
Add PKCS#7 parser features for integrating MbedTLS with U-Boot

Open raymo200915 opened this issue 11 months ago • 8 comments

Description

This PR implements the PKCS#7 parser features below, which are currently missing for integrating MbedTLS with the U-Boot EFI Loader.

  1. Multiple certs support
  2. Populating Microsoft Authentication Code if it exists
  3. Populating PKCS#9 Authenticate Attributes if they exist

All of the above features are tested with the U-Boot EFI Loader.

PR checklist

Please tick as appropriate and edit the reasons (e.g.: "backport: not needed because this is a new feature")

  • [ ] changelog : required
  • [ ] backport : not needed because this is a new feature
  • [x] tests : PKCS#7 test suites passed. Additionally tested with U-Boot EFI loader Secure Boot unit tests.

Notes for the submitter

Please refer to the contributing guidelines, especially the checklist for PR contributors.

Help make review efficient:

  • Multiple simple commits
    • please structure your PR into a series of small commits, each of which does one thing
  • Avoid force-push
    • please do not force-push to update your PR - just add new commit(s)
  • See our Guidelines for Contributors for more details about the review process.

raymo200915, Apr 02 '24 18:04

@bensze01 It took two days but CI still shows "Waiting for status to be reported", anything I need to do?

raymo200915, Apr 04 '24 14:04

The CI needs to be started manually. I've just done that.

Please note that we have just released what is planned to be the last 3.x release and we have started a long pause in releases to work on the ambitious plan for 4.0. As a consequence, it will likely take a while before we can review this new feature.

gilles-peskine-arm, Apr 08 '24 18:04

Thanks @gilles-peskine-arm, fixed some CI check coding style failures, please help to re-trigger CI.

raymo200915, Apr 09 '24 19:04

Thanks for the update! The CI has passed (the ABI check failures are probably false positives, reviewers will have to check this). It's now on us to review, but as I mentioned this might unfortunately take a while.

gilles-peskine-arm, Apr 10 '24 10:04

@gilles-peskine-arm For your information, the latest U-Boot patch series (V4) for integrating MbedTLS with U-Boot is under review at the link below: https://lore.kernel.org/u-boot/[email protected]/T/#t
Since it depends on this PR for the new PKCS#7 parser features, it would be great if this PR could be reviewed and merged before the U-Boot series.

raymo200915, Jul 02 '24 18:07

@gilles-peskine-arm For your information, a new U-Boot patch series (V5) for integrating MbedTLS with U-Boot is under review at the link below: https://lore.kernel.org/u-boot/[email protected]/

raymo200915, Aug 02 '24 16:08

I am playing around with this MR. I noticed that this code only correctly parses a subset of Authenticode Signatures and does not seem to work with any certificates with Time Stamping per https://learn.microsoft.com/en-us/windows/win32/seccrypto/time-stamping-authenticode-signatures

You can test this by running mbedtls_pkcs7_parse_der against any PE file signed by Microsoft. e.g. when I do it against explorer.exe I get MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO as the code doesn't seem to know what to do with the Time Stamping Certificate.

I'm trying to debug this as I have some interest in using mbedtls' pkcs7 support in my application specifically with Authenticode Signatures

Kraust, Aug 08 '24 13:08

> I am playing around with this MR. I noticed that this code only correctly parses a subset of Authenticode Signatures and does not seem to work with any certificates with Time Stamping per https://learn.microsoft.com/en-us/windows/win32/seccrypto/time-stamping-authenticode-signatures
>
> You can test this by running mbedtls_pkcs7_parse_der against any PE file signed by Microsoft. e.g. when I do it against explorer.exe I get MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO as the code doesn't seem to know what to do with the Time Stamping Certificate.
>
> I'm trying to debug this as I have some interest in using mbedtls' pkcs7 support in my application specifically with Authenticode Signatures

For signer's info, this patch set implements the missing features for integration with the U-Boot EFI loader - "authenticatedAttributes". Other ones that are not required by the U-Boot EFI loader remain as they were but can be extended in the future.

raymo200915, Aug 09 '24 15:08
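
The last two comments turn on which optional SignerInfo fields a PKCS#7 parser accepts. As an added example (not code from this PR or from Mbed TLS), the C helper below walks the top level of one DER-encoded SignerInfo and reports which of the two optional attribute sets from RFC 2315 are present: authenticatedAttributes (`[0]`) and unauthenticatedAttributes (`[1]`, where Authenticode carries its timestamp). The function names, flag names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Optional attribute sets of a PKCS#7 SignerInfo (RFC 2315, section 9.2). */
#define SI_AUTH_ATTRS   0x1   /* authenticatedAttributes   [0] IMPLICIT, tag 0xA0 */
#define SI_UNAUTH_ATTRS 0x2   /* unauthenticatedAttributes [1] IMPLICIT, tag 0xA1 */

/* Constructed sample: SignerInfo skeleton with empty sub-fields (structure only,
 * not a real signature): version, issuerAndSerial, digestAlg, [0], sigAlg, sig, [1]. */
static const uint8_t SAMPLE_SI[] = { 0x30, 0x0F, 0x02, 0x01, 0x01, 0x30, 0x00, 0x30, 0x00,
                                     0xA0, 0x00, 0x30, 0x00, 0x04, 0x00, 0xA1, 0x00 };

/* Read one DER header at *p; store tag and length, leave *p at the value bytes. */
static int der_hdr(const uint8_t **p, const uint8_t *end, uint8_t *tag, size_t *len)
{
    if (end - *p < 2) return -1;
    *tag = *(*p)++;
    size_t n = *(*p)++;
    if (n & 0x80) {                    /* long form: low 7 bits count the length bytes */
        size_t nb = n & 0x7F;          /* nb == 0 is BER indefinite length, invalid in DER */
        if (nb == 0 || nb > sizeof(size_t) || (size_t)(end - *p) < nb) return -1;
        for (n = 0; nb--; ) n = (n << 8) | *(*p)++;
    }
    if (n > (size_t)(end - *p)) return -1;   /* value must fit inside the buffer */
    *len = n;
    return 0;
}

/* Returns a bitmask of SI_* flags for one SignerInfo, or -1 if the DER is malformed.
 * Only top-level tags are inspected; nested values are skipped, not validated. */
int signer_info_optional_fields(const uint8_t *buf, size_t buflen)
{
    const uint8_t *p = buf, *end = buf + buflen;
    uint8_t tag; size_t len; int flags = 0;
    if (der_hdr(&p, end, &tag, &len) != 0 || tag != 0x30) return -1;
    end = p + len;                     /* confine the walk to the SEQUENCE body */
    while (p < end) {
        if (der_hdr(&p, end, &tag, &len) != 0) return -1;
        if (tag == 0xA0) flags |= SI_AUTH_ATTRS;
        if (tag == 0xA1) flags |= SI_UNAUTH_ATTRS;
        p += len;
    }
    return flags;
}

int main(void)
{
    printf("flags=%d\n", signer_info_optional_fields(SAMPLE_SI, sizeof SAMPLE_SI));
    return 0;
}
```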