Add two new interfaces Pkcs7GetSigners and Pkcs7FreeSigners to BaseCryptLib.

Signed-off by: tye1
Reviewed-by: geekboy15a
Reviewed-by: sfu5
Reviewed-by: gdong1

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13158 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
tye1
2012-03-31 04:49:02 +00:00
parent ed47ae0274
commit e8b4eb0417
6 changed files with 475 additions and 80 deletions

View File

@@ -57,7 +57,7 @@ X509VerifyCb (
//
if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||
(Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {
Obj = (X509_OBJECT *) OPENSSL_malloc (sizeof (X509_OBJECT));
Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));
if (Obj == NULL) {
return 0;
}
@@ -224,7 +224,7 @@ Pkcs7Sign (
goto _Exit;
}
P7Data = OPENSSL_malloc (P7DataSize);
P7Data = malloc (P7DataSize);
if (P7Data == NULL) {
Status = FALSE;
goto _Exit;
@@ -238,7 +238,7 @@ Pkcs7Sign (
// is totally 19 bytes.
//
*SignedDataSize = P7DataSize - 19;
*SignedData = OPENSSL_malloc (*SignedDataSize);
*SignedData = malloc (*SignedDataSize);
if (*SignedData == NULL) {
Status = FALSE;
OPENSSL_free (P7Data);
@@ -277,6 +277,310 @@ _Exit:
return Status;
}
/**
Check input P7Data is a wrapped ContentInfo structure or not. If not construct
a new structure to wrap P7Data.
@param[in] P7Data Pointer to the PKCS#7 message to verify.
@param[in] P7Length Length of the PKCS#7 message in bytes.
@param[out] WrapFlag If TRUE P7Data is a ContentInfo structure, otherwise
return FALSE.
@param[out] WrapData If return status of this function is TRUE:
1) when WrapFlag is TRUE, pointer to P7Data.
2) when WrapFlag is FALSE, pointer to a new ContentInfo
structure. It's caller's responsibility to free this
buffer.
@param[out] WrapDataSize Length of ContentInfo structure in bytes.
@retval TRUE The operation is finished successfully.
@retval FALSE The operation is failed due to lack of resources.
**/
BOOLEAN
WrapPkcs7Data (
IN CONST UINT8 *P7Data,
IN UINTN P7Length,
OUT BOOLEAN *WrapFlag,
OUT UINT8 **WrapData,
OUT UINTN *WrapDataSize
)
{
BOOLEAN Wrapped;
UINT8 *SignedData;
//
// Check whether input P7Data is a wrapped ContentInfo structure or not.
//
Wrapped = FALSE;
if ((P7Data[4] == 0x06) && (P7Data[5] == 0x09)) {
if (CompareMem (P7Data + 6, mOidValue, sizeof (mOidValue)) == 0) {
if ((P7Data[15] == 0xA0) && (P7Data[16] == 0x82)) {
Wrapped = TRUE;
}
}
}
if (Wrapped) {
*WrapData = (UINT8 *) P7Data;
*WrapDataSize = P7Length;
} else {
//
// Wrap PKCS#7 signeddata to a ContentInfo structure - add a header in 19 bytes.
//
*WrapDataSize = P7Length + 19;
*WrapData = malloc (*WrapDataSize);
if (*WrapData == NULL) {
*WrapFlag = Wrapped;
return FALSE;
}
SignedData = *WrapData;
//
// Part1: 0x30, 0x82.
//
SignedData[0] = 0x30;
SignedData[1] = 0x82;
//
// Part2: Length1 = P7Length + 19 - 4, in big endian.
//
SignedData[2] = (UINT8) (((UINT16) (*WrapDataSize - 4)) >> 8);
SignedData[3] = (UINT8) (((UINT16) (*WrapDataSize - 4)) & 0xff);
//
// Part3: 0x06, 0x09.
//
SignedData[4] = 0x06;
SignedData[5] = 0x09;
//
// Part4: OID value -- 0x2A 0x86 0x48 0x86 0xF7 0x0D 0x01 0x07 0x02.
//
CopyMem (SignedData + 6, mOidValue, sizeof (mOidValue));
//
// Part5: 0xA0, 0x82.
//
SignedData[15] = 0xA0;
SignedData[16] = 0x82;
//
// Part6: Length2 = P7Length, in big endian.
//
SignedData[17] = (UINT8) (((UINT16) P7Length) >> 8);
SignedData[18] = (UINT8) (((UINT16) P7Length) & 0xff);
//
// Part7: P7Data.
//
CopyMem (SignedData + 19, P7Data, P7Length);
}
*WrapFlag = Wrapped;
return TRUE;
}
/**
Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7:
Cryptographic Message Syntax Standard". The input signed data could be wrapped
in a ContentInfo structure.
If P7Data, CertStack, StackLength, TrustedCert or CertLength is NULL, then
return FALSE. If P7Length overflow, then return FAlSE.
@param[in] P7Data Pointer to the PKCS#7 message to verify.
@param[in] P7Length Length of the PKCS#7 message in bytes.
@param[out] CertStack Pointer to Signer's certificates retrieved from P7Data.
It's caller's responsiblity to free the buffer.
@param[out] StackLength Length of signer's certificates in bytes.
@param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates.
It's caller's responsiblity to free the buffer.
@param[out] CertLength Length of the trusted certificate in bytes.
@retval TRUE The operation is finished successfully.
@retval FALSE Error occurs during the operation.
**/
BOOLEAN
EFIAPI
Pkcs7GetSigners (
IN CONST UINT8 *P7Data,
IN UINTN P7Length,
OUT UINT8 **CertStack,
OUT UINTN *StackLength,
OUT UINT8 **TrustedCert,
OUT UINTN *CertLength
)
{
PKCS7 *Pkcs7;
