On Mon, Aug 25, 2025 at 04:38:30PM +0530, Sudhakar Kuppusamy wrote:
> This code allows us to parse:
>
>  - X.509 certificates: at least enough to verify the signatures on the
>    PKCS#7 messages. We expect that the certificates embedded in GRUB will
>    be leaf certificates, not CA certificates. The parser enforces this.
>
>  - X.509 certificates support the Extended Key Usage extension and handle
>    it by verifying that the certificate has a Code Signing usage.
>
> Signed-off-by: Javier Martinez Canillas <javi...@redhat.com> # EKU support
> Reported-by: Michal Suchanek <msucha...@suse.com> # key usage issue
> Signed-off-by: Daniel Axtens <d...@axtens.net>
> Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
> Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
> Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com>
> Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>
> ---
>  grub-core/commands/appendedsig/appendedsig.h |  38 +
>  grub-core/commands/appendedsig/x509.c        | 962 +++++++++++++++++++
>  2 files changed, 1000 insertions(+)
>  create mode 100644 grub-core/commands/appendedsig/x509.c
>
> diff --git a/grub-core/commands/appendedsig/appendedsig.h 
> b/grub-core/commands/appendedsig/appendedsig.h
> index cac7fb02c..ef172cc40 100644
> --- a/grub-core/commands/appendedsig/appendedsig.h
> +++ b/grub-core/commands/appendedsig/appendedsig.h
> @@ -25,6 +25,29 @@ extern asn1_node grub_gnutls_pkix_asn;
>
>  #define MAX_OID_LEN 32
>
> +/*
> + * One or more x509 certificates.
> + * We do limited parsing:
> + * extracting only the version, serial, issuer, subject, RSA public key
> + * and key size.
> + * Also, hold the sha256, sha384, and sha512 fingerprint of the certificate.
> + */
> +struct x509_certificate
> +{
> +  struct x509_certificate *next;
> +  grub_uint8_t version;
> +  grub_uint8_t *serial;
> +  grub_size_t serial_len;
> +  char *issuer;
> +  grub_size_t issuer_len;
> +  char *subject;
> +  grub_size_t subject_len;
> +  /* We only support RSA public keys. This encodes [modulus, 
> publicExponent]. */
> +  gcry_mpi_t mpis[2];
> +  int modulus_size;
> +  char fingerprint[3][64];
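Review bot: `int modulus_size` is the one size field in this struct that is signed, while `serial_len`, `issuer_len` and `subject_len` are `grub_size_t`; a signed key size invites negative or mixed-sign comparisons in the verifier, so it should be `grub_size_t` (or an explicitly unsigned type) for consistency. The block comment is also slightly off: it says "One or more x509 certificates", but the struct describes exactly one certificate, with the chain expressed through `next`, and it does not say who owns the `serial`, `issuer` and `subject` buffers (whether the parser allocates them and a matching release routine frees them), which the free path and any caller need to know.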

This should be grub_uint8_t and here you should define all constants
mentioned earlier in the comments to another patch.

... and if you use plain numbers for mpis[] indexing you should define
relevant constants as well...

Daniel

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel