Hi Raymond On Sat, 17 Aug 2024 at 00:48, Raymond Mao <raymond....@linaro.org> wrote: > > Populate PKCS9 Authenticate Attributes from signer info if it exists > in a PKCS7 message. > Add OIDs for describing objects using for Authenticate Attributes. > > The PR for this patch is at: > https://github.com/Mbed-TLS/mbedtls/pull/9001 > > For enabling EFI loader PKCS7 features with MbedTLS build, > we need this patch on top of MbedTLS v3.6.0 before it is merged into > the next MbedTLS LTS release. > > Signed-off-by: Raymond Mao <raymond....@linaro.org> > --- > Changes in v2 > - None. > Changes in v3 > - Update commit message. > Changes in v4 > - None. > Changes in v5 > - None. > Changes in v6 > - None. > > .../external/mbedtls/include/mbedtls/oid.h | 5 +++++ > .../external/mbedtls/include/mbedtls/pkcs7.h | 11 +++++++++++ > lib/mbedtls/external/mbedtls/library/pkcs7.c | 19 ++++++++++++++++++- > 3 files changed, 34 insertions(+), 1 deletion(-) > > diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h > b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h > index 2ee982808fa..43cef99f1e3 100644 > --- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h > +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h > @@ -238,6 +238,11 @@ > #define MBEDTLS_OID_RSA_SHA_OBS "\x2B\x0E\x03\x02\x1D" > > #define MBEDTLS_OID_PKCS9_EMAIL MBEDTLS_OID_PKCS9 "\x01" /**< > emailAddress AttributeType ::= { pkcs-9 1 } */ > +#define MBEDTLS_OID_PKCS9_CONTENTTYPE MBEDTLS_OID_PKCS9 "\x03" /**< > contentType AttributeType ::= { pkcs-9 3 } */ > +#define MBEDTLS_OID_PKCS9_MESSAGEDIGEST MBEDTLS_OID_PKCS9 "\x04" /**< > messageDigest AttributeType ::= { pkcs-9 4 } */ > +#define MBEDTLS_OID_PKCS9_SIGNINGTIME MBEDTLS_OID_PKCS9 "\x05" /**< > signingTime AttributeType ::= { pkcs-9 5 } */ > +#define MBEDTLS_OID_PKCS9_SMIMECAP MBEDTLS_OID_PKCS9 "\x0f" /**< > smimeCapabilites AttributeType ::= { pkcs-9 15 } */ > +#define MBEDTLS_OID_PKCS9_SMIMEAA MBEDTLS_OID_PKCS9 "\x10\x02\x0b" > /**< smimeCapabilites AttributeType ::= { pkcs-9 16 2 11} */ > > /* RFC 4055 */ > #define MBEDTLS_OID_RSASSA_PSS MBEDTLS_OID_PKCS1 "\x0a" /**< > id-RSASSA-PSS ::= { pkcs-1 10 } */ > diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h > b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h > index 9e29b74af70..a88a5e858fc 100644 > --- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h > +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h > @@ -102,6 +102,16 @@ typedef enum { > } > mbedtls_pkcs7_type; > > +/* > + * Authenticate Attributes for MicroSoft Authentication Code using in U-Boot > + * Secure Boot > + */ > +typedef struct mbedtls_pkcs7_authattrs { > + size_t data_len; > + void *data; > +} > +mbedtls_pkcs7_authattrs; > + > /** > * Structure holding PKCS #7 signer info > */ > @@ -113,6 +123,7 @@ typedef struct mbedtls_pkcs7_signer_info { > mbedtls_x509_buf MBEDTLS_PRIVATE(alg_identifier); > mbedtls_x509_buf MBEDTLS_PRIVATE(sig_alg_identifier); > mbedtls_x509_buf MBEDTLS_PRIVATE(sig); > + mbedtls_pkcs7_authattrs authattrs; > struct mbedtls_pkcs7_signer_info *MBEDTLS_PRIVATE(next); > } > mbedtls_pkcs7_signer_info; > diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c > b/lib/mbedtls/external/mbedtls/library/pkcs7.c > index 0c2436b56b7..da73fb341d6 100644 > --- a/lib/mbedtls/external/mbedtls/library/pkcs7.c > +++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c > @@ -288,6 +288,7 @@ static int pkcs7_get_signer_info(unsigned char **p, > unsigned char *end, > unsigned char *end_signer, *end_issuer_and_sn; > int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; > size_t len = 0; > + unsigned char *tmp_p; > > asn1_ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED > | MBEDTLS_ASN1_SEQUENCE); > @@ -349,7 +350,23 @@ static int pkcs7_get_signer_info(unsigned char **p, > unsigned char *end, > goto out; > } > > - /* Assume authenticatedAttributes is nonexistent */ > + /* Save authenticatedAttributes if present */ > + if (*p < end_signer && > + **p == (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | > 0)) { > + tmp_p = *p; > + > + ret = mbedtls_asn1_get_tag(p, end_signer, &len, > + MBEDTLS_ASN1_CONTEXT_SPECIFIC | > + MBEDTLS_ASN1_CONSTRUCTED | 0); > + if (ret != 0) { > + goto out; > + } > + > + signer->authattrs.data = tmp_p; > + signer->authattrs.data_len = len + *p - tmp_p; > + *p += len; > + } > + > ret = pkcs7_get_digest_algorithm(p, end_signer, > &signer->sig_alg_identifier); > if (ret != 0) { > goto out; > -- > 2.25.1 >
Acked-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>
