1 /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 /* PKCS#7 crypto data parser internal definitions 3 * 4 * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #ifndef _PKCS7_PARSER_H 9 #define _PKCS7_PARSER_H 10 11 #include <linux/oid_registry.h> 12 #include <crypto/pkcs7.h> 13 #include <crypto/x509_parser.h> 14 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) 15 #include "mbedtls_options.h" 16 #include <mbedtls/pkcs7.h> 17 #include <library/x509_internal.h> 18 #include <mbedtls/asn1.h> 19 #include <mbedtls/oid.h> 20 #endif 21 #include <linux/printk.h> 22 23 #define kenter(FMT, ...) \ 24 pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__) 25 #define kleave(FMT, ...) \ 26 pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__) 27 28 /* Backup the parsed MedTLS context that we need */ 29 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) 30 struct pkcs7_mbedtls_ctx { 31 void *content_data; 32 }; 33 34 struct pkcs7_sinfo_mbedtls_ctx { 35 void *authattrs_data; 36 void *content_data_digest; 37 }; 38 #endif 39 40 /* 41 * MbedTLS integration Notes: 42 * 43 * MbedTLS PKCS#7 library does not originally support parsing MicroSoft 44 * Authentication Code which is used for verifying the PE image digest. 45 * 46 * 1. Authenticated Attributes (authenticatedAttributes) 47 * MbedTLS assumes unauthenticatedAttributes and authenticatedAttributes 48 * fields not exist. 49 * See MbedTLS function 'pkcs7_get_signer_info' for details. 50 * 51 * 2. MicroSoft Authentication Code (mscode) 52 * MbedTLS only supports Content Data type defined as 1.2.840.113549.1.7.1 53 * (MBEDTLS_OID_PKCS7_DATA, aka OID_data). 54 * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code, aka 55 * OID_msIndirectData) is not supported. 56 * See MbedTLS function 'pkcs7_get_content_info_type' for details. 57 * 58 * But the EFI loader assumes that a PKCS#7 message with an EFI image always 59 * contains MicroSoft Authentication Code as Content Data (msg->data is NOT 60 * NULL), see function 'efi_signature_verify'. 61 * 62 * MbedTLS patch "0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch" 63 * is to support both above features by parsing the Content Data and 64 * Authenticate Attributes from a given PKCS#7 message. 65 * 66 * Other fields we don't need to populate from MbedTLS, which are used 67 * internally by pkcs7_verify: 68 * 'signer', 'unsupported_crypto', 'blacklisted' 69 * 'sig->digest' is used internally by pkcs7_digest to calculate the hash of 70 * Content Data or Authenticate Attributes. 71 */ 72 struct pkcs7_signed_info { 73 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) 74 struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx; 75 #endif 76 struct pkcs7_signed_info *next; 77 struct x509_certificate *signer; /* Signing certificate (in msg->certs) */ 78 unsigned index; 79 bool unsupported_crypto; /* T if not usable due to missing crypto */ 80 bool blacklisted; 81 82 /* Message digest - the digest of the Content Data (or NULL) */ 83 const void *msgdigest; 84 unsigned msgdigest_len; 85 86 /* Authenticated Attribute data (or NULL) */ 87 unsigned authattrs_len; 88 const void *authattrs; 89 unsigned long aa_set; 90 #define sinfo_has_content_type 0 91 #define sinfo_has_signing_time 1 92 #define sinfo_has_message_digest 2 93 #define sinfo_has_smime_caps 3 94 #define sinfo_has_ms_opus_info 4 95 #define sinfo_has_ms_statement_type 5 96 time64_t signing_time; 97 98 /* Message signature. 99 * 100 * This contains the generated digest of _either_ the Content Data or 101 * the Authenticated Attributes [RFC2315 9.3]. If the latter, one of 102 * the attributes contains the digest of the the Content Data within 103 * it. 104 * 105 * THis also contains the issuing cert serial number and issuer's name 106 * [PKCS#7 or CMS ver 1] or issuing cert's SKID [CMS ver 3]. 107 */ 108 struct public_key_signature *sig; 109 }; 110 111 struct pkcs7_message { 112 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) 113 struct pkcs7_mbedtls_ctx *mbedtls_ctx; 114 #endif 115 struct x509_certificate *certs; /* Certificate list */ 116 struct x509_certificate *crl; /* Revocation list */ 117 struct pkcs7_signed_info *signed_infos; 118 u8 version; /* Version of cert (1 -> PKCS#7 or CMS; 3 -> CMS) */ 119 bool have_authattrs; /* T if have authattrs */ 120 121 /* Content Data (or NULL) */ 122 enum OID data_type; /* Type of Data */ 123 size_t data_len; /* Length of Data */ 124 size_t data_hdrlen; /* Length of Data ASN.1 header */ 125 const void *data; /* Content Data (or 0) */ 126 }; 127 #endif /* _PKCS7_PARSER_H */ 128