```c
/* SPDX-License-Identifier: GPL-2.0-or-later */
/* PKCS#7 crypto data parser internal definitions
 *
 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 */

#ifndef _PKCS7_PARSER_H
#define _PKCS7_PARSER_H

#include <linux/oid_registry.h>
#include <crypto/pkcs7.h>
#include <crypto/x509_parser.h>
#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
#include <mbedtls/pkcs7.h>
#include <library/x509_internal.h>
#include <mbedtls/asn1.h>
#include <mbedtls/oid.h>
#endif
#include <linux/printk.h>

#define kenter(FMT, ...) \
	pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
#define kleave(FMT, ...) \
	pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)

/* Backup the parsed MbedTLS context that we need */
#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
struct pkcs7_mbedtls_ctx {
	void *content_data;
};

struct pkcs7_sinfo_mbedtls_ctx {
	void *authattrs_data;
	void *content_data_digest;
};
#endif

/*
 * MbedTLS integration Notes:
 *
 * MbedTLS PKCS#7 library does not originally support parsing Microsoft
 * Authentication Code which is used for verifying the PE image digest.
 *
 * 1. Authenticated Attributes (authenticatedAttributes)
 *    MbedTLS assumes the unauthenticatedAttributes and
 *    authenticatedAttributes fields do not exist.
 *    See MbedTLS function 'pkcs7_get_signer_info' for details.
 *
 * 2. Microsoft Authentication Code (mscode)
 *    MbedTLS only supports Content Data type defined as 1.2.840.113549.1.7.1
 *    (MBEDTLS_OID_PKCS7_DATA, aka OID_data).
 *    1.3.6.1.4.1.311.2.1.4 (Microsoft Authentication Code, aka
 *    OID_msIndirectData) is not supported.
 *    See MbedTLS function 'pkcs7_get_content_info_type' for details.
 *
 * But the EFI loader assumes that a PKCS#7 message with an EFI image always
 * contains Microsoft Authentication Code as Content Data (msg->data is NOT
 * NULL), see function 'efi_signature_verify'.
 *
 * MbedTLS patch "0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch"
 * supports both of the above features by parsing the Content Data and
 * Authenticated Attributes from a given PKCS#7 message.
 *
 * Other fields we don't need to populate from MbedTLS, which are used
 * internally by pkcs7_verify:
 * 'signer', 'unsupported_crypto', 'blacklisted'
 * 'sig->digest' is used internally by pkcs7_digest to calculate the hash of
 * Content Data or Authenticated Attributes.
 */
struct pkcs7_signed_info {
#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
	struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx;
#endif
	struct pkcs7_signed_info *next;
	struct x509_certificate *signer; /* Signing certificate (in msg->certs) */
	unsigned	index;
	bool		unsupported_crypto;	/* T if not usable due to missing crypto */
	bool		blacklisted;

	/* Message digest - the digest of the Content Data (or NULL) */
	const void	*msgdigest;
	unsigned	msgdigest_len;

	/* Authenticated Attribute data (or NULL) */
	unsigned	authattrs_len;
	const void	*authattrs;
	unsigned long	aa_set;
#define	sinfo_has_content_type		0
#define	sinfo_has_signing_time		1
#define	sinfo_has_message_digest	2
#define sinfo_has_smime_caps		3
#define	sinfo_has_ms_opus_info		4
#define	sinfo_has_ms_statement_type	5
	time64_t	signing_time;

	/* Message signature.
	 *
	 * This contains the generated digest of _either_ the Content Data or
	 * the Authenticated Attributes [RFC2315 9.3].  If the latter, one of
	 * the attributes contains the digest of the Content Data within
	 * it.
	 *
	 * This also contains the issuing cert serial number and issuer's name
	 * [PKCS#7 or CMS ver 1] or issuing cert's SKID [CMS ver 3].
	 */
	struct public_key_signature *sig;
};

struct pkcs7_message {
#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
	struct pkcs7_mbedtls_ctx *mbedtls_ctx;
#endif
	struct x509_certificate *certs;	/* Certificate list */
	struct x509_certificate *crl;	/* Revocation list */
	struct pkcs7_signed_info *signed_infos;
	u8		version;	/* Version of cert (1 -> PKCS#7 or CMS; 3 -> CMS) */
	bool		have_authattrs;	/* T if have authattrs */

	/* Content Data (or NULL) */
	enum OID	data_type;	/* Type of Data */
	size_t		data_len;	/* Length of Data */
	size_t		data_hdrlen;	/* Length of Data ASN.1 header */
	const void	*data;		/* Content Data (or 0) */
};

#endif /* _PKCS7_PARSER_H */
```
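
The `aa_set` bits and the `have_authattrs` flag in the header above are what a verifier needs to enforce RFC 2315 section 9.2: authenticated attributes must be present when the content type is not plain data, and when present they must include contentType and messageDigest. The following is an added example, not code from this header or its project; the `demo_*` types and function are hypothetical reductions of the structures above, and requiring all signers to agree on having authenticated attributes is an assumption of the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Bit numbers copied from the header above */
#define sinfo_has_content_type   0
#define sinfo_has_message_digest 2

/* Hypothetical reduced forms of pkcs7_signed_info / pkcs7_message */
struct demo_sinfo {
	struct demo_sinfo *next;
	const void *authattrs;      /* NULL when the signer has no authattrs */
	unsigned long aa_set;       /* sinfo_has_* bits seen while parsing */
};

struct demo_msg {
	struct demo_sinfo *signed_infos;
	bool content_is_plain_data; /* true only for OID_data content */
	bool have_authattrs;        /* set by demo_check_authattrs() */
};

/*
 * Returns 0 if the signer list is acceptable, -1 otherwise:
 *  - at least one signer is present;
 *  - non-data content (e.g. OID_msIndirectData) requires authattrs;
 *  - a signer with authattrs must carry contentType and messageDigest;
 *  - assumption of this example: all signers agree on having authattrs.
 */
int demo_check_authattrs(struct demo_msg *msg)
{
	const unsigned long need = (1UL << sinfo_has_content_type) |
				   (1UL << sinfo_has_message_digest);
	struct demo_sinfo *s = msg->signed_infos;
	bool want;

	if (!s)
		return -1;
	want = s->authattrs != NULL;
	if (!want && !msg->content_is_plain_data)
		return -1;
	for (; s; s = s->next) {
		if ((s->authattrs != NULL) != want)
			return -1;
		if (want && (s->aa_set & need) != need)
			return -1;
	}
	msg->have_authattrs = want;
	return 0;
}
```

Rejecting a signer whose attributes lack messageDigest matters because, per the "Message signature" comment above, the signature then covers only the attributes and nothing would bind it to the Content Data.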