Appended signatures support, unify GRUB config location and some fixes
- Remove -fcf-protection compiler flag to allow i386 builds (law) Related: rhbz#1915452 - Unify GRUB configuration file location across all platforms Related: rhbz#1918817 - Add 'at_keyboard_fallback_set' var to force the set manually (rmetrich) - Add appended signatures support for ppc64le LPAR Secure Boot (daxtens) Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
This commit is contained in:
parent
4fe0f66632
commit
b141171629
251
0280-Add-at_keyboard_fallback_set-var-to-force-the-set-ma.patch
Normal file
251
0280-Add-at_keyboard_fallback_set-var-to-force-the-set-ma.patch
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
|
||||||
|
Date: Fri, 18 Dec 2020 15:39:26 +0100
|
||||||
|
Subject: [PATCH] Add 'at_keyboard_fallback_set' var to force the set manually
|
||||||
|
|
||||||
|
This seems required with HP DL380p Gen 8 systems.
|
||||||
|
Indeed, with this system, we can see the following sequence:
|
||||||
|
|
||||||
|
1. controller is queried to get current configuration (returns 0x30 which is quite standard)
|
||||||
|
2. controller is queried to get the current keyboard set in used, using code 0xf0 (first part)
|
||||||
|
3. controller answers with 0xfa which means "ACK" (== ok)
|
||||||
|
4. then we send "0" to tell "we want to know which set your are supporting"
|
||||||
|
5. controller answers with 0xfa ("ACK")
|
||||||
|
6. controller should then give us 1, 2, 3 or 0x43, 0x41, 0x3f, but here it gives us 0xfe which means "NACK"
|
||||||
|
|
||||||
|
Since there seems no way to determine the current set, and in fact the
|
||||||
|
controller expects set2 to be used, we need to rely on an environment
|
||||||
|
variable.
|
||||||
|
Everything has been tested on this system: using 0xFE (resend command),
|
||||||
|
making sure we wait for ACK in the 2 steps "write_mode", etc.
|
||||||
|
|
||||||
|
Below is litterature I used to come up with "there is no other
|
||||||
|
solution":
|
||||||
|
- https://wiki.osdev.org/%228042%22_PS/2_Controller
|
||||||
|
- http://www-ug.eecg.toronto.edu/msl/nios_devices/datasheets/PS2%20Keyboard%20Protocol.htm
|
||||||
|
- http://www.s100computers.com/My%20System%20Pages/MSDOS%20Board/PC%20Keyboard.pdf
|
||||||
|
---
|
||||||
|
grub-core/term/at_keyboard.c | 127 ++++++++++++++++++++++++++++++++++---------
|
||||||
|
1 file changed, 101 insertions(+), 26 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/term/at_keyboard.c b/grub-core/term/at_keyboard.c
|
||||||
|
index 69d99b61df5..e7d51b249ad 100644
|
||||||
|
--- a/grub-core/term/at_keyboard.c
|
||||||
|
+++ b/grub-core/term/at_keyboard.c
|
||||||
|
@@ -31,6 +31,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
static grub_uint8_t grub_keyboard_controller_orig;
|
||||||
|
static grub_uint8_t grub_keyboard_orig_set;
|
||||||
|
struct grub_ps2_state ps2_state;
|
||||||
|
+static int fallback_set;
|
||||||
|
|
||||||
|
static int ping_sent;
|
||||||
|
|
||||||
|
@@ -76,6 +77,8 @@ at_command (grub_uint8_t data)
|
||||||
|
break;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+ if (i == GRUB_AT_TRIES)
|
||||||
|
+ grub_dprintf ("atkeyb", "at_command() timed out! (stopped after %d tries)\n", i);
|
||||||
|
return (i != GRUB_AT_TRIES);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -105,6 +108,21 @@ grub_keyboard_controller_read (void)
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+resend_last_result (void)
|
||||||
|
+{
|
||||||
|
+ grub_uint8_t ret;
|
||||||
|
+ keyboard_controller_wait_until_ready ();
|
||||||
|
+ grub_dprintf ("atkeyb", "resend_last_result: sending 0xfe\n");
|
||||||
|
+ grub_outb (0xfe, KEYBOARD_REG_DATA);
|
||||||
|
+ ret = wait_ack ();
|
||||||
|
+ grub_dprintf ("atkeyb", "resend_last_result: wait_ack() returned 0x%x\n", ret);
|
||||||
|
+ keyboard_controller_wait_until_ready ();
|
||||||
|
+ ret = grub_inb (KEYBOARD_REG_DATA);
|
||||||
|
+ grub_dprintf ("atkeyb", "resend_last_result: read 0x%x from controller\n", ret);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int
|
||||||
|
write_mode (int mode)
|
||||||
|
{
|
||||||
|
@@ -113,11 +131,17 @@ write_mode (int mode)
|
||||||
|
{
|
||||||
|
grub_uint8_t ack;
|
||||||
|
keyboard_controller_wait_until_ready ();
|
||||||
|
+ grub_dprintf ("atkeyb", "write_mode: sending 0xf0\n");
|
||||||
|
grub_outb (0xf0, KEYBOARD_REG_DATA);
|
||||||
|
+ ack = wait_ack ();
|
||||||
|
+ grub_dprintf ("atkeyb", "write_mode: wait_ack() returned 0x%x\n", ack);
|
||||||
|
+ if (ack != GRUB_AT_ACK)
|
||||||
|
+ continue;
|
||||||
|
keyboard_controller_wait_until_ready ();
|
||||||
|
+ grub_dprintf ("atkeyb", "write_mode: sending mode %d\n", mode);
|
||||||
|
grub_outb (mode, KEYBOARD_REG_DATA);
|
||||||
|
- keyboard_controller_wait_until_ready ();
|
||||||
|
ack = wait_ack ();
|
||||||
|
+ grub_dprintf ("atkeyb", "write_mode: wait_ack() returned 0x%x\n", ack);
|
||||||
|
if (ack == GRUB_AT_NACK)
|
||||||
|
continue;
|
||||||
|
if (ack == GRUB_AT_ACK)
|
||||||
|
@@ -125,6 +149,9 @@ write_mode (int mode)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (i == GRUB_AT_TRIES)
|
||||||
|
+ grub_dprintf ("atkeyb", "write_mode() timed out! (stopped after %d tries)\n", i);
|
||||||
|
+
|
||||||
|
return (i != GRUB_AT_TRIES);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -132,31 +159,66 @@ static int
|
||||||
|
query_mode (void)
|
||||||
|
{
|
||||||
|
grub_uint8_t ret;
|
||||||
|
+ grub_uint64_t endtime;
|
||||||
|
+ unsigned i;
|
||||||
|
int e;
|
||||||
|
+ char *envvar;
|
||||||
|
|
||||||
|
- e = write_mode (0);
|
||||||
|
- if (!e) {
|
||||||
|
- grub_dprintf("atkeyb", "query_mode: write_mode(0) failed\n");
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
+ for (i = 0; i < GRUB_AT_TRIES; i++) {
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: sending command to controller\n");
|
||||||
|
+ e = write_mode (0);
|
||||||
|
+ if (!e) {
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: write_mode(0) failed\n");
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- do {
|
||||||
|
- keyboard_controller_wait_until_ready ();
|
||||||
|
- ret = grub_inb (KEYBOARD_REG_DATA);
|
||||||
|
- } while (ret == GRUB_AT_ACK);
|
||||||
|
- /* QEMU translates the set even in no-translate mode. */
|
||||||
|
- if (ret == 0x43 || ret == 1) {
|
||||||
|
- grub_dprintf("atkeyb", "query_mode: returning 1 (ret=0x%x)\n", ret);
|
||||||
|
- return 1;
|
||||||
|
- }
|
||||||
|
- if (ret == 0x41 || ret == 2) {
|
||||||
|
- grub_dprintf("atkeyb", "query_mode: returning 2 (ret=0x%x)\n", ret);
|
||||||
|
- return 2;
|
||||||
|
+ endtime = grub_get_time_ms () + 20;
|
||||||
|
+ do {
|
||||||
|
+ keyboard_controller_wait_until_ready ();
|
||||||
|
+ ret = grub_inb (KEYBOARD_REG_DATA);
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode/loop: read 0x%x from controller\n", ret);
|
||||||
|
+ } while ((ret == GRUB_AT_ACK || ret == GRUB_AT_NACK) && grub_get_time_ms () < endtime);
|
||||||
|
+ if (ret == 0xfe) {
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: asking controller to resend last result\n");
|
||||||
|
+ ret = resend_last_result();
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: read 0x%x from controller\n", ret);
|
||||||
|
+ }
|
||||||
|
+ /* QEMU translates the set even in no-translate mode. */
|
||||||
|
+ if (ret == 0x43 || ret == 1) {
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: controller returned 0x%x, returning 1\n", ret);
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ if (ret == 0x41 || ret == 2) {
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: controller returned 0x%x, returning 2\n", ret);
|
||||||
|
+ return 2;
|
||||||
|
+ }
|
||||||
|
+ if (ret == 0x3f || ret == 3) {
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: controller returned 0x%x, returning 3\n", ret);
|
||||||
|
+ return 3;
|
||||||
|
+ }
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: controller returned unexpected value 0x%x, retrying\n", ret);
|
||||||
|
}
|
||||||
|
- if (ret == 0x3f || ret == 3) {
|
||||||
|
- grub_dprintf("atkeyb", "query_mode: returning 3 (ret=0x%x)\n", ret);
|
||||||
|
- return 3;
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Falling here means we tried querying and the controller returned something
|
||||||
|
+ * we don't understand, try to use 'at_keyboard_fallback_set' if it exists,
|
||||||
|
+ * otherwise return 0.
|
||||||
|
+ */
|
||||||
|
+ envvar = grub_env_get ("at_keyboard_fallback_set");
|
||||||
|
+ if (envvar) {
|
||||||
|
+ fallback_set = grub_strtoul (envvar, 0, 10);
|
||||||
|
+ if ((grub_errno) || (fallback_set < 1) || (fallback_set > 3)) {
|
||||||
|
+ grub_dprintf ("atkeyb", "WARNING: ignoring unexpected value '%s' for '%s' variable\n",
|
||||||
|
+ envvar, "at_keyboard_fallback_set");
|
||||||
|
+ fallback_set = 0;
|
||||||
|
+ } else {
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: '%s' specified in environment, returning %d\n",
|
||||||
|
+ "at_keyboard_fallback_set", fallback_set);
|
||||||
|
+ }
|
||||||
|
+ return fallback_set;
|
||||||
|
}
|
||||||
|
+ grub_dprintf ("atkeyb", "WARNING: no '%s' specified in environment, returning 0\n",
|
||||||
|
+ "at_keyboard_fallback_set");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -165,14 +227,25 @@ set_scancodes (void)
|
||||||
|
{
|
||||||
|
/* You must have visited computer museum. Keyboard without scancode set
|
||||||
|
knowledge. Assume XT. */
|
||||||
|
- if (!grub_keyboard_orig_set)
|
||||||
|
- {
|
||||||
|
- grub_dprintf ("atkeyb", "No sets support assumed\n");
|
||||||
|
- ps2_state.current_set = 1;
|
||||||
|
+ if (!grub_keyboard_orig_set) {
|
||||||
|
+ if (fallback_set) {
|
||||||
|
+ grub_dprintf ("atkeyb", "No sets support assumed but set forced to %d\n", fallback_set);
|
||||||
|
+ ps2_state.current_set = fallback_set;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
+ grub_dprintf ("atkeyb", "No sets support assumed, forcing to set 1\n");
|
||||||
|
+ ps2_state.current_set = 1;
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
#if !USE_SCANCODE_SET
|
||||||
|
+ if (fallback_set) {
|
||||||
|
+ grub_dprintf ("atkeyb", "queried set is %d but set forced to %d\n",
|
||||||
|
+ grub_keyboard_orig_set, fallback_set);
|
||||||
|
+ ps2_state.current_set = fallback_set;
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if ((grub_keyboard_controller_orig & KEYBOARD_AT_TRANSLATE) == KEYBOARD_AT_TRANSLATE) {
|
||||||
|
grub_dprintf ("atkeyb", "queried set is %d but keyboard in Translate mode, so actually in set 1\n", grub_keyboard_orig_set);
|
||||||
|
ps2_state.current_set = 1;
|
||||||
|
@@ -229,6 +302,7 @@ grub_at_keyboard_is_alive (void)
|
||||||
|
|
||||||
|
if (KEYBOARD_COMMAND_ISREADY (grub_inb (KEYBOARD_REG_STATUS)))
|
||||||
|
{
|
||||||
|
+ grub_dprintf ("atkeyb", "grub_at_keyboard_is_alive: controller mode before self-test: 0x%x\n", grub_keyboard_controller_read());
|
||||||
|
grub_outb (0xaa, KEYBOARD_REG_STATUS);
|
||||||
|
ping_sent = 1;
|
||||||
|
}
|
||||||
|
@@ -261,6 +335,7 @@ grub_at_keyboard_getkey (struct grub_term_input *term __attribute__ ((unused)))
|
||||||
|
static void
|
||||||
|
grub_keyboard_controller_init (void)
|
||||||
|
{
|
||||||
|
+ grub_dprintf ("atkeyb", "initializing the controller\n");
|
||||||
|
ps2_state.at_keyboard_status = 0;
|
||||||
|
/* Drain input buffer. */
|
||||||
|
while (1)
|
||||||
|
@@ -282,6 +357,7 @@ grub_keyboard_controller_init (void)
|
||||||
|
grub_keyboard_controller_orig = grub_keyboard_controller_read ();
|
||||||
|
grub_dprintf ("atkeyb", "grub_keyboard_controller_orig = 0x%x\n", grub_keyboard_controller_orig);
|
||||||
|
grub_keyboard_orig_set = query_mode ();
|
||||||
|
+ grub_dprintf ("atkeyb", "grub_keyboard_orig_set = %d\n", grub_keyboard_orig_set);
|
||||||
|
#endif
|
||||||
|
set_scancodes ();
|
||||||
|
keyboard_controller_led (ps2_state.led_status);
|
||||||
|
@@ -329,7 +405,6 @@ grub_at_restore_hw (void)
|
||||||
|
return GRUB_ERR_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
-
|
||||||
|
static struct grub_term_input grub_at_keyboard_term =
|
||||||
|
{
|
||||||
|
.name = "at_keyboard",
|
@ -0,0 +1,41 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michael Chang <mchang@suse.com>
|
||||||
|
Date: Tue, 18 Feb 2020 18:08:18 +0800
|
||||||
|
Subject: [PATCH] verifiers: Fix calling uninitialized function pointer
|
||||||
|
|
||||||
|
The necessary check for NULL before use of function ver->close is not
|
||||||
|
taking place in the failure path. This patch simply adds the missing
|
||||||
|
check and fixes the problem that GRUB hangs indefinitely after booting
|
||||||
|
rogue image without valid signature if secure boot is turned on.
|
||||||
|
|
||||||
|
Now it displays like this for booting rogue UEFI image:
|
||||||
|
|
||||||
|
error: bad shim signature
|
||||||
|
error: you need to load the kernel first
|
||||||
|
|
||||||
|
Press any key to continue...
|
||||||
|
|
||||||
|
and then you can go back to boot menu by pressing any key or after a few
|
||||||
|
seconds expired.
|
||||||
|
|
||||||
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||||
|
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
---
|
||||||
|
grub-core/commands/verifiers.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/verifiers.c b/grub-core/commands/verifiers.c
|
||||||
|
index 0dde4818267..7b9297cd345 100644
|
||||||
|
--- a/grub-core/commands/verifiers.c
|
||||||
|
+++ b/grub-core/commands/verifiers.c
|
||||||
|
@@ -196,7 +196,8 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
|
||||||
|
return ret;
|
||||||
|
|
||||||
|
fail:
|
||||||
|
- ver->close (context);
|
||||||
|
+ if (ver->close)
|
||||||
|
+ ver->close (context);
|
||||||
|
fail_noclose:
|
||||||
|
verified_free (verified);
|
||||||
|
grub_free (ret);
|
52
0282-ieee1275-claim-up-to-256MB-memory.patch
Normal file
52
0282-ieee1275-claim-up-to-256MB-memory.patch
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Wed, 28 Oct 2020 11:44:29 +1100
|
||||||
|
Subject: [PATCH] ieee1275: claim up to 256MB memory
|
||||||
|
|
||||||
|
If we are verifying large kernels, we need more that 32MB. (Many distro
|
||||||
|
kernels are quite large, and debug kernels can be even bigger!)
|
||||||
|
|
||||||
|
We originally went with 512MB: qemu pseries gives you all the memory a
|
||||||
|
32-bit number can handle, so there was lots left over to place a linux image
|
||||||
|
and initrd.
|
||||||
|
|
||||||
|
Here's what we said then:
|
||||||
|
| This is possibly not the way we want to go with for upstream as it breaks
|
||||||
|
| booting on systems with <= 512MB. We're working on a more upstream-friendly
|
||||||
|
| solution and will post it shortly. However, for an end-user or packager with
|
||||||
|
| a higher minimum memory requirement, this will work fine.
|
||||||
|
|
||||||
|
However, we've since discovered that (at least on one P8 test system), PFW
|
||||||
|
doesn't expose all of the memory allocated to the LPAR: it looks like it just
|
||||||
|
exposes 512MB - at least unless we mess with the CHRP note section.
|
||||||
|
Therefore, if we try to claim 512MB in grub, things _do not_ work when we try
|
||||||
|
to load linux. As a compromise, and again we'd like a better upstream solution,
|
||||||
|
go for 256MB. This is at least enough to verify distro kernels.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/kern/ieee1275/init.c | 6 ++----
|
||||||
|
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
|
||||||
|
index 937c1bc44cb..d84fba44d10 100644
|
||||||
|
--- a/grub-core/kern/ieee1275/init.c
|
||||||
|
+++ b/grub-core/kern/ieee1275/init.c
|
||||||
|
@@ -52,15 +52,13 @@
|
||||||
|
#ifdef __i386__
|
||||||
|
#define HEAP_MAX_SIZE (unsigned long) (64 * 1024 * 1024)
|
||||||
|
#else
|
||||||
|
-#define HEAP_MAX_SIZE (unsigned long) (32 * 1024 * 1024)
|
||||||
|
+#define HEAP_MAX_SIZE (unsigned long) (256 * 1024 * 1024)
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-/* If possible, we will avoid claiming heap above this address, because it
|
||||||
|
- seems to cause relocation problems with OSes that link at 4 MiB */
|
||||||
|
#ifdef __i386__
|
||||||
|
#define HEAP_MAX_ADDR (unsigned long) (64 * 1024 * 1024)
|
||||||
|
#else
|
||||||
|
-#define HEAP_MAX_ADDR (unsigned long) (32 * 1024 * 1024)
|
||||||
|
+#define HEAP_MAX_ADDR (unsigned long) (256 * 1024 * 1024)
|
||||||
|
#endif
|
||||||
|
|
||||||
|
extern char _end[];
|
309
0283-Add-suport-for-signing-grub-with-an-appended-signatu.patch
Normal file
309
0283-Add-suport-for-signing-grub-with-an-appended-signatu.patch
Normal file
@ -0,0 +1,309 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rashmica Gupta <rashmica.g@gmail.com>
|
||||||
|
Date: Thu, 11 Jun 2020 11:26:23 +1000
|
||||||
|
Subject: [PATCH] Add suport for signing grub with an appended signature
|
||||||
|
|
||||||
|
Add infrastructure to allow firmware to verify the integrity of grub
|
||||||
|
by use of a Linux-kernel-module-style appended signature. We initially
|
||||||
|
target powerpc-ieee1275, but the code should be extensible to other
|
||||||
|
platforms.
|
||||||
|
|
||||||
|
Usually these signatures are appended to a file without modifying the
|
||||||
|
ELF file itself. (This is what the 'sign-file' tool does, for example.)
|
||||||
|
The verifier loads the signed file from the file system and looks at the
|
||||||
|
end of the file for the appended signature. However, on powerpc-ieee1275
|
||||||
|
platforms, the bootloader is often stored directly in the PReP partition
|
||||||
|
as raw bytes without a file-system. This makes determining the location
|
||||||
|
of an appended signature more difficult.
|
||||||
|
|
||||||
|
To address this, we add a new ELF note.
|
||||||
|
|
||||||
|
The name field of shall be the string "Appended-Signature", zero-padded
|
||||||
|
to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values
|
||||||
|
for the string "ASig"). It must be the final section in the ELF binary.
|
||||||
|
|
||||||
|
The description shall contain the appended signature structure as defined
|
||||||
|
by the Linux kernel. The description will also be padded to be a multiple
|
||||||
|
of 4 bytes. The padding shall be added before the appended signature
|
||||||
|
structure (not at the end) so that the final bytes of a signed ELF file
|
||||||
|
are the appended signature magic.
|
||||||
|
|
||||||
|
A subsequent patch documents how to create a grub core.img validly signed
|
||||||
|
under this scheme.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
Signed-off-by: Rashmica Gupta <rashmica.g@gmail.com>
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
You can experiment with this code with a patched version of SLOF
|
||||||
|
that verifies these signatures. You can find one at:
|
||||||
|
https://github.com/daxtens/SLOF
|
||||||
|
|
||||||
|
I will be proposing this for inclusion in a future Power Architecture
|
||||||
|
Platform Reference (PAPR).
|
||||||
|
---
|
||||||
|
util/grub-install-common.c | 16 +++++++++++++---
|
||||||
|
util/grub-mkimage.c | 11 +++++++++++
|
||||||
|
util/grub-mkimagexx.c | 39 ++++++++++++++++++++++++++++++++++++++-
|
||||||
|
util/mkimage.c | 10 +++++-----
|
||||||
|
include/grub/util/install.h | 8 ++++++--
|
||||||
|
include/grub/util/mkimage.h | 4 ++--
|
||||||
|
6 files changed, 75 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/util/grub-install-common.c b/util/grub-install-common.c
|
||||||
|
index 0295d40f5e4..e2be0a3e305 100644
|
||||||
|
--- a/util/grub-install-common.c
|
||||||
|
+++ b/util/grub-install-common.c
|
||||||
|
@@ -308,10 +308,12 @@ handle_install_list (struct install_list *il, const char *val,
|
||||||
|
static char **pubkeys;
|
||||||
|
static size_t npubkeys;
|
||||||
|
static grub_compression_t compression;
|
||||||
|
+static size_t appsig_size;
|
||||||
|
|
||||||
|
int
|
||||||
|
grub_install_parse (int key, char *arg)
|
||||||
|
{
|
||||||
|
+ const char *end;
|
||||||
|
switch (key)
|
||||||
|
{
|
||||||
|
case 'C':
|
||||||
|
@@ -400,6 +402,12 @@ grub_install_parse (int key, char *arg)
|
||||||
|
grub_util_error (_("Unrecognized compression `%s'"), arg);
|
||||||
|
case GRUB_INSTALL_OPTIONS_GRUB_MKIMAGE:
|
||||||
|
return 1;
|
||||||
|
+ case GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE:
|
||||||
|
+ grub_errno = 0;
|
||||||
|
+ appsig_size = grub_strtol(arg, &end, 10);
|
||||||
|
+ if (grub_errno)
|
||||||
|
+ return 0;
|
||||||
|
+ return 1;
|
||||||
|
default:
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
@@ -498,10 +506,12 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
|
||||||
|
grub_util_info ("grub-mkimage --directory '%s' --prefix '%s'"
|
||||||
|
" --output '%s' "
|
||||||
|
" --dtb '%s' "
|
||||||
|
- "--format '%s' --compression '%s' %s %s\n",
|
||||||
|
+ "--format '%s' --compression '%s' "
|
||||||
|
+ "--appended-signature-size %zu %s %s\n",
|
||||||
|
dir, prefix,
|
||||||
|
outname, dtb ? : "", mkimage_target,
|
||||||
|
- compnames[compression], note ? "--note" : "", s);
|
||||||
|
+ compnames[compression], appsig_size,
|
||||||
|
+ note ? "--note" : "", s);
|
||||||
|
free (s);
|
||||||
|
|
||||||
|
tgt = grub_install_get_image_target (mkimage_target);
|
||||||
|
@@ -511,7 +521,7 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
|
||||||
|
grub_install_generate_image (dir, prefix, fp, outname,
|
||||||
|
modules.entries, memdisk_path,
|
||||||
|
pubkeys, npubkeys, config_path, tgt,
|
||||||
|
- note, compression, dtb);
|
||||||
|
+ note, appsig_size, compression, dtb);
|
||||||
|
while (dc--)
|
||||||
|
grub_install_pop_module ();
|
||||||
|
}
|
||||||
|
diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
|
||||||
|
index 912564e3622..c1e07c70dc7 100644
|
||||||
|
--- a/util/grub-mkimage.c
|
||||||
|
+++ b/util/grub-mkimage.c
|
||||||
|
@@ -82,6 +82,7 @@ static struct argp_option options[] = {
|
||||||
|
{"format", 'O', N_("FORMAT"), 0, 0, 0},
|
||||||
|
{"compression", 'C', "(xz|none|auto)", 0, N_("choose the compression to use for core image"), 0},
|
||||||
|
{"verbose", 'v', 0, 0, N_("print verbose messages."), 0},
|
||||||
|
+ {"appended-signature-size", 's', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0},
|
||||||
|
{ 0, 0, 0, 0, 0, 0 }
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -124,6 +125,7 @@ struct arguments
|
||||||
|
char *font;
|
||||||
|
char *config;
|
||||||
|
int note;
|
||||||
|
+ size_t appsig_size;
|
||||||
|
const struct grub_install_image_target_desc *image_target;
|
||||||
|
grub_compression_t comp;
|
||||||
|
};
|
||||||
|
@@ -134,6 +136,7 @@ argp_parser (int key, char *arg, struct argp_state *state)
|
||||||
|
/* Get the input argument from argp_parse, which we
|
||||||
|
know is a pointer to our arguments structure. */
|
||||||
|
struct arguments *arguments = state->input;
|
||||||
|
+ const char* end;
|
||||||
|
|
||||||
|
switch (key)
|
||||||
|
{
|
||||||
|
@@ -166,6 +169,13 @@ argp_parser (int key, char *arg, struct argp_state *state)
|
||||||
|
arguments->note = 1;
|
||||||
|
break;
|
||||||
|
|
||||||
|
+ case 's':
|
||||||
|
+ grub_errno = 0;
|
||||||
|
+ arguments->appsig_size = grub_strtol(arg, &end, 10);
|
||||||
|
+ if (grub_errno)
|
||||||
|
+ return 0;
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
case 'm':
|
||||||
|
if (arguments->memdisk)
|
||||||
|
free (arguments->memdisk);
|
||||||
|
@@ -309,6 +319,7 @@ main (int argc, char *argv[])
|
||||||
|
arguments.memdisk, arguments.pubkeys,
|
||||||
|
arguments.npubkeys, arguments.config,
|
||||||
|
arguments.image_target, arguments.note,
|
||||||
|
+ arguments.appsig_size,
|
||||||
|
arguments.comp, arguments.dtb);
|
||||||
|
|
||||||
|
if (grub_util_file_sync (fp) < 0)
|
||||||
|
diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
|
||||||
|
index 52bc9c848d9..bd2e2e9a52a 100644
|
||||||
|
--- a/util/grub-mkimagexx.c
|
||||||
|
+++ b/util/grub-mkimagexx.c
|
||||||
|
@@ -84,6 +84,15 @@ struct grub_ieee1275_note
|
||||||
|
struct grub_ieee1275_note_desc descriptor;
|
||||||
|
};
|
||||||
|
|
||||||
|
+#define GRUB_APPENDED_SIGNATURE_NOTE_NAME "Appended-Signature"
|
||||||
|
+#define GRUB_APPENDED_SIGNATURE_NOTE_TYPE 0x41536967 /* "ASig" */
|
||||||
|
+
|
||||||
|
+struct grub_appended_signature_note
|
||||||
|
+{
|
||||||
|
+ Elf32_Nhdr header;
|
||||||
|
+ char name[ALIGN_UP(sizeof (GRUB_APPENDED_SIGNATURE_NOTE_NAME), 4)];
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
#define GRUB_XEN_NOTE_NAME "Xen"
|
||||||
|
|
||||||
|
struct fixup_block_list
|
||||||
|
@@ -207,7 +216,7 @@ grub_arm_reloc_jump24 (grub_uint32_t *target, Elf32_Addr sym_addr)
|
||||||
|
|
||||||
|
void
|
||||||
|
SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc *image_target,
|
||||||
|
- int note, char **core_img, size_t *core_size,
|
||||||
|
+ int note, size_t appsig_size, char **core_img, size_t *core_size,
|
||||||
|
Elf_Addr target_addr,
|
||||||
|
struct grub_mkimage_layout *layout)
|
||||||
|
{
|
||||||
|
@@ -221,6 +230,12 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
|
||||||
|
int shnum = 4;
|
||||||
|
int string_size = sizeof (".text") + sizeof ("mods") + 1;
|
||||||
|
|
||||||
|
+ if (appsig_size)
|
||||||
|
+ {
|
||||||
|
+ phnum++;
|
||||||
|
+ footer_size += ALIGN_UP(sizeof (struct grub_appended_signature_note) + appsig_size, 4);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (image_target->id != IMAGE_LOONGSON_ELF)
|
||||||
|
phnum += 2;
|
||||||
|
|
||||||
|
@@ -484,6 +499,28 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
|
||||||
|
phdr->p_offset = grub_host_to_target32 (header_size + program_size);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (appsig_size) {
|
||||||
|
+ int note_size = ALIGN_UP(sizeof (struct grub_appended_signature_note) + appsig_size, 4);
|
||||||
|
+ struct grub_appended_signature_note *note_ptr = (struct grub_appended_signature_note *)
|
||||||
|
+ (elf_img + program_size + header_size + (note ? sizeof (struct grub_ieee1275_note) : 0));
|
||||||
|
+
|
||||||
|
+ note_ptr->header.n_namesz = grub_host_to_target32 (sizeof (GRUB_APPENDED_SIGNATURE_NOTE_NAME));
|
||||||
|
+ /* needs to sit at the end, so we round this up and sign some zero padding */
|
||||||
|
+ note_ptr->header.n_descsz = grub_host_to_target32 (ALIGN_UP(appsig_size, 4));
|
||||||
|
+ note_ptr->header.n_type = grub_host_to_target32 (GRUB_APPENDED_SIGNATURE_NOTE_TYPE);
|
||||||
|
+ strcpy (note_ptr->name, GRUB_APPENDED_SIGNATURE_NOTE_NAME);
|
||||||
|
+
|
||||||
|
+ phdr++;
|
||||||
|
+ phdr->p_type = grub_host_to_target32 (PT_NOTE);
|
||||||
|
+ phdr->p_flags = grub_host_to_target32 (PF_R);
|
||||||
|
+ phdr->p_align = grub_host_to_target32 (image_target->voidp_sizeof);
|
||||||
|
+ phdr->p_vaddr = 0;
|
||||||
|
+ phdr->p_paddr = 0;
|
||||||
|
+ phdr->p_filesz = grub_host_to_target32 (note_size);
|
||||||
|
+ phdr->p_memsz = 0;
|
||||||
|
+ phdr->p_offset = grub_host_to_target32 (header_size + program_size + (note ? sizeof (struct grub_ieee1275_note) : 0));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
{
|
||||||
|
char *str_start = (elf_img + sizeof (*ehdr) + phnum * sizeof (*phdr)
|
||||||
|
+ shnum * sizeof (*shdr));
|
||||||
|
diff --git a/util/mkimage.c b/util/mkimage.c
|
||||||
|
index 37d6249f16b..bd06968decc 100644
|
||||||
|
--- a/util/mkimage.c
|
||||||
|
+++ b/util/mkimage.c
|
||||||
|
@@ -822,7 +822,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
char *memdisk_path, char **pubkey_paths,
|
||||||
|
size_t npubkeys, char *config_path,
|
||||||
|
const struct grub_install_image_target_desc *image_target,
|
||||||
|
- int note, grub_compression_t comp, const char *dtb_path)
|
||||||
|
+ int note, size_t appsig_size, grub_compression_t comp, const char *dtb_path)
|
||||||
|
{
|
||||||
|
char *kernel_img, *core_img;
|
||||||
|
size_t total_module_size, core_size;
|
||||||
|
@@ -1742,11 +1742,11 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
else
|
||||||
|
target_addr = image_target->link_addr;
|
||||||
|
if (image_target->voidp_sizeof == 4)
|
||||||
|
- grub_mkimage_generate_elf32 (image_target, note, &core_img, &core_size,
|
||||||
|
- target_addr, &layout);
|
||||||
|
+ grub_mkimage_generate_elf32 (image_target, note, appsig_size, &core_img,
|
||||||
|
+ &core_size, target_addr, &layout);
|
||||||
|
else
|
||||||
|
- grub_mkimage_generate_elf64 (image_target, note, &core_img, &core_size,
|
||||||
|
- target_addr, &layout);
|
||||||
|
+ grub_mkimage_generate_elf64 (image_target, note, appsig_size, &core_img,
|
||||||
|
+ &core_size, target_addr, &layout);
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
diff --git a/include/grub/util/install.h b/include/grub/util/install.h
|
||||||
|
index 2631b107451..eb1b83b6d94 100644
|
||||||
|
--- a/include/grub/util/install.h
|
||||||
|
+++ b/include/grub/util/install.h
|
||||||
|
@@ -63,6 +63,9 @@
|
||||||
|
/* TRANSLATORS: "embed" is a verb (command description). "*/ \
|
||||||
|
{ "pubkey", 'k', N_("FILE"), 0, \
|
||||||
|
N_("embed FILE as public key for signature checking"), 0}, \
|
||||||
|
+ { "appended-signature-size", GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,\
|
||||||
|
+ "SIZE", 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), \
|
||||||
|
+ 1}, \
|
||||||
|
{ "verbose", 'v', 0, 0, \
|
||||||
|
N_("print verbose messages."), 1 }
|
||||||
|
|
||||||
|
@@ -122,7 +125,8 @@ enum grub_install_options {
|
||||||
|
GRUB_INSTALL_OPTIONS_THEMES_DIRECTORY,
|
||||||
|
GRUB_INSTALL_OPTIONS_GRUB_MKIMAGE,
|
||||||
|
GRUB_INSTALL_OPTIONS_INSTALL_CORE_COMPRESS,
|
||||||
|
- GRUB_INSTALL_OPTIONS_DTB
|
||||||
|
+ GRUB_INSTALL_OPTIONS_DTB,
|
||||||
|
+ GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE
|
||||||
|
};
|
||||||
|
|
||||||
|
extern char *grub_install_source_directory;
|
||||||
|
@@ -182,7 +186,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
size_t npubkeys,
|
||||||
|
char *config_path,
|
||||||
|
const struct grub_install_image_target_desc *image_target,
|
||||||
|
- int note,
|
||||||
|
+ int note, size_t appsig_size,
|
||||||
|
grub_compression_t comp, const char *dtb_file);
|
||||||
|
|
||||||
|
const struct grub_install_image_target_desc *
|
||||||
|
diff --git a/include/grub/util/mkimage.h b/include/grub/util/mkimage.h
|
||||||
|
index ba9f568f692..2000d6fbdf1 100644
|
||||||
|
--- a/include/grub/util/mkimage.h
|
||||||
|
+++ b/include/grub/util/mkimage.h
|
||||||
|
@@ -50,12 +50,12 @@ grub_mkimage_load_image64 (const char *kernel_path,
|
||||||
|
const struct grub_install_image_target_desc *image_target);
|
||||||
|
void
|
||||||
|
grub_mkimage_generate_elf32 (const struct grub_install_image_target_desc *image_target,
|
||||||
|
- int note, char **core_img, size_t *core_size,
|
||||||
|
+ int note, size_t appsig_size, char **core_img, size_t *core_size,
|
||||||
|
Elf32_Addr target_addr,
|
||||||
|
struct grub_mkimage_layout *layout);
|
||||||
|
void
|
||||||
|
grub_mkimage_generate_elf64 (const struct grub_install_image_target_desc *image_target,
|
||||||
|
- int note, char **core_img, size_t *core_size,
|
||||||
|
+ int note, size_t appsig_size, char **core_img, size_t *core_size,
|
||||||
|
Elf64_Addr target_addr,
|
||||||
|
struct grub_mkimage_layout *layout);
|
||||||
|
|
59
0284-docs-grub-Document-signing-grub-under-UEFI.patch
Normal file
59
0284-docs-grub-Document-signing-grub-under-UEFI.patch
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Sat, 15 Aug 2020 02:00:57 +1000
|
||||||
|
Subject: [PATCH] docs/grub: Document signing grub under UEFI
|
||||||
|
|
||||||
|
Before adding information about how grub is signed with an appended
|
||||||
|
signature scheme, it's worth adding some information about how it
|
||||||
|
can currently be signed for UEFI.
|
||||||
|
|
||||||
|
(adjusted from upstream - s/grub/grub2/ in the docs)
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
docs/grub.texi | 19 ++++++++++++++++++-
|
||||||
|
1 file changed, 18 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
|
index 085b9974cc5..abb1d0fae54 100644
|
||||||
|
--- a/docs/grub.texi
|
||||||
|
+++ b/docs/grub.texi
|
||||||
|
@@ -5645,6 +5645,7 @@ environment variables and commands are listed in the same order.
|
||||||
|
@menu
|
||||||
|
* Authentication and authorisation:: Users and access control
|
||||||
|
* Using digital signatures:: Booting digitally signed code
|
||||||
|
+* Signing GRUB itself:: Ensuring the integrity of the GRUB core image
|
||||||
|
* UEFI secure boot and shim:: Booting digitally signed PE files
|
||||||
|
* Measured Boot:: Measuring boot components
|
||||||
|
@end menu
|
||||||
|
@@ -5724,7 +5725,7 @@ commands.
|
||||||
|
|
||||||
|
GRUB's @file{core.img} can optionally provide enforcement that all files
|
||||||
|
subsequently read from disk are covered by a valid digital signature.
|
||||||
|
-This document does @strong{not} cover how to ensure that your
|
||||||
|
+This section does @strong{not} cover how to ensure that your
|
||||||
|
platform's firmware (e.g., Coreboot) validates @file{core.img}.
|
||||||
|
|
||||||
|
If environment variable @code{check_signatures}
|
||||||
|
@@ -5809,6 +5810,22 @@ or BIOS) configuration to cause the machine to boot from a different
|
||||||
|
(attacker-controlled) device. GRUB is at best only one link in a
|
||||||
|
secure boot chain.
|
||||||
|
|
||||||
|
+@node Signing GRUB itself
|
||||||
|
+@section Signing GRUB itself
|
||||||
|
+
|
||||||
|
+To ensure a complete secure-boot chain, there must be a way for the code that
|
||||||
|
+loads GRUB to verify the integrity of the core image.
