From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bounce+27952+114759+7686176+12367111@groups.io>
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108])
	by spool.mail.gandi.net (Postfix) with ESMTPS id 48D99D80F71
	for <rebecca@openfw.io>; Tue, 30 Jan 2024 05:46:41 +0000 (UTC)
DKIM-Signature: a=rsa-sha256; bh=gfRmdGaef0hx4RTBNVN3siYmertnhOfNPRbRsGeAU+k=;
 c=relaxed/simple; d=groups.io;
 h=ARC-Seal:ARC-Message-Signature:ARC-Authentication-Results:From:To:CC:Subject:Date:Message-ID:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding:Content-Type;
 s=20140610; t=1706593599; v=1;
 b=Q2wC9vzTCoPiNyar6YBiVmDNDU/uVU+7Qj4HXziUbBrdFgo1CvcsPdNh7kfoNR3p3hVCA5JV
 l6g3+zx2iFkQ9r2jM0JqP+deogzJuTY60DssjTEoE9eH3o9r+UB1vLYZydElkJUJp8PFisvh08x
 A5Wg0ybUb1fnlLQa83c0UjAc=
X-Received: by 127.0.0.2 with SMTP id MeXmYY7687511xoc4FtqOeVk; Mon, 29 Jan 2024 21:46:39 -0800
X-Received: from NAM11-CO1-obe.outbound.protection.outlook.com (NAM11-CO1-obe.outbound.protection.outlook.com [40.107.220.115])
 by mx.groups.io with SMTP id smtpd.web10.12452.1706593599151222408
 for <devel@edk2.groups.io>;
 Mon, 29 Jan 2024 21:46:39 -0800
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=cHbfm/dcRnoIJy77qfhAko0i6n4wpkHM7ZgR/kcXVAWHJsLuwFWHmUGBpc3CbrDeWY0I5o1g1BMmf/eotXxcRM+6+5HZ/zIYzGbBgVKgvMqkEpW0ne7Yox1u/dgf/Ny6fM9h2Oc7HTljiX0Nd9CndyecX99zyOI4m2wz2cEFnS61waSpIlZJTVJPv4rRMRb5anh+k7XxcUbmCwN4Ut8iHhGzVr0v3P7Cy5rnOkRxckPOlKKHXTl/K+CjRlnag94tIlY2EtjSiMTl7tgjzvRofpzDCuJOZo1O+5I2Ujog6qPHG8+I8Oe0UbRQWxBwx3fIH3Oh17hojQkONdU74Ym2ag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=FgIA7w+srnKJDdNhadI35v98eQG0A6C+ABfeyWAdBzY=;
 b=jHUliwRt3C6FttBO1AFvHNI967Td1t5Oezzt4575OZ4TchwVM0pU3p+VXCHvmKNNWhpAhoh5bhk1AIF0Ng2xUyET4fW8ApmuKdbB+bf6JAdj2oagf2gDao1lQU/TarwkXLkeBNPKHh9i6WfEwDQZOTv88deCOYMq+T/J4d4Cfda8bWl5TtLPb00UEUxzgPmY6QSMLHBfrb+M5w/D5sqSgMyL2Qm+bbWPMMGE3o4FpYJ8yqONF4kMiDlnyfk41vPlaTv4oLNFSWBfpzGgHg6p0qB0g36+0L240O/XH0tlGIEcsq7tr0Dwg18zZXfMARNJSRYezjqozibgTrQ010DTJw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=os.amperecomputing.com; dmarc=pass action=none
 header.from=os.amperecomputing.com; dkim=pass
 header.d=os.amperecomputing.com; arc=none
X-Received: from PH0PR01MB7287.prod.exchangelabs.com (2603:10b6:510:10a::21) by
 BN0PR01MB6829.prod.exchangelabs.com (2603:10b6:408:148::11) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.7228.34; Tue, 30 Jan 2024 05:46:36 +0000
X-Received: from PH0PR01MB7287.prod.exchangelabs.com
 ([fe80::2ff9:8f07:ec56:77f9]) by PH0PR01MB7287.prod.exchangelabs.com
 ([fe80::2ff9:8f07:ec56:77f9%3]) with mapi id 15.20.7228.029; Tue, 30 Jan 2024
 05:46:36 +0000
From: "Nhi Pham via groups.io" <nhi=os.amperecomputing.com@groups.io>
To: devel@edk2.groups.io
CC: Tam Chi Nguyen <tamnguyenchi@os.amperecomputing.com>,
	Jiewen Yao <jiewen.yao@intel.com>,
	Wenxing Hou <wenxing.hou@intel.com>,
