summaryrefslogtreecommitdiff
path: root/CryptoPkg/Library/BaseCryptLib
diff options
context:
space:
mode:
Diffstat (limited to 'CryptoPkg/Library/BaseCryptLib')
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c18
-rw-r--r--CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c22
2 files changed, 12 insertions, 28 deletions
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index 745cf8729f..471fbbbe25 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -25,6 +25,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <openssl/objects.h>
#include <openssl/x509.h>
+#include <openssl/x509v3.h>
#include <openssl/pkcs7.h>
UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
@@ -543,7 +544,6 @@ Pkcs7Verify (
)
{
PKCS7 *Pkcs7;
- BIO *CertBio;
BIO *DataBio;
BOOLEAN Status;
X509 *Cert;
@@ -562,7 +562,6 @@ Pkcs7Verify (
}
Pkcs7 = NULL;
- CertBio = NULL;
DataBio = NULL;
Cert = NULL;
CertStore = NULL;
@@ -614,12 +613,7 @@ Pkcs7Verify (
//
// Read DER-encoded root certificate and Construct X509 Certificate
//
- CertBio = BIO_new (BIO_s_mem ());
- BIO_write (CertBio, TrustedCert, (int)CertLength);
- if (CertBio == NULL) {
- goto _Exit;
- }
- Cert = d2i_X509_bio (CertBio, NULL);
+ Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength);
if (Cert == NULL) {
goto _Exit;
}
@@ -649,6 +643,13 @@ Pkcs7Verify (
BIO_write (DataBio, InData, (int)DataLength);
//
+ // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and
+ // doesn't support the extended key usage for Authenticode Code Signing.
+ // Bypass the certificate purpose checking by enabling any purposes setting.
+ //
+ X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
+
+ //
// Verifies the PKCS#7 signedData structure
//
Status = (BOOLEAN) PKCS7_verify (Pkcs7, NULL, CertStore, DataBio, NULL, PKCS7_BINARY);
@@ -658,7 +659,6 @@ _Exit:
// Release Resources
//
BIO_free (DataBio);
- BIO_free (CertBio);
X509_free (Cert);
X509_STORE_free (CertStore);
PKCS7_free (Pkcs7);
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 5959dfe7d9..5abe970cce 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -38,9 +38,7 @@ X509ConstructCertificate (
OUT UINT8 **SingleX509Cert
)
{
- BIO *CertBio;
X509 *X509Cert;
- BOOLEAN Status;
//
// Check input parameters.
@@ -49,31 +47,17 @@ X509ConstructCertificate (
return FALSE;
}
- Status = FALSE;
-
//
// Read DER-encoded X509 Certificate and Construct X509 object.
//
- CertBio = BIO_new (BIO_s_mem ());
- BIO_write (CertBio, Cert, (int) CertSize);
- if (CertBio == NULL) {
- goto _Exit;
- }
- X509Cert = d2i_X509_bio (CertBio, NULL);
+ X509Cert = d2i_X509 (NULL, &Cert, (long) CertSize);
if (X509Cert == NULL) {
- goto _Exit;
+ return FALSE;
}
*SingleX509Cert = (UINT8 *) X509Cert;
- Status = TRUE;
-_Exit:
- //
- // Release Resources.
- //
- BIO_free (CertBio);
-
- return Status;
+ return TRUE;
}
/**