From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM04-BN8-obe.outbound.protection.outlook.com (NAM04-BN8-obe.outbound.protection.outlook.com [40.107.100.98]) by mx.groups.io with SMTP id smtpd.web11.15216.1684220051070354576 for ; Mon, 15 May 2023 23:54:11 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@os.amperecomputing.com header.s=selector2 header.b=ALwtYKUB; spf=pass (domain: os.amperecomputing.com, ip: 40.107.100.98, mailfrom: minhnguyen1@os.amperecomputing.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KR/ikpRRBR5383HMMqwXH2C6YPpzoyLDnyQRFQhFsXiv3wuReIGyj2z4Ih14KQkm9RJGBfXKHkAQJfjqVnN61ijSCdrWgua+ZvbjVwLfwIehb+1S0r6fYxmVd2E1VbpXFaYTKYMGpFfyKfROlkMkvwFIhD3bVjGEqU9vue+054+9xVX48W72J/j2b0DuPIXKncoR997VK+hotUDNrIWqAp/4iMQto+FYOcoV7vNPD86isd2i1DZZSm8VHwJL3TXpx0xEGIRifz6y65X0XWjca2giuLUm9ULJMMUUaiDE5wBLXBavvKU4eeplh8aVCPy055elQl7LBuHI9ZgANjGV9g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=oeu1YjRowvLFiyfsR3AUy0X60e2SM2z9p/uh80xgdT0=; b=DA8pMlKLjFFmqMLsip3otA9vvwZ7T3i+nlHcNSw0osBiWXvUvi6l0hyx6FADUnaF9ATHy5AyEQVpYMizLvN1ApSp9ndFdXkg27I5SCJgXCqIIjMw/cRRgsRXk9Tq784IPAyzlku+1HO6tQYwe6kCG8IKZHkO0E+aZFYkmPIjK9vGyJzPDQa6c9xZitwXYY/AKv0R3kydeLn0EBkVHJkZEwCtX1jZhJm0qV+X+uJdjkmh6hrfSiNDtwxRePTKROpTPsKLlRErHf89vGuv1+zFyrat0iAjptfJnM6fgngvf+suB7+7b29aYC527EA9IFjdyemWrOAfql/FeGKQ2i8CHw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=os.amperecomputing.com; dmarc=pass action=none header.from=os.amperecomputing.com; dkim=pass header.d=os.amperecomputing.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=os.amperecomputing.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oeu1YjRowvLFiyfsR3AUy0X60e2SM2z9p/uh80xgdT0=; b=ALwtYKUB0Hg5D8oW0+ELPK9ZdKiPT39+3aISajJosKU3fn41ISUtv80HCXfbMTJguYMGeAUbrRY9iePxXKnYqwOxxIRKDgcxLTD8gwg34nbmd3tOSJZ50CfSTHzW7IcA75yqtpY5QkiEyiQU0Y/mnY/akj9fTnNKujiXOszytZw= Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=os.amperecomputing.com; Received: from PH0PR01MB8048.prod.exchangelabs.com (2603:10b6:510:280::7) by DM6PR01MB3996.prod.exchangelabs.com (2603:10b6:5:83::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6387.30; Tue, 16 May 2023 06:54:06 +0000 Received: from PH0PR01MB8048.prod.exchangelabs.com ([fe80::bbdb:b58c:140e:c4e1]) by PH0PR01MB8048.prod.exchangelabs.com ([fe80::bbdb:b58c:140e:c4e1%6]) with mapi id 15.20.6387.030; Tue, 16 May 2023 06:54:06 +0000 From: Minh Nguyen To: devel@edk2.groups.io CC: tamnguyenchi@os.amperecomputing.com, nhi@os.amperecomputing.com, Jiewen Yao , Jian J Wang , Xiaoyu Lu , Guomin Jiang , Minh Nguyen Subject: [PATCH 1/1] CryptoPkg: Add new API to get PKCS7 Signature Date: Tue, 16 May 2023 13:53:35 +0700 Message-ID: <20230516065335.3603101-1-minhnguyen1@os.amperecomputing.com> X-Mailer: git-send-email 2.39.0 X-ClientProxiedBy: SI2PR04CA0001.apcprd04.prod.outlook.com (2603:1096:4:197::12) To PH0PR01MB8048.prod.exchangelabs.com (2603:10b6:510:280::7) Return-Path: minhnguyen1@os.amperecomputing.com MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: PH0PR01MB8048:EE_|DM6PR01MB3996:EE_ X-MS-Office365-Filtering-Correlation-Id: 7082af79-97a8-44b3-72d9-08db55da5733 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: YPIHTLhmrBNctlEktWjOHZyb2DqZXlzAoWO7s5Iuiecad2fSVzIUAEk5OsI5Pc/pl3qaW0x6bXE+3q2QgrwEic5eufKnSGs+yPbZdpw9hMjsVE6E4syZq4j7fDDIxlhikWiL1yDdSXPhGSshcUFfEHgJEPLFygfPavRFjP8Htt7a53bmgHSRK8mav9O8LIlkySmyEXjPV5kOuHzvnbca8Pd7HRKKZ3y8+4Qwyy6jWuL2cXQSnf6fiJBiu9BaROCPrM9tvpPp3va1OgVe3+lO7S3BEFtEOKwx3tjBc2csDxc0p2G8Eh7YhmMX6CXsPGJ59wvO2sDHPvOysOH3W6auixd159EZIosrDS5xYYnkauN8ZN8HNQh55/fmIcCQQfDa4n2lxWjkAU8ilnsnY1hdeHn2bEggcAJBib4k6xKJkoKzBbH5+dWcF/HRw5c68LF8rooGlu2bULF5YjGi5xOtqPN/hp64WYlKeupkAcxBsfVuOww0vT4iCQ9wNp5lZQbIMT17J7qpMYKo6o7MiXk9EKS8z0ST+UMuSQ9p4UgU9jqsAdex9fNk5Smd8S1me0Ij2n74p+Yd7lOZNgPCvPVYLD4vR3Gc1F/i2QZZ8FjN9S7Wo4ep+NxOnQCHErZVRN1z X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PH0PR01MB8048.prod.exchangelabs.com;PTR:;CAT:NONE;SFS:(13230028)(4636009)(366004)(39850400004)(376002)(346002)(396003)(136003)(451199021)(19627235002)(45080400002)(86362001)(54906003)(478600001)(107886003)(186003)(6512007)(1076003)(6486002)(6506007)(52116002)(26005)(6916009)(4326008)(8676002)(66556008)(66946007)(66476007)(83380400001)(8936002)(6666004)(41300700001)(38350700002)(38100700002)(316002)(2616005)(30864003)(5660300002)(2906002);DIR:OUT;SFP:1102; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?Oxm0rKLZKxMOcxtLdg1/3+uum/1hS4n6NRjsNRMSeDDJFlofrkKRw42X4M2q?= =?us-ascii?Q?BeAocUuk+ctcbc1qOgP3pQ3e5axVo5U+rlpwELnID4x/zNVx/Pu2mRX1UIFP?= =?us-ascii?Q?1yfqISbzxhIZ2OXoG/qLGkB23FNC44E7oFp/uKK9cVSDn5P3I6vaNxapN9c1?= =?us-ascii?Q?fZQEXqbNpdfxYqBRMOBbcwR9A3fr6DNOL922msMMRHaI4EstOHMY/K4KN8HM?= =?us-ascii?Q?d2FkqkcPDHl+nTdrIBG04R3/w2v0UKAmLhWj60e9SNcVWNmVAdr0aDTSrexx?= =?us-ascii?Q?4HrCsORp+WSHi/vRid7OduJTyiOy+mnlvjTQ5TZ9WAGrqY+41+7vU5I/ZbLX?= =?us-ascii?Q?8on3gH8/rbbubcekK3iwNc0ndyOfedG6TkLJcS3+DxwjythtmH1EccFHoLrM?= =?us-ascii?Q?rQWyrNoIug/8uzAAdT2DIP6oUFpiTMr0QtL6Nhf/ElbVvoEFXZT6cbO2sdI8?= =?us-ascii?Q?mSPSBmc9kC3d8nPWnfdkiqAMFOtS1vL8FU9mws1yIjj5t7fq4N/TKEHHGZif?= =?us-ascii?Q?1AZVJadwuF+koAg6ePJh6J0diqNrvak4rBNZux1dlSW6++jFlSPb/bVxTKZR?= =?us-ascii?Q?rq4faKJtsX856A+pNHmZRB0x0jjMZiAXMm/J+c5IfL1UyMGAFq/qh4zbIC2g?= =?us-ascii?Q?XVXSM8RAdaZ7kAECHUCx0rq339hotaAVLr+ltUo46pV/OJi/v0+idPlDIclj?= =?us-ascii?Q?EesKVE7SwoIqMAGBI6uL6+vkq8wg2N6mMNK1WvECJ8oM2O8WCNILOfpdFEU7?