	Yi Li <yi1.li@intel.com>,
	Nhi Pham <nhi@os.amperecomputing.com>
Subject: [edk2-devel] [PATCH 1/1] CryptoPkg: Add new API to get PKCS7 Signature
Date: Tue, 30 Jan 2024 12:44:28 +0700
Message-ID: <20240130054428.3838412-1-nhi@os.amperecomputing.com>
X-ClientProxiedBy: SGXP274CA0019.SGPP274.PROD.OUTLOOK.COM (2603:1096:4:b8::31)
 To PH0PR01MB7287.prod.exchangelabs.com (2603:10b6:510:10a::21)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: PH0PR01MB7287:EE_|BN0PR01MB6829:EE_
X-MS-Office365-Filtering-Correlation-Id: 440fae72-fd3b-4961-e084-08dc2156d253
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Message-Info: 
	lsGjdJ7hg5fe6GN4gTkWXmHxdOvZ36laMf1O0dR2jaSoZCw4vWT0dj1yAliEjA6uFxp9bOUo2bbH4oNOj7zfS/aVKA9yJSNzZ/sXgB4SFUHP82UCbwLBOJmb0CNQEIkUSbQwyuVINHwZRQ0khJMiK69Ct6F63VgH8Lk1V6Gi3RyMMDMl4Mz6N6xotUj/QMYKEZ9sa0LjEuukLmOyGo/jT1pznmUe0RMaG1FDpZeC1OAOfIUdOkchlGB41eKAOt/foC6wV5xVBPtXoPe2sib1bhz11Svrb4OZTFVIA1g9z6lZ5IiMncrZEnrHCdB/4RyWY1mE5gPYQXRFvVOLZNkMjE5UfhNBOqZcqlBt5xEP0g+B0Gol3gfwkCtwNRdQDrh8KzboS+oFGsr3zDl+FBFyn/+URG9k2WHUCMaHdyzZtZp340Pc95ASosnYJqrmuLRQ4ROZE48FR9WU8XEac94aqbaCy4NTFYFaWJLLHRResxjOFQiE9wzlYhzUKwbklneoA9pTu7+E7UjvyQJBp7qUS4NfhJwBUbBxkXm5GAswod26HaQW4UmluB1uU2xUaWTtWpzpXWqOpwuA7kMupFtCtSX9BDno5dFK+goaT/Nuxt4a05IoUptIRJpqrTBYHz14
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
	=?us-ascii?Q?26nii02HXV0UR8T++tjzenRsINzVKL3BY9yNuc4KwDmxdTJjGuqJL8nZECPI?=
 =?us-ascii?Q?TphMki3mMofYBEKabd18Xrwug4Lo/DQJYpqcQYMSDUE8q0LxRnoQ6Y+SSH0o?=
 =?us-ascii?Q?ngXtzHFRd9sYfDZZOSMLlLXy+k3WLSONoqMeyQAUhcmNtqz5QjSM5+CJodXg?=
 =?us-ascii?Q?mS4VcvogR4n/CT8qRWR88ZL6mUn3Q7uy+on1e/wGSQ/C1zBEPNNB79outiPK?=
 =?us-ascii?Q?kbc7bGWlgUezZmjNfI0oolu1tCyMfxPpV5ohBDNRqci1wfaevE3pLB3OTgTy?=
 =?us-ascii?Q?v/ByZIoKSHQ3Sb8dsP4eJOIlU8IQ008islGP6iihw0qB6DmV3mFZrA88r4za?=
 =?us-ascii?Q?QkyXxzw8r6Av4WdWHGZQj2VYsfP7pDj1fIsmQqtAwfk4GKNHq+PXzD6I/84J?=
 =?us-ascii?Q?Jn/HRWz29b2mahSo+BKUHaTlkTlsMhZnZJ6/T8XJyldYJobrxj8kzd3652MK?=
 =?us-ascii?Q?RB0i51UF9X34fpd3c5nKlZ7RFMO5yCiK+kNSLLMh9Iz3krmY/g1wOV/L2rzZ?=
 =?us-ascii?Q?6gMVxiyY12HQm3whyuhbFMSrVOKqDQegRp137reams3pXH8kmvzPOCpOqKHK?=
 =?us-ascii?Q?DBi1E2aLJAFxeAXuVsbyYcX0AaVQG2MtLV6xvHswg8ZDYYYwtFaO6av92T/r?=
 =?us-ascii?Q?2yzj4avmSgNPZHHHA3dy3aRrJg1xdPBBZuD7PIe6ETg6qGEZ3TD36mDzzt5/?=
 =?us-ascii?Q?aR9Ub2WAtiG0WjIlBWxaG5ImPZHwIc/9jlf1a5vgNNEe18DVTX1fMgZGk9xa?=
 =?us-ascii?Q?9NjBmGNNHAsFMHsqZioi3wRHEqWvQ7TcbdVLS6I7jluSXtduhxZfyV3scwZV?=
 =?us-ascii?Q?PMaI0q63e6lW9GqyOkPv4yEMz1v7gJpChv8ZBhd5Glg8VVNQqlUIMYq1PcrF?=
 =?us-ascii?Q?5jwI6/BKytMwyZtONI8xtQo3GeCJIvSt76GRE0DOVfUnJAzoLqNuf3KSChzB?=
 =?us-ascii?Q?eSqAwh77gigItBRlW5WmrsOODfJkFYHL8xtAGy8ygrxDWQW33lgQpuCxTRct?=
 =?us-ascii?Q?m4BmA/D7F3j7iGNAGnxKS4w7TG96Vs1LEnaqPrB5PQqJVzzh8gDXmXOdh9xQ?=
 =?us-ascii?Q?C4srMpZWw/uc6DbfpwsGWZu60v2QnijS6vp4zPjDd6lDZN7fkExc6yHJQUu6?=
 =?us-ascii?Q?agQr5zbX/H3CBuoxyrZ9chJwX22FFjVp3JKdgXSATEEu6qomvEglwmRPg+BA?=
 =?us-ascii?Q?XhyTx4mh1k+Os4vdxj/NryhBynLVJ6MbYiDzmwkFFpjNYgwxSMY3BztMvzPc?=
 =?us-ascii?Q?1JTZ1llEXKv+JENtmwjTriX/hM2hbxxDdbGKHrKhcQ3BKj5kKF+KdjgpdZ+w?=
 =?us-ascii?Q?wJrDCpgCRp6bxNojV6QVB/lHKVC9zvS7B7MH5+iyXTOvfkPwjZaTegxr1mAo?=
 =?us-ascii?Q?AJxDPlYfOyfgD5/Wzjzpzr4H/w+FtwvL1qa0Eju+bR2jlGzvjLd7T6tgwRUg?=
 =?us-ascii?Q?QlIasJ7hk+OzanG0XRsjdFwAoHaYIN0CZHk3x4lJW29y03omCDwkCA6nshJL?=
 =?us-ascii?Q?jdSrhUVK+lGhJf+iwkIZIkFfN6Y5UZf7tekCTDzpS6myzXcBLuOLC7KA/VbF?=
 =?us-ascii?Q?KSIkRT35XulSePHSrXIPAvjESqUmwwccFlwAk3urnkyPP9BZILTcP/Kq9KOa?=
 =?us-ascii?Q?OQ=3D=3D?=
X-OriginatorOrg: os.amperecomputing.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 440fae72-fd3b-4961-e084-08dc2156d253
X-MS-Exchange-CrossTenant-AuthSource: PH0PR01MB7287.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Jan 2024 05:46:36.2517
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 3bc2b170-fd94-476d-b0ce-4229bdc904a7
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: xW2cNaSfNsS/U63qaFojCTLs7xe5Sz6Jp7kJ/QOJtoFE1FLKomZDZZrYki2PvLG4+Os9kw67LjcxnAXJXF/T+yEYsc/9lTuOTazEOZ1uBLo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0PR01MB6829
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,nhi@os.amperecomputing.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: <https://edk2.groups.io/g/devel/leave/12367111/7686176/1913456212/plugh>
X-Gm-Message-State: g8YLIf9lOFbvctOlRlxYGQoNx7686176AA=
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
X-GND-Status: LEGIT
Authentication-Results: spool.mail.gandi.net;
	dkim=pass header.d=groups.io header.s=20140610 header.b=Q2wC9vzT;
	spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io;
	dmarc=none;
	arc=reject ("signature check failed: fail, {[1] = sig:microsoft.com:reject}")

From: Tam Chi Nguyen <tamnguyenchi@os.amperecomputing.com>

This patch adds a new Pkcs7GetSignature() API to support extracting the
signature data from PKCS7 certificate.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Wenxing Hou <wenxing.hou@intel.com>
Cc: Yi Li <yi1.li@intel.com>
Signed-off-by: Nhi Pham <nhi@os.amperecomputing.com>
---
 CryptoPkg/Include/Library/BaseCryptLib.h                   |  29 +++++
 CryptoPkg/Private/Protocol/Crypto.h                        |  29 +++++
 CryptoPkg/Driver/Crypto.c                                  |  33 ++++++
 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c | 120 +++++++++=
+++++++++++
 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c   |  33 ++++++
 CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c     |  32 ++++++
 6 files changed, 276 insertions(+)

diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/L=
ibrary/BaseCryptLib.h
index a52bd91ad664..d52a91244482 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -5,6 +5,7 @@
   functionality enabling.
