[PATCH] crypto: wolfssl: implement forced-signer-name
15 views
Skip to first unread message
Bastian Germann
Apr 7, 2026, 2:38:37 PMApr 7
to swup...@googlegroups.com, Bastian Germann
Enable the forced-signer-name for builds with enabled wolfSSL.
Implement the check by using the native wolfSSL API instead of the
misbehaving wrapper.
Copy the check_common_name helper function from the OpenSSL CMS
implementation.
Signed-off-by: Bastian Germann <ba...@debian.org>
---
core/swupdate.c | 4 +-
crypto/swupdate_pkcs7_verify_wolfssl.c | 72 +++++++++++++++++++++++---
scripts/acceptance-tests/CheckImage.mk | 2 -
3 files changed, 68 insertions(+), 10 deletions(-)
diff --git a/core/swupdate.c b/core/swupdate.c
index f8ce085c..e98301c7 100644
--- a/core/swupdate.c
+++ b/core/swupdate.c
@@ -98,7 +98,7 @@ static struct option long_options[] = {
{"key", required_argument, NULL, 'k'},
{"ca-path", required_argument, NULL, 'k'},
{"cert-purpose", required_argument, NULL, '1'},
-#if defined(CONFIG_SIGALG_CMS) && !defined(CONFIG_SSL_IMPL_WOLFSSL)
+#if defined(CONFIG_SIGALG_CMS)
{"forced-signer-name", required_argument, NULL, '2'},
#endif
#ifdef CONFIG_SIGALG_GPG
@@ -169,7 +169,7 @@ static void usage(char *programname)
" -k, --key <public key file> : file with public key to verify images\n"
" --cert-purpose <purpose> : set expected certificate purpose\n"
" [emailProtection|codeSigning] (default: emailProtection)\n"
-#if defined(CONFIG_SIGALG_CMS) && !defined(CONFIG_SSL_IMPL_WOLFSSL)
+#if defined(CONFIG_SIGALG_CMS)
" --forced-signer-name <cn> : set expected common name of signer certificate\n"
#endif
" --ca-path : path to the Certificate Authority (PEM)\n"
diff --git a/crypto/swupdate_pkcs7_verify_wolfssl.c b/crypto/swupdate_pkcs7_verify_wolfssl.c
index 39a29c89..8473359a 100644
--- a/crypto/swupdate_pkcs7_verify_wolfssl.c
+++ b/crypto/swupdate_pkcs7_verify_wolfssl.c
@@ -97,12 +97,72 @@ static X509_STORE *load_cert_chain(const char *file)
return castore;
}
-static int check_signer_name(const char *name)
+static inline int next_common_name(X509_NAME *subject, int i)
{
- // TODO work around wolfSSL's PKCS7_get0_signers always returning NULL
- if (name)
- WARN("The X.509 common name might not be equal to %s.", name);
- return 0;
+ return X509_NAME_get_index_by_NID(subject, NID_commonName, i);
+}
+
+static int check_common_name(X509_NAME *subject, const char *name)
+{
+ int i = -1, ret = 1;
+
+ while ((i = next_common_name(subject, i)) > -1) {
+ X509_NAME_ENTRY *e = X509_NAME_get_entry(subject, i);
+ ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
+ unsigned char *cn;
+ size_t len = strlen(name);
+ bool matches = (ASN1_STRING_to_UTF8(&cn, d) == (int)len)
+ && (strncmp(name, (const char *)cn, len) == 0);
+
+ OPENSSL_free(cn);
+ if (!matches) {
+ char *subj = X509_NAME_oneline(subject, NULL, 0);
+
+ ERROR("common name of '%s' does not match expected '%s'",
+ subj, name);
+ OPENSSL_free(subj);
+ return 2;
+ } else {
+ ret = 0;
+ }
+ }
+
+ if (ret == 0) {
+ char *subj = X509_NAME_oneline(subject, NULL, 0);
+
+ TRACE("verified signer cert: %s", subj);
+ OPENSSL_free(subj);
+ }
+
+ return ret;
+}
+
