u-boot.git/lib/crypto, branch v2022.07 Unnamed repository; edit this file 'description' to name the repository. lib: crypto: add mscode_parser 2022-07-05T12:37:16+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2022-07-05T05:48:11+00:00 b124efc09fc5f62cc2e17d956ba3c5c9168738e8 In MS authenticode, pkcs7 should have data in its contentInfo field. This data is tagged with SpcIndirectData type and, for a signed PE image, provides a image's message digest as SpcPeImageData. This parser is used in image authentication to parse the field and retrieve a message digest. Imported from linux v5.19-rc, crypto/asymmetric_keys/mscode*. Checkpatch.pl generates tones of warnings, but those are not fixed for the sake of maintainability (importing from another source). Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
In MS authenticode, pkcs7 should have data in its contentInfo field.
This data is tagged with SpcIndirectData type and, for a signed PE image,
provides a image's message digest as SpcPeImageData.

This parser is used in image authentication to parse the field and
retrieve a message digest.

Imported from linux v5.19-rc, crypto/asymmetric_keys/mscode*.
Checkpatch.pl generates tones of warnings, but those are not fixed
for the sake of maintainability (importing from another source).

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
lib/crypto: support sha384/sha512 in x509/pkcs7 2022-04-11T15:39:19+00:00 Dhananjay Phadke dphadke@linux.microsoft.com 2022-03-15T17:19:32+00:00 e146a2c12ff1e9138f564ae6815a131bd850d8ef Set digest_size SHA384 and SHA512 algorithms in pkcs7 and x509, (not set by ported linux code, but needed by __UBOOT__ part). EFI_CAPSULE_AUTHENTICATE doesn't select these algos but required for correctness if certificates contain sha384WithRSAEncryption or sha512WithRSAEncryption OIDs. Signed-off-by: Dhananjay Phadke <dphadke@linux.microsoft.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Set digest_size SHA384 and SHA512 algorithms in pkcs7 and x509,
(not set by ported linux code, but needed by __UBOOT__ part).

EFI_CAPSULE_AUTHENTICATE doesn't select these algos but required for
correctness if certificates contain sha384WithRSAEncryption or
sha512WithRSAEncryption OIDs.

Signed-off-by: Dhananjay Phadke <dphadke@linux.microsoft.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Make ASYMMETRIC_KEY_TYPE depend on FIT_SIGNATURE 2022-04-06T18:03:17+00:00 Simon Glass sjg@chromium.org 2022-02-28T19:08:31+00:00 b7463f198da65257a3e0308f920ff8b3631c955b Add this dependency to avoid a build error if FIT_SIGNATURE is not enabled. Signed-off-by: Simon Glass <sjg@chromium.org> 
Add this dependency to avoid a build error if FIT_SIGNATURE is not
enabled.

Signed-off-by: Simon Glass <sjg@chromium.org>
lib: crypto: allow to build crypyo in SPL 2022-03-31T18:12:01+00:00 Philippe Reynes philippe.reynes@softathome.com 2022-03-28T20:56:57+00:00 e44ec9f7095ddccc33b19dd636aebc7bc0bf4789 This commit adds the options: - SPL_ASYMMETRIC_KEY_TYPE - SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE - SPL_RSA_PUBLIC_KEY_PARSER Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> 
This commit adds the options:
- SPL_ASYMMETRIC_KEY_TYPE
- SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
- SPL_RSA_PUBLIC_KEY_PARSER

Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
lib/crypto: Enable more algorithms in cert verification 2022-01-19T15:16:33+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2022-01-19T11:54:41+00:00 8699af63b8a5ea36c415b97079651ca02a0aafa5 Right now the code explicitly limits us to sha1,256 hashes with RSA2048 encryption. But the limitation is artificial since U-Boot supports a wider range of algorithms. The internal image_get_[checksum|crypto]_algo() functions expect an argument in the format of <checksum>,<crypto>. So let's remove the size checking and create the needed string on the fly in order to support more hash/signing combinations. Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Right now the code explicitly limits us to sha1,256 hashes with RSA2048
encryption.  But the limitation is artificial since U-Boot supports
a wider range of algorithms.

