efisecdb: annotate hashes and certs better

This changes the annotated output for certs from:

0000002c                                       30 82 05 a4              |0...|  esl[0].signature[0].data (end:0x000005d4)
00000030  30 82 03 8c a0 03 02 01  02 02 13 33 00 00 00 16  |0..........3....|
00000040  36 bf 36 89 9f 15 75 cc  00 00 00 00 00 16 30 0d  |6.6...u.......0.|
00000050  06 09 2a 86 48 86 f7 0d  01 01 0b 05 00 30 5a 31  |..*.H........0Z1|

to:

0000002c                                                                        esl[0].signature[0].data (end:0x000005d4)
0000002c                                       30 82 05 a4              |0...|  /C=US/O=Microsoft Corporation/CN=Microsoft UEFI CA 2023
00000030  30 82 03 8c a0 03 02 01  02 02 13 33 00 00 00 16  |0..........3....|
00000040  36 bf 36 89 9f 15 75 cc  00 00 00 00 00 16 30 0d  |6.6...u.......0.|
00000050  06 09 2a 86 48 86 f7 0d  01 01 0b 05 00 30 5a 31  |..*.H........0Z1|

and for simple digests from:

0000002c                                       80 b4 d9 69              |...i|  esl[0].signature[0].data (end:0x0000004c)
00000030  31 bf 0d 02 fd 91 a6 1e  19 d1 4f 1d a4 52 e6 6d  |1.........O..R.m|
00000040  b2 40 8c a8 60 4d 41 1f  92 65 9f 0a              |.@..`MA..e..|

to:

0000002c                                                                        esl[0].signature[0].data (end:0x0000004c)
0000002c                                       80 b4 d9 69              |...i|  SHA256:80b4d96931bf0d02fd91a61e19d14f1da452e66db2408ca8604d411f92659f0a
00000030  31 bf 0d 02 fd 91 a6 1e  19 d1 4f 1d a4 52 e6 6d  |1.........O..R.m|
00000040  b2 40 8c a8 60 4d 41 1f  92 65 9f 0a              |.@..`MA..e..|

Signed-off-by: Peter Jones <pjones@redhat.com>

Author: vathpela

src/Makefile

@@ -119,12 +119,12 @@ libefisec.so : | libefisec.map
 libefisec.so : private MAP=libefisec.map
 
 efisecdb : $(EFISECDB_OBJECTS) | libefisec.so
-efisecdb : private LIBS=efivar efisec dl
+efisecdb : private LIBS=crypto efivar efisec dl
 
 efisecdb-static : $(EFISECDB_OBJECTS)
 efisecdb-static : $(patsubst %.o,%.static.o,$(LIBEFISEC_OBJECTS) $(LIBEFIVAR_OBJECTS))
 efisecdb-static : | $(GENERATED_SOURCES)
-efisecdb-static : private LIBS=dl
+efisecdb-static : private LIBS=crypto dl
 
 thread-test : libefivar.so
 # make sure we don't propagate CFLAGS to object files used by 'libefivar.so'

src/secdb-dump.c

@@ -7,6 +7,8 @@
 #include "efisec.h"
 #include "hexdump.h"
 
+#include <openssl/x509.h>
+
 #undef DEBUG_LEVEL
 #define DEBUG_LEVEL LOG_DEBUG_DUMPER
 
@@ -175,11 +177,85 @@ secdb_dump_esl(efi_secdb_t *secdb, int esl, ssize_t offset)
 	return offset;
 }
 
+static int
+fmt_digest(char *buf, size_t bufsz, efi_secdb_type_t algorithm,
+	   uint8_t *data, size_t datasz)
+{
+	int pos = 0;
+	int rc;
+
+	const char * const alg_names[EFI_SECDB_TYPE_MAX] = {
+		[EFI_SECDB_TYPE_SHA1] = "SHA1",
+		[EFI_SECDB_TYPE_SHA224] = "SHA224",
+		[EFI_SECDB_TYPE_SHA256] = "SHA256",
+		[EFI_SECDB_TYPE_SHA384] = "SHA384",
+		[EFI_SECDB_TYPE_SHA512] = "SHA512",
+	};
+
+	if (algorithm < 0 || algorithm > EFI_SECDB_TYPE_SHA512) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (datasz != efi_secdb_algs_[algorithm].size) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	datasz = MIN(efi_secdb_algs_[algorithm].size, datasz);
+	if (bufsz == 0) {
+		return strlen(alg_names[algorithm]) // string
+			+ 1 // colon
+			+ datasz * 2 // hex
+			+ 1; // NUL
+	}
+	rc = snprintf(&buf[pos], bufsz-pos, "%s:", alg_names[algorithm]);
+	if (rc < 0)
+		return rc;
+	pos += rc;
+	for (size_t i = 0; i < datasz && (i * 2 + 1) < bufsz; i++) {
+		rc = snprintf(&buf[pos], bufsz-pos, "%02x", data[i]);
+		if (rc < 0)
+			return rc;
+		pos += rc;
+	}
+
+	return pos;
+}
+
+static int
+fmt_x509_cert(char *buf, size_t bufsz, uint8_t *data, size_t datasz)
+{
+	X509 *cert = NULL;
+	X509_NAME *subject = NULL;
+
+	cert = d2i_X509(NULL, (const unsigned char **)&data, datasz);
+	if (!cert)
+		return 0;
+
+	subject = X509_get_subject_name(cert);
+	if (!subject)
+		goto err;
+
+	X509_NAME_oneline(subject, buf, bufsz);
+	buf[bufsz-1] = '\0';
+	X509_free(cert);
+	return strlen(buf) + 1;
+err:
+	if (cert) {
+		X509_free(cert);
+		cert = NULL;
+	}
+	return 0;
+}
+
 static inline ssize_t
-secdb_dump_esd(secdb_entry_t *entry, int esl, int esd, size_t data_size,
-               ssize_t offset)
+secdb_dump_esd(secdb_entry_t *entry, efi_secdb_type_t algorithm, int esl,
+	       int esd, size_t data_size, ssize_t offset)
 {
 	char *id_guid = NULL;
+	char buf[1024] = "";
+	int rc = 0;
 
 	efi_guid_to_id_guid(&entry->owner, &id_guid);
 	offset = secdb_dump_value((char *)&entry->owner,
@@ -189,9 +265,36 @@ secdb_dump_esd(secdb_entry_t *entry, int esl, int esd, size_t data_size,
 	xfree(id_guid);
 	if (offset < 0)
 		return offset;
-	offset = secdb_dump_value((char *)&entry->data, data_size, offset,
-				  "esl[%d].signature[%d].data (end:0x%08zx)",
+
+	debug("formatting algorithm %d", algorithm);
+	switch(algorithm) {
+		case EFI_SECDB_TYPE_SHA1:
+		case EFI_SECDB_TYPE_SHA224:
+		case EFI_SECDB_TYPE_SHA256:
+		case EFI_SECDB_TYPE_SHA384:
+		case EFI_SECDB_TYPE_SHA512:
+			rc = fmt_digest(buf, sizeof(buf), algorithm,
+					entry->data.raw, data_size);
+
+			break;
+		case EFI_SECDB_TYPE_X509_CERT:
+			rc = fmt_x509_cert(buf, sizeof(buf),
+					   entry->data.raw, data_size);
+			break;
+		default:
+			break;
+	};
+	if (rc > 0) {
+		secdb_dump_value((char *)&entry->data, 0, offset,
+				 "esl[%d].signature[%d].data (end:0x%08zx)",
 				  esl, esd, offset+data_size);
+		offset = secdb_dump_value((char *)&entry->data, data_size,
+					  offset, "%s", buf);
+	} else {
+		offset = secdb_dump_value((char *)&entry->data, data_size,
+				offset, "esl[%d].signature[%d].data (end:0x%08zx) %s",
+				esl, esd, offset+data_size);
+	}
 	return offset;
 }
 
@@ -238,7 +341,8 @@ secdb_dump(efi_secdb_t *secdb, bool annotations)
 			debug("esl[%d].esd[%d]:%p owner:%p data:%p-%p datasz:%zd",
 			      esln, esdn, esd, &esd->owner,
 			      &esd->data, &esd->data+datasz, datasz);
-			offset = secdb_dump_esd(esd, esln, esdn, datasz, offset);
+			offset = secdb_dump_esd(esd, esl->algorithm, esln,
+						esdn, datasz, offset);
 			esdn += 1;
 			if (offset < 0)
 				break;