= =?us-ascii?Q?5SM58jggFw25osVoKB/GOG6O6LLwbdBpX22sM+1lcRS9jEJiuG/q5vgO8MB0?= =?us-ascii?Q?cU9dTN1CgVEZOljB3D49sFG+u8tVbRTQC+C7l+yUdlYGzVU0x2voSNkHCysq?= =?us-ascii?Q?/dVAeXogqydqG6Vhh0VFUl7ivW9JamEIgQqoABvHqfArfFJbx4BZA3os0Q0w?= =?us-ascii?Q?809p7Vo6ckJHAhQ3Z3aw6TRrFosdAjkEfJfDGivUsYNBC33BBsd4gKfifsmm?= =?us-ascii?Q?OXt3TicnNyVN1VWDBVb0gPUkVs00IVrynQ4ENMLlU4GBe9WRQ6Ufq/F47UxV?= =?us-ascii?Q?oUPy2MpSSM0NQL8vvAA3qUX+c0GNC69uk9MvPfwI8+uted3QhzYoiRqrNlIK?= =?us-ascii?Q?0qc4s8iu1p91+/vrKXNIuLVrDUH0hFPt+r6KgsRdmmF6sv32WIl020cvPtqH?= =?us-ascii?Q?Y+zibmV6Mqf8F2dbwzf+UniqCGRfGDbM1mIi8Y/LvFBxN35GoRpfbuHkHjNP?= =?us-ascii?Q?t1xfiKi7gLdMJWa/binJT41SLTQSutSKIO7wZ8EIdxuvFGULlNKZfoWk2otK?= =?us-ascii?Q?lLecMPMPKAP2L2skHx4PrecdsNLW7xGGiQcnnM07AUQydC/dwOjATzx9i6qA?= =?us-ascii?Q?w2Kk12SNaqzo/kHJlIhwSFCSaoVZpr3SaCwjPh8PxdrpnIYzBZPJaakWrdaR?= =?us-ascii?Q?yndjYFI6uVpT2UqBaSbZ65cUHdgfhXEGKNJr4uaHxAL6r8FA+GK7Nkx0sN/N?= =?us-ascii?Q?VfbFESyyGmJLGQp/50iwnqiLlB8ehZhPxYcW2Sh7i2OoVC7Cz2o4ao1T6S9k?= =?us-ascii?Q?21zpy9y00JpS6Hb4PqACQQDvtyNVkOIbv/GxcAAl2FRFCL/U4jtbvDmrgPvC?= =?us-ascii?Q?8Y+kSvpyFOsvRGYX3cAl0l9EmgTlXrlDGTJd/NTtrcUd?= X-OriginatorOrg: os.amperecomputing.com X-MS-Exchange-CrossTenant-Network-Message-Id: 7082af79-97a8-44b3-72d9-08db55da5733 X-MS-Exchange-CrossTenant-AuthSource: PH0PR01MB8048.prod.exchangelabs.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 May 2023 06:54:05.9364 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 3bc2b170-fd94-476d-b0ce-4229bdc904a7 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: xGlfEaSGFKYO9cvtTw7+DuAhSlG42gwKFPXZ0tSQnUONWjlZk7Ry69rcLEnO7m3BpPS4SfHkaMUl1AlmQsjuDsHhEvOy+hLZA+vUiopr6BFyb3JoNm8NsYrFat3Mghd2 X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR01MB3996 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain From: Tam Chi Nguyen This patch adds a new Pkcs7GetSignature API to support extracting the signature data from PKCS7 Certificate. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Signed-off-by: Minh Nguyen --- CryptoPkg/Include/Library/BaseCryptLib.h | 29 +++++ CryptoPkg/Private/Protocol/Crypto.h | 30 +++++ CryptoPkg/Driver/Crypto.c | 33 ++++++ CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c | 120 +++++++++= +++++++++++ CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 33 ++++++ CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 32 ++++++ 6 files changed, 277 insertions(+) diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/L= ibrary/BaseCryptLib.h index a52bd91ad664..e277ea188de8 100644 --- a/CryptoPkg/Include/Library/BaseCryptLib.h +++ b/CryptoPkg/Include/Library/BaseCryptLib.h @@ -5,6 +5,7 @@ functionality enabling. =20 Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved.
