CryptoPkg: Add SecCryptLib
RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853 This is the Cryptographic library instance for SEC. The motivation of this library is to support SHA384 in SEC phase for Td guest. So only Hash/CryptSha512.c is included which supports SHA384 and SHA512. Other cryptographics are added with the null version, such as CryptMd5Null.c. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com> Cc: Guomin Jiang <guomin.jiang@intel.com> Cc: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com> Signed-off-by: Min Xu <min.m.xu@intel.com>
This commit is contained in:
152
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c
Normal file
152
CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c
Normal file
@@ -0,0 +1,152 @@
|
||||
/** @file
|
||||
PKCS7 Verify Null implementation.
|
||||
|
||||
Copyright (C) Microsoft Corporation. All Rights Reserved.
|
||||
Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
|
||||
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
**/
|
||||
|
||||
#include "InternalCryptLib.h"
|
||||
|
||||
/**
|
||||
This function will return the leaf signer certificate in a chain. This is
|
||||
required because certificate chains are not guaranteed to have the
|
||||
certificates in the order that they were issued.
|
||||
|
||||
A typical certificate chain looks like this:
|
||||
|
||||
|
||||
----------------------------
|
||||
| Root |
|
||||
----------------------------
|
||||
^
|
||||
|
|
||||
----------------------------
|
||||
| Policy CA | <-- Typical Trust Anchor.
|
||||
----------------------------
|
||||
^
|
||||
|
|
||||
----------------------------
|
||||
| Issuing CA |
|
||||
----------------------------
|
||||
^
|
||||
|
|
||||
-----------------------------
|
||||
/ End-Entity (leaf) signer / <-- Bottom certificate.
|
||||
----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1"
|
||||
(Firmware Signing)
|
||||
|
||||
|
||||
@param[in] CertChain Certificate chain.
|
||||
|
||||
@param[out] SignerCert Last certificate in the chain. For PKCS7 signatures,
|
||||
this will be the end-entity (leaf) signer cert.
|
||||
|
||||
@retval EFI_SUCCESS The required EKUs were found in the signature.
|
||||
@retval EFI_INVALID_PARAMETER A parameter was invalid.
|
||||
@retval EFI_NOT_FOUND The number of signers found was not 1.
|
||||
|
||||
**/
|
||||
EFI_STATUS
|
||||
GetSignerCertificate (
|
||||
IN CONST VOID *CertChain,
|
||||
OUT VOID **SignerCert
|
||||
)
|
||||
{
|
||||
ASSERT (FALSE);
|
||||
return EFI_NOT_READY;
|
||||
}
|
||||
|
||||
/**
|
||||
Determines if the specified EKU represented in ASN1 form is present
|
||||
in a given certificate.
|
||||
|
||||
@param[in] Cert The certificate to check.
|
||||
|
||||
@param[in] Asn1ToFind The EKU to look for.
|
||||
|
||||
@retval EFI_SUCCESS We successfully identified the signing type.
|
||||
@retval EFI_INVALID_PARAMETER A parameter was invalid.
|
||||
@retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
|
||||
|
||||
**/
|
||||
EFI_STATUS
|
||||
IsEkuInCertificate (
|
||||
IN CONST VOID *Cert,
|
||||
IN VOID *Asn1ToFind
|
||||
)
|
||||
{
|
||||
ASSERT (FALSE);
|
||||
return EFI_NOT_READY;
|
||||
}
|
||||
|
||||
/**
|
||||
Determines if the specified EKUs are present in a signing certificate.
|
||||
|
||||
@param[in] SignerCert The certificate to check.
|
||||
@param[in] RequiredEKUs The EKUs to look for.
|
||||
@param[in] RequiredEKUsSize The number of EKUs
|
||||
@param[in] RequireAllPresent If TRUE, then all the specified EKUs
|
||||
must be present in the certificate.
|
||||
|
||||
@retval EFI_SUCCESS We successfully identified the signing type.
|
||||
@retval EFI_INVALID_PARAMETER A parameter was invalid.
|
||||
@retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
|
||||
**/
|
||||
EFI_STATUS
|
||||
CheckEKUs (
|
||||
IN CONST VOID *SignerCert,
|
||||
IN CONST CHAR8 *RequiredEKUs[],
|
||||
IN CONST UINT32 RequiredEKUsSize,
|
||||
IN BOOLEAN RequireAllPresent
|
||||
)
|
||||
{
|
||||
ASSERT (FALSE);
|
||||
return EFI_NOT_READY;
|
||||
}
|
||||
|
||||
/**
|
||||
This function receives a PKCS#7 formatted signature blob,
|
||||
looks for the EKU SEQUENCE blob, and if found then looks
|
||||
for all the required EKUs. This function was created so that
|
||||
the Surface team can cut down on the number of Certificate
|
||||
Authorities (CA's) by checking EKU's on leaf signers for
|
||||
a specific product. This prevents one product's certificate
|
||||
from signing another product's firmware or unlock blobs.
|
||||
|
||||
Note that this function does not validate the certificate chain.
|
||||
That needs to be done before using this function.
|
||||
|
||||
@param[in] Pkcs7Signature The PKCS#7 signed information content block. An array
|
||||
containing the content block with both the signature,
|
||||
the signer's certificate, and any necessary intermediate
|
||||
certificates.
|
||||
@param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature.