The internal image_get_[checksum|crypto]_algo() functions expect an
argument in the format of <checksum>,<crypto>.  So let's remove the size
checking and create the needed string on the fly in order to support
more hash/signing combinations.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
lib: Rename rsa-checksum.c to hash-checksum.c 2021-04-14T19:06:08+00:00 Alexandru Gagniuc mr.nuke.me@gmail.com 2021-02-19T18:45:10+00:00 0bcb28dfb946b32ed7550fc4c24c5dcea6718554 rsa-checksum.c sontains the hash_calculate() implementations. Despite the "rsa-" file prefix, this function is useful for other algorithms. To prevent confusion, move this file to lib/, and rename it to hash-checksum.c, to give it a more "generic" feel. Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
rsa-checksum.c sontains the hash_calculate() implementations. Despite
the "rsa-" file prefix, this function is useful for other algorithms.

To prevent confusion, move this file to lib/, and rename it to
hash-checksum.c, to give it a more "generic" feel.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
crypto: Fix the logic to calculate hash with authattributes set 2020-12-31T13:41:31+00:00 Sughosh Ganu sughosh.ganu@linaro.org 2020-12-30T13:57:01+00:00 4366a2440ae141c44d2041c92f3662016c6869e6 RFC 2315 Section 9.3 describes the message digesting process. The digest calculated depends on whether the authenticated attributes are present. In case of a scenario where the authenticated attributes are present, the message digest that gets signed and is part of the pkcs7 message is computed from the auth attributes rather than the contents field. Check if the auth attributes are present, and if set, use the auth attributes to compute the hash that would be compared with the encrypted hash on the pkcs7 message. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> 
RFC 2315 Section 9.3 describes the message digesting process. The
digest calculated depends on whether the authenticated attributes are
present. In case of a scenario where the authenticated attributes are
present, the message digest that gets signed and is part of the pkcs7
message is computed from the auth attributes rather than the contents
field.

Check if the auth attributes are present, and if set, use the auth
attributes to compute the hash that would be compared with the
encrypted hash on the pkcs7 message.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
lib/crypto: simplify public_key_verify_signature 2020-08-08T17:03:12+00:00 Heinrich Schuchardt xypron.glpk@gmx.de 2020-08-08T16:57:47+00:00 9bdbc8ef983547e85704fe2f75431c88e1989e33 The variable region is filled but never used. Remove it. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
The variable region is filled but never used. Remove it.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
lib: crypto: export and enhance pkcs7_verify_one() 2020-07-22T10:37:17+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-07-21T10:35:21+00:00 5ee81c6e3f9f6f851c69b1e3d2661d96671d1dd1 The function, pkcs7_verify_one(), will be utilized to rework signature verification logic aiming to support intermediate certificates in "chain of trust." To do that, its function interface is expanded, adding an extra argument which is expected to return the last certificate in trusted chain. Then, this last one must further be verified with signature database, db and/or dbx. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
The function, pkcs7_verify_one(), will be utilized to rework signature
verification logic aiming to support intermediate certificates in
"chain of trust."

To do that, its function interface is expanded, adding an extra argument
which is expected to return the last certificate in trusted chain.
Then, this last one must further be verified with signature database, db
and/or dbx.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
lib: crypto: add pkcs7_digest() 2020-07-22T10:36:29+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2020-07-21T10:35:20+00:00 05329fa4c0c7774d01945d94ad2e9079a338baa8 This function was nullified when the file, pkcs7_verify.c, was imported because it calls further linux-specific interfaces inside, hence that could lead to more files being imported from linux. We need this function in pkcs7_verify_one() and so simply re-implement it here instead of re-using the code. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
This function was nullified when the file, pkcs7_verify.c, was imported
because it calls further linux-specific interfaces inside, hence that
could lead to more files being imported from linux.

We need this function in pkcs7_verify_one() and so simply re-implement it
here instead of re-using the code.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>