From e77f9ef656bf0462ddf61524b45e8a966c7d7c9b Mon Sep 17 00:00:00 2001 From: sfu5 Date: Wed, 25 Jul 2012 02:01:58 +0000 Subject: Use RsaGetPublicKeyFromX509() to validate the given X.509 certificate for PK/KEK/db/dbx database. Signed-off-by: Fu Siyuan Reviewed-by: Dong Guo Reviewed-by: Ye Ting git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13553 6f19259b-4bc3-4df7-8a09-765794883524 --- .../VariableAuthenticated/RuntimeDxe/AuthService.c | 33 ++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c index b25c043684..09c58db985 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c @@ -746,7 +746,7 @@ UpdatePlatformMode ( } /** - Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for PK/KEK variable. + Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for PK/KEK/db/dbx variable. @param[in] VariableName Name of Variable to be check. @param[in] VendorGuid Variable vendor GUID. @@ -770,6 +770,9 @@ CheckSignatureListFormat( UINT32 Index; UINT32 SigCount; BOOLEAN IsPk; + VOID *RsaContext; + EFI_SIGNATURE_DATA *CertData; + UINTN CertLen; if (DataSize == 0) { return EFI_SUCCESS; @@ -779,7 +782,9 @@ CheckSignatureListFormat( if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0)){ IsPk = TRUE; - } else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) { + } else if ((CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0) || + (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) && + (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0 || StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0))){ IsPk = FALSE; } else { return EFI_SUCCESS; @@ -788,6 +793,7 @@ CheckSignatureListFormat( SigCount = 0; SigList = (EFI_SIGNATURE_LIST *) Data; SigDataSize = DataSize; + RsaContext = NULL; // // Walk throuth the input signature list and check the data format. @@ -819,6 +825,24 @@ CheckSignatureListFormat( return EFI_INVALID_PARAMETER; } + if (CompareGuid (&SigList->SignatureType, &gEfiCertX509Guid)) { + // + // Try to retrieve the RSA public key from the X.509 certificate. + // If this operation fails, it's not a valid certificate. + // + RsaContext = RsaNew (); + if (RsaContext == NULL) { + return EFI_INVALID_PARAMETER; + } + CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) SigList + sizeof (EFI_SIGNATURE_LIST) + SigList->SignatureHeaderSize); + CertLen = SigList->SignatureSize - sizeof (EFI_GUID); + if (!RsaGetPublicKeyFromX509 (CertData->SignatureData, CertLen, &RsaContext)) { + RsaFree (RsaContext); + return EFI_INVALID_PARAMETER; + } + RsaFree (RsaContext); + } + if ((SigList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - SigList->SignatureHeaderSize) % SigList->SignatureSize != 0) { return EFI_INVALID_PARAMETER; } @@ -1029,6 +1053,11 @@ ProcessVarWithKek ( Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data); PayloadSize = DataSize - AUTHINFO2_SIZE (Data); + Status = CheckSignatureListFormat(VariableName, VendorGuid, Payload, PayloadSize); + if (EFI_ERROR (Status)) { + return Status; + } + Status = UpdateVariable ( VariableName, VendorGuid, -- cgit v1.2.3