BOOLEAN Status;
UINT8 *SignedData;
UINT8 *Temp;
UINTN SignedDataSize;
BOOLEAN Wrapped;
STACK_OF(X509) *Stack;
UINT8 Index;
UINT8 *CertBuf;
UINT8 *OldBuf;
UINTN BufferSize;
UINTN OldSize;
UINT8 *SingleCert;
UINTN SingleCertSize;
if ((P7Data == NULL) || (CertStack == NULL) || (StackLength == NULL) ||
(TrustedCert == NULL) || (CertLength == NULL) || (P7Length > INT_MAX)) {
return FALSE;
}
Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);
if (!Status) {
return Status;
}
Status = FALSE;
Pkcs7 = NULL;
Stack = NULL;
CertBuf = NULL;
OldBuf = NULL;
SingleCert = NULL;
//
// Retrieve PKCS#7 Data (DER encoding)
//
if (SignedDataSize > INT_MAX) {
goto _Exit;
}
Temp = SignedData;
Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) SignedDataSize);
if (Pkcs7 == NULL) {
goto _Exit;
}
//
// Check if it's PKCS#7 Signed Data (for Authenticode Scenario)
//
if (!PKCS7_type_is_signed (Pkcs7)) {
goto _Exit;
}
Stack = PKCS7_get0_signers(Pkcs7, NULL, PKCS7_BINARY);
if (Stack == NULL) {
goto _Exit;
}
//
// Convert CertStack to buffer in following format:
// UINT8 CertNumber;
// UINT32 Cert1Length;
// UINT8 Cert1[];
// UINT32 Cert2Length;
// UINT8 Cert2[];
// ...
// UINT32 CertnLength;
// UINT8 Certn[];
//
BufferSize = sizeof (UINT8);
OldSize = BufferSize;
for (Index = 0; ; Index++) {
Status = X509PopCertificate (Stack, &SingleCert, &SingleCertSize);
if (!Status) {
break;
}
OldSize = BufferSize;
OldBuf = CertBuf;
BufferSize = OldSize + SingleCertSize + sizeof (UINT32);
CertBuf = malloc (BufferSize);
if (CertBuf == NULL) {
goto _Exit;
}
if (OldBuf != NULL) {
CopyMem (CertBuf, OldBuf, OldSize);
free (OldBuf);
OldBuf = NULL;
}
WriteUnaligned32 ((UINT32 *) (CertBuf + OldSize), (UINT32) SingleCertSize);
CopyMem (CertBuf + OldSize + sizeof (UINT32), SingleCert, SingleCertSize);
free (SingleCert);
SingleCert = NULL;
}
if (CertBuf != NULL) {
//
// Update CertNumber.
//
CertBuf[0] = Index;
*CertLength = BufferSize - OldSize - sizeof (UINT32);
*TrustedCert = malloc (*CertLength);
if (*TrustedCert == NULL) {
goto _Exit;
}
CopyMem (*TrustedCert, CertBuf + OldSize + sizeof (UINT32), *CertLength);
*CertStack = CertBuf;
*StackLength = BufferSize;
Status = TRUE;
}
_Exit:
//
// Release Resources
//
if (!Wrapped) {
free (SignedData);
}
if (Pkcs7 != NULL) {
PKCS7_free (Pkcs7);
}
if (Stack != NULL) {
sk_X509_pop_free(Stack, X509_free);
}
if (SingleCert != NULL) {
free (SingleCert);
}
if (!Status && (CertBuf != NULL)) {
free (CertBuf);
*CertStack = NULL;
}
if (OldBuf != NULL) {
free (OldBuf);
}
return Status;
}
/**
Wrap function to use free() to free allocated memory for certificates.
@param[in] Certs Pointer to the certificates to be freed.
**/
VOID
EFIAPI
Pkcs7FreeSigners (
IN UINT8 *Certs
)
{
if (Certs == NULL) {
return;
}
free (Certs);
}
/**
Verifies the validility of a PKCS#7 signed data as described in "PKCS #7:
Cryptographic Message Syntax Standard". The input signed data could be wrapped
@@ -327,7 +631,6 @@ Pkcs7Verify (
return FALSE;
}
Status = FALSE;
Pkcs7 = NULL;
CertBio = NULL;
DataBio = NULL;
@@ -342,70 +645,9 @@ Pkcs7Verify (
EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA);
EVP_add_digest (EVP_sha256());
//
// Check whether input P7Data is a wrapped ContentInfo structure or not.
//
Wrapped = FALSE;
if ((P7Data[4] == 0x06) && (P7Data[5] == 0x09)) {
if (CompareMem (P7Data + 6, mOidValue, sizeof (mOidValue)) == 0) {
if ((P7Data[15] == 0xA0) && (P7Data[16] == 0x82)) {
Wrapped = TRUE;
}
}
}
if (Wrapped) {
SignedData = (UINT8 *) P7Data;
SignedDataSize = P7Length;
} else {
//
// Wrap PKCS#7 signeddata to a ContentInfo structure - add a header in 19 bytes.
//
SignedDataSize = P7Length + 19;
SignedData = OPENSSL_malloc (SignedDataSize);
if (SignedData == NULL) {
return FALSE;
}
//
// Part1: 0x30, 0x82.
//
SignedData[0] = 0x30;
SignedData[1] = 0x82;
//
// Part2: Length1 = P7Length + 19 - 4, in big endian.
//
SignedData[2] = (UINT8) (((UINT16) (SignedDataSize - 4)) >> 8);
SignedData[3] = (UINT8) (((UINT16) (SignedDataSize - 4)) & 0xff);
//
// Part3: 0x06, 0x09.
//
SignedData[4] = 0x06;
SignedData[5] = 0x09;
//
// Part4: OID value -- 0x2A 0x86 0x48 0x86 0xF7 0x0D 0x01 0x07 0x02.
//
CopyMem (SignedData + 6, mOidValue, sizeof (mOidValue));
//
// Part5: 0xA0, 0x82.
//
SignedData[15] = 0xA0;
SignedData[16] = 0x82;
//
// Part6: Length2 = P7Length, in big endian.
//
SignedData[17] = (UINT8) (((UINT16) P7Length) >> 8);
SignedData[18] = (UINT8) (((UINT16) P7Length) & 0xff);
//
// Part7: P7Data.
//
CopyMem (SignedData + 19, P7Data, P7Length);
Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);
if (!Status) {
return Status;
}
//