|
||||
@param[in] RequiredEKUs Array of null-terminated strings listing OIDs of
|
||||
required EKUs that must be present in the signature.
|
||||
@param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array.
|
||||
@param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's
|
||||
must be present in the leaf signer. If it is
|
||||
FALSE, then we will succeed if we find any
|
||||
of the specified EKU's.
|
||||
|
||||
@retval EFI_SUCCESS The required EKUs were found in the signature.
|
||||
@retval EFI_INVALID_PARAMETER A parameter was invalid.
|
||||
@retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
|
||||
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
VerifyEKUsInPkcs7Signature (
|
||||
IN CONST UINT8 *Pkcs7Signature,
|
||||
IN CONST UINT32 SignatureSize,
|
||||
IN CONST CHAR8 *RequiredEKUs[],
|
||||
IN CONST UINT32 RequiredEKUsSize,
|
||||
IN BOOLEAN RequireAllPresent
|
||||
)
|
||||
{
|
||||
ASSERT (FALSE);
|
||||
return EFI_NOT_READY;
|
||||
}
|
121
CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c
Normal file
121
CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c
Normal file
@@ -0,0 +1,121 @@
|
||||
/** @file
|
||||
RSA Asymmetric Cipher Wrapper Null Implementation.
|
||||
|
||||
This file implements following APIs which provide basic capabilities for RSA:
|
||||
1) RsaNew
|
||||
2) RsaFree
|
||||
3) RsaSetKey
|
||||
4) RsaPkcs1Verify
|
||||
|
||||
Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
**/
|
||||
|
||||
#include "InternalCryptLib.h"
|
||||
|
||||
/**
|
||||
Allocates and initializes one RSA context for subsequent use.
|
||||
|
||||
@return Pointer to the RSA context that has been initialized.
|
||||
If the allocations fails, RsaNew() returns NULL.
|
||||
|
||||
**/
|
||||
VOID *
|
||||
EFIAPI
|
||||
RsaNew (
|
||||
VOID
|
||||
)
|
||||
{
|
||||
//
|
||||
// Allocates & Initializes RSA Context
|
||||
//
|
||||
ASSERT (FALSE);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/**
|
||||
Release the specified RSA context.
|
||||
|
||||
@param[in] RsaContext Pointer to the RSA context to be released.
|
||||
|
||||
**/
|
||||
VOID
|
||||
EFIAPI
|
||||
RsaFree (
|
||||
IN VOID *RsaContext
|
||||
)
|
||||
{
|
||||
//
|
||||
// Free RSA Context
|
||||
//
|
||||
ASSERT (FALSE);
|
||||
}
|
||||
|
||||
/**
|
||||
Sets the tag-designated key component into the established RSA context.
|
||||
|
||||
This function sets the tag-designated RSA key component into the established
|
||||
RSA context from the user-specified non-negative integer (octet string format
|
||||
represented in RSA PKCS#1).
|
||||
If BigNumber is NULL, then the specified key component in RSA context is cleared.
|
||||
|
||||
If RsaContext is NULL, then return FALSE.
|
||||
|
||||
@param[in, out] RsaContext Pointer to RSA context being set.
|
||||
@param[in] KeyTag Tag of RSA key component being set.
|
||||
@param[in] BigNumber Pointer to octet integer buffer.
|
||||
If NULL, then the specified key component in RSA
|
||||
context is cleared.
|
||||
@param[in] BnSize Size of big number buffer in bytes.
|
||||
If BigNumber is NULL, then it is ignored.
|
||||
|
||||
@retval TRUE RSA key component was set successfully.
|
||||
@retval FALSE Invalid RSA key component tag.
|
||||
|
||||
**/
|
||||
BOOLEAN
|
||||
EFIAPI
|
||||
RsaSetKey (
|
||||
IN OUT VOID *RsaContext,
|
||||
IN RSA_KEY_TAG KeyTag,
|
||||
IN CONST UINT8 *BigNumber,
|
||||
IN UINTN BnSize
|
||||
)
|
||||
{
|
||||
ASSERT (FALSE);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/**
|
||||
Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme defined in
|
||||
RSA PKCS#1.
|
||||
|
||||
If RsaContext is NULL, then return FALSE.
|
||||
If MessageHash is NULL, then return FALSE.
|
||||
If Signature is NULL, then return FALSE.
|
||||
If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE.
|
||||
|
||||
@param[in] RsaContext Pointer to RSA context for signature verification.
|
||||
@param[in] MessageHash Pointer to octet message hash to be checked.
|
||||
@param[in] HashSize Size of the message hash in bytes.
|
||||
@param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be verified.
|
||||
@param[in] SigSize Size of signature in bytes.
|
||||
|
||||
@retval TRUE Valid signature encoded in PKCS1-v1_5.
|
||||
@retval FALSE Invalid signature or invalid RSA context.
|
||||
|
||||
**/
|
||||
BOOLEAN
|
||||
EFIAPI
|
||||
RsaPkcs1Verify (
|
||||
IN VOID *RsaContext,
|
||||
IN CONST UINT8 *MessageHash,
|
||||
IN UINTN HashSize,
|
||||
IN CONST UINT8 *Signature,
|
||||
IN UINTN SigSize
|
||||
)
|
||||
{
|
||||
ASSERT (FALSE);
|
||||
return FALSE;
|
||||
}
|
Reference in New Issue
Block a user