tests/test.esl.annotation.esl.goal.txt

@@ -5,22 +5,26 @@
 0000001c                                                                        esl[0].signature_header (end:0x0000001c)
 0000001c                                       db ed 23 02              |..#.|  esl[0].signature[0].owner = {redhat}
 00000020  79 90 88 43 af 77 2d 65  b1 c3 5d 3b              |y..C.w-e..];|    
-0000002c                                       87 42 8f c5              |.B..|  esl[0].signature[0].data (end:0x0000004c)
+0000002c                                                                        esl[0].signature[0].data (end:0x0000004c)
+0000002c                                       87 42 8f c5              |.B..|  SHA256:87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7
 00000030  22 80 3d 31 06 5e 7b ce  3c f0 3f e4 75 09 66 31  |".=1.^{.<.?.u.f1|
 00000040  e5 e0 7b bd 7a 0f de 60  c4 cf 25 c7              |..{.z..`..%.|    
 0000004c                                       db ed 23 02              |..#.|  esl[0].signature[1].owner = {redhat}
 00000050  79 90 88 43 af 77 2d 65  b1 c3 5d 3b              |y..C.w-e..];|    
-0000005c                                       02 63 82 99              |.c..|  esl[0].signature[1].data (end:0x0000007c)
+0000005c                                                                        esl[0].signature[1].data (end:0x0000007c)
+0000005c                                       02 63 82 99              |.c..|  SHA256:0263829989b6fd954f72baaf2fc64bc2e2f01d692d4de72986ea808f6e99813f
 00000060  89 b6 fd 95 4f 72 ba af  2f c6 4b c2 e2 f0 1d 69  |....Or../.K....i|
 00000070  2d 4d e7 29 86 ea 80 8f  6e 99 81 3f              |-M.)....n..?|    
 0000007c                                       db ed 23 02              |..#.|  esl[0].signature[2].owner = {redhat}
 00000080  79 90 88 43 af 77 2d 65  b1 c3 5d 3b              |y..C.w-e..];|    
-0000008c                                       8d 74 be ec              |.t..|  esl[0].signature[2].data (end:0x000000ac)
+0000008c                                                                        esl[0].signature[2].data (end:0x000000ac)
+0000008c                                       8d 74 be ec              |.t..|  SHA256:8d74beec1be996322ad76813bafb92d40839895d6dd7ee808b17ca201eac98be
 00000090  1b e9 96 32 2a d7 68 13  ba fb 92 d4 08 39 89 5d  |...2*.h......9.]|
 000000a0  6d d7 ee 80 8b 17 ca 20  1e ac 98 be              |m...... ....|    
 000000ac                                       db ed 23 02              |..#.|  esl[0].signature[3].owner = {redhat}
 000000b0  79 90 88 43 af 77 2d 65  b1 c3 5d 3b              |y..C.w-e..];|    
-000000bc                                       a3 a5 e7 15              |....|  esl[0].signature[3].data (end:0x000000dc)
+000000bc                                                                        esl[0].signature[3].data (end:0x000000dc)
+000000bc                                       a3 a5 e7 15              |....|  SHA256:a3a5e715f0cc574a73c3f9bebb6bc24f32ffd5b67b387244c2c909da779a1478
 000000c0  f0 cc 57 4a 73 c3 f9 be  bb 6b c2 4f 32 ff d5 b6  |..WJs....k.O2...|
 000000d0  7b 38 72 44 c2 c9 09 da  77 9a 14 78              |{8rD....w..x|    
 000000dc