+Copyright (c) 2023, Ampere Computing LLC. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -2471,6 +2472,34 @@ ImageTimestampVerify ( OUT EFI_TIME *SigningTime ); =20 +/** + Get the data signature from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be w= rapped + in a ContentInfo structure. + + If P7Data, Signature, SignatureLength is NULL, then return FALSE. + If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] Signature Pointer to Signature data + @param[out] SignatureLength Length of signature in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetSignature ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **Signature, + OUT UINTN *SignatureLength + ); + /** Retrieve the version from one X.509 certificate. =20 diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protoc= ol/Crypto.h index 0e0b1d94018d..25cd03fb08a3 100644 --- a/CryptoPkg/Private/Protocol/Crypto.h +++ b/CryptoPkg/Private/Protocol/Crypto.h @@ -3,6 +3,7 @@ =20 Copyright (C) Microsoft Corporation. All rights reserved. Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved.
+ Copyright (c) 2023, Ampere Computing LLC. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -1036,6 +1037,34 @@ BOOLEAN OUT EFI_TIME *SigningTime ); =20 +/** + Get the data signature from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be w= rapped + in a ContentInfo structure. + + If P7Data, Signature, SignatureLength is NULL, then return FALSE. + If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] Signature Pointer to Signature data + @param[out] SignatureLength Length of signature in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_PKCS7_GET_SIGNATURE) ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **Signature, + OUT UINTN *SignatureLength + ); + // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D // DH Key Exchange Primitive // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D @@ -5371,6 +5400,7 @@ struct _EDKII_CRYPTO_PROTOCOL { EDKII_CRYPTO_PKCS7_SIGN Pkcs7Sign; EDKII_CRYPTO_PKCS7_GET_ATTACHED_CONTENT Pkcs7GetAttachedCont= ent; EDKII_CRYPTO_PKCS7_GET_CERTIFICATES_LIST Pkcs7GetCertificates= List; + EDKII_CRYPTO_PKCS7_GET_SIGNATURE Pkcs7GetSignature; EDKII_CRYPTO_AUTHENTICODE_VERIFY AuthenticodeVerify; EDKII_CRYPTO_IMAGE_TIMESTAMP_VERIFY ImageTimestampVerify= ; /// DH diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c index bdbb4863a97e..9b55b70f1c48 100644 --- a/CryptoPkg/Driver/Crypto.c +++ b/CryptoPkg/Driver/Crypto.c @@ -4,6 +4,7 @@ =20 Copyright (C) Microsoft Corporation. All rights reserved. Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.
+ Copyright (c) 2023, Ampere Computing LLC. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -3910,6 +3911,37 @@ CryptoServiceImageTimestampVerify ( return CALL_BASECRYPTLIB (Pkcs.Services.ImageTimestampVerify, ImageTimes= tampVerify, (AuthData, DataSize, TsaCert, CertSize, SigningTime), FALSE); } =20 +/** + Get the data signature from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be w= rapped + in a ContentInfo structure. + + If P7Data, Signature, SignatureLength is NULL, then return FALSE. + If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] Signature Pointer to Signature data + @param[out] SignatureLength Length of signature in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServicePkcs7GetSignature ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **Signature, + OUT UINTN *SignatureLength + ) +{ + return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs7GetSignature, Pkcs7GetSigna= ture, (P7Data, P7Length, Signature, SignatureLength), FALSE); +} + // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D // DH Key Exchange Primitive // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D @@ -6746,6 +6778,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto =3D { CryptoServicePkcs7Sign, CryptoServicePkcs7GetAttachedContent, CryptoServicePkcs7GetCertificatesList, + CryptoServicePkcs7GetSignature, CryptoServiceAuthenticodeVerify, CryptoServiceImageTimestampVerify, /// DH diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c b/C= ryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c index 4e5a14e35210..cb3e647c56c9 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c @@ -11,6 +11,7 @@ Variable and will do basic check for data structure. =20 Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+Copyright (c) 2023, Ampere Computing LLC. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -926,3 +927,122 @@ Pkcs7Verify ( =20 return Status; } + +/** + Get the data signature from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be w= rapped + in a ContentInfo structure. + + If P7Data, Signature, SignatureLength is NULL, then return FALSE. + If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] Signature Pointer to Signature data + @param[out] SignatureLength Length of signature in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetSignature ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **Signature, + OUT UINTN *SignatureLength + ) +{ + PKCS7 *Pkcs7; + BOOLEAN Wrapped; + BOOLEAN Status; + UINT8 *SignedData; + UINT8 *Temp; + UINTN SignedDataSize; + STACK_OF (PKCS7_SIGNER_INFO) *SignerInfos; + PKCS7_SIGNER_INFO *SignInfo; + ASN1_OCTET_STRING *EncDigest; + + if ((P7Data =3D=3D NULL) || (P7Length > INT_MAX) || + (Signature =3D=3D NULL && SignatureLength =3D=3D NULL)) { + return FALSE; + } + + Status =3D WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &Sign= edDataSize); + if (!Status) { + return Status; + } + + Status =3D FALSE; + Pkcs7 =3D NULL; + // + // Retrieve PKCS#7 Data (DER encoding) + // + if (SignedDataSize > INT_MAX) { + goto _Exit; + } + + Temp =3D SignedData; + Pkcs7 =3D d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) SignedD= ataSize); + if (Pkcs7 =3D=3D NULL) { + goto _Exit; + } + + // + // Check if it's PKCS#7 Signed Data (for Authenticode Scenario) + // + if (!PKCS7_type_is_signed (Pkcs7)) { + goto _Exit; + } + + // + // Check if there is one and only one signer. + // + SignerInfos =3D PKCS7_get_signer_info (Pkcs7); + if (!SignerInfos || (sk_PKCS7_SIGNER_INFO_num (SignerInfos) !=3D 1)) { + goto _Exit; + } + + // + // Locate the TimeStamp CounterSignature. + // + SignInfo =3D sk_PKCS7_SIGNER_INFO_value (SignerInfos, 0); + if (SignInfo =3D=3D NULL) { + goto _Exit; + } + + // + // Locate Message Digest which will be the data to be time-stamped. + // + EncDigest =3D SignInfo->enc_digest; + if (EncDigest =3D=3D NULL) { + goto _Exit; + } + + *SignatureLength =3D EncDigest->length; + if (Signature !=3D NULL) + { + if (*Signature =3D=3D NULL) { + Status =3D FALSE; + goto _Exit; + } + CopyMem ((VOID *)*Signature, EncDigest->data, EncDigest->length); + Status =3D TRUE; + } + +_Exit: + // + // Release Resources + // + if (!Wrapped) { + free (SignedData); + } + if (Pkcs7 !=3D NULL) { + PKCS7_free (Pkcs7); + } + + return Status; +} diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c b/Cry= ptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c index b9b7960126de..1b093d509694 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c @@ -3,6 +3,7 @@ real capabilities. =20 Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) 2023, Ampere Computing LLC. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -161,3 +162,35 @@ Pkcs7GetAttachedContent ( ASSERT (FALSE); return FALSE; } + +/** + Get the data signature from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be w= rapped + in a ContentInfo structure. + + If P7Data, Signature, SignatureLength is NULL, then return FALSE. + If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] Signature Pointer to Signature data + @param[out] SignatureLength Length of signature in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetSignature ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **Signature, + OUT UINTN *SignatureLength + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/Crypt= oPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c index 4e31bc278e0f..dcac864cc358 100644 --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c @@ -4,6 +4,7 @@ =20 Copyright (C) Microsoft Corporation. All rights reserved. Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.
+ Copyright (c) 2023, Ampere Computing LLC. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -3146,6 +3147,37 @@ ImageTimestampVerify ( CALL_CRYPTO_SERVICE (ImageTimestampVerify, (AuthData, DataSize, TsaCert,= CertSize, SigningTime), FALSE); } =20 +/** + Get the data signature from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could be w= rapped + in a ContentInfo structure. + + If P7Data, Signature, SignatureLength is NULL, then return FALSE. + If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] Signature Pointer to Signature data + @param[out] SignatureLength Length of signature in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetSignature ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **Signature, + OUT UINTN *SignatureLength + ) +{ + CALL_CRYPTO_SERVICE (Pkcs7GetSignature, (P7Data, P7Length, Signature, Si= gnatureLength), FALSE); +} + // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D // DH Key Exchange Primitive // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --=20 2.39.0