[PATCH 2/2] Hide forced-signer-name from non-CMS and wolfSSL


Bastian Germann

Mar 21, 2023, 9:07:26 AM3/21/23
to swup...@googlegroups.com, Bastian Germann
The common name comparison is not implemented for PKCS#7 (wolfSSL),
so prevent using it. It cannot be implemented with the plain RSA
verification, so hide it from those configurations as well.

Signed-off-by: Bastian Germann <ba...@debian.org>
---
core/swupdate.c | 4 ++++
scripts/acceptance-tests/CheckImage.mk | 2 ++
2 files changed, 6 insertions(+)

diff --git a/core/swupdate.c b/core/swupdate.c
index 9955b4b..dff2baf 100644
--- a/core/swupdate.c
+++ b/core/swupdate.c
@@ -93,8 +93,10 @@ static struct option long_options[] = {
{"key", required_argument, NULL, 'k'},
{"ca-path", required_argument, NULL, 'k'},
{"cert-purpose", required_argument, NULL, '1'},
+#if defined(CONFIG_SIGALG_CMS) && !defined(CONFIG_SSL_IMPL_WOLFSSL)
{"forced-signer-name", required_argument, NULL, '2'},
#endif
+#endif
#ifdef CONFIG_ENCRYPTED_IMAGES
{"key-aes", required_argument, NULL, 'K'},
#endif
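Review bot: Guarding the `forced-signer-name` entry in `long_options[]` removes only the command-line spelling; the diffstat shows no other change to core/swupdate.c, so whatever consumes option `'2'` and any configuration-file reading of the same setting (neither is visible in this hunk) are presumably left as they were. If a wolfSSL or non-CMS build can still receive a signer name through such a path, the value would be accepted but never compared, and an operator would believe the signer common name is pinned when it is not. Consider putting those paths under the same condition, or failing at startup with an explicit error when a signer name is configured on a build that cannot check it. The array initializer and the outer `#if` both start outside the hunk.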
@@ -149,7 +151,9 @@ static void usage(char *programname)
" -k, --key <public key file> : file with public key to verify images\n"
" --cert-purpose <purpose> : set expected certificate purpose\n"
" [emailProtection|codeSigning] (default: emailProtection)\n"
+#if defined(CONFIG_SIGALG_CMS) && !defined(CONFIG_SSL_IMPL_WOLFSSL)
" --forced-signer-name <cn> : set expected common name of signer certificate\n"
+#endif
" --ca-path : path to the Certificate Authority (PEM)\n"
#endif
#ifdef CONFIG_ENCRYPTED_IMAGES
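Review bot: The condition `defined(CONFIG_SIGALG_CMS) && !defined(CONFIG_SSL_IMPL_WOLFSSL)` is written out a second time here, matching the one added in the `long_options[]` hunk, so the help text and the option table can drift apart if only one is edited later. Defining one feature macro near the top of the file and testing it in both places would keep them in step. The added `#endif` would also read better with its condition on it, `#endif /* CONFIG_SIGALG_CMS && !CONFIG_SSL_IMPL_WOLFSSL */`, because it sits directly before the outer `#endif`. Both `usage()` and the outer conditional start outside the hunk.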
diff --git a/scripts/acceptance-tests/CheckImage.mk b/scripts/acceptance-tests/CheckImage.mk
index ab691ad..b7c8791 100644
--- a/scripts/acceptance-tests/CheckImage.mk
+++ b/scripts/acceptance-tests/CheckImage.mk
@@ -43,7 +43,9 @@ endif
tests-y += InvOptsNoImg
tests-$(CONFIG_MONGOOSE) += InvOptsCheckWithWeb
tests-$(CONFIG_SURICATTA) += InvOptsCheckWithSur
+ifneq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
tests-$(CONFIG_SIGALG_CMS) += InvSigNameCheck
+endif
tests-$(CONFIG_SIGALG_CMS) += ValidSigNameCheck

#
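Review bot: `ValidSigNameCheck` stays enabled for every `CONFIG_SIGALG_CMS` build, including wolfSSL, while only `InvSigNameCheck` moves inside the `ifneq`. The test recipes are not visible in this hunk, but if `ValidSigNameCheck` passes `--forced-signer-name`, it will fail on wolfSSL builds with an unknown-option error now that the option is hidden there. In that case it belongs inside the same `ifneq ($(CONFIG_SSL_IMPL_WOLFSSL),y)` block. A small test for wolfSSL builds asserting that `--forced-signer-name` is rejected would also pin the new behaviour, so that an unenforced signer name cannot be reintroduced without a test failing.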
--
2.39.2
