On Mon, Jul 14, 2025 at 11:05:02PM +0530, Sudhakar Kuppusamy wrote:
> This code allows us to parse:
>
> - X.509 certificates: at least enough to verify the signatures on the
> PKCS#7 messages. We expect that the certificates embedded in GRUB will
> be leaf certificates, not CA certificates. The parser enforces this.
>
> - X.509 certificates support the Extended Key Usage extension and handle
> it by verifying that the certificate has a Code Signing usage.
>
> Signed-off-by: Javier Martinez Canillas <[email protected]> # EKU support
> Reported-by: Michal Suchanek <[email protected]> # key usage issue
> Signed-off-by: Daniel Axtens <[email protected]>
> Signed-off-by: Sudhakar Kuppusamy <[email protected]>
> Reviewed-by: Stefan Berger <[email protected]>
> Reviewed-by: Avnish Chouhan <[email protected]>
> Reviewed-by: Daniel Kiper <[email protected]>
[...]
> +static grub_err_t
> +grub_x509_read_subject_public_key (asn1_node asn, struct x509_certificate
> *results)
> +{
> + int result;
> + grub_err_t err;
> + const char *algo_name =
> "tbsCertificate.subjectPublicKeyInfo.algorithm.algorithm";
> + const char *params_name =
> "tbsCertificate.subjectPublicKeyInfo.algorithm.parameters";
> + const char *pk_name =
> "tbsCertificate.subjectPublicKeyInfo.subjectPublicKey";
> + char algo_oid[MAX_OID_LEN];
> + int algo_size = sizeof (algo_oid);
> + char params_value[2];
> + int params_size = sizeof (params_value);
> + grub_uint8_t *key_data = NULL;
> + int key_size = 0;
> + unsigned int key_type;
> +
> + /* Algorithm: see notes for rsaEncryption_oid. */
> + result = asn1_read_value (asn, algo_name, algo_oid, &algo_size);
> + if (result != ASN1_SUCCESS)
> + return grub_error (GRUB_ERR_BAD_FILE_TYPE, "error reading x509 public
> key algorithm: %s",
> + asn1_strerror (result));
> +
> + if (grub_strncmp (algo_oid, rsaEncryption_oid, sizeof (rsaEncryption_oid))
> != 0)
> + return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
> + "unsupported x509 public key algorithm: %s",
> algo_oid);
> +
> + /*
> + * RFC 3279 2.3.1
> + * The rsaEncryption OID is intended to be used in the algorithm field
> + * of a value of type AlgorithmIdentifier. The parameters field MUST
> + * have ASN.1 type NULL for this algorithm identifier.
> + */
> + result = asn1_read_value (asn, params_name, params_value, ¶ms_size);
> + if (result != ASN1_SUCCESS)
> + return grub_error (GRUB_ERR_BAD_FILE_TYPE, "error reading x509 public
> key parameters: %s",
> + asn1_strerror (result));
> +
> + if (params_value[0] != ASN1_TAG_NULL)
> + return grub_error (GRUB_ERR_BAD_FILE_TYPE,
> + "invalid x509 public key parameters: expected NULL.");
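Review bot: the parameters check at the end of this hunk only inspects the tag byte; `if (params_value[0] != ASN1_TAG_NULL)` accepts any two-byte blob whose first byte happens to be 0x05. Since RFC 3279 2.3.1 (quoted in the comment above it) requires the encoded NULL, which in DER is exactly `05 00`, it would be more explicit to also require `params_size == 2` and `params_value[1] == 0` before accepting the AlgorithmIdentifier. Note too that the comment could say the 2-byte `params_value` buffer deliberately relies on asn1_read_value() rejecting any longer encoding with ASN1_MEM_ERROR, since that is not obvious from the code alone. Separately, the quoted line `asn1_read_value (asn, params_name, params_value, ¶ms_size)` reads as a mail-client mangling of `&params_size` (the `&para` entity), so the submitted patch presumably has the correct address-of operator; worth confirming the version in the tree is intact.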
Error messages do not end with a full stop. I saw it in a few places here.
Please fix it in all patches if needed. If you do that you can retain my RB...
Daniel
_______________________________________________
Grub-devel mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/grub-devel