+static int check_signer_name(WOLFSSL_PKCS7 *pkcs7, const char *name)
+{
+ if ((name == NULL) || (name[0] == '\0'))
+ return 0;
+
+ const unsigned char *cert;
+ X509 *crt;
+ int ret;
+
+ if ((pkcs7->pkcs7.verifyCert == NULL) ||
+ (pkcs7->pkcs7.verifyCertSz == 0)) {
+ ERROR("failed to access signer certificate for common name check");
+ return 1;
+ }
+
+ cert = pkcs7->pkcs7.verifyCert;
+ crt = d2i_X509(NULL, &cert, pkcs7->pkcs7.verifyCertSz);
+ if (crt == NULL) {
+ ERROR("failed to decode signer certificate for common name check");
+ return 1;
+ }
+
+ ret = check_common_name(X509_get_subject_name(crt), name);
+ X509_free(crt);
+
+ return ret;
}
static int wolfssl_pkcs7_dgst_init(struct swupdate_cfg *sw, const char *keyfile)
@@ -202,7 +262,7 @@ static int wolfssl_pkcs7_verify_file(void *ctx, const char *sigfile,
goto out;
}
- if (check_signer_name(signer_name)) {
+ if (check_signer_name(pkcs7, signer_name)) {
ERROR("failed to verify signer name");
status = -EFAULT;
goto out;
diff --git a/scripts/acceptance-tests/CheckImage.mk b/scripts/acceptance-tests/CheckImage.mk
index fdd96af5..1f04f2c8 100644
--- a/scripts/acceptance-tests/CheckImage.mk
+++ b/scripts/acceptance-tests/CheckImage.mk
@@ -43,9 +43,7 @@ endif
tests-y += InvOptsNoImg
tests-$(CONFIG_MONGOOSE) += InvOptsCheckWithWeb
tests-$(CONFIG_SURICATTA) += InvOptsCheckWithSur
-ifneq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
tests-$(CONFIG_SIGALG_CMS) += InvSigNameCheck
-endif
tests-$(CONFIG_SIGALG_CMS) += ValidSigNameCheck
#
Implement the check by using the native wolfSSL API instead of the
misbehaving wrapper.
Copy the check_common_name helper function from the OpenSSL CMS
implementation.
Signed-off-by: Bastian Germann <ba...@debian.org>
---
core/swupdate.c | 4 +-
crypto/swupdate_pkcs7_verify_wolfssl.c | 72 +++++++++++++++++++++++---
scripts/acceptance-tests/CheckImage.mk | 2 -
3 files changed, 68 insertions(+), 10 deletions(-)
diff --git a/core/swupdate.c b/core/swupdate.c
index f8ce085c..e98301c7 100644
--- a/core/swupdate.c
+++ b/core/swupdate.c
@@ -98,7 +98,7 @@ static struct option long_options[] = {
{"key", required_argument, NULL, 'k'},
{"ca-path", required_argument, NULL, 'k'},
{"cert-purpose", required_argument, NULL, '1'},
-#if defined(CONFIG_SIGALG_CMS) && !defined(CONFIG_SSL_IMPL_WOLFSSL)
+#if defined(CONFIG_SIGALG_CMS)
{"forced-signer-name", required_argument, NULL, '2'},
#endif
#ifdef CONFIG_SIGALG_GPG
@@ -169,7 +169,7 @@ static void usage(char *programname)
" -k, --key <public key file> : file with public key to verify images\n"
" --cert-purpose <purpose> : set expected certificate purpose\n"
" [emailProtection|codeSigning] (default: emailProtection)\n"
-#if defined(CONFIG_SIGALG_CMS) && !defined(CONFIG_SSL_IMPL_WOLFSSL)
+#if defined(CONFIG_SIGALG_CMS)
" --forced-signer-name <cn> : set expected common name of signer certificate\n"
#endif
" --ca-path : path to the Certificate Authority (PEM)\n"
diff --git a/crypto/swupdate_pkcs7_verify_wolfssl.c b/crypto/swupdate_pkcs7_verify_wolfssl.c
index 39a29c89..8473359a 100644
--- a/crypto/swupdate_pkcs7_verify_wolfssl.c
+++ b/crypto/swupdate_pkcs7_verify_wolfssl.c
