From patchwork Tue Jul 21 10:35:21 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: AKASHI Takahiro <takahiro.akashi@linaro.org>
X-Patchwork-Id: 245591
Delivered-To: patch@linaro.org
Received: by 2002:a92:d244:0:0:0:0:0 with SMTP id v4csp2791242ilg;
 Tue, 21 Jul 2020 03:37:03 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyfhyqUdoBi6xap3DAS6I+P4YeEsysWYTFDr21vp2SY8WDERHAmZCwikBsb45FkhttVP9CG
X-Received: by 2002:a05:6402:377:: with SMTP id
 s23mr25935790edw.200.1595327823591; 
 Tue, 21 Jul 2020 03:37:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1595327823; cv=none;
 d=google.com; s=arc-20160816;
 b=R1krWgTcu+2uqqMjg3oFq4va6tROdl5thvRfI3LLEsA4WrmOcanbeedaGbXU0gYFpd
 LVAlt7NWwFwXrqY9ajUMwVTfGuij3wRCBO23bDa9qHuwbWpQr5xBzer8ZF8EtrCYrDhl
 a1ZlpnKqcz64OMFlqRPzJXrh20q8YUF3uX6VFBupHIKyRAbLCJ3ORdGRmdu+SxyTdkbr
 7G03MT9knFLwbX7y3Eh5tXsY/NA4gIO4onDbKiqMqpynr2MAaPqCkmjLJoU6R4muv3dI
 /eK/hJgtByNPsCddrh1ucAYrolF883YEEE4ok95klPjlLaRpevzLyzzBefHigSmxC/Kr
 jB5g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=sender:errors-to:list-subscribe:list-help:list-post:list-archive
 :list-unsubscribe:list-id:precedence:content-transfer-encoding
 :mime-version:references:in-reply-to:message-id:date:subject:cc:to
 :from:dkim-signature;
 bh=aHm4tV4+KHXMAw+QFnCSaZ4RJNSuqDkSnV2izkwy+98=;
 b=ZlRSkT0bUmYgHad2e4sNMuTdXwkGWhDoCd4F/9uDD+xdkV/7aXELMj4UL9tfR9Pfag
 fltEoTjJ7TJhIQxk4DWA+ovqBUH8d9xrggJUo+BRG+0uP+z6OTC8QAZVVfFyCzEVfaCf
 kJHX67TtFaeLNe8bHXz8ayyKCoCM9YiC5rpFThwStAGkrzmH4+e52osPUd6/g7cRMyCa
 6dTpB3XG99+JXd8VLdl3aaLeQnasq9qyw35ZlKsudyz+hxd3I4cdpJgk4421zdFlEmx6
 Eym65uDRJ9my1YIAsnGq9Ocij9/qYjKHYg2qL2EexgH8oe1t+njoUOnRKRHOnyJDqUW9
 n/1A==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=i8WAugE5;
 spf=pass (google.com: domain of u-boot-bounces@lists.denx.de
 designates 85.214.62.61 as permitted sender)
 smtp.mailfrom=u-boot-bounces@lists.denx.de; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <u-boot-bounces@lists.denx.de>
Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61])
 by mx.google.com with ESMTPS id
 y18si12062395edw.583.2020.07.21.03.37.03
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 21 Jul 2020 03:37:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de
 designates 85.214.62.61 as permitted sender)
 client-ip=85.214.62.61; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=i8WAugE5;
 spf=pass (google.com: domain of u-boot-bounces@lists.denx.de
 designates 85.214.62.61 as permitted sender)
 smtp.mailfrom=u-boot-bounces@lists.denx.de; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
 by phobos.denx.de (Postfix) with ESMTP id A7A8681F04;
 Tue, 21 Jul 2020 12:36:42 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key;
 unprotected) header.d=linaro.org header.i=@linaro.org
