From: "Wenxing Hou"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Yi Li
Subject: [edk2-devel] [PATCH v2 9/9] CryptoPkg: Add ImageTimestampVerify based on Mbedtls
Date: Tue, 23 Apr 2024 10:34:32 +0800
Message-Id: <20240423023432.2147-10-wenxing.hou@intel.com>
In-Reply-To: <20240423023432.2147-1-wenxing.hou@intel.com>
References: <20240423023432.2147-1-wenxing.hou@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177

Timestamp Countersignature Verification implementation based on Mbedtls.

Cc: Jiewen Yao
Cc: Yi Li
Signed-off-by: Wenxing Hou
---
 .../Library/BaseCryptLibMbedTls/Pk/CryptTs.c | 381 ++++++++++++++++++
 1 file changed, 381 insertions(+)
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTs.c

diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTs.c
new file mode 100644
index 0000000000..d3fa205f9c
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTs.c
@@ -0,0 +1,381 @@ +/** @file=0D + RFC3161 Timestamp Countersignature Verification Wrapper Implementation w= hich does=0D + not provide real capabilities.=0D +=0D +Copyright (c) 2024, Intel Corporation. All rights reserved.
=0D +SPDX-License-Identifier: BSD-2-Clause-Patent=0D +=0D +**/=0D +=0D +#include "InternalCryptLib.h"=0D +#include =0D +=0D +//=0D +// OID ASN.1 Value for SPC_RFC3161_OBJID ("1.3.6.1.4.1.311.3.3.1")=0D +//=0D +GLOBAL_REMOVE_IF_UNREFERENCED const UINