mirror of
https://github.com/AsahiLinux/u-boot
synced 2024-11-28 15:41:40 +00:00
lib: crypto: export and enhance pkcs7_verify_one()
The function, pkcs7_verify_one(), will be utilized to rework signature verification logic aiming to support intermediate certificates in "chain of trust." To do that, its function interface is expanded, adding an extra argument which is expected to return the last certificate in trusted chain. Then, this last one must further be verified with signature database, db and/or dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
This commit is contained in:
AKASHI Takahiro
Heinrich Schuchardt
parent
05329fa4c0
commit
5ee81c6e3f
2 changed files with 62 additions and 8 deletions
|
|
@ -27,7 +27,14 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
|
|||
const void **_data, size_t *_datalen,
|
||||
size_t *_headerlen);
|
||||
|
||||
#ifndef __UBOOT__
|
||||
#ifdef __UBOOT__
|
||||
struct pkcs7_signed_info;
|
||||
struct x509_certificate;
|
||||
|
||||
int pkcs7_verify_one(struct pkcs7_message *pkcs7,
|
||||
struct pkcs7_signed_info *sinfo,
|
||||
struct x509_certificate **signer);
|
||||
#else
|
||||
/*
|
||||
* pkcs7_trust.c
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -301,10 +301,27 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7,
|
|||
}
|
||||
|
||||
/*
|
||||
* Verify the internal certificate chain as best we can.
|
||||
* pkcs7_verify_sig_chain - Verify the internal certificate chain as best
|
||||
* as we can.
|
||||
* @pkcs7: PKCS7 Signed Data
|
||||
* @sinfo: PKCS7 Signed Info
|
||||
* @signer: Singer's certificate
|
||||
*
|
||||
* Build up and verify the internal certificate chain against a signature
|
||||
* in @sinfo, using certificates contained in @pkcs7 as best as we can.
|
||||
* If the chain reaches the end, the last certificate will be returned
|
||||
* in @signer.
|
||||
*
|
||||
* Return: 0 - on success, non-zero error code - otherwise
|
||||
*/
|
||||
#ifdef __UBOOT__
|
||||
static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
|
||||
struct pkcs7_signed_info *sinfo,
|
||||
struct x509_certificate **signer)
|
||||
#else
|
||||
static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
|
||||
struct pkcs7_signed_info *sinfo)
|
||||
#endif
|
||||
{
|
||||
struct public_key_signature *sig;
|
||||
struct x509_certificate *x509 = sinfo->signer, *p;
|
||||
|
|
@ -313,6 +330,8 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
|
|||
|
||||
kenter("");
|
||||
|
||||
*signer = NULL;
|
||||
|
||||
for (p = pkcs7->certs; p; p = p->next)
|
||||
p->seen = false;
|
||||
|
||||
|
|
@ -330,6 +349,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
|
|||
for (p = sinfo->signer; p != x509; p = p->signer)
|
||||
p->blacklisted = true;
|
||||
pr_debug("- blacklisted\n");
|
||||
#ifdef __UBOOT__
|
||||
*signer = x509;
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -355,6 +377,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
|
|||
goto unsupported_crypto_in_x509;
|
||||
x509->signer = x509;
|
||||
pr_debug("- self-signed\n");
|
||||
#ifdef __UBOOT__
|
||||
*signer = x509;
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -385,6 +410,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
|
|||
|
||||
/* We didn't find the root of this chain */
|
||||
pr_debug("- top\n");
|
||||
#ifdef __UBOOT__
|
||||
*signer = x509;
|
||||
#endif
|
||||
return 0;
|
||||
|
||||
found_issuer_check_skid:
|
||||
|
|
@ -402,6 +430,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
|
|||
if (p->seen) {
|
||||
pr_warn("Sig %u: X.509 chain contains loop\n",
|
||||
sinfo->index);
|
||||
#ifdef __UBOOT__
|
||||
*signer = p;
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
ret = public_key_verify_signature(p->pub, x509->sig);
|
||||
|
|
@ -410,6 +441,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
|
|||
x509->signer = p;
|
||||
if (x509 == p) {
|
||||
pr_debug("- self-signed\n");
|
||||
#ifdef __UBOOT__
|
||||
*signer = p;
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
x509 = p;
|
||||
|
|
@ -429,13 +463,26 @@ unsupported_crypto_in_x509:
|
|||
}
|
||||
|
||||
/*
|
||||
* Verify one signed information block from a PKCS#7 message.
|
||||
* pkcs7_verify_one - Verify one signed information block from a PKCS#7
|
||||
* message.
|
||||
* @pkcs7: PKCS7 Signed Data
|
||||
* @sinfo: PKCS7 Signed Info
|
||||
* @signer: Signer's certificate
|
||||
*
|
||||
* Verify one signature in @sinfo and follow the certificate chain.
|
||||
* If the chain reaches the end, the last certificate will be returned
|
||||
* in @signer.
|
||||
*
|
||||
* Return: 0 - on success, non-zero error code - otherwise
|
||||
*/
|
||||
#ifndef __UBOOT__
|
||||
static
|
||||
#endif
|
||||
#ifdef __UBOOT__
|
||||
int pkcs7_verify_one(struct pkcs7_message *pkcs7,
|
||||
struct pkcs7_signed_info *sinfo)
|
||||
struct pkcs7_signed_info *sinfo,
|
||||
struct x509_certificate **signer)
|
||||
#else
|
||||
static int pkcs7_verify_one(struct pkcs7_message *pkcs7,
|
||||
struct pkcs7_signed_info *sinfo)
|
||||
#endif
|
||||
{
|
||||
int ret;
|
||||
|
||||
|
|
@ -479,7 +526,7 @@ int pkcs7_verify_one(struct pkcs7_message *pkcs7,
|
|||
pr_devel("Verified signature %u\n", sinfo->index);
|
||||
|
||||
/* Verify the internal certificate chain */
|
||||
return pkcs7_verify_sig_chain(pkcs7, sinfo);
|
||||
return pkcs7_verify_sig_chain(pkcs7, sinfo, signer);
|
||||
}
|
||||
|
||||
#ifndef __UBOOT__
|
||||
|
|
|
|||
Loading…
Reference in a new issue