|
||||||
|
+
|
||||||
|
+This is ultimately platform-specific and individual platforms can define their
|
||||||
|
+own mechanisms. However, there are general-purpose mechanisms that can be used
|
||||||
|
+with GRUB.
|
||||||
|
+
|
||||||
|
+@section Signing GRUB for UEFI secure boot
|
||||||
|
+
|
||||||
|
+On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
|
||||||
|
+with a tool such as @command{pesign} or @command{sbsign}. It will also be
|
||||||
|
+necessary to enrol the public key used into a relevant firmware key database.
|
||||||
|
+
|
||||||
|
@node UEFI secure boot and shim
|
||||||
|
@section UEFI secure boot and shim support
|
||||||
|
|
@ -0,0 +1,66 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||||
|
Date: Mon, 8 Feb 2021 19:17:55 +0100
|
||||||
|
Subject: [PATCH] docs/grub: Document signing grub with an appended signature
|
||||||
|
|
||||||
|
Signing grub for firmware that verifies an appended signature is a
|
||||||
|
bit fiddly. I don't want people to have to figure it out from scratch
|
||||||
|
so document it here.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
docs/grub.texi | 41 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 41 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
|
index abb1d0fae54..e8bfe7ee7e8 100644
|
||||||
|
--- a/docs/grub.texi
|
||||||
|
+++ b/docs/grub.texi
|
||||||
|
@@ -5826,6 +5826,47 @@ On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
|
||||||
|
with a tool such as @command{pesign} or @command{sbsign}. It will also be
|
||||||
|
necessary to enrol the public key used into a relevant firmware key database.
|
||||||
|
|
||||||
|
+@section Signing GRUB with an appended signature
|
||||||
|
+
|
||||||
|
+The @file{core.img} itself can be signed with a Linux kernel module-style
|
||||||
|
+appended signature.
|
||||||
|
+
|
||||||
|
+To support IEEE1275 platforms where the boot image is often loaded directly
|
||||||
|
+from a disk partition rather than from a file system, the @file{core.img}
|
||||||
|
+can specify the size and location of the appended signature with an ELF
|
||||||
|
+note added by @command{grub-install}.
|
||||||
|
+
|
||||||
|
+An image can be signed this way using the @command{sign-file} command from
|
||||||
|
+the Linux kernel:
|
||||||
|
+
|
||||||
|
+@example
|
||||||
|
+@group
|
||||||
|
+# grub.key is your private key and certificate.der is your public key
|
||||||
|
+
|
||||||
|
+# Determine the size of the appended signature. It depends on the signing
|
||||||
|
+# certificate and the hash algorithm
|
||||||
|
+touch empty
|
||||||
|
+sign-file SHA256 grub.key certificate.der empty empty.sig
|
||||||
|
+SIG_SIZE=`stat -c '%s' empty.sig`
|
||||||
|
+rm empty empty.sig
|
||||||
|
+
|
||||||
|
+# Build a grub image with $SIG_SIZE reserved for the signature
|
||||||
|
+grub-install --appended-signature-size $SIG_SIZE --modules="..." ...
|
||||||
|
+
|
||||||
|
+# Replace the reserved size with a signature:
|
||||||
|
+# cut off the last $SIG_SIZE bytes with truncate's minus modifier
|
||||||
|
+truncate -s -$SIG_SIZE /boot/grub/powerpc-ieee1275/core.elf core.elf.unsigned
|
||||||
|
+# sign the trimmed file with an appended signature, restoring the correct size
|
||||||
|
+sign-file SHA256 grub.key certificate.der core.elf.unsigned core.elf.signed
|
||||||
|
+
|
||||||
|
+# Don't forget to install the signed image as required
|
||||||
|
+# (e.g. on powerpc-ieee1275, to the PReP partition)
|
||||||
|
+@end group
|
||||||
|
+@end example
|
||||||
|
+
|
||||||
|
+As with UEFI secure boot, it is necessary to build in the required modules,
|
||||||
|
+or sign them separately.
|
||||||
|
+
|
||||||
|
@node UEFI secure boot and shim
|
||||||
|
@section UEFI secure boot and shim support
|
||||||
|
|
@ -0,0 +1,33 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Sat, 15 Aug 2020 01:00:11 +1000
|
||||||
|
Subject: [PATCH] docs/grub: grub-install is no longer a shell script
|
||||||
|
|
||||||
|
Since commit cd46aa6cefab in 2013, grub-install hasn't been a shell
|
||||||
|
script. The para doesn't really add that much, especially since it's
|
||||||
|
the user manual, so just drop it.
|
||||||
|
|
||||||
|
(adjust docs: s/grub/grub2)
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
docs/grub.texi | 7 -------
|
||||||
|
1 file changed, 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
|
index e8bfe7ee7e8..2436c57f598 100644
|
||||||
|
--- a/docs/grub.texi
|
||||||
|
+++ b/docs/grub.texi
|
||||||
|
@@ -695,13 +695,6 @@ floppy instead of exposing the USB drive as a hard disk (they call it
|
||||||
|
This install doesn't conflict with standard install as long as they are in
|
||||||
|
separate directories.
|
||||||
|
|
||||||
|
-Note that @command{grub2-install} is actually just a shell script and the
|
||||||
|
-real task is done by other tools such as @command{grub2-mkimage}. Therefore,
|
||||||
|
-you may run those commands directly to install GRUB, without using
|
||||||
|
-@command{grub2-install}. Don't do that, however, unless you are very familiar
|
||||||
|
-with the internals of GRUB. Installing a boot loader on a running OS may be
|
||||||
|
-extremely dangerous.
|
||||||
|
-
|
||||||
|
On EFI systems for fixed disk install you have to mount EFI System Partition.
|
||||||
|
If you mount it at @file{/boot/efi} then you don't need any special arguments:
|
||||||
|
|
36
0287-docs-grub-pubkey-has-been-supported-for-some-time.patch
Normal file
36
0287-docs-grub-pubkey-has-been-supported-for-some-time.patch
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Sat, 15 Aug 2020 02:04:01 +1000
|
||||||
|
Subject: [PATCH] docs/grub: --pubkey has been supported for some time
|
||||||
|
|
||||||
|
--pubkey is supported, so we can now document it.
|
||||||
|
|
||||||
|
(adjust docs: s/grub/grub2)
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
docs/grub.texi | 12 +++---------
|
||||||
|
1 file changed, 3 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
|
index 2436c57f598..7fc2a62a4f8 100644
|
||||||
|
--- a/docs/grub.texi
|
||||||
|
+++ b/docs/grub.texi
|
||||||
|
@@ -5732,15 +5732,9 @@ verified with a public key currently trusted by GRUB
|
||||||
|
validation fails, then file @file{foo} cannot be opened. This failure
|
||||||
|
may halt or otherwise impact the boot process.
|
||||||
|
|
||||||
|
-@comment Unfortunately --pubkey is not yet supported by grub2-install,
|
||||||
|
-@comment but we should not bring up internal detail grub2-mkimage here
|
||||||
|
-@comment in the user guide (as opposed to developer's manual).
|
||||||
|
-
|
||||||
|
-@comment An initial trusted public key can be embedded within the GRUB
|
||||||
|
-@comment @file{core.img} using the @code{--pubkey} option to
|
||||||
|
-@comment @command{grub2-mkimage} (@pxref{Invoking grub2-install}). Presently it
|
||||||
|
-@comment is necessary to write a custom wrapper around @command{grub2-mkimage}
|
||||||
|
-@comment using the @code{--grub-mkimage} flag to @command{grub2-install}.
|
||||||
|
+An initial trusted public key can be embedded within the GRUB
|
||||||
|
+@file{core.img} using the @code{--pubkey} option to
|
||||||
|
+@command{grub2-install} (@pxref{Invoking grub2-install}).
|
||||||
|
|
||||||
|
GRUB uses GPG-style detached signatures (meaning that a file
|
||||||
|
@file{foo.sig} will be produced when file @file{foo} is signed), and
|
@ -0,0 +1,44 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Thu, 30 Jul 2020 00:13:21 +1000
|
||||||
|
Subject: [PATCH] dl: provide a fake grub_dl_set_persistent for the emu target
|
||||||
|
|
||||||
|
Trying to start grub-emu with a module that calls grub_dl_set_persistent
|
||||||
|
will crash because grub-emu fakes modules and passes NULL to the module
|
||||||
|
init function.
|
||||||
|
|
||||||
|
Provide an empty function for the emu case.
|
||||||
|
|
||||||
|
Fixes: ee7808e2197c (dl: Add support for persistent modules)
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
include/grub/dl.h | 11 +++++++++++
|
||||||
|
1 file changed, 11 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/include/grub/dl.h b/include/grub/dl.h
|
||||||
|
index 4fe2b524f73..177bcd67a25 100644
|
||||||
|
--- a/include/grub/dl.h
|
||||||
|
+++ b/include/grub/dl.h
|
||||||
|
@@ -243,11 +243,22 @@ grub_dl_get (const char *name)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef GRUB_MACHINE_EMU
|
||||||
|
+/*
|
||||||
|
+ * Under grub-emu, modules are faked and NULL is passed to GRUB_MOD_INIT.
|
||||||
|
+ * So we fake this out to avoid a NULL deref.
|
||||||
|
+ */
|
||||||
|
+static inline void
|
||||||
|
+grub_dl_set_persistent (grub_dl_t mod __attribute__((unused)))
|
||||||
|
+{
|
||||||
|
+}
|
||||||
|
+#else
|
||||||
|
static inline void
|
||||||
|
grub_dl_set_persistent (grub_dl_t mod)
|
||||||
|
{
|
||||||
|
mod->persistent = 1;
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
static inline int
|
||||||
|
grub_dl_is_persistent (grub_dl_t mod)
|
97
0289-verifiers-provide-unsafe-module-list.patch
Normal file
97
0289-verifiers-provide-unsafe-module-list.patch
Normal file
@ -0,0 +1,97 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Wed, 29 Jul 2020 17:46:16 +1000
|
||||||
|
Subject: [PATCH] verifiers: provide unsafe module list
|
||||||
|
|
||||||
|
Other verifiers that implement secure boot may want to be able to
|
||||||
|
use this list and behaviour.
|
||||||
|
|
||||||
|
Upstream, this factors the list out of the shim_lock verifier.
|
||||||
|
However, that hasn't hit the RHEL8.4 tree yet, so instead
|
||||||
|
of factoring it out of that we just create it.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/commands/verifiers.c | 46 ++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
include/grub/verify.h | 13 ++++++++++++
|
||||||
|
2 files changed, 59 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/verifiers.c b/grub-core/commands/verifiers.c
|
||||||
|
index 7b9297cd345..4ced984cfed 100644
|
||||||
|
--- a/grub-core/commands/verifiers.c
|
||||||
|
+++ b/grub-core/commands/verifiers.c
|
||||||
|
@@ -218,6 +218,52 @@ grub_verify_string (char *str, enum grub_verify_string_type type)
|
||||||
|
return GRUB_ERR_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* List of modules which may allow for verifcation to be bypassed. */
|
||||||
|
+static const char *const disabled_mods[] = { "iorw", "memrw", "wrmsr", NULL };
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Does the module in file `io' allow for the a verifier to be bypassed?
|
||||||
|
+ *
|
||||||
|
+ * Returns 1 if so, otherwise 0.
|
||||||
|
+ */
|
||||||
|
+char
|
||||||
|
+grub_is_dangerous_module (grub_file_t io)
|
||||||
|
+{
|
||||||
|
+ char *b, *e;
|
||||||
|
+ int i;
|
||||||
|
+
|
||||||
|
+ /* Establish GRUB module name. */
|
||||||
|
+ b = grub_strrchr (io->name, '/');
|
||||||
|
+ e = grub_strrchr (io->name, '.');
|
||||||
|
+
|
||||||
|
+ b = b ? (b + 1) : io->name;
|
||||||
|
+ e = e ? e : io->name + grub_strlen (io->name);
|
||||||
|
+ e = (e > b) ? e : io->name + grub_strlen (io->name);
|
||||||
|
+
|
||||||
|
+ for (i = 0; disabled_mods[i]; i++)
|
||||||
|
+ if (!grub_strncmp (b, disabled_mods[i],
|
||||||
|
+ grub_strlen (b) - grub_strlen (e)))
|
||||||
|
+ return 1;
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Is there already an unsafe module in memory?
|
||||||
|
+ * Returns the name if one is loaded, otherwise NULL.
|
||||||
|
+ */
|
||||||
|
+const char *
|
||||||
|
+grub_dangerous_module_loaded (void)
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+
|
||||||
|
+ for (i = 0; disabled_mods[i]; i++)
|
||||||
|
+ if (grub_dl_get (disabled_mods[i]))
|
||||||
|
+ {
|
||||||
|
+ return disabled_mods[i];
|
||||||
|
+ }
|
||||||
|
+ return NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
GRUB_MOD_INIT(verifiers)
|
||||||
|
{
|
||||||
|
grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
|
||||||
|
diff --git a/include/grub/verify.h b/include/grub/verify.h
|
||||||
|
index ea049143368..8c2de132051 100644
|
||||||
|
--- a/include/grub/verify.h
|
||||||
|
+++ b/include/grub/verify.h
|
||||||
|
@@ -81,4 +81,17 @@ grub_verifier_unregister (struct grub_file_verifier *ver)
|
||||||
|
grub_err_t
|
||||||
|
grub_verify_string (char *str, enum grub_verify_string_type type);
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Does the module in file `io' allow for the a verifier to be bypassed?
|
||||||
|
+ *
|
||||||
|
+ * Returns 1 if so, otherwise 0.
|
||||||
|
+ */
|
||||||
|
+char grub_is_dangerous_module (grub_file_t io);
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Is there already an unsafe module in memory?
|
||||||
|
+ * Returns the name if one is loaded, otherwise NULL.
|
||||||
|
+ */
|
||||||
|
+const char *grub_dangerous_module_loaded (void);
|
||||||
|
+
|
||||||
|
#endif /* ! GRUB_VERIFY_HEADER */
|
191
0290-pgp-factor-out-rsa_pad.patch
Normal file
191
0290-pgp-factor-out-rsa_pad.patch
Normal file
@ -0,0 +1,191 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Thu, 1 Oct 2020 20:23:48 +1000
|
||||||
|
Subject: [PATCH] pgp: factor out rsa_pad
|
||||||
|
|
||||||
|
rsa_pad does the PKCS#1 v1.5 padding for the RSA signature scheme.
|
||||||
|
We want to use it in other RSA signature verification applications.
|
||||||
|
|
||||||
|
I considered and rejected putting it in lib/crypto.c. That file doesn't
|
||||||
|
currently require any MPI functions, but rsa_pad does. That's not so
|
||||||
|
much of a problem for the grub kernel and modules, but crypto.c also
|
||||||
|
gets built into all the grub utilities. So - despite the utils not
|
||||||
|
using any asymmetric ciphers - we would need to built the entire MPI
|
||||||
|
infrastructure in to them.
|
||||||
|
|
||||||
|
A better and simpler solution is just to spin rsa_pad out into its own
|
||||||
|
PKCS#1 v1.5 module.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/Makefile.core.def | 8 ++++++
|
||||||
|
grub-core/commands/pgp.c | 28 ++-------------------
|
||||||
|
grub-core/lib/pkcs1_v15.c | 59 +++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
include/grub/pkcs1_v15.h | 27 +++++++++++++++++++++
|
||||||
|
4 files changed, 96 insertions(+), 26 deletions(-)
|
||||||
|
create mode 100644 grub-core/lib/pkcs1_v15.c
|
||||||
|
create mode 100644 include/grub/pkcs1_v15.h
|
||||||
|
|
||||||
|
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||||
|
index b283c502b9c..58bf113e7c1 100644
|
||||||
|
--- a/grub-core/Makefile.core.def
|
||||||
|
+++ b/grub-core/Makefile.core.def
|
||||||
|
@@ -2488,6 +2488,14 @@ module = {
|
||||||
|
cppflags = '$(CPPFLAGS_GCRY)';
|
||||||
|
};
|
||||||
|
|
||||||
|
+module = {
|
||||||
|
+ name = pkcs1_v15;
|
||||||
|
+ common = lib/pkcs1_v15.c;
|
||||||
|
+
|
||||||
|
+ cflags = '$(CFLAGS_GCRY) -Wno-redundant-decls -Wno-sign-compare';
|
||||||
|
+ cppflags = '$(CPPFLAGS_GCRY)';
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
module = {
|
||||||
|
name = all_video;
|
||||||
|
common = lib/fake_module.c;
|
||||||
|
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
|
||||||
|
index bbf6871fe71..2032afa4ec6 100644
|
||||||
|
--- a/grub-core/commands/pgp.c
|
||||||
|
+++ b/grub-core/commands/pgp.c
|
||||||
|
@@ -24,6 +24,7 @@
|
||||||
|
#include <grub/file.h>
|
||||||
|
#include <grub/command.h>
|
||||||
|
#include <grub/crypto.h>
|
||||||
|
+#include <grub/pkcs1_v15.h>
|
||||||
|
#include <grub/i18n.h>
|
||||||
|
#include <grub/gcrypt/gcrypt.h>
|
||||||
|
#include <grub/pubkey.h>
|
||||||
|
@@ -411,32 +412,7 @@ static int
|
||||||
|
rsa_pad (gcry_mpi_t *hmpi, grub_uint8_t *hval,
|
||||||
|
const gcry_md_spec_t *hash, struct grub_public_subkey *sk)
|
||||||
|
{
|
||||||
|
- grub_size_t tlen, emlen, fflen;
|
||||||
|
- grub_uint8_t *em, *emptr;
|
||||||
|
- unsigned nbits = gcry_mpi_get_nbits (sk->mpis[0]);
|
||||||
|
- int ret;
|
||||||
|
- tlen = hash->mdlen + hash->asnlen;
|
||||||
|
- emlen = (nbits + 7) / 8;
|
||||||
|
- if (emlen < tlen + 11)
|
||||||
|
- return 1;
|
||||||
|
-
|
||||||
|
- em = grub_malloc (emlen);
|
||||||
|
- if (!em)
|
||||||
|
- return 1;
|
||||||
|
-
|
||||||
|
- em[0] = 0x00;
|
||||||
|
- em[1] = 0x01;
|
||||||
|
- fflen = emlen - tlen - 3;
|
||||||
|
- for (emptr = em + 2; emptr < em + 2 + fflen; emptr++)
|
||||||
|
- *emptr = 0xff;
|
||||||
|
- *emptr++ = 0x00;
|
||||||
|
- grub_memcpy (emptr, hash->asnoid, hash->asnlen);
|
||||||
|
- emptr += hash->asnlen;
|
||||||
|
- grub_memcpy (emptr, hval, hash->mdlen);
|
||||||
|
-
|
||||||
|
- ret = gcry_mpi_scan (hmpi, GCRYMPI_FMT_USG, em, emlen, 0);
|
||||||
|
- grub_free (em);
|
||||||
|
- return ret;
|
||||||
|
+ return grub_crypto_rsa_pad(hmpi, hval, hash, sk->mpis[0]);
|
||||||
|
}
|
||||||
|
|
||||||
|
struct grub_pubkey_context
|
||||||
|
diff --git a/grub-core/lib/pkcs1_v15.c b/grub-core/lib/pkcs1_v15.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..dbacd563d01
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/grub-core/lib/pkcs1_v15.c
|
||||||
|
@@ -0,0 +1,59 @@
|
||||||
|
+/*
|
||||||
|
+ * GRUB -- GRand Unified Bootloader
|
||||||
|
+ * Copyright (C) 2013 Free Software Foundation, Inc.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is free software: you can redistribute it and/or modify
|
||||||
|
+ * it under the terms of the GNU General Public License as published by
|
||||||
|
+ * the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+ * (at your option) any later version.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is distributed in the hope that it will be useful,
|
||||||
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+ * GNU General Public License for more details.
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU General Public License
|
||||||
|
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include <grub/dl.h>
|
||||||
|
+#include <grub/gcrypt/gcrypt.h>
|
||||||
|
+
|
||||||
|
+GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Given a hash value 'hval', of hash specification 'hash', perform
|
||||||
|
+ * the EMSA-PKCS1-v1_5 padding suitable for a key with modulus 'mod'
|
||||||
|
+ * (see RFC 8017 s 9.2) and place the result in 'hmpi'.
|
||||||
|
+ */
|
||||||
|
+gcry_err_code_t
|
||||||
|
+grub_crypto_rsa_pad (gcry_mpi_t * hmpi, grub_uint8_t * hval,
|
||||||
|
+ const gcry_md_spec_t * hash, gcry_mpi_t mod)
|
||||||
|
+{
|
||||||
|
+ grub_size_t tlen, emlen, fflen;
|
||||||
|
+ grub_uint8_t *em, *emptr;
|
||||||
|
+ unsigned nbits = gcry_mpi_get_nbits (mod);
|
||||||
|
+ int ret;
|
||||||
|
+ tlen = hash->mdlen + hash->asnlen;
|
||||||
|
+ emlen = (nbits + 7) / 8;
|
||||||
|
+ if (emlen < tlen + 11)
|
||||||
|
+ return GPG_ERR_TOO_SHORT;
|
||||||
|
+
|
||||||
|
+ em = grub_malloc (emlen);
|
||||||
|
+ if (!em)
|
||||||
|
+ return 1;
|
||||||
|
+
|
||||||
|
+ em[0] = 0x00;
|
||||||
|
+ em[1] = 0x01;
|
||||||
|
+ fflen = emlen - tlen - 3;
|
||||||
|
+ for (emptr = em + 2; emptr < em + 2 + fflen; emptr++)
|
||||||
|
+ *emptr = 0xff;
|
||||||
|
+ *emptr++ = 0x00;
|
||||||
|
+ grub_memcpy (emptr, hash->asnoid, hash->asnlen);
|
||||||
|
+ emptr += hash->asnlen;
|
||||||
|
+ grub_memcpy (emptr, hval, hash->mdlen);
|
||||||
|
+
|
||||||
|
+ ret = gcry_mpi_scan (hmpi, GCRYMPI_FMT_USG, em, emlen, 0);
|
||||||
|
+ grub_free (em);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
diff --git a/include/grub/pkcs1_v15.h b/include/grub/pkcs1_v15.h
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..5c338c84a15
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/include/grub/pkcs1_v15.h
|
||||||
|
@@ -0,0 +1,27 @@
|
||||||
|
+/*
|
||||||
|
+ * GRUB -- GRand Unified Bootloader
|
||||||
|
+ * Copyright (C) 2013 Free Software Foundation, Inc.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is free software: you can redistribute it and/or modify
|
||||||
|
+ * it under the terms of the GNU General Public License as published by
|
||||||
|
+ * the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+ * (at your option) any later version.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is distributed in the hope that it will be useful,
|
||||||
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+ * GNU General Public License for more details.
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU General Public License
|
||||||
|
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Given a hash value 'hval', of hash specification 'hash', perform
|
||||||
|
+ * the EMSA-PKCS1-v1_5 padding suitable for a key with modulus 'mod'
|
||||||
|
+ * (See RFC 8017 s 9.2)
|
||||||
|
+ */
|
||||||
|
+gcry_err_code_t
|
||||||
|
+grub_crypto_rsa_pad (gcry_mpi_t * hmpi, grub_uint8_t * hval,
|
||||||
|
+ const gcry_md_spec_t * hash, gcry_mpi_t mod);
|
||||||
|
+
|
@ -0,0 +1,71 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Fri, 2 Oct 2020 10:49:26 +1000
|
||||||
|
Subject: [PATCH] crypto: move storage for grub_crypto_pk_* to crypto.c
|
||||||
|
|
||||||
|
The way gcry_rsa and friends (the asymmetric ciphers) are loaded for the
|
||||||
|
pgp module is a bit quirky.
|
||||||
|
|
||||||
|
include/grub/crypto.h contains:
|
||||||
|
extern struct gcry_pk_spec *grub_crypto_pk_rsa;
|
||||||
|
|
||||||
|
commands/pgp.c contains the actual storage:
|
||||||
|
struct gcry_pk_spec *grub_crypto_pk_rsa;
|
||||||
|
|
||||||
|
And the module itself saves to the storage in pgp.c:
|
||||||
|
GRUB_MOD_INIT(gcry_rsa)
|
||||||
|
{
|
||||||
|
grub_crypto_pk_rsa = &_gcry_pubkey_spec_rsa;
|
||||||
|
}
|
||||||
|
|
||||||
|
This is annoying: gcry_rsa now has a dependency on pgp!
|
||||||
|
|
||||||
|
We want to be able to bring in gcry_rsa without bringing in PGP,
|
||||||
|
so move the storage to crypto.c.
|
||||||
|
|
||||||
|
Previously, gcry_rsa depended on pgp and mpi. Now it depends on
|
||||||
|
crypto and mpi. As pgp depends on crypto, this doesn't add any new
|
||||||
|
module dependencies using the PGP verfier.
|
||||||
|
|
||||||
|
[FWIW, the story is different for the symmetric ciphers. cryptodisk
|
||||||
|
and friends (zfs encryption etc) use grub_crypto_lookup_cipher_by_name()
|
||||||
|
to get a cipher handle. That depends on grub_ciphers being populated
|
||||||
|
by people calling grub_cipher_register. import_gcry.py ensures that the
|
||||||
|
symmetric ciphers call it.]
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/commands/pgp.c | 4 ----
|
||||||
|
grub-core/lib/crypto.c | 4 ++++
|
||||||
|
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
|
||||||
|
index 2032afa4ec6..4e0667c1cd0 100644
|
||||||
|
--- a/grub-core/commands/pgp.c
|
||||||
|
+++ b/grub-core/commands/pgp.c
|
||||||
|
@@ -147,10 +147,6 @@ const char *hashes[] = {
|
||||||
|
[0x0b] = "sha224"
|
||||||
|
};
|
||||||
|
|
||||||
|
-struct gcry_pk_spec *grub_crypto_pk_dsa;
|
||||||
|
-struct gcry_pk_spec *grub_crypto_pk_ecdsa;
|
||||||
|
-struct gcry_pk_spec *grub_crypto_pk_rsa;
|
||||||
|
-
|
||||||
|
static int
|
||||||
|
dsa_pad (gcry_mpi_t *hmpi, grub_uint8_t *hval,
|
||||||
|
const gcry_md_spec_t *hash, struct grub_public_subkey *sk);
|
||||||
|
diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
|
||||||
|
index e6c78d16d39..ff62fa30e1a 100644
|
||||||
|
--- a/grub-core/lib/crypto.c
|
||||||
|
+++ b/grub-core/lib/crypto.c
|
||||||
|
@@ -121,6 +121,10 @@ grub_md_unregister (gcry_md_spec_t *cipher)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+struct gcry_pk_spec *grub_crypto_pk_dsa;
|
||||||
|
+struct gcry_pk_spec *grub_crypto_pk_ecdsa;
|
||||||
|
+struct gcry_pk_spec *grub_crypto_pk_rsa;
|
||||||
|
+
|
||||||
|
void
|
||||||
|
grub_crypto_hash (const gcry_md_spec_t *hash, void *out, const void *in,
|
||||||
|
grub_size_t inlen)
|
64
0292-posix_wrap-tweaks-in-preparation-for-libtasn1.patch
Normal file
64
0292-posix_wrap-tweaks-in-preparation-for-libtasn1.patch
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Sat, 2 May 2020 00:27:57 +1000
|
||||||
|
Subject: [PATCH] posix_wrap: tweaks in preparation for libtasn1
|
||||||
|
|
||||||
|
- Define SIZEOF_UNSIGNED_LONG_INT, it's the same as
|
||||||
|
SIZEOF_UNSIGNED_LONG.
|
||||||
|
|
||||||
|
- Define WORD_BIT, the size in bits of an int. This is a defined
|
||||||
|
in the Single Unix Specification and in gnulib's limits.h. gnulib
|
||||||
|
assumes it's 32 bits on all our platforms, including 64 bit
|
||||||
|
platforms, so we also use that value.
|
||||||
|
|
||||||
|
- Provide strto[u]l[l] preprocessor macros that resolve to
|
||||||
|
grub_strto[u]l[l]. To avoid gcrypt redefining strtoul, we
|
||||||
|
also define HAVE_STRTOUL here.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/lib/posix_wrap/limits.h | 1 +
|
||||||
|
grub-core/lib/posix_wrap/stdlib.h | 8 ++++++++
|
||||||
|
grub-core/lib/posix_wrap/sys/types.h | 1 +
|
||||||
|
3 files changed, 10 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/grub-core/lib/posix_wrap/limits.h b/grub-core/lib/posix_wrap/limits.h
|
||||||
|
index 7217138ffd6..591dbf3289d 100644
|
||||||
|
--- a/grub-core/lib/posix_wrap/limits.h
|
||||||
|
+++ b/grub-core/lib/posix_wrap/limits.h
|
||||||
|
@@ -37,5 +37,6 @@
|
||||||
|
#define LONG_MAX GRUB_LONG_MAX
|
||||||
|
|
||||||
|
#define CHAR_BIT 8
|
||||||
|
+#define WORD_BIT 32
|
||||||
|
|
||||||
|
#endif
|
||||||
|
diff --git a/grub-core/lib/posix_wrap/stdlib.h b/grub-core/lib/posix_wrap/stdlib.h
|
||||||
|
index 7a8d385e973..4634db09f29 100644
|
||||||
|
--- a/grub-core/lib/posix_wrap/stdlib.h
|
||||||
|
+++ b/grub-core/lib/posix_wrap/stdlib.h
|
||||||
|
@@ -58,4 +58,12 @@ abs (int c)
|
||||||
|
return (c >= 0) ? c : -c;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#define strtol grub_strtol
|
||||||
|
+
|
||||||
|
+/* for libgcrypt */
|
||||||
|
+#define HAVE_STRTOUL
|
||||||
|
+#define strtoul grub_strtoul
|
||||||
|
+
|
||||||
|
+#define strtoull grub_strtoull
|
||||||
|
+
|
||||||
|
#endif
|
||||||
|
diff --git a/grub-core/lib/posix_wrap/sys/types.h b/grub-core/lib/posix_wrap/sys/types.h
|
||||||
|
index 854eb0122ef..f63412c8da0 100644
|
||||||
|
--- a/grub-core/lib/posix_wrap/sys/types.h
|
||||||
|
+++ b/grub-core/lib/posix_wrap/sys/types.h
|
||||||
|
@@ -51,6 +51,7 @@ typedef grub_uint8_t byte;
|
||||||
|
typedef grub_addr_t uintptr_t;
|
||||||
|
|
||||||
|
#define SIZEOF_UNSIGNED_LONG GRUB_CPU_SIZEOF_LONG
|
||||||
|
+#define SIZEOF_UNSIGNED_LONG_INT GRUB_CPU_SIZEOF_LONG
|
||||||
|
#define SIZEOF_UNSIGNED_INT 4
|
||||||
|
#define SIZEOF_UNSIGNED_LONG_LONG 8
|
||||||
|
#define SIZEOF_UNSIGNED_SHORT 2
|
8934
0293-libtasn1-import-libtasn1-4.16.0.patch
Normal file
8934
0293-libtasn1-import-libtasn1-4.16.0.patch
Normal file
File diff suppressed because it is too large
Load Diff
307
0294-libtasn1-disable-code-not-needed-in-grub.patch
Normal file
307
0294-libtasn1-disable-code-not-needed-in-grub.patch
Normal file
@ -0,0 +1,307 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Fri, 1 May 2020 17:12:23 +1000
|
||||||
|
Subject: [PATCH] libtasn1: disable code not needed in grub
|
||||||
|
|
||||||
|
We don't expect to be able to write ASN.1, only read it,
|
||||||
|
so we can disable some code.
|
||||||
|
|
||||||
|
Do that with #if 0/#endif, rather than deletion. This means
|
||||||
|
that the difference between upstream and grub is smaller,
|
||||||
|
which should make updating libtasn1 easier in the future.
|
||||||
|
|
||||||
|
With these exclusions we also avoid the need for minmax.h,
|
||||||
|
which is convenient because it means we don't have to
|
||||||
|
import it from gnulib.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/lib/libtasn1/lib/coding.c | 12 ++++++++++--
|
||||||
|
grub-core/lib/libtasn1/lib/decoding.c | 2 ++
|
||||||
|
grub-core/lib/libtasn1/lib/element.c | 4 ++--
|
||||||
|
grub-core/lib/libtasn1/lib/errors.c | 3 +++
|
||||||
|
grub-core/lib/libtasn1/lib/structure.c | 10 ++++++----
|
||||||
|
include/grub/libtasn1.h | 15 +++++++++++++++
|
||||||
|
6 files changed, 38 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/lib/libtasn1/lib/coding.c b/grub-core/lib/libtasn1/lib/coding.c
|
||||||
|
index 245ea64cf0a..52def598368 100644
|
||||||
|
--- a/grub-core/lib/libtasn1/lib/coding.c
|
||||||
|
+++ b/grub-core/lib/libtasn1/lib/coding.c
|
||||||
|
@@ -30,11 +30,11 @@
|
||||||
|
#include "parser_aux.h"
|
||||||
|
#include <gstr.h>
|
||||||
|
#include "element.h"
|
||||||
|
-#include "minmax.h"
|
||||||
|
#include <structure.h>
|
||||||
|
|
||||||
|
#define MAX_TAG_LEN 16
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
/******************************************************/
|
||||||
|
/* Function : _asn1_error_description_value_not_found */
|
||||||
|
/* Description: creates the ErrorDescription string */
|
||||||
|
@@ -58,6 +58,7 @@ _asn1_error_description_value_not_found (asn1_node node,
|
||||||
|
Estrcat (ErrorDescription, "' not found");
|
||||||
|
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* asn1_length_der:
|
||||||
|
@@ -244,6 +245,7 @@ asn1_encode_simple_der (unsigned int etype, const unsigned char *str,
|
||||||
|
return ASN1_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
/******************************************************/
|
||||||
|
/* Function : _asn1_time_der */
|
||||||
|
/* Description: creates the DER coding for a TIME */
|
||||||
|
@@ -281,7 +283,7 @@ _asn1_time_der (unsigned char *str, int str_len, unsigned char *der,
|
||||||
|
|
||||||
|
return ASN1_SUCCESS;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
void
|
||||||
|
@@ -520,6 +522,7 @@ asn1_bit_der (const unsigned char *str, int bit_len,
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
/******************************************************/
|
||||||
|
/* Function : _asn1_complete_explicit_tag */
|
||||||
|
/* Description: add the length coding to the EXPLICIT */
|
||||||
|
@@ -596,6 +599,7 @@ _asn1_complete_explicit_tag (asn1_node node, unsigned char *der,
|
||||||
|
|
||||||
|
return ASN1_SUCCESS;
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
const tag_and_class_st _asn1_tags[] = {
|
||||||
|
[ASN1_ETYPE_GENERALSTRING] =
|
||||||
|
@@ -648,6 +652,8 @@ const tag_and_class_st _asn1_tags[] = {
|
||||||
|
|
||||||
|
unsigned int _asn1_tags_size = sizeof (_asn1_tags) / sizeof (_asn1_tags[0]);
|
||||||
|
|
||||||
|
+
|
||||||
|
+#if 0
|
||||||
|
/******************************************************/
|
||||||
|
/* Function : _asn1_insert_tag_der */
|
||||||
|
/* Description: creates the DER coding of tags of one */
|
||||||
|
@@ -1413,3 +1419,5 @@ error:
|
||||||
|
asn1_delete_structure (&node);
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+#endif
|
||||||
|
\ No newline at end of file
|
||||||
|
diff --git a/grub-core/lib/libtasn1/lib/decoding.c b/grub-core/lib/libtasn1/lib/decoding.c
|
||||||
|
index ff04eb778cb..42f9a92b5d4 100644
|
||||||
|
--- a/grub-core/lib/libtasn1/lib/decoding.c
|
||||||
|
+++ b/grub-core/lib/libtasn1/lib/decoding.c
|
||||||
|
@@ -1613,6 +1613,7 @@ asn1_der_decoding (asn1_node * element, const void *ider, int ider_len,
|
||||||
|
return asn1_der_decoding2 (element, ider, &ider_len, 0, errorDescription);
|
||||||
|
}
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
/**
|
||||||
|
* asn1_der_decoding_element:
|
||||||
|
* @structure: pointer to an ASN1 structure
|
||||||
|
@@ -1643,6 +1644,7 @@ asn1_der_decoding_element (asn1_node * structure, const char *elementName,
|
||||||
|
{
|
||||||
|
return asn1_der_decoding(structure, ider, len, errorDescription);
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* asn1_der_decoding_startEnd:
|
||||||
|
diff --git a/grub-core/lib/libtasn1/lib/element.c b/grub-core/lib/libtasn1/lib/element.c
|
||||||
|
index 997eb2725dc..539008d8e94 100644
|
||||||
|
--- a/grub-core/lib/libtasn1/lib/element.c
|
||||||
|
+++ b/grub-core/lib/libtasn1/lib/element.c
|
||||||
|
@@ -191,7 +191,7 @@ _asn1_append_sequence_set (asn1_node node, struct node_tail_cache_st *pcache)
|
||||||
|
return ASN1_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
-
|
||||||
|
+#if 0
|
||||||
|
/**
|
||||||
|
* asn1_write_value:
|
||||||
|
* @node_root: pointer to a structure
|
||||||
|
@@ -645,7 +645,7 @@ asn1_write_value (asn1_node node_root, const char *name,
|
||||||
|
|
||||||
|
return ASN1_SUCCESS;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
#define PUT_VALUE( ptr, ptr_size, data, data_size) \
|
||||||
|
*len = data_size; \
|
||||||
|
diff --git a/grub-core/lib/libtasn1/lib/errors.c b/grub-core/lib/libtasn1/lib/errors.c
|
||||||
|
index cee74daf795..42785e8622b 100644
|
||||||
|
--- a/grub-core/lib/libtasn1/lib/errors.c
|
||||||
|
+++ b/grub-core/lib/libtasn1/lib/errors.c
|
||||||
|
@@ -57,6 +57,8 @@ static const libtasn1_error_entry error_algorithms[] = {
|
||||||
|
{0, 0}
|
||||||
|
};
|
||||||
|
|
||||||
|
+
|
||||||
|
+#if 0
|
||||||
|
/**
|
||||||
|
* asn1_perror:
|
||||||
|
* @error: is an error returned by a libtasn1 function.
