Gitiles
Code Review Sign In
git01.mediatek.com / filogic / uboot / 8e79549cbeb49091203a45c963e463880f686bc9 / . / include / crypto / pkcs7_parser.h
blob: fd1e48da09e4b901ec0093546b4885bd4523c072 [file] [log] [blame]
AKASHI Takahiro5ace6ff2019-11-13 09:45:01 +0900[diff] [blame]1/* SPDX-License-Identifier: GPL-2.0-or-later */
2/* PKCS#7 crypto data parser internal definitions
3 *
4 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
6 */
7
AKASHI Takahiro5180e1a2020-04-21 09:37:52 +0900[diff] [blame]8#ifndef _PKCS7_PARSER_H
9#define _PKCS7_PARSER_H
10
AKASHI Takahiro5ace6ff2019-11-13 09:45:01 +0900[diff] [blame]11#include <linux/oid_registry.h>
12#include <crypto/pkcs7.h>
Heinrich Schuchardt35e64022020-07-08 07:48:06 +0200[diff] [blame]13#include <crypto/x509_parser.h>
Raymond Maoc3dc1f82024-10-03 14:50:33 -0700[diff] [blame]14#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
Raymond Mao8e795492025-02-03 14:08:13 -0800[diff] [blame^]15#include "mbedtls_options.h"
Raymond Maoc3dc1f82024-10-03 14:50:33 -0700[diff] [blame]16#include <mbedtls/pkcs7.h>
17#include <library/x509_internal.h>
18#include <mbedtls/asn1.h>
19#include <mbedtls/oid.h>
20#endif
Simon Glassbdd5f812023-09-14 18:21:46 -0600[diff] [blame]21#include <linux/printk.h>
AKASHI Takahiro5ace6ff2019-11-13 09:45:01 +0900[diff] [blame]22
23#define kenter(FMT, ...) \
24 pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
25#define kleave(FMT, ...) \
26 pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
27
Raymond Maoc3dc1f82024-10-03 14:50:33 -0700[diff] [blame]28/* Backup the parsed MedTLS context that we need */
29#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
30struct pkcs7_mbedtls_ctx {
31 void *content_data;
32};
33
34struct pkcs7_sinfo_mbedtls_ctx {
35 void *authattrs_data;
36 void *content_data_digest;
37};
38#endif
39
40/*
41 * MbedTLS integration Notes:
42 *
43 * MbedTLS PKCS#7 library does not originally support parsing MicroSoft
44 * Authentication Code which is used for verifying the PE image digest.
45 *
46 * 1. Authenticated Attributes (authenticatedAttributes)
47 * MbedTLS assumes unauthenticatedAttributes and authenticatedAttributes
48 * fields not exist.
49 * See MbedTLS function 'pkcs7_get_signer_info' for details.
50 *
51 * 2. MicroSoft Authentication Code (mscode)
52 * MbedTLS only supports Content Data type defined as 1.2.840.113549.1.7.1
53 * (MBEDTLS_OID_PKCS7_DATA, aka OID_data).
54 * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code, aka
55 * OID_msIndirectData) is not supported.
56 * See MbedTLS function 'pkcs7_get_content_info_type' for details.
57 *
58 * But the EFI loader assumes that a PKCS#7 message with an EFI image always
59 * contains MicroSoft Authentication Code as Content Data (msg->data is NOT
60 * NULL), see function 'efi_signature_verify'.
61 *
62 * MbedTLS patch "0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch"
63 * is to support both above features by parsing the Content Data and
64 * Authenticate Attributes from a given PKCS#7 message.
65 *
66 * Other fields we don't need to populate from MbedTLS, which are used
67 * internally by pkcs7_verify:
68 * 'signer', 'unsupported_crypto', 'blacklisted'
69 * 'sig->digest' is used internally by pkcs7_digest to calculate the hash of
70 * Content Data or Authenticate Attributes.
71 */
AKASHI Takahiro5ace6ff2019-11-13 09:45:01 +0900[diff] [blame]72struct pkcs7_signed_info {
Raymond Maoc3dc1f82024-10-03 14:50:33 -0700[diff] [blame]73#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
74 struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx;
75#endif
AKASHI Takahiro5ace6ff2019-11-13 09:45:01 +0900[diff] [blame]76 struct pkcs7_signed_info *next;
77 struct x509_certificate *signer; /* Signing certificate (in msg->certs) */
78 unsigned index;
79 bool unsupported_crypto; /* T if not usable due to missing crypto */
80 bool blacklisted;
81
82 /* Message digest - the digest of the Content Data (or NULL) */
83 const void *msgdigest;
84 unsigned msgdigest_len;
85
86 /* Authenticated Attribute data (or NULL) */
87 unsigned authattrs_len;
88 const void *authattrs;
89 unsigned long aa_set;
90#define sinfo_has_content_type 0
91#define sinfo_has_signing_time 1
92#define sinfo_has_message_digest 2
93#define sinfo_has_smime_caps 3
94#define sinfo_has_ms_opus_info 4
95#define sinfo_has_ms_statement_type 5
96 time64_t signing_time;
97
98 /* Message signature.
99 *
100 * This contains the generated digest of _either_ the Content Data or
101 * the Authenticated Attributes [RFC2315 9.3]. If the latter, one of
102 * the attributes contains the digest of the the Content Data within
103 * it.
104 *
105 * THis also contains the issuing cert serial number and issuer's name
106 * [PKCS#7 or CMS ver 1] or issuing cert's SKID [CMS ver 3].
107 */
108 struct public_key_signature *sig;
109};
110
111struct pkcs7_message {
Raymond Maoc3dc1f82024-10-03 14:50:33 -0700[diff] [blame]112#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
113 struct pkcs7_mbedtls_ctx *mbedtls_ctx;
114#endif
AKASHI Takahiro5ace6ff2019-11-13 09:45:01 +0900[diff] [blame]115 struct x509_certificate *certs; /* Certificate list */
116 struct x509_certificate *crl; /* Revocation list */
117 struct pkcs7_signed_info *signed_infos;
118 u8 version; /* Version of cert (1 -> PKCS#7 or CMS; 3 -> CMS) */
119 bool have_authattrs; /* T if have authattrs */
120
121 /* Content Data (or NULL) */
122 enum OID data_type; /* Type of Data */
123 size_t data_len; /* Length of Data */
124 size_t data_hdrlen; /* Length of Data ASN.1 header */
125 const void *data; /* Content Data (or 0) */
126};
AKASHI Takahiro5180e1a2020-04-21 09:37:52 +0900[diff] [blame]127#endif /* _PKCS7_PARSER_H */