summaryrefslogtreecommitdiff
path: root/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7.c
diff options
context:
space:
mode:
Diffstat (limited to 'CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7.c')
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7.c368
1 files changed, 305 insertions, 63 deletions
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7.c
index 1617642323..036412af59 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7.c
@@ -57,7 +57,7 @@ X509VerifyCb (
//
if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||
(Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {
- Obj = (X509_OBJECT *) OPENSSL_malloc (sizeof (X509_OBJECT));
+ Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));
if (Obj == NULL) {
return 0;
}
@@ -224,7 +224,7 @@ Pkcs7Sign (
goto _Exit;
}
- P7Data = OPENSSL_malloc (P7DataSize);
+ P7Data = malloc (P7DataSize);
if (P7Data == NULL) {
Status = FALSE;
goto _Exit;
@@ -238,7 +238,7 @@ Pkcs7Sign (
// is totally 19 bytes.
//
*SignedDataSize = P7DataSize - 19;
- *SignedData = OPENSSL_malloc (*SignedDataSize);
+ *SignedData = malloc (*SignedDataSize);
if (*SignedData == NULL) {
Status = FALSE;
OPENSSL_free (P7Data);
@@ -278,69 +278,35 @@ _Exit:
}
/**
- Verifies the validility of a PKCS#7 signed data as described in "PKCS #7:
- Cryptographic Message Syntax Standard". The input signed data could be wrapped
- in a ContentInfo structure.
-
- If P7Data, TrustedCert or InData is NULL, then return FALSE.
- If P7Length, CertLength or DataLength overflow, then return FAlSE.
+ Check input P7Data is a wrapped ContentInfo structure or not. If not construct
+ a new structure to wrap P7Data.
@param[in] P7Data Pointer to the PKCS#7 message to verify.
@param[in] P7Length Length of the PKCS#7 message in bytes.
- @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which
- is used for certificate chain verification.
- @param[in] CertLength Length of the trusted certificate in bytes.
- @param[in] InData Pointer to the content to be verified.
- @param[in] DataLength Length of InData in bytes.
-
- @retval TRUE The specified PKCS#7 signed data is valid.
- @retval FALSE Invalid PKCS#7 signed data.
+ @param[out] WrapFlag If TRUE P7Data is a ContentInfo structure, otherwise
+ return FALSE.
+ @param[out] WrapData If return status of this function is TRUE:
+ 1) when WrapFlag is TRUE, pointer to P7Data.
+ 2) when WrapFlag is FALSE, pointer to a new ContentInfo
+ structure. It's caller's responsibility to free this
+ buffer.
+ @param[out] WrapDataSize Length of ContentInfo structure in bytes.
+
+ @retval TRUE The operation is finished successfully.
+ @retval FALSE The operation is failed due to lack of resources.
**/
BOOLEAN
-EFIAPI
-Pkcs7Verify (
+WrapPkcs7Data (
IN CONST UINT8 *P7Data,
IN UINTN P7Length,
- IN CONST UINT8 *TrustedCert,
- IN UINTN CertLength,
- IN CONST UINT8 *InData,
- IN UINTN DataLength
+ OUT BOOLEAN *WrapFlag,
+ OUT UINT8 **WrapData,
+ OUT UINTN *WrapDataSize
)
{
- PKCS7 *Pkcs7;
- BIO *CertBio;
- BIO *DataBio;
- BOOLEAN Status;
- X509 *Cert;
- X509_STORE *CertStore;
- UINT8 *SignedData;
- UINT8 *Temp;
- UINTN SignedDataSize;
- BOOLEAN Wrapped;
-
- //
- // Check input parameters.
- //
- if (P7Data == NULL || TrustedCert == NULL || InData == NULL ||
- P7Length > INT_MAX || CertLength > INT_MAX || DataLength > INT_MAX) {
- return FALSE;
- }
-
- Status = FALSE;
- Pkcs7 = NULL;
- CertBio = NULL;
- DataBio = NULL;
- Cert = NULL;
- CertStore = NULL;
-
- //
- // Register & Initialize necessary digest algorithms for PKCS#7 Handling
- //
- EVP_add_digest (EVP_md5());
- EVP_add_digest (EVP_sha1());
- EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA);
- EVP_add_digest (EVP_sha256());
+ BOOLEAN Wrapped;
+ UINT8 *SignedData;
//
// Check whether input P7Data is a wrapped ContentInfo structure or not.
@@ -355,18 +321,21 @@ Pkcs7Verify (
}
if (Wrapped) {
- SignedData = (UINT8 *) P7Data;
- SignedDataSize = P7Length;
+ *WrapData = (UINT8 *) P7Data;
+ *WrapDataSize = P7Length;
} else {
//
// Wrap PKCS#7 signeddata to a ContentInfo structure - add a header in 19 bytes.
//
- SignedDataSize = P7Length + 19;
- SignedData = OPENSSL_malloc (SignedDataSize);
- if (SignedData == NULL) {
+ *WrapDataSize = P7Length + 19;
+ *WrapData = malloc (*WrapDataSize);
+ if (*WrapData == NULL) {
+ *WrapFlag = Wrapped;
return FALSE;
}
+ SignedData = *WrapData;
+
//
// Part1: 0x30, 0x82.
//
@@ -376,8 +345,8 @@ Pkcs7Verify (
//
// Part2: Length1 = P7Length + 19 - 4, in big endian.
//
- SignedData[2] = (UINT8) (((UINT16) (SignedDataSize - 4)) >> 8);
- SignedData[3] = (UINT8) (((UINT16) (SignedDataSize - 4)) & 0xff);
+ SignedData[2] = (UINT8) (((UINT16) (*WrapDataSize - 4)) >> 8);
+ SignedData[3] = (UINT8) (((UINT16) (*WrapDataSize - 4)) & 0xff);
//
// Part3: 0x06, 0x09.
@@ -407,6 +376,279 @@ Pkcs7Verify (
//
CopyMem (SignedData + 19, P7Data, P7Length);
}
+
+ *WrapFlag = Wrapped;
+ return TRUE;
+}
+
+/**
+ Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7:
+ Cryptographic Message Syntax Standard". The input signed data could be wrapped
+ in a ContentInfo structure.
+
+ If P7Data, CertStack, StackLength, TrustedCert or CertLength is NULL, then
+ return FALSE. If P7Length overflow, then return FAlSE.
+
+ @param[in] P7Data Pointer to the PKCS#7 message to verify.
+ @param[in] P7Length Length of the PKCS#7 message in bytes.
+ @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data.
+ It's caller's responsiblity to free the buffer.
+ @param[out] StackLength Length of signer's certificates in bytes.
+ @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates.
+ It's caller's responsiblity to free the buffer.
+ @param[out] CertLength Length of the trusted certificate in bytes.
+
+ @retval TRUE The operation is finished successfully.
+ @retval FALSE Error occurs during the operation.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetSigners (
+ IN CONST UINT8 *P7Data,
+ IN UINTN P7Length,
+ OUT UINT8 **CertStack,
+ OUT UINTN *StackLength,
+ OUT UINT8 **TrustedCert,
+ OUT UINTN *CertLength
+ )
+{
+ PKCS7 *Pkcs7;
+ BOOLEAN Status;
+ UINT8 *SignedData;
+ UINT8 *Temp;
+ UINTN SignedDataSize;
+ BOOLEAN Wrapped;
+ STACK_OF(X509) *Stack;
+ UINT8 Index;
+ UINT8 *CertBuf;
+ UINT8 *OldBuf;
+ UINTN BufferSize;
+ UINTN OldSize;
+ UINT8 *SingleCert;
+ UINTN SingleCertSize;
+
+ if ((P7Data == NULL) || (CertStack == NULL) || (StackLength == NULL) ||
+ (TrustedCert == NULL) || (CertLength == NULL) || (P7Length > INT_MAX)) {
+ return FALSE;
+ }
+
+ Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);
+ if (!Status) {
+ return Status;
+ }
+
+ Status = FALSE;
+ Pkcs7 = NULL;
+ Stack = NULL;
+ CertBuf = NULL;
+ OldBuf = NULL;
+ SingleCert = NULL;
+
+ //
+ // Retrieve PKCS#7 Data (DER encoding)
+ //
+ if (SignedDataSize > INT_MAX) {
+ goto _Exit;
+ }
+
+ Temp = SignedData;
+ Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) SignedDataSize);
+ if (Pkcs7 == NULL) {
+ goto _Exit;
+ }
+
+ //
+ // Check if it's PKCS#7 Signed Data (for Authenticode Scenario)
+ //
+ if (!PKCS7_type_is_signed (Pkcs7)) {
+ goto _Exit;
+ }
+
+ Stack = PKCS7_get0_signers(Pkcs7, NULL, PKCS7_BINARY);
+ if (Stack == NULL) {
+ goto _Exit;
+ }
+
+ //
+ // Convert CertStack to buffer in following format:
+ // UINT8 CertNumber;
+ // UINT32 Cert1Length;
+ // UINT8 Cert1[];
+ // UINT32 Cert2Length;
+ // UINT8 Cert2[];
+ // ...