 header.b="i8WAugE5"; dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 39FFD81C3C; Tue, 21 Jul 2020 12:36:25 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE,URIBL_BLOCKED autolearn=ham
 autolearn_force=no version=3.4.2
Received: from mail-pf1-x444.google.com (mail-pf1-x444.google.com
 [IPv6:2607:f8b0:4864:20::444])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id BFE5A81C17
 for <u-boot@lists.denx.de>; Tue, 21 Jul 2020 12:36:19 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=takahiro.akashi@linaro.org
Received: by mail-pf1-x444.google.com with SMTP id m9so10541851pfh.0
 for <u-boot@lists.denx.de>; Tue, 21 Jul 2020 03:36:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=aHm4tV4+KHXMAw+QFnCSaZ4RJNSuqDkSnV2izkwy+98=;
 b=i8WAugE5XkJHUjP6yjrHVDH4oMWKx2EthRd2UVfS8RUx7rBvsUUg4eAkRONvQ9Edfi
 2KGfQlIps+iaH+8n+IhSQ9nAhBQ8fXznGCE7xIrYGUorPwkLCWSQ5DMXpL2qMR6VNVJg
 WK/q8U6ldNJzk18HRuHr0e499ULjgx7/qZaiBnhIRW99quGWUuixuO+HBMKvBJ3cqSZn
 MuUh4PP68bmnPjZQ13Q2pLEZQYxgQEt0yI4Xamo+pP5ga1vcSXDD3CAIabJr2Oq0OO86
 D/Mx0Jik3ia+r7guB59v0gk6hS8LVAbYIcTVK1uFUf1n1RTBwFgR09fp8mllyeDSlTDF
 ev+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=aHm4tV4+KHXMAw+QFnCSaZ4RJNSuqDkSnV2izkwy+98=;
 b=J0CrT3/B+Y6i00h3e4HzjOpkYTZqCIRjAnPcp0zqwMflC73PUZiAPGw2MmTatWBKb6
 NIKV1yeADS3kitQncZE/UyOIzULrPUqsyBogN64aEeuj/PAdXetEzcyaybwojOBQ5O1M
 mpZJjuT9g9bPw60C3E6zOuvqcOi42wufhPf3uFm4du6DvZKrzm1SbNdQ6KGlwGIxbLcF
 /mV9c1Gdn/bvW4+EW3NYZDd0CL0XKcDnsmvLJR1AxFqLroni8NW4yDuUxBfxFb+xMyyQ
 oOGRqAkVNaPhfpAh+RKMAfne2MUZKNhTYKzvzwZecWh2ktnUBRhMKRvRAPoL2vrzUNrQ
 iMUg==
X-Gm-Message-State: AOAM532yXs8ZLqbiSiY9BGODN8DicK51eAI0yB/5VdZcLCTHbS3eTWpo
 wsZD5GrkW/D6pqpB9M2OpRo2TA==
X-Received: by 2002:a63:3587:: with SMTP id
 c129mr22926183pga.322.1595327777972; 
 Tue, 21 Jul 2020 03:36:17 -0700 (PDT)
Received: from localhost.localdomain (p6e424d9a.tkyea130.ap.so-net.ne.jp.
 [110.66.77.154]) by smtp.gmail.com with ESMTPSA id
 q20sm19838276pfn.111.2020.07.21.03.36.15
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Tue, 21 Jul 2020 03:36:17 -0700 (PDT)
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: xypron.glpk@gmx.de,
	agraf@csgraf.de
Cc: sughosh.ganu@linaro.org, mail@patrick-wildt.de, u-boot@lists.denx.de,
 AKASHI Takahiro <takahiro.akashi@linaro.org>
Subject: [PATCH v5 5/8] lib: crypto: export and enhance pkcs7_verify_one()
Date: Tue, 21 Jul 2020 19:35:21 +0900
Message-Id: <20200721103524.5956-6-takahiro.akashi@linaro.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200721103524.5956-1-takahiro.akashi@linaro.org>
References: <20200721103524.5956-1-takahiro.akashi@linaro.org>
MIME-Version: 1.0
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.102.3 at phobos.denx.de
X-Virus-Status: Clean