View File

@@ -224,6 +224,91 @@ X509StackFree (
sk_X509_pop_free ((STACK_OF(X509) *) X509Stack, X509_free);
}
/**
Pop single certificate from STACK_OF(X509).
If X509Stack, Cert, or CertSize is NULL, then return FALSE.
@param[in] X509Stack Pointer to a X509 stack object.
@param[out] Cert Pointer to a X509 certificate.
@param[out] CertSize Length of output X509 certificate in bytes.
@retval TRUE The X509 stack pop succeeded.
@retval FALSE The pop operation failed.
**/
BOOLEAN
X509PopCertificate (
IN VOID *X509Stack,
OUT UINT8 **Cert,
OUT UINTN *CertSize
)
{
BIO *CertBio;
X509 *X509Cert;
STACK_OF(X509) *CertStack;
BOOLEAN Status;
int Result;
int Length;
VOID *Buffer;
Status = FALSE;
if ((X509Stack == NULL) || (Cert == NULL) || (CertSize == NULL)) {
return Status;
}
CertStack = (STACK_OF(X509) *) X509Stack;
X509Cert = sk_X509_pop (CertStack);
if (X509Cert == NULL) {
return Status;
}
Buffer = NULL;
CertBio = BIO_new (BIO_s_mem ());
if (CertBio == NULL) {
return Status;
}
Result = i2d_X509_bio (CertBio, X509Cert);
if (Result == 0) {
goto _Exit;
}
Length = ((BUF_MEM *) CertBio->ptr)->length;
if (Length <= 0) {
goto _Exit;
}
Buffer = malloc (Length);
if (Buffer == NULL) {
goto _Exit;
}
Result = BIO_read (CertBio, Buffer, Length);
if (Result != Length) {
goto _Exit;
}
*Cert = Buffer;
*CertSize = Length;
Status = TRUE;
_Exit:
BIO_free (CertBio);
if (!Status && (Buffer != NULL)) {
free (Buffer);
}
return Status;
}
/**
Retrieve the subject bytes from one X.509 certificate.