* New upstream release.debian/15+1533136590.3beb971-1

- debian/patches/second-stage-path: dropped; the default loader path now includes an arch suffix. - debian/patches/sbsigntool-no-pesign: dropped; no longer needed. * Drop remaining patches that were not being applied. * Sync packaging from Ubuntu: - debian/copyright: Update upstream source location. - debian/control: add a Build-Depends on libelf-dev. - Enable arm64 build. - debian/patches/fixup_git.patch: don't run git in clean; we're not really in a git tree. - debian/rules, debian/shim.install: use the upstream install target as intended, and move files to the target directory using dh_install. - define RELEASE and COMMIT_ID for the snapshot. - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature. - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream options: set MAKELEVEL. - Define an EFI_ARCH variable, and use that for paths to shim. This makes it possible to build a shim for other architectures than amd64. - Set EFIDIR=$distro for dh_auto_install; that will let files be installed in the "right" final directories, and makes boot.csv for us. - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built at compile-time for MokManager and fallback. - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback and MokManager.
author: Steve Langasek <steve.langasek@canonical.com> 2019-02-09 21:28:06 -0800
committer: Steve Langasek <steve.langasek@canonical.com> 2019-02-09 21:32:44 -0800
commit: ab4c731c1dd379acd3e95971af57401fb0a650a1 (patch)
tree: 6a26fb8d0746cbbaa6c2d4b242c73442bcc1df06 /Cryptlib/OpenSSL/crypto/pkcs12/p12_sbag.c
parent: 0d63079c7da8e86104ce4bbdae2f6cb8d2ea40c6 (diff)
parent: 9c12130f9cd2ae11a9336813dd1f1669c0b64ad0 (diff)
download: efi-boot-shim-debian/15+1533136590.3beb971-1.tar.gz
efi-boot-shim-debian/15+1533136590.3beb971-1.zip
1 files changed, 170 insertions, 0 deletions
diff --git a/Cryptlib/OpenSSL/crypto/pkcs12/p12_sbag.c b/Cryptlib/OpenSSL/crypto/pkcs12/p12_sbag.c
new file mode 100644
index 00000000..4a3d2599
--- /dev/null
+++ b/Cryptlib/OpenSSL/crypto/pkcs12/p12_sbag.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include "internal/cryptlib.h"
+#include <openssl/pkcs12.h>
+#include "p12_lcl.h"
+
+#if OPENSSL_API_COMPAT < 0x10100000L
+ASN1_TYPE *PKCS12_get_attr(const PKCS12_SAFEBAG *bag, int attr_nid)
+{
+    return PKCS12_get_attr_gen(bag->attrib, attr_nid);
+}
+#endif
+
+const ASN1_TYPE *PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag,
+                                          int attr_nid)
+{
+    return PKCS12_get_attr_gen(bag->attrib, attr_nid);
+}
+
+ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid)
+{
+    return PKCS12_get_attr_gen(PKCS8_pkey_get0_attrs(p8), attr_nid);
+}
+
+const PKCS8_PRIV_KEY_INFO *PKCS12_SAFEBAG_get0_p8inf(const PKCS12_SAFEBAG *bag)
+{
+    if (PKCS12_SAFEBAG_get_nid(bag) != NID_keyBag)
+        return NULL;
+    return bag->value.keybag;
+}
+
+const X509_SIG *PKCS12_SAFEBAG_get0_pkcs8(const PKCS12_SAFEBAG *bag)
+{
+    if (OBJ_obj2nid(bag->type) != NID_pkcs8ShroudedKeyBag)
+        return NULL;
+    return bag->value.shkeybag;
+}
+
+const STACK_OF(PKCS12_SAFEBAG) *
+PKCS12_SAFEBAG_get0_safes(const PKCS12_SAFEBAG *bag)
+{
+    if (OBJ_obj2nid(bag->type) != NID_safeContentsBag)
+        return NULL;
+    return bag->value.safes;
+}
+
+const ASN1_OBJECT *PKCS12_SAFEBAG_get0_type(const PKCS12_SAFEBAG *bag)
+{
+    return bag->type;
+}
+
+int PKCS12_SAFEBAG_get_nid(const PKCS12_SAFEBAG *bag)
+{
+    return OBJ_obj2nid(bag->type);
+}
+
+int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag)
+{
+    int btype = PKCS12_SAFEBAG_get_nid(bag);
+
