|
iPXE
|
Cryptographic Message Syntax (PKCS #7)
#include <stdint.h>
#include <string.h>
#include <time.h>
#include <errno.h>
#include <ipxe/asn1.h>
#include <ipxe/x509.h>
#include <ipxe/image.h>
#include <ipxe/malloc.h>
#include <ipxe/privkey.h>
#include <ipxe/cms.h>
Functions | |
| FILE_LICENCE (GPL2_OR_LATER_OR_UBDL) | |
| FILE_SECBOOT (PERMITTED) | |
| static int | cms_parse_signed (struct cms_message *cms, const struct asn1_cursor *raw) |
| Parse CMS signed data. | |
| static int | cms_parse_enveloped (struct cms_message *cms, const struct asn1_cursor *raw) |
| Parse CMS enveloped data. | |
| static int | cms_parse_content_type (struct cms_message *cms, const struct asn1_cursor *raw) |
| Parse CMS message content type. | |
| static int | cms_parse_certificates (struct cms_message *cms, const struct asn1_cursor *raw) |
| Parse CMS message certificate list. | |
| static int | cms_parse_identifier (struct cms_message *cms, struct cms_participant *part, const struct asn1_cursor *raw) |
| Parse CMS message participant identifier. | |
| static int | cms_parse_digest_algorithm (struct cms_message *cms, struct cms_participant *part, const struct asn1_cursor *raw) |
| Parse CMS message digest algorithm. | |
| static int | cms_parse_pubkey_algorithm (struct cms_message *cms, struct cms_participant *part, const struct asn1_cursor *raw) |
| Parse CMS message public-key algorithm. | |
| static int | cms_parse_cipher_algorithm (struct cms_message *cms, const struct asn1_cursor *raw) |
| Parse CMS message cipher algorithm. | |
| static int | cms_parse_value (struct cms_message *cms, struct cms_participant *part, const struct asn1_cursor *raw) |
| Parse CMS message signature or key value. | |
| static int | cms_parse_participant (struct cms_message *cms, struct cms_participant *part, const struct asn1_cursor *raw) |
| Parse CMS message participant information. | |
| static int | cms_parse_participants (struct cms_message *cms, const struct asn1_cursor *raw) |
| Parse CMS message participants information. | |
| static int | cms_parse_encrypted (struct cms_message *cms, const struct asn1_cursor *raw) |
| Parse CMS message encrypted content information. | |
| static int | cms_parse_mac (struct cms_message *cms, const struct asn1_cursor *raw) |
| Parse CMS message MAC. | |
| static int | cms_parse (struct cms_message *cms) |
| Parse CMS message from ASN.1 data. | |
| static void | cms_free (struct refcnt *refcnt) |
| Free CMS message. | |
| int | cms_message (struct image *image, struct cms_message **cms) |
| Create CMS message. | |
| static void | cms_digest (struct cms_message *cms, struct cms_participant *part, const void *data, size_t len, void *out) |
| Calculate digest of CMS-signed data. | |
| static int | cms_verify_digest (struct cms_message *cms, struct cms_participant *part, struct x509_certificate *cert, const void *data, size_t len) |
| Verify digest of CMS-signed data. | |
| static int | cms_verify_signer (struct cms_message *cms, struct cms_participant *part, const void *data, size_t len, time_t time, struct x509_chain *store, struct x509_root *root) |
| Verify CMS message signer. | |
| int | cms_verify (struct cms_message *cms, struct image *image, const char *name, time_t time, struct x509_chain *store, struct x509_root *root) |
| Verify CMS signature. | |
| static struct cms_participant * | cms_recipient (struct cms_message *cms, struct private_key *private_key) |
| Identify CMS recipient corresponding to private key. | |
| static int | cms_cipher_key (struct cms_message *cms, struct cms_participant *part, struct private_key *private_key, void *ctx) |
| Set CMS cipher key. | |
| static int | cms_cipher (struct cms_message *cms, struct private_key *private_key, void *ctx) |
| Initialise cipher for CMS decryption. | |
| static int | cms_verify_padding (struct cms_message *cms, const void *data, size_t len) |
| Check CMS padding. | |
| int | cms_decrypt (struct cms_message *cms, struct image *image, const char *name, struct private_key *private_key) |
| Decrypt CMS message. | |
Variables | |
| static uint8_t | oid_signeddata [] = { ASN1_OID_SIGNEDDATA } |
| "id-signedData" object identifier | |
| static uint8_t | oid_envelopeddata [] = { ASN1_OID_ENVELOPEDDATA } |
| "id-envelopedData" object identifier | |
| static uint8_t | oid_authenvelopeddata [] = { ASN1_OID_AUTHENVELOPEDDATA } |
| "id-authEnvelopedData" object identifier | |
| static struct cms_type | cms_types [] |
| CMS message types. | |
Cryptographic Message Syntax (PKCS #7)
The format of CMS messages is defined in RFC 5652.
Definition in file cms.c.
| #define EACCES_NON_SIGNING __einfo_error ( EINFO_EACCES_NON_SIGNING ) |
Definition at line 47 of file cms.c.
Referenced by cms_verify_signer().
| #define EINFO_EACCES_NON_SIGNING __einfo_uniqify ( EINFO_EACCES, 0x01, "Not a signing certificate" ) |
| #define EACCES_NON_CODE_SIGNING __einfo_error ( EINFO_EACCES_NON_CODE_SIGNING ) |
Definition at line 51 of file cms.c.
Referenced by cms_verify_signer().
| #define EINFO_EACCES_NON_CODE_SIGNING __einfo_uniqify ( EINFO_EACCES, 0x02, "Not a code-signing certificate" ) |
| #define EACCES_WRONG_NAME __einfo_error ( EINFO_EACCES_WRONG_NAME ) |
Definition at line 55 of file cms.c.
Referenced by cms_verify(), and x509_check_name().
| #define EINFO_EACCES_WRONG_NAME __einfo_uniqify ( EINFO_EACCES, 0x04, "Incorrect certificate name" ) |
| #define EACCES_NO_SIGNATURES __einfo_error ( EINFO_EACCES_NO_SIGNATURES ) |
Definition at line 59 of file cms.c.
Referenced by cms_verify().
| #define EINFO_EACCES_NO_SIGNATURES __einfo_uniqify ( EINFO_EACCES, 0x05, "No signatures present" ) |
| #define EACCES_NO_RECIPIENTS __einfo_error ( EINFO_EACCES_NO_RECIPIENTS ) |
Definition at line 63 of file cms.c.
Referenced by cms_cipher().
| #define EINFO_EACCES_NO_RECIPIENTS __einfo_uniqify ( EINFO_EACCES, 0x06, "No usable recipients" ) |
| #define EACCES_LEN __einfo_error ( EINFO_EACCES_LEN ) |
Definition at line 67 of file cms.c.
Referenced by cms_decrypt().
| #define EINFO_EACCES_LEN __einfo_uniqify ( EINFO_EACCES, 0x07, "Bad file length" ) |
| #define EACCES_PAD __einfo_error ( EINFO_EACCES_PAD ) |
Definition at line 71 of file cms.c.
Referenced by cms_verify_padding().
| #define EINFO_EACCES_PAD __einfo_uniqify ( EINFO_EACCES, 0x08, "Bad block padding" ) |
| #define EACCES_MAC __einfo_error ( EINFO_EACCES_MAC ) |
Definition at line 75 of file cms.c.
Referenced by cms_decrypt().
| #define EINFO_EACCES_MAC __einfo_uniqify ( EINFO_EACCES, 0x09, "Invalid MAC" ) |
| #define ENOTSUP_TYPE __einfo_error ( EINFO_ENOTSUP_TYPE ) |
| #define EINFO_ENOTSUP_TYPE __einfo_uniqify ( EINFO_ENOTSUP, 0x01, "Unrecognised message type" ) |
| FILE_LICENCE | ( | GPL2_OR_LATER_OR_UBDL | ) |
| FILE_SECBOOT | ( | PERMITTED | ) |
|
static |
Parse CMS signed data.
| cms | CMS message |
| raw | ASN.1 cursor |
| rc | Return status code |
Definition at line 530 of file cms.c.
References asn1_enter(), ASN1_EXPLICIT_TAG, ASN1_INTEGER, ASN1_SEQUENCE, ASN1_SET, asn1_skip(), asn1_skip_any(), asn1_skip_if_exists(), cms_message::certificates, cms_parse_certificates(), cms_parse_participants(), ENOMEM, memcpy(), raw, rc, and x509_alloc_chain().
|
static |
Parse CMS enveloped data.
| cms | CMS message |
| raw | ASN.1 cursor |
| rc | Return status code |
Definition at line 575 of file cms.c.
References asn1_enter(), ASN1_IMPLICIT_TAG, ASN1_INTEGER, ASN1_SEQUENCE, asn1_skip(), asn1_skip_any(), asn1_skip_if_exists(), assert, cipher_algorithm::authsize, cms_message::cipher, cms_parse_encrypted(), cms_parse_mac(), cms_parse_participants(), memcpy(), NULL, raw, and rc.
|
static |
Parse CMS message content type.
| cms | CMS message |
| raw | ASN.1 cursor |
| rc | Return status code |
Definition at line 124 of file cms.c.
References asn1_compare(), asn1_enter(), ASN1_OID, cms_types, DBGC, DBGC_HDA, ENOTSUP_TYPE, memcpy(), raw, cms_message::type, and type.
Referenced by cms_parse().
|
static |
Parse CMS message certificate list.
| cms | CMS message |
| raw | ASN.1 cursor |
| rc | Return status code |
Definition at line 158 of file cms.c.
References asn1_enter(), ASN1_EXPLICIT_TAG, asn1_skip_any(), cms_message::certificates, asn1_cursor::data, DBGC, DBGC_HDA, asn1_cursor::len, memcpy(), raw, rc, strerror(), x509_append_raw(), x509_last(), and x509_name().
Referenced by cms_parse_signed().
|
static |
Parse CMS message participant identifier.
| cms | CMS message |
| part | Participant information to fill in |
| raw | ASN.1 cursor |
| rc | Return status code |
Definition at line 198 of file cms.c.
References asn1_enter(), ASN1_INTEGER, ASN1_SEQUENCE, asn1_shrink(), asn1_skip_any(), cms_message::certificates, cms_participant::chain, cms_is_signature(), DBGC, DBGC_HDA, ENOENT, x509_certificate::issuer, memcpy(), raw, rc, serial, strerror(), x509_append(), x509_auto_append(), and x509_find_issuer_serial().
Referenced by cms_parse_participant().
|
static |
Parse CMS message digest algorithm.
| cms | CMS message |
| part | Participant information to fill in |
| raw | ASN.1 cursor |
| rc | Return status code |
Definition at line 268 of file cms.c.
References algorithm, asn1_digest_algorithm(), DBGC, DBGC_HDA, cms_participant::digest, raw, rc, and strerror().
Referenced by cms_parse_participant().
|
static |
Parse CMS message public-key algorithm.
| cms | CMS message |
| part | Participant information to fill in |
| raw | ASN.1 cursor |
| rc | Return status code |
Definition at line 298 of file cms.c.
References algorithm, asn1_pubkey_algorithm(), DBGC, DBGC_HDA, cms_participant::pubkey, raw, rc, and strerror().
Referenced by cms_parse_participant().
|
static |
Parse CMS message cipher algorithm.
| cms | CMS message |
| raw | ASN.1 cursor |
| rc | Return status code |
Definition at line 327 of file cms.c.
References algorithm, asn1_cipher_algorithm(), cms_message::cipher, DBGC, DBGC_HDA, cms_message::iv, raw, rc, and strerror().
Referenced by cms_parse_encrypted().
|
static |
Parse CMS message signature or key value.
| cms | CMS message |
| part | Participant information to fill in |
| raw | ASN.1 cursor |
| rc | Return status code |
Definition at line 356 of file cms.c.
References asn1_enter(), ASN1_OCTET_STRING, asn1_cursor::data, DBGC, DBGC_HDA, asn1_cursor::len, memcpy(), raw, rc, and cms_participant::value.
Referenced by cms_parse_participant().
|
static |
Parse CMS message participant information.
| cms | CMS message |
| part | Participant information to fill in |
| raw | ASN.1 cursor |
| rc | Return status code |
Definition at line 383 of file cms.c.
References asn1_enter(), ASN1_EXPLICIT_TAG, ASN1_INTEGER, ASN1_SEQUENCE, asn1_skip(), asn1_skip_any(), asn1_skip_if_exists(), cms_is_signature(), cms_parse_digest_algorithm(), cms_parse_identifier(), cms_parse_pubkey_algorithm(), cms_parse_value(), memcpy(), raw, and rc.
Referenced by cms_parse_participants().
|
static |
Parse CMS message participants information.
| cms | CMS message |
| raw | ASN.1 cursor |
| rc | Return status code |
Definition at line 433 of file cms.c.
References asn1_enter(), ASN1_SET, asn1_skip_any(), cms_participant::chain, cms_parse_participant(), cms_participant::digest, digest_null, ENOMEM, asn1_cursor::len, cms_participant::list, list_add, memcpy(), cms_message::participants, cms_participant::pubkey, pubkey_null, raw, rc, x509_alloc_chain(), and zalloc().
Referenced by cms_parse_enveloped(), and cms_parse_signed().
|
static |
Parse CMS message encrypted content information.
| cms | CMS message |
| raw | ASN.1 cursor |
| rc | Return status code |
Definition at line 479 of file cms.c.
References asn1_enter(), ASN1_OID, ASN1_SEQUENCE, asn1_skip(), cms_parse_cipher_algorithm(), memcpy(), raw, and rc.
Referenced by cms_parse_enveloped().
|
static |
Parse CMS message MAC.
| cms | CMS message |
| raw | ASN.1 cursor |
| rc | Return status code |
Definition at line 505 of file cms.c.
References asn1_enter(), ASN1_OCTET_STRING, asn1_cursor::data, DBGC, DBGC_HDA, asn1_cursor::len, cms_message::mac, memcpy(), raw, rc, and strerror().
Referenced by cms_parse_enveloped().
|
static |
Parse CMS message from ASN.1 data.
| cms | CMS message |
| rc | Return status code |
Definition at line 618 of file cms.c.
References asn1_enter(), ASN1_EXPLICIT_TAG, ASN1_SEQUENCE, asn1_skip_any(), cms_parse_content_type(), memcpy(), cms_type::parse, cms_message::raw, rc, and cms_message::type.
Referenced by cms_message().
|
static |
Free CMS message.
| refcnt | Reference count |
Definition at line 646 of file cms.c.
References cms_message::certificates, cms_participant::chain, container_of, free, cms_participant::list, list_del, list_for_each_entry_safe, cms_message::participants, cms_message::raw, tmp, and x509_chain_put().
Referenced by cms_message().
| int cms_message | ( | struct image * | image, |
| struct cms_message ** | cms ) |
Create CMS message.
| image | Image |
| sig | CMS message (returned through the cms parameter) |
| rc | Return status code |
On success, the caller holds a reference to the CMS message, and is responsible for ultimately calling cms_put().
Definition at line 672 of file cms.c.
References asn1_shrink_any(), cipher_null, cms_free(), cms_parse(), cms_put(), DBGC, ENOMEM, image_asn1(), INIT_LIST_HEAD, next, rc, ref_init, strerror(), and zalloc().
|
static |
Calculate digest of CMS-signed data.
| cms | CMS message |
| part | Participant information |
| data | Signed data |
| len | Length of signed data |
| out | Digest output |
Definition at line 720 of file cms.c.
References ctx, digest_algorithm::ctxsize, data, DBGC, DBGC_HDA, cms_participant::digest, digest_final(), digest_init(), digest_update(), digest_algorithm::digestsize, len, and out.
Referenced by cms_verify_digest().
|
static |
Verify digest of CMS-signed data.
| cms | CMS message |
| part | Participant information |
| cert | Corresponding certificate |
| data | Signed data |
| len | Length of signed data |
| rc | Return status code |
Definition at line 745 of file cms.c.
References cms_digest(), data, DBGC, cms_participant::digest, digest_algorithm::digestsize, key, len, cms_participant::pubkey, pubkey_verify(), x509_subject::public_key, x509_public_key::raw, rc, strerror(), x509_certificate::subject, cms_participant::value, and value.
Referenced by cms_verify_signer().
|
static |
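Verify CMS message signer. Going by the references below, the signer's chain is validated with x509_validate_chain(), and a signer certificate lacking the digital-signature key usage or the code-signing extended key usage is rejected with EACCES_NON_SIGNING or EACCES_NON_CODE_SIGNING respectively.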
| cms | CMS message |
| part | Participant information |
| data | Signed data |
| len | Length of signed data |
| time | Time at which to validate certificates |
| store | Certificate store, or NULL to use default |
| root | Root certificate list, or NULL to use default |
| rc | Return status code |
Definition at line 782 of file cms.c.
References assert, x509_extended_key_usage::bits, x509_key_usage::bits, cms_participant::chain, cms_verify_digest(), data, DBGC, EACCES_NON_CODE_SIGNING, EACCES_NON_SIGNING, x509_extensions::ext_usage, x509_certificate::extensions, len, NULL, rc, root, x509_certificate::store, strerror(), x509_extensions::usage, X509_CODE_SIGNING, X509_DIGITAL_SIGNATURE, x509_first(), and x509_validate_chain().
Referenced by cms_verify().
| int cms_verify | ( | struct cms_message * | cms, |
| struct image * | image, | ||
| const char * | name, | ||
| time_t | time, | ||
| struct x509_chain * | store, | ||
| struct x509_root * | root ) |
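Verify CMS signature. Going by the references below, the image's trust state is changed through image_untrust() and image_trust(), and verification can fail with EACCES_NO_SIGNATURES or EACCES_WRONG_NAME; treat the image as verified only when rc is zero.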
| cms | CMS message |
| image | Signed image |
| name | Required common name, or NULL to check all signatures |
| time | Time at which to validate certificates |
| store | Certificate store, or NULL to use default |
| root | Root certificate list, or NULL to use default |
| rc | Return status code |
Definition at line 834 of file cms.c.
References cms_participant::chain, cms_is_signature(), cms_verify_signer(), count, image::data, DBGC, EACCES_NO_SIGNATURES, EACCES_WRONG_NAME, ENOTTY, image_trust(), image_untrust(), image::len, list_for_each_entry, name, cms_message::participants, rc, root, x509_certificate::store, x509_check_name(), and x509_first().
Referenced by cms_verify_fail_okx(), cms_verify_okx(), and imgverify().
|
static |
Identify CMS recipient corresponding to private key.
| cms | CMS message |
| private_key | Private key |
| part | Participant information, or NULL if not found |
Definition at line 887 of file cms.c.
References cms_participant::chain, list_for_each_entry, NULL, cms_message::participants, x509_find_key(), and x509_first().
Referenced by cms_cipher().
|
static |
Set CMS cipher key.
| cms | CMS message |
| part | Participant information |
| private_key | Private key |
| ctx | Cipher context |
| rc | Return status code |
Definition at line 914 of file cms.c.
References cms_message::cipher, cipher_setiv(), cipher_setkey(), ctx, asn1_builder::data, asn1_cursor::data, DBGC, DBGC_HDA, free, cms_message::iv, key, asn1_builder::len, asn1_cursor::len, NULL, privkey_cursor(), cms_participant::pubkey, pubkey_decrypt(), rc, strerror(), cms_participant::value, and value.
Referenced by cms_cipher().
|
static |
Initialise cipher for CMS decryption.
| cms | CMS message |
| private_key | Private key |
| ctx | Cipher context |
| rc | Return status code |
Definition at line 964 of file cms.c.
References cms_cipher_key(), cms_recipient(), ctx, DBGC, EACCES_NO_RECIPIENTS, and rc.
Referenced by cms_decrypt().
|
static |
Check CMS padding.
| cms | CMS message |
| data | Final block |
| len | Final block length |
| len | Padding length, or negative error (return value) |
Definition at line 991 of file cms.c.
References assert, cipher_algorithm::blocksize, cms_message::cipher, data, DBGC, DBGC_HDA, EACCES_PAD, is_block_cipher(), len, pad, and pad_len.
Referenced by cms_decrypt().
| int cms_decrypt | ( | struct cms_message * | cms, |
| struct image * | image, | ||
| const char * | name, | ||
| struct private_key * | private_key ) |
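Decrypt CMS message. The references below include image_untrust(), so a decrypted image should presumably be treated as untrusted until it has been verified separately: successful decryption does not by itself show who produced the content.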
| cms | CMS message |
| image | Image to decrypt |
| name | Decrypted image name, or NULL to use default |
| private_key | Private key |
| rc | Return status code |
Definition at line 1039 of file cms.c.
References cipher_algorithm::auth, cipher_algorithm::authsize, cipher_algorithm::blocksize, cms_message::cipher, cipher_auth(), cipher_decrypt, cipher_encrypt, cms_cipher(), cms_verify_padding(), ctx, cipher_algorithm::ctxsize, asn1_cursor::data, image::data, DBGC, DBGC_HDA, EACCES_LEN, EACCES_MAC, image::flags, image_get(), image_put(), IMAGE_REGISTERED, image_set_name(), image_strip_suffix(), image_untrust(), is_block_cipher(), asn1_cursor::len, image::len, cms_message::mac, memcmp(), memcpy(), name, NULL, pad_len, rc, register_image(), image::rwdata, image::type, and unregister_image().
Referenced by cms_decrypt_okx(), and imgdecrypt().
|
static |
"id-signedData" object identifier
Definition at line 90 of file cms.c.
|
static |
"id-envelopedData" object identifier
Definition at line 93 of file cms.c.
|
static |
"id-authEnvelopedData" object identifier
Definition at line 96 of file cms.c.
|
static |
CMS message types.
Definition at line 99 of file cms.c.
Referenced by cms_parse_content_type().