20200708063727.GA21477@laputa>
In-Reply-To: <7e3188d7-c7e0-83fa-4a51-ab1a458e374b@gmx.de>
Heinrich,
On Tue, Jul 07, 2020 at 12:32:02PM +0200, Heinrich Schuchardt wrote:
> On 16.06.20 07:26, AKASHI Takahiro wrote:
> > The function, pkcs7_verify_one(), will be utilized to rework signature
> > verification logic aiming to support intermediate certificates in
> > "chain of trust."
>
> Is this also copied from Linux's crypto/asymmetric_keys/pkcs7_verify.c?
> If so, please, mention it in the commit message.

Please read my comments carefully.
I clearly mentioned that this function was imported from Linux
in the previous commit, patch 4/8.
Moreover, in this commit message, I explicitly mentioned

> > To do that, its function interface is expanded, adding an extra argument
> > which is expected to return the last certificate in trusted chain.

What more do you expect?

-Takahiro Akashi

> If everything copied from crypto/asymmetric_keys/pkcs7_verify.c were in
> the same commit, the comparison would be easier.
>
> Best regards
>
> Heinrich
>
>
> >
> > To do that, its function interface is expanded, adding an extra argument
> > which is expected to return the last certificate in trusted chain.
> > Then, this last one must further be verified with signature database, db
> > and/or dbx.
> >
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
> > include/crypto/pkcs7.h | 9 +++++-
> > lib/crypto/pkcs7_verify.c | 61 ++++++++++++++++++++++++++++++++++-----
> > 2 files changed, 62 insertions(+), 8 deletions(-)
> >
> > diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
> > index 8f5c8a7ee3b9..ca35df29f6fb 100644
> > --- a/include/crypto/pkcs7.h
> > +++ b/include/crypto/pkcs7.h
> > @@ -27,7 +27,14 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
> > const void **_data, size_t *_datalen,
> > size_t *_headerlen);
> >
> > -#ifndef __UBOOT__
> > +#ifdef __UBOOT__
> > +struct pkcs7_signed_info;
> > +struct x509_certificate;
> > +
> > +int pkcs7_verify_one(struct pkcs7_message *pkcs7,
> > + struct pkcs7_signed_info *sinfo,
> > + struct x509_certificate **signer);
> > +#else
> > /*
> > * pkcs7_trust.c
> > */
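Review bot: The exported prototype of pkcs7_verify_one() in the `#ifdef __UBOOT__` branch carries no comment on what the caller receives through `signer`. The assignments later in this patch store a pointer taken from `sinfo->signer` or from the `pkcs7->certs` list, so the caller gets a pointer into the parsed message, not a copy. A short kernel-doc block above the declaration saying so, and that the caller must not free it, would help users of this header outside lib/crypto.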
> > diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c
> > index 9b9030ea4440..dda96ccf57a2 100644
> > --- a/lib/crypto/pkcs7_verify.c
> > +++ b/lib/crypto/pkcs7_verify.c
> > @@ -302,10 +302,27 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7,
> > }
> >
> > /*
> > - * Verify the internal certificate chain as best we can.
> > + * pkcs7_verify_sig_chain - Verify the internal certificate chain as best
> > + * as we can.
> > + * @pkcs7: PKCS7 Signed Data
> > + * @sinfo: PKCS7 Signed Info
> > + * @signer: Singer's certificate
> > + *
> > + * Build up and verify the internal certificate chain against a signature
> > + * in @sinfo, using certificates contained in @pkcs7 as best as we can.
> > + * If the chain reaches the end, the last certificate will be returned
> > + * in @signer.
> > + *
> > + * Return: 0 - on success, non-zero error code - otherwise
> > */
> > +#ifdef __UBOOT__
> > +static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
> > + struct pkcs7_signed_info *sinfo,
> > + struct x509_certificate **signer)
> > +#else
> > static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
> > struct pkcs7_signed_info *sinfo)
> > +#endif
> > {
> > struct public_key_signature *sig;
> > struct x509_certificate *x509 = sinfo->signer, *p;
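Review bot: In the new kernel-doc for pkcs7_verify_sig_chain(), the `@signer` line reads "Singer's certificate"; it should be "Signer's certificate", as in the pkcs7_verify_one() comment later in this patch. The sentence "If the chain reaches the end, the last certificate will be returned in @signer" is also narrower than the code: the following hunks set `*signer` on the blacklisted, loop and "We didn't find the root of this chain" returns as well, so the comment should list those cases or state that the returned certificate is not necessarily a root.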
> > @@ -314,6 +331,8 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
> >
> > kenter("");
> >
> > + *signer = NULL;
> > +
> > for (p = pkcs7->certs; p; p = p->next)
> > p->seen = false;
> >
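Review bot: `*signer = NULL;` is added outside any `#ifdef __UBOOT__`, while the `signer` parameter exists only in the `__UBOOT__` variant of the signature, so the `#else` variant no longer compiles; every other assignment to `*signer` in this patch is guarded. Either wrap this line in the same guard or drop the two-signature arrangement. The store is also unconditional, so a caller passing NULL for `signer` is dereferenced here; test `if (signer)` before writing, or document that the argument is mandatory.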
> > @@ -331,6 +350,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
> > for (p = sinfo->signer; p != x509; p = p->signer)
> > p->blacklisted = true;
> > pr_debug("- blacklisted\n");
> > +#ifdef __UBOOT__
> > + *signer = x509;
> > +#endif
> > return 0;
> > }
> >
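Review bot: The blacklisted return stores `x509` in `*signer` and returns 0, which is the same result the caller sees when the chain ends at a self-signed certificate. The loop just above marks the certificates from `sinfo->signer` up to, but not including, `x509`, and nothing in the return value tells the caller that this path was taken. Consider leaving `*signer` NULL on this path, or state in the function comment how the caller is expected to detect a blacklisted chain before it matches the returned certificate against db.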
> > @@ -356,6 +378,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
> > goto unsupported_crypto_in_x509;
> > x509->signer = x509;
> > pr_debug("- self-signed\n");
> > +#ifdef __UBOOT__
> > + *signer = x509;
> > +#endif
> > return 0;
> > }
> >
> > @@ -386,6 +411,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
> >
> > /* We didn't find the root of this chain */
> > pr_debug("- top\n");
> > +#ifdef __UBOOT__
> > + *signer = x509;
> > +#endif
> > return 0;
> >
> > found_issuer_check_skid:
> > @@ -403,6 +431,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
> > if (p->seen) {
> > pr_warn("Sig %u: X.509 chain contains loop\n",
> > sinfo->index);
> > +#ifdef __UBOOT__
> > + *signer = p;
> > +#endif
> > return 0;
> > }
> > ret = public_key_verify_signature(p->pub, x509->sig);
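Review bot: On the loop-detected return, `*signer = p` hands back a certificate whose signature over the current `x509` has not been checked at this point, because `public_key_verify_signature(p->pub, x509->sig)` only runs after this block. The earlier returns store `x509` instead. Returning `x509` here too, or leaving `*signer` NULL since a looping chain has no last certificate, would avoid giving the caller an unverified issuer as the certificate to check against db and dbx.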
> > @@ -411,6 +442,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
> > x509->signer = p;
> > if (x509 == p) {
> > pr_debug("- self-signed\n");
> > +#ifdef __UBOOT__
> > + *signer = p;
> > +#endif
> > return 0;
> > }
> > x509 = p;
> > @@ -430,13 +464,26 @@ unsupported_crypto_in_x509:
> > }
> >
> > /*
> > - * Verify one signed information block from a PKCS#7 message.
> > + * pkcs7_verify_one - Verify one signed information block from a PKCS#7
> > + * message.
> > + * @pkcs7: PKCS7 Signed Data
> > + * @sinfo: PKCS7 Signed Info
> > + * @signer: Signer's certificate
> > + *
> > + * Verify one signature in @sinfo and follow the certificate chain.
> > + * If the chain reaches the end, the last certificate will be returned
> > + * in @signer.
> > + *
> > + * Return: 0 - on success, non-zero error code - otherwise
> > */
> > -#ifndef __UBOOT__
> > -static
> > -#endif
> > +#ifdef __UBOOT__
> > int pkcs7_verify_one(struct pkcs7_message *pkcs7,
> > - struct pkcs7_signed_info *sinfo)
> > + struct pkcs7_signed_info *sinfo,
> > + struct x509_certificate **signer)
> > +#else
> > +static int pkcs7_verify_one(struct pkcs7_message *pkcs7,
> > + struct pkcs7_signed_info *sinfo)
> > +#endif
> > {
> > int ret;
> >
> > @@ -480,7 +527,7 @@ int pkcs7_verify_one(struct pkcs7_message *pkcs7,
> > pr_devel("Verified signature %u\n", sinfo->index);
> >
> > /* Verify the internal certificate chain */
> > - return pkcs7_verify_sig_chain(pkcs7, sinfo);
> > + return pkcs7_verify_sig_chain(pkcs7, sinfo, signer);
> > }
> >
> > #ifndef __UBOOT__
> >
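Review bot: `signer` is only forwarded in the final `return pkcs7_verify_sig_chain(pkcs7, sinfo, signer);`, so `*signer` is written only if pkcs7_verify_one() reaches that call. If the function returns earlier, the caller's pointer is left with whatever it held before. Setting `*signer = NULL` at the top of pkcs7_verify_one() would give callers a defined value on every return. This call also passes three arguments outside any `#ifdef __UBOOT__`, which does not match the two-argument `#else` declarations kept above.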
>