+    if (btype != NID_certBag && btype != NID_crlBag && btype != NID_secretBag)
+        return -1;
+    return OBJ_obj2nid(bag->value.bag->type);
+}
+
+X509 *PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag)
+{
+    if (PKCS12_SAFEBAG_get_nid(bag) != NID_certBag)
+        return NULL;
+    if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Certificate)
+        return NULL;
+    return ASN1_item_unpack(bag->value.bag->value.octet,
+                            ASN1_ITEM_rptr(X509));
+}
+
+X509_CRL *PKCS12_SAFEBAG_get1_crl(const PKCS12_SAFEBAG *bag)
+{
+    if (PKCS12_SAFEBAG_get_nid(bag) != NID_crlBag)
+        return NULL;
+    if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Crl)
+        return NULL;
+    return ASN1_item_unpack(bag->value.bag->value.octet,
+                            ASN1_ITEM_rptr(X509_CRL));
+}
+
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_cert(X509 *x509)
+{
+    return PKCS12_item_pack_safebag(x509, ASN1_ITEM_rptr(X509),
+                                    NID_x509Certificate, NID_certBag);
+}
+
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_crl(X509_CRL *crl)
+{
+    return PKCS12_item_pack_safebag(crl, ASN1_ITEM_rptr(X509_CRL),
+                                    NID_x509Crl, NID_crlBag);
+}
+
+/* Turn PKCS8 object into a keybag */
+
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8)
+{
+    PKCS12_SAFEBAG *bag = PKCS12_SAFEBAG_new();
+
+    if (bag == NULL) {
+        PKCS12err(PKCS12_F_PKCS12_SAFEBAG_CREATE0_P8INF, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+    bag->type = OBJ_nid2obj(NID_keyBag);
+    bag->value.keybag = p8;
+    return bag;
+}
+
+/* Turn PKCS8 object into a shrouded keybag */
+
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_pkcs8(X509_SIG *p8)
+{
+    PKCS12_SAFEBAG *bag = PKCS12_SAFEBAG_new();
+
+    /* Set up the safe bag */
+    if (bag == NULL) {
+        PKCS12err(PKCS12_F_PKCS12_SAFEBAG_CREATE0_PKCS8, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+    bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag);
+    bag->value.shkeybag = p8;
+    return bag;
+}
+
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid,
+                                                    const char *pass,
+                                                    int passlen,
+                                                    unsigned char *salt,
+                                                    int saltlen, int iter,
+                                                    PKCS8_PRIV_KEY_INFO *p8inf)
+{
+    PKCS12_SAFEBAG *bag;
+    const EVP_CIPHER *pbe_ciph;
+    X509_SIG *p8;
+
+    pbe_ciph = EVP_get_cipherbynid(pbe_nid);
+
+    if (pbe_ciph)
+        pbe_nid = -1;
+
+    p8 = PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter,
+                       p8inf);
+
+    if (p8 == NULL) {
+        PKCS12err(PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+
+    bag = PKCS12_SAFEBAG_create0_pkcs8(p8);
+
+    if (bag == NULL) {
+        PKCS12err(PKCS12_F_PKCS12_SAFEBAG_CREATE_PKCS8_ENCRYPT, ERR_R_MALLOC_FAILURE);
+        X509_SIG_free(p8);
+        return NULL;
+    }
+
+    return bag;
+}
author	Steve Langasek <steve.langasek@canonical.com>	2019-02-09 21:28:06 -0800
committer	Steve Langasek <steve.langasek@canonical.com>	2019-02-09 21:32:44 -0800
commit	ab4c731c1dd379acd3e95971af57401fb0a650a1 (patch)
tree	6a26fb8d0746cbbaa6c2d4b242c73442bcc1df06 /Cryptlib/OpenSSL/crypto/pkcs12/p12_sbag.c
parent	0d63079c7da8e86104ce4bbdae2f6cb8d2ea40c6 (diff)
parent	9c12130f9cd2ae11a9336813dd1f1669c0b64ad0 (diff)
download	efi-boot-shim-debian/15+1533136590.3beb971-1.tar.gz efi-boot-shim-debian/15+1533136590.3beb971-1.zip