[crypto] Generalise cms_signature to cms_message

There is some useful structural similarity between the data structures used
for representing CMS signatures and CMS encryption keys.  In both
cases, the CMS message fundamentally encodes a list of participants
(either message signers or message recipients), where each participant
has an associated certificate and an opaque octet string representing
the signature or encrypted cipher key.  The ASN.1 structures are not
identical, but are sufficiently similar to be worth exploiting: for
example, the SignerIdentifier and RecipientIdentifier data structures
are defined identically.

Rename data structures and functions, and add the concept of a CMS
message type.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Michael Brown
2024-08-12 12:36:41 +01:00
parent 998edc6ec5
commit 97635eb71b
5 changed files with 366 additions and 286 deletions


@@ -55,8 +55,8 @@ struct cms_test_code {
struct cms_test_signature {
/** Signature image */
struct image image;
/** Parsed signature */
struct cms_signature *sig;
/** Parsed message */
struct cms_message *cms;
};
/** Define inline data */
@@ -1366,7 +1366,7 @@ static void cms_signature_okx ( struct cms_test_signature *sgn,
sgn->image.data = virt_to_user ( data );
/* Check ability to parse signature */
okx ( cms_signature ( &sgn->image, &sgn->sig ) == 0, file, line );
okx ( cms_message ( &sgn->image, &sgn->cms ) == 0, file, line );
/* Reset image data pointer */
sgn->image.data = ( ( userptr_t ) data );
@@ -1397,10 +1397,10 @@ static void cms_verify_okx ( struct cms_test_signature *sgn,
code->image.data = virt_to_user ( data );
/* Invalidate any certificates from previous tests */
x509_invalidate_chain ( sgn->sig->certificates );
x509_invalidate_chain ( sgn->cms->certificates );
/* Check ability to verify signature */
okx ( cms_verify ( sgn->sig, &code->image, name, time, store,
okx ( cms_verify ( sgn->cms, &code->image, name, time, store,
root ) == 0, file, line );
okx ( code->image.flags & IMAGE_TRUSTED, file, line );
@@ -1434,10 +1434,10 @@ static void cms_verify_fail_okx ( struct cms_test_signature *sgn,
code->image.data = virt_to_user ( data );
/* Invalidate any certificates from previous tests */
x509_invalidate_chain ( sgn->sig->certificates );
x509_invalidate_chain ( sgn->cms->certificates );
/* Check inability to verify signature */
okx ( cms_verify ( sgn->sig, &code->image, name, time, store,
okx ( cms_verify ( sgn->cms, &code->image, name, time, store,
root ) != 0, file, line );
okx ( ! ( code->image.flags & IMAGE_TRUSTED ), file, line );
@@ -1498,11 +1498,11 @@ static void cms_test_exec ( void ) {
/* Sanity check */
assert ( list_empty ( &empty_store.links ) );
/* Drop signature references */
cms_put ( nonsigned_sig.sig );
cms_put ( genericsigned_sig.sig );
cms_put ( brokenchain_sig.sig );
cms_put ( codesigned_sig.sig );
/* Drop message references */
cms_put ( nonsigned_sig.cms );
cms_put ( genericsigned_sig.cms );
cms_put ( brokenchain_sig.cms );
cms_put ( codesigned_sig.cms );
}
/** CMS self-test */