|
||||||
|
@@ -73,6 +75,7 @@ asn1_perror (int error)
|
||||||
|
const char *str = asn1_strerror (error);
|
||||||
|
fprintf (stderr, "LIBTASN1 ERROR: %s\n", str ? str : "(null)");
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* asn1_strerror:
|
||||||
|
diff --git a/grub-core/lib/libtasn1/lib/structure.c b/grub-core/lib/libtasn1/lib/structure.c
|
||||||
|
index 8189c56a4c9..fcfde01a393 100644
|
||||||
|
--- a/grub-core/lib/libtasn1/lib/structure.c
|
||||||
|
+++ b/grub-core/lib/libtasn1/lib/structure.c
|
||||||
|
@@ -76,7 +76,7 @@ _asn1_find_left (asn1_node_const node)
|
||||||
|
return node->left;
|
||||||
|
}
|
||||||
|
|
||||||
|
-
|
||||||
|
+#if 0
|
||||||
|
int
|
||||||
|
_asn1_create_static_structure (asn1_node_const pointer, char *output_file_name,
|
||||||
|
char *vector_name)
|
||||||
|
@@ -155,7 +155,7 @@ _asn1_create_static_structure (asn1_node_const pointer, char *output_file_name,
|
||||||
|
|
||||||
|
return ASN1_SUCCESS;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* asn1_array2tree:
|
||||||
|
@@ -718,7 +718,7 @@ asn1_create_element (asn1_node_const definitions, const char *source_name,
|
||||||
|
return res;
|
||||||
|
}
|
||||||
|
|
||||||
|
-
|
||||||
|
+#if 0
|
||||||
|
/**
|
||||||
|
* asn1_print_structure:
|
||||||
|
* @out: pointer to the output file (e.g. stdout).
|
||||||
|
@@ -1058,7 +1058,7 @@ asn1_print_structure (FILE * out, asn1_node_const structure, const char *name,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
@@ -1153,6 +1153,7 @@ asn1_find_structure_from_oid (asn1_node_const definitions, const char *oidValue)
|
||||||
|
return NULL; /* ASN1_ELEMENT_NOT_FOUND; */
|
||||||
|
}
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
/**
|
||||||
|
* asn1_copy_node:
|
||||||
|
* @dst: Destination asn1 node.
|
||||||
|
@@ -1202,6 +1203,7 @@ asn1_copy_node (asn1_node dst, const char *dst_name,
|
||||||
|
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* asn1_dup_node:
|
||||||
|
diff --git a/include/grub/libtasn1.h b/include/grub/libtasn1.h
|
||||||
|
index 6fd7a30dc35..785eda2ae3f 100644
|
||||||
|
--- a/include/grub/libtasn1.h
|
||||||
|
+++ b/include/grub/libtasn1.h
|
||||||
|
@@ -319,6 +319,8 @@ typedef struct asn1_data_node_st asn1_data_node_st;
|
||||||
|
/* Functions definitions */
|
||||||
|
/***********************************/
|
||||||
|
|
||||||
|
+/* These functions are not used in grub and should not be referenced. */
|
||||||
|
+#if 0
|
||||||
|
extern ASN1_API int
|
||||||
|
asn1_parser2tree (const char *file,
|
||||||
|
asn1_node * definitions, char *error_desc);
|
||||||
|
@@ -327,14 +329,17 @@ extern ASN1_API int
|
||||||
|
asn1_parser2array (const char *inputFileName,
|
||||||
|
const char *outputFileName,
|
||||||
|
const char *vectorName, char *error_desc);
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
extern ASN1_API int
|
||||||
|
asn1_array2tree (const asn1_static_node * array,
|
||||||
|
asn1_node * definitions, char *errorDescription);
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
extern ASN1_API void
|
||||||
|
asn1_print_structure (FILE * out, asn1_node_const structure,
|
||||||
|
const char *name, int mode);
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
extern ASN1_API int
|
||||||
|
asn1_create_element (asn1_node_const definitions,
|
||||||
|
@@ -347,9 +352,11 @@ extern ASN1_API int asn1_delete_structure2 (asn1_node * structure, unsigned int
|
||||||
|
extern ASN1_API int
|
||||||
|
asn1_delete_element (asn1_node structure, const char *element_name);
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
extern ASN1_API int
|
||||||
|
asn1_write_value (asn1_node node_root, const char *name,
|
||||||
|
const void *ivalue, int len);
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
extern ASN1_API int
|
||||||
|
asn1_read_value (asn1_node_const root, const char *name,
|
||||||
|
@@ -365,9 +372,11 @@ extern ASN1_API int
|
||||||
|
extern ASN1_API int
|
||||||
|
asn1_number_of_elements (asn1_node_const element, const char *name, int *num);
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
extern ASN1_API int
|
||||||
|
asn1_der_coding (asn1_node_const element, const char *name,
|
||||||
|
void *ider, int *len, char *ErrorDescription);
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
extern ASN1_API int
|
||||||
|
asn1_der_decoding2 (asn1_node *element, const void *ider,
|
||||||
|
@@ -378,12 +387,14 @@ extern ASN1_API int
|
||||||
|
asn1_der_decoding (asn1_node * element, const void *ider,
|
||||||
|
int ider_len, char *errorDescription);
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
/* Do not use. Use asn1_der_decoding() instead. */
|
||||||
|
extern ASN1_API int
|
||||||
|
asn1_der_decoding_element (asn1_node * structure,
|
||||||
|
const char *elementName,
|
||||||
|
const void *ider, int len,
|
||||||
|
char *errorDescription) _ASN1_GCC_ATTR_DEPRECATED;
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
extern ASN1_API int
|
||||||
|
asn1_der_decoding_startEnd (asn1_node element,
|
||||||
|
@@ -408,13 +419,17 @@ extern ASN1_API const char *asn1_find_structure_from_oid (asn1_node_const
|
||||||
|
const char
|
||||||
|
*oidValue);
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
__LIBTASN1_PURE__
|
||||||
|
extern ASN1_API const char *asn1_check_version (const char *req_version);
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
__LIBTASN1_PURE__
|
||||||
|
extern ASN1_API const char *asn1_strerror (int error);
|
||||||
|
|
||||||
|
+#if 0
|
||||||
|
extern ASN1_API void asn1_perror (int error);
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
#define ASN1_MAX_TAG_SIZE 4
|
||||||
|
#define ASN1_MAX_LENGTH_SIZE 9
|
202
0295-libtasn1-changes-for-grub-compatibility.patch
Normal file
202
0295-libtasn1-changes-for-grub-compatibility.patch
Normal file
@ -0,0 +1,202 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Fri, 1 May 2020 20:44:29 +1000
|
||||||
|
Subject: [PATCH] libtasn1: changes for grub compatibility
|
||||||
|
|
||||||
|
Do a few things to make libtasn1 compile as part of grub:
|
||||||
|
|
||||||
|
- replace strcat. grub removed strcat so replace it with the appropriate
|
||||||
|
calls to memcpy and strlen.
|
||||||
|
|
||||||
|
- replace c_isdigit with grub_isdigit (and don't import c-ctype from
|
||||||
|
gnulib) grub_isdigit provides the same functionality as c_isdigit: it
|
||||||
|
determines if the input is an ASCII digit without regard for locale.
|
||||||
|
|
||||||
|
- replace GL_ATTRIBUTE_PURE with __attribute__((pure)) which been
|
||||||
|
supported since gcc-2.96. This avoids messing around with gnulib.
|
||||||
|
|
||||||
|
- adjust libtasn1.h: drop the ASN1_API logic, it's not needed for our
|
||||||
|
modules. Unconditionally support const and pure attributes and adjust
|
||||||
|
header paths.
|
||||||
|
|
||||||
|
- adjust header paths to "grub/libtasn1.h".
|
||||||
|
|
||||||
|
- replace a 64 bit division with a call to grub_divmod64, preventing
|
||||||
|
creation of __udivdi3 calls on 32 bit platforms.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/lib/libtasn1/lib/decoding.c | 11 ++++++-----
|
||||||
|
grub-core/lib/libtasn1/lib/element.c | 3 ++-
|
||||||
|
grub-core/lib/libtasn1/lib/gstr.c | 4 ++--
|
||||||
|
grub-core/lib/libtasn1/lib/parser_aux.c | 7 ++++---
|
||||||
|
grub-core/lib/libtasn1/lib/int.h | 4 ++--
|
||||||
|
include/grub/libtasn1.h | 26 ++++++--------------------
|
||||||
|
6 files changed, 22 insertions(+), 33 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/lib/libtasn1/lib/decoding.c b/grub-core/lib/libtasn1/lib/decoding.c
|
||||||
|
index 42f9a92b5d4..7856858b272 100644
|
||||||
|
--- a/grub-core/lib/libtasn1/lib/decoding.c
|
||||||
|
+++ b/grub-core/lib/libtasn1/lib/decoding.c
|
||||||
|
@@ -32,7 +32,8 @@
|
||||||
|
#include <element.h>
|
||||||
|
#include <limits.h>
|
||||||
|
#include <intprops.h>
|
||||||
|
-#include <c-ctype.h>
|
||||||
|
+
|
||||||
|
+#define c_isdigit grub_isdigit
|
||||||
|
|
||||||
|
#ifdef DEBUG
|
||||||
|
# define warn() fprintf(stderr, "%s: %d\n", __func__, __LINE__)
|
||||||
|
@@ -2008,8 +2009,8 @@ asn1_expand_octet_string (asn1_node_const definitions, asn1_node * element,
|
||||||
|
(p2->type & CONST_ASSIGN))
|
||||||
|
{
|
||||||
|
strcpy (name, definitions->name);
|
||||||
|
- strcat (name, ".");
|
||||||
|
- strcat (name, p2->name);
|
||||||
|
+ memcpy (name + strlen(name), ".", sizeof(" . "));
|
||||||
|
+ memcpy (name + strlen(name), p2->name, strlen(p2->name) + 1);
|
||||||
|
|
||||||
|
len = sizeof (value);
|
||||||
|
result = asn1_read_value (definitions, name, value, &len);
|
||||||
|
@@ -2026,8 +2027,8 @@ asn1_expand_octet_string (asn1_node_const definitions, asn1_node * element,
|
||||||
|
if (p2)
|
||||||
|
{
|
||||||
|
strcpy (name, definitions->name);
|
||||||
|
- strcat (name, ".");
|
||||||
|
- strcat (name, p2->name);
|
||||||
|
+ memcpy (name + strlen(name), ".", sizeof(" . "));
|
||||||
|
+ memcpy (name + strlen(name), p2->name, strlen(p2->name) + 1);
|
||||||
|
|
||||||
|
result = asn1_create_element (definitions, name, &aux);
|
||||||
|
if (result == ASN1_SUCCESS)
|
||||||
|
diff --git a/grub-core/lib/libtasn1/lib/element.c b/grub-core/lib/libtasn1/lib/element.c
|
||||||
|
index 539008d8e94..ed761ff56bd 100644
|
||||||
|
--- a/grub-core/lib/libtasn1/lib/element.c
|
||||||
|
+++ b/grub-core/lib/libtasn1/lib/element.c
|
||||||
|
@@ -30,9 +30,10 @@
|
||||||
|
#include "parser_aux.h"
|
||||||
|
#include <gstr.h>
|
||||||
|
#include "structure.h"
|
||||||
|
-#include "c-ctype.h"
|
||||||
|
#include "element.h"
|
||||||
|
|
||||||
|
+#define c_isdigit grub_isdigit
|
||||||
|
+
|
||||||
|
void
|
||||||
|
_asn1_hierarchical_name (asn1_node_const node, char *name, int name_size)
|
||||||
|
{
|
||||||
|
diff --git a/grub-core/lib/libtasn1/lib/gstr.c b/grub-core/lib/libtasn1/lib/gstr.c
|
||||||
|
index e91a3a151c0..e33875c2c7c 100644
|
||||||
|
--- a/grub-core/lib/libtasn1/lib/gstr.c
|
||||||
|
+++ b/grub-core/lib/libtasn1/lib/gstr.c
|
||||||
|
@@ -36,13 +36,13 @@ _asn1_str_cat (char *dest, size_t dest_tot_size, const char *src)
|
||||||
|
|
||||||
|
if (dest_tot_size - dest_size > str_size)
|
||||||
|
{
|
||||||
|
- strcat (dest, src);
|
||||||
|
+ memcpy (dest + dest_size, src, str_size + 1);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
if (dest_tot_size - dest_size > 0)
|
||||||
|
{
|
||||||
|
- strncat (dest, src, (dest_tot_size - dest_size) - 1);
|
||||||
|
+ memcpy (dest + dest_size, src, (dest_tot_size - dest_size) - 1);
|
||||||
|
dest[dest_tot_size - 1] = 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
diff --git a/grub-core/lib/libtasn1/lib/parser_aux.c b/grub-core/lib/libtasn1/lib/parser_aux.c
|
||||||
|
index d5dbbf8765d..89c9be69dc2 100644
|
||||||
|
--- a/grub-core/lib/libtasn1/lib/parser_aux.c
|
||||||
|
+++ b/grub-core/lib/libtasn1/lib/parser_aux.c
|
||||||
|
@@ -26,7 +26,8 @@
|
||||||
|
#include "gstr.h"
|
||||||
|
#include "structure.h"
|
||||||
|
#include "element.h"
|
||||||
|
-#include "c-ctype.h"
|
||||||
|
+
|
||||||
|
+#define c_isdigit grub_isdigit
|
||||||
|
|
||||||
|
char _asn1_identifierMissing[ASN1_MAX_NAME_SIZE + 1]; /* identifier name not found */
|
||||||
|
|
||||||
|
@@ -40,7 +41,7 @@ char _asn1_identifierMissing[ASN1_MAX_NAME_SIZE + 1]; /* identifier name not fou
|
||||||
|
#ifdef __clang__
|
||||||
|
__attribute__((no_sanitize("integer")))
|
||||||
|
#endif
|
||||||
|
-_GL_ATTRIBUTE_PURE
|
||||||
|
+__attribute__((__pure__))
|
||||||
|
static unsigned int
|
||||||
|
_asn1_hash_name (const char *x)
|
||||||
|
{
|
||||||
|
@@ -634,7 +635,7 @@ _asn1_ltostr (int64_t v, char str[LTOSTR_MAX_SIZE])
|
||||||
|
count = 0;
|
||||||
|
do
|
||||||
|
{
|
||||||
|
- d = val / 10;
|
||||||
|
+ d = grub_divmod64(val, 10, NULL);
|
||||||
|
r = val - d * 10;
|
||||||
|
temp[start + count] = '0' + (char) r;
|
||||||
|
count++;
|
||||||
|
diff --git a/grub-core/lib/libtasn1/lib/int.h b/grub-core/lib/libtasn1/lib/int.h
|
||||||
|
index ea1625786c1..4a568efee9c 100644
|
||||||
|
--- a/grub-core/lib/libtasn1/lib/int.h
|
||||||
|
+++ b/grub-core/lib/libtasn1/lib/int.h
|
||||||
|
@@ -35,7 +35,7 @@
|
||||||
|
#include <sys/types.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-#include <libtasn1.h>
|
||||||
|
+#include "grub/libtasn1.h"
|
||||||
|
|
||||||
|
#define ASN1_SMALL_VALUE_SIZE 16
|
||||||
|
|
||||||
|
@@ -115,7 +115,7 @@ extern const tag_and_class_st _asn1_tags[];
|
||||||
|
#define _asn1_strtoul(n,e,b) strtoul((const char *) n, e, b)
|
||||||
|
#define _asn1_strcmp(a,b) strcmp((const char *)a, (const char *)b)
|
||||||
|
#define _asn1_strcpy(a,b) strcpy((char *)a, (const char *)b)
|
||||||
|
-#define _asn1_strcat(a,b) strcat((char *)a, (const char *)b)
|
||||||
|
+#define _asn1_strcat(a,b) memcpy((char *)a + strlen((const char *)a), (const char *)b, strlen((const char *)b) + 1)
|
||||||
|
|
||||||
|
#if SIZEOF_UNSIGNED_LONG_INT == 8
|
||||||
|
# define _asn1_strtou64(n,e,b) strtoul((const char *) n, e, b)
|
||||||
|
diff --git a/include/grub/libtasn1.h b/include/grub/libtasn1.h
|
||||||
|
index 785eda2ae3f..28dbf16c4e0 100644
|
||||||
|
--- a/include/grub/libtasn1.h
|
||||||
|
+++ b/include/grub/libtasn1.h
|
||||||
|
@@ -38,29 +38,15 @@
|
||||||
|
#ifndef LIBTASN1_H
|
||||||
|
#define LIBTASN1_H
|
||||||
|
|
||||||
|
-#ifndef ASN1_API
|
||||||
|
-#if defined ASN1_BUILDING && defined HAVE_VISIBILITY && HAVE_VISIBILITY
|
||||||
|
-#define ASN1_API __attribute__((__visibility__("default")))
|
||||||
|
-#elif defined ASN1_BUILDING && defined _MSC_VER && ! defined ASN1_STATIC
|
||||||
|
-#define ASN1_API __declspec(dllexport)
|
||||||
|
-#elif defined _MSC_VER && ! defined ASN1_STATIC
|
||||||
|
-#define ASN1_API __declspec(dllimport)
|
||||||
|
-#else
|
||||||
|
+/* grub: ASN1_API is not used */
|
||||||
|
#define ASN1_API
|
||||||
|
-#endif
|
||||||
|
-#endif
|
||||||
|
|
||||||
|
-#ifdef __GNUC__
|
||||||
|
-# define __LIBTASN1_CONST__ __attribute__((const))
|
||||||
|
-# define __LIBTASN1_PURE__ __attribute__((pure))
|
||||||
|
-#else
|
||||||
|
-# define __LIBTASN1_CONST__
|
||||||
|
-# define __LIBTASN1_PURE__
|
||||||
|
-#endif
|
||||||
|
+/* grub: all our supported compilers support these attributes */
|
||||||
|
+#define __LIBTASN1_CONST__ __attribute__((const))
|
||||||
|
+#define __LIBTASN1_PURE__ __attribute__((pure))
|
||||||
|
|
||||||
|
-#include <sys/types.h>
|
||||||
|
-#include <time.h>
|
||||||
|
-#include <stdio.h> /* for FILE* */
|
||||||
|
+#include <grub/types.h>
|
||||||
|
+#include <grub/time.h>
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C"
|
70
0296-libtasn1-compile-into-asn1-module.patch
Normal file
70
0296-libtasn1-compile-into-asn1-module.patch
Normal file
@ -0,0 +1,70 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Fri, 5 Jun 2020 17:47:25 +1000
|
||||||
|
Subject: [PATCH] libtasn1: compile into asn1 module
|
||||||
|
|
||||||
|
Create a wrapper file that specifies the module license.
|
||||||
|
Set up the makefile so it is built.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/Makefile.core.def | 15 +++++++++++++++
|
||||||
|
grub-core/lib/libtasn1_wrap/wrap.c | 26 ++++++++++++++++++++++++++
|
||||||
|
2 files changed, 41 insertions(+)
|
||||||
|
create mode 100644 grub-core/lib/libtasn1_wrap/wrap.c
|
||||||
|
|
||||||
|
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||||
|
index 58bf113e7c1..a9f589a7b99 100644
|
||||||
|
--- a/grub-core/Makefile.core.def
|
||||||
|
+++ b/grub-core/Makefile.core.def
|
||||||
|
@@ -2554,3 +2554,18 @@ module = {
|
||||||
|
common = commands/i386/wrmsr.c;
|
||||||
|
enable = x86;
|
||||||
|
};
|
||||||
|
+
|
||||||
|
+module = {
|
||||||
|
+ name = asn1;
|
||||||
|
+ common = lib/libtasn1/lib/decoding.c;
|
||||||
|
+ common = lib/libtasn1/lib/coding.c;
|
||||||
|
+ common = lib/libtasn1/lib/element.c;
|
||||||
|
+ common = lib/libtasn1/lib/structure.c;
|
||||||
|
+ common = lib/libtasn1/lib/parser_aux.c;
|
||||||
|
+ common = lib/libtasn1/lib/gstr.c;
|
||||||
|
+ common = lib/libtasn1/lib/errors.c;
|
||||||
|
+ common = lib/libtasn1_wrap/wrap.c;
|
||||||
|
+ cflags = '$(CFLAGS_POSIX) $(CFLAGS_GNULIB)';
|
||||||
|
+ // -Wno-type-limits comes from libtasn1's configure.ac
|
||||||
|
+ cppflags = '$(CPPFLAGS_POSIX) $(CPPFLAGS_GNULIB) -I$(srcdir)/lib/libtasn1/lib -Wno-type-limits';
|
||||||
|
+};
|
||||||
|
diff --git a/grub-core/lib/libtasn1_wrap/wrap.c b/grub-core/lib/libtasn1_wrap/wrap.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..622ba942e33
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/grub-core/lib/libtasn1_wrap/wrap.c
|
||||||
|
@@ -0,0 +1,26 @@
|
||||||
|
+/*
|
||||||
|
+ * GRUB -- GRand Unified Bootloader
|
||||||
|
+ * Copyright (C) 2020 IBM Corporation
|
||||||
|
+ *
|
||||||
|
+ * GRUB is free software: you can redistribute it and/or modify
|
||||||
|
+ * it under the terms of the GNU General Public License as published by
|
||||||
|
+ * the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+ * (at your option) any later version.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is distributed in the hope that it will be useful,
|
||||||
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+ * GNU General Public License for more details.
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU General Public License
|
||||||
|
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include <grub/dl.h>
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * libtasn1 is provided under LGPL2.1+, which is compatible
|
||||||
|
+ * with GPL3+. As Grub as a whole is under GPL3+, this module
|
||||||
|
+ * is therefore under GPL3+ also.
|
||||||
|
+ */
|
||||||
|
+GRUB_MOD_LICENSE ("GPLv3+");
|
1455
0297-test_asn1-test-module-for-libtasn1.patch
Normal file
1455
0297-test_asn1-test-module-for-libtasn1.patch
Normal file
File diff suppressed because one or more lines are too long
255
0298-grub-install-support-embedding-x509-certificates.patch
Normal file
255
0298-grub-install-support-embedding-x509-certificates.patch
Normal file
@ -0,0 +1,255 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alastair D'Silva <alastair@d-silva.org>
|
||||||
|
Date: Mon, 6 Jul 2020 13:33:04 +1000
|
||||||
|
Subject: [PATCH] grub-install: support embedding x509 certificates
|
||||||
|
|
||||||
|
To support verification of appended signatures, we need a way to
|
||||||
|
embed the necessary public keys. Existing appended signature schemes
|
||||||
|
in the Linux kernel use X.509 certificates, so allow certificates to
|
||||||
|
be embedded in the grub core image in the same way as PGP keys.
|
||||||
|
|
||||||
|
Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/commands/pgp.c | 2 +-
|
||||||
|
util/grub-install-common.c | 23 ++++++++++++++++++++++-
|
||||||
|
util/grub-mkimage.c | 15 +++++++++++++--
|
||||||
|
util/mkimage.c | 41 ++++++++++++++++++++++++++++++++++++++---
|
||||||
|
include/grub/kernel.h | 3 ++-
|
||||||
|
include/grub/util/install.h | 7 +++++--
|
||||||
|
6 files changed, 81 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
|
||||||
|
index 4e0667c1cd0..3cd31f50b5b 100644
|
||||||
|
--- a/grub-core/commands/pgp.c
|
||||||
|
+++ b/grub-core/commands/pgp.c
|
||||||
|
@@ -944,7 +944,7 @@ GRUB_MOD_INIT(pgp)
|
||||||
|
grub_memset (&pseudo_file, 0, sizeof (pseudo_file));
|
||||||
|
|
||||||
|
/* Not an ELF module, skip. */
|
||||||
|
- if (header->type != OBJ_TYPE_PUBKEY)
|
||||||
|
+ if (header->type != OBJ_TYPE_GPG_PUBKEY)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
pseudo_file.fs = &pseudo_fs;
|
||||||
|
diff --git a/util/grub-install-common.c b/util/grub-install-common.c
|
||||||
|
index e2be0a3e305..65cde2fa2f0 100644
|
||||||
|
--- a/util/grub-install-common.c
|
||||||
|
+++ b/util/grub-install-common.c
|
||||||
|
@@ -307,6 +307,8 @@ handle_install_list (struct install_list *il, const char *val,
|
||||||
|
|
||||||
|
static char **pubkeys;
|
||||||
|
static size_t npubkeys;
|
||||||
|
+static char **x509keys;
|
||||||
|
+static size_t nx509keys;
|
||||||
|
static grub_compression_t compression;
|
||||||
|
static size_t appsig_size;
|
||||||
|
|
||||||
|
@@ -339,6 +341,12 @@ grub_install_parse (int key, char *arg)
|
||||||
|
* (npubkeys + 1));
|
||||||
|
pubkeys[npubkeys++] = xstrdup (arg);
|
||||||
|
return 1;
|
||||||
|
+ case 'x':
|
||||||
|
+ x509keys = xrealloc (x509keys,
|
||||||
|
+ sizeof (x509keys[0])
|
||||||
|
+ * (nx509keys + 1));
|
||||||
|
+ x509keys[nx509keys++] = xstrdup (arg);
|
||||||
|
+ return 1;
|
||||||
|
|
||||||
|
case GRUB_INSTALL_OPTIONS_VERBOSITY:
|
||||||
|
verbosity++;
|
||||||
|
@@ -465,6 +473,9 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
|
||||||
|
for (pk = pubkeys; pk < pubkeys + npubkeys; pk++)
|
||||||
|
slen += 20 + grub_strlen (*pk);
|
||||||
|
|
||||||
|
+ for (pk = x509keys; pk < x509keys + nx509keys; pk++)
|
||||||
|
+ slen += 10 + grub_strlen (*pk);
|
||||||
|
+
|
||||||
|
for (md = modules.entries; *md; md++)
|
||||||
|
{
|
||||||
|
slen += 10 + grub_strlen (*md);
|
||||||
|
@@ -493,6 +504,14 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
|
||||||
|
*p++ = ' ';
|
||||||
|
}
|
||||||
|
|
||||||
|
+ for (pk = x509keys; pk < x509keys + nx509keys; pk++)
|
||||||
|
+ {
|
||||||
|
+ p = grub_stpcpy (p, "--x509 '");
|
||||||
|
+ p = grub_stpcpy (p, *pk);
|
||||||
|
+ *p++ = '\'';
|
||||||
|
+ *p++ = ' ';
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
for (md = modules.entries; *md; md++)
|
||||||
|
{
|
||||||
|
*p++ = '\'';
|
||||||
|
@@ -520,7 +539,9 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
|
||||||
|
|
||||||
|
grub_install_generate_image (dir, prefix, fp, outname,
|
||||||
|
modules.entries, memdisk_path,
|
||||||
|
- pubkeys, npubkeys, config_path, tgt,
|
||||||
|
+ pubkeys, npubkeys,
|
||||||
|
+ x509keys, nx509keys,
|
||||||
|
+ config_path, tgt,
|
||||||
|
note, appsig_size, compression, dtb);
|
||||||
|
while (dc--)
|
||||||
|
grub_install_pop_module ();
|
||||||
|
diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
|
||||||
|
index c1e07c70dc7..6034c51ece4 100644
|
||||||
|
--- a/util/grub-mkimage.c
|
||||||
|
+++ b/util/grub-mkimage.c
|
||||||
|
@@ -75,7 +75,8 @@ static struct argp_option options[] = {
|
||||||
|
/* TRANSLATORS: "embed" is a verb (command description). "*/
|
||||||
|
{"config", 'c', N_("FILE"), 0, N_("embed FILE as an early config"), 0},
|
||||||
|
/* TRANSLATORS: "embed" is a verb (command description). "*/
|
||||||
|
- {"pubkey", 'k', N_("FILE"), 0, N_("embed FILE as public key for signature checking"), 0},
|
||||||
|
+ {"pubkey", 'k', N_("FILE"), 0, N_("embed FILE as public key for PGP signature checking"), 0},
|
||||||
|
+ {"x509", 'x', N_("FILE"), 0, N_("embed FILE as an x509 certificate for appended signature checking"), 0},
|
||||||
|
/* TRANSLATORS: NOTE is a name of segment. */
|
||||||
|
{"note", 'n', 0, 0, N_("add NOTE segment for CHRP IEEE1275"), 0},
|
||||||
|
{"output", 'o', N_("FILE"), 0, N_("output a generated image to FILE [default=stdout]"), 0},
|
||||||
|
@@ -122,6 +123,8 @@ struct arguments
|
||||||
|
char *dtb;
|
||||||
|
char **pubkeys;
|
||||||
|
size_t npubkeys;
|
||||||
|
+ char **x509keys;
|
||||||
|
+ size_t nx509keys;
|
||||||
|
char *font;
|
||||||
|
char *config;
|
||||||
|
int note;
|
||||||
|
@@ -202,6 +205,13 @@ argp_parser (int key, char *arg, struct argp_state *state)
|
||||||
|
arguments->pubkeys[arguments->npubkeys++] = xstrdup (arg);
|
||||||
|
break;
|
||||||
|
|
||||||
|
+ case 'x':
|
||||||
|
+ arguments->x509keys = xrealloc (arguments->x509keys,
|
||||||
|
+ sizeof (arguments->x509keys[0])
|
||||||
|
+ * (arguments->nx509keys + 1));
|
||||||
|
+ arguments->x509keys[arguments->nx509keys++] = xstrdup (arg);
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
case 'c':
|
||||||
|
if (arguments->config)
|
||||||
|
free (arguments->config);
|
||||||
|
@@ -317,7 +327,8 @@ main (int argc, char *argv[])
|
||||||
|
grub_install_generate_image (arguments.dir, arguments.prefix, fp,
|
||||||
|
arguments.output, arguments.modules,
|
||||||
|
arguments.memdisk, arguments.pubkeys,
|
||||||
|
- arguments.npubkeys, arguments.config,
|
||||||
|
+ arguments.npubkeys, arguments.x509keys,
|
||||||
|
+ arguments.nx509keys, arguments.config,
|
||||||
|
arguments.image_target, arguments.note,
|
||||||
|
arguments.appsig_size,
|
||||||
|
arguments.comp, arguments.dtb);
|
||||||
|
diff --git a/util/mkimage.c b/util/mkimage.c
|
||||||
|
index bd06968decc..5702a00d06f 100644
|
||||||
|
--- a/util/mkimage.c
|
||||||
|
+++ b/util/mkimage.c
|
||||||
|
@@ -819,8 +819,10 @@ grub_install_get_image_targets_string (void)
|
||||||
|
void
|
||||||
|
grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
FILE *out, const char *outname, char *mods[],
|
||||||
|
- char *memdisk_path, char **pubkey_paths,
|
||||||
|
- size_t npubkeys, char *config_path,
|
||||||
|
+ char *memdisk_path,
|
||||||
|
+ char **pubkey_paths, size_t npubkeys,
|
||||||
|
+ char **x509key_paths, size_t nx509keys,
|
||||||
|
+ char *config_path,
|
||||||
|
const struct grub_install_image_target_desc *image_target,
|
||||||
|
int note, size_t appsig_size, grub_compression_t comp, const char *dtb_path)
|
||||||
|
{
|
||||||
|
@@ -864,6 +866,19 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ {
|
||||||
|
+ size_t i;
|
||||||
|
+ for (i = 0; i < nx509keys; i++)
|
||||||
|
+ {
|
||||||
|
+ size_t curs;
|
||||||
|
+ curs = ALIGN_ADDR (grub_util_get_image_size (x509key_paths[i]));
|
||||||
|
+ grub_util_info ("the size of x509 public key %u is 0x%"
|
||||||
|
+ GRUB_HOST_PRIxLONG_LONG,
|
||||||
|
+ (unsigned) i, (unsigned long long) curs);
|
||||||
|
+ total_module_size += curs + sizeof (struct grub_module_header);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (memdisk_path)
|
||||||
|
{
|
||||||
|
memdisk_size = ALIGN_UP(grub_util_get_image_size (memdisk_path), 512);
|
||||||
|
@@ -979,7 +994,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
curs = grub_util_get_image_size (pubkey_paths[i]);
|
||||||
|
|
||||||
|
header = (struct grub_module_header *) (kernel_img + offset);
|
||||||
|
- header->type = grub_host_to_target32 (OBJ_TYPE_PUBKEY);
|
||||||
|
+ header->type = grub_host_to_target32 (OBJ_TYPE_GPG_PUBKEY);
|
||||||
|
header->size = grub_host_to_target32 (curs + sizeof (*header));
|
||||||
|
offset += sizeof (*header);
|
||||||
|
|
||||||
|
@@ -988,6 +1003,26 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ {
|
||||||
|
+ size_t i;
|
||||||
|
+ for (i = 0; i < nx509keys; i++)
|
||||||
|
+ {
|
||||||
|
+ size_t curs;
|
||||||
|
+ struct grub_module_header *header;
|
||||||
|
+
|
||||||
|
+ curs = grub_util_get_image_size (x509key_paths[i]);
|
||||||
|
+
|
||||||
|
+ header = (struct grub_module_header *) (kernel_img + offset);
|
||||||
|
+ header->type = grub_host_to_target32 (OBJ_TYPE_X509_PUBKEY);
|
||||||
|
+ header->size = grub_host_to_target32 (curs + sizeof (*header));
|
||||||
|
+ offset += sizeof (*header);
|
||||||
|
+
|
||||||
|
+ grub_util_load_image (x509key_paths[i], kernel_img + offset);
|
||||||
|
+ offset += ALIGN_ADDR (curs);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+
|
||||||
|
if (memdisk_path)
|
||||||
|
{
|
||||||
|
struct grub_module_header *header;
|
||||||
|
diff --git a/include/grub/kernel.h b/include/grub/kernel.h
|
||||||
|
index de48cd44ccb..5d54c45cb70 100644
|
||||||
|
--- a/include/grub/kernel.h
|
||||||
|
+++ b/include/grub/kernel.h
|
||||||
|
@@ -28,7 +28,8 @@ enum
|
||||||
|
OBJ_TYPE_MEMDISK,
|
||||||
|
OBJ_TYPE_CONFIG,
|
||||||
|
OBJ_TYPE_PREFIX,
|
||||||
|
- OBJ_TYPE_PUBKEY,
|
||||||
|
+ OBJ_TYPE_GPG_PUBKEY,
|
||||||
|
+ OBJ_TYPE_X509_PUBKEY,
|
||||||
|
OBJ_TYPE_DTB
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/include/grub/util/install.h b/include/grub/util/install.h
|
||||||
|
index eb1b83b6d94..8353bafb00a 100644
|
||||||
|
--- a/include/grub/util/install.h
|
||||||
|
+++ b/include/grub/util/install.h
|
||||||
|
@@ -63,6 +63,8 @@
|
||||||
|
/* TRANSLATORS: "embed" is a verb (command description). "*/ \
|
||||||
|
{ "pubkey", 'k', N_("FILE"), 0, \
|
||||||
|
N_("embed FILE as public key for signature checking"), 0}, \
|
||||||
|
+ { "x509key", 'x', N_("FILE"), 0, \
|
||||||
|
+ N_("embed FILE as an x509 certificate for signature checking"), 0}, \
|
||||||
|
{ "appended-signature-size", GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,\
|
||||||
|
"SIZE", 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), \
|
||||||
|
1}, \
|
||||||
|
@@ -182,8 +184,9 @@ void
|
||||||
|
grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
FILE *out,
|
||||||
|
const char *outname, char *mods[],
|
||||||
|
- char *memdisk_path, char **pubkey_paths,
|
||||||
|
- size_t npubkeys,
|
||||||
|
+ char *memdisk_path,
|
||||||
|
+ char **pubkey_paths, size_t npubkeys,
|
||||||
|
+ char **x509key_paths, size_t nx509keys,
|
||||||
|
char *config_path,
|
||||||
|
const struct grub_install_image_target_desc *image_target,
|
||||||
|
int note, size_t appsig_size,
|
639
0299-appended-signatures-import-GNUTLS-s-ASN.1-descriptio.patch
Normal file
639
0299-appended-signatures-import-GNUTLS-s-ASN.1-descriptio.patch
Normal file
@ -0,0 +1,639 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Thu, 30 Jul 2020 01:35:10 +1000
|
||||||
|
Subject: [PATCH] appended signatures: import GNUTLS's ASN.1 description files
|
||||||
|
|
||||||
|
In order to parse PKCS#7 messages and X.509 certificates with libtasn1,
|
||||||
|
we need some information about how they are encoded.
|
||||||
|
|
||||||
|
We get these from GNUTLS, which has the benefit that they support the
|
||||||
|
features we need and are well tested.
