On Tue, Jun 10, 2025 at 09:20:46PM +0530, Sudhakar wrote:
> From: Daniel Axtens <d...@axtens.net>
>
> This code allows us to parse:
>
> - X.509 certificates: at least enough to verify the signatures on the
> PKCS#7 messages. We expect that the certificates embedded in grub will
s/grub/GRUB/ The project name is GRUB... Please fix this everywhere...
> be leaf certificates, not CA certificates. The parser enforces this.
>
> - X.509 certificates support the Extended Key Usage extension and handle
> it by verifying that the certificate has a Code Signing usage.
>
> Signed-off-by: Javier Martinez Canillas <javi...@redhat.com> # EKU support
> Reported-by: Michal Suchanek <msucha...@suse.com> # key usage issue
> Signed-off-by: Daniel Axtens <d...@axtens.net>
> Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
> Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
> Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com>
> ---
> grub-core/commands/appendedsig/appendedsig.h | 30 +
> grub-core/commands/appendedsig/x509.c | 954 +++++++++++++++++++
> 2 files changed, 984 insertions(+)
> create mode 100644 grub-core/commands/appendedsig/x509.c
[...]
> +/* Decode a string as defined in Appendix A */
> +static grub_err_t
> +decode_string (char *der, int der_size, char **string, grub_size_t
> *string_size)
> +{
> + asn1_node strasn;
> + int result;
> + char *choice;
> + int choice_size = 0;
> + int tmp_size = 0;
> + grub_err_t err = GRUB_ERR_NONE;
> +
> + result = asn1_create_element (grub_gnutls_pkix_asn,
> "PKIX1.DirectoryString", &strasn);
> + if (result != ASN1_SUCCESS)
> + return grub_error (GRUB_ERR_OUT_OF_MEMORY,
> + N_("could not create ASN.1 structure for certificate:
> %s"),
> + asn1_strerror (result));
> +
> + result = asn1_der_decoding2 (&strasn, der, &der_size,
> ASN1_DECODE_FLAG_STRICT_DER, asn1_error);
> + if (result != ASN1_SUCCESS)
> + {
> + err = grub_error (GRUB_ERR_BAD_FILE_TYPE,
> + N_("could not parse DER for DirectoryString: %s"),
> asn1_error);
> + goto cleanup;
> + }
> +
> + choice = grub_asn1_allocate_and_read (strasn, "", "DirectoryString
> choice", &choice_size);
> + if (choice == NULL)
> + {
> + err = grub_errno;
> + goto cleanup;
> + }
> +
> + if (grub_strncmp ("utf8String", choice, choice_size) == 0)
> + {
> + result = asn1_read_value (strasn, "utf8String", NULL, &tmp_size);
> + if (result != ASN1_MEM_ERROR)
> + {
> + err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("error reading size
> of UTF-8 string: %s"),
> + asn1_strerror (result));
> + goto cleanup_choice;
> + }
> + }
> + else if (grub_strncmp ("printableString", choice, choice_size) == 0)
> + {
> + result = asn1_read_value (strasn, "printableString", NULL, &tmp_size);
> + if (result != ASN1_MEM_ERROR)
> + {
> + err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("error reading size
> of UTF-8 string: %s"),
This error message seems like copypasta mistake...
> + asn1_strerror (result));
> + goto cleanup_choice;
> + }
> + }
> + else
> + {
> + err = grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
> + N_("only UTF-8 and printable DirectoryStrings are
> supported, got %s"),
> + choice);
> + goto cleanup_choice;
> + }
> +
> + /* read size does not include trailing null */
s/read size does not include trailing null/Read size does not include trailing
NUL./
> + tmp_size++;
> +
> + *string = grub_malloc (tmp_size);
> + if (*string == NULL)
> + {
> + err = grub_error (GRUB_ERR_OUT_OF_MEMORY,
> + "cannot allocate memory for DirectoryString
> contents");
> + goto cleanup_choice;
> + }
> +
> + result = asn1_read_value (strasn, choice, *string, &tmp_size);
> + if (result != ASN1_SUCCESS)
> + {
> + err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("error reading out %s in
> DirectoryString: %s"),
> + choice, asn1_strerror (result));
> + grub_free (*string);
> + *string = NULL;
> + goto cleanup_choice;
> + }
> +
> + *string_size = tmp_size + 1;
> + (*string)[tmp_size] = '\0';
> +
> + cleanup_choice:
> + grub_free (choice);
> + cleanup:
> + asn1_delete_structure (&strasn);
> +
> + return err;
> +}
[...]
> +static grub_err_t
> +verify_extended_key_usage (grub_uint8_t *value, int value_size)
> +{
> + asn1_node extendedasn;
> + int result, count, i = 0;
> + grub_err_t err = GRUB_ERR_NONE;
> + char usage[MAX_OID_LEN], name[3];
> + int usage_size = sizeof (usage);
> +
> + result = asn1_create_element (grub_gnutls_pkix_asn,
> "PKIX1.ExtKeyUsageSyntax", &extendedasn);
> + if (result != ASN1_SUCCESS)
> + return grub_error (GRUB_ERR_OUT_OF_MEMORY,
> + "could not create ASN.1 structure for Extended Key
> Usage");
> +
> + result = asn1_der_decoding2 (&extendedasn, value, &value_size,
> + ASN1_DECODE_FLAG_STRICT_DER, asn1_error);
> + if (result != ASN1_SUCCESS)
> + {
> + err = grub_error (GRUB_ERR_BAD_FILE_TYPE,
> + N_("error parsing DER for Extended Key Usage: %s"),
> asn1_error);
> + goto cleanup;
> + }
> +
> + /* If EKUs are present, it checks the presents of Code Signing usage */
> + result = asn1_number_of_elements (extendedasn, "", &count);
> + if (result != ASN1_SUCCESS)
> + {
> + err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("error counting number of
> Extended Key Usages: %s"),
> + asn1_strerror (result));
> + goto cleanup;
> + }
> +
> +
Redundant empty line...
> + for (i = 1; i < count + 1; i++)
> + {
> + grub_memset (name, 0, sizeof (name));
> + grub_snprintf (name, sizeof (name), "?%d", i);
> + result = asn1_read_value (extendedasn, name, usage, &usage_size);
> + if (result != ASN1_SUCCESS)
> + {
> + err = grub_error (GRUB_ERR_BAD_FILE_TYPE, N_("error reading
> Extended Key Usage: %s"),
> + asn1_strerror (result));
> + goto cleanup;
> + }
> +
> + if (grub_strncmp (codeSigningUsage_oid, usage, usage_size) == 0)
> + goto cleanup;
> + }
> +
> + err = grub_error (GRUB_ERR_BAD_FILE_TYPE, "extended key usage missing Code
> Signing usage");
> +
> + cleanup:
> + asn1_delete_structure (&extendedasn);
> +
> + return err;
> +}
And probably I would consider dropping some more N_() from various
cryptic error messages. Same for other files in the patch set...
Anyway, if you fix these minor issues you can add my RB to this patch.
Daniel
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
