1 /* SPDX-License-Identifier: GPL-2.0-or-later */
2 /* PKCS#7 crypto data parser internal definitions
3  *
4  * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #ifndef _PKCS7_PARSER_H
9 #define _PKCS7_PARSER_H
10 
11 #include <linux/oid_registry.h>
12 #include <crypto/pkcs7.h>
13 #include <crypto/x509_parser.h>
14 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
15 #include "mbedtls_options.h"
16 #include <mbedtls/pkcs7.h>
17 #include <library/x509_internal.h>
18 #include <mbedtls/asn1.h>
19 #include <mbedtls/oid.h>
20 #endif
21 #include <linux/printk.h>
22 
23 #define kenter(FMT, ...) \
24 	pr_devel("==> %s("FMT")\n", __func__, ##__VA_ARGS__)
25 #define kleave(FMT, ...) \
26 	pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
27 
28 /* Backup the parsed MedTLS context that we need */
29 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
30 struct pkcs7_mbedtls_ctx {
31 	void *content_data;
32 };
33 
34 struct pkcs7_sinfo_mbedtls_ctx {
35 	void *authattrs_data;
36 	void *content_data_digest;
37 };
38 #endif
39 
40 /*
41  * MbedTLS integration Notes:
42  *
43  * MbedTLS PKCS#7 library does not originally support parsing MicroSoft
44  * Authentication Code which is used for verifying the PE image digest.
45  *
46  * 1.	Authenticated Attributes (authenticatedAttributes)
47  *	MbedTLS assumes unauthenticatedAttributes and authenticatedAttributes
48  *	fields not exist.
49  *	See MbedTLS function 'pkcs7_get_signer_info' for details.
50  *
51  * 2.	MicroSoft Authentication Code (mscode)
52  *	MbedTLS only supports Content Data type defined as 1.2.840.113549.1.7.1
53  *	(MBEDTLS_OID_PKCS7_DATA, aka OID_data).
54  *	1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code, aka
55  *	OID_msIndirectData) is not supported.
56  *	See MbedTLS function 'pkcs7_get_content_info_type' for details.
57  *
58  * But the EFI loader assumes that a PKCS#7 message with an EFI image always
59  * contains MicroSoft Authentication Code as Content Data (msg->data is NOT
60  * NULL), see function 'efi_signature_verify'.
61  *
62  * MbedTLS patch "0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch"
63  * is to support both above features by parsing the Content Data and
64  * Authenticate Attributes from a given PKCS#7 message.
65  *
66  * Other fields we don't need to populate from MbedTLS, which are used
67  * internally by pkcs7_verify:
68  * 'signer', 'unsupported_crypto', 'blacklisted'
69  * 'sig->digest' is used internally by pkcs7_digest to calculate the hash of
70  * Content Data or Authenticate Attributes.
71  */
72 struct pkcs7_signed_info {
73 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
74 	struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx;
75 #endif
76 	struct pkcs7_signed_info *next;
77 	struct x509_certificate *signer; /* Signing certificate (in msg->certs) */
78 	unsigned	index;
79 	bool		unsupported_crypto;	/* T if not usable due to missing crypto */
80 	bool		blacklisted;
81 
82 	/* Message digest - the digest of the Content Data (or NULL) */
83 	const void	*msgdigest;
84 	unsigned	msgdigest_len;
85 
86 	/* Authenticated Attribute data (or NULL) */
87 	unsigned	authattrs_len;
88 	const void	*authattrs;
89 	unsigned long	aa_set;
90 #define	sinfo_has_content_type		0
91 #define	sinfo_has_signing_time		1
92 #define	sinfo_has_message_digest	2
93 #define sinfo_has_smime_caps		3
94 #define	sinfo_has_ms_opus_info		4
95 #define	sinfo_has_ms_statement_type	5
96 	time64_t	signing_time;
97 
98 	/* Message signature.
99 	 *
100 	 * This contains the generated digest of _either_ the Content Data or
101 	 * the Authenticated Attributes [RFC2315 9.3].  If the latter, one of
102 	 * the attributes contains the digest of the the Content Data within
103 	 * it.
104 	 *
105 	 * THis also contains the issuing cert serial number and issuer's name
106 	 * [PKCS#7 or CMS ver 1] or issuing cert's SKID [CMS ver 3].
107 	 */
108 	struct public_key_signature *sig;
109 };
110 
111 struct pkcs7_message {
112 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
113 	struct pkcs7_mbedtls_ctx *mbedtls_ctx;
114 #endif
115 	struct x509_certificate *certs;	/* Certificate list */
116 	struct x509_certificate *crl;	/* Revocation list */
117 	struct pkcs7_signed_info *signed_infos;
118 	u8		version;	/* Version of cert (1 -> PKCS#7 or CMS; 3 -> CMS) */
119 	bool		have_authattrs;	/* T if have authattrs */
120 
121 	/* Content Data (or NULL) */
122 	enum OID	data_type;	/* Type of Data */
123 	size_t		data_len;	/* Length of Data */
124 	size_t		data_hdrlen;	/* Length of Data ASN.1 header */
125 	const void	*data;		/* Content Data (or 0) */
126 };
127 #endif /* _PKCS7_PARSER_H */
128