|
||||||
|
|
||||||
|
The GNUTLS license is LGPLv2.1+, which is GPLv3 compatible, allowing
|
||||||
|
us to import it without issue.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/commands/appendedsig/gnutls_asn1_tab.c | 121 ++++++
|
||||||
|
grub-core/commands/appendedsig/pkix_asn1_tab.c | 484 +++++++++++++++++++++++
|
||||||
|
2 files changed, 605 insertions(+)
|
||||||
|
create mode 100644 grub-core/commands/appendedsig/gnutls_asn1_tab.c
|
||||||
|
create mode 100644 grub-core/commands/appendedsig/pkix_asn1_tab.c
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/appendedsig/gnutls_asn1_tab.c b/grub-core/commands/appendedsig/gnutls_asn1_tab.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..ddd1314e63b
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/grub-core/commands/appendedsig/gnutls_asn1_tab.c
|
||||||
|
@@ -0,0 +1,121 @@
|
||||||
|
+#include <grub/mm.h>
|
||||||
|
+#include <grub/libtasn1.h>
|
||||||
|
+
|
||||||
|
+const asn1_static_node gnutls_asn1_tab[] = {
|
||||||
|
+ { "GNUTLS", 536872976, NULL },
|
||||||
|
+ { NULL, 1073741836, NULL },
|
||||||
|
+ { "RSAPublicKey", 1610612741, NULL },
|
||||||
|
+ { "modulus", 1073741827, NULL },
|
||||||
|
+ { "publicExponent", 3, NULL },
|
||||||
|
+ { "RSAPrivateKey", 1610612741, NULL },
|
||||||
|
+ { "version", 1073741827, NULL },
|
||||||
|
+ { "modulus", 1073741827, NULL },
|
||||||
|
+ { "publicExponent", 1073741827, NULL },
|
||||||
|
+ { "privateExponent", 1073741827, NULL },
|
||||||
|
+ { "prime1", 1073741827, NULL },
|
||||||
|
+ { "prime2", 1073741827, NULL },
|
||||||
|
+ { "exponent1", 1073741827, NULL },
|
||||||
|
+ { "exponent2", 1073741827, NULL },
|
||||||
|
+ { "coefficient", 1073741827, NULL },
|
||||||
|
+ { "otherPrimeInfos", 16386, "OtherPrimeInfos"},
|
||||||
|
+ { "ProvableSeed", 1610612741, NULL },
|
||||||
|
+ { "algorithm", 1073741836, NULL },
|
||||||
|
+ { "seed", 7, NULL },
|
||||||
|
+ { "OtherPrimeInfos", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "OtherPrimeInfo"},
|
||||||
|
+ { "OtherPrimeInfo", 1610612741, NULL },
|
||||||
|
+ { "prime", 1073741827, NULL },
|
||||||
|
+ { "exponent", 1073741827, NULL },
|
||||||
|
+ { "coefficient", 3, NULL },
|
||||||
|
+ { "AlgorithmIdentifier", 1610612741, NULL },
|
||||||
|
+ { "algorithm", 1073741836, NULL },
|
||||||
|
+ { "parameters", 541081613, NULL },
|
||||||
|
+ { "algorithm", 1, NULL },
|
||||||
|
+ { "DigestInfo", 1610612741, NULL },
|
||||||
|
+ { "digestAlgorithm", 1073741826, "DigestAlgorithmIdentifier"},
|
||||||
|
+ { "digest", 7, NULL },
|
||||||
|
+ { "DigestAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "DSAPublicKey", 1073741827, NULL },
|
||||||
|
+ { "DSAParameters", 1610612741, NULL },
|
||||||
|
+ { "p", 1073741827, NULL },
|
||||||
|
+ { "q", 1073741827, NULL },
|
||||||
|
+ { "g", 3, NULL },
|
||||||
|
+ { "DSASignatureValue", 1610612741, NULL },
|
||||||
|
+ { "r", 1073741827, NULL },
|
||||||
|
+ { "s", 3, NULL },
|
||||||
|
+ { "DSAPrivateKey", 1610612741, NULL },
|
||||||
|
+ { "version", 1073741827, NULL },
|
||||||
|
+ { "p", 1073741827, NULL },
|
||||||
|
+ { "q", 1073741827, NULL },
|
||||||
|
+ { "g", 1073741827, NULL },
|
||||||
|
+ { "Y", 1073741827, NULL },
|
||||||
|
+ { "priv", 3, NULL },
|
||||||
|
+ { "DHParameter", 1610612741, NULL },
|
||||||
|
+ { "prime", 1073741827, NULL },
|
||||||
|
+ { "base", 1073741827, NULL },
|
||||||
|
+ { "privateValueLength", 16387, NULL },
|
||||||
|
+ { "ECParameters", 1610612754, NULL },
|
||||||
|
+ { "namedCurve", 12, NULL },
|
||||||
|
+ { "ECPrivateKey", 1610612741, NULL },
|
||||||
|
+ { "Version", 1073741827, NULL },
|
||||||
|
+ { "privateKey", 1073741831, NULL },
|
||||||
|
+ { "parameters", 1610637314, "ECParameters"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "publicKey", 536895494, NULL },
|
||||||
|
+ { NULL, 2056, "1"},
|
||||||
|
+ { "PrincipalName", 1610612741, NULL },
|
||||||
|
+ { "name-type", 1610620931, NULL },
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "name-string", 536879115, NULL },
|
||||||
|
+ { NULL, 1073743880, "1"},
|
||||||
|
+ { NULL, 27, NULL },
|
||||||
|
+ { "KRB5PrincipalName", 1610612741, NULL },
|
||||||
|
+ { "realm", 1610620955, NULL },
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "principalName", 536879106, "PrincipalName"},
|
||||||
|
+ { NULL, 2056, "1"},
|
||||||
|
+ { "RSAPSSParameters", 1610612741, NULL },
|
||||||
|
+ { "hashAlgorithm", 1610637314, "AlgorithmIdentifier"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "maskGenAlgorithm", 1610637314, "AlgorithmIdentifier"},
|
||||||
|
+ { NULL, 2056, "1"},
|
||||||
|
+ { "saltLength", 1610653699, NULL },
|
||||||
|
+ { NULL, 1073741833, "20"},
|
||||||
|
+ { NULL, 2056, "2"},
|
||||||
|
+ { "trailerField", 536911875, NULL },
|
||||||
|
+ { NULL, 1073741833, "1"},
|
||||||
|
+ { NULL, 2056, "3"},
|
||||||
|
+ { "GOSTParameters", 1610612741, NULL },
|
||||||
|
+ { "publicKeyParamSet", 1073741836, NULL },
|
||||||
|
+ { "digestParamSet", 16396, NULL },
|
||||||
|
+ { "GOSTParametersOld", 1610612741, NULL },
|
||||||
|
+ { "publicKeyParamSet", 1073741836, NULL },
|
||||||
|
+ { "digestParamSet", 1073741836, NULL },
|
||||||
|
+ { "encryptionParamSet", 16396, NULL },
|
||||||
|
+ { "GOSTPrivateKey", 1073741831, NULL },
|
||||||
|
+ { "GOSTPrivateKeyOld", 1073741827, NULL },
|
||||||
|
+ { "IssuerSignTool", 1610612741, NULL },
|
||||||
|
+ { "signTool", 1073741858, NULL },
|
||||||
|
+ { "cATool", 1073741858, NULL },
|
||||||
|
+ { "signToolCert", 1073741858, NULL },
|
||||||
|
+ { "cAToolCert", 34, NULL },
|
||||||
|
+ { "Gost28147-89-EncryptedKey", 1610612741, NULL },
|
||||||
|
+ { "encryptedKey", 1073741831, NULL },
|
||||||
|
+ { "maskKey", 1610637319, NULL },
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "macKey", 7, NULL },
|
||||||
|
+ { "SubjectPublicKeyInfo", 1610612741, NULL },
|
||||||
|
+ { "algorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "subjectPublicKey", 6, NULL },
|
||||||
|
+ { "GostR3410-TransportParameters", 1610612741, NULL },
|
||||||
|
+ { "encryptionParamSet", 1073741836, NULL },
|
||||||
|
+ { "ephemeralPublicKey", 1610637314, "SubjectPublicKeyInfo"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "ukm", 7, NULL },
|
||||||
|
+ { "GostR3410-KeyTransport", 536870917, NULL },
|
||||||
|
+ { "sessionEncryptedKey", 1073741826, "Gost28147-89-EncryptedKey"},
|
||||||
|
+ { "transportParameters", 536895490, "GostR3410-TransportParameters"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { NULL, 0, NULL }
|
||||||
|
+};
|
||||||
|
diff --git a/grub-core/commands/appendedsig/pkix_asn1_tab.c b/grub-core/commands/appendedsig/pkix_asn1_tab.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..adef69d95ce
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/grub-core/commands/appendedsig/pkix_asn1_tab.c
|
||||||
|
@@ -0,0 +1,484 @@
|
||||||
|
+#include <grub/mm.h>
|
||||||
|
+#include <grub/libtasn1.h>
|
||||||
|
+
|
||||||
|
+const asn1_static_node pkix_asn1_tab[] = {
|
||||||
|
+ { "PKIX1", 536875024, NULL },
|
||||||
|
+ { NULL, 1073741836, NULL },
|
||||||
|
+ { "PrivateKeyUsagePeriod", 1610612741, NULL },
|
||||||
|
+ { "notBefore", 1610637349, NULL },
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "notAfter", 536895525, NULL },
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "AuthorityKeyIdentifier", 1610612741, NULL },
|
||||||
|
+ { "keyIdentifier", 1610637319, NULL },
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "authorityCertIssuer", 1610637314, "GeneralNames"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "authorityCertSerialNumber", 536895490, "CertificateSerialNumber"},
|
||||||
|
+ { NULL, 4104, "2"},
|
||||||
|
+ { "SubjectKeyIdentifier", 1073741831, NULL },
|
||||||
|
+ { "KeyUsage", 1073741830, NULL },
|
||||||
|
+ { "DirectoryString", 1610612754, NULL },
|
||||||
|
+ { "teletexString", 1612709918, NULL },
|
||||||
|
+ { "MAX", 524298, "1"},
|
||||||
|
+ { "printableString", 1612709919, NULL },
|
||||||
|
+ { "MAX", 524298, "1"},
|
||||||
|
+ { "universalString", 1612709920, NULL },
|
||||||
|
+ { "MAX", 524298, "1"},
|
||||||
|
+ { "utf8String", 1612709922, NULL },
|
||||||
|
+ { "MAX", 524298, "1"},
|
||||||
|
+ { "bmpString", 1612709921, NULL },
|
||||||
|
+ { "MAX", 524298, "1"},
|
||||||
|
+ { "ia5String", 538968093, NULL },
|
||||||
|
+ { "MAX", 524298, "1"},
|
||||||
|
+ { "SubjectAltName", 1073741826, "GeneralNames"},
|
||||||
|
+ { "GeneralNames", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "GeneralName"},
|
||||||
|
+ { "GeneralName", 1610612754, NULL },
|
||||||
|
+ { "otherName", 1610620930, "AnotherName"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "rfc822Name", 1610620957, NULL },
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "dNSName", 1610620957, NULL },
|
||||||
|
+ { NULL, 4104, "2"},
|
||||||
|
+ { "x400Address", 1610620941, NULL },
|
||||||
|
+ { NULL, 4104, "3"},
|
||||||
|
+ { "directoryName", 1610620939, NULL },
|
||||||
|
+ { NULL, 1073743880, "4"},
|
||||||
|
+ { NULL, 2, "RelativeDistinguishedName"},
|
||||||
|
+ { "ediPartyName", 1610620941, NULL },
|
||||||
|
+ { NULL, 4104, "5"},
|
||||||
|
+ { "uniformResourceIdentifier", 1610620957, NULL },
|
||||||
|
+ { NULL, 4104, "6"},
|
||||||
|
+ { "iPAddress", 1610620935, NULL },
|
||||||
|
+ { NULL, 4104, "7"},
|
||||||
|
+ { "registeredID", 536879116, NULL },
|
||||||
|
+ { NULL, 4104, "8"},
|
||||||
|
+ { "AnotherName", 1610612741, NULL },
|
||||||
|
+ { "type-id", 1073741836, NULL },
|
||||||
|
+ { "value", 541073421, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { "type-id", 1, NULL },
|
||||||
|
+ { "IssuerAltName", 1073741826, "GeneralNames"},
|
||||||
|
+ { "BasicConstraints", 1610612741, NULL },
|
||||||
|
+ { "cA", 1610645508, NULL },
|
||||||
|
+ { NULL, 131081, NULL },
|
||||||
|
+ { "pathLenConstraint", 537411587, NULL },
|
||||||
|
+ { "0", 10, "MAX"},
|
||||||
|
+ { "CRLDistributionPoints", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "DistributionPoint"},
|
||||||
|
+ { "DistributionPoint", 1610612741, NULL },
|
||||||
|
+ { "distributionPoint", 1610637314, "DistributionPointName"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "reasons", 1610637314, "ReasonFlags"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "cRLIssuer", 536895490, "GeneralNames"},
|
||||||
|
+ { NULL, 4104, "2"},
|
||||||
|
+ { "DistributionPointName", 1610612754, NULL },
|
||||||
|
+ { "fullName", 1610620930, "GeneralNames"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "nameRelativeToCRLIssuer", 536879106, "RelativeDistinguishedName"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "ReasonFlags", 1073741830, NULL },
|
||||||
|
+ { "ExtKeyUsageSyntax", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 12, NULL },
|
||||||
|
+ { "AuthorityInfoAccessSyntax", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "AccessDescription"},
|
||||||
|
+ { "AccessDescription", 1610612741, NULL },
|
||||||
|
+ { "accessMethod", 1073741836, NULL },
|
||||||
|
+ { "accessLocation", 2, "GeneralName"},
|
||||||
|
+ { "Attribute", 1610612741, NULL },
|
||||||
|
+ { "type", 1073741836, NULL },
|
||||||
|
+ { "values", 536870927, NULL },
|
||||||
|
+ { NULL, 13, NULL },
|
||||||
|
+ { "AttributeTypeAndValue", 1610612741, NULL },
|
||||||
|
+ { "type", 1073741836, NULL },
|
||||||
|
+ { "value", 13, NULL },
|
||||||
|
+ { "Name", 1610612754, NULL },
|
||||||
|
+ { "rdnSequence", 536870923, NULL },
|
||||||
|
+ { NULL, 2, "RelativeDistinguishedName"},
|
||||||
|
+ { "DistinguishedName", 1610612747, NULL },
|
||||||
|
+ { NULL, 2, "RelativeDistinguishedName"},
|
||||||
|
+ { "RelativeDistinguishedName", 1612709903, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "AttributeTypeAndValue"},
|
||||||
|
+ { "Certificate", 1610612741, NULL },
|
||||||
|
+ { "tbsCertificate", 1073741826, "TBSCertificate"},
|
||||||
|
+ { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "signature", 6, NULL },
|
||||||
|
+ { "TBSCertificate", 1610612741, NULL },
|
||||||
|
+ { "version", 1610653699, NULL },
|
||||||
|
+ { NULL, 1073741833, "0"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "serialNumber", 1073741826, "CertificateSerialNumber"},
|
||||||
|
+ { "signature", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "issuer", 1073741826, "Name"},
|
||||||
|
+ { "validity", 1073741826, "Validity"},
|
||||||
|
+ { "subject", 1073741826, "Name"},
|
||||||
|
+ { "subjectPublicKeyInfo", 1073741826, "SubjectPublicKeyInfo"},
|
||||||
|
+ { "issuerUniqueID", 1610637314, "UniqueIdentifier"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "subjectUniqueID", 1610637314, "UniqueIdentifier"},
|
||||||
|
+ { NULL, 4104, "2"},
|
||||||
|
+ { "extensions", 536895490, "Extensions"},
|
||||||
|
+ { NULL, 2056, "3"},
|
||||||
|
+ { "CertificateSerialNumber", 1073741827, NULL },
|
||||||
|
+ { "Validity", 1610612741, NULL },
|
||||||
|
+ { "notBefore", 1073741826, "Time"},
|
||||||
|
+ { "notAfter", 2, "Time"},
|
||||||
|
+ { "Time", 1610612754, NULL },
|
||||||
|
+ { "utcTime", 1073741860, NULL },
|
||||||
|
+ { "generalTime", 37, NULL },
|
||||||
|
+ { "UniqueIdentifier", 1073741830, NULL },
|
||||||
|
+ { "SubjectPublicKeyInfo", 1610612741, NULL },
|
||||||
|
+ { "algorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "subjectPublicKey", 6, NULL },
|
||||||
|
+ { "Extensions", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "Extension"},
|
||||||
|
+ { "Extension", 1610612741, NULL },
|
||||||
|
+ { "extnID", 1073741836, NULL },
|
||||||
|
+ { "critical", 1610645508, NULL },
|
||||||
|
+ { NULL, 131081, NULL },
|
||||||
|
+ { "extnValue", 7, NULL },
|
||||||
|
+ { "CertificateList", 1610612741, NULL },
|
||||||
|
+ { "tbsCertList", 1073741826, "TBSCertList"},
|
||||||
|
+ { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "signature", 6, NULL },
|
||||||
|
+ { "TBSCertList", 1610612741, NULL },
|
||||||
|
+ { "version", 1073758211, NULL },
|
||||||
|
+ { "signature", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "issuer", 1073741826, "Name"},
|
||||||
|
+ { "thisUpdate", 1073741826, "Time"},
|
||||||
|
+ { "nextUpdate", 1073758210, "Time"},
|
||||||
|
+ { "revokedCertificates", 1610629131, NULL },
|
||||||
|
+ { NULL, 536870917, NULL },
|
||||||
|
+ { "userCertificate", 1073741826, "CertificateSerialNumber"},
|
||||||
|
+ { "revocationDate", 1073741826, "Time"},
|
||||||
|
+ { "crlEntryExtensions", 16386, "Extensions"},
|
||||||
|
+ { "crlExtensions", 536895490, "Extensions"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "AlgorithmIdentifier", 1610612741, NULL },
|
||||||
|
+ { "algorithm", 1073741836, NULL },
|
||||||
|
+ { "parameters", 541081613, NULL },
|
||||||
|
+ { "algorithm", 1, NULL },
|
||||||
|
+ { "Dss-Sig-Value", 1610612741, NULL },
|
||||||
|
+ { "r", 1073741827, NULL },
|
||||||
|
+ { "s", 3, NULL },
|
||||||
|
+ { "Dss-Parms", 1610612741, NULL },
|
||||||
|
+ { "p", 1073741827, NULL },
|
||||||
|
+ { "q", 1073741827, NULL },
|
||||||
|
+ { "g", 3, NULL },
|
||||||
|
+ { "pkcs-7-ContentInfo", 1610612741, NULL },
|
||||||
|
+ { "contentType", 1073741836, NULL },
|
||||||
|
+ { "content", 541073421, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { "contentType", 1, NULL },
|
||||||
|
+ { "pkcs-7-DigestInfo", 1610612741, NULL },
|
||||||
|
+ { "digestAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "digest", 7, NULL },
|
||||||
|
+ { "pkcs-7-SignedData", 1610612741, NULL },
|
||||||
|
+ { "version", 1073741827, NULL },
|
||||||
|
+ { "digestAlgorithms", 1073741826, "pkcs-7-DigestAlgorithmIdentifiers"},
|
||||||
|
+ { "encapContentInfo", 1073741826, "pkcs-7-EncapsulatedContentInfo"},
|
||||||
|
+ { "certificates", 1610637314, "pkcs-7-CertificateSet"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "crls", 1610637314, "pkcs-7-CertificateRevocationLists"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "signerInfos", 2, "pkcs-7-SignerInfos"},
|
||||||
|
+ { "pkcs-7-DigestAlgorithmIdentifiers", 1610612751, NULL },
|
||||||
|
+ { NULL, 2, "AlgorithmIdentifier"},
|
||||||
|
+ { "pkcs-7-EncapsulatedContentInfo", 1610612741, NULL },
|
||||||
|
+ { "eContentType", 1073741836, NULL },
|
||||||
|
+ { "eContent", 536895501, NULL },
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "pkcs-7-CertificateRevocationLists", 1610612751, NULL },
|
||||||
|
+ { NULL, 13, NULL },
|
||||||
|
+ { "pkcs-7-CertificateChoices", 1610612754, NULL },
|
||||||
|
+ { "certificate", 13, NULL },
|
||||||
|
+ { "pkcs-7-CertificateSet", 1610612751, NULL },
|
||||||
|
+ { NULL, 2, "pkcs-7-CertificateChoices"},
|
||||||
|
+ { "IssuerAndSerialNumber", 1610612741, NULL },
|
||||||
|
+ { "issuer", 1073741826, "Name"},
|
||||||
|
+ { "serialNumber", 2, "CertificateSerialNumber"},
|
||||||
|
+ { "pkcs-7-SignerInfo", 1610612741, NULL },
|
||||||
|
+ { "version", 1073741827, NULL },
|
||||||
|
+ { "sid", 1073741826, "SignerIdentifier"},
|
||||||
|
+ { "digestAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "signedAttrs", 1610637314, "SignedAttributes"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "signature", 1073741831, NULL },
|
||||||
|
+ { "unsignedAttrs", 536895490, "SignedAttributes"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "SignedAttributes", 1612709903, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "Attribute"},
|
||||||
|
+ { "SignerIdentifier", 1610612754, NULL },
|
||||||
|
+ { "issuerAndSerialNumber", 1073741826, "IssuerAndSerialNumber"},
|
||||||
|
+ { "subjectKeyIdentifier", 536879111, NULL },
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "pkcs-7-SignerInfos", 1610612751, NULL },
|
||||||
|
+ { NULL, 2, "pkcs-7-SignerInfo"},
|
||||||
|
+ { "pkcs-10-CertificationRequestInfo", 1610612741, NULL },
|
||||||
|
+ { "version", 1073741827, NULL },
|
||||||
|
+ { "subject", 1073741826, "Name"},
|
||||||
|
+ { "subjectPKInfo", 1073741826, "SubjectPublicKeyInfo"},
|
||||||
|
+ { "attributes", 536879106, "Attributes"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "Attributes", 1610612751, NULL },
|
||||||
|
+ { NULL, 2, "Attribute"},
|
||||||
|
+ { "pkcs-10-CertificationRequest", 1610612741, NULL },
|
||||||
|
+ { "certificationRequestInfo", 1073741826, "pkcs-10-CertificationRequestInfo"},
|
||||||
|
+ { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "signature", 6, NULL },
|
||||||
|
+ { "pkcs-9-at-challengePassword", 1879048204, NULL },
|
||||||
|
+ { "iso", 1073741825, "1"},
|
||||||
|
+ { "member-body", 1073741825, "2"},
|
||||||
|
+ { "us", 1073741825, "840"},
|
||||||
|
+ { "rsadsi", 1073741825, "113549"},
|
||||||
|
+ { "pkcs", 1073741825, "1"},
|
||||||
|
+ { NULL, 1073741825, "9"},
|
||||||
|
+ { NULL, 1, "7"},
|
||||||
|
+ { "pkcs-9-challengePassword", 1610612754, NULL },
|
||||||
|
+ { "printableString", 1073741855, NULL },
|
||||||
|
+ { "utf8String", 34, NULL },
|
||||||
|
+ { "pkcs-9-localKeyId", 1073741831, NULL },
|
||||||
|
+ { "pkcs-8-PrivateKeyInfo", 1610612741, NULL },
|
||||||
|
+ { "version", 1073741827, NULL },
|
||||||
|
+ { "privateKeyAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "privateKey", 1073741831, NULL },
|
||||||
|
+ { "attributes", 536895490, "Attributes"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "pkcs-8-EncryptedPrivateKeyInfo", 1610612741, NULL },
|
||||||
|
+ { "encryptionAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "encryptedData", 2, "pkcs-8-EncryptedData"},
|
||||||
|
+ { "pkcs-8-EncryptedData", 1073741831, NULL },
|
||||||
|
+ { "pkcs-5-des-CBC-params", 1612709895, NULL },
|
||||||
|
+ { NULL, 1048586, "8"},
|
||||||
|
+ { "pkcs-5-des-EDE3-CBC-params", 1612709895, NULL },
|
||||||
|
+ { NULL, 1048586, "8"},
|
||||||
|
+ { "pkcs-5-aes128-CBC-params", 1612709895, NULL },
|
||||||
|
+ { NULL, 1048586, "16"},
|
||||||
|
+ { "pkcs-5-aes192-CBC-params", 1612709895, NULL },
|
||||||
|
+ { NULL, 1048586, "16"},
|
||||||
|
+ { "pkcs-5-aes256-CBC-params", 1612709895, NULL },
|
||||||
|
+ { NULL, 1048586, "16"},
|
||||||
|
+ { "Gost28147-89-Parameters", 1610612741, NULL },
|
||||||
|
+ { "iv", 1073741831, NULL },
|
||||||
|
+ { "encryptionParamSet", 12, NULL },
|
||||||
|
+ { "pkcs-5-PBE-params", 1610612741, NULL },
|
||||||
|
+ { "salt", 1073741831, NULL },
|
||||||
|
+ { "iterationCount", 3, NULL },
|
||||||
|
+ { "pkcs-5-PBES2-params", 1610612741, NULL },
|
||||||
|
+ { "keyDerivationFunc", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "encryptionScheme", 2, "AlgorithmIdentifier"},
|
||||||
|
+ { "pkcs-5-PBKDF2-params", 1610612741, NULL },
|
||||||
|
+ { "salt", 1610612754, NULL },
|
||||||
|
+ { "specified", 1073741831, NULL },
|
||||||
|
+ { "otherSource", 2, "AlgorithmIdentifier"},
|
||||||
|
+ { "iterationCount", 1611137027, NULL },
|
||||||
|
+ { "1", 10, "MAX"},
|
||||||
|
+ { "keyLength", 1611153411, NULL },
|
||||||
|
+ { "1", 10, "MAX"},
|
||||||
|
+ { "prf", 16386, "AlgorithmIdentifier"},
|
||||||
|
+ { "pkcs-12-PFX", 1610612741, NULL },
|
||||||
|
+ { "version", 1610874883, NULL },
|
||||||
|
+ { "v3", 1, "3"},
|
||||||
|
+ { "authSafe", 1073741826, "pkcs-7-ContentInfo"},
|
||||||
|
+ { "macData", 16386, "pkcs-12-MacData"},
|
||||||
|
+ { "pkcs-12-PbeParams", 1610612741, NULL },
|
||||||
|
+ { "salt", 1073741831, NULL },
|
||||||
|
+ { "iterations", 3, NULL },
|
||||||
|
+ { "pkcs-12-MacData", 1610612741, NULL },
|
||||||
|
+ { "mac", 1073741826, "pkcs-7-DigestInfo"},
|
||||||
|
+ { "macSalt", 1073741831, NULL },
|
||||||
|
+ { "iterations", 536903683, NULL },
|
||||||
|
+ { NULL, 9, "1"},
|
||||||
|
+ { "pkcs-12-AuthenticatedSafe", 1610612747, NULL },
|
||||||
|
+ { NULL, 2, "pkcs-7-ContentInfo"},
|
||||||
|
+ { "pkcs-12-SafeContents", 1610612747, NULL },
|
||||||
|
+ { NULL, 2, "pkcs-12-SafeBag"},
|
||||||
|
+ { "pkcs-12-SafeBag", 1610612741, NULL },
|
||||||
|
+ { "bagId", 1073741836, NULL },
|
||||||
|
+ { "bagValue", 1614815245, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { "badId", 1, NULL },
|
||||||
|
+ { "bagAttributes", 536887311, NULL },
|
||||||
|
+ { NULL, 2, "Attribute"},
|
||||||
|
+ { "pkcs-12-CertBag", 1610612741, NULL },
|
||||||
|
+ { "certId", 1073741836, NULL },
|
||||||
|
+ { "certValue", 541073421, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { "certId", 1, NULL },
|
||||||
|
+ { "pkcs-12-CRLBag", 1610612741, NULL },
|
||||||
|
+ { "crlId", 1073741836, NULL },
|
||||||
|
+ { "crlValue", 541073421, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { "crlId", 1, NULL },
|
||||||
|
+ { "pkcs-12-SecretBag", 1610612741, NULL },
|
||||||
|
+ { "secretTypeId", 1073741836, NULL },
|
||||||
|
+ { "secretValue", 541073421, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { "secretTypeId", 1, NULL },
|
||||||
|
+ { "pkcs-7-Data", 1073741831, NULL },
|
||||||
|
+ { "pkcs-7-EncryptedData", 1610612741, NULL },
|
||||||
|
+ { "version", 1073741827, NULL },
|
||||||
|
+ { "encryptedContentInfo", 1073741826, "pkcs-7-EncryptedContentInfo"},
|
||||||
|
+ { "unprotectedAttrs", 536895490, "pkcs-7-UnprotectedAttributes"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "pkcs-7-EncryptedContentInfo", 1610612741, NULL },
|
||||||
|
+ { "contentType", 1073741836, NULL },
|
||||||
|
+ { "contentEncryptionAlgorithm", 1073741826, "pkcs-7-ContentEncryptionAlgorithmIdentifier"},
|
||||||
|
+ { "encryptedContent", 536895495, NULL },
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "pkcs-7-ContentEncryptionAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "pkcs-7-UnprotectedAttributes", 1612709903, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "Attribute"},
|
||||||
|
+ { "ProxyCertInfo", 1610612741, NULL },
|
||||||
|
+ { "pCPathLenConstraint", 1611153411, NULL },
|
||||||
|
+ { "0", 10, "MAX"},
|
||||||
|
+ { "proxyPolicy", 2, "ProxyPolicy"},
|
||||||
|
+ { "ProxyPolicy", 1610612741, NULL },
|
||||||
|
+ { "policyLanguage", 1073741836, NULL },
|
||||||
|
+ { "policy", 16391, NULL },
|
||||||
|
+ { "certificatePolicies", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "PolicyInformation"},
|
||||||
|
+ { "PolicyInformation", 1610612741, NULL },
|
||||||
|
+ { "policyIdentifier", 1073741836, NULL },
|
||||||
|
+ { "policyQualifiers", 538984459, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "PolicyQualifierInfo"},
|
||||||
|
+ { "PolicyQualifierInfo", 1610612741, NULL },
|
||||||
|
+ { "policyQualifierId", 1073741836, NULL },
|
||||||
|
+ { "qualifier", 541065229, NULL },
|
||||||
|
+ { "policyQualifierId", 1, NULL },
|
||||||
|
+ { "CPSuri", 1073741853, NULL },
|
||||||
|
+ { "UserNotice", 1610612741, NULL },
|
||||||
|
+ { "noticeRef", 1073758210, "NoticeReference"},
|
||||||
|
+ { "explicitText", 16386, "DisplayText"},
|
||||||
|
+ { "NoticeReference", 1610612741, NULL },
|
||||||
|
+ { "organization", 1073741826, "DisplayText"},
|
||||||
|
+ { "noticeNumbers", 536870923, NULL },
|
||||||
|
+ { NULL, 3, NULL },
|
||||||
|
+ { "DisplayText", 1610612754, NULL },
|
||||||
|
+ { "ia5String", 1612709917, NULL },
|
||||||
|
+ { "200", 524298, "1"},
|
||||||
|
+ { "visibleString", 1612709923, NULL },
|
||||||
|
+ { "200", 524298, "1"},
|
||||||
|
+ { "bmpString", 1612709921, NULL },
|
||||||
|
+ { "200", 524298, "1"},
|
||||||
|
+ { "utf8String", 538968098, NULL },
|
||||||
|
+ { "200", 524298, "1"},
|
||||||
|
+ { "OCSPRequest", 1610612741, NULL },
|
||||||
|
+ { "tbsRequest", 1073741826, "TBSRequest"},
|
||||||
|
+ { "optionalSignature", 536895490, "Signature"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "TBSRequest", 1610612741, NULL },
|
||||||
|
+ { "version", 1610653699, NULL },
|
||||||
|
+ { NULL, 1073741833, "0"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "requestorName", 1610637314, "GeneralName"},
|
||||||
|
+ { NULL, 2056, "1"},
|
||||||
|
+ { "requestList", 1610612747, NULL },
|
||||||
|
+ { NULL, 2, "Request"},
|
||||||
|
+ { "requestExtensions", 536895490, "Extensions"},
|
||||||
|
+ { NULL, 2056, "2"},
|
||||||
|
+ { "Signature", 1610612741, NULL },
|
||||||
|
+ { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "signature", 1073741830, NULL },
|
||||||
|
+ { "certs", 536895499, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { NULL, 2, "Certificate"},
|
||||||
|
+ { "Request", 1610612741, NULL },
|
||||||
|
+ { "reqCert", 1073741826, "CertID"},
|
||||||
|
+ { "singleRequestExtensions", 536895490, "Extensions"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "CertID", 1610612741, NULL },
|
||||||
|
+ { "hashAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "issuerNameHash", 1073741831, NULL },
|
||||||
|
+ { "issuerKeyHash", 1073741831, NULL },
|
||||||
|
+ { "serialNumber", 2, "CertificateSerialNumber"},
|
||||||
|
+ { "OCSPResponse", 1610612741, NULL },
|
||||||
|
+ { "responseStatus", 1073741826, "OCSPResponseStatus"},
|
||||||
|
+ { "responseBytes", 536895490, "ResponseBytes"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "OCSPResponseStatus", 1610874901, NULL },
|
||||||
|
+ { "successful", 1073741825, "0"},
|
||||||
|
+ { "malformedRequest", 1073741825, "1"},
|
||||||
|
+ { "internalError", 1073741825, "2"},
|
||||||
|
+ { "tryLater", 1073741825, "3"},
|
||||||
|
+ { "sigRequired", 1073741825, "5"},
|
||||||
|
+ { "unauthorized", 1, "6"},
|
||||||
|
+ { "ResponseBytes", 1610612741, NULL },
|
||||||
|
+ { "responseType", 1073741836, NULL },
|
||||||
|
+ { "response", 7, NULL },
|
||||||
|
+ { "BasicOCSPResponse", 1610612741, NULL },
|
||||||
|
+ { "tbsResponseData", 1073741826, "ResponseData"},
|
||||||
|
+ { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "signature", 1073741830, NULL },
|
||||||
|
+ { "certs", 536895499, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { NULL, 2, "Certificate"},
|
||||||
|
+ { "ResponseData", 1610612741, NULL },
|
||||||
|
+ { "version", 1610653699, NULL },
|
||||||
|
+ { NULL, 1073741833, "0"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "responderID", 1073741826, "ResponderID"},
|
||||||
|
+ { "producedAt", 1073741861, NULL },
|
||||||
|
+ { "responses", 1610612747, NULL },
|
||||||
|
+ { NULL, 2, "SingleResponse"},
|
||||||
|
+ { "responseExtensions", 536895490, "Extensions"},
|
||||||
|
+ { NULL, 2056, "1"},
|
||||||
|
+ { "ResponderID", 1610612754, NULL },
|
||||||
|
+ { "byName", 1610620939, NULL },
|
||||||
|
+ { NULL, 1073743880, "1"},
|
||||||
|
+ { NULL, 2, "RelativeDistinguishedName"},
|
||||||
|
+ { "byKey", 536879111, NULL },
|
||||||
|
+ { NULL, 2056, "2"},
|
||||||
|
+ { "SingleResponse", 1610612741, NULL },
|
||||||
|
+ { "certID", 1073741826, "CertID"},
|
||||||
|
+ { "certStatus", 1073741826, "CertStatus"},
|
||||||
|
+ { "thisUpdate", 1073741861, NULL },
|
||||||
|
+ { "nextUpdate", 1610637349, NULL },
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "singleExtensions", 536895490, "Extensions"},
|
||||||
|
+ { NULL, 2056, "1"},
|
||||||
|
+ { "CertStatus", 1610612754, NULL },
|
||||||
|
+ { "good", 1610620948, NULL },
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "revoked", 1610620930, "RevokedInfo"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "unknown", 536879106, "UnknownInfo"},
|
||||||
|
+ { NULL, 4104, "2"},
|
||||||
|
+ { "RevokedInfo", 1610612741, NULL },
|
||||||
|
+ { "revocationTime", 1073741861, NULL },
|
||||||
|
+ { "revocationReason", 537157653, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { "unspecified", 1, "0"},
|
||||||
|
+ { "UnknownInfo", 1073741844, NULL },
|
||||||
|
+ { "NameConstraints", 1610612741, NULL },
|
||||||
|
+ { "permittedSubtrees", 1610637314, "GeneralSubtrees"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "excludedSubtrees", 536895490, "GeneralSubtrees"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "GeneralSubtrees", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "GeneralSubtree"},
|
||||||
|
+ { "GeneralSubtree", 1610612741, NULL },
|
||||||
|
+ { "base", 1073741826, "GeneralName"},
|
||||||
|
+ { "minimum", 1610653699, NULL },
|
||||||
|
+ { NULL, 1073741833, "0"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "maximum", 536895491, NULL },
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "TlsFeatures", 536870923, NULL },
|
||||||
|
+ { NULL, 3, NULL },
|
||||||
|
+ { NULL, 0, NULL }
|
||||||
|
+};
|
1542
0300-appended-signatures-parse-PKCS-7-signedData-and-X.50.patch
Normal file
1542
0300-appended-signatures-parse-PKCS-7-signedData-and-X.50.patch
Normal file
File diff suppressed because it is too large
Load Diff
719
0301-appended-signatures-support-verifying-appended-signa.patch
Normal file
719
0301-appended-signatures-support-verifying-appended-signa.patch
Normal file
@ -0,0 +1,719 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Thu, 30 Jul 2020 01:35:43 +1000
|
||||||
|
Subject: [PATCH] appended signatures: support verifying appended signatures
|
||||||
|
|
||||||
|
Building on the parsers and the ability to embed x509 certificates, as
|
||||||
|
well as the existing gcrypt functionality, add a module for verifying
|
||||||
|
appended signatures.
|
||||||
|
|
||||||
|
This includes:
|
||||||
|
|
||||||
|
- a verifier that requires that kernels and grub modules have appended
|
||||||
|
signatures. It shares lots of logic with shim-lock verifier about what
|
||||||
|
files need to be verified and what modules are unsafe to have loaded.
|
||||||
|
|
||||||
|
- commands to manage the list of trusted certificates for verification.
|
||||||
|
|
||||||
|
Similar to the PGP verifier, if a certificate is embedded in the core
|
||||||
|
image, verification will be enforced unless disabled on the the grub
|
||||||
|
command line or by load_env.
|
||||||
|
|
||||||
|
Thus, as with the PGP verifier, it is not a complete secure-boot solution:
|
||||||
|
other mechanisms must be used to ensure that a user cannot drop to the
|
||||||
|
grub shell and disable verification.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/Makefile.core.def | 12 +
|
||||||
|
grub-core/commands/appendedsig/appendedsig.c | 644 +++++++++++++++++++++++++++
|
||||||
|
include/grub/file.h | 2 +
|
||||||
|
3 files changed, 658 insertions(+)
|
||||||
|
create mode 100644 grub-core/commands/appendedsig/appendedsig.c
|
||||||
|
|
||||||
|
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||||
|
index 78071360529..30bd9a4a587 100644
|
||||||
|
--- a/grub-core/Makefile.core.def
|
||||||
|
+++ b/grub-core/Makefile.core.def
|
||||||
|
@@ -977,6 +977,18 @@ module = {
|
||||||
|
cppflags = '-I$(srcdir)/lib/posix_wrap';
|
||||||
|
};
|
||||||
|
|
||||||
|
+module = {
|
||||||
|
+ name = appendedsig;
|
||||||
|
+ common = commands/appendedsig/appendedsig.c;
|
||||||
|
+ common = commands/appendedsig/x509.c;
|
||||||
|
+ common = commands/appendedsig/pkcs7.c;
|
||||||
|
+ common = commands/appendedsig/asn1util.c;
|
||||||
|
+ common = commands/appendedsig/gnutls_asn1_tab.c;
|
||||||
|
+ common = commands/appendedsig/pkix_asn1_tab.c;
|
||||||
|
+ cflags = '$(CFLAGS_POSIX)';
|
||||||
|
+ cppflags = '-I$(srcdir)/lib/posix_wrap';
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
module = {
|
||||||
|
name = verifiers;
|
||||||
|
common = commands/verifiers.c;
|
||||||
|
diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..1fbc942254a
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/grub-core/commands/appendedsig/appendedsig.c
|
||||||
|
@@ -0,0 +1,644 @@
|
||||||
|
+/*
|
||||||
|
+ * GRUB -- GRand Unified Bootloader
|
||||||
|
+ * Copyright (C) 2020 IBM Corporation.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is free software: you can redistribute it and/or modify
|
||||||
|
+ * it under the terms of the GNU General Public License as published by
|
||||||
|
+ * the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+ * (at your option) any later version.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is distributed in the hope that it will be useful,
|
||||||
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+ * GNU General Public License for more details.
