1. Enable the whole X509v3 extension checking.

2. Replace d2i_X509_bio with d2i_X509.

Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ling Qin <qin.long@intel.com>
Reviewed-by: Ouyang Qian <qian.ouyang@intel.com>


git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14026 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
sfu5
2012-12-28 01:20:57 +00:00
parent bf29dc16e6
commit 02ee8d3b4c
3 changed files with 14 additions and 43 deletions

View File

@@ -25,6 +25,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pkcs7.h>
UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
@@ -543,7 +544,6 @@ Pkcs7Verify (
)
{
PKCS7 *Pkcs7;
BIO *CertBio;
BIO *DataBio;
BOOLEAN Status;
X509 *Cert;
@@ -562,7 +562,6 @@ Pkcs7Verify (
}
Pkcs7 = NULL;
CertBio = NULL;
DataBio = NULL;
Cert = NULL;
CertStore = NULL;
@@ -614,12 +613,7 @@ Pkcs7Verify (
//
// Read DER-encoded root certificate and Construct X509 Certificate
//
CertBio = BIO_new (BIO_s_mem ());
BIO_write (CertBio, TrustedCert, (int)CertLength);
if (CertBio == NULL) {
goto _Exit;
}
Cert = d2i_X509_bio (CertBio, NULL);
Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength);
if (Cert == NULL) {
goto _Exit;
}
@@ -648,6 +642,13 @@ Pkcs7Verify (
DataBio = BIO_new (BIO_s_mem ());
BIO_write (DataBio, InData, (int)DataLength);
//
// OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and
// doesn't support the extended key usage for Authenticode Code Signing.
// Bypass the certificate purpose checking by enabling any purposes setting.
//
X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
//
// Verifies the PKCS#7 signedData structure
//
@@ -658,7 +659,6 @@ _Exit:
// Release Resources
//
BIO_free (DataBio);
BIO_free (CertBio);
X509_free (Cert);
X509_STORE_free (CertStore);
PKCS7_free (Pkcs7);