The function, pkcs7_verify_one(), will be utilized to rework signature
verification logic aiming to support intermediate certificates in
"chain of trust."

To do that, its function interface is expanded, adding an extra argument
which is expected to return the last certificate in trusted chain.
Then, this last one must further be verified with signature database, db
and/or dbx.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 include/crypto/pkcs7.h    |  9 +++++-
 lib/crypto/pkcs7_verify.c | 61 ++++++++++++++++++++++++++++++++++-----
 2 files changed, 62 insertions(+), 8 deletions(-)

-- 
2.27.0

diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
index 8f5c8a7ee3b9..ca35df29f6fb 100644
--- a/include/crypto/pkcs7.h
+++ b/include/crypto/pkcs7.h
@@ -27,7 +27,14 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
 				  const void **_data, size_t *_datalen,
 				  size_t *_headerlen);
 
-#ifndef __UBOOT__
+#ifdef __UBOOT__
+struct pkcs7_signed_info;
+struct x509_certificate;
+
+int pkcs7_verify_one(struct pkcs7_message *pkcs7,
+		     struct pkcs7_signed_info *sinfo,
+		     struct x509_certificate **signer);
+#else
 /*
  * pkcs7_trust.c
  */
diff --git a/lib/crypto/pkcs7_verify.c b/lib/crypto/pkcs7_verify.c
index 706358f09b5e..320ba49f79df 100644
--- a/lib/crypto/pkcs7_verify.c
+++ b/lib/crypto/pkcs7_verify.c
@@ -301,10 +301,27 @@ static int pkcs7_find_key(struct pkcs7_message *pkcs7,
 }
 
 /*
- * Verify the internal certificate chain as best we can.
+ * pkcs7_verify_sig_chain - Verify the internal certificate chain as best
+ *                          as we can.
+ * @pkcs7:	PKCS7 Signed Data
+ * @sinfo:	PKCS7 Signed Info
+ * @signer:	Singer's certificate
+ *
+ * Build up and verify the internal certificate chain against a signature
+ * in @sinfo, using certificates contained in @pkcs7 as best as we can.
+ * If the chain reaches the end, the last certificate will be returned
+ * in @signer.
+ *
+ * Return:	0 - on success, non-zero error code - otherwise
  */
+#ifdef __UBOOT__
+static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
+				  struct pkcs7_signed_info *sinfo,
+				  struct x509_certificate **signer)
+#else
 static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
 				  struct pkcs7_signed_info *sinfo)
+#endif
 {
 	struct public_key_signature *sig;
 	struct x509_certificate *x509 = sinfo->signer, *p;
@@ -313,6 +330,8 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
 
 	kenter("");
 
+	*signer = NULL;
+
 	for (p = pkcs7->certs; p; p = p->next)
 		p->seen = false;
 
@@ -330,6 +349,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
 			for (p = sinfo->signer; p != x509; p = p->signer)
 				p->blacklisted = true;
 			pr_debug("- blacklisted\n");
+#ifdef __UBOOT__
+			*signer = x509;
+#endif
 			return 0;
 		}
 
@@ -355,6 +377,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
 				goto unsupported_crypto_in_x509;
 			x509->signer = x509;
 			pr_debug("- self-signed\n");
+#ifdef __UBOOT__
+			*signer = x509;
+#endif
 			return 0;
 		}
 
@@ -385,6 +410,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
 
 		/* We didn't find the root of this chain */
 		pr_debug("- top\n");
+#ifdef __UBOOT__
+		*signer = x509;
+#endif
 		return 0;
 
 	found_issuer_check_skid:
@@ -402,6 +430,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
 		if (p->seen) {
 			pr_warn("Sig %u: X.509 chain contains loop\n",
 				sinfo->index);
+#ifdef __UBOOT__
+			*signer = p;
+#endif
 			return 0;
 		}
 		ret = public_key_verify_signature(p->pub, x509->sig);
@@ -410,6 +441,9 @@ static int pkcs7_verify_sig_chain(struct pkcs7_message *pkcs7,
 		x509->signer = p;
 		if (x509 == p) {
 			pr_debug("- self-signed\n");
+#ifdef __UBOOT__
+			*signer = p;
+#endif
 			return 0;
 		}
 		x509 = p;
@@ -429,13 +463,26 @@ unsupported_crypto_in_x509:
 }
 
 /*
- * Verify one signed information block from a PKCS#7 message.
+ * pkcs7_verify_one - Verify one signed information block from a PKCS#7
+ *                    message.
+ * @pkcs7:	PKCS7 Signed Data
+ * @sinfo:	PKCS7 Signed Info
+ * @signer:	Signer's certificate
+ *
+ * Verify one signature in @sinfo and follow the certificate chain.
+ * If the chain reaches the end, the last certificate will be returned
+ * in @signer.
+ *
+ * Return:	0 - on success, non-zero error code - otherwise
  */
-#ifndef __UBOOT__
-static
-#endif
+#ifdef __UBOOT__
 int pkcs7_verify_one(struct pkcs7_message *pkcs7,
-		     struct pkcs7_signed_info *sinfo)
+		     struct pkcs7_signed_info *sinfo,
+		     struct x509_certificate **signer)
+#else
+static int pkcs7_verify_one(struct pkcs7_message *pkcs7,
+			    struct pkcs7_signed_info *sinfo)
+#endif
 {
 	int ret;
 
@@ -479,7 +526,7 @@ int pkcs7_verify_one(struct pkcs7_message *pkcs7,
 	pr_devel("Verified signature %u\n", sinfo->index);
 
 	/* Verify the internal certificate chain */
-	return pkcs7_verify_sig_chain(pkcs7, sinfo);
+	return pkcs7_verify_sig_chain(pkcs7, sinfo, signer);
 }
 
 #ifndef __UBOOT__