@@ -97,12 +97,72 @@ static X509_STORE *load_cert_chain(const char *file)
return castore;
}
-static int check_signer_name(const char *name)
+static inline int next_common_name(X509_NAME *subject, int i)
{
- // TODO work around wolfSSL's PKCS7_get0_signers always returning NULL
- if (name)
- WARN("The X.509 common name might not be equal to %s.", name);
- return 0;
+ return X509_NAME_get_index_by_NID(subject, NID_commonName, i);
+}
+
+static int check_common_name(X509_NAME *subject, const char *name)
+{
+ int i = -1, ret = 1;
+
+ while ((i = next_common_name(subject, i)) > -1) {
+ X509_NAME_ENTRY *e = X509_NAME_get_entry(subject, i);
+ ASN1_STRING *d = X509_NAME_ENTRY_get_data(e);
+ unsigned char *cn;
+ size_t len = strlen(name);
+ bool matches = (ASN1_STRING_to_UTF8(&cn, d) == (int)len)
+ && (strncmp(name, (const char *)cn, len) == 0);
+
+ OPENSSL_free(cn);
+ if (!matches) {
+ char *subj = X509_NAME_oneline(subject, NULL, 0);
+
+ ERROR("common name of '%s' does not match expected '%s'",
+ subj, name);
+ OPENSSL_free(subj);
+ return 2;
+ } else {
+ ret = 0;
+ }
+ }
+
+ if (ret == 0) {
+ char *subj = X509_NAME_oneline(subject, NULL, 0);
+
+ TRACE("verified signer cert: %s", subj);
+ OPENSSL_free(subj);
+ }
+
+ return ret;
+}
+
+static int check_signer_name(WOLFSSL_PKCS7 *pkcs7, const char *name)
+{
+ if ((name == NULL) || (name[0] == '\0'))
+ return 0;
+
+ const unsigned char *cert;
+ X509 *crt;
+ int ret;
+
+ if ((pkcs7->pkcs7.verifyCert == NULL) ||
+ (pkcs7->pkcs7.verifyCertSz == 0)) {
+ ERROR("failed to access signer certificate for common name check");
+ return 1;
+ }
+
+ cert = pkcs7->pkcs7.verifyCert;
+ crt = d2i_X509(NULL, &cert, pkcs7->pkcs7.verifyCertSz);
+ if (crt == NULL) {
+ ERROR("failed to decode signer certificate for common name check");
+ return 1;
+ }
+
+ ret = check_common_name(X509_get_subject_name(crt), name);
+ X509_free(crt);
+
+ return ret;
}
static int wolfssl_pkcs7_dgst_init(struct swupdate_cfg *sw, const char *keyfile)
@@ -202,7 +262,7 @@ static int wolfssl_pkcs7_verify_file(void *ctx, const char *sigfile,
goto out;
}
- if (check_signer_name(signer_name)) {
+ if (check_signer_name(pkcs7, signer_name)) {
ERROR("failed to verify signer name");
status = -EFAULT;
goto out;
diff --git a/scripts/acceptance-tests/CheckImage.mk b/scripts/acceptance-tests/CheckImage.mk
index fdd96af5..1f04f2c8 100644
--- a/scripts/acceptance-tests/CheckImage.mk
+++ b/scripts/acceptance-tests/CheckImage.mk
@@ -43,9 +43,7 @@ endif
tests-y += InvOptsNoImg
tests-$(CONFIG_MONGOOSE) += InvOptsCheckWithWeb
tests-$(CONFIG_SURICATTA) += InvOptsCheckWithSur
-ifneq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
tests-$(CONFIG_SIGALG_CMS) += InvSigNameCheck
-endif
tests-$(CONFIG_SIGALG_CMS) += ValidSigNameCheck
#
Stefano Babic
Apr 8, 2026, 8:56:56 AMApr 8
to Bastian Germann, swup...@googlegroups.com
--
_______________________________________________________________________
Nabla Software Engineering GmbH
Hirschstr. 111A | 86156 Augsburg | Tel: +49 821 45592596
Geschäftsführer : Stefano Babic | HRB 40522 Augsburg
E-Mail: sba...@nabladev.com
Reply all
Reply to author
Forward
0 new messages