lib/crypto: Adapt PKCS7 parser to MbedTLS

Previous patch has introduced MbedTLS porting layer for PKCS7 parser,
here to adjust the header and makefiles accordingly.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>

diff --git a/include/crypto/pkcs7_parser.h b/include/crypto/pkcs7_parser.h
index 2c45cce52348b6f06c9e65716ca5a799158ed746..469c2711fa6272d4f122d282837448d710fc4060 100644 (file)
--- a/include/crypto/pkcs7_parser.h
+++ b/include/crypto/pkcs7_parser.h
@@ -11,6 +11,12 @@
 #include <linux/oid_registry.h>
 #include <crypto/pkcs7.h>
 #include <crypto/x509_parser.h>
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+#include <mbedtls/pkcs7.h>
+#include <library/x509_internal.h>
+#include <mbedtls/asn1.h>
+#include <mbedtls/oid.h>
+#endif
 #include <linux/printk.h>
 
 #define kenter(FMT, ...) \
@@ -18,7 +24,54 @@
 #define kleave(FMT, ...) \
        pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
 
+/* Backup the parsed MedTLS context that we need */
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+struct pkcs7_mbedtls_ctx {
+       void *content_data;
+};
+
+struct pkcs7_sinfo_mbedtls_ctx {
+       void *authattrs_data;
+       void *content_data_digest;
+};
+#endif
+
+/*
+ * MbedTLS integration Notes:
+ *
+ * MbedTLS PKCS#7 library does not originally support parsing MicroSoft
+ * Authentication Code which is used for verifying the PE image digest.
+ *
+ * 1.  Authenticated Attributes (authenticatedAttributes)
+ *     MbedTLS assumes unauthenticatedAttributes and authenticatedAttributes
+ *     fields not exist.
+ *     See MbedTLS function 'pkcs7_get_signer_info' for details.
+ *
+ * 2.  MicroSoft Authentication Code (mscode)
+ *     MbedTLS only supports Content Data type defined as 1.2.840.113549.1.7.1
+ *     (MBEDTLS_OID_PKCS7_DATA, aka OID_data).
+ *     1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code, aka
+ *     OID_msIndirectData) is not supported.
+ *     See MbedTLS function 'pkcs7_get_content_info_type' for details.
+ *
+ * But the EFI loader assumes that a PKCS#7 message with an EFI image always
+ * contains MicroSoft Authentication Code as Content Data (msg->data is NOT
+ * NULL), see function 'efi_signature_verify'.
+ *
+ * MbedTLS patch "0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch"
+ * is to support both above features by parsing the Content Data and
+ * Authenticate Attributes from a given PKCS#7 message.
+ *
+ * Other fields we don't need to populate from MbedTLS, which are used
+ * internally by pkcs7_verify:
+ * 'signer', 'unsupported_crypto', 'blacklisted'
+ * 'sig->digest' is used internally by pkcs7_digest to calculate the hash of
+ * Content Data or Authenticate Attributes.
+ */
 struct pkcs7_signed_info {
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+       struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx;
+#endif
        struct pkcs7_signed_info *next;
        struct x509_certificate *signer; /* Signing certificate (in msg->certs) */
        unsigned        index;
@@ -55,6 +108,9 @@ struct pkcs7_signed_info {
 };
 
 struct pkcs7_message {
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+       struct pkcs7_mbedtls_ctx *mbedtls_ctx;
+#endif
        struct x509_certificate *certs; /* Certificate list */
        struct x509_certificate *crl;   /* Revocation list */
        struct pkcs7_signed_info *signed_infos;

diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 4302f1972978144d41c8326bd7ecee75440f30e4..7129315393fa3204235f371e0c3bb4e6ca42c431 100644 (file)
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -50,15 +50,16 @@ $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c $(obj)/x509_akid.asn1.h
 # PKCS#7 message handling
 #
 obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o
-pkcs7_message-y := \
+pkcs7_message-y := pkcs7_helper.o
+pkcs7_message-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_LEGACY) += \
        pkcs7.asn1.o \
-       pkcs7_helper.o \
        pkcs7_parser.o
-obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
 
 $(obj)/pkcs7_parser.o: $(obj)/pkcs7.asn1.h
 $(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h
 
+obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
+
 #
 # Signed PE binary-wrapped key handling
 #