tests/test.parse.db.var.goal.txt

@@ -5,7 +5,8 @@
 0000001c                                                                        esl[0].signature_header (end:0x0000001c)
 0000001c                                       bd 9a fa 77              |...w|  esl[0].signature[0].owner = {microsoft}
 00000020  59 03 32 4d bd 60 28 f4  e7 8f 78 4b              |Y.2M.`(...xK|    
-0000002c                                       30 82 06 10              |0...|  esl[0].signature[0].data (end:0x00000640)
+0000002c                                                                        esl[0].signature[0].data (end:0x00000640)
+0000002c                                       30 82 06 10              |0...|  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 00000030  30 82 03 f8 a0 03 02 01  02 02 0a 61 08 d3 c4 00  |0..........a....|
 00000040  00 00 00 00 04 30 0d 06  09 2a 86 48 86 f7 0d 01  |.....0...*.H....|
 00000050  01 0b 05 00 30 81 91 31  0b 30 09 06 03 55 04 06  |....0..1.0...U..|
@@ -110,7 +111,8 @@
 0000065c                                                                        esl[1].signature_header (end:0x0000065c)
 0000065c                                       bd 9a fa 77              |...w|  esl[1].signature[0].owner = {microsoft}
 00000660  59 03 32 4d bd 60 28 f4  e7 8f 78 4b              |Y.2M.`(...xK|    
-0000066c                                       30 82 05 d7              |0...|  esl[1].signature[0].data (end:0x00000c47)
+0000066c                                                                        esl[1].signature[0].data (end:0x00000c47)
+0000066c                                       30 82 05 d7              |0...|  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
 00000670  30 82 03 bf a0 03 02 01  02 02 0a 61 07 76 56 00  |0..........a.vV.|
 00000680  00 00 00 00 08 30 0d 06  09 2a 86 48 86 f7 0d 01  |.....0...*.H....|
 00000690  01 0b 05 00 30 81 88 31  0b 30 09 06 03 55 04 06  |....0..1.0...U..|
@@ -214,7 +216,8 @@
 00000c63                                                                        esl[2].signature_header (end:0x00000c63)
 00000c63           51 48 dc 26 5f  19 e1 4a 9a 19 fb f8 83     |QH.&_..J.....|  esl[2].signature[0].owner = {supermicro}
 00000c70  bb b3 5e                                          |..^|             
-00000c73           30 82 04 17 30  82 02 ff a0 03 02 01 02     |0...0........|  esl[2].signature[0].data (end:0x0000108e)
+00000c73                                                                        esl[2].signature[0].data (end:0x0000108e)
+00000c73           30 82 04 17 30  82 02 ff a0 03 02 01 02     |0...0........|  /CN=Unco\xC3\xB6perative Secure Boot Signer/OU=The Unco\xC3\xB6perative CA/O=The Unco\xC3\xB6perative Organization
 00000c80  02 11 00 b9 36 b3 dd 63  21 4c 30 ae 31 b4 2f 0a  |....6..c!L0.1./.|
 00000c90  48 36 0d 30 0d 06 09 2a  86 48 86 f7 0d 01 01 0b  |H6.0...*.H......|
 00000ca0  05 00 30 72 31 26 30 24  06 03 55 04 03 0c 1d 55  |..0r1&0$..U....U|
@@ -289,7 +292,8 @@
 000010aa                                                                        esl[3].signature_header (end:0x000010aa)
 000010aa                                 91 30 05 3b 9f 6c            |.0.;.l|  esl[3].signature[0].owner = {asus}
 000010b0  cc 04 b1 ac e2 a5 1e 3b  e5 f5                    |.......;..|      
-000010ba                                 30 82 03 52 30 82            |0..R0.|  esl[3].signature[0].data (end:0x00001410)
+000010ba                                                                        esl[3].signature[0].data (end:0x00001410)
+000010ba                                 30 82 03 52 30 82            |0..R0.|  /CN=ASUSTeK MotherBoard SW Key Certificate
 000010c0  02 3a a0 03 02 01 02 02  10 da 83 b9 90 42 2e bc  |.:...........B..|
 000010d0  8c 44 1f 8d 8b 03 9a 65  a2 30 0d 06 09 2a 86 48  |.D.....e.0...*.H|
 000010e0  86 f7 0d 01 01 0b 05 00  30 31 31 2f 30 2d 06 03  |........011/0-..|
@@ -350,7 +354,8 @@
 0000142c                                                                        esl[4].signature_header (end:0x0000142c)
 0000142c                                       91 30 05 3b              |.0.;|  esl[4].signature[0].owner = {asus}
 00001430  9f 6c cc 04 b1 ac e2 a5  1e 3b e5 f5              |.l.......;..|    
-0000143c                                       30 82 03 49              |0..I|  esl[4].signature[0].data (end:0x00001789)
+0000143c                                                                        esl[4].signature[0].data (end:0x00001789)
+0000143c                                       30 82 03 49              |0..I|  /CN=ASUSTeK Notebook SW Key Certificate
 00001440  30 82 02 31 a0 03 02 01  02 02 10 b8 e5 81 e4 df  |0..1............|
 00001450  77 a5 bb 42 82 d5 cc fc  00 c0 71 30 0d 06 09 2a  |w..B......q0...*|
 00001460  86 48 86 f7 0d 01 01 0b  05 00 30 2e 31 2c 30 2a  |.H........0.1,0*|