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU General Public License
|
||||||
|
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include <grub/types.h>
|
||||||
|
+#include <grub/misc.h>
|
||||||
|
+#include <grub/mm.h>
|
||||||
|
+#include <grub/err.h>
|
||||||
|
+#include <grub/dl.h>
|
||||||
|
+#include <grub/file.h>
|
||||||
|
+#include <grub/command.h>
|
||||||
|
+#include <grub/crypto.h>
|
||||||
|
+#include <grub/pkcs1_v15.h>
|
||||||
|
+#include <grub/i18n.h>
|
||||||
|
+#include <grub/gcrypt/gcrypt.h>
|
||||||
|
+#include <grub/kernel.h>
|
||||||
|
+#include <grub/extcmd.h>
|
||||||
|
+#include <grub/verify.h>
|
||||||
|
+#include <grub/libtasn1.h>
|
||||||
|
+#include <grub/env.h>
|
||||||
|
+
|
||||||
|
+#include "appendedsig.h"
|
||||||
|
+
|
||||||
|
+GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
+
|
||||||
|
+const char magic[] = "~Module signature appended~\n";
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * This structure is extracted from scripts/sign-file.c in the linux kernel
|
||||||
|
+ * source. It was licensed as LGPLv2.1+, which is GPLv3+ compatible.
|
||||||
|
+ */
|
||||||
|
+struct module_signature
|
||||||
|
+{
|
||||||
|
+ grub_uint8_t algo; /* Public-key crypto algorithm [0] */
|
||||||
|
+ grub_uint8_t hash; /* Digest algorithm [0] */
|
||||||
|
+ grub_uint8_t id_type; /* Key identifier type [PKEY_ID_PKCS7] */
|
||||||
|
+ grub_uint8_t signer_len; /* Length of signer's name [0] */
|
||||||
|
+ grub_uint8_t key_id_len; /* Length of key identifier [0] */
|
||||||
|
+ grub_uint8_t __pad[3];
|
||||||
|
+ grub_uint32_t sig_len; /* Length of signature data */
|
||||||
|
+} GRUB_PACKED;
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+/* This represents an entire, parsed, appended signature */
|
||||||
|
+struct grub_appended_signature
|
||||||
|
+{
|
||||||
|
+ grub_size_t signature_len; /* Length of PKCS#7 data +
|
||||||
|
+ * metadata + magic */
|
||||||
|
+
|
||||||
|
+ struct module_signature sig_metadata; /* Module signature metadata */
|
||||||
|
+ struct pkcs7_signedData pkcs7; /* Parsed PKCS#7 data */
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+/* Trusted certificates for verifying appended signatures */
|
||||||
|
+struct x509_certificate *grub_trusted_key;
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Force gcry_rsa to be a module dependency.
|
||||||
|
+ *
|
||||||
|
+ * If we use grub_crypto_pk_rsa, then then the gcry_rsa module won't be built
|
||||||
|
+ * in if you add 'appendedsig' to grub-install --modules. You would need to
|
||||||
|
+ * add 'gcry_rsa' too. That's confusing and seems suboptimal, especially when
|
||||||
|
+ * we only support RSA.
|
||||||
|
+ *
|
||||||
|
+ * Dynamic loading also causes some concerns. We can't load gcry_rsa from the
|
||||||
|
+ * the filesystem after we install the verifier - we won't be able to verify
|
||||||
|
+ * it without having it already present. We also shouldn't load it before we
|
||||||
|
+ * install the verifier, because that would mean it wouldn't be verified - an
|
||||||
|
+ * attacker could insert any code they wanted into the module.
|
||||||
|
+ *
|
||||||
|
+ * So instead, reference the internal symbol from gcry_rsa. That creates a
|
||||||
|
+ * direct dependency on gcry_rsa, so it will be built in when this module
|
||||||
|
+ * is built in. Being built in (assuming the core image is itself signed!)
|
||||||
|
+ * also resolves our concerns about loading from the filesystem.
|
||||||
|
+ */
|
||||||
|
+extern gcry_pk_spec_t _gcry_pubkey_spec_rsa;
|
||||||
|
+
|
||||||
|
+static int check_sigs = 0;
|
||||||
|
+
|
||||||
|
+static char *
|
||||||
|
+grub_env_write_sec (struct grub_env_var *var __attribute__((unused)),
|
||||||
|
+ const char *val)
|
||||||
|
+{
|
||||||
|
+ check_sigs = (*val == '1') || (*val == 'e');
|
||||||
|
+ return grub_strdup (check_sigs ? "enforce" : "no");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+read_cert_from_file (grub_file_t f, struct x509_certificate *certificate)
|
||||||
|
+{
|
||||||
|
+ grub_err_t err;
|
||||||
|
+ grub_uint8_t *buf = NULL;
|
||||||
|
+ grub_ssize_t read_size;
|
||||||
|
+ grub_off_t total_read_size = 0;
|
||||||
|
+ grub_off_t file_size = grub_file_size (f);
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+ if (file_size == GRUB_FILE_SIZE_UNKNOWN)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
|
+ N_("Cannot parse a certificate file of unknown size"));
|
||||||
|
+
|
||||||
|
+ buf = grub_zalloc (file_size);
|
||||||
|
+ if (!buf)
|
||||||
|
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
||||||
|
+ N_("Could not allocate buffer for certificate file contents"));
|
||||||
|
+
|
||||||
|
+ while (total_read_size < file_size)
|
||||||
|
+ {
|
||||||
|
+ read_size =
|
||||||
|
+ grub_file_read (f, &buf[total_read_size],
|
||||||
|
+ file_size - total_read_size);
|
||||||
|
+ if (read_size < 0)
|
||||||
|
+ {
|
||||||
|
+ err = grub_error (GRUB_ERR_READ_ERROR,
|
||||||
|
+ N_("Error reading certificate file"));
|
||||||
|
+ goto cleanup_buf;
|
||||||
|
+ }
|
||||||
|
+ total_read_size += read_size;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ err = certificate_import (buf, total_read_size, certificate);
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ goto cleanup_buf;
|
||||||
|
+
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+
|
||||||
|
+cleanup_buf:
|
||||||
|
+ grub_free (buf);
|
||||||
|
+ return err;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+extract_appended_signature (grub_uint8_t * buf, grub_size_t bufsize,
|
||||||
|
+ struct grub_appended_signature *sig)
|
||||||
|
+{
|
||||||
|
+ grub_err_t err;
|
||||||
|
+ grub_size_t pkcs7_size;
|
||||||
|
+ grub_size_t remaining_len;
|
||||||
|
+ grub_uint8_t *appsigdata = buf + bufsize - grub_strlen (magic);
|
||||||
|
+
|
||||||
|
+ if (bufsize < grub_strlen (magic))
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ N_("File too short for signature magic"));
|
||||||
|
+
|
||||||
|
+ if (grub_memcmp (appsigdata, (grub_uint8_t *) magic, grub_strlen (magic)))
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ N_("Missing or invalid signature magic"));
|
||||||
|
+
|
||||||
|
+ remaining_len = bufsize - grub_strlen (magic);
|
||||||
|
+
|
||||||
|
+ if (remaining_len < sizeof (struct module_signature))
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ N_("File too short for signature metadata"));
|
||||||
|
+
|
||||||
|
+ appsigdata -= sizeof (struct module_signature);
|
||||||
|
+
|
||||||
|
+ /* extract the metadata */
|
||||||
|
+ grub_memcpy (&(sig->sig_metadata), appsigdata,
|
||||||
|
+ sizeof (struct module_signature));
|
||||||
|
+
|
||||||
|
+ remaining_len -= sizeof (struct module_signature);
|
||||||
|
+
|
||||||
|
+ if (sig->sig_metadata.id_type != 2)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("Wrong signature type"));
|
||||||
|
+
|
||||||
|
+#ifdef GRUB_TARGET_WORDS_BIGENDIAN
|
||||||
|
+ pkcs7_size = sig->sig_metadata.sig_len;
|
||||||
|
+#else
|
||||||
|
+ pkcs7_size = __builtin_bswap32 (sig->sig_metadata.sig_len);
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ if (pkcs7_size > remaining_len)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ N_("File too short for PKCS#7 message"));
|
||||||
|
+
|
||||||
|
+ grub_dprintf ("appendedsig", "sig len %" PRIuGRUB_SIZE "\n", pkcs7_size);
|
||||||
|
+
|
||||||
|
+ sig->signature_len =
|
||||||
|
+ grub_strlen (magic) + sizeof (struct module_signature) + pkcs7_size;
|
||||||
|
+
|
||||||
|
+ /* rewind pointer and parse pkcs7 data */
|
||||||
|
+ appsigdata -= pkcs7_size;
|
||||||
|
+
|
||||||
|
+ err = parse_pkcs7_signedData (appsigdata, pkcs7_size, &sig->pkcs7);
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ return err;
|
||||||
|
+
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+grub_verify_appended_signature (grub_uint8_t * buf, grub_size_t bufsize)
|
||||||
|
+{
|
||||||
|
+ grub_err_t err = GRUB_ERR_NONE;
|
||||||
|
+ grub_size_t datasize;
|
||||||
|
+ void *context;
|
||||||
|
+ unsigned char *hash;
|
||||||
|
+ gcry_mpi_t hashmpi;
|
||||||
|
+ gcry_err_code_t rc;
|
||||||
|
+ struct x509_certificate *pk;
|
||||||
|
+ struct grub_appended_signature sig;
|
||||||
|
+
|
||||||
|
+ if (!grub_trusted_key)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ N_("No trusted keys to verify against"));
|
||||||
|
+
|
||||||
|
+ err = extract_appended_signature (buf, bufsize, &sig);
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ return err;
|
||||||
|
+
|
||||||
|
+ datasize = bufsize - sig.signature_len;
|
||||||
|
+
|
||||||
|
+ context = grub_zalloc (sig.pkcs7.hash->contextsize);
|
||||||
|
+ if (!context)
|
||||||
|
+ return grub_errno;
|
||||||
|
+
|
||||||
|
+ sig.pkcs7.hash->init (context);
|
||||||
|
+ sig.pkcs7.hash->write (context, buf, datasize);
|
||||||
|
+ sig.pkcs7.hash->final (context);
|
||||||
|
+ hash = sig.pkcs7.hash->read (context);
|
||||||
|
+ grub_dprintf ("appendedsig",
|
||||||
|
+ "data size %" PRIxGRUB_SIZE ", hash %02x%02x%02x%02x...\n",
|
||||||
|
+ datasize, hash[0], hash[1], hash[2], hash[3]);
|
||||||
|
+
|
||||||
|
+ err = GRUB_ERR_BAD_SIGNATURE;
|
||||||
|
+ for (pk = grub_trusted_key; pk; pk = pk->next)
|
||||||
|
+ {
|
||||||
|
+ rc = grub_crypto_rsa_pad (&hashmpi, hash, sig.pkcs7.hash, pk->mpis[0]);
|
||||||
|
+ if (rc)
|
||||||
|
+ {
|
||||||
|
+ err = grub_error (GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ N_("Error padding hash for RSA verification: %d"),
|
||||||
|
+ rc);
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ rc = _gcry_pubkey_spec_rsa.verify (0, hashmpi, &sig.pkcs7.sig_mpi,
|
||||||
|
+ pk->mpis, NULL, NULL);
|
||||||
|
+ gcry_mpi_release (hashmpi);
|
||||||
|
+
|
||||||
|
+ if (rc == 0)
|
||||||
|
+ {
|
||||||
|
+ grub_dprintf ("appendedsig", "verify with key '%s' succeeded\n",
|
||||||
|
+ pk->subject);
|
||||||
|
+ err = GRUB_ERR_NONE;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ grub_dprintf ("appendedsig", "verify with key '%s' failed with %d\n",
|
||||||
|
+ pk->subject, rc);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* If we didn't verify, provide a neat message */
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ err = grub_error (GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ N_("Failed to verify signature against a trusted key"));
|
||||||
|
+
|
||||||
|
+cleanup:
|
||||||
|
+ grub_free (context);
|
||||||
|
+ pkcs7_signedData_release (&sig.pkcs7);
|
||||||
|
+
|
||||||
|
+ return err;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+grub_cmd_verify_signature (grub_command_t cmd __attribute__((unused)),
|
||||||
|
+ int argc, char **args)
|
||||||
|
+{
|
||||||
|
+ grub_file_t f;
|
||||||
|
+ grub_err_t err = GRUB_ERR_NONE;
|
||||||
|
+ grub_uint8_t *data;
|
||||||
|
+ grub_ssize_t read_size;
|
||||||
|
+ grub_off_t file_size, total_read_size = 0;
|
||||||
|
+
|
||||||
|
+ if (argc < 1)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
|
||||||
|
+
|
||||||
|
+ grub_dprintf ("appendedsig", "verifying %s\n", args[0]);
|
||||||
|
+
|
||||||
|
+ f = grub_file_open (args[0], GRUB_FILE_TYPE_VERIFY_SIGNATURE);
|
||||||
|
+ if (!f)
|
||||||
|
+ {
|
||||||
|
+ err = grub_errno;
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ file_size = grub_file_size (f);
|
||||||
|
+ if (file_size == GRUB_FILE_SIZE_UNKNOWN)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
|
+ N_("Cannot verify the signature of a file of unknown size"));
|
||||||
|
+
|
||||||
|
+ data = grub_malloc (file_size);
|
||||||
|
+ if (!data)
|
||||||
|
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
||||||
|
+ N_("Could not allocate data buffer size "
|
||||||
|
+ PRIuGRUB_UINT64_T " for verification"), file_size);
|
||||||
|
+
|
||||||
|
+ while (total_read_size < file_size)
|
||||||
|
+ {
|
||||||
|
+ read_size =
|
||||||
|
+ grub_file_read (f, &data[total_read_size],
|
||||||
|
+ file_size - total_read_size);
|
||||||
|
+ if (read_size < 0)
|
||||||
|
+ {
|
||||||
|
+ err = grub_error (GRUB_ERR_READ_ERROR,
|
||||||
|
+ N_("Error reading file to verify"));
|
||||||
|
+ goto cleanup_data;
|
||||||
|
+ }
|
||||||
|
+ total_read_size += read_size;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ err = grub_verify_appended_signature (data, file_size);
|
||||||
|
+
|
||||||
|
+cleanup_data:
|
||||||
|
+ grub_free (data);
|
||||||
|
+cleanup:
|
||||||
|
+ if (f)
|
||||||
|
+ grub_file_close (f);
|
||||||
|
+ return err;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+grub_cmd_distrust (grub_command_t cmd __attribute__((unused)),
|
||||||
|
+ int argc, char **args)
|
||||||
|
+{
|
||||||
|
+ unsigned long cert_num, i;
|
||||||
|
+ struct x509_certificate *cert, *prev;
|
||||||
|
+
|
||||||
|
+ if (argc != 1)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("One argument expected"));
|
||||||
|
+
|
||||||
|
+ grub_errno = GRUB_ERR_NONE;
|
||||||
|
+ cert_num = grub_strtoul (args[0], NULL, 10);
|
||||||
|
+ if (grub_errno != GRUB_ERR_NONE)
|
||||||
|
+ return grub_errno;
|
||||||
|
+
|
||||||
|
+ if (cert_num < 1)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
|
+ N_("Certificate number too small - numbers start at 1"));
|
||||||
|
+
|
||||||
|
+ if (cert_num == 1)
|
||||||
|
+ {
|
||||||
|
+ cert = grub_trusted_key;
|
||||||
|
+ grub_trusted_key = cert->next;
|
||||||
|
+
|
||||||
|
+ certificate_release (cert);
|
||||||
|
+ grub_free (cert);
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+ }
|
||||||
|
+ i = 2;
|
||||||
|
+ prev = grub_trusted_key;
|
||||||
|
+ cert = grub_trusted_key->next;
|
||||||
|
+ while (cert)
|
||||||
|
+ {
|
||||||
|
+ if (i == cert_num)
|
||||||
|
+ {
|
||||||
|
+ prev->next = cert->next;
|
||||||
|
+ certificate_release (cert);
|
||||||
|
+ grub_free (cert);
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+ }
|
||||||
|
+ i++;
|
||||||
|
+ prev = cert;
|
||||||
|
+ cert = cert->next;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
|
+ N_("No certificate number %d found - only %d certificates in the store"),
|
||||||
|
+ cert_num, i - 1);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+grub_cmd_trust (grub_command_t cmd __attribute__((unused)),
|
||||||
|
+ int argc, char **args)
|
||||||
|
+{
|
||||||
|
+ grub_file_t certf;
|
||||||
|
+ struct x509_certificate *cert = NULL;
|
||||||
|
+ grub_err_t err;
|
||||||
|
+
|
||||||
|
+ if (argc != 1)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
|
||||||
|
+
|
||||||
|
+ certf = grub_file_open (args[0],
|
||||||
|
+ GRUB_FILE_TYPE_CERTIFICATE_TRUST
|
||||||
|
+ | GRUB_FILE_TYPE_NO_DECOMPRESS);
|
||||||
|
+ if (!certf)
|
||||||
|
+ return grub_errno;
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+ cert = grub_zalloc (sizeof (struct x509_certificate));
|
||||||
|
+ if (!cert)
|
||||||
|
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
||||||
|
+ N_("Could not allocate memory for certificate"));
|
||||||
|
+
|
||||||
|
+ err = read_cert_from_file (certf, cert);
|
||||||
|
+ grub_file_close (certf);
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ {
|
||||||
|
+ grub_free (cert);
|
||||||
|
+ return err;
|
||||||
|
+ }
|
||||||
|
+ grub_dprintf ("appendedsig", "Loaded certificate with CN: %s\n",
|
||||||
|
+ cert->subject);
|
||||||
|
+
|
||||||
|
+ cert->next = grub_trusted_key;
|
||||||
|
+ grub_trusted_key = cert;
|
||||||
|
+
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+grub_cmd_list (grub_command_t cmd __attribute__((unused)),
|
||||||
|
+ int argc __attribute__((unused)),
|
||||||
|
+ char **args __attribute__((unused)))
|
||||||
|
+{
|
||||||
|
+ struct x509_certificate *cert;
|
||||||
|
+ int cert_num = 1;
|
||||||
|
+ grub_size_t i;
|
||||||
|
+
|
||||||
|
+ for (cert = grub_trusted_key; cert; cert = cert->next)
|
||||||
|
+ {
|
||||||
|
+ grub_printf (N_("Certificate %d:\n"), cert_num);
|
||||||
|
+
|
||||||
|
+ grub_printf (N_("\tSerial: "));
|
||||||
|
+ for (i = 0; i < cert->serial_len - 1; i++)
|
||||||
|
+ {
|
||||||
|
+ grub_printf ("%02x:", cert->serial[i]);
|
||||||
|
+ }
|
||||||
|
+ grub_printf ("%02x\n", cert->serial[cert->serial_len - 1]);
|
||||||
|
+
|
||||||
|
+ grub_printf ("\tCN: %s\n\n", cert->subject);
|
||||||
|
+ cert_num++;
|
||||||
|
+
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+appendedsig_init (grub_file_t io, enum grub_file_type type,
|
||||||
|
+ void **context __attribute__((unused)),
|
||||||
|
+ enum grub_verify_flags *flags)
|
||||||
|
+{
|
||||||
|
+ const char *dangerous_mod;
|
||||||
|
+
|
||||||
|
+ if (!check_sigs)
|
||||||
|
+ {
|
||||||
|
+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ switch (type & GRUB_FILE_TYPE_MASK)
|
||||||
|
+ {
|
||||||
|
+ case GRUB_FILE_TYPE_GRUB_MODULE:
|
||||||
|
+ if (grub_is_dangerous_module (io))
|
||||||
|
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
|
||||||
|
+ N_("module cannot be loaded in appended signature mode: %s"),
|
||||||
|
+ io->name);
|
||||||
|
+
|
||||||
|
+ *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+
|
||||||
|
+ case GRUB_FILE_TYPE_ACPI_TABLE:
|
||||||
|
+ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
|
||||||
|
+ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+
|
||||||
|
+ case GRUB_FILE_TYPE_CERTIFICATE_TRUST:
|
||||||
|
+ /*
|
||||||
|
+ * This is a certificate to add to trusted keychain.
|
||||||
|
+ *
|
||||||
|
+ * This needs to be verified or blocked. Ideally we'd write an x509
|
||||||
|
+ * verifier, but we lack the hubris required to take this on. Instead,
|
||||||
|
+ * require that it have an appended signature.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ /* Fall through */
|
||||||
|
+
|
||||||
|
+ case GRUB_FILE_TYPE_LINUX_KERNEL:
|
||||||
|
+ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
|
||||||
|
+ case GRUB_FILE_TYPE_BSD_KERNEL:
|
||||||
|
+ case GRUB_FILE_TYPE_XNU_KERNEL:
|
||||||
|
+ case GRUB_FILE_TYPE_PLAN9_KERNEL:
|
||||||
|
+
|
||||||
|
+ dangerous_mod = grub_dangerous_module_loaded ();
|
||||||
|
+ if (dangerous_mod)
|
||||||
|
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
|
||||||
|
+ N_("cannot proceed due to dangerous module in memory: %s"),
|
||||||
|
+ dangerous_mod);
|
||||||
|
+
|
||||||
|
+ *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+
|
||||||
|
+ default:
|
||||||
|
+ /*
|
||||||
|
+ * powerpc only supports the linux loader. If you support more,
|
||||||
|
+ * (especially chain loaded binaries) make sure they're checked!
|
||||||
|
+ */
|
||||||
|
+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+appendedsig_write (void *ctxt __attribute__((unused)),
|
||||||
|
+ void *buf, grub_size_t size)
|
||||||
|
+{
|
||||||
|
+ return grub_verify_appended_signature (buf, size);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+struct grub_file_verifier grub_appendedsig_verifier = {
|
||||||
|
+ .name = "appendedsig",
|
||||||
|
+ .init = appendedsig_init,
|
||||||
|
+ .write = appendedsig_write,
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static grub_ssize_t
|
||||||
|
+pseudo_read (struct grub_file *file, char *buf, grub_size_t len)
|
||||||
|
+{
|
||||||
|
+ grub_memcpy (buf, (grub_uint8_t *) file->data + file->offset, len);
|
||||||
|
+ return len;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* Filesystem descriptor. */
|
||||||
|
+static struct grub_fs pseudo_fs = {
|
||||||
|
+ .name = "pseudo",
|
||||||
|
+ .fs_read = pseudo_read
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static grub_command_t cmd_verify, cmd_list, cmd_distrust, cmd_trust;
|
||||||
|
+
|
||||||
|
+GRUB_MOD_INIT (appendedsig)
|
||||||
|
+{
|
||||||
|
+ int rc;
|
||||||
|
+ struct grub_module_header *header;
|
||||||
|
+ const char *val;
|
||||||
|
+
|
||||||
|
+ val = grub_env_get ("check_appended_signatures");
|
||||||
|
+ grub_dprintf ("appendedsig", "check_appended_signatures='%s'\n", val);
|
||||||
|
+
|
||||||
|
+ if (val && (val[0] == '1' || val[0] == 'e'))
|
||||||
|
+ check_sigs = 1;
|
||||||
|
+ else
|
||||||
|
+ check_sigs = 0;
|
||||||
|
+
|
||||||
|
+ grub_trusted_key = NULL;
|
||||||
|
+
|
||||||
|
+ grub_register_variable_hook ("check_appended_signatures", 0,
|
||||||
|
+ grub_env_write_sec);
|
||||||
|
+ grub_env_export ("check_appended_signatures");
|
||||||
|
+
|
||||||
|
+ rc = asn1_init ();
|
||||||
|
+ if (rc)
|
||||||
|
+ grub_fatal ("Error initing ASN.1 data structures: %d: %s\n", rc,
|
||||||
|
+ asn1_strerror (rc));
|
||||||
|
+
|
||||||
|
+ FOR_MODULES (header)
|
||||||
|
+ {
|
||||||
|
+ struct grub_file pseudo_file;
|
||||||
|
+ struct x509_certificate *pk = NULL;
|
||||||
|
+ grub_err_t err;
|
||||||
|
+
|
||||||
|
+ /* Not an ELF module, skip. */
|
||||||
|
+ if (header->type != OBJ_TYPE_X509_PUBKEY)
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
+ grub_memset (&pseudo_file, 0, sizeof (pseudo_file));
|
||||||
|
+ pseudo_file.fs = &pseudo_fs;
|
||||||
|
+ pseudo_file.size = header->size - sizeof (struct grub_module_header);
|
||||||
|
+ pseudo_file.data = (char *) header + sizeof (struct grub_module_header);
|
||||||
|
+
|
||||||
|
+ grub_dprintf ("appendedsig",
|
||||||
|
+ "Found an x509 key, size=%" PRIuGRUB_UINT64_T "\n",
|
||||||
|
+ pseudo_file.size);
|
||||||
|
+
|
||||||
|
+ pk = grub_zalloc (sizeof (struct x509_certificate));
|
||||||
|
+ if (!pk)
|
||||||
|
+ {
|
||||||
|
+ grub_fatal ("Out of memory loading initial certificates");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ err = read_cert_from_file (&pseudo_file, pk);
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ grub_fatal ("Error loading initial key: %s", grub_errmsg);
|
||||||
|
+
|
||||||
|
+ grub_dprintf ("appendedsig", "loaded certificate CN='%s'\n", pk->subject);
|
||||||
|
+
|
||||||
|
+ pk->next = grub_trusted_key;
|
||||||
|
+ grub_trusted_key = pk;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!val || val[0] == '\0')
|
||||||
|
+ {
|
||||||
|
+ grub_env_set ("check_appended_signatures",
|
||||||
|
+ grub_trusted_key ? "enforce" : "no");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ cmd_trust =
|
||||||
|
+ grub_register_command ("trust_certificate", grub_cmd_trust,
|
||||||
|
+ N_("X509_CERTIFICATE"),
|
||||||
|
+ N_("Add X509_CERTIFICATE to trusted certificates."));
|
||||||
|
+ cmd_list =
|
||||||
|
+ grub_register_command ("list_certificates", grub_cmd_list, 0,
|
||||||
|
+ N_("Show the list of trusted x509 certificates."));
|
||||||
|
+ cmd_verify =
|
||||||
|
+ grub_register_command ("verify_appended", grub_cmd_verify_signature,
|
||||||
|
+ N_("FILE"),
|
||||||
|
+ N_("Verify FILE against the trusted x509 certificates."));
|
||||||
|
+ cmd_distrust =
|
||||||
|
+ grub_register_command ("distrust_certificate", grub_cmd_distrust,
|
||||||
|
+ N_("CERT_NUMBER"),
|
||||||
|
+ N_("Remove CERT_NUMBER (as listed by list_certificates) from trusted certificates."));
|
||||||
|
+
|
||||||
|
+ grub_verifier_register (&grub_appendedsig_verifier);
|
||||||
|
+ grub_dl_set_persistent (mod);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+GRUB_MOD_FINI (appendedsig)
|
||||||
|
+{
|
||||||
|
+ /*
|
||||||
|
+ * grub_dl_set_persistent should prevent this from actually running, but
|
||||||
|
+ * it does still run under emu.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ grub_verifier_unregister (&grub_appendedsig_verifier);
|
||||||
|
+ grub_unregister_command (cmd_verify);
|
||||||
|
+ grub_unregister_command (cmd_list);
|
||||||
|
+ grub_unregister_command (cmd_trust);
|
||||||
|
+ grub_unregister_command (cmd_distrust);
|
||||||
|
+}
|
||||||
|
diff --git a/include/grub/file.h b/include/grub/file.h
|
||||||
|
index 31567483ccf..96827a4f896 100644
|
||||||
|
--- a/include/grub/file.h
|
||||||
|
+++ b/include/grub/file.h
|
||||||
|
@@ -80,6 +80,8 @@ enum grub_file_type
|
||||||
|
GRUB_FILE_TYPE_PUBLIC_KEY,
|
||||||
|
/* File holding public key to add to trused keys. */
|
||||||
|
GRUB_FILE_TYPE_PUBLIC_KEY_TRUST,
|
||||||
|
+ /* File holding x509 certificiate to add to trusted keys. */
|
||||||
|
+ GRUB_FILE_TYPE_CERTIFICATE_TRUST,
|
||||||
|
/* File of which we intend to print a blocklist to the user. */
|
||||||
|
GRUB_FILE_TYPE_PRINT_BLOCKLIST,
|
||||||
|
/* File we intend to use for test loading or testing speed. */
|
897
0302-appended-signatures-verification-tests.patch
Normal file
897
0302-appended-signatures-verification-tests.patch
Normal file
@ -0,0 +1,897 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Thu, 30 Jul 2020 01:31:02 +1000
|
||||||
|
Subject: [PATCH] appended signatures: verification tests
|
||||||
|
|
||||||
|
These tests are run through all_functional_test and test a range
|
||||||
|
of commands and behaviours.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/Makefile.core.def | 6 +
|
||||||
|
grub-core/tests/appended_signature_test.c | 281 +++++++++++++++
|
||||||
|
grub-core/tests/lib/functional_test.c | 1 +
|
||||||
|
grub-core/tests/appended_signatures.h | 557 ++++++++++++++++++++++++++++++
|
||||||
|
4 files changed, 845 insertions(+)
|
||||||
|
create mode 100644 grub-core/tests/appended_signature_test.c
|
||||||
|
create mode 100644 grub-core/tests/appended_signatures.h
|
||||||
|
|
||||||
|
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||||
|
index 30bd9a4a587..640de1b299b 100644
|
||||||
|
--- a/grub-core/Makefile.core.def
|
||||||
|
+++ b/grub-core/Makefile.core.def
|
||||||
|
@@ -2138,6 +2138,12 @@ module = {
|
||||||
|
common = tests/setjmp_test.c;
|
||||||
|
};
|
||||||
|
|
||||||
|
+module = {
|
||||||
|
+ name = appended_signature_test;
|
||||||
|
+ common = tests/appended_signature_test.c;
|
||||||
|
+ common = tests/appended_signatures.h;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
module = {
|
||||||
|
name = signature_test;
|
||||||
|
common = tests/signature_test.c;
|
||||||
|
diff --git a/grub-core/tests/appended_signature_test.c b/grub-core/tests/appended_signature_test.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..88a485200d8
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/grub-core/tests/appended_signature_test.c
|
||||||
|
@@ -0,0 +1,281 @@
|
||||||
|
+/*
|
||||||
|
+ * GRUB -- GRand Unified Bootloader
|
||||||
|
+ * Copyright (C) 2020 IBM Corporation.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is free software: you can redistribute it and/or modify
|
||||||
|
+ * it under the terms of the GNU General Public License as published by
|
||||||
|
+ * the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+ * (at your option) any later version.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is distributed in the hope that it will be useful,
|
||||||
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+ * GNU General Public License for more details.
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU General Public License
|
||||||
|
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include <grub/time.h>
|
||||||
|
+#include <grub/misc.h>
|
||||||
|
+#include <grub/dl.h>
|
||||||
|
+#include <grub/command.h>
|
||||||
|
+#include <grub/env.h>
|
||||||
|
+#include <grub/test.h>
|
||||||
|
+#include <grub/mm.h>
|
||||||
|
+#include <grub/procfs.h>
|
||||||
|
+#include <grub/file.h>
|
||||||
|
+
|
||||||
|
+#include "appended_signatures.h"
|
||||||
|
+
|
||||||
|
+GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
+
|
||||||
|
+#define DEFINE_TEST_CASE(case_name) \
|
||||||
|
+static char * \
|
||||||
|
+get_ ## case_name (grub_size_t *sz) \
|
||||||
|
+{ \
|
||||||
|
+ char *ret; \
|
||||||
|
+ *sz = case_name ## _len; \
|
||||||
|
+ ret = grub_malloc (*sz); \
|
||||||
|
+ if (ret) \
|
||||||
|
+ grub_memcpy (ret, case_name, *sz); \
|
||||||
|
+ return ret; \
|
||||||
|
+} \
|
||||||
|
+\
|
||||||
|
+static struct grub_procfs_entry case_name ## _entry = \
|
||||||
|
+{ \
|
||||||
|
+ .name = #case_name, \
|
||||||
|
+ .get_contents = get_ ## case_name \
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#define DO_TEST(case_name, is_valid) \
|
||||||
|
+{ \
|
||||||
|
+ grub_procfs_register (#case_name, &case_name ## _entry); \
|
||||||
|
+ do_verify ("(proc)/" #case_name, is_valid); \
|
||||||
|
+ grub_procfs_unregister (&case_name ## _entry); \
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+DEFINE_TEST_CASE (hi_signed);
|
||||||
|
+DEFINE_TEST_CASE (hi_signed_sha256);
|
||||||
|
+DEFINE_TEST_CASE (hj_signed);
|
||||||
|
+DEFINE_TEST_CASE (short_msg);
|
||||||
|
+DEFINE_TEST_CASE (unsigned_msg);
|
||||||
|
+DEFINE_TEST_CASE (hi_signed_2nd);
|
||||||
|
+
|
||||||
|
+static char *
|
||||||
|
+get_certificate_der (grub_size_t * sz)
|
||||||
|
+{
|
||||||
|
+ char *ret;
|
||||||
|
+ *sz = certificate_der_len;
|
||||||
|
+ ret = grub_malloc (*sz);
|
||||||
|
+ if (ret)
|
||||||
|
+ grub_memcpy (ret, certificate_der, *sz);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static struct grub_procfs_entry certificate_der_entry = {
|
||||||
|
+ .name = "certificate.der",
|
||||||
|
+ .get_contents = get_certificate_der
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static char *
|
||||||
|
+get_certificate2_der (grub_size_t * sz)
|
||||||
|
+{
|
||||||
|
+ char *ret;
|
||||||
|
+ *sz = certificate2_der_len;
|
||||||
|
+ ret = grub_malloc (*sz);
|
||||||
|
+ if (ret)
|
||||||
|
+ grub_memcpy (ret, certificate2_der, *sz);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static struct grub_procfs_entry certificate2_der_entry = {
|
||||||
|
+ .name = "certificate2.der",
|
||||||
|
+ .get_contents = get_certificate2_der
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static char *
|
||||||
|
+get_certificate_printable_der (grub_size_t * sz)
|
||||||
|
+{
|
||||||
|
+ char *ret;
|
||||||
|
+ *sz = certificate_printable_der_len;
|
||||||
|
+ ret = grub_malloc (*sz);
|
||||||
|
+ if (ret)
|
||||||
|
+ grub_memcpy (ret, certificate_printable_der, *sz);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static struct grub_procfs_entry certificate_printable_der_entry = {
|
||||||
|
+ .name = "certificate_printable.der",
|
||||||
|
+ .get_contents = get_certificate_printable_der
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+do_verify (const char *f, int is_valid)
|
||||||
|
+{
|
||||||
|
+ grub_command_t cmd;
|
||||||
|
+ char *args[] = { (char *) f, NULL };
|
||||||
|
+ grub_err_t err;
|
||||||
|
+
|
||||||
|
+ cmd = grub_command_find ("verify_appended");
|
||||||
|
+ if (!cmd)
|
||||||
|
+ {
|
||||||
|
+ grub_test_assert (0, "can't find command `%s'", "verify_appended");
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ err = (cmd->func) (cmd, 1, args);
|
||||||
|
+ if (is_valid)
|
||||||
|
+ {
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "verification of %s failed: %d: %s", f, grub_errno,
|
||||||
|
+ grub_errmsg);
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ "verification of %s unexpectedly succeeded", f);
|
||||||
|
+ }
|
||||||
|
+ grub_errno = GRUB_ERR_NONE;
|
||||||
|
+
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+appended_signature_test (void)
|
||||||
|
+{
|
||||||
|
+ grub_command_t cmd_trust, cmd_distrust;
|
||||||
|
+ char *trust_args[] = { (char *) "(proc)/certificate.der", NULL };
|
||||||
|
+ char *trust_args2[] = { (char *) "(proc)/certificate2.der", NULL };
|
||||||
|
+ char *trust_args_printable[] = { (char *) "(proc)/certificate_printable.der",
|
||||||
|
+ NULL };
|
||||||
|
+ char *distrust_args[] = { (char *) "1", NULL };
|
||||||
|
+ char *distrust2_args[] = { (char *) "2", NULL };
|
||||||
|
+ grub_err_t err;
|
||||||
|
+
|
||||||
|
+ grub_procfs_register ("certificate.der", &certificate_der_entry);
|
||||||
|
+ grub_procfs_register ("certificate2.der", &certificate2_der_entry);
|
||||||
|
+ grub_procfs_register ("certificate_printable.der",
|
||||||
|
+ &certificate_printable_der_entry);
|
||||||
|
+
|
||||||
|
+ cmd_trust = grub_command_find ("trust_certificate");
|
||||||
|
+ if (!cmd_trust)
|
||||||
|
+ {
|
||||||
|
+ grub_test_assert (0, "can't find command `%s'", "trust_certificate");
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ err = (cmd_trust->func) (cmd_trust, 1, trust_args);
|
||||||
|
+
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "loading certificate failed: %d: %s", grub_errno,
|
||||||
|
+ grub_errmsg);
|
||||||
|
+
|
||||||
|
+ /* If we have no certificate the remainder of the tests are meaningless */
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Reload the command: this works around some 'interesting' behaviour in the
|
||||||
|
+ * dynamic command dispatcher. The first time you call cmd->func you get a
|
||||||
|
+ * dispatcher that loads the module, finds the real cmd, calls it, and then
|
||||||
|
+ * releases some internal storage. This means it's not safe to call a second
|
||||||
|
+ * time and we need to reload it.
|
||||||
|
+ */
|
||||||
|
+ cmd_trust = grub_command_find ("trust_certificate");
|
||||||
|
+
|
||||||
|
+ DO_TEST (hi_signed, 1);
|
||||||
|
+ DO_TEST (hi_signed_sha256, 1);
|
||||||
|
+ DO_TEST (hj_signed, 0);
|
||||||
|
+ DO_TEST (short_msg, 0);
|
||||||
|
+ DO_TEST (unsigned_msg, 0);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * in enforcing mode, we shouldn't be able to load a certificate that isn't
|
||||||
|
+ * signed by an existing trusted key.
|
||||||
|
+ *
|
||||||
|
+ * However, procfs files automatically skip the verification test, so we can't
|
||||||
|
+ * easily test this.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * verify that testing with 2 trusted certs works
|
||||||
|
+ */
|
||||||
|
+ DO_TEST (hi_signed_2nd, 0);
|
||||||
|
+
|
||||||
|
+ err = (cmd_trust->func) (cmd_trust, 1, trust_args2);
|
||||||
|
+
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "loading certificate 2 failed: %d: %s", grub_errno,
|
||||||
|
+ grub_errmsg);
|
||||||
|
+
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ DO_TEST (hi_signed_2nd, 1);
|
||||||
|
+ DO_TEST (hi_signed, 1);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Check certificate removal. They're added to the _top_ of the list and
|
||||||
|
+ * removed by position in the list. Current the list looks like [#2, #1].
|
||||||
|
+ *
|
||||||
|
+ * First test removing the second certificate in the list, which is
|
||||||
|
+ * certificate #1, giving us just [#2].