+ // UINT32 CertnLength;
+ // UINT8 Certn[];
+ //
+ BufferSize = sizeof (UINT8);
+ OldSize = BufferSize;
+
+ for (Index = 0; ; Index++) {
+ Status = X509PopCertificate (Stack, &SingleCert, &SingleCertSize);
+ if (!Status) {
+ break;
+ }
+
+ OldSize = BufferSize;
+ OldBuf = CertBuf;
+ BufferSize = OldSize + SingleCertSize + sizeof (UINT32);
+ CertBuf = malloc (BufferSize);
+
+ if (CertBuf == NULL) {
+ goto _Exit;
+ }
+
+ if (OldBuf != NULL) {
+ CopyMem (CertBuf, OldBuf, OldSize);
+ free (OldBuf);
+ OldBuf = NULL;
+ }
+
+ WriteUnaligned32 ((UINT32 *) (CertBuf + OldSize), (UINT32) SingleCertSize);
+ CopyMem (CertBuf + OldSize + sizeof (UINT32), SingleCert, SingleCertSize);
+
+ free (SingleCert);
+ SingleCert = NULL;
+ }
+
+ if (CertBuf != NULL) {
+ //
+ // Update CertNumber.
+ //
+ CertBuf[0] = Index;
+
+ *CertLength = BufferSize - OldSize - sizeof (UINT32);
+ *TrustedCert = malloc (*CertLength);
+ if (*TrustedCert == NULL) {
+ goto _Exit;
+ }
+
+ CopyMem (*TrustedCert, CertBuf + OldSize + sizeof (UINT32), *CertLength);
+ *CertStack = CertBuf;
+ *StackLength = BufferSize;
+ Status = TRUE;
+ }
+
+_Exit:
+ //
+ // Release Resources
+ //
+ if (!Wrapped) {
+ free (SignedData);
+ }
+
+ if (Pkcs7 != NULL) {
+ PKCS7_free (Pkcs7);
+ }
+
+ if (Stack != NULL) {
+ sk_X509_pop_free(Stack, X509_free);
+ }
+
+ if (SingleCert != NULL) {
+ free (SingleCert);
+ }
+
+ if (!Status && (CertBuf != NULL)) {
+ free (CertBuf);
+ *CertStack = NULL;
+ }
+
+ if (OldBuf != NULL) {
+ free (OldBuf);
+ }
+
+ return Status;
+}
+
+/**
+ Wrap function to use free() to free allocated memory for certificates.
+
+ @param[in] Certs Pointer to the certificates to be freed.
+
+**/
+VOID
+EFIAPI
+Pkcs7FreeSigners (
+ IN UINT8 *Certs
+ )
+{
+ if (Certs == NULL) {
+ return;
+ }
+
+ free (Certs);
+}
+
+/**
+ Verifies the validility of a PKCS#7 signed data as described in "PKCS #7:
+ Cryptographic Message Syntax Standard". The input signed data could be wrapped
+ in a ContentInfo structure.
+
+ If P7Data, TrustedCert or InData is NULL, then return FALSE.
+ If P7Length, CertLength or DataLength overflow, then return FAlSE.
+
+ @param[in] P7Data Pointer to the PKCS#7 message to verify.
+ @param[in] P7Length Length of the PKCS#7 message in bytes.
+ @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which
+ is used for certificate chain verification.
+ @param[in] CertLength Length of the trusted certificate in bytes.
+ @param[in] InData Pointer to the content to be verified.
+ @param[in] DataLength Length of InData in bytes.
+
+ @retval TRUE The specified PKCS#7 signed data is valid.
+ @retval FALSE Invalid PKCS#7 signed data.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7Verify (
+ IN CONST UINT8 *P7Data,
+ IN UINTN P7Length,
+ IN CONST UINT8 *TrustedCert,
+ IN UINTN CertLength,
+ IN CONST UINT8 *InData,
+ IN UINTN DataLength
+ )
+{
+ PKCS7 *Pkcs7;
+ BIO *CertBio;
+ BIO *DataBio;
+ BOOLEAN Status;
+ X509 *Cert;
+ X509_STORE *CertStore;
+ UINT8 *SignedData;
+ UINT8 *Temp;
+ UINTN SignedDataSize;
+ BOOLEAN Wrapped;
+
+ //
+ // Check input parameters.
+ //
+ if (P7Data == NULL || TrustedCert == NULL || InData == NULL ||
+ P7Length > INT_MAX || CertLength > INT_MAX || DataLength > INT_MAX) {
+ return FALSE;
+ }
+
+ Pkcs7 = NULL;
+ CertBio = NULL;
+ DataBio = NULL;
+ Cert = NULL;
+ CertStore = NULL;
+
+ //
+ // Register & Initialize necessary digest algorithms for PKCS#7 Handling
+ //
+ EVP_add_digest (EVP_md5());
+ EVP_add_digest (EVP_sha1());
+ EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA);
+ EVP_add_digest (EVP_sha256());
+
+ Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);
+ if (!Status) {
+ return Status;
+ }
//
// Retrieve PKCS#7 Data (DER encoding)
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-04 15:08:40 +0000