signature

package
v0.0.0-...-48be911 Latest Latest
Published: Jan 28, 2024 License: MIT Imports: 15 Imported by: 6

Documentation


Constants

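// Human-readable names of the EFI signature schemes; each pairs with the
// CERT_*_GUID variable of the same stem and is the CertType value used in
// ValidEFISignatureSchemes.
//
// Only CERT_SHA256 is explicitly typed; the remaining entries are untyped
// string constants and convert to CertType implicitly where one is expected.
// CERT_SHA384 previously read "SHA238", a misspelling that did not match the
// algorithm identified by CERT_SHA384_GUID; it is now "SHA384".
const (
	CERT_SHA256         CertType = "SHA256"
	CERT_RSA2048                 = "RSA2048"
	CERT_RSA2048_SHA256          = "RSA2048 SHA256"
	CERT_SHA1                    = "SHA1"
	CERT_RSA2048_SHA1            = "RSA2048 SHA1"
	CERT_X509                    = "X509"
	CERT_SHA224                  = "SHA224"
	CERT_SHA384                  = "SHA384"
	CERT_SHA512                  = "SHA512"
	CERT_X509_SHA256             = "X509 SHA256"
)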
const SizeofSignatureList uint32 = util.SizeofEFIGUID + 4 + 4 + 4

SignatureSize + sizeof(SignatureType) + sizeof(uint32)*3

const SizeofWINCertificate = 4 + 2 + 2
const SizeofWinCertificateUEFIGUID = SizeofWINCertificate + util.SizeofEFIGUID

Variables

// EFI_CERT_* signature type GUIDs from the UEFI signature database
// specification (section 32.4.1). Each pairs with the CERT_* name constant of
// the same stem and serves as a key of ValidEFISignatureSchemes.
//
// NOTE(review): these are package-level vars rather than consts, so an
// importer can reassign them at runtime, which would silently change which
// signature types are recognised. Nothing on this page requires them to be
// mutable; consider treating them as read-only.
var (
	CERT_SHA256_GUID         = util.EFIGUID{0xc1c41626, 0x504c, 0x4092, [8]uint8{0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28}}
	CERT_RSA2048_GUID        = util.EFIGUID{0x3c5766e8, 0x269c, 0x4e34, [8]uint8{0xaa, 0x14, 0xed, 0x77, 0x6e, 0x85, 0xb3, 0xb6}}
	CERT_RSA2048_SHA256_GUID = util.EFIGUID{0xe2b36190, 0x879b, 0x4a3d, [8]uint8{0xad, 0x8d, 0xf2, 0xe7, 0xbb, 0xa3, 0x27, 0x84}}

	CERT_SHA1_GUID         = util.EFIGUID{0x826ca512, 0xcf10, 0x4ac9, [8]uint8{0xb1, 0x87, 0xbe, 0x01, 0x49, 0x66, 0x31, 0xbd}}
	CERT_RSA2048_SHA1_GUID = util.EFIGUID{0x67f8444f, 0x8743, 0x48f1, [8]uint8{0xa3, 0x28, 0x1e, 0xaa, 0xb8, 0x73, 0x60, 0x80}}

	CERT_X509_GUID = util.EFIGUID{0xa5c059a1, 0x94e4, 0x4aa7, [8]uint8{0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72}}

	// Leading zero of the first field omitted (0x0b6e5233).
	CERT_SHA224_GUID = util.EFIGUID{0xb6e5233, 0xa65c, 0x44c9, [8]uint8{0x94, 0x07, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd}}

	CERT_SHA384_GUID = util.EFIGUID{0xff3e5307, 0x9fd0, 0x48c9, [8]uint8{0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x01}}

	// Leading zero of the first field omitted (0x093e0fae).
	CERT_SHA512_GUID = util.EFIGUID{0x93e0fae, 0xa6c4, 0x4f50, [8]uint8{0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a}}

	CERT_X509_SHA256_GUID = util.EFIGUID{0x3bd2a492, 0x96c0, 0x4079, [8]uint8{0xb4, 0x20, 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed}}
)

Section 32.4.1 Signature Database Page 1714 -> Page 1717

// CertType GUIDs carried in WinCertificateUEFIGUID. EFIVariableAuthentication2
// only accepts EFI_CERT_TYPE_PKCS7_GUID (see its documentation).
//
// NOTE(review): declared as vars, so reassignable at runtime; nothing on this
// page requires that.
var (
	EFI_CERT_TYPE_RSA2048_SHA256_GUID = util.EFIGUID{0xa7717414, 0xc616, 0x4977, [8]uint8{0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf}}
	EFI_CERT_TYPE_PKCS7_GUID          = util.EFIGUID{0x4aafd29d, 0x68df, 0x49ee, [8]uint8{0x8a, 0xa9, 0x34, 0x7d, 0x37, 0x56, 0x65, 0xa7}}
)
var ErrNoSuchSignatureScheme = errors.New("no such signature scheme")
var ErrNotFoundSigData = errors.New("signature data not found")
var ErrNotFoundSigList = errors.New("signature list not found")
var ErrParse = errors.New("could not parse struct")
var ErrSigDataExists = errors.New("signature data exists already")
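// ValidEFISignatureSchemes maps each EFI_CERT_* type GUID to its CertType
// name. The names match the CERT_* constants; the SHA384 entry previously
// read "SHA238", a misspelling that did not match the algorithm identified by
// CERT_SHA384_GUID, and is now "SHA384".
//
// NOTE(review): the map is a package-level var and its keys are the
// CERT_*_GUID vars, so both can be changed at runtime by any importer.
var ValidEFISignatureSchemes = map[util.EFIGUID]CertType{
	CERT_SHA256_GUID:         "SHA256",
	CERT_RSA2048_GUID:        "RSA2048",
	CERT_RSA2048_SHA256_GUID: "RSA2048 SHA256",
	CERT_SHA1_GUID:           "SHA1",
	CERT_RSA2048_SHA1_GUID:   "RSA2048 SHA1",
	CERT_X509_GUID:           "X509",
	CERT_SHA224_GUID:         "SHA224",
	CERT_SHA384_GUID:         "SHA384",
	CERT_SHA512_GUID:         "SHA512",
	CERT_X509_SHA256_GUID:    "X509 SHA256",
}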

Quick access list. Maybe a map[string]EFIGUID?

// WINCertTypeString gives the specification name of each known WINCertType
// value; the keys are the values of WIN_CERT_TYPE_PKCS_SIGNED_DATA,
// WIN_CERT_TYPE_EFI_PKCS1_15 and WIN_CERT_TYPE_EFI_GUID.
var WINCertTypeString = map[WINCertType]string{
	0x0002: "WIN_CERT_TYPE_PKCS_SIGNED_DATA",
	0x0EF0: "WIN_CERT_TYPE_EFI_PKCS1_15",
	0x0EF1: "WIN_CERT_TYPE_EFI_GUID",
}
var WIN_CERTIFICATE_REVISION uint16 = 0x0200

According to page 1705 of the UEFI Spec, February 2020.

Functions

func GetSupportedSignatures

func GetSupportedSignatures(f io.Reader) ([]util.EFIGUID, error)

Section 3.3 - Globally Defined Variables. An array of GUIDs representing the types of signatures supported by the platform firmware. Should be treated as read-only.

func WriteEFIVariableAuthencation2

func WriteEFIVariableAuthencation2(b *bytes.Buffer, e EFIVariableAuthentication2)

func WriteSignatureData

func WriteSignatureData(b io.Writer, s SignatureData)

func WriteSignatureDatabase

func WriteSignatureDatabase(b io.Writer, sigdb SignatureDatabase)

Writes a signature database, which contains a slice of SignatureLists.

func WriteSignatureList

func WriteSignatureList(b io.Writer, s SignatureList)

Writes a signature list

func WriteWinCertificate

func WriteWinCertificate(b *bytes.Buffer, w *WINCertificate)

func WriteWinCertificateUEFIGUID

func WriteWinCertificateUEFIGUID(b *bytes.Buffer, w *WinCertificateUEFIGUID)

Types

type CertType

type CertType string

type EFIVariableAuthentication

// EFIVariableAuthentication is the deprecated authenticated-variable
// descriptor (UEFI spec page 237), defined for completeness only. New code
// should use EFIVariableAuthentication2.
type EFIVariableAuthentication struct {
	MonotonicCount uint64
	AuthInfo       util.EFIGUID // WIN_CERTIFICATE_UEFI_GUID
}

Page 237. Deprecated, but defined because #reasons.

type EFIVariableAuthentication2

// EFIVariableAuthentication2 is the EFI_VARIABLE_AUTHENTICATION_2 descriptor
// (UEFI spec page 238, section 8.2.2). AuthInfo must carry the CertType
// EFI_CERT_TYPE_PKCS7_GUID; see NewSignedEFIVariable for producing one and
// ReadEFIVariableAuthencation2 / Unmarshal for parsing one.
type EFIVariableAuthentication2 struct {
	Time     util.EFITime           // timestamp component of the descriptor
	AuthInfo WinCertificateUEFIGUID // WIN_CERTIFICATE_UEFI_GUID wrapping the signature
}

Page 238. Only accepts the CertType EFI_CERT_TYPE_PKCS7_GUID.

func NewEFIVariableAuthentication2

func NewEFIVariableAuthentication2() *EFIVariableAuthentication2

Returns an EFIVariableAuthentication2 struct with no SignedData.

func NewSignedEFIVariable

func NewSignedEFIVariable(ctx *EFIVariableSigningContext) (*EFIVariableAuthentication2, error)

Uses EFIVariableAuthentication2. Section 8.2.2 - Using the EFI_VARIABLE_AUTHENTICATION_2 descriptor.

func ReadEFIVariableAuthencation2

func ReadEFIVariableAuthencation2(f io.Reader) (*EFIVariableAuthentication2, error)

func (*EFIVariableAuthentication2) Marshal

func (e *EFIVariableAuthentication2) Marshal(b *bytes.Buffer)

func (*EFIVariableAuthentication2) Unmarshal

func (e *EFIVariableAuthentication2) Unmarshal(b *bytes.Buffer) error

func (*EFIVariableAuthentication2) Verify

type EFIVariableAuthentication3

// EFIVariableAuthentication3 is the enhanced authenticated-variable descriptor
// header (UEFI spec page 238). Only used when
// EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS is set.
type EFIVariableAuthentication3 struct {
	Version      uint8
	Type         uint8
	MetadataSize uint32
	Flags        uint32
}

Page 238. Only used when EFI_VARIABLE_ENHANCED_AUTHENTICATED_ACCESS is set.

type EFIVariableSigningContext

// EFIVariableSigningContext carries the values used to produce a signed EFI
// variable write; see NewSignedEFIVariable.
type EFIVariableSigningContext struct {
	Cert    *x509.Certificate     // signing certificate
	Key     crypto.Signer         // private signing key; treat as a secret and keep it out of logs and serialized output
	Varname []byte                // variable name
	Attr    attributes.Attributes // variable attributes
	Guid    util.EFIGUID          // vendor GUID of the variable
	Data    []byte                // variable payload covered by the signature -- TODO confirm against NewSignedEFIVariable
}

Handles the values we use for EFI Variable signatures

type SignatureData

// SignatureData is one EFI_SIGNATURE_DATA entry of a SignatureList
// (UEFI spec section 32.4.1, page 1712): an owner GUID followed by the
// signature bytes. See ReadSignatureData and WriteSignatureData.
type SignatureData struct {
	Owner util.EFIGUID // owner GUID of the entry
	Data  []uint8      // signature bytes; their meaning depends on the enclosing list's SignatureType
}

Section 32.4.1 - Signature Database Page 1712

func ReadSignatureData

func ReadSignatureData(f io.Reader, size uint32) (*SignatureData, error)

func (*SignatureData) Bytes

func (sd *SignatureData) Bytes() []byte

type SignatureDatabase

type SignatureDatabase []*SignatureList

SignatureDatabase is a list of EFI signature lists

func NewSignatureDatabase

func NewSignatureDatabase() *SignatureDatabase

func ReadSignatureDatabase

func ReadSignatureDatabase(f io.Reader) (SignatureDatabase, error)

Reads several signature lists from an io.Reader. It assumes io.EOF means there are no more signatures to read, as opposed to an actual issue.

func (*SignatureDatabase) Append

func (sd *SignatureDatabase) Append(certtype util.EFIGUID, owner util.EFIGUID, data []byte) error

Appends the raw signature values to the database

func (*SignatureDatabase) AppendDatabase

func (sd *SignatureDatabase) AppendDatabase(s *SignatureDatabase)

Appends a signature database

func (*SignatureDatabase) AppendList

func (sd *SignatureDatabase) AppendList(sl *SignatureList)

Appends a signature list to the database. TODO: Should merge towards a fitting list?

func (*SignatureDatabase) AppendSignature

func (sd *SignatureDatabase) AppendSignature(certtype util.EFIGUID, sl *SignatureData) error

Appends a signature to the database. It will scan the database for the appropriate list to append itself to.

func (*SignatureDatabase) Bytes

func (sd *SignatureDatabase) Bytes() []byte

Serialize the Signature Database into bytes

func (*SignatureDatabase) Exists

func (sd *SignatureDatabase) Exists(certtype util.EFIGUID, siglist *SignatureList) bool

Checks if all signatures in a list are present in the signature database.

func (*SignatureDatabase) Marshal

func (sd *SignatureDatabase) Marshal(b *bytes.Buffer)

func (*SignatureDatabase) Remove

func (sd *SignatureDatabase) Remove(certtype util.EFIGUID, owner util.EFIGUID, data []byte) error

Removes the raw signature values from the database.

func (*SignatureDatabase) RemoveList

func (sd *SignatureDatabase) RemoveList(sl *SignatureList) error

Removes a signature list from the database

func (*SignatureDatabase) RemoveSignature

func (sd *SignatureDatabase) RemoveSignature(certtype util.EFIGUID, sl *SignatureData) error

Removes a signature from the database. It will scan the available lists for something to remove.

func (*SignatureDatabase) SigDataExists

func (sd *SignatureDatabase) SigDataExists(certtype util.EFIGUID, sigdata *SignatureData) bool

Checks if all signatures in a list are present in the signature database.

func (*SignatureDatabase) Unmarshal

func (sd *SignatureDatabase) Unmarshal(b *bytes.Buffer) error

type SignatureList

// SignatureList is an EFI_SIGNATURE_LIST (UEFI spec section 32.4.1, page 1713).
// The fixed header is SizeofSignatureList bytes; SignatureHeader and
// Signatures follow it.
//
// NOTE(review): when a list is produced by ReadSignatureList, the three size
// fields come straight from the input. Before they are used to size buffers
// or to iterate Signatures, a parser should check that ListSize is at least
// SizeofSignatureList+HeaderSize and that Size is at least the minimum
// EFI_SIGNATURE_DATA size -- confirm ReadSignatureList does so; its body is
// not shown here.
type SignatureList struct {
	SignatureType   util.EFIGUID
	ListSize        uint32          // Total size of the signature list, including this header
	HeaderSize      uint32          // Size of SignatureHead
	Size            uint32          // Size of each signature. At least the size of EFI_SIGNATURE_DATA
	SignatureHeader []uint8         // SignatureType defines the content of this header
	Signatures      []SignatureData // SignatureData List
}

Section 32.4.1 - Signature Database Page 1713

func NewSignatureList

func NewSignatureList(certtype util.EFIGUID) *SignatureList

func ReadSignatureList

func ReadSignatureList(f io.Reader) (*SignatureList, error)

Reads an EFI_SIGNATURE_LIST from an io.Reader. It will read until io.EOF. io.EOF should be somewhat expected if we are trying to read multiple lists, as they should be either at the end of the file or the entire file.

func (*SignatureList) AppendBytes

func (sl *SignatureList) AppendBytes(owner util.EFIGUID, data []byte) error

func (*SignatureList) AppendSignature

func (sl *SignatureList) AppendSignature(s SignatureData) error

func (*SignatureList) Bytes

func (sl *SignatureList) Bytes() []byte

func (*SignatureList) CmpHeader

func (sl *SignatureList) CmpHeader(siglist *SignatureList) bool

Compares the signature lists' headers to see if they are the same type of list. This is useful when deciding whether the lists can be merged.

func (*SignatureList) Exists

func (sl *SignatureList) Exists(sigdata *SignatureData) (bool, int)

Checks if the signature exists in the signature list. Returns true if it does, along with its index.

func (*SignatureList) ExistsInList

func (sl *SignatureList) ExistsInList(siglist *SignatureList) bool

func (*SignatureList) RemoveBytes

func (sl *SignatureList) RemoveBytes(owner util.EFIGUID, data []byte) error

func (*SignatureList) RemoveSignature

func (sl *SignatureList) RemoveSignature(s SignatureData) error

type WINCertType

// WINCertType is the certificate type field of a WINCertificate; see
// WINCertTypeString for the known values' names.
type WINCertType uint16
// Known WINCertType values (UEFI spec page 1705); 0x0EF0 to 0x0EFF is the
// reserved range.
//
// NOTE(review): declared as vars rather than consts, so reassignable at
// runtime; nothing on this page requires that.
var (
	WIN_CERT_TYPE_PKCS_SIGNED_DATA WINCertType = 0x0002
	WIN_CERT_TYPE_EFI_PKCS1_15     WINCertType = 0x0EF0
	WIN_CERT_TYPE_EFI_GUID         WINCertType = 0x0EF1
)

Page 1705. 0x0EF0 to 0x0EFF is the reserved range.

type WINCertificate

// WINCertificate is the PE/COFF WIN_CERTIFICATE structure used for signing
// (UEFI spec page 1705). The fixed header is SizeofWINCertificate bytes.
//
// NOTE(review): when read by ReadWinCertificate, Length comes from the input;
// confirm the reader bounds it before using it to size Certificate.
type WINCertificate struct {
	Length      uint32      // length field of the header
	Revision    uint16      // expected to equal WIN_CERTIFICATE_REVISION
	CertType    WINCertType // see WINCertTypeString
	Certificate []uint8     // certificate payload
}

PE/COFF structure for signing. Page 1705.

func ReadWinCertificate

func ReadWinCertificate(f io.Reader) (WINCertificate, error)

type WinCertificateUEFIGUID

// WinCertificateUEFIGUID is the WIN_CERTIFICATE_UEFI_GUID structure (UEFI spec
// page 1707): a WINCertificate header followed by a CertType GUID and the
// certificate data. The fixed part is SizeofWinCertificateUEFIGUID bytes.
// Presumably Header.CertType is WIN_CERT_TYPE_EFI_GUID for this layout --
// confirm against ReadWinCertificateUEFIGUID.
type WinCertificateUEFIGUID struct {
	Header   WINCertificate
	CertType util.EFIGUID // One of the EFI_CERT types
	CertData []uint8
}

Should implement an interface. Page 1707.

func ReadWinCertificateUEFIGUID

func ReadWinCertificateUEFIGUID(f io.Reader) (WinCertificateUEFIGUID, error)
