From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.115; helo=mga14.intel.com; envelope-from=chen.a.chen@intel.com; receiver=edk2-devel@lists.01.org Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 90FC02034EE09 for ; Mon, 6 Nov 2017 17:01:00 -0800 (PST) Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga103.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Nov 2017 17:04:59 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.44,355,1505804400"; d="scan'208";a="918303569" Received: from chenche4.ccr.corp.intel.com ([10.239.158.36]) by FMSMGA003.fm.intel.com with ESMTP; 06 Nov 2017 17:04:58 -0800 From: chenc2 To: edk2-devel@lists.01.org Cc: chenc2 , Long Qin , Zhang Chao Date: Tue, 7 Nov 2017 09:04:51 +0800 Message-Id: <20171107010451.15524-1-chen.a.chen@intel.com> X-Mailer: git-send-email 2.13.2.windows.1 Subject: [PATCH 2/2] SecurityPkg/AuthVariableLib: Use EFI_CERT_DATA to parse certificate X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Nov 2017 01:01:00 -0000 The function Pkcs7GetSigners return certificate stack as binary buffer. Use EFI_CERT_DATA to parsing certificate stack more clearly, and access certificate by the field of EFI_CERT_DATA structure. Cc: Long Qin Cc: Zhang Chao Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: chenc2 --- SecurityPkg/Library/AuthVariableLib/AuthService.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 6cbeb98535..213a524f27 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -1828,6 +1828,7 @@ VerifyTimeBasedPayload ( UINT8 *CertsInCertDb; UINT32 CertsSizeinDb; UINT8 Sha256Digest[SHA256_DIGEST_SIZE]; + EFI_CERT_DATA *CertDataPtr; // // 1. TopLevelCert is the top-level issuer certificate in signature Signer Cert Chain @@ -1841,6 +1842,7 @@ VerifyTimeBasedPayload ( SignerCerts = NULL; TopLevelCert = NULL; CertsInCertDb = NULL; + CertDataPtr = NULL; // // When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is @@ -2098,9 +2100,10 @@ VerifyTimeBasedPayload ( // // Check hash of signer cert CommonName + Top-level issuer tbsCertificate against data in CertDb // + CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1); Status = CalculatePrivAuthVarSignChainSHA256Digest( - SignerCerts + sizeof(UINT8) + sizeof(UINT32), - ReadUnaligned32 ((UINT32 *)(SignerCerts + sizeof(UINT8))), + CertDataPtr->CertDataBuffer, + ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)), TopLevelCert, TopLevelCertSize, Sha256Digest @@ -2135,12 +2138,13 @@ VerifyTimeBasedPayload ( // // When adding a new common authenticated variable, always save Hash of cn of signer cert + tbsCertificate of Top-level issuer // + CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1); Status = InsertCertsToDb ( VariableName, VendorGuid, Attributes, - SignerCerts + sizeof(UINT8) + sizeof(UINT32), - ReadUnaligned32 ((UINT32 *)(SignerCerts + sizeof(UINT8))), + CertDataPtr->CertDataBuffer, + ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)), TopLevelCert, TopLevelCertSize ); -- 2.13.2.windows.1