|
||||||
|
+ */
|
||||||
|
+ cmd_distrust = grub_command_find ("distrust_certificate");
|
||||||
|
+ if (!cmd_distrust)
|
||||||
|
+ {
|
||||||
|
+ grub_test_assert (0, "can't find command `%s'", "distrust_certificate");
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ err = (cmd_distrust->func) (cmd_distrust, 1, distrust2_args);
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "distrusting certificate 1 failed: %d: %s", grub_errno,
|
||||||
|
+ grub_errmsg);
|
||||||
|
+ DO_TEST (hi_signed_2nd, 1);
|
||||||
|
+ DO_TEST (hi_signed, 0);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Now reload certificate #1. This will make the list look like [#1, #2]
|
||||||
|
+ */
|
||||||
|
+ err = (cmd_trust->func) (cmd_trust, 1, trust_args);
|
||||||
|
+
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "reloading certificate 1 failed: %d: %s", grub_errno,
|
||||||
|
+ grub_errmsg);
|
||||||
|
+ DO_TEST (hi_signed, 1);
|
||||||
|
+
|
||||||
|
+ /* Remove the first certificate in the list, giving us just [#2] */
|
||||||
|
+ err = (cmd_distrust->func) (cmd_distrust, 1, distrust_args);
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "distrusting certificate 1 (first time) failed: %d: %s",
|
||||||
|
+ grub_errno, grub_errmsg);
|
||||||
|
+ DO_TEST (hi_signed_2nd, 1);
|
||||||
|
+ DO_TEST (hi_signed, 0);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Remove the first certificate again, giving an empty list.
|
||||||
|
+ *
|
||||||
|
+ * verify_appended should fail if there are no certificates to verify against.
|
||||||
|
+ */
|
||||||
|
+ err = (cmd_distrust->func) (cmd_distrust, 1, distrust_args);
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "distrusting certificate 1 (second time) failed: %d: %s",
|
||||||
|
+ grub_errno, grub_errmsg);
|
||||||
|
+ DO_TEST (hi_signed_2nd, 0);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Lastly, check a certificate that uses printableString rather than
|
||||||
|
+ * utf8String loads properly.
|
||||||
|
+ */
|
||||||
|
+ err = (cmd_trust->func) (cmd_trust, 1, trust_args_printable);
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "distrusting printable certificate failed: %d: %s",
|
||||||
|
+ grub_errno, grub_errmsg);
|
||||||
|
+
|
||||||
|
+ grub_procfs_unregister (&certificate_der_entry);
|
||||||
|
+ grub_procfs_unregister (&certificate2_der_entry);
|
||||||
|
+ grub_procfs_unregister (&certificate_printable_der_entry);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+GRUB_FUNCTIONAL_TEST (appended_signature_test, appended_signature_test);
|
||||||
|
diff --git a/grub-core/tests/lib/functional_test.c b/grub-core/tests/lib/functional_test.c
|
||||||
|
index 96781fb39b5..403fa5c789a 100644
|
||||||
|
--- a/grub-core/tests/lib/functional_test.c
|
||||||
|
+++ b/grub-core/tests/lib/functional_test.c
|
||||||
|
@@ -73,6 +73,7 @@ grub_functional_all_tests (grub_extcmd_context_t ctxt __attribute__ ((unused)),
|
||||||
|
grub_dl_load ("xnu_uuid_test");
|
||||||
|
grub_dl_load ("pbkdf2_test");
|
||||||
|
grub_dl_load ("signature_test");
|
||||||
|
+ grub_dl_load ("appended_signature_test");
|
||||||
|
grub_dl_load ("sleep_test");
|
||||||
|
grub_dl_load ("bswap_test");
|
||||||
|
grub_dl_load ("ctz_test");
|
||||||
|
diff --git a/grub-core/tests/appended_signatures.h b/grub-core/tests/appended_signatures.h
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..aa3dc6278e3
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/grub-core/tests/appended_signatures.h
|
||||||
|
@@ -0,0 +1,557 @@
|
||||||
|
+unsigned char certificate_der[] = {
|
||||||
|
+ 0x30, 0x82, 0x03, 0x88, 0x30, 0x82, 0x02, 0x70, 0xa0, 0x03, 0x02, 0x01,
|
||||||
|
+ 0x02, 0x02, 0x14, 0x25, 0x2e, 0xb8, 0xfd, 0x12, 0x62, 0x2e, 0xcd, 0x5d,
|
||||||
|
+ 0xa7, 0x53, 0xd2, 0x0b, 0xc2, 0x61, 0x7c, 0x14, 0xe0, 0x0f, 0x5c, 0x30,
|
||||||
|
+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
|
||||||
|
+ 0x05, 0x00, 0x30, 0x49, 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04,
|
||||||
|
+ 0x03, 0x0c, 0x1f, 0x47, 0x72, 0x75, 0x62, 0x20, 0x41, 0x70, 0x70, 0x65,
|
||||||
|
+ 0x6e, 0x64, 0x65, 0x64, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75,
|
||||||
|
+ 0x72, 0x65, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1d,
|
||||||
|
+ 0x30, 0x1b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09,
|
||||||
|
+ 0x01, 0x16, 0x0e, 0x64, 0x6a, 0x61, 0x40, 0x61, 0x78, 0x74, 0x65, 0x6e,
|
||||||
|
+ 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x30, 0x30,
|
||||||
|
+ 0x37, 0x30, 0x39, 0x30, 0x36, 0x32, 0x32, 0x30, 0x37, 0x5a, 0x18, 0x0f,
|
||||||
|
+ 0x32, 0x31, 0x32, 0x30, 0x30, 0x36, 0x31, 0x35, 0x30, 0x36, 0x32, 0x32,
|
||||||
|
+ 0x30, 0x37, 0x5a, 0x30, 0x52, 0x31, 0x31, 0x30, 0x2f, 0x06, 0x03, 0x55,
|
||||||
|
+ 0x04, 0x03, 0x0c, 0x28, 0x47, 0x72, 0x75, 0x62, 0x20, 0x41, 0x70, 0x70,
|
||||||
|
+ 0x65, 0x6e, 0x64, 0x65, 0x64, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74,
|
||||||
|
+ 0x75, 0x72, 0x65, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x69, 0x67,
|
||||||
|
+ 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x4b, 0x65, 0x79, 0x31, 0x1d, 0x30, 0x1b,
|
||||||
|
+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16,
|
||||||
|
+ 0x0e, 0x64, 0x6a, 0x61, 0x40, 0x61, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x2e,
|
||||||
|
+ 0x6e, 0x65, 0x74, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
|
||||||
|
+ 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82,
|
||||||
|
+ 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
|
||||||
|
+ 0xcd, 0xe8, 0x1c, 0x08, 0x68, 0x2e, 0xcb, 0xfe, 0x8c, 0x4b, 0x3b, 0x61,
|
||||||
|
+ 0xe7, 0x8e, 0x80, 0x58, 0x85, 0x85, 0xea, 0xc8, 0x3b, 0x42, 0xba, 0x72,
|
||||||
|
+ 0x84, 0x65, 0x20, 0xbc, 0x48, 0xa2, 0x25, 0x49, 0x6e, 0x1c, 0xb9, 0x7d,
|
||||||
|
+ 0xeb, 0xc1, 0x0c, 0xa8, 0xb7, 0xcc, 0x13, 0x78, 0xba, 0x11, 0xa4, 0x98,
|
||||||
|
+ 0xd7, 0xd0, 0x7c, 0xdd, 0xf5, 0x5a, 0xb7, 0xcd, 0x31, 0x0e, 0xcd, 0x9e,
|
||||||
|
+ 0xa7, 0x19, 0xf0, 0xbd, 0x0f, 0xa6, 0xfe, 0x8a, 0x11, 0x97, 0xed, 0x8b,
|
||||||
|
+ 0xe5, 0x16, 0xa6, 0x21, 0x13, 0x36, 0xad, 0x05, 0x49, 0xec, 0x29, 0x12,
|
||||||
|
+ 0x38, 0xa7, 0x4b, 0x0f, 0xa1, 0xfb, 0x72, 0xc0, 0xc0, 0x09, 0x67, 0x78,
|
||||||
|
+ 0xa8, 0xb6, 0xd6, 0x1a, 0x39, 0xc0, 0xa8, 0xbf, 0x5f, 0x14, 0x89, 0x5c,
|
||||||
|
+ 0xbc, 0x41, 0x0c, 0x0c, 0x5d, 0x42, 0x2e, 0x1c, 0xdf, 0x1f, 0x1d, 0xc9,
|
||||||
|
+ 0x43, 0x94, 0x5b, 0x6e, 0x8f, 0x15, 0x8c, 0x8f, 0x94, 0x73, 0x4f, 0x97,
|
||||||
|
+ 0x54, 0xf1, 0x86, 0x8a, 0xbc, 0xe4, 0xe4, 0x93, 0xc1, 0x5e, 0xc2, 0x3e,
|
||||||
|
+ 0x31, 0x5e, 0xd4, 0x85, 0x57, 0x14, 0xd0, 0x11, 0x07, 0x65, 0xf4, 0x7c,
|
||||||
|
+ 0x8f, 0x07, 0x57, 0xe1, 0x22, 0xd4, 0x78, 0x47, 0x65, 0x4e, 0xa9, 0xb3,
|
||||||
|
+ 0xaa, 0xce, 0xc7, 0x36, 0xfe, 0xda, 0x66, 0x02, 0xb6, 0x8d, 0x18, 0x2f,
|
||||||
|
+ 0x3b, 0x41, 0x8d, 0x02, 0x08, 0x72, 0x4b, 0x69, 0xbd, 0x1e, 0x58, 0xfc,
|
||||||
|
+ 0x1b, 0x64, 0x04, 0x52, 0x35, 0x35, 0xe2, 0x3d, 0x3e, 0xde, 0xd6, 0x64,
|
||||||
|
+ 0xf4, 0xec, 0x57, 0x7e, 0x65, 0x59, 0x00, 0xa6, 0xd3, 0x4b, 0x09, 0x93,
|
||||||
|
+ 0x2a, 0x95, 0x0f, 0x30, 0xb6, 0xa1, 0x8c, 0xe7, 0x8b, 0x49, 0xa4, 0x1d,
|
||||||
|
+ 0x25, 0x2d, 0x65, 0x48, 0x8a, 0x0f, 0xcf, 0x2a, 0xa2, 0xe1, 0xef, 0x72,
|
||||||
|
+ 0x92, 0xc3, 0xf5, 0x21, 0x37, 0x83, 0x9b, 0x6d, 0x0b, 0x1b, 0xb3, 0xa2,
|
||||||
|
+ 0x32, 0x38, 0x11, 0xb1, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x5d, 0x30,
|
||||||
|
+ 0x5b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
|
||||||
|
+ 0x02, 0x30, 0x00, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04,
|
||||||
|
+ 0x03, 0x02, 0x07, 0x80, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04,
|
||||||
|
+ 0x16, 0x04, 0x14, 0xe5, 0x2a, 0x4f, 0xf2, 0x84, 0x91, 0x57, 0x91, 0xaf,
|
||||||
|
+ 0x12, 0xd2, 0xf1, 0xa1, 0x87, 0x73, 0x0f, 0x90, 0x25, 0xa0, 0x7a, 0x30,
|
||||||
|
+ 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
|
||||||
|
+ 0x56, 0xd1, 0xfd, 0xe2, 0x1e, 0x7e, 0x1c, 0x63, 0x4f, 0x47, 0xdb, 0xe4,
|
||||||
|
+ 0xc4, 0x51, 0x04, 0x03, 0x9a, 0x48, 0x35, 0x6e, 0x30, 0x0d, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
|
||||||
|
+ 0x82, 0x01, 0x01, 0x00, 0x65, 0x82, 0xd5, 0x88, 0x30, 0xe2, 0x2c, 0x47,
|
||||||
|
+ 0xf3, 0x31, 0x39, 0xa1, 0x75, 0x9a, 0xb0, 0x8a, 0x6c, 0x4b, 0xac, 0xdf,
|
||||||
|
+ 0x09, 0x7b, 0x90, 0xb6, 0x9e, 0x76, 0x62, 0x94, 0xc1, 0x3a, 0x99, 0x49,
|
||||||
|
+ 0x68, 0x29, 0x47, 0x42, 0xc3, 0x06, 0xcb, 0x88, 0x75, 0xe6, 0x79, 0x13,
|
||||||
|
+ 0x8c, 0x4b, 0x49, 0x6a, 0xb5, 0x56, 0x95, 0xc0, 0x42, 0x21, 0x9b, 0xd4,
|
||||||
|
+ 0x61, 0xd0, 0x02, 0x41, 0xdd, 0x20, 0x61, 0xe5, 0x91, 0xdf, 0x75, 0x00,
|
||||||
|
+ 0x25, 0x0e, 0x99, 0x65, 0x5c, 0x54, 0x49, 0x32, 0xa3, 0xe2, 0xcd, 0xa1,
|
||||||
|
+ 0x5f, 0x40, 0xf3, 0xc5, 0x81, 0xd9, 0x3c, 0xa3, 0x63, 0x5a, 0x38, 0x79,
|
||||||
|
+ 0xab, 0x77, 0x98, 0xde, 0x8f, 0x4e, 0x9e, 0x26, 0xbc, 0x4e, 0x80, 0x9e,
|
||||||
|
+ 0x8f, 0xbe, 0xf1, 0x00, 0xb3, 0x78, 0xb9, 0x4b, 0x1d, 0xc7, 0xa4, 0x83,
|
||||||
|
+ 0x59, 0x56, 0x11, 0xd1, 0x11, 0x1e, 0x50, 0x39, 0xd5, 0x78, 0x14, 0xf3,
|
||||||
|
+ 0xb9, 0x1d, 0xda, 0xe4, 0xc4, 0x63, 0x74, 0x26, 0xab, 0xa3, 0xfd, 0x9d,
|
||||||
|
+ 0x58, 0xa2, 0xee, 0x7b, 0x28, 0x34, 0xa3, 0xbe, 0x85, 0x7e, 0xaa, 0x97,
|
||||||
|
+ 0xb7, 0x5b, 0x9d, 0xa9, 0x4d, 0x96, 0xdb, 0x6b, 0x21, 0xe1, 0x96, 0x5d,
|
||||||
|
+ 0xc7, 0xad, 0x23, 0x03, 0x9a, 0x16, 0xdb, 0xa4, 0x1f, 0x63, 0xef, 0xaf,
|
||||||
|
+ 0x1e, 0x4f, 0xf8, 0x27, 0xdc, 0x4b, 0xfc, 0x2b, 0x68, 0x2e, 0xa0, 0xd3,
|
||||||
|
+ 0xae, 0xf2, 0xce, 0xf5, 0xfc, 0x97, 0x92, 0xd2, 0x29, 0x0f, 0x4f, 0x4b,
|
||||||
|
+ 0x29, 0xeb, 0x06, 0xcb, 0xf8, 0x21, 0x6e, 0xbc, 0x8b, 0x5c, 0xc5, 0xc9,
|
||||||
|
+ 0xf7, 0xe2, 0x7c, 0x47, 0xcd, 0x43, 0x98, 0xc4, 0xa3, 0x9a, 0xd7, 0x3e,
|
||||||
|
+ 0xdc, 0x01, 0x13, 0x28, 0x96, 0xc4, 0x60, 0x83, 0xe2, 0x79, 0xa1, 0x46,
|
||||||
|
+ 0xef, 0xf5, 0xa4, 0x7b, 0x00, 0xe3, 0x3d, 0x7d, 0xbc, 0xa8, 0x98, 0x49,
|
||||||
|
+ 0xa8, 0xcf, 0x3b, 0x41, 0xb6, 0x09, 0x97, 0x07
|
||||||
|
+};
|
||||||
|
+unsigned int certificate_der_len = 908;
|
||||||
|
+
|
||||||
|
+unsigned char hi_signed[] = {
|
||||||
|
+ 0x68, 0x69, 0x0a, 0x30, 0x82, 0x01, 0xc0, 0x06, 0x09, 0x2a, 0x86, 0x48,
|
||||||
|
+ 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x01, 0xb1, 0x30, 0x82,
|
||||||
|
+ 0x01, 0xad, 0x02, 0x01, 0x01, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09, 0x60,
|
||||||
|
+ 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x30, 0x0b, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x31, 0x82, 0x01,
|
||||||
|
+ 0x8a, 0x30, 0x82, 0x01, 0x86, 0x02, 0x01, 0x01, 0x30, 0x61, 0x30, 0x49,
|
||||||
|
+ 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1f, 0x47,
|
||||||
|
+ 0x72, 0x75, 0x62, 0x20, 0x41, 0x70, 0x70, 0x65, 0x6e, 0x64, 0x65, 0x64,
|
||||||
|
+ 0x20, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x20, 0x54,
|
||||||
|
+ 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1d, 0x30, 0x1b, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x0e, 0x64,
|
||||||
|
+ 0x6a, 0x61, 0x40, 0x61, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x2e, 0x6e, 0x65,
|
||||||
|
+ 0x74, 0x02, 0x14, 0x25, 0x2e, 0xb8, 0xfd, 0x12, 0x62, 0x2e, 0xcd, 0x5d,
|
||||||
|
+ 0xa7, 0x53, 0xd2, 0x0b, 0xc2, 0x61, 0x7c, 0x14, 0xe0, 0x0f, 0x5c, 0x30,
|
||||||
|
+ 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
|
||||||
|
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
||||||
|
+ 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xc7, 0x69, 0x35, 0x21, 0x66,
|
||||||
|
+ 0x4d, 0x50, 0xd4, 0x73, 0xde, 0xbd, 0x3a, 0xf6, 0x45, 0xe3, 0xe4, 0xd0,
|
||||||
|
+ 0xb6, 0xa1, 0xe7, 0xc0, 0xa2, 0xc9, 0xf4, 0xf0, 0x05, 0x8c, 0xa4, 0x16,
|
||||||
|
+ 0x9e, 0x81, 0x0d, 0x21, 0x68, 0xf3, 0xfe, 0x03, 0x96, 0x77, 0x31, 0x69,
|
||||||
|
+ 0x01, 0xd8, 0x26, 0xd9, 0x48, 0x95, 0xcf, 0xd1, 0x17, 0xb1, 0x0b, 0x6b,
|
||||||
|
+ 0x2c, 0xf1, 0xb0, 0xab, 0x65, 0x65, 0x56, 0xf8, 0x0c, 0xa7, 0xf7, 0xbb,
|
||||||
|
+ 0xf6, 0x5a, 0x55, 0x98, 0x14, 0x07, 0x8d, 0x2a, 0xbc, 0x16, 0x48, 0x94,
|
||||||
|
+ 0xab, 0x2f, 0x85, 0x97, 0x90, 0x51, 0x78, 0xa0, 0xda, 0x60, 0xb5, 0x41,
|
||||||
|
+ 0x4b, 0xe8, 0x78, 0xc5, 0xa6, 0x04, 0x9d, 0x54, 0x2a, 0x85, 0xfd, 0x86,
|
||||||
|
+ 0x0b, 0x6d, 0xc2, 0xd2, 0xad, 0x07, 0xff, 0x16, 0x42, 0x82, 0xe3, 0x5c,
|
||||||
|
+ 0xaa, 0x22, 0x59, 0x78, 0x92, 0xea, 0x94, 0xc3, 0x41, 0xb7, 0xa1, 0x86,
|
||||||
|
+ 0x44, 0xea, 0xd1, 0xdb, 0xe5, 0xac, 0x30, 0x32, 0xfb, 0x7d, 0x3f, 0xf7,
|
||||||
|
+ 0x8b, 0x11, 0x7f, 0x80, 0x3b, 0xe5, 0xc7, 0x82, 0x0f, 0x92, 0x07, 0x14,
|
||||||
|
+ 0x66, 0x01, 0x6e, 0x85, 0xab, 0x3a, 0x14, 0xcf, 0x76, 0xd1, 0x7e, 0x14,
|
||||||
|
+ 0x85, 0xca, 0x01, 0x73, 0x72, 0x38, 0xdc, 0xde, 0x30, 0x5c, 0xfb, 0xc0,
|
||||||
|
+ 0x3d, 0x93, 0xef, 0x9c, 0xbc, 0xf8, 0xcc, 0xd2, 0xbf, 0x47, 0xec, 0xf8,
|
||||||
|
+ 0x88, 0x9b, 0xe1, 0x43, 0xbe, 0xa7, 0x47, 0x96, 0xb6, 0x5d, 0x46, 0x0e,
|
||||||
|
+ 0x7a, 0x78, 0x38, 0x19, 0xbc, 0xb5, 0xbc, 0x9b, 0x3c, 0x39, 0x92, 0x70,
|
||||||
|
+ 0x0d, 0x9d, 0x8a, 0x35, 0xaf, 0xb4, 0x9e, 0xf4, 0xef, 0xc1, 0xb8, 0x25,
|
||||||
|
+ 0xd0, 0x14, 0x91, 0xd6, 0xc2, 0xb6, 0xc7, 0x3c, 0x72, 0x91, 0x0f, 0xad,
|
||||||
|
+ 0xde, 0xb2, 0x36, 0xf8, 0x4e, 0x59, 0xd4, 0xa4, 0x21, 0x9f, 0x03, 0x95,
|
||||||
|
+ 0x48, 0x01, 0xb4, 0x05, 0xc3, 0x39, 0x60, 0x51, 0x08, 0xd0, 0xbe, 0x00,
|
||||||
|
+ 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc4, 0x7e,
|
||||||
|
+ 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x61,
|
||||||
|
+ 0x74, 0x75, 0x72, 0x65, 0x20, 0x61, 0x70, 0x70, 0x65, 0x6e, 0x64, 0x65,
|
||||||
|
+ 0x64, 0x7e, 0x0a
|
||||||
|
+};
|
||||||
|
+unsigned int hi_signed_len = 495;
|
||||||
|
+
|
||||||
|
+unsigned char hj_signed[] = {
|
||||||
|
+ 0x68, 0x6a, 0x0a, 0x30, 0x82, 0x01, 0xc0, 0x06, 0x09, 0x2a, 0x86, 0x48,
|
||||||
|
+ 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x01, 0xb1, 0x30, 0x82,
|
||||||
|
+ 0x01, 0xad, 0x02, 0x01, 0x01, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09, 0x60,
|
||||||
|
+ 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x30, 0x0b, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x31, 0x82, 0x01,
|
||||||
|
+ 0x8a, 0x30, 0x82, 0x01, 0x86, 0x02, 0x01, 0x01, 0x30, 0x61, 0x30, 0x49,
|
||||||
|
+ 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1f, 0x47,
|
||||||
|
+ 0x72, 0x75, 0x62, 0x20, 0x41, 0x70, 0x70, 0x65, 0x6e, 0x64, 0x65, 0x64,
|
||||||
|
+ 0x20, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x20, 0x54,
|
||||||
|
+ 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1d, 0x30, 0x1b, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x0e, 0x64,
|
||||||
|
+ 0x6a, 0x61, 0x40, 0x61, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x2e, 0x6e, 0x65,
|
||||||
|
+ 0x74, 0x02, 0x14, 0x25, 0x2e, 0xb8, 0xfd, 0x12, 0x62, 0x2e, 0xcd, 0x5d,
|
||||||
|
+ 0xa7, 0x53, 0xd2, 0x0b, 0xc2, 0x61, 0x7c, 0x14, 0xe0, 0x0f, 0x5c, 0x30,
|
||||||
|
+ 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
|
||||||
|
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
||||||
|
+ 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xc7, 0x69, 0x35, 0x21, 0x66,
|
||||||
|
+ 0x4d, 0x50, 0xd4, 0x73, 0xde, 0xbd, 0x3a, 0xf6, 0x45, 0xe3, 0xe4, 0xd0,
|
||||||
|
+ 0xb6, 0xa1, 0xe7, 0xc0, 0xa2, 0xc9, 0xf4, 0xf0, 0x05, 0x8c, 0xa4, 0x16,
|
||||||
|
+ 0x9e, 0x81, 0x0d, 0x21, 0x68, 0xf3, 0xfe, 0x03, 0x96, 0x77, 0x31, 0x69,
|
||||||
|
+ 0x01, 0xd8, 0x26, 0xd9, 0x48, 0x95, 0xcf, 0xd1, 0x17, 0xb1, 0x0b, 0x6b,
|
||||||
|
+ 0x2c, 0xf1, 0xb0, 0xab, 0x65, 0x65, 0x56, 0xf8, 0x0c, 0xa7, 0xf7, 0xbb,
|
||||||
|
+ 0xf6, 0x5a, 0x55, 0x98, 0x14, 0x07, 0x8d, 0x2a, 0xbc, 0x16, 0x48, 0x94,
|
||||||
|
+ 0xab, 0x2f, 0x85, 0x97, 0x90, 0x51, 0x78, 0xa0, 0xda, 0x60, 0xb5, 0x41,
|
||||||
|
+ 0x4b, 0xe8, 0x78, 0xc5, 0xa6, 0x04, 0x9d, 0x54, 0x2a, 0x85, 0xfd, 0x86,
|
||||||
|
+ 0x0b, 0x6d, 0xc2, 0xd2, 0xad, 0x07, 0xff, 0x16, 0x42, 0x82, 0xe3, 0x5c,
|
||||||
|
+ 0xaa, 0x22, 0x59, 0x78, 0x92, 0xea, 0x94, 0xc3, 0x41, 0xb7, 0xa1, 0x86,
|
||||||
|
+ 0x44, 0xea, 0xd1, 0xdb, 0xe5, 0xac, 0x30, 0x32, 0xfb, 0x7d, 0x3f, 0xf7,
|
||||||
|
+ 0x8b, 0x11, 0x7f, 0x80, 0x3b, 0xe5, 0xc7, 0x82, 0x0f, 0x92, 0x07, 0x14,
|
||||||
|
+ 0x66, 0x01, 0x6e, 0x85, 0xab, 0x3a, 0x14, 0xcf, 0x76, 0xd1, 0x7e, 0x14,
|
||||||
|
+ 0x85, 0xca, 0x01, 0x73, 0x72, 0x38, 0xdc, 0xde, 0x30, 0x5c, 0xfb, 0xc0,
|
||||||
|
+ 0x3d, 0x93, 0xef, 0x9c, 0xbc, 0xf8, 0xcc, 0xd2, 0xbf, 0x47, 0xec, 0xf8,
|
||||||
|
+ 0x88, 0x9b, 0xe1, 0x43, 0xbe, 0xa7, 0x47, 0x96, 0xb6, 0x5d, 0x46, 0x0e,
|
||||||
|
+ 0x7a, 0x78, 0x38, 0x19, 0xbc, 0xb5, 0xbc, 0x9b, 0x3c, 0x39, 0x92, 0x70,
|
||||||
|
+ 0x0d, 0x9d, 0x8a, 0x35, 0xaf, 0xb4, 0x9e, 0xf4, 0xef, 0xc1, 0xb8, 0x25,
|
||||||
|
+ 0xd0, 0x14, 0x91, 0xd6, 0xc2, 0xb6, 0xc7, 0x3c, 0x72, 0x91, 0x0f, 0xad,
|
||||||
|
+ 0xde, 0xb2, 0x36, 0xf8, 0x4e, 0x59, 0xd4, 0xa4, 0x21, 0x9f, 0x03, 0x95,
|
||||||
|
+ 0x48, 0x01, 0xb4, 0x05, 0xc3, 0x39, 0x60, 0x51, 0x08, 0xd0, 0xbe, 0x00,
|
||||||
|
+ 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc4, 0x7e,
|
||||||
|
+ 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x61,
|
||||||
|
+ 0x74, 0x75, 0x72, 0x65, 0x20, 0x61, 0x70, 0x70, 0x65, 0x6e, 0x64, 0x65,
|
||||||
|
+ 0x64, 0x7e, 0x0a
|
||||||
|
+};
|
||||||
|
+unsigned int hj_signed_len = 495;
|
||||||
|
+
|
||||||
|
+unsigned char hi_signed_sha256[] = {
|
||||||
|
+ 0x68, 0x69, 0x0a, 0x30, 0x82, 0x01, 0xc0, 0x06, 0x09, 0x2a, 0x86, 0x48,
|
||||||
|
+ 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x01, 0xb1, 0x30, 0x82,
|
||||||
|
+ 0x01, 0xad, 0x02, 0x01, 0x01, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09, 0x60,
|
||||||
|
+ 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x30, 0x0b, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x31, 0x82, 0x01,
|
||||||
|
+ 0x8a, 0x30, 0x82, 0x01, 0x86, 0x02, 0x01, 0x01, 0x30, 0x61, 0x30, 0x49,
|
||||||
|
+ 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1f, 0x47,
|
||||||
|
+ 0x72, 0x75, 0x62, 0x20, 0x41, 0x70, 0x70, 0x65, 0x6e, 0x64, 0x65, 0x64,
|
||||||
|
+ 0x20, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x20, 0x54,
|
||||||
|
+ 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1d, 0x30, 0x1b, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x0e, 0x64,
|
||||||
|
+ 0x6a, 0x61, 0x40, 0x61, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x2e, 0x6e, 0x65,
|
||||||
|
+ 0x74, 0x02, 0x14, 0x25, 0x2e, 0xb8, 0xfd, 0x12, 0x62, 0x2e, 0xcd, 0x5d,
|
||||||
|
+ 0xa7, 0x53, 0xd2, 0x0b, 0xc2, 0x61, 0x7c, 0x14, 0xe0, 0x0f, 0x5c, 0x30,
|
||||||
|
+ 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
|
||||||
|
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
||||||
|
+ 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x7b, 0x5e, 0x82, 0x1d, 0x21,
|
||||||
|
+ 0xb6, 0x40, 0xd3, 0x33, 0x79, 0xa7, 0x52, 0x2b, 0xfc, 0x46, 0x51, 0x26,
|
||||||
|
+ 0xfe, 0x0f, 0x81, 0x90, 0x81, 0xab, 0x57, 0x5e, 0xf6, 0x45, 0x41, 0xa3,
|
||||||
|
+ 0x7b, 0x48, 0xdd, 0xd6, 0x59, 0x60, 0x51, 0x31, 0x14, 0x14, 0x7b, 0xb4,
|
||||||
|
+ 0x55, 0x7b, 0x4d, 0xfe, 0x09, 0x7a, 0x5d, 0xae, 0xc4, 0x58, 0x50, 0x80,
|
||||||
|
+ 0x75, 0xf2, 0x23, 0x20, 0x62, 0xe3, 0x7c, 0x26, 0x1d, 0x2a, 0x4d, 0x9f,
|
||||||
|
+ 0x89, 0xf0, 0x4f, 0x95, 0x8a, 0x80, 0x6e, 0x1a, 0xea, 0x87, 0xdb, 0x1f,
|
||||||
|
+ 0xf3, 0xda, 0x04, 0x91, 0x37, 0xea, 0x0a, 0xfb, 0x6c, 0xc9, 0x3d, 0x73,
|
||||||
|
+ 0xf9, 0x58, 0x7c, 0x15, 0x6b, 0xa2, 0x52, 0x5a, 0x97, 0xff, 0xd6, 0xb0,
|
||||||
|
+ 0xf1, 0xbf, 0xa5, 0x04, 0x6d, 0x91, 0xc1, 0x54, 0x05, 0xdc, 0x7f, 0x5d,
|
||||||
|
+ 0x19, 0xaf, 0x55, 0xec, 0x51, 0xfb, 0x66, 0x0a, 0xa4, 0x4e, 0x96, 0x47,
|
||||||
|
+ 0x43, 0x54, 0x7c, 0x64, 0xa8, 0xaa, 0xb4, 0x90, 0x02, 0xf3, 0xa7, 0x0b,
|
||||||
|
+ 0xb7, 0xbf, 0x06, 0xdb, 0x5e, 0x9c, 0x32, 0x6d, 0x45, 0x14, 0x1c, 0xaf,
|
||||||
|
+ 0x46, 0x30, 0x08, 0x55, 0x49, 0x78, 0xfa, 0x57, 0xda, 0x3d, 0xf5, 0xa0,
|
||||||
|
+ 0xef, 0x11, 0x0a, 0x81, 0x0d, 0x82, 0xcd, 0xaf, 0xdb, 0xda, 0x0e, 0x1a,
|
||||||
|
+ 0x44, 0xd1, 0xee, 0xc4, 0xb8, 0xde, 0x97, 0xb4, 0xda, 0xb4, 0x8b, 0x4f,
|
||||||
|
+ 0x58, 0x24, 0x59, 0xc0, 0xe0, 0x08, 0x97, 0x14, 0x68, 0xbe, 0x31, 0x09,
|
||||||
|
+ 0x5e, 0x67, 0x45, 0xf0, 0xcb, 0x81, 0x4f, 0x17, 0x44, 0x61, 0xe0, 0xe2,
|
||||||
|
+ 0xf0, 0xfc, 0x1e, 0xb9, 0x73, 0xaf, 0x42, 0xff, 0x33, 0xde, 0x61, 0x6b,
|
||||||
|
+ 0x7f, 0xc2, 0x69, 0x0d, 0x66, 0x54, 0xae, 0xf6, 0xde, 0x20, 0x47, 0x44,
|
||||||
|
+ 0x9b, 0x73, 0xd1, 0x07, 0x6e, 0x77, 0x37, 0x0a, 0xbb, 0x7f, 0xa0, 0x93,
|
||||||
|
+ 0x2d, 0x8d, 0x44, 0xba, 0xe2, 0xdd, 0x34, 0x32, 0xd7, 0x56, 0x71, 0x00,
|
||||||
|
+ 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc4, 0x7e,
|
||||||
|
+ 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x61,
|
||||||
|
+ 0x74, 0x75, 0x72, 0x65, 0x20, 0x61, 0x70, 0x70, 0x65, 0x6e, 0x64, 0x65,
|
||||||
|
+ 0x64, 0x7e, 0x0a
|
||||||
|
+};
|
||||||
|
+unsigned int hi_signed_sha256_len = 495;
|
||||||
|
+
|
||||||
|
+unsigned char short_msg[] = {
|
||||||
|
+ 0x68, 0x69, 0x0a
|
||||||
|
+};
|
||||||
|
+unsigned int short_msg_len = 3;
|
||||||
|
+
|
||||||
|
+unsigned char unsigned_msg[] = {
|
||||||
|
+ 0x53, 0x65, 0x64, 0x20, 0x75, 0x74, 0x20, 0x70, 0x65, 0x72, 0x73, 0x70,
|
||||||
|
+ 0x69, 0x63, 0x69, 0x61, 0x74, 0x69, 0x73, 0x20, 0x75, 0x6e, 0x64, 0x65,
|
||||||
|
+ 0x20, 0x6f, 0x6d, 0x6e, 0x69, 0x73, 0x20, 0x69, 0x73, 0x74, 0x65, 0x20,
|
||||||
|
+ 0x6e, 0x61, 0x74, 0x75, 0x73, 0x20, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x20,
|
||||||
|
+ 0x73, 0x69, 0x74, 0x20, 0x76, 0x6f, 0x6c, 0x75, 0x70, 0x74, 0x61, 0x74,
|
||||||
|
+ 0x65, 0x6d, 0x20, 0x61, 0x63, 0x63, 0x75, 0x73, 0x61, 0x6e, 0x74, 0x69,
|
||||||
|
+ 0x75, 0x6d, 0x20, 0x64, 0x6f, 0x6c, 0x6f, 0x72, 0x65, 0x6d, 0x71, 0x75,
|
||||||
|
+ 0x65, 0x20, 0x6c, 0x61, 0x75, 0x64, 0x61, 0x6e, 0x74, 0x69, 0x75, 0x6d,
|
||||||
|
+ 0x2c, 0x20, 0x74, 0x6f, 0x74, 0x61, 0x6d, 0x20, 0x72, 0x65, 0x6d, 0x20,
|
||||||
|
+ 0x61, 0x70, 0x65, 0x72, 0x69, 0x61, 0x6d, 0x2c, 0x20, 0x65, 0x61, 0x71,
|
||||||
|
+ 0x75, 0x65, 0x20, 0x69, 0x70, 0x73, 0x61, 0x20, 0x71, 0x75, 0x61, 0x65,
|
||||||
|
+ 0x20, 0x61, 0x62, 0x20, 0x69, 0x6c, 0x6c, 0x6f, 0x20, 0x69, 0x6e, 0x76,
|
||||||
|
+ 0x65, 0x6e, 0x74, 0x6f, 0x72, 0x65, 0x20, 0x76, 0x65, 0x72, 0x69, 0x74,
|
||||||
|
+ 0x61, 0x74, 0x69, 0x73, 0x20, 0x65, 0x74, 0x20, 0x71, 0x75, 0x61, 0x73,
|
||||||
|
+ 0x69, 0x20, 0x61, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x6f,
|
||||||
|
+ 0x20, 0x62, 0x65, 0x61, 0x74, 0x61, 0x65, 0x20, 0x76, 0x69, 0x74, 0x61,
|
||||||
|
+ 0x65, 0x20, 0x64, 0x69, 0x63, 0x74, 0x61, 0x20, 0x73, 0x75, 0x6e, 0x74,
|
||||||
|
+ 0x20, 0x65, 0x78, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x62, 0x6f, 0x2e, 0x20,
|
||||||
|
+ 0x4e, 0x65, 0x6d, 0x6f, 0x20, 0x65, 0x6e, 0x69, 0x6d, 0x20, 0x69, 0x70,
|
||||||
|
+ 0x73, 0x61, 0x6d, 0x20, 0x76, 0x6f, 0x6c, 0x75, 0x70, 0x74, 0x61, 0x74,
|
||||||
|
+ 0x65, 0x6d, 0x20, 0x71, 0x75, 0x69, 0x61, 0x20, 0x76, 0x6f, 0x6c, 0x75,
|
||||||
|
+ 0x70, 0x74, 0x61, 0x73, 0x20, 0x73, 0x69, 0x74, 0x20, 0x61, 0x73, 0x70,
|
||||||
|
+ 0x65, 0x72, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x20, 0x61, 0x75, 0x74, 0x20,
|
||||||
|
+ 0x6f, 0x64, 0x69, 0x74, 0x20, 0x61, 0x75, 0x74, 0x20, 0x66, 0x75, 0x67,
|
||||||
|
+ 0x69, 0x74, 0x2c, 0x20, 0x73, 0x65, 0x64, 0x20, 0x71, 0x75, 0x69, 0x61,
|
||||||
|
+ 0x20, 0x63, 0x6f, 0x6e, 0x73, 0x65, 0x71, 0x75, 0x75, 0x6e, 0x74, 0x75,
|
||||||
|
+ 0x72, 0x20, 0x6d, 0x61, 0x67, 0x6e, 0x69, 0x20, 0x64, 0x6f, 0x6c, 0x6f,
|
||||||
|
+ 0x72, 0x65, 0x73, 0x20, 0x65, 0x6f, 0x73, 0x20, 0x71, 0x75, 0x69, 0x20,
|
||||||
|
+ 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x65, 0x20, 0x76, 0x6f, 0x6c, 0x75,
|
||||||
|
+ 0x70, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x20, 0x73, 0x65, 0x71, 0x75, 0x69,
|
||||||
|
+ 0x20, 0x6e, 0x65, 0x73, 0x63, 0x69, 0x75, 0x6e, 0x74, 0x2e, 0x20, 0x4e,
|
||||||
|
+ 0x65, 0x71, 0x75, 0x65, 0x20, 0x70, 0x6f, 0x72, 0x72, 0x6f, 0x20, 0x71,
|
||||||
|
+ 0x75, 0x69, 0x73, 0x71, 0x75, 0x61, 0x6d, 0x20, 0x65, 0x73, 0x74, 0x2c,
|
||||||
|
+ 0x20, 0x71, 0x75, 0x69, 0x20, 0x64, 0x6f, 0x6c, 0x6f, 0x72, 0x65, 0x6d,
|
||||||
|
+ 0x20, 0x69, 0x70, 0x73, 0x75, 0x6d, 0x20, 0x71, 0x75, 0x69, 0x61, 0x20,
|
||||||
|
+ 0x64, 0x6f, 0x6c, 0x6f, 0x72, 0x20, 0x73, 0x69, 0x74, 0x20, 0x61, 0x6d,
|
||||||
|
+ 0x65, 0x74, 0x2c, 0x20, 0x63, 0x6f, 0x6e, 0x73, 0x65, 0x63, 0x74, 0x65,
|
||||||
|
+ 0x74, 0x75, 0x72, 0x2c, 0x20, 0x61, 0x64, 0x69, 0x70, 0x69, 0x73, 0x63,
|
||||||
|
+ 0x69, 0x20, 0x76, 0x65, 0x6c, 0x69, 0x74, 0x2c, 0x20, 0x73, 0x65, 0x64,
|
||||||
|
+ 0x20, 0x71, 0x75, 0x69, 0x61, 0x20, 0x6e, 0x6f, 0x6e, 0x20, 0x6e, 0x75,