=20
 Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2024, Ampere Computing LLC. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
=20
 **/
@@ -2471,6 +2472,34 @@ ImageTimestampVerify (
   OUT EFI_TIME     *SigningTime
   );
=20
+/**
+  Get the data signature from PKCS#7 signed data as described in "PKCS #7:
+  Cryptographic Message Syntax Standard". The input signed data could be w=
rapped
+  in a ContentInfo structure.
+
+  If P7Data, Signature, SignatureLength is NULL, then return FALSE.
+  If P7Length overflow, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in]  P7Data       Pointer to the PKCS#7 message to verify.
+  @param[in]  P7Length     Length of the PKCS#7 message in bytes.
+  @param[out] Signature    Pointer to Signature data
+  @param[out] SignatureLength  Length of signature in bytes.
+
+  @retval  TRUE            The operation is finished successfully.
+  @retval  FALSE           Error occurs during the operation.
+  @retval  FALSE           This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetSignature (
+  IN  CONST UINT8  *P7Data,
+  IN  UINTN        P7Length,
+  OUT UINT8        **Signature,
+  OUT UINTN        *SignatureLength
+  );
+
 /**
   Retrieve the version from one X.509 certificate.
=20
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protoc=
ol/Crypto.h
index 0e0b1d94018d..d228cea0453b 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -3,6 +3,7 @@
=20
   Copyright (C) Microsoft Corporation. All rights reserved.
   Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2024, Ampere Computing LLC. All rights reserved.<BR>
   SPDX-License-Identifier: BSD-2-Clause-Patent
=20
 **/
@@ -1036,6 +1037,34 @@ BOOLEAN
   OUT EFI_TIME     *SigningTime
   );
=20
+/**
+  Get the data signature from PKCS#7 signed data as described in "PKCS #7:
+  Cryptographic Message Syntax Standard". The input signed data could be w=
rapped
+  in a ContentInfo structure.
+
+  If P7Data, Signature, SignatureLength is NULL, then return FALSE.
+  If P7Length overflow, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in]  P7Data       Pointer to the PKCS#7 message to verify.
+  @param[in]  P7Length     Length of the PKCS#7 message in bytes.
+  @param[out] Signature    Pointer to Signature data
+  @param[out] SignatureLength  Length of signature in bytes.
+
+  @retval  TRUE            The operation is finished successfully.
+  @retval  FALSE           Error occurs during the operation.
+  @retval  FALSE           This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI *EDKII_CRYPTO_PKCS7_GET_SIGNATURE) (
+  IN  CONST UINT8  *P7Data,
+  IN  UINTN        P7Length,
+  OUT UINT8        **Signature,
+  OUT UINTN        *SignatureLength
+  );
+
 // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 //    DH Key Exchange Primitive
 // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index bdbb4863a97e..83094e73c33a 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -4,6 +4,7 @@
=20
   Copyright (C) Microsoft Corporation. All rights reserved.
   Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2024, Ampere Computing LLC. All rights reserved.<BR>
   SPDX-License-Identifier: BSD-2-Clause-Patent
=20
 **/
@@ -3910,6 +3911,37 @@ CryptoServiceImageTimestampVerify (
   return CALL_BASECRYPTLIB (Pkcs.Services.ImageTimestampVerify, ImageTimes=
tampVerify, (AuthData, DataSize, TsaCert, CertSize, SigningTime), FALSE);
 }
=20
+/**
+  Get the data signature from PKCS#7 signed data as described in "PKCS #7:
+  Cryptographic Message Syntax Standard". The input signed data could be w=
rapped
+  in a ContentInfo structure.
