[PATCH v2 0/5] Signed-Boot OpenSSL support
Samuel Mendoza-Jonas
sam at mendozajonas.com
Wed May 23 11:04:09 AEST 2018
On Tue, 2018-05-15 at 10:55 +1000, Brett Grandbois wrote:
> Changes in v2:
> * add build support for openssl 1.1.x
Reviewed-by: Samuel Mendoza-Jonas <sam at mendozajonas.com>
Looking good to me. Timothy, this of course touches on your GPGME work
but shouldn't make any functional changes to it. Any thoughts?
Cheers,
Sam
>
> Add support for configuration choice between GPGME or OpenSSL for signed-boot.
>
> For configuration the --with-signed-boot option now takes the following values:
>
> no - disable signed boot (as before)
> gpgme - configure for gpgme (as before), fail if not found
> openssl - configure for openssl, fail if not found
> yes - look first for gpgme and then openssl using first found, fail on none
> this should behave as before if gpgme is installed
>
> fail on any other invalid options
>
> Add the following variables:
>
> KEYRING_PATH - path to the gpgme home dir, currently unused in openssl but could
> be expanded to be the certificate store for verification. default
> is /etc/gpg as before
>
> VERIFY_DIGEST - string to specify signature verification MD in OpenSSL raw dgst mode
>
> The OpenSSL support works like this:
>
> The pb-lockdown file is a PKCS12 file or X509 certificate or PEM-encoded
> raw public key. To follow the current conventions the presence of a
> PKCS12 file as a lockdown signals decrypt mode because of the presence
> of the private key, anything else signals signature verification mode.
> The keyring path is currently ignored but in the future could be used to
> point to an X509 certificate chain for validity checking. Because of
> this self-signed certificates are currently supported and really just
> used as a public key container.
>
> Signature verification mode supports:
>
> * Cryptographic Message Syntax (CMS) as detached S/MIME, this is really
> more for consistency for the encryption mode (see below). This mode
> requires the lockdown file to be an X509 certificate.
>
> A sample creation command would be:
> openssl cms -sign -in (infile) -out (outfile) -binary -nocerts \
> -inkey (private key) -signer (recipient certificate)
>
> * Raw signature digest as output from openssl dgst -sign command. This
> mode can have the lockdown file be an X509 certificate or a PEM raw
> public key but the digest algorithm must be pre-defined by the
> VERIFY_DIGEST configure argument. The default is SHA256.
>
> A sample creation command would be:
> openssl dgst -sign (private key) -out (outfile) -(digest mode) \
> (infile)
>
> Decryption mode supports:
>
> * CMS signed-envelope as attached S/MIME. This is for consistency with
> the current expectation of no external file for decryption. Some
> future enhancement could be to come up with some proprietary external
> file format containing the cipher used, the encrypted cipher key, and
> the IV (if necessary).
>
> A sample creation command would be:
> openssl cms -sign -in (infile) -signer (recipient certificate) \
> -binary -nocerts -nodetach -inkey (private key) | \
> openssl cms -encrypt -(cipher mode) -out (outfile) \
> (recipient certificate)
>
> The PKCS12 file is expecting the private key to have password of NULL or
> "" as there is currently no mechanism to supply a custom one.
>
> Brett Grandbois (5):
> configure: Add signed-boot openssl configuration support
> lib/security: add in openssl support
> discover: Update to reflect generic signed boot API
> ui/ncurses: Update LOCKDOWN_FILE check to reflect generic SIGNED_BOOT
> test/lib: Add OpenSSL verify and decrypt tests
>
> configure.ac | 95 +++--
> discover/Makefile.am | 3 +-
> discover/boot.c | 12 +-
> lib/Makefile.am | 42 ++-
> lib/security/common.c | 230 +++++++++++++
> lib/security/gpg.c | 202 +----------
> lib/security/gpg.h | 83 -----
> lib/security/none.c | 61 ++++
> lib/security/openssl.c | 476 ++++++++++++++++++++++++++
> lib/security/security.h | 46 +++
> m4/ax_check_openssl.m4 | 124 +++++++
> test/lib/Makefile.am | 7 +
> test/lib/data/security/cert.p12 | Bin 0 -> 2469 bytes
> test/lib/data/security/cert.pem | 21 ++
> test/lib/data/security/key.pem | 28 ++
> test/lib/data/security/pubkey.pem | 9 +
> test/lib/data/security/rootdata.cmsenc | 17 +
> test/lib/data/security/rootdata.cmsencver | 41 +++
> test/lib/data/security/rootdata.cmsver | 31 ++
> test/lib/data/security/rootdata.txt | 2 +
> test/lib/data/security/rootdata_different.txt | 2 +
> test/lib/data/security/rootdatasha256.sig | Bin 0 -> 256 bytes
> test/lib/data/security/rootdatasha512.sig | Bin 0 -> 256 bytes
> test/lib/data/security/wrong_cert.pem | 21 ++
> test/lib/data/security/wrong_key.pem | 28 ++
> test/lib/test-security-openssl-decrypt.c | 82 +++++
> test/lib/test-security-openssl-verify.c | 103 ++++++
> ui/ncurses/nc-boot-editor.c | 2 +-
> 28 files changed, 1419 insertions(+), 349 deletions(-)
> create mode 100644 lib/security/common.c
> delete mode 100644 lib/security/gpg.h
> create mode 100644 lib/security/none.c
> create mode 100644 lib/security/openssl.c
> create mode 100644 lib/security/security.h
> create mode 100644 m4/ax_check_openssl.m4
> create mode 100644 test/lib/data/security/cert.p12
> create mode 100644 test/lib/data/security/cert.pem
> create mode 100644 test/lib/data/security/key.pem
> create mode 100644 test/lib/data/security/pubkey.pem
> create mode 100644 test/lib/data/security/rootdata.cmsenc
> create mode 100644 test/lib/data/security/rootdata.cmsencver
> create mode 100644 test/lib/data/security/rootdata.cmsver
> create mode 100644 test/lib/data/security/rootdata.txt
> create mode 100644 test/lib/data/security/rootdata_different.txt
> create mode 100644 test/lib/data/security/rootdatasha256.sig
> create mode 100644 test/lib/data/security/rootdatasha512.sig
> create mode 100644 test/lib/data/security/wrong_cert.pem
> create mode 100644 test/lib/data/security/wrong_key.pem
> create mode 100644 test/lib/test-security-openssl-decrypt.c
> create mode 100644 test/lib/test-security-openssl-verify.c
>
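The two signature-verification modes described in the cover letter, as an added example that is not part of the patch series or of the Petitboot code: it builds throwaway test material with the openssl CLI, signs it in both the raw-digest and detached-CMS forms, and shows that modified content, or a raw signature made with a digest other than the one the verifier expects (the role VERIFY_DIGEST plays), is rejected. The file names echo the diffstat's test data but are constructed here; a working openssl binary (1.1.x or 3.x) is assumed.

```shell
#!/bin/sh
# Added example, not part of the patch series: exercise the two OpenSSL
# signature-verification modes from the cover letter with the openssl CLI,
# including the failures a verifier must produce.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed material: a throwaway self-signed certificate that, as in the
# cover letter, is only used as a public-key container (no chain validation).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example-lockdown' \
    -keyout key.pem -out cert.pem >/dev/null 2>&1
openssl x509 -in cert.pem -pubkey -noout > pubkey.pem
printf 'root=/dev/sda2 console=hvc0\n' > rootdata.txt
printf 'root=/dev/sda2 console=hvc0 init=/bin/sh\n' > rootdata_different.txt

# Mode 1: raw signature from "openssl dgst -sign". The digest is not
# recorded in the signature file, so the verifier must know it beforehand
# (the role of VERIFY_DIGEST). $1 = digest, $2 = data, $3 = signature file.
raw_sign()   { openssl dgst -"$1" -sign key.pem -out "$3" "$2"; }
raw_verify() { openssl dgst -"$1" -verify pubkey.pem -signature "$3" "$2" >/dev/null 2>&1; }

# Mode 2: detached CMS (S/MIME) signature with no embedded certificates.
# -nointern/-certfile make the lockdown certificate the only accepted signer;
# -noverify skips chain validation, matching the cover letter's description.
cms_sign()   { openssl cms -sign -in "$1" -out "$2" -binary -nocerts -inkey key.pem -signer cert.pem; }
cms_verify() { openssl cms -verify -in "$2" -content "$1" -binary -nointern -certfile cert.pem \
                   -noverify -out /dev/null >/dev/null 2>&1; }

# Reduce a verifier's exit status to a word so outcomes can be compared.
outcome() { if "$@"; then echo pass; else echo fail; fi; }

raw_sign sha256 rootdata.txt rootdata.sha256.sig
raw_sign sha512 rootdata.txt rootdata.sha512.sig
cms_sign rootdata.txt rootdata.cmsver

echo "raw sha256, same data:        $(outcome raw_verify sha256 rootdata.txt rootdata.sha256.sig)"
echo "raw sha256, modified data:    $(outcome raw_verify sha256 rootdata_different.txt rootdata.sha256.sig)"
echo "raw sha256 vs sha512 sig:     $(outcome raw_verify sha256 rootdata.txt rootdata.sha512.sig)"
echo "cms detached, same data:      $(outcome cms_verify rootdata.txt rootdata.cmsver)"
echo "cms detached, modified data:  $(outcome cms_verify rootdata_different.txt rootdata.cmsver)"
```

The sha256-versus-sha512 case is the one a configure-time VERIFY_DIGEST mismatch would produce: the signature is valid, but not under the digest the verifier was built to expect.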