@@ -413,7 +418,8 @@
 000017a5                                                                        esl[5].signature_header (end:0x000017a5)
 000017a5                 e4 0a c4  6d e8 2e 4c 9c a3 14 0f       |...m..L....|  esl[5].signature[0].owner = {canonical}
 000017b0  c7 b2 00 87 10                                    |.....|           
-000017b5                 30 82 04  34 30 82 03 1c a0 03 02       |0..40......|  esl[5].signature[0].data (end:0x00001bed)
+000017b5                                                                        esl[5].signature[0].data (end:0x00001bed)
+000017b5                 30 82 04  34 30 82 03 1c a0 03 02       |0..40......|  /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
 000017c0  01 02 02 09 00 b9 41 24  a0 18 2c 92 67 30 0d 06  |......A$..,.g0..|
 000017d0  09 2a 86 48 86 f7 0d 01  01 0b 05 00 30 81 84 31  |.*.H........0..1|
 000017e0  0b 30 09 06 03 55 04 06  13 02 47 42 31 14 30 12  |.0...U....GB1.0.|
@@ -490,27 +496,32 @@
 00001c09                                                                        esl[6].signature_header (end:0x00001c09)
 00001c09                              00 00 00 00 00 00 00           |.......|  esl[6].signature[0].owner = {zero}
 00001c10  00 00 00 00 00 00 00 00  00                       |.........|       
-00001c19                              f5 8f bd f7 1b e8 c3           |.......|  esl[6].signature[0].data (end:0x00001c39)
+00001c19                                                                        esl[6].signature[0].data (end:0x00001c39)
+00001c19                              f5 8f bd f7 1b e8 c3           |.......|  SHA256:f58fbdf71be8c37cbbd6944e472c450b1043817b972914487c221033f3079e43
 00001c20  7c bb d6 94 4e 47 2c 45  0b 10 43 81 7b 97 29 14  ||...NG,E..C.{.).|
 00001c30  48 7c 22 10 33 f3 07 9e  43                       |H|".3...C|       
 00001c39                              00 00 00 00 00 00 00           |.......|  esl[6].signature[1].owner = {zero}
 00001c40  00 00 00 00 00 00 00 00  00                       |.........|       
-00001c49                              04 97 01 57 de 52 cd           |...W.R.|  esl[6].signature[1].data (end:0x00001c69)
+00001c49                                                                        esl[6].signature[1].data (end:0x00001c69)
+00001c49                              04 97 01 57 de 52 cd           |...W.R.|  SHA256:04970157de52cdae14cf17ee369881d6245b3a6ab6352eabaee588a0584b0303
 00001c50  ae 14 cf 17 ee 36 98 81  d6 24 5b 3a 6a b6 35 2e  |.....6...$[:j.5.|
 00001c60  ab ae e5 88 a0 58 4b 03  03                       |.....XK..|       
 00001c69                              00 00 00 00 00 00 00           |.......|  esl[6].signature[2].owner = {zero}
 00001c70  00 00 00 00 00 00 00 00  00                       |.........|       
-00001c79                              f1 6b 5f c3 61 18 3f           |.k_.a.?|  esl[6].signature[2].data (end:0x00001c99)
+00001c79                                                                        esl[6].signature[2].data (end:0x00001c99)
+00001c79                              f1 6b 5f c3 61 18 3f           |.k_.a.?|  SHA256:f16b5fc361183f587120e602c0d65773afdfe786124184fa70805258d76d594c
 00001c80  58 71 20 e6 02 c0 d6 57  73 af df e7 86 12 41 84  |Xq ....Ws.....A.|
 00001c90  fa 70 80 52 58 d7 6d 59  4c                       |.p.RX.mYL|       
 00001c99                              00 00 00 00 00 00 00           |.......|  esl[6].signature[3].owner = {zero}
 00001ca0  00 00 00 00 00 00 00 00  00                       |.........|       
-00001ca9                              7e 02 1f 15 e3 a6 7b           |~.....{|  esl[6].signature[3].data (end:0x00001cc9)
+00001ca9                                                                        esl[6].signature[3].data (end:0x00001cc9)
+00001ca9                              7e 02 1f 15 e3 a6 7b           |~.....{|  SHA256:7e021f15e3a67b75ace884999bedffe34213792a611e40e562e87e6b9a0cb282
 00001cb0  75 ac e8 84 99 9b ed ff  e3 42 13 79 2a 61 1e 40  |u........B.y*a.@|
 00001cc0  e5 62 e8 7e 6b 9a 0c b2  82                       |.b.~k....|       
 00001cc9                              00 00 00 00 00 00 00           |.......|  esl[6].signature[4].owner = {zero}
 00001cd0  00 00 00 00 00 00 00 00  00                       |.........|       
-00001cd9                              a5 d1 09 b2 af a3 fa           |.......|  esl[6].signature[4].data (end:0x00001cf9)
+00001cd9                                                                        esl[6].signature[4].data (end:0x00001cf9)
+00001cd9                              a5 d1 09 b2 af a3 fa           |.......|  SHA256:a5d109b2afa3fa90878f70382b2388fcd2feaeae8a51b80add048e9f876b2a4e
 00001ce0  90 87 8f 70 38 2b 23 88  fc d2 fe ae ae 8a 51 b8  |...p8+#.......Q.|
 00001cf0  0a dd 04 8e 9f 87 6b 2a  4e                       |......k*N|       
 00001cf9