+
+  If P7Data, Signature, SignatureLength is NULL, then return FALSE.
+  If P7Length overflow, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in]  P7Data       Pointer to the PKCS#7 message to verify.
+  @param[in]  P7Length     Length of the PKCS#7 message in bytes.
+  @param[out] Signature    Pointer to Signature data
+  @param[out] SignatureLength  Length of signature in bytes.
+
+  @retval  TRUE            The operation is finished successfully.
+  @retval  FALSE           Error occurs during the operation.
+  @retval  FALSE           This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+CryptoServicePkcs7GetSignature (
+  IN  CONST UINT8  *P7Data,
+  IN  UINTN        P7Length,
+  OUT UINT8        **Signature,
+  OUT UINTN        *SignatureLength
+  )
+{
+  return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs7GetSignature, Pkcs7GetSigna=
ture, (P7Data, P7Length, Signature, SignatureLength), FALSE);
+}
+
 // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 //    DH Key Exchange Primitive
 // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
@@ -6748,6 +6780,7 @@ const EDKII_CRYPTO_PROTOCOL  mEdkiiCrypto =3D {
   CryptoServicePkcs7GetCertificatesList,
   CryptoServiceAuthenticodeVerify,
   CryptoServiceImageTimestampVerify,
+  CryptoServicePkcs7GetSignature,
   /// DH
   CryptoServiceDhNew,
   CryptoServiceDhFree,
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c b/C=
ryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c
index 4e5a14e35210..9e3fccf1bb4e 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c
@@ -11,6 +11,7 @@
   Variable and will do basic check for data structure.
=20
 Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2024, Ampere Computing LLC. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
=20
 **/
@@ -926,3 +927,122 @@ _Exit:
=20
   return Status;
 }
+
+/**
+  Get the data signature from PKCS#7 signed data as described in "PKCS #7:
+  Cryptographic Message Syntax Standard". The input signed data could be w=
rapped
+  in a ContentInfo structure.
+
+  If P7Data, Signature, SignatureLength is NULL, then return FALSE.
+  If P7Length overflow, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in]  P7Data       Pointer to the PKCS#7 message to verify.
+  @param[in]  P7Length     Length of the PKCS#7 message in bytes.
+  @param[out] Signature    Pointer to Signature data
+  @param[out] SignatureLength  Length of signature in bytes.
+
+  @retval  TRUE            The operation is finished successfully.
+  @retval  FALSE           Error occurs during the operation.
+  @retval  FALSE           This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetSignature (
+  IN  CONST UINT8  *P7Data,
+  IN  UINTN        P7Length,
+  OUT UINT8        **Signature,
+  OUT UINTN        *SignatureLength
+  )
+{
+  PKCS7                         *Pkcs7;
+  BOOLEAN                       Wrapped;
+  BOOLEAN                       Status;
+  UINT8                         *SignedData;
+  UINT8                         *Temp;
+  UINTN                         SignedDataSize;
+  STACK_OF (PKCS7_SIGNER_INFO)  *SignerInfos;
+  PKCS7_SIGNER_INFO             *SignInfo;
+  ASN1_OCTET_STRING             *EncDigest;
+
+  if ((P7Data =3D=3D NULL) || (P7Length > INT_MAX) ||
+      (Signature =3D=3D NULL && SignatureLength =3D=3D NULL)) {
+    return FALSE;
+  }
+
+  Status =3D WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &Sign=
edDataSize);
+  if (!Status) {
+    return Status;
+  }
+
+  Status     =3D FALSE;
+  Pkcs7      =3D NULL;
+  //
+  // Retrieve PKCS#7 Data (DER encoding)
+  //
+  if (SignedDataSize > INT_MAX) {
+    goto _Exit;
+  }
+
+  Temp =3D SignedData;
+  Pkcs7 =3D d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) SignedD=
ataSize);
+  if (Pkcs7 =3D=3D NULL) {
+    goto _Exit;
+  }
+
+  //
+  // Check if it's PKCS#7 Signed Data (for Authenticode Scenario)
+  //
+  if (!PKCS7_type_is_signed (Pkcs7)) {
+    goto _Exit;
+  }
+
+  //
+  // Check if there is one and only one signer.
+  //
+  SignerInfos =3D PKCS7_get_signer_info (Pkcs7);
+  if (!SignerInfos || (sk_PKCS7_SIGNER_INFO_num (SignerInfos) !=3D 1)) {
+    goto _Exit;
+  }
+
+  //
+  // Locate the TimeStamp CounterSignature.
