On Tue, Jun 10, 2025 at 09:20:45PM +0530, Sudhakar wrote: > From: Daniel Axtens <d...@axtens.net> > > This code allows us to parse: > > - PKCS#7 signedData messages. Only a single signerInfo is supported, > which is all that the Linux sign-file utility supports creating > out-of-the-box. Only RSA, SHA-256 and SHA-512 are supported. > Any certificate embedded in the PKCS#7 message will be ignored. > > Signed-off-by: Javier Martinez Canillas <javi...@redhat.com> # EKU support > Reported-by: Michal Suchanek <msucha...@suse.com> # key usage issue > Signed-off-by: Daniel Axtens <d...@axtens.net> > Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com> > Reviewed-by: Stefan Berger <stef...@linux.ibm.com> > Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com> > --- > grub-core/commands/appendedsig/appendedsig.h | 36 ++ > grub-core/commands/appendedsig/pkcs7.c | 454 +++++++++++++++++++ > 2 files changed, 490 insertions(+) > create mode 100644 grub-core/commands/appendedsig/pkcs7.c > > diff --git a/grub-core/commands/appendedsig/appendedsig.h > b/grub-core/commands/appendedsig/appendedsig.h > index 5e133bee5..c3dc8a9a9 100644 > --- a/grub-core/commands/appendedsig/appendedsig.h > +++ b/grub-core/commands/appendedsig/appendedsig.h 
> @@ -17,11 +17,47 @@ > * along with GRUB. If not, see <http://www.gnu.org/licenses/>. > */ > > +#include <grub/crypto.h> > #include <libtasn1.h> > > extern asn1_node grub_gnutls_gnutls_asn; > extern asn1_node grub_gnutls_pkix_asn; > > +#define MAX_OID_LEN 32 > + > +/* A PKCS#7 signedData signerInfo.Add commentMore actions */ > +struct pkcs7_signerInfo > +{ > + const gcry_md_spec_t *hash; > + gcry_mpi_t sig_mpi; > +}; > + > +/* > + * A PKCS#7 signedData message. > + * We make no attempt to match intelligently, so we don't save any info about > + * the signer. > + */ > +struct pkcs7_signedData > +{ > + int signerInfo_count; > + struct pkcs7_signerInfo *signerInfos; > +}; > + > +/* > + * Parse a PKCS#7 message, which must be a signedData message.Add > commentMore actions
Probably "Add commentMore actions" has to be dropped... > + * The message must be in 'sigbuf' and of size 'data_size'. The result is > + * placed in 'msg', which must already be allocated. > + */ > +extern grub_err_t > +parse_pkcs7_signedData (const void *sigbuf, grub_size_t data_size, struct > pkcs7_signedData *msg); > + > +/* > + * Release all the storage associated with the PKCS#7 message. > + * If the caller dynamically allocated the message, it must free it. > + */ > +extern void > +pkcs7_signedData_release (struct pkcs7_signedData *msg); > + > /* Do libtasn1 init */ > extern int > asn1_init (void); > diff --git a/grub-core/commands/appendedsig/pkcs7.c > b/grub-core/commands/appendedsig/pkcs7.c > new file mode 100644 > index 000000000..9dd1cdc3a > --- /dev/null > +++ b/grub-core/commands/appendedsig/pkcs7.c 
> @@ -0,0 +1,454 @@ > +/* > + * GRUB -- GRand Unified Bootloader > + * Copyright (C) 2020, 2022 Free Software Foundation, Inc. > + * Copyright (C) 2020, 2022, 2025 IBM Corporation > + * > + * GRUB is free software: you can redistribute it and/or modify > + * it under the terms of the GNU General Public License as published by > + * the Free Software Foundation, either version 3 of the License, or > + * (at your option) any later version. > + * > + * GRUB is distributed in the hope that it will be useful, > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > + * GNU General Public License for more details. > + * > + * You should have received a copy of the GNU General Public License > + * along with GRUB. If not, see <http://www.gnu.org/licenses/>. > + */ > + > +#include "appendedsig.h" > +#include <grub/misc.h> > +#include <grub/crypto.h> > +#include <grub/gcrypt/gcrypt.h> > +#include <sys/types.h> > + > +static char asn1_error[ASN1_MAX_ERROR_DESCRIPTION_SIZE]; > + > +/* RFC 5652 s 5.1 */ > +static const char *signedData_oid = "1.2.840.113549.1.7.2"; > + > +/* RFC 4055 s 2.1 */ > +static const char *sha256_oid = "2.16.840.1.101.3.4.2.1"; > +static const char *sha512_oid = "2.16.840.1.101.3.4.2.3"; > + > +static grub_err_t > +process_content (grub_uint8_t *content, int size, struct pkcs7_signedData > *msg) > +{ > + int res; > + asn1_node signed_part; > + grub_err_t err = GRUB_ERR_NONE; > + char algo_oid[MAX_OID_LEN]; > + int algo_oid_size = sizeof (algo_oid); It seems to me that you can drop this initialization... [...] 
> +grub_err_t > +parse_pkcs7_signedData (const void *sigbuf, grub_size_t data_size, struct > pkcs7_signedData *msg) > +{ > + int res; > + asn1_node content_info; > + grub_err_t err = GRUB_ERR_NONE; > + char content_oid[MAX_OID_LEN]; > + grub_uint8_t *content; > + int content_size; > + int content_oid_size = sizeof (content_oid); > + int size; > + > + if (data_size > GRUB_INT_MAX) > + return grub_error (GRUB_ERR_OUT_OF_RANGE, > + "cannot parse a PKCS#7 message where data size > > INT_MAX"); s/INT_MAX/GRUB_INT_MAX/ And probably I would consider dropping some more N_() from various cryptic error messages. Anyway, if you fix these minor issues you can add my RB to this patch. Daniel _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
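Review bot: the comment on `struct pkcs7_signedData` in appendedsig.h should state the single-signerInfo rule from the commit message, because the header exposes `int signerInfo_count;` and `struct pkcs7_signerInfo *signerInfos;`, which read as if any number of signerInfos is parsed and kept. Say in that comment whether `parse_pkcs7_signedData` rejects a message carrying more than one signerInfo or keeps only the first, since that decides which signature a caller ends up verifying; the caller-side note on `pkcs7_signedData_release` ("If the caller dynamically allocated the message, it must free it") is a good model for how explicit this should be.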
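Review bot: before dropping `int algo_oid_size = sizeof (algo_oid);` in `process_content` (and the matching `int content_oid_size = sizeof (content_oid);` in `parse_pkcs7_signedData`), check how those variables reach libtasn1: `asn1_read_value` treats its length argument as in/out, reading the buffer capacity from it before writing the decoded length back, so with the initialization removed an over-long OID would no longer be bounded by the `MAX_OID_LEN` buffer. Keep the initialization wherever the value is passed to that call, and only drop it if the callers use a routine that merely writes the length.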