[PATCH v2 0/5] Signed-Boot OpenSSL support
Brett Grandbois
brett.grandbois at opengear.com
Tue May 15 10:55:47 AEST 2018
Changes in v2:
* add build support for openssl 1.1.x
Add support for a configuration choice between GPGME and OpenSSL for signed-boot.
For configuration the --with-signed-boot option now takes the following values:
no - disable signed boot (as before)
gpgme - configure for gpgme (as before), fail if not found
openssl - configure for openssl, fail if not found
yes - look first for gpgme and then openssl, using the first found, fail on none
this should behave as before if gpgme is installed
fail on any other invalid options
Add the following variables:
KEYRING_PATH - path to the gpgme home dir, currently unused in openssl but could
be expanded to be the certificate store for verification. default
is /etc/gpg as before
VERIFY_DIGEST - string to specify signature verification MD in OpenSSL raw dgst mode
The OpenSSL support works like this:
The pb-lockdown file is a PKCS12 file or X509 certificate or PEM-encoded
raw public key. To follow the current conventions the presence of a
PKCS12 file as a lockdown signals decrypt mode because of the presence
of the private key, anything else signals signature verification mode.
The keyring path is currently ignored but in the future could be used to
point to an X509 certificate chain for validity checking. Because of
this, self-signed certificates are currently supported and really just
used as a public key container.
Signature verification mode supports:
* Cryptographic Message Syntax (CMS) as detached S/MIME, this is really
more for consistency with the encryption mode (see below). This mode
requires the lockdown file to be an X509 certificate.
A sample creation command would be:
openssl cms -sign -in (infile) -out (outfile) -binary -nocerts \
-inkey (private key) -signer (recipient certificate)
* Raw signature digest as output from openssl dgst -sign command. This
mode can have the lockdown file be an X509 certificate or a PEM raw
public key but the digest algorithm must be pre-defined by the
VERIFY_DIGEST configure argument. The default is SHA256.
A sample creation command would be:
openssl dgst -sign (private key) -out (outfile) -(digest mode) \
(infile)
Decryption mode supports:
* CMS signed-envelope as attached S/MIME. This is for consistency with
the current expectation of no external file for decryption. Some
future enhancement could be to come up with some proprietary external
file format containing the cipher used, the encrypted cipher key, and
the IV (if necessary).
A sample creation command would be:
openssl cms -sign -in (infile) -signer (recipient certificate) \
-binary -nocerts -nodetach -inkey (private key) | \
openssl cms -encrypt -(cipher mode) -out (outfile) \
(recipient certificate)
The PKCS12 file is expecting the private key to have a password of NULL or
"" as there is currently no mechanism to supply a custom one.
Brett Grandbois (5):
configure: Add signed-boot openssl configuration support
lib/security: add in openssl support
discover: Update to reflect generic signed boot API
ui/ncurses: Update LOCKDOWN_FILE check to reflect generic SIGNED_BOOT
test/lib: Add OpenSSL verify and decrypt tests
configure.ac | 95 +++--
discover/Makefile.am | 3 +-
discover/boot.c | 12 +-
lib/Makefile.am | 42 ++-
lib/security/common.c | 230 +++++++++++++
lib/security/gpg.c | 202 +----------
lib/security/gpg.h | 83 -----
lib/security/none.c | 61 ++++
lib/security/openssl.c | 476 ++++++++++++++++++++++++++
lib/security/security.h | 46 +++
m4/ax_check_openssl.m4 | 124 +++++++
test/lib/Makefile.am | 7 +
test/lib/data/security/cert.p12 | Bin 0 -> 2469 bytes
test/lib/data/security/cert.pem | 21 ++
test/lib/data/security/key.pem | 28 ++
test/lib/data/security/pubkey.pem | 9 +
test/lib/data/security/rootdata.cmsenc | 17 +
test/lib/data/security/rootdata.cmsencver | 41 +++
test/lib/data/security/rootdata.cmsver | 31 ++
test/lib/data/security/rootdata.txt | 2 +
test/lib/data/security/rootdata_different.txt | 2 +
test/lib/data/security/rootdatasha256.sig | Bin 0 -> 256 bytes
test/lib/data/security/rootdatasha512.sig | Bin 0 -> 256 bytes
test/lib/data/security/wrong_cert.pem | 21 ++
test/lib/data/security/wrong_key.pem | 28 ++
test/lib/test-security-openssl-decrypt.c | 82 +++++
test/lib/test-security-openssl-verify.c | 103 ++++++
ui/ncurses/nc-boot-editor.c | 2 +-
28 files changed, 1419 insertions(+), 349 deletions(-)
create mode 100644 lib/security/common.c
delete mode 100644 lib/security/gpg.h
create mode 100644 lib/security/none.c
create mode 100644 lib/security/openssl.c
create mode 100644 lib/security/security.h
create mode 100644 m4/ax_check_openssl.m4
create mode 100644 test/lib/data/security/cert.p12
create mode 100644 test/lib/data/security/cert.pem
create mode 100644 test/lib/data/security/key.pem
create mode 100644 test/lib/data/security/pubkey.pem
create mode 100644 test/lib/data/security/rootdata.cmsenc
create mode 100644 test/lib/data/security/rootdata.cmsencver
create mode 100644 test/lib/data/security/rootdata.cmsver
create mode 100644 test/lib/data/security/rootdata.txt
create mode 100644 test/lib/data/security/rootdata_different.txt
create mode 100644 test/lib/data/security/rootdatasha256.sig
create mode 100644 test/lib/data/security/rootdatasha512.sig
create mode 100644 test/lib/data/security/wrong_cert.pem
create mode 100644 test/lib/data/security/wrong_key.pem
create mode 100644 test/lib/test-security-openssl-decrypt.c
create mode 100644 test/lib/test-security-openssl-verify.c
--
2.7.4
More information about the Petitboot
mailing list
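The three pb-lockdown modes the cover letter describes, round-tripped with the openssl CLI so the verify and decrypt side can be seen next to the sample creation commands. This is an added example, not code from the patch series or from Petitboot: the key pairs, certificates and payload are generated and constructed here (they are not the test vectors the series ships, even where the file names mirror them), and the only assumptions are an openssl binary on PATH and a POSIX mktemp.

```shell
#!/bin/sh
# Added example (not from the patch series or Petitboot): round-trips the three
# pb-lockdown modes the cover letter describes with the openssl CLI. The key
# pairs, certificates and payload are generated here as constructed sample
# data; the only assumptions are an openssl binary on PATH and a POSIX mktemp.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Signer key plus a self-signed certificate. In verification mode the series
# treats the certificate as the pb-lockdown file and validates no chain, so it
# is only a public-key container. A second key pair plays "wrong_cert".
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=signed-boot example" -keyout key.pem -out cert.pem 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=wrong signer" -keyout wrong_key.pem -out wrong_cert.pem 2>/dev/null
openssl x509 -in cert.pem -pubkey -noout > pubkey.pem
printf 'boot payload v1\n' > rootdata.txt
printf 'boot payload v2\n' > rootdata_different.txt

# Mode 1: detached S/MIME CMS signature (the cover letter's first sample).
cms_sign() {  # cms_sign <infile> <outfile>
    openssl cms -sign -in "$1" -out "$2" -binary -nocerts \
        -inkey key.pem -signer cert.pem
}
cms_verify() {  # cms_verify <sigfile> <payload> <lockdown cert>; exit 0 on success
    # -nocerts at sign time means the signer certificate has to come from the
    # lockdown file (-certfile); -noverify matches the series' "no chain
    # validation", so the certificate is trusted purely as a key container.
    openssl cms -verify -in "$1" -content "$2" -binary -noverify \
        -certfile "$3" -out /dev/null 2>/dev/null
}

# Mode 2: raw signature from openssl dgst -sign. The verifier picks the digest
# itself, which is what VERIFY_DIGEST pins at configure time; a signer/verifier
# digest mismatch is a verification failure.
dgst_sign() {  # dgst_sign <md> <infile> <outfile>
    openssl dgst -"$1" -sign key.pem -out "$3" "$2"
}
dgst_verify() {  # dgst_verify <md> <sigfile> <payload>; exit 0 on success
    # dgst -verify wants a bare public key, hence pubkey.pem extracted above.
    openssl dgst -"$1" -verify pubkey.pem -signature "$2" "$3" >/dev/null 2>&1
}

# Mode 3 (decrypt mode): attached signed-data wrapped in enveloped-data, the
# cover letter's piped sign-then-encrypt recipe.
cms_encrypt() {  # cms_encrypt <infile> <outfile>
    openssl cms -sign -in "$1" -signer cert.pem -binary -nocerts -nodetach \
        -inkey key.pem |
    openssl cms -encrypt -aes256 -out "$2" cert.pem
}
cms_decrypt() {  # cms_decrypt <infile> <outfile>; exit 0 only if the inner signature checks out
    # The exit status is that of the final verify, so a wrong recipient key and
    # a bad inner signature both fail the pipeline.
    openssl cms -decrypt -in "$1" -inkey key.pem -recip cert.pem 2>/dev/null |
    openssl cms -verify -binary -noverify -certfile cert.pem -out "$2" 2>/dev/null
}
content_matches() {  # content_matches <a> <b>; exit 0 if the two files are identical
    [ "$(cat "$1")" = "$(cat "$2")" ]
}

# Empty-password PKCS12 bundle, the lockdown form whose private key signals
# decrypt mode in the series (there is no way to pass a non-empty password).
openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.p12 -passout pass:

# One artefact per mode, so the check helpers can be run against good input,
# a modified payload, a wrong certificate and a wrong digest.
cms_sign rootdata.txt rootdata.cmsver
dgst_sign sha256 rootdata.txt rootdatasha256.sig
cms_encrypt rootdata.txt rootdata.cmsenc

for check in \
    "cms_verify rootdata.cmsver rootdata.txt cert.pem" \
    "cms_verify rootdata.cmsver rootdata_different.txt cert.pem" \
    "cms_verify rootdata.cmsver rootdata.txt wrong_cert.pem" \
    "dgst_verify sha256 rootdatasha256.sig rootdata.txt" \
    "dgst_verify sha512 rootdatasha256.sig rootdata.txt"
do
    if $check; then echo "ok   : $check"; else echo "FAIL : $check"; fi
done
```

Run it as a script: only the first and fourth checks print "ok", the others show the failure modes a build with this series would also reject (modified payload, lockdown certificate that did not sign the data, and a VERIFY_DIGEST that differs from the digest used at signing time). The decrypt helper returns success only when the enveloped data opens with the recipient key and the attached signature verifies against cert.pem.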