From 68547181f3c5b1c0a73e748b44be1f454e2f7e3c Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Thu, 29 Oct 2015 14:16:45 +0000 Subject: CryptoPkg/BaseCryptLib: Use X509_V_FLAG_PARTIAL_CHAIN Since OpenSSL 1.0.2 we can set this flag on the X509_STORE to instruct OpenSSL to accept non-self-signed certificates as trusted. So we don't need two entirely identical copies of a verify_cb() function which makes it ignore the resulting errors. We also *didn't* use that verify_cb() function for X509VerifyCert(), but probably should have done. So that can get X509_V_FLAG_PARTIAL_CHAIN for consistency, too. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse Reviewed-by: Qin Long git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18703 6f19259b-4bc3-4df7-8a09-765794883524
--- .../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 93 ++-------------------- CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c | 87 +------------------- CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 6 ++ 3 files changed, 15 insertions(+), 171 deletions(-) (limited to 'CryptoPkg/Library/BaseCryptLib')
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index d0b0c838b8..4d23cbfb94 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -30,87 +30,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
-/**
- Verification callback function to override any existing callbacks in OpenSSL
- for intermediate certificate supports.
-
- @param[in] Status Original status before calling this callback.
- @param[in] Context X509 store context.
-
- @retval 1 Current X509 certificate is verified successfully.
- @retval 0 Verification failed.
-
-**/
-int
-X509VerifyCb (
- IN int Status,
- IN X509_STORE_CTX *Context
- )
-{
- X509_OBJECT *Obj;
- INTN Error;
- INTN Index;
- INTN Count;
-
- Obj = NULL;
- Error = (INTN) X509_STORE_CTX_get_error (Context);
-
- //
- // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_
- // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer
- // can not be found in X509_verify_cert of X509_vfy.c.
- // In order to support intermediate certificate node, we override the
- // errors if the certification is obtained from X509 store, i.e. it is
- // a trusted ceritifcate node that is enrolled by user.
- // Besides,X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
- // are also ignored to enable such feature.
- //
- if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||
- (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {
- Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));
- if (Obj == NULL) {
- return 0;
- }
-
- Obj->type = X509_LU_X509;
- Obj->data.x509 = Context->current_cert;
-
- CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE);
-
- if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
- Status = 1;
- } else {
- //
- // If any certificate in the chain is enrolled as trusted certificate,
- // pass the certificate verification.
- //
- if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {
- Count = (INTN) sk_X509_num (Context->chain);
- for (Index = 0; Index < Count; Index++) {
- Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);
- if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
- Status = 1;
- break;
- }
- }
- }
- }
-
- CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE);
- }
-
- if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||
- (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
- Status = 1;
- }
-
- if (Obj != NULL) {
- OPENSSL_free (Obj);
- }
-
- return Status;
-}
-
 /**
 Check input P7Data is a wrapped ContentInfo structure or not. If not construct
 a new structure to wrap P7Data.
@@ -635,12 +554,6 @@ Pkcs7Verify (
 goto _Exit;
 }
- //
- // Register customized X509 verification callback function to support
- // trusted intermediate certificate anchor.
- //
- CertStore->verify_cb = X509VerifyCb;
-
 //
 // For generic PKCS#7 handling, InData may be NULL if the content is present
 // in PKCS#7 structure. So ignore NULL checking here.
@@ -654,6 +567,12 @@ Pkcs7Verify (
 goto _Exit;
 }
+ //
+ // Allow partial certificate chains, terminated by a non-self-signed but
+ // still trusted intermediate certificate.
+ //
+ X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
+
 //
 // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and
 // doesn't support the extended key usage for Authenticode Code Signing.
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
index efb40b8234..449a08db2c 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
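Review bot: The added `X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);` is a narrower relaxation than the callback it replaces, and neither the new comment nor the commit message says so: the deleted X509VerifyCb returned 1 for X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE regardless of which certificate was being checked, while the flag only lets a non-self-signed certificate that is itself in the store end the chain. A signature whose chain previously passed only because one of those two errors was waved through will now be rejected, which is the safer outcome but a visible behaviour change for callers of Pkcs7Verify. Extending the new comment with `// Unlike the former verify_cb, other verification errors are no longer ignored.` would keep the next reader from treating this as a pure refactor. The same applies to the matching replacement in CryptTs.c (TimestampTokenVerify). Pkcs7Verify's body continues on both sides of this hunk.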
@@ -136,87 +136,6 @@ ASN1_SEQUENCE (TS_TST_INFO) = {
 IMPLEMENT_ASN1_FUNCTIONS (TS_TST_INFO)
-/**
- Verification callback function to override any existing callbacks in OpenSSL
- for intermediate TSA certificate supports.
-
- @param[in] Status Original status before calling this callback.
- @param[in] Context X509 store context.
-
- @retval 1 Current X509 certificate is verified successfully.
- @retval 0 Verification failed.
-
-**/
-int
-TSVerifyCallback (
- IN int Status,
- IN X509_STORE_CTX *Context
- )
-{
- X509_OBJECT *Obj;
- INTN Error;
- INTN Index;
- INTN Count;
-
- Obj = NULL;
- Error = (INTN) X509_STORE_CTX_get_error (Context);
-
- //
- // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_
- // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer
- // can not be found in X509_verify_cert of X509_vfy.c.
- // In order to support intermediate certificate node, we override the
- // errors if the certification is obtained from X509 store, i.e. it is
- // a trusted ceritifcate node that is enrolled by user.
- // Besides,X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
- // are also ignored to enable such feature.
- //
- if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||
- (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {
- Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));
- if (Obj == NULL) {
- return 0;
- }
-
- Obj->type = X509_LU_X509;
- Obj->data.x509 = Context->current_cert;
-
- CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE);
-
- if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
- Status = 1;
- } else {
- //
- // If any certificate in the chain is enrolled as trusted certificate,
- // pass the certificate verification.
- //
- if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {
- Count = (INTN) sk_X509_num (Context->chain);
- for (Index = 0; Index < Count; Index++) {
- Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);
- if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
- Status = 1;
- break;
- }
- }
- }
- }
-
- CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE);
- }
-
- if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||
- (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
- Status = 1;
- }
-
- if (Obj != NULL) {
- OPENSSL_free (Obj);
- }
-
- return Status;
-}
-
 /**
 Convert ASN.1 GeneralizedTime to EFI Time.
@@ -506,10 +425,10 @@ TimestampTokenVerify (
 }
 //
- // Register customized X509 verification callback function to support
- // trusted intermediate TSA certificate anchor.
+ // Allow partial certificate chains, terminated by a non-self-signed but
+ // still trusted intermediate certificate.
 //
- CertStore->verify_cb = TSVerifyCallback;
+ X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
 X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 5d6be6fce9..669a7af3db 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -463,6 +463,12 @@ X509VerifyCert (
 goto _Exit;
 }
+ //
+ // Allow partial certificate chains, terminated by a non-self-signed but
+ // still trusted intermediate certificate.
+ //
+ X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
+
 //
 // Set up X509_STORE_CTX for the subsequent verification operation.
 //
-- cgit v1.2.3
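Review bot: Setting `X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);` in X509VerifyCert changes the function's contract rather than restoring parity, because this function never had the verify_cb the other two files are losing: a CACert that is not self-signed is now accepted as the trust anchor, so a certificate issued directly by an intermediate verifies where it previously failed with an issuer-lookup error. That should be recorded in the function's Doxygen header, which lies outside this hunk, e.g. in the CACert parameter description: `CACert need not be self-signed; a non-self-signed CA certificate is accepted as the chain's anchor.` Since the commit message justifies this change by consistency alone, it is also worth confirming that no existing caller passes an intermediate as CACert and relies on the old rejection. X509VerifyCert's body begins and ends outside the hunk.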