Gitiles
Code Review Sign In
git01.mediatek.com / filogic / uboot / 5985ac863cc0816635b3254b7e2d720a18a8ca31 / . / include / crypto / pkcs7_parser.h
blob: 469c2711fa6272d4f122d282837448d710fc4060 [file] [log] [blame]
AKASHI Takahiro5ace6ff2019-11-13 09:45:01 +0900[diff] [blame]1/* SPDX-License-Identifier: GPL-2.0-or-later */
2/* PKCS#7 crypto data parser internal definitions
3 *
4 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
6 */
7
AKASHI Takahiro5180e1a2020-04-21 09:37:52 +0900[diff] [blame]8#ifndef _PKCS7_PARSER_H
9#define _PKCS7_PARSER_H
10
AKASHI Takahiro5ace6ff2019-11-13 09:45:01 +0900[diff] [blame]11#include <linux/oid_registry.h>
12#include <crypto/pkcs7.h>
Heinrich Schuchardt35e64022020-07-08 07:48:06 +0200[diff] [blame]13#include <crypto/x509_parser.h>
Raymond Maoc3dc1f82024-10-03 14:50:33 -0700[diff] [blame]14#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
15#include <mbedtls/pkcs7.h>
16#include <library/x509_internal.h>
17#include <mbedtls/asn1.h>
18#include <mbedtls/oid.h>
19#endif
Simon Glassbdd5f812023-09-14 18:21:46 -0600[diff] [blame]20#include <linux/printk.h>
AKASHI Takahiro5ace6ff2019-11-13 09:45:01 +0900[diff] [blame]21
22#define kenter(FMT, ...) \
23 pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
24#define kleave(FMT, ...) \
25 pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
26
Raymond Maoc3dc1f82024-10-03 14:50:33 -0700[diff] [blame]27/* Backup the parsed MedTLS context that we need */
28#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
29struct pkcs7_mbedtls_ctx {
30 void *content_data;
31};
32
33struct pkcs7_sinfo_mbedtls_ctx {
34 void *authattrs_data;
35 void *content_data_digest;
36};
37#endif
38
39/*
40 * MbedTLS integration Notes:
41 *
42 * MbedTLS PKCS#7 library does not originally support parsing MicroSoft
43 * Authentication Code which is used for verifying the PE image digest.
44 *
45 * 1. Authenticated Attributes (authenticatedAttributes)
46 * MbedTLS assumes unauthenticatedAttributes and authenticatedAttributes
47 * fields not exist.
48 * See MbedTLS function 'pkcs7_get_signer_info' for details.
49 *
50 * 2. MicroSoft Authentication Code (mscode)
51 * MbedTLS only supports Content Data type defined as 1.2.840.113549.1.7.1
52 * (MBEDTLS_OID_PKCS7_DATA, aka OID_data).
53 * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code, aka
54 * OID_msIndirectData) is not supported.
55 * See MbedTLS function 'pkcs7_get_content_info_type' for details.
56 *
57 * But the EFI loader assumes that a PKCS#7 message with an EFI image always
58 * contains MicroSoft Authentication Code as Content Data (msg->data is NOT
59 * NULL), see function 'efi_signature_verify'.
60 *
61 * MbedTLS patch "0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch"
62 * is to support both above features by parsing the Content Data and
63 * Authenticate Attributes from a given PKCS#7 message.
64 *
65 * Other fields we don't need to populate from MbedTLS, which are used
66 * internally by pkcs7_verify:
67 * 'signer', 'unsupported_crypto', 'blacklisted'
68 * 'sig->digest' is used internally by pkcs7_digest to calculate the hash of
69 * Content Data or Authenticate Attributes.
70 */
AKASHI Takahiro5ace6ff2019-11-13 09:45:01 +0900[diff] [blame]71struct pkcs7_signed_info {
Raymond Maoc3dc1f82024-10-03 14:50:33 -0700[diff] [blame]72#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
73 struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx;
74#endif
AKASHI Takahiro5ace6ff2019-11-13 09:45:01 +0900[diff] [blame]75 struct pkcs7_signed_info *next;
76 struct x509_certificate *signer; /* Signing certificate (in msg->certs) */
77 unsigned index;
78 bool unsupported_crypto; /* T if not usable due to missing crypto */
79 bool blacklisted;
80
81 /* Message digest - the digest of the Content Data (or NULL) */
82 const void *msgdigest;
83 unsigned msgdigest_len;
84
85 /* Authenticated Attribute data (or NULL) */
86 unsigned authattrs_len;
87 const void *authattrs;
88 unsigned long aa_set;
89#define sinfo_has_content_type 0
90#define sinfo_has_signing_time 1
91#define sinfo_has_message_digest 2
92#define sinfo_has_smime_caps 3
93#define sinfo_has_ms_opus_info 4
94#define sinfo_has_ms_statement_type 5
95 time64_t signing_time;
96
97 /* Message signature.
98 *
99 * This contains the generated digest of _either_ the Content Data or
100 * the Authenticated Attributes [RFC2315 9.3]. If the latter, one of
101 * the attributes contains the digest of the the Content Data within
102 * it.
103 *
104 * THis also contains the issuing cert serial number and issuer's name
105 * [PKCS#7 or CMS ver 1] or issuing cert's SKID [CMS ver 3].
106 */
107 struct public_key_signature *sig;
108};
109
110struct pkcs7_message {
Raymond Maoc3dc1f82024-10-03 14:50:33 -0700[diff] [blame]111#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
112 struct pkcs7_mbedtls_ctx *mbedtls_ctx;
113#endif
AKASHI Takahiro5ace6ff2019-11-13 09:45:01 +0900[diff] [blame]114 struct x509_certificate *certs; /* Certificate list */
115 struct x509_certificate *crl; /* Revocation list */
116 struct pkcs7_signed_info *signed_infos;
117 u8 version; /* Version of cert (1 -> PKCS#7 or CMS; 3 -> CMS) */
118 bool have_authattrs; /* T if have authattrs */
119
120 /* Content Data (or NULL) */
121 enum OID data_type; /* Type of Data */
122 size_t data_len; /* Length of Data */
123 size_t data_hdrlen; /* Length of Data ASN.1 header */
124 const void *data; /* Content Data (or 0) */
125};
AKASHI Takahiro5180e1a2020-04-21 09:37:52 +0900[diff] [blame]126#endif /* _PKCS7_PARSER_H */