|
||||||
|
+ 0x6d, 0x71, 0x75, 0x61, 0x6d, 0x20, 0x65, 0x69, 0x75, 0x73, 0x20, 0x6d,
|
||||||
|
+ 0x6f, 0x64, 0x69, 0x20, 0x74, 0x65, 0x6d, 0x70, 0x6f, 0x72, 0x61, 0x20,
|
||||||
|
+ 0x69, 0x6e, 0x63, 0x69, 0x64, 0x75, 0x6e, 0x74, 0x20, 0x75, 0x74, 0x20,
|
||||||
|
+ 0x6c, 0x61, 0x62, 0x6f, 0x72, 0x65, 0x20, 0x65, 0x74, 0x20, 0x64, 0x6f,
|
||||||
|
+ 0x6c, 0x6f, 0x72, 0x65, 0x20, 0x6d, 0x61, 0x67, 0x6e, 0x61, 0x6d, 0x20,
|
||||||
|
+ 0x61, 0x6c, 0x69, 0x71, 0x75, 0x61, 0x6d, 0x20, 0x71, 0x75, 0x61, 0x65,
|
||||||
|
+ 0x72, 0x61, 0x74, 0x20, 0x76, 0x6f, 0x6c, 0x75, 0x70, 0x74, 0x61, 0x74,
|
||||||
|
+ 0x65, 0x6d, 0x2e, 0x20, 0x55, 0x74, 0x20, 0x65, 0x6e, 0x69, 0x6d, 0x20,
|
||||||
|
+ 0x61, 0x64, 0x20, 0x6d, 0x69, 0x6e, 0x69, 0x6d, 0x61, 0x20, 0x76, 0x65,
|
||||||
|
+ 0x6e, 0x69, 0x61, 0x6d, 0x2c, 0x20, 0x71, 0x75, 0x69, 0x73, 0x20, 0x6e,
|
||||||
|
+ 0x6f, 0x73, 0x74, 0x72, 0x75, 0x6d, 0x20, 0x65, 0x78, 0x65, 0x72, 0x63,
|
||||||
|
+ 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x65, 0x6d, 0x20, 0x75, 0x6c,
|
||||||
|
+ 0x6c, 0x61, 0x6d, 0x20, 0x63, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x69, 0x73,
|
||||||
|
+ 0x20, 0x73, 0x75, 0x73, 0x63, 0x69, 0x70, 0x69, 0x74, 0x20, 0x6c, 0x61,
|
||||||
|
+ 0x62, 0x6f, 0x72, 0x69, 0x6f, 0x73, 0x61, 0x6d, 0x2c, 0x20, 0x6e, 0x69,
|
||||||
|
+ 0x73, 0x69, 0x20, 0x75, 0x74, 0x20, 0x61, 0x6c, 0x69, 0x71, 0x75, 0x69,
|
||||||
|
+ 0x64, 0x20, 0x65, 0x78, 0x20, 0x65, 0x61, 0x20, 0x63, 0x6f, 0x6d, 0x6d,
|
||||||
|
+ 0x6f, 0x64, 0x69, 0x20, 0x63, 0x6f, 0x6e, 0x73, 0x65, 0x71, 0x75, 0x61,
|
||||||
|
+ 0x74, 0x75, 0x72, 0x3f, 0x20, 0x51, 0x75, 0x69, 0x73, 0x20, 0x61, 0x75,
|
||||||
|
+ 0x74, 0x65, 0x6d, 0x20, 0x76, 0x65, 0x6c, 0x20, 0x65, 0x75, 0x6d, 0x20,
|
||||||
|
+ 0x69, 0x75, 0x72, 0x65, 0x20, 0x72, 0x65, 0x70, 0x72, 0x65, 0x68, 0x65,
|
||||||
|
+ 0x6e, 0x64, 0x65, 0x72, 0x69, 0x74, 0x20, 0x71, 0x75, 0x69, 0x20, 0x69,
|
||||||
|
+ 0x6e, 0x20, 0x65, 0x61, 0x20, 0x76, 0x6f, 0x6c, 0x75, 0x70, 0x74, 0x61,
|
||||||
|
+ 0x74, 0x65, 0x20, 0x76, 0x65, 0x6c, 0x69, 0x74, 0x20, 0x65, 0x73, 0x73,
|
||||||
|
+ 0x65, 0x20, 0x71, 0x75, 0x61, 0x6d, 0x20, 0x6e, 0x69, 0x68, 0x69, 0x6c,
|
||||||
|
+ 0x20, 0x6d, 0x6f, 0x6c, 0x65, 0x73, 0x74, 0x69, 0x61, 0x65, 0x20, 0x63,
|
||||||
|
+ 0x6f, 0x6e, 0x73, 0x65, 0x71, 0x75, 0x61, 0x74, 0x75, 0x72, 0x2c, 0x20,
|
||||||
|
+ 0x76, 0x65, 0x6c, 0x20, 0x69, 0x6c, 0x6c, 0x75, 0x6d, 0x20, 0x71, 0x75,
|
||||||
|
+ 0x69, 0x20, 0x64, 0x6f, 0x6c, 0x6f, 0x72, 0x65, 0x6d, 0x20, 0x65, 0x75,
|
||||||
|
+ 0x6d, 0x20, 0x66, 0x75, 0x67, 0x69, 0x61, 0x74, 0x20, 0x71, 0x75, 0x6f,
|
||||||
|
+ 0x20, 0x76, 0x6f, 0x6c, 0x75, 0x70, 0x74, 0x61, 0x73, 0x20, 0x6e, 0x75,
|
||||||
|
+ 0x6c, 0x6c, 0x61, 0x20, 0x70, 0x61, 0x72, 0x69, 0x61, 0x74, 0x75, 0x72,
|
||||||
|
+ 0x3f, 0x0a
|
||||||
|
+};
|
||||||
|
+unsigned int unsigned_msg_len = 866;
|
||||||
|
+
|
||||||
|
+unsigned char certificate2_der[] = {
|
||||||
|
+ 0x30, 0x82, 0x05, 0x52, 0x30, 0x82, 0x03, 0x3a, 0xa0, 0x03, 0x02, 0x01,
|
||||||
|
+ 0x02, 0x02, 0x14, 0x5b, 0x5e, 0x59, 0xf2, 0x5f, 0x75, 0x4c, 0x8e, 0xc5,
|
||||||
|
+ 0x3a, 0x91, 0x07, 0xe9, 0xe7, 0x6d, 0x3c, 0xd0, 0x7f, 0x91, 0xff, 0x30,
|
||||||
|
+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
|
||||||
|
+ 0x05, 0x00, 0x30, 0x3a, 0x31, 0x38, 0x30, 0x36, 0x06, 0x03, 0x55, 0x04,
|
||||||
|
+ 0x03, 0x0c, 0x2f, 0x47, 0x72, 0x75, 0x62, 0x20, 0x32, 0x6e, 0x64, 0x20,
|
||||||
|
+ 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20,
|
||||||
|
+ 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
|
||||||
|
+ 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
|
||||||
|
+ 0x74, 0x79, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x30, 0x30, 0x37, 0x32, 0x38,
|
||||||
|
+ 0x31, 0x33, 0x32, 0x34, 0x32, 0x39, 0x5a, 0x18, 0x0f, 0x32, 0x31, 0x32,
|
||||||
|
+ 0x30, 0x30, 0x37, 0x30, 0x34, 0x31, 0x33, 0x32, 0x34, 0x32, 0x39, 0x5a,
|
||||||
|
+ 0x30, 0x2b, 0x31, 0x29, 0x30, 0x27, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
|
||||||
|
+ 0x20, 0x47, 0x72, 0x75, 0x62, 0x20, 0x32, 0x6e, 0x64, 0x20, 0x43, 0x65,
|
||||||
|
+ 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x53, 0x69,
|
||||||
|
+ 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x4b, 0x65, 0x79, 0x30, 0x82, 0x02,
|
||||||
|
+ 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
|
||||||
|
+ 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00, 0x30, 0x82, 0x02,
|
||||||
|
+ 0x0a, 0x02, 0x82, 0x02, 0x01, 0x00, 0xb0, 0x2f, 0x50, 0x01, 0x9c, 0x0e,
|
||||||
|
+ 0xd6, 0x8c, 0x07, 0xca, 0xc1, 0xcf, 0xbc, 0x03, 0xdd, 0xd3, 0xfa, 0xe3,
|
||||||
|
+ 0x4f, 0x71, 0xc1, 0x30, 0xaa, 0x09, 0x96, 0xe4, 0xd0, 0x6c, 0x42, 0x93,
|
||||||
|
+ 0xdb, 0x35, 0xf6, 0x7e, 0x1b, 0x67, 0xc0, 0xc2, 0x2d, 0x5b, 0xec, 0xca,
|
||||||
|
+ 0x35, 0x06, 0x32, 0x6c, 0x7b, 0x2c, 0xd3, 0x71, 0x2b, 0xe9, 0x7a, 0x19,
|
||||||
|
+ 0xd1, 0xf2, 0xa0, 0x7f, 0xd7, 0x4d, 0x6e, 0x28, 0xbb, 0xae, 0x49, 0x4a,
|
||||||
|
+ 0xbc, 0xea, 0x47, 0x67, 0xb8, 0x36, 0xa6, 0xf5, 0x0d, 0x0e, 0x20, 0x14,
|
||||||
|
+ 0x0c, 0x66, 0x67, 0x28, 0xb5, 0x97, 0x8b, 0x1f, 0x5e, 0x32, 0x06, 0x29,
|
||||||
|
+ 0x9c, 0x99, 0x92, 0x0f, 0x73, 0xac, 0xfd, 0xd2, 0x1d, 0xf2, 0xa8, 0x55,
|
||||||
|
+ 0x9d, 0x1b, 0xd8, 0x3d, 0xb0, 0x76, 0x9a, 0xb6, 0x6c, 0x9f, 0x62, 0x37,
|
||||||
|
+ 0x2f, 0xc0, 0xef, 0x44, 0xb3, 0x0d, 0x4a, 0x3e, 0x4f, 0x7d, 0xbd, 0xdb,
|
||||||
|
+ 0xd8, 0x75, 0x5f, 0x68, 0xe3, 0xf0, 0xec, 0x82, 0x66, 0x7c, 0x31, 0x70,
|
||||||
|
+ 0xa9, 0xa1, 0x6f, 0x38, 0x9f, 0xdf, 0xf5, 0xf0, 0x7d, 0x23, 0x9d, 0x34,
|
||||||
|
+ 0xa5, 0x85, 0xd3, 0xdf, 0x68, 0x41, 0xfc, 0x4f, 0x89, 0x45, 0x3c, 0x24,
|
||||||
|
+ 0x81, 0xa6, 0xf2, 0x3c, 0x02, 0x26, 0x09, 0x48, 0xdd, 0xfe, 0x4b, 0xb6,
|
||||||
|
+ 0x66, 0xbf, 0x8f, 0xe5, 0x5f, 0xf0, 0x5d, 0x8a, 0x61, 0x2e, 0x5f, 0x9f,
|
||||||
|
+ 0x80, 0xd9, 0xd5, 0xe6, 0x41, 0xd8, 0x10, 0x5e, 0x7a, 0xc6, 0xdb, 0x89,
|
||||||
|
+ 0xc7, 0xca, 0x6c, 0x5b, 0xb1, 0x4e, 0x7d, 0x0c, 0x03, 0xfd, 0x50, 0xca,
|
||||||
|
+ 0xbf, 0xbb, 0xe2, 0x69, 0x4b, 0x4e, 0xc2, 0x3d, 0x75, 0xfa, 0xd1, 0xcc,
|
||||||
|
+ 0xd6, 0xf9, 0x39, 0xb9, 0xdc, 0x53, 0xad, 0x62, 0xfb, 0x1b, 0x94, 0x26,
|
||||||
|
+ 0x7f, 0x21, 0x54, 0x5c, 0xb7, 0xdc, 0xe7, 0x96, 0x8c, 0xce, 0x75, 0xe0,
|
||||||
|
+ 0x17, 0x01, 0x3a, 0x3c, 0x77, 0x6e, 0xa4, 0x8b, 0x7a, 0x83, 0x28, 0x7a,
|
||||||
|
+ 0xf7, 0xb0, 0x5f, 0xfc, 0x7f, 0x2d, 0x2e, 0xec, 0xf5, 0xeb, 0x9c, 0x63,
|
||||||
|
+ 0x74, 0xd0, 0xe5, 0xdc, 0x19, 0xe4, 0x71, 0xc5, 0x4a, 0x8a, 0x54, 0xa4,
|
||||||
|
+ 0xe0, 0x7d, 0x4e, 0xbf, 0x53, 0x30, 0xaf, 0xd0, 0xeb, 0x96, 0xc3, 0xbb,
|
||||||
|
+ 0x65, 0xf7, 0x67, 0xf5, 0xae, 0xd3, 0x96, 0xf2, 0x63, 0xc8, 0x69, 0xf7,
|
||||||
|
+ 0x47, 0xcb, 0x27, 0x79, 0xe1, 0xff, 0x2f, 0x68, 0xdf, 0x1e, 0xb3, 0xb8,
|
||||||
|
+ 0x0c, 0xc5, 0x58, 0x73, 0xcc, 0xfe, 0x8c, 0xda, 0x4e, 0x3b, 0x01, 0x04,
|
||||||
|
+ 0xcd, 0xcb, 0xb8, 0x3e, 0x06, 0xfd, 0x4c, 0x0a, 0x9f, 0x5e, 0x76, 0x8c,
|
||||||
|
+ 0x0c, 0x83, 0x75, 0x09, 0x08, 0xb2, 0xdb, 0xf4, 0x49, 0x4e, 0xa0, 0xf2,
|
||||||
|
+ 0x0c, 0x7b, 0x87, 0x38, 0x9e, 0x22, 0x67, 0xbd, 0xd1, 0x97, 0x57, 0x24,
|
||||||
|
+ 0xf1, 0x46, 0x07, 0xf9, 0xd2, 0x1b, 0xec, 0x25, 0x5e, 0x67, 0xd9, 0x66,
|
||||||
|
+ 0x23, 0x1b, 0xd3, 0xe4, 0xaa, 0xec, 0x88, 0xf0, 0x7e, 0x15, 0x83, 0x51,
|
||||||
|
+ 0x31, 0x67, 0x51, 0x76, 0x5f, 0x55, 0xd7, 0x36, 0xdf, 0x4a, 0x84, 0x0b,
|
||||||
|
+ 0x6f, 0x5c, 0xbb, 0x5b, 0x8f, 0x37, 0x23, 0x7f, 0xf8, 0x17, 0x84, 0xa2,
|
||||||
|
+ 0x70, 0x20, 0x07, 0x0c, 0x90, 0x3a, 0x04, 0xfd, 0xf0, 0x08, 0x4a, 0xb1,
|
||||||
|
+ 0x16, 0x0f, 0xe6, 0xf6, 0x40, 0x51, 0x83, 0xd2, 0x87, 0x40, 0x9c, 0x1c,
|
||||||
|
+ 0x9f, 0x13, 0x38, 0x17, 0xd3, 0x34, 0x58, 0xad, 0x05, 0x71, 0xa0, 0x73,
|
||||||
|
+ 0xca, 0x40, 0xa6, 0xa4, 0x81, 0x02, 0xee, 0xa8, 0x72, 0x41, 0xa1, 0x41,
|
||||||
|
+ 0x18, 0x64, 0x8a, 0x86, 0x8a, 0x5d, 0xe6, 0x4f, 0x0a, 0xc5, 0x95, 0x98,
|
||||||
|
+ 0xf9, 0x78, 0xfe, 0x19, 0x0d, 0xc9, 0xb3, 0x89, 0xc1, 0x2b, 0x09, 0xbe,
|
||||||
|
+ 0xf1, 0xd2, 0x04, 0x5d, 0xcc, 0x28, 0xf5, 0x4b, 0xd2, 0x20, 0x4f, 0xc5,
|
||||||
|
+ 0x41, 0x9d, 0x8c, 0x85, 0xd8, 0xb0, 0x68, 0x5e, 0xc1, 0x0c, 0xb7, 0x24,
|
||||||
|
+ 0x4d, 0x67, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x5d, 0x30, 0x5b, 0x30,
|
||||||
|
+ 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30,
|
||||||
|
+ 0x00, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
|
||||||
|
+ 0x07, 0x80, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
|
||||||
|
+ 0x14, 0xac, 0xf5, 0x47, 0x17, 0xd9, 0x7d, 0xc1, 0xb1, 0xc4, 0x41, 0xe1,
|
||||||
|
+ 0x41, 0x60, 0xcb, 0x37, 0x11, 0x60, 0x28, 0x78, 0x5f, 0x30, 0x1f, 0x06,
|
||||||
|
+ 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x21, 0x94,
|
||||||
|
+ 0xfb, 0xf9, 0xb2, 0x43, 0xe9, 0x33, 0xd7, 0x50, 0x7d, 0xc7, 0x37, 0xdb,
|
||||||
|
+ 0xd5, 0x82, 0x5a, 0x4e, 0xbe, 0x1b, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
|
||||||
|
+ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02,
|
||||||
|
+ 0x01, 0x00, 0x96, 0x70, 0x65, 0x26, 0x42, 0xf8, 0xdc, 0x69, 0xde, 0xcf,
|
||||||
|
+ 0x41, 0x3a, 0x2e, 0x7f, 0x5b, 0xf1, 0xf9, 0x3b, 0x9b, 0xd2, 0x4e, 0x64,
|
||||||
|
+ 0x48, 0x81, 0xe4, 0x5d, 0x1e, 0x22, 0xce, 0x68, 0x63, 0x62, 0xe5, 0x1b,
|
||||||
|
+ 0x9b, 0xf2, 0xc7, 0x12, 0xda, 0x1e, 0x9b, 0x90, 0x84, 0x79, 0x48, 0x12,
|
||||||
|
+ 0xe6, 0x21, 0x6f, 0x2f, 0x7e, 0x18, 0x77, 0xdb, 0x8c, 0xc4, 0xd1, 0x0d,
|
||||||
|
+ 0x91, 0xbf, 0x39, 0x22, 0x0f, 0x64, 0xcf, 0x25, 0x2e, 0x8c, 0x1f, 0x91,
|
||||||
|
+ 0x81, 0xb5, 0xe9, 0x6c, 0x02, 0x3a, 0xf8, 0x07, 0xa2, 0x6f, 0x46, 0x5d,
|
||||||
|
+ 0x7b, 0xfd, 0x43, 0xff, 0x41, 0x0f, 0xe2, 0x57, 0x1c, 0xbd, 0x48, 0x60,
|
||||||
|
+ 0x53, 0x11, 0x48, 0x87, 0x88, 0x9d, 0x13, 0x82, 0x40, 0x68, 0x44, 0x2c,
|
||||||
|
+ 0xc6, 0xc8, 0x95, 0x27, 0x4f, 0xb6, 0xb9, 0x4a, 0x22, 0x0a, 0xfd, 0xe4,
|
||||||
|
+ 0x46, 0x8f, 0x35, 0x12, 0x98, 0x5a, 0x34, 0x6f, 0x2b, 0x57, 0x62, 0xa1,
|
||||||
|
+ 0x4d, 0x8d, 0x79, 0x37, 0xe4, 0x6b, 0x8a, 0x32, 0x5b, 0xcb, 0xef, 0x79,
|
||||||
|
+ 0x11, 0xed, 0xa7, 0xf8, 0x7a, 0x1c, 0xbd, 0x86, 0xdc, 0x0e, 0x2e, 0xfd,
|
||||||
|
+ 0xd3, 0x51, 0xbb, 0x73, 0xad, 0x00, 0xa0, 0x1b, 0xf9, 0x1d, 0xd1, 0x4a,
|
||||||
|
+ 0xe4, 0xd4, 0x02, 0x63, 0x2b, 0x39, 0x5f, 0x18, 0x08, 0x2f, 0x42, 0xb7,
|
||||||
|
+ 0x23, 0x4b, 0x48, 0x46, 0x1f, 0x63, 0x87, 0xae, 0x6d, 0xd5, 0xdb, 0x60,
|
||||||
|
+ 0xf8, 0x5f, 0xd3, 0x13, 0xec, 0xca, 0xdd, 0x60, 0x60, 0x79, 0x52, 0x70,
|
||||||
|
+ 0x47, 0xae, 0x1d, 0x38, 0x78, 0x71, 0xcf, 0xb3, 0x04, 0x03, 0xbe, 0xba,
|
||||||
|
+ 0x81, 0xba, 0x74, 0xb1, 0x30, 0x35, 0xdc, 0xea, 0x21, 0x4a, 0x9b, 0x70,
|
||||||
|
+ 0xfb, 0xd6, 0x60, 0x59, 0x78, 0x0c, 0x4d, 0x39, 0x19, 0x1d, 0xe5, 0x75,
|
||||||
|
+ 0xba, 0x07, 0xf4, 0x22, 0x37, 0x64, 0xb7, 0xf2, 0x9a, 0xc9, 0x11, 0x2d,
|
||||||
|
+ 0x8e, 0x58, 0xa6, 0xcf, 0x83, 0xf1, 0xcb, 0x6c, 0x7f, 0x02, 0xbd, 0xda,
|
||||||
|
+ 0x03, 0x92, 0xa9, 0x45, 0x24, 0x56, 0xc5, 0xbd, 0x41, 0xd1, 0x20, 0x86,
|
||||||
|
+ 0xc0, 0xb6, 0xb7, 0xe8, 0xa7, 0xb2, 0x46, 0xf7, 0x8e, 0xa9, 0x38, 0x0e,
|
||||||
|
+ 0x23, 0x77, 0x3c, 0x0d, 0x66, 0x83, 0x6a, 0x1a, 0x6b, 0x7f, 0x54, 0x11,
|
||||||
|
+ 0x58, 0x0d, 0x4a, 0xb5, 0x74, 0x60, 0xca, 0xed, 0xff, 0x91, 0x47, 0xd9,
|
||||||
|
+ 0x29, 0xe0, 0xaa, 0x8c, 0xa8, 0x8f, 0x10, 0x4c, 0x15, 0x7d, 0xce, 0x95,
|
||||||
|
+ 0xf9, 0x87, 0x1e, 0x18, 0x38, 0x18, 0xfc, 0xcc, 0xaf, 0x91, 0x17, 0x3f,
|
||||||
|
+ 0xfa, 0xf0, 0x8a, 0x09, 0x6f, 0xba, 0x4e, 0x53, 0xf7, 0xfa, 0x4f, 0x20,
|
||||||
|
+ 0xa3, 0xf4, 0x4a, 0x5a, 0xde, 0x17, 0x1c, 0x29, 0x6a, 0x6f, 0x03, 0x48,
|
||||||
|
+ 0xdf, 0xad, 0x4f, 0xe4, 0xbc, 0x71, 0xc4, 0x72, 0x32, 0x11, 0x84, 0xac,
|
||||||
|
+ 0x09, 0xd2, 0x18, 0x44, 0x35, 0xf1, 0xcd, 0xaf, 0xa8, 0x98, 0xe0, 0x8b,
|
||||||
|
+ 0xec, 0xa0, 0x83, 0x37, 0xc3, 0x35, 0x85, 0xd6, 0xd8, 0x1b, 0xe0, 0x75,
|
||||||
|
+ 0xdc, 0xfd, 0xde, 0xc9, 0xeb, 0xd5, 0x18, 0x0f, 0xd3, 0x4c, 0x2f, 0x71,
|
||||||
|
+ 0xdc, 0x48, 0xe3, 0x14, 0xeb, 0xda, 0x00, 0x24, 0x24, 0x9e, 0xa3, 0x8e,
|
||||||
|
+ 0x3e, 0x08, 0x6f, 0x22, 0x24, 0xd6, 0xc4, 0x85, 0x8f, 0x68, 0x00, 0x4a,
|
||||||
|
+ 0x82, 0x4c, 0x33, 0x6e, 0xa5, 0x35, 0x7b, 0xeb, 0x4b, 0xdc, 0xa0, 0xa6,
|
||||||
|
+ 0x65, 0x6f, 0x5a, 0x7a, 0xdf, 0x8a, 0x01, 0x52, 0xa1, 0x6c, 0xff, 0x59,
|
||||||
|
+ 0x22, 0x7f, 0xe1, 0x96, 0x1b, 0x19, 0xb8, 0xf9, 0x5d, 0x44, 0x9f, 0x91,
|
||||||
|
+ 0x03, 0x3c, 0x3d, 0xa1, 0x2a, 0xb6, 0x5a, 0x51, 0xa0, 0xce, 0x4a, 0x88,
|
||||||
|
+ 0x22, 0x72, 0x9c, 0xdc, 0xc0, 0x47, 0x76, 0x35, 0x84, 0x75, 0x9b, 0x87,
|
||||||
|
+ 0x5c, 0xd3, 0xcf, 0xe7, 0xdd, 0xa3, 0x57, 0x14, 0xdf, 0x00, 0xfd, 0x19,
|
||||||
|
+ 0x2a, 0x7d, 0x89, 0x27, 0x1c, 0x78, 0x97, 0x04, 0x58, 0x48
|
||||||
|
+};
|
||||||
|
+unsigned int certificate2_der_len = 1366;
|
||||||
|
+
|
||||||
|
+unsigned char hi_signed_2nd[] = {
|
||||||
|
+ 0x68, 0x69, 0x0a, 0x30, 0x82, 0x02, 0xb1, 0x06, 0x09, 0x2a, 0x86, 0x48,
|
||||||
|
+ 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x02, 0xa2, 0x30, 0x82,
|
||||||
|
+ 0x02, 0x9e, 0x02, 0x01, 0x01, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09, 0x60,
|
||||||
|
+ 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x30, 0x0b, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x31, 0x82, 0x02,
|
||||||
|
+ 0x7b, 0x30, 0x82, 0x02, 0x77, 0x02, 0x01, 0x01, 0x30, 0x52, 0x30, 0x3a,
|
||||||
|
+ 0x31, 0x38, 0x30, 0x36, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x2f, 0x47,
|
||||||
|
+ 0x72, 0x75, 0x62, 0x20, 0x32, 0x6e, 0x64, 0x20, 0x43, 0x65, 0x72, 0x74,
|
||||||
|
+ 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x54, 0x65, 0x73, 0x74,
|
||||||
|
+ 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
|
||||||
|
+ 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x02, 0x14,
|
||||||
|
+ 0x5b, 0x5e, 0x59, 0xf2, 0x5f, 0x75, 0x4c, 0x8e, 0xc5, 0x3a, 0x91, 0x07,
|
||||||
|
+ 0xe9, 0xe7, 0x6d, 0x3c, 0xd0, 0x7f, 0x91, 0xff, 0x30, 0x0b, 0x06, 0x09,
|
||||||
|
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x30, 0x0d, 0x06,
|
||||||
|
+ 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
|
||||||
|
+ 0x04, 0x82, 0x02, 0x00, 0x0e, 0xc2, 0x30, 0x38, 0x81, 0x23, 0x68, 0x90,
|
||||||
|
+ 0xae, 0x5f, 0xce, 0xf7, 0x27, 0xb1, 0x8c, 0x2e, 0x12, 0x10, 0xc6, 0x99,
|
||||||
|
+ 0xdc, 0x4d, 0x4b, 0x79, 0xda, 0xe4, 0x32, 0x10, 0x46, 0x1c, 0x16, 0x07,
|
||||||
|
+ 0x87, 0x66, 0x55, 0xff, 0x64, 0x1c, 0x61, 0x25, 0xd5, 0xb9, 0xe1, 0xfe,
|
||||||
|
+ 0xea, 0x5a, 0xcd, 0x56, 0xa5, 0xc3, 0xbe, 0xb1, 0x61, 0xc7, 0x6f, 0x5f,
|
||||||
|
+ 0x69, 0x20, 0x64, 0x50, 0x6f, 0x12, 0x78, 0xb6, 0x0c, 0x72, 0x44, 0x4f,
|
||||||
|
+ 0x60, 0x0f, 0x9f, 0xa2, 0x83, 0x3b, 0xc2, 0x83, 0xd5, 0x14, 0x1f, 0x6f,
|
||||||
|
+ 0x3e, 0xb2, 0x47, 0xb5, 0x58, 0xc5, 0xa7, 0xb4, 0x82, 0x53, 0x2e, 0x53,
|
||||||
|
+ 0x95, 0x4e, 0x3d, 0xe4, 0x62, 0xe8, 0xa1, 0xaf, 0xae, 0xbf, 0xa9, 0xd2,
|
||||||
|
+ 0x22, 0x07, 0xbe, 0x71, 0x37, 0x2c, 0x5a, 0xa7, 0x6c, 0xaf, 0x14, 0xc0,
|
||||||
|
+ 0x6c, 0x2f, 0xbf, 0x4f, 0x15, 0xc2, 0x0f, 0x8b, 0xdc, 0x68, 0x45, 0xdf,
|
||||||
|
+ 0xf3, 0xa5, 0x7f, 0x11, 0x6a, 0x54, 0xcd, 0x67, 0xb9, 0x2e, 0x7d, 0x05,
|
||||||
|
+ 0xe3, 0x1c, 0x1d, 0xcc, 0x77, 0x8e, 0x97, 0xb1, 0xa0, 0x11, 0x09, 0x3d,
|
||||||
|
+ 0x90, 0x54, 0xfc, 0x7e, 0xbb, 0xbb, 0x21, 0x23, 0x03, 0x44, 0xbf, 0x7d,
|
||||||
|
+ 0x2c, 0xc9, 0x15, 0x42, 0xe5, 0xa0, 0x3b, 0xa2, 0xd1, 0x5b, 0x73, 0x81,
|
||||||
|
+ 0xff, 0xfa, 0x90, 0xfc, 0x27, 0x7b, 0x2f, 0x86, 0x9c, 0x1d, 0x14, 0x36,
|
||||||
|
+ 0x94, 0xa2, 0x6e, 0xe8, 0x9d, 0xa0, 0x5f, 0xfc, 0x5a, 0x0d, 0xa4, 0xd5,
|
||||||
|
+ 0x2f, 0x8d, 0xd6, 0x00, 0xfa, 0x93, 0x5b, 0x09, 0x7f, 0x42, 0x78, 0xcc,
|
||||||
|
+ 0x8c, 0x49, 0xda, 0xd9, 0xf6, 0x43, 0xe7, 0xe1, 0x3c, 0xa2, 0xe2, 0x70,
|
||||||
|
+ 0xe2, 0x6a, 0x99, 0xc5, 0xd6, 0xa2, 0xe3, 0x0b, 0xd4, 0x09, 0xac, 0x94,
|
||||||
|
+ 0xaf, 0xb7, 0xf0, 0xb3, 0x0c, 0x1e, 0xf5, 0x16, 0x4f, 0x53, 0x9a, 0xe3,
|
||||||
|
+ 0xcc, 0xe2, 0x0c, 0x4a, 0xb9, 0xe6, 0x06, 0xbb, 0xf7, 0x41, 0x43, 0x20,
|
||||||
|
+ 0x04, 0xee, 0x99, 0x2f, 0xd8, 0x9f, 0xda, 0x3f, 0xfd, 0x49, 0xb8, 0xc2,
|
||||||
|
+ 0xbd, 0xd9, 0xc5, 0x72, 0xfd, 0xe3, 0xce, 0x1c, 0xbc, 0xe4, 0x39, 0xac,
|
||||||
|
+ 0x2a, 0x99, 0xe9, 0xb4, 0x3e, 0x74, 0x10, 0xeb, 0xd5, 0x14, 0xcc, 0xdb,
|
||||||
|
+ 0xf1, 0x04, 0x63, 0x36, 0xfb, 0x1f, 0x2b, 0xe2, 0x73, 0xd4, 0xd8, 0x49,
|
||||||
|
+ 0x31, 0xa8, 0x55, 0xcc, 0xa7, 0x76, 0x36, 0x6e, 0x18, 0xdc, 0xb9, 0xb0,
|
||||||
|
+ 0x29, 0x99, 0xcf, 0x49, 0xbf, 0xf9, 0xdb, 0x7f, 0x24, 0x42, 0x02, 0xcb,
|
||||||
|
+ 0xc1, 0xaa, 0xcb, 0xba, 0x18, 0x85, 0x86, 0xc7, 0xf4, 0x1c, 0x62, 0x76,
|
||||||
|
+ 0xbc, 0x73, 0xfb, 0xe4, 0x15, 0xb8, 0xdd, 0x5d, 0xa6, 0x68, 0x39, 0xa5,
|
||||||
|
+ 0x3d, 0x33, 0xaf, 0xd5, 0x92, 0x4d, 0x48, 0xdb, 0x22, 0xc0, 0xdc, 0x49,
|
||||||
|
+ 0x5f, 0x7b, 0xa8, 0xd2, 0x62, 0x2d, 0xa7, 0x39, 0x93, 0x48, 0xe7, 0x6b,
|
||||||
|
+ 0x23, 0xba, 0xd4, 0xe0, 0xc1, 0x29, 0x55, 0xc4, 0x34, 0xe3, 0xac, 0x25,
|
||||||
|
+ 0xa7, 0x15, 0xad, 0xab, 0xb3, 0xb7, 0x25, 0xca, 0x37, 0x88, 0x40, 0x2e,
|
||||||
|
+ 0x47, 0x6e, 0x92, 0x20, 0x09, 0x2e, 0x5a, 0xec, 0xf2, 0xfb, 0xb3, 0xa0,
|
||||||
|
+ 0x16, 0xb6, 0x93, 0xf2, 0xf5, 0x8b, 0xfe, 0xaf, 0x25, 0xee, 0x2e, 0x98,
|
||||||
|
+ 0x6c, 0x0a, 0xfe, 0xae, 0x0b, 0x57, 0xf5, 0x9f, 0x3c, 0x80, 0xe9, 0x8b,
|
||||||
|
+ 0xaf, 0x92, 0x8a, 0xad, 0xe7, 0xa0, 0xe4, 0xe6, 0x0a, 0xa0, 0xc7, 0x83,
|
||||||
|
+ 0xb5, 0x48, 0x58, 0x5f, 0x55, 0x9e, 0x9b, 0x27, 0xcd, 0x31, 0x1f, 0x3e,
|
||||||
|
+ 0x50, 0x5a, 0x91, 0xad, 0x21, 0x1b, 0x97, 0x5b, 0xe8, 0xfa, 0x29, 0x8a,
|
||||||
|
+ 0xa4, 0x17, 0xe8, 0xab, 0x87, 0x02, 0xd6, 0x18, 0x8c, 0x9f, 0x65, 0xb7,
|
||||||
|
+ 0x2a, 0xfa, 0xde, 0x5f, 0x77, 0x30, 0x6c, 0x04, 0x22, 0xe6, 0x58, 0x26,
|
||||||
|
+ 0x14, 0x0d, 0x9c, 0x41, 0x0a, 0x82, 0x77, 0xdb, 0x40, 0xa1, 0x58, 0xac,
|
||||||
|
+ 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xb5,
|
||||||
|
+ 0x7e, 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x20, 0x73, 0x69, 0x67, 0x6e,
|
||||||
|
+ 0x61, 0x74, 0x75, 0x72, 0x65, 0x20, 0x61, 0x70, 0x70, 0x65, 0x6e, 0x64,
|
||||||
|
+ 0x65, 0x64, 0x7e, 0x0a
|
||||||
|
+};
|
||||||
|
+unsigned int hi_signed_2nd_len = 736;
|
||||||
|
+
|
||||||
|
+unsigned char certificate_printable_der[] = {
|
||||||
|
+ 0x30, 0x82, 0x03, 0x39, 0x30, 0x82, 0x02, 0x21, 0xa0, 0x03, 0x02, 0x01,
|
||||||
|
+ 0x02, 0x02, 0x09, 0x00, 0xde, 0xf6, 0x22, 0xc4, 0xf2, 0xf1, 0x86, 0x02,
|
||||||
|
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
||||||
|
+ 0x0b, 0x05, 0x00, 0x30, 0x2a, 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55,
|
||||||
|
+ 0x04, 0x03, 0x13, 0x1f, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20,
|
||||||
|
+ 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20,
|
||||||
|
+ 0x43, 0x41, 0x20, 0x32, 0x20, 0x28, 0x62, 0x65, 0x74, 0x61, 0x29, 0x30,
|
||||||
|
+ 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30, 0x33, 0x31, 0x31, 0x34, 0x31,
|
||||||
|
+ 0x39, 0x32, 0x33, 0x5a, 0x17, 0x0d, 0x33, 0x37, 0x31, 0x30, 0x32, 0x35,
|
||||||
|
+ 0x31, 0x34, 0x31, 0x39, 0x32, 0x33, 0x5a, 0x30, 0x2f, 0x31, 0x2d, 0x30,
|
||||||
|
+ 0x2b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x24, 0x52, 0x65, 0x64, 0x20,
|
||||||
|
+ 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x42,
|
||||||
|
+ 0x6f, 0x6f, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20,
|
||||||
|
+ 0x33, 0x20, 0x28, 0x62, 0x65, 0x74, 0x61, 0x29, 0x30, 0x82, 0x01, 0x22,
|
||||||
|
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
||||||
|
+ 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a,
|
||||||
|
+ 0x02, 0x82, 0x01, 0x01, 0x00, 0xbd, 0xda, 0xa1, 0xed, 0x8d, 0x8e, 0x15,
|
||||||
|
+ 0x5c, 0xf8, 0x01, 0x77, 0x48, 0x4a, 0x60, 0x96, 0xf9, 0x27, 0xfa, 0xe2,
|
||||||
|
+ 0xb1, 0x69, 0x0f, 0x51, 0x19, 0x52, 0x7e, 0xc4, 0x34, 0x8e, 0xe1, 0x9b,
|
||||||
|
+ 0x9c, 0xa4, 0xb1, 0x5c, 0xd6, 0x81, 0x98, 0x78, 0xfe, 0xa9, 0xe5, 0x0b,
|
||||||
|
+ 0x00, 0xba, 0x9c, 0x64, 0x7e, 0xc7, 0xcc, 0x72, 0xb1, 0x73, 0x4b, 0x11,
|
||||||
|
+ 0x07, 0x52, 0xf0, 0x20, 0x96, 0x8b, 0x99, 0x39, 0xde, 0xdb, 0xfa, 0x3d,
|
||||||
|
+ 0x45, 0xe2, 0x98, 0x7b, 0x0c, 0x41, 0xe4, 0x0c, 0xb5, 0x5d, 0x92, 0x74,
|
||||||
|
+ 0x39, 0x96, 0xe1, 0x97, 0x97, 0xa1, 0xad, 0x2e, 0xcc, 0xd0, 0x1b, 0x4d,
|
||||||
|
+ 0x9d, 0xbd, 0x3e, 0xa9, 0x36, 0x8e, 0xcc, 0xc7, 0x5f, 0x6a, 0x7d, 0x39,
|
||||||
|
+ 0x5e, 0x0b, 0x8d, 0xca, 0xe4, 0x83, 0xe9, 0x3b, 0x5c, 0x86, 0x47, 0xd4,
|
||||||
|
+ 0xba, 0x7d, 0x98, 0x26, 0xa1, 0xf4, 0xe8, 0x90, 0x6b, 0x0f, 0xf1, 0x6b,
|
||||||
|
+ 0x8c, 0xe3, 0xa2, 0x80, 0x3c, 0x96, 0xf1, 0x0a, 0xb6, 0x66, 0xc0, 0x4b,
|
||||||
|
+ 0x61, 0xf7, 0x74, 0xcd, 0xd3, 0x7b, 0x8e, 0x5e, 0x39, 0xda, 0x99, 0x20,
|
||||||
|
+ 0x33, 0x93, 0xd3, 0xf0, 0x7f, 0xad, 0x35, 0xe9, 0x88, 0x8d, 0x9c, 0xbf,
|
||||||
|
+ 0x65, 0xf1, 0x47, 0x02, 0xf9, 0x7c, 0xed, 0x27, 0x5f, 0x4a, 0x65, 0x3c,
|
||||||
|
+ 0xcf, 0x5f, 0x0e, 0x88, 0x95, 0x74, 0xde, 0xfb, 0x9e, 0x2e, 0x91, 0x9b,
|
||||||
|
+ 0x45, 0x37, 0xc8, 0x85, 0xff, 0xe3, 0x41, 0x70, 0xfe, 0xd5, 0xef, 0x0e,
|
||||||
|
+ 0x82, 0x22, 0x08, 0xb7, 0x3b, 0x44, 0x3e, 0xdc, 0x5b, 0x7f, 0xba, 0xbf,
|
||||||
|
+ 0xe6, 0x58, 0x9d, 0x02, 0x6e, 0x75, 0xbf, 0x50, 0xec, 0xcf, 0x3f, 0xa5,
|
||||||
|
+ 0x91, 0x0a, 0xe2, 0x59, 0x2c, 0xc3, 0xe7, 0x05, 0x03, 0xe8, 0xf2, 0x6f,
|
||||||
|
+ 0x2a, 0x04, 0x68, 0x9a, 0x31, 0x32, 0x8f, 0x04, 0x35, 0xcd, 0x1f, 0x34,
|
||||||
|
+ 0xcc, 0x4f, 0x79, 0x5a, 0x99, 0x8d, 0x9d, 0x5c, 0xf5, 0x02, 0x03, 0x01,
|
||||||
|
+ 0x00, 0x01, 0xa3, 0x5d, 0x30, 0x5b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d,
|
||||||
|
+ 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0b, 0x06, 0x03,
|
||||||
|
+ 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x1d, 0x06,
|
||||||
|
+ 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x65, 0xc5, 0xbe, 0xca,
|
||||||
|
+ 0xe6, 0x59, 0x6a, 0xfd, 0x6c, 0x71, 0xc4, 0xa7, 0x98, 0xc6, 0x25, 0x8d,
|
||||||
|
+ 0x7b, 0x67, 0x05, 0xd0, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
|
||||||
|
+ 0x18, 0x30, 0x16, 0x80, 0x14, 0x81, 0xf8, 0xee, 0x47, 0x5c, 0x3e, 0xed,
|
||||||
|
+ 0xfb, 0xce, 0xa5, 0x84, 0xbe, 0xd7, 0xae, 0xdb, 0xd3, 0x7d, 0x64, 0xb3,
|
||||||
|
+ 0x2a, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
|
||||||
|
+ 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x66, 0x1e, 0x3d,
|
||||||
|
+ 0x1d, 0x53, 0x33, 0xde, 0x4e, 0xc7, 0xc4, 0xf4, 0xdf, 0xda, 0x18, 0x19,
|
||||||
|
+ 0x8a, 0xa9, 0xff, 0xe2, 0x63, 0x2b, 0xbe, 0xf2, 0x61, 0x63, 0xe2, 0xf6,
|
||||||
|
+ 0xed, 0x47, 0x1a, 0x71, 0x02, 0xec, 0x2a, 0xef, 0x89, 0x77, 0xe3, 0xfd,
|
||||||
|
+ 0x86, 0x69, 0xf1, 0x3f, 0x0d, 0xf9, 0x6e, 0xf9, 0x3b, 0xad, 0x26, 0x47,
|
||||||
|
+ 0xb7, 0xf2, 0x0d, 0xad, 0x23, 0xa3, 0x67, 0x3b, 0xcb, 0x6d, 0x9e, 0x03,
|
||||||
|
+ 0x0f, 0xbc, 0x69, 0x73, 0x9f, 0xd4, 0xa5, 0x0f, 0x6f, 0xf8, 0xab, 0x4d,
|
||||||
|
+ 0x36, 0xd1, 0xe0, 0xe0, 0x5d, 0x20, 0x43, 0x90, 0xc4, 0x65, 0x61, 0x93,
|
||||||
|
+ 0xe2, 0x0f, 0x51, 0x59, 0x0a, 0xf7, 0x88, 0x70, 0x57, 0xb9, 0x04, 0xa9,
|
||||||
|
+ 0x32, 0x57, 0x9c, 0xb3, 0x57, 0x38, 0x8b, 0x8e, 0x46, 0xc8, 0x32, 0x6c,
|
||||||
|
+ 0xb4, 0xf3, 0x96, 0x7f, 0x4b, 0xf0, 0x88, 0xf9, 0x7f, 0xe2, 0x71, 0xe1,
|
||||||
|
+ 0x8b, 0xe2, 0x14, 0xf1, 0x4b, 0x25, 0x00, 0x48, 0x1c, 0x7e, 0xe5, 0x8d,
|
||||||
|
+ 0x65, 0x2d, 0xeb, 0x72, 0x4f, 0x92, 0x44, 0xf3, 0xe6, 0xe0, 0xd0, 0xdf,
|
||||||
|
+ 0x85, 0xa8, 0x13, 0x4a, 0xfb, 0x99, 0xca, 0x14, 0x2c, 0x97, 0x80, 0x93,
|
||||||
|
+ 0x27, 0xd3, 0x20, 0xf8, 0x6d, 0x29, 0x28, 0x2c, 0xb9, 0x77, 0xea, 0xb1,
|
||||||
|
+ 0x63, 0xbd, 0x7d, 0x53, 0xfd, 0x4a, 0x62, 0x64, 0x0b, 0x98, 0xa8, 0xae,
|
||||||
|
+ 0x11, 0xfc, 0x6e, 0x8d, 0x63, 0xd4, 0x15, 0x55, 0xc6, 0x4c, 0x74, 0xf5,
|
||||||
|
+ 0x5f, 0xa0, 0xb9, 0x2c, 0x2d, 0x9a, 0x7a, 0x87, 0x6e, 0xf0, 0x5e, 0x25,
|
||||||
|
+ 0xed, 0xfc, 0xd8, 0xc4, 0x34, 0x33, 0x32, 0xad, 0x01, 0xd4, 0x4b, 0x49,
|
||||||
|
+ 0x51, 0xc2, 0x07, 0x7f, 0x90, 0x6d, 0xea, 0xf5, 0x4c, 0x41, 0x71, 0x64,
|
||||||
|
+ 0xeb, 0x1f, 0x29, 0xa3, 0x1f, 0x64, 0xa2, 0x1e, 0x0e, 0x6f, 0xa1, 0x67,
|
||||||
|
+ 0x99, 0x8d, 0x98, 0x1c, 0xb8, 0x53, 0x9d, 0x30, 0x1d, 0xae, 0x32, 0x56,
|
||||||
|
+ 0xd2
|
||||||
|
+};
|
||||||
|
+unsigned int certificate_printable_der_len = 829;
|
333
0303-appended-signatures-documentation.patch
Normal file
333
0303-appended-signatures-documentation.patch
Normal file
@ -0,0 +1,333 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||||
|
Date: Mon, 8 Feb 2021 19:30:54 +0100
|
||||||
|
Subject: [PATCH] appended signatures: documentation
|
||||||
|
|
||||||
|
This explains how appended signatures can be used to form part of
|
||||||
|
a secure boot chain, and documents the commands and variables
|
||||||
|
introduced.