+  //
+  SignInfo =3D sk_PKCS7_SIGNER_INFO_value (SignerInfos, 0);
+  if (SignInfo =3D=3D NULL) {
+    goto _Exit;
+  }
+
+  //
+  // Locate Message Digest which will be the data to be time-stamped.
+  //
+  EncDigest =3D SignInfo->enc_digest;
+  if (EncDigest =3D=3D NULL) {
+    goto _Exit;
+  }
+
+  *SignatureLength =3D EncDigest->length;
+  if (Signature !=3D NULL)
+  {
+    if (*Signature =3D=3D NULL) {
+      Status =3D FALSE;
+      goto _Exit;
+    }
+    CopyMem ((VOID *)*Signature, EncDigest->data, EncDigest->length);
+    Status =3D TRUE;
+  }
+
+_Exit:
+  //
+  // Release Resources
+  //
+  if (!Wrapped) {
+    free (SignedData);
+  }
+  if (Pkcs7 !=3D NULL) {
+    PKCS7_free (Pkcs7);
+  }
+
+  return Status;
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c b/Cry=
ptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c
index b9b7960126de..a080bbfc4237 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c
@@ -3,6 +3,7 @@
   real capabilities.
=20
 Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2024, Ampere Computing LLC. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
=20
 **/
@@ -161,3 +162,35 @@ Pkcs7GetAttachedContent (
   ASSERT (FALSE);
   return FALSE;
 }
+
+/**
+  Get the data signature from PKCS#7 signed data as described in "PKCS #7:
+  Cryptographic Message Syntax Standard". The input signed data could be w=
rapped
+  in a ContentInfo structure.
+
+  If P7Data, Signature, SignatureLength is NULL, then return FALSE.
+  If P7Length overflow, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in]  P7Data       Pointer to the PKCS#7 message to verify.
+  @param[in]  P7Length     Length of the PKCS#7 message in bytes.
+  @param[out] Signature    Pointer to Signature data
+  @param[out] SignatureLength  Length of signature in bytes.
+
+  @retval  TRUE            The operation is finished successfully.
+  @retval  FALSE           Error occurs during the operation.
+  @retval  FALSE           This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetSignature (
+  IN  CONST UINT8  *P7Data,
+  IN  UINTN        P7Length,
+  OUT UINT8        **Signature,
+  OUT UINTN        *SignatureLength
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/Crypt=
oPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 4e31bc278e0f..55d7b17688a0 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -4,6 +4,7 @@
=20
   Copyright (C) Microsoft Corporation. All rights reserved.
   Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2024, Ampere Computing LLC. All rights reserved.<BR>
   SPDX-License-Identifier: BSD-2-Clause-Patent
=20
 **/
@@ -3146,6 +3147,37 @@ ImageTimestampVerify (
   CALL_CRYPTO_SERVICE (ImageTimestampVerify, (AuthData, DataSize, TsaCert,=
 CertSize, SigningTime), FALSE);
 }
=20
+/**
+  Get the data signature from PKCS#7 signed data as described in "PKCS #7:
+  Cryptographic Message Syntax Standard". The input signed data could be w=
rapped
+  in a ContentInfo structure.
+
+  If P7Data, Signature, SignatureLength is NULL, then return FALSE.
+  If P7Length overflow, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in]  P7Data       Pointer to the PKCS#7 message to verify.
+  @param[in]  P7Length     Length of the PKCS#7 message in bytes.
+  @param[out] Signature    Pointer to Signature data
+  @param[out] SignatureLength  Length of signature in bytes.
+
+  @retval  TRUE            The operation is finished successfully.
+  @retval  FALSE           Error occurs during the operation.
+  @retval  FALSE           This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetSignature (
+  IN  CONST UINT8  *P7Data,
+  IN  UINTN        P7Length,
+  OUT UINT8        **Signature,
+  OUT UINTN        *SignatureLength
+  )
+{
+  CALL_CRYPTO_SERVICE (Pkcs7GetSignature, (P7Data, P7Length, Signature, Si=
gnatureLength), FALSE);
+}
+
 // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 //    DH Key Exchange Primitive
 // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--=20
2.25.1



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#114759): https://edk2.groups.io/g/devel/message/114759
Mute This Topic: https://groups.io/mt/104048629/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-