Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PKCS7: Add support for authenticated attributes #8072

Open
wants to merge 3 commits into
base: development
Choose a base branch
from

Conversation

beni-sandu
Copy link
Contributor

@beni-sandu beni-sandu commented Aug 14, 2023

Description

Add support for authenticated attributes as per RFC2315.

Section 9.2:
    authenticatedAttributes
        [0] IMPLICIT Attributes OPTIONAL

If authenticated attributes are present, it must contain at minimum two attributes:
        - A PKCS9 content-type attribute having as its value the content type of the
         ContentInfo value being signed.
        - A PKCS9 message-digest attribute, having as its value the message digest
        of the content.

Section 9.3:
When they are present, the result of the message digesting process is the digest
of the complete DER encoding of the section, and the expected leading tag is
SET OF and not the IMPLICIT [0] tag.

PR checklist

  • changelog provided
  • backport not required
  • tests provided

@beni-sandu beni-sandu force-pushed the auth_attr branch 3 times, most recently from 24be9c3 to 088f71d Compare August 15, 2023 14:15
@beni-sandu
Copy link
Contributor Author

Fixed some coding style issues and a memory leak caught by the CI runs.

@beni-sandu
Copy link
Contributor Author

Hey @dave-rodgman , any chance someone can give some feedback on this? Thanks.

@gilles-peskine-arm gilles-peskine-arm added enhancement needs-review Every commit must be reviewed by at least two team members, component-x509 needs-reviewer This PR needs someone to pick it up for review size-m Estimated task size: medium (~1w) priority-medium Medium priority - this can be reviewed as time permits labels Aug 17, 2023
@beni-sandu beni-sandu force-pushed the auth_attr branch 2 times, most recently from e6138f3 to 6b93b44 Compare August 21, 2023 19:55
@beni-sandu beni-sandu changed the title PKCS7: Add initial support for authenticated attributes PKCS7: Add support for authenticated attributes Aug 31, 2023
@daverodgman
Copy link
Contributor

Hey @dave-rodgman , any chance someone can give some feedback on this? Thanks.

Hi Beni,

Thanks for doing these. I saw that you've intentionally broken your PKCS #7 work up into multiple smaller PRs - this is definitely the right thing to do and should help with review. Please could you let us know the use-case and urgency/desired timeline for these PRs? We are aiming for 3.6 LTS at the end of the year, so the timing may be difficult for us to get into 3.6 - a strong use-case would help here.

@beni-sandu
Copy link
Contributor Author

Hi Dave,

Thanks for the info. The main use-case here for PKCS7 would be part of a secure boot implementation. As you know, the current mbedtls implementation is very limited and cannot be used in a more "real world" scenario, so adding some key missing features should open the door to that.

As for timeline, while it would be nice to get it in 3.6, it's not an urgent matter, as we can use in house patches and switch to upstream when that is available.

Add support for authenticated attributes as per RFC2315.

Section 9.2:
authenticatedAttributes
       [0] IMPLICIT Attributes OPTIONAL

If authenticated attributes are present, it must contain at minimum two attributes:
	- A PKCS9 content-type attribute having as its value the content type of the
	 ContentInfo value being signed.
	- A PKCS9 message-digest attribute, having as its value the message digest
	of the content.

Section 9.3:
When they are present, the result of the message digesting process is the digest
of the complete DER encoding of the section, and the expected leading tag is
SET OF and not the IMPLICIT [0] tag.

Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
component-x509 enhancement needs-review Every commit must be reviewed by at least two team members, needs-reviewer This PR needs someone to pick it up for review priority-medium Medium priority - this can be reviewed as time permits size-m Estimated task size: medium (~1w)
Projects
Status: No status
Status: In Review
Development

Successfully merging this pull request may close these issues.

3 participants