Add porting layer for MSCode on top of MbedTLS ASN1 library.
Signed-off-by: Raymond Mao <raymond....@linaro.org>
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- None.
lib/mbedtls/Makefile | 1 +
lib/mbedtls/mscode_parser.c | 111 ++++++++++++++++++++++++++++++++++++
2 files changed, 112 insertions(+)
create mode 100644 lib/mbedtls/mscode_parser.c
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index 005b8a25320..f0b8a1c4003 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -26,6 +26,7 @@ obj-$(CONFIG_MBEDTLS_LIB_X509) += x509_mbedtls.o
x509_mbedtls-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
x509_mbedtls-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += x509_cert_parser.o
x509_mbedtls-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_parser.o
+x509_mbedtls-$(CONFIG_$(SPL_)MSCODE_PARSER) += mscode_parser.o
obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o
mbedtls_lib_crypto-y := \
diff --git a/lib/mbedtls/mscode_parser.c b/lib/mbedtls/mscode_parser.c
new file mode 100644
index 00000000000..34715f3a137
--- /dev/null
+++ b/lib/mbedtls/mscode_parser.c
@@ -0,0 +1,111 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * MSCode parser using MbedTLS ASN1 library
+ *
+ * Copyright (c) 2024 Linaro Limited
+ * Author: Raymond Mao <raymond....@linaro.org>
+ */
+
+#include <linux/kernel.h>
+#include <linux/err.h>
+#include <crypto/pkcs7.h>
+#include <crypto/mscode.h>
+
+/*
+ * Parse a Microsoft Individual Code Signing blob
+ *
+ * U.P.SEQUENCE {
+ * U.P.OBJECTIDENTIFIER 1.3.6.1.4.1.311.2.1.15 (SPC_PE_IMAGE_DATA_OBJID)
+ * U.P.SEQUENCE {
+ * U.P.BITSTRING NaN : 0 unused bit(s);
+ * [C.P.0] {
+ * [C.P.2] {
+ * [C.P.0] <arbitrary string>
+ * }
+ * }
+ * }
+ * }
+ * U.P.SEQUENCE {
+ * U.P.SEQUENCE {
+ * U.P.OBJECTIDENTIFIER <digest algorithm OID>
+ * U.P.NULL
+ * }
+ * U.P.OCTETSTRING <PE image digest>
+ * }
+ *
+ */
+int mscode_parse(void *_ctx, const void *content_data, size_t data_len,
+ size_t asn1hdrlen)
+{
+ struct pefile_context *ctx = _ctx;
+ unsigned char *p = (unsigned char *)content_data;
+ unsigned char *end = (unsigned char *)content_data + data_len;
+ size_t len = 0;
+ int ret;
+ unsigned char *inner_p;
+ size_t seq_len = 0;
+
+ ret = mbedtls_asn1_get_tag(&p, end, &seq_len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret)
+ return ret;
+
+ inner_p = p;
+ ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len,
MBEDTLS_ASN1_OID);
+ if (ret)
+ return ret;
+
+ /* Sanity check on the PE Image Data OID (1.3.6.1.4.1.311.2.1.15) */
+ if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_PEIMAGEDATA, inner_p,
len))
+ return -EINVAL;
+
+ p += seq_len;
+ ret = mbedtls_asn1_get_tag(&p, end, &seq_len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret)
+ return ret;
+
+ ret = mbedtls_asn1_get_tag(&p, p + seq_len, &seq_len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret)
+ return ret;
+
+ inner_p = p;
+
+ /*
+ * Check if the inner sequence contains a supported hash
+ * algorithm OID
+ */
+ ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len,
MBEDTLS_ASN1_OID);
+ if (ret)
+ return ret;
+
+ if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_MD5, inner_p, len))
+ ctx->digest_algo = "md5";
+ else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA1, inner_p,
len))
+ ctx->digest_algo = "sha1";
+ else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA224, inner_p,
len))
+ ctx->digest_algo = "sha224";
+ else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA256, inner_p,
len))
+ ctx->digest_algo = "sha256";
+ else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA384, inner_p,
len))
+ ctx->digest_algo = "sha384";
+ else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA512, inner_p,
len))
+ ctx->digest_algo = "sha512";
+
+ if (!ctx->digest_algo)
+ return -EINVAL;
+
+ p += seq_len;
+ ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
+ if (ret)
+ return ret;
+
+ ctx->digest = p;
+ ctx->digest_len = len;
+
+ return 0;
+}
--
2.25.1