|
||||||
|
|
||||||
|
(docs: s/grub/grub2/)
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
docs/grub.texi | 189 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
|
||||||
|
1 file changed, 174 insertions(+), 15 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
|
index 7fc2a62a4f8..7fe365414e4 100644
|
||||||
|
--- a/docs/grub.texi
|
||||||
|
+++ b/docs/grub.texi
|
||||||
|
@@ -3160,6 +3160,7 @@ These variables have special meaning to GRUB.
|
||||||
|
|
||||||
|
@menu
|
||||||
|
* biosnum::
|
||||||
|
+* check_appended_signatures::
|
||||||
|
* check_signatures::
|
||||||
|
* chosen::
|
||||||
|
* cmdpath::
|
||||||
|
@@ -3219,11 +3220,18 @@ For an alternative approach which also changes BIOS drive mappings for the
|
||||||
|
chain-loaded system, @pxref{drivemap}.
|
||||||
|
|
||||||
|
|
||||||
|
+@node check_appended_signatures
|
||||||
|
+@subsection check_appended_signatures
|
||||||
|
+
|
||||||
|
+This variable controls whether GRUB enforces appended signature validation on
|
||||||
|
+certain loaded files. @xref{Using appended signatures}.
|
||||||
|
+
|
||||||
|
+
|
||||||
|
@node check_signatures
|
||||||
|
@subsection check_signatures
|
||||||
|
|
||||||
|
-This variable controls whether GRUB enforces digital signature
|
||||||
|
-validation on loaded files. @xref{Using digital signatures}.
|
||||||
|
+This variable controls whether GRUB enforces GPG-style digital signature
|
||||||
|
+validation on loaded files. @xref{Using GPG-style digital signatures}.
|
||||||
|
|
||||||
|
@node chosen
|
||||||
|
@subsection chosen
|
||||||
|
@@ -3937,6 +3945,7 @@ you forget a command, you can run the command @command{help}
|
||||||
|
* date:: Display or set current date and time
|
||||||
|
* devicetree:: Load a device tree blob
|
||||||
|
* distrust:: Remove a pubkey from trusted keys
|
||||||
|
+* distrust_certificate:: Remove a certificate from the list of trusted certificates
|
||||||
|
* drivemap:: Map a drive to another
|
||||||
|
* echo:: Display a line of text
|
||||||
|
* eval:: Evaluate agruments as GRUB commands
|
||||||
|
@@ -3953,6 +3962,7 @@ you forget a command, you can run the command @command{help}
|
||||||
|
* keystatus:: Check key modifier status
|
||||||
|
* linux:: Load a Linux kernel
|
||||||
|
* linux16:: Load a Linux kernel (16-bit mode)
|
||||||
|
+* list_certificates:: List trusted certificates
|
||||||
|
* list_env:: List variables in environment block
|
||||||
|
* list_trusted:: List trusted public keys
|
||||||
|
* load_env:: Load variables from environment block
|
||||||
|
@@ -3990,9 +4000,11 @@ you forget a command, you can run the command @command{help}
|
||||||
|
* test:: Check file types and compare values
|
||||||
|
* true:: Do nothing, successfully
|
||||||
|
* trust:: Add public key to list of trusted keys
|
||||||
|
+* trust_certificate:: Add an x509 certificate to the list of trusted certificates
|
||||||
|
* unset:: Unset an environment variable
|
||||||
|
* uppermem:: Set the upper memory size
|
||||||
|
@comment * vbeinfo:: List available video modes
|
||||||
|
+* verify_appended:: Verify appended digital signature
|
||||||
|
* verify_detached:: Verify detached digital signature
|
||||||
|
* videoinfo:: List available video modes
|
||||||
|
@comment * xen_*:: Xen boot commands for AArch64
|
||||||
|
@@ -4284,9 +4296,28 @@ These keys are used to validate signatures when environment variable
|
||||||
|
@code{check_signatures} is set to @code{enforce}
|
||||||
|
(@pxref{check_signatures}), and by some invocations of
|
||||||
|
@command{verify_detached} (@pxref{verify_detached}). @xref{Using
|
||||||
|
-digital signatures}, for more information.
|
||||||
|
+GPG-style digital signatures}, for more information.
|
||||||
|
@end deffn
|
||||||
|
|
||||||
|
+
|
||||||
|
+@node distrust_certificate
|
||||||
|
+@subsection distrust_certificate
|
||||||
|
+
|
||||||
|
+@deffn Command distrust_certificate cert_number
|
||||||
|
+Remove the x509 certificate numbered @var{cert_number} from GRUB's keyring of
|
||||||
|
+trusted x509 certificates for verifying appended signatures.
|
||||||
|
+
|
||||||
|
+@var{cert_number} is the certificate number as listed by
|
||||||
|
+@command{list_certificates} (@pxref{list_certificates}).
|
||||||
|
+
|
||||||
|
+These certificates are used to validate appended signatures when environment
|
||||||
|
+variable @code{check_appended_signatures} is set to @code{enforce}
|
||||||
|
+(@pxref{check_appended_signatures}), and by @command{verify_appended}
|
||||||
|
+(@pxref{verify_appended}). See @xref{Using appended signatures} for more
|
||||||
|
+information.
|
||||||
|
+@end deffn
|
||||||
|
+
|
||||||
|
+
|
||||||
|
@node drivemap
|
||||||
|
@subsection drivemap
|
||||||
|
|
||||||
|
@@ -4544,6 +4575,21 @@ This command is only available on x86 systems.
|
||||||
|
@end deffn
|
||||||
|
|
||||||
|
|
||||||
|
+@node list_certificates
|
||||||
|
+@subsection list_certificates
|
||||||
|
+
|
||||||
|
+@deffn Command list_certificates
|
||||||
|
+List all x509 certificates trusted by GRUB for validating appended signatures.
|
||||||
|
+The output is a numbered list of certificates, showing the certificate's serial
|
||||||
|
+number and Common Name.
|
||||||
|
+
|
||||||
|
+The certificate number can be used as an argument to
|
||||||
|
+@command{distrust_certificate} (@pxref{distrust_certificate}).
|
||||||
|
+
|
||||||
|
+See @xref{Using appended signatures} for more information.
|
||||||
|
+@end deffn
|
||||||
|
+
|
||||||
|
+
|
||||||
|
@node list_env
|
||||||
|
@subsection list_env
|
||||||
|
|
||||||
|
@@ -4563,7 +4609,7 @@ The output is in GPG's v4 key fingerprint format (i.e., the output of
|
||||||
|
@code{gpg --fingerprint}). The least significant four bytes (last
|
||||||
|
eight hexadecimal digits) can be used as an argument to
|
||||||
|
@command{distrust} (@pxref{distrust}).
|
||||||
|
-@xref{Using digital signatures}, for more information about uses for
|
||||||
|
+@xref{Using GPG-style digital signatures}, for more information about uses for
|
||||||
|
these keys.
|
||||||
|
@end deffn
|
||||||
|
|
||||||
|
@@ -4598,8 +4644,12 @@ When used with care, @option{--skip-sig} and the whitelist enable an
|
||||||
|
administrator to configure a system to boot only signed
|
||||||
|
configurations, but to allow the user to select from among multiple
|
||||||
|
configurations, and to enable ``one-shot'' boot attempts and
|
||||||
|
-``savedefault'' behavior. @xref{Using digital signatures}, for more
|
||||||
|
+``savedefault'' behavior. @xref{Using GPG-style digital signatures}, for more
|
||||||
|
information.
|
||||||
|
+
|
||||||
|
+Extra care should be taken when combining this command with appended signatures
|
||||||
|
+(@pxref{Using appended signatures}), as this file is not validated by an
|
||||||
|
+appended signature and could set @code{check_appended_signatures=no}.
|
||||||
|
@end deffn
|
||||||
|
|
||||||
|
|
||||||
|
@@ -4903,7 +4953,7 @@ read. It is possible to modify a digitally signed environment block
|
||||||
|
file from within GRUB using this command, such that its signature will
|
||||||
|
no longer be valid on subsequent boots. Care should be taken in such
|
||||||
|
advanced configurations to avoid rendering the system
|
||||||
|
-unbootable. @xref{Using digital signatures}, for more information.
|
||||||
|
+unbootable. @xref{Using GPG-style digital signatures}, for more information.
|
||||||
|
@end deffn
|
||||||
|
|
||||||
|
|
||||||
|
@@ -5228,11 +5278,31 @@ signatures when environment variable @code{check_signatures} is set to
|
||||||
|
must itself be properly signed. The @option{--skip-sig} option can be
|
||||||
|
used to disable signature-checking when reading @var{pubkey_file}
|
||||||
|
itself. It is expected that @option{--skip-sig} is useful for testing
|
||||||
|
-and manual booting. @xref{Using digital signatures}, for more
|
||||||
|
+and manual booting. @xref{Using GPG-style digital signatures}, for more
|
||||||
|
information.
|
||||||
|
@end deffn
|
||||||
|
|
||||||
|
|
||||||
|
+@node trust_certificate
|
||||||
|
+@subsection trust_certificate
|
||||||
|
+
|
||||||
|
+@deffn Command trust_certificate x509_certificate
|
||||||
|
+Read an DER-formatted x509 certificate from the file @var{x509_certificate}
|
||||||
|
+and add it to GRUB's internal list of trusted x509 certificates. These
|
||||||
|
+certificates are used to validate appended signatures when the environment
|
||||||
|
+variable @code{check_appended_signatures} is set to @code{enforce}.
|
||||||
|
+
|
||||||
|
+Note that if @code{check_appended_signatures} is set to @code{enforce}
|
||||||
|
+when @command{trust_certificate} is executed, then @var{x509_certificate}
|
||||||
|
+must itself bear an appended signature. (It is not sufficient that
|
||||||
|
+@var{x509_certificate} be signed by a trusted certificate according to the
|
||||||
|
+x509 rules: grub does not include support for validating signatures within x509
|
||||||
|
+certificates themselves.)
|
||||||
|
+
|
||||||
|
+See @xref{Using appended signatures} for more information.
|
||||||
|
+@end deffn
|
||||||
|
+
|
||||||
|
+
|
||||||
|
@node unset
|
||||||
|
@subsection unset
|
||||||
|
|
||||||
|
@@ -5257,6 +5327,18 @@ only on PC BIOS platforms.
|
||||||
|
@end deffn
|
||||||
|
@end ignore
|
||||||
|
|
||||||
|
+@node verify_appended
|
||||||
|
+@subsection verify_appended
|
||||||
|
+
|
||||||
|
+@deffn Command verify_appended file
|
||||||
|
+Verifies an appended signature on @var{file} against the trusted certificates
|
||||||
|
+known to GRUB (See @pxref{list_certificates}, @pxref{trust_certificate}, and
|
||||||
|
+@pxref{distrust_certificate}).
|
||||||
|
+
|
||||||
|
+Exit code @code{$?} is set to 0 if the signature validates
|
||||||
|
+successfully. If validation fails, it is set to a non-zero value.
|
||||||
|
+See @xref{Using appended signatures}, for more information.
|
||||||
|
+@end deffn
|
||||||
|
|
||||||
|
@node verify_detached
|
||||||
|
@subsection verify_detached
|
||||||
|
@@ -5275,7 +5357,7 @@ tried.
|
||||||
|
|
||||||
|
Exit code @code{$?} is set to 0 if the signature validates
|
||||||
|
successfully. If validation fails, it is set to a non-zero value.
|
||||||
|
-@xref{Using digital signatures}, for more information.
|
||||||
|
+@xref{Using GPG-style digital signatures}, for more information.
|
||||||
|
@end deffn
|
||||||
|
|
||||||
|
@node videoinfo
|
||||||
|
@@ -5636,11 +5718,12 @@ environment variables and commands are listed in the same order.
|
||||||
|
@chapter Security
|
||||||
|
|
||||||
|
@menu
|
||||||
|
-* Authentication and authorisation:: Users and access control
|
||||||
|
-* Using digital signatures:: Booting digitally signed code
|
||||||
|
-* Signing GRUB itself:: Ensuring the integrity of the GRUB core image
|
||||||
|
-* UEFI secure boot and shim:: Booting digitally signed PE files
|
||||||
|
-* Measured Boot:: Measuring boot components
|
||||||
|
+* Authentication and authorisation:: Users and access control
|
||||||
|
+* Using GPG-style digital signatures:: Booting digitally signed code
|
||||||
|
+* Using appended signatures:: An alternative approach to booting digitally signed code
|
||||||
|
+* Signing GRUB itself:: Ensuring the integrity of the GRUB core image
|
||||||
|
+* UEFI secure boot and shim:: Booting digitally signed PE files
|
||||||
|
+* Measured Boot:: Measuring boot components
|
||||||
|
@end menu
|
||||||
|
|
||||||
|
@node Authentication and authorisation
|
||||||
|
@@ -5713,8 +5796,8 @@ generating configuration files with authentication. You can use
|
||||||
|
adding @kbd{set superusers=} and @kbd{password} or @kbd{password_pbkdf2}
|
||||||
|
commands.
|
||||||
|
|
||||||
|
-@node Using digital signatures
|
||||||
|
-@section Using digital signatures in GRUB
|
||||||
|
+@node Using GPG-style digital signatures
|
||||||
|
+@section Using GPG-style digital signatures in GRUB
|
||||||
|
|
||||||
|
GRUB's @file{core.img} can optionally provide enforcement that all files
|
||||||
|
subsequently read from disk are covered by a valid digital signature.
|
||||||
|
@@ -5797,6 +5880,82 @@ or BIOS) configuration to cause the machine to boot from a different
|
||||||
|
(attacker-controlled) device. GRUB is at best only one link in a
|
||||||
|
secure boot chain.
|
||||||
|
|
||||||
|
+@node Using appended signatures
|
||||||
|
+@section Using appended signatures in GRUB
|
||||||
|
+
|
||||||
|
+GRUB supports verifying Linux-style 'appended signatures' for secure boot.
|
||||||
|
+Appended signatures are PKCS#7 messages containing a signature over the
|
||||||
|
+contents of a file, plus some metadata, appended to the end of a file. A file
|
||||||
|
+with an appended signature ends with the magic string:
|
||||||
|
+
|
||||||
|
+@example
|
||||||
|
+~Module signature appended~\n
|
||||||
|
+@end example
|
||||||
|
+
|
||||||
|
+where @code{\n} represents the carriage-return character, @code{0x0a}.
|
||||||
|
+
|
||||||
|
+To enable appended signature verification, load the appendedsig module and an
|
||||||
|
+x509 certificate for verification. Building the appendedsig module into the
|
||||||
|
+core grub image is recommended.
|
||||||
|
+
|
||||||
|
+Certificates can be managed at boot time using the @pxref{trust_certificate},
|
||||||
|
+@pxref{distrust_certificate} and @pxref{list_certificates} commands.
|
||||||
|
+Certificates can also be built in to the core image using the @code{--x509}
|
||||||
|
+parameter to @command{grub-install} or @command{grub-mkimage}.
|
||||||
|
+
|
||||||
|
+A file can be explictly verified using the @pxref{verify_appended} command.
|
||||||
|
+
|
||||||
|
+Only signatures made with the SHA-256 or SHA-512 hash algorithm are supported,
|
||||||
|
+and only RSA signatures are supported.
|
||||||
|
+
|
||||||
|
+A file can be signed with the @command{sign-file} utility supplied with the
|
||||||
|
+Linux kernel source. For example, if you have @code{signing.key} as the private
|
||||||
|
+key and @code{certificate.der} as the x509 certificate containing the public key:
|
||||||
|
+
|
||||||
|
+@example
|
||||||
|
+sign-file SHA256 signing.key certificate.der vmlinux vmlinux.signed
|
||||||
|
+@end example
|
||||||
|
+
|
||||||
|
+Enforcement of signature verification is controlled by the
|
||||||
|
+@code{check_appended_signatures} variable. Verification will only take place
|
||||||
|
+when files are loaded if the variable is set to @code{enforce}. If a
|
||||||
|
+certificate is built into the grub core image with the @code{--x509} parameter,
|
||||||
|
+the variable will be automatically set to @code{enforce} when the appendedsig
|
||||||
|
+module is loaded.
|
||||||
|
+
|
||||||
|
+Unlike GPG-style signatures, not all files loaded by GRUB are required to be
|
||||||
|
+signed. Once verification is turned on, the following file types must carry
|
||||||
|
+appended signatures:
|
||||||
|
+
|
||||||
|
+@enumerate
|
||||||
|
+@item Linux, Multiboot, BSD, XNU and Plan9 kernels
|
||||||
|
+@item Grub modules, except those built in to the core image
|
||||||
|
+@item Any new certificate files to be trusted
|
||||||
|
+@end enumerate
|
||||||
|
+
|
||||||
|
+ACPI tables and Device Tree images will not be checked for appended signatures
|
||||||
|
+but must be verified by another mechanism such as GPG-style signatures before
|
||||||
|
+they will be loaded.
|
||||||
|
+
|
||||||
|
+No attempt is made to validate any other file type. In particular,
|
||||||
|
+chain-loaded binaries are not verified - if your platform supports
|
||||||
|
+chain-loading and this cannot be disabled, consider an alternative secure
|
||||||
|
+boot mechanism.
|
||||||
|
+
|
||||||
|
+As with GPG-style appended signatures, signature checking does @strong{not}
|
||||||
|
+stop an attacker with console access from dropping manually to the GRUB
|
||||||
|
+console and executing:
|
||||||
|
+
|
||||||
|
+@example
|
||||||
|
+set check_appended_signatures=no
|
||||||
|
+@end example
|
||||||
|
+
|
||||||
|
+Refer to the section on password-protecting GRUB (@pxref{Authentication
|
||||||
|
+and authorisation}) for more information on preventing this.
|
||||||
|
+
|
||||||
|
+Additionally, special care must be taken around the @command{loadenv} command,
|
||||||
|
+which can be used to turn off @code{check_appended_signature}.
|
||||||
|
+
|
||||||
|
@node Signing GRUB itself
|
||||||
|
@section Signing GRUB itself
|
||||||
|
|
137
0304-ieee1275-link-appended-signature-enforcement-to-ibm-.patch
Normal file
137
0304-ieee1275-link-appended-signature-enforcement-to-ibm-.patch
Normal file
@ -0,0 +1,137 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Mon, 28 Sep 2020 11:11:17 +1000
|
||||||
|
Subject: [PATCH] ieee1275: link appended-signature enforcement to
|
||||||
|
/ibm,secure-boot
|
||||||
|
|
||||||
|
If the 'ibm,secure-boot' property of the root node is 2 or greater,
|
||||||
|
require that the kernel pass appended-signature verification.
|
||||||
|
|
||||||
|
Do not consider the presence of a certificate to enforce verification.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/commands/appendedsig/appendedsig.c | 44 +++++++++++++++++++++-------
|
||||||
|
grub-core/kern/ieee1275/init.c | 26 ++++++++++++++++
|
||||||
|
2 files changed, 60 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
|
||||||
|
index 1fbc942254a..6efe58ce8b2 100644
|
||||||
|
--- a/grub-core/commands/appendedsig/appendedsig.c
|
||||||
|
+++ b/grub-core/commands/appendedsig/appendedsig.c
|
||||||
|
@@ -95,10 +95,24 @@ static char *
|
||||||
|
grub_env_write_sec (struct grub_env_var *var __attribute__((unused)),
|
||||||
|
const char *val)
|
||||||
|
{
|
||||||
|
+ if (check_sigs == 2)
|
||||||
|
+ return grub_strdup ("forced");
|
||||||
|
check_sigs = (*val == '1') || (*val == 'e');
|
||||||
|
return grub_strdup (check_sigs ? "enforce" : "no");
|
||||||
|
}
|
||||||
|
|
||||||
|
+static const char *
|
||||||
|
+grub_env_read_sec (struct grub_env_var *var __attribute__ ((unused)),
|
||||||
|
+ const char *val __attribute__ ((unused)))
|
||||||
|
+{
|
||||||
|
+ if (check_sigs == 2)
|
||||||
|
+ return "forced";
|
||||||
|
+ else if (check_sigs == 1)
|
||||||
|
+ return "enforce";
|
||||||
|
+ else
|
||||||
|
+ return "no";
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static grub_err_t
|
||||||
|
read_cert_from_file (grub_file_t f, struct x509_certificate *certificate)
|
||||||
|
{
|
||||||
|
@@ -552,14 +566,20 @@ GRUB_MOD_INIT (appendedsig)
|
||||||
|
val = grub_env_get ("check_appended_signatures");
|
||||||
|
grub_dprintf ("appendedsig", "check_appended_signatures='%s'\n", val);
|
||||||
|
|
||||||
|
- if (val && (val[0] == '1' || val[0] == 'e'))
|
||||||
|
- check_sigs = 1;
|
||||||
|
- else
|
||||||
|
- check_sigs = 0;
|
||||||
|
+ if (val)
|
||||||
|
+ {
|
||||||
|
+ if (val[0] == '2' || val[0] == 'f')
|
||||||
|
+ check_sigs = 2;
|
||||||
|
+ else if (val[0] == '1' || val[0] == 'e')
|
||||||
|
+ check_sigs = 1;
|
||||||
|
+ else
|
||||||
|
+ check_sigs = 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
grub_trusted_key = NULL;
|
||||||
|
|
||||||
|
- grub_register_variable_hook ("check_appended_signatures", 0,
|
||||||
|
+ grub_register_variable_hook ("check_appended_signatures",
|
||||||
|
+ grub_env_read_sec,
|
||||||
|
grub_env_write_sec);
|
||||||
|
grub_env_export ("check_appended_signatures");
|
||||||
|
|
||||||
|
@@ -603,11 +623,15 @@ GRUB_MOD_INIT (appendedsig)
|
||||||
|
grub_trusted_key = pk;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (!val || val[0] == '\0')
|
||||||
|
- {
|
||||||
|
- grub_env_set ("check_appended_signatures",
|
||||||
|
- grub_trusted_key ? "enforce" : "no");
|
||||||
|
- }
|
||||||
|
+ /*
|
||||||
|
+ * When controlled by ibm,secure-boot, we don't want the presence of
|
||||||
|
+ * a certificate to enforce secure boot.
|
||||||
|
+ * if (!val || val[0] == '\0')
|
||||||
|
+ * {
|
||||||
|
+ * grub_env_set ("check_appended_signatures",
|
||||||
|
+ * grub_trusted_key ? "enforce" : "no");
|
||||||
|
+ * }
|
||||||
|
+ */
|
||||||
|
|
||||||
|
cmd_trust =
|
||||||
|
grub_register_command ("trust_certificate", grub_cmd_trust,
|
||||||
|
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
|
||||||
|
index d84fba44d10..9ffc7919da8 100644
|
||||||
|
--- a/grub-core/kern/ieee1275/init.c
|
||||||
|
+++ b/grub-core/kern/ieee1275/init.c
|
||||||
|
@@ -269,6 +269,30 @@ grub_parse_cmdline (void)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void
|
||||||
|
+grub_get_ieee1275_secure_boot (void)
|
||||||
|
+{
|
||||||
|
+ grub_ieee1275_phandle_t root;
|
||||||
|
+ int rc;
|
||||||
|
+ grub_uint32_t is_sb;
|
||||||
|
+
|
||||||
|
+ grub_ieee1275_finddevice ("/", &root);
|
||||||
|
+
|
||||||
|
+ rc = grub_ieee1275_get_integer_property (root, "ibm,secure-boot", &is_sb,
|
||||||
|
+ sizeof (is_sb), 0);
|
||||||
|
+
|
||||||
|
+ /* ibm,secure-boot:
|
||||||
|
+ * 0 - disabled
|
||||||
|
+ * 1 - audit
|
||||||
|
+ * 2 - enforce
|
||||||
|
+ * 3 - enforce + OS-specific behaviour
|
||||||
|
+ *
|
||||||
|
+ * We only support enforce.
|
||||||
|
+ */
|
||||||
|
+ if (rc >= 0 && is_sb >= 2)
|
||||||
|
+ grub_env_set("check_appended_signatures", "forced");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
grub_addr_t grub_modbase;
|
||||||
|
|
||||||
|
void
|
||||||
|
@@ -294,6 +318,8 @@ grub_machine_init (void)
|
||||||
|
#else
|
||||||
|
grub_install_get_time_ms (grub_rtc_get_time_ms);
|
||||||
|
#endif
|
||||||
|
+
|
||||||
|
+ grub_get_ieee1275_secure_boot ();
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
25
grub.patches
25
grub.patches
@ -277,3 +277,28 @@ Patch0276: 0276-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
|
|||||||
Patch0277: 0277-ieee1275-powerpc-enables-device-mapper-discovery.patch
|
Patch0277: 0277-ieee1275-powerpc-enables-device-mapper-discovery.patch
|
||||||
Patch0278: 0278-btrfs-Add-support-for-new-RAID1C34-profiles.patch
|
Patch0278: 0278-btrfs-Add-support-for-new-RAID1C34-profiles.patch
|
||||||
Patch0279: 0279-at_keyboard-use-set-1-when-keyboard-is-in-Translate-.patch
|
Patch0279: 0279-at_keyboard-use-set-1-when-keyboard-is-in-Translate-.patch
|
||||||
|
Patch0280: 0280-Add-at_keyboard_fallback_set-var-to-force-the-set-ma.patch
|
||||||
|
Patch0281: 0281-verifiers-Fix-calling-uninitialized-function-pointer.patch
|
||||||
|
Patch0282: 0282-ieee1275-claim-up-to-256MB-memory.patch
|
||||||
|
Patch0283: 0283-Add-suport-for-signing-grub-with-an-appended-signatu.patch
|
||||||
|
Patch0284: 0284-docs-grub-Document-signing-grub-under-UEFI.patch
|
||||||
|
Patch0285: 0285-docs-grub-Document-signing-grub-with-an-appended-sig.patch
|
||||||
|
Patch0286: 0286-docs-grub-grub-install-is-no-longer-a-shell-script.patch
|
||||||
|
Patch0287: 0287-docs-grub-pubkey-has-been-supported-for-some-time.patch
|
||||||
|
Patch0288: 0288-dl-provide-a-fake-grub_dl_set_persistent-for-the-emu.patch
|
||||||
|
Patch0289: 0289-verifiers-provide-unsafe-module-list.patch
|
||||||
|
Patch0290: 0290-pgp-factor-out-rsa_pad.patch
|
||||||
|
Patch0291: 0291-crypto-move-storage-for-grub_crypto_pk_-to-crypto.c.patch
|
||||||
|
Patch0292: 0292-posix_wrap-tweaks-in-preparation-for-libtasn1.patch
|
||||||
|
Patch0293: 0293-libtasn1-import-libtasn1-4.16.0.patch
|
||||||
|
Patch0294: 0294-libtasn1-disable-code-not-needed-in-grub.patch
|
||||||
|
Patch0295: 0295-libtasn1-changes-for-grub-compatibility.patch
|
||||||
|
Patch0296: 0296-libtasn1-compile-into-asn1-module.patch
|
||||||
|
Patch0297: 0297-test_asn1-test-module-for-libtasn1.patch
|
||||||
|
Patch0298: 0298-grub-install-support-embedding-x509-certificates.patch
|
||||||
|
Patch0299: 0299-appended-signatures-import-GNUTLS-s-ASN.1-descriptio.patch
|
||||||
|
Patch0300: 0300-appended-signatures-parse-PKCS-7-signedData-and-X.50.patch
|
||||||
|
Patch0301: 0301-appended-signatures-support-verifying-appended-signa.patch
|
||||||
|
Patch0302: 0302-appended-signatures-verification-tests.patch
|
||||||
|
Patch0303: 0303-appended-signatures-documentation.patch
|
||||||
|
Patch0304: 0304-ieee1275-link-appended-signature-enforcement-to-ibm-.patch
|
||||||
|
10
grub2.spec
10
grub2.spec
@ -14,7 +14,7 @@
|
|||||||
Name: grub2
|
Name: grub2
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 2.04
|
Version: 2.04
|
||||||
Release: 34%{?dist}
|
Release: 35%{?dist}
|
||||||
Summary: Bootloader with support for Linux, Multiboot and more
|
Summary: Bootloader with support for Linux, Multiboot and more
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
URL: http://www.gnu.org/software/grub/
|
URL: http://www.gnu.org/software/grub/
|
||||||
@ -518,6 +518,14 @@ rm -r /boot/grub2.tmp/ || :
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Feb 08 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.04-35
|
||||||
|
- Remove -fcf-protection compiler flag to allow i386 builds (law)
|
||||||
|
Related: rhbz#1915452
|
||||||
|
- Unify GRUB configuration file location across all platforms
|
||||||
|
Related: rhbz#1918817
|
||||||
|
- Add 'at_keyboard_fallback_set' var to force the set manually (rmetrich)
|
||||||
|
- Add appended signatures support for ppc64le LPAR Secure Boot (daxtens)
|
||||||
|
|
||||||
* Tue Jan 12 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.04-34
|
* Tue Jan 12 2021 Javier Martinez Canillas <javierm@redhat.com> - 2.04-34
|
||||||
- at_keyboard: use set 1 when keyboard is in Translate mode (rmetrich)
|
- at_keyboard: use set 1 when keyboard is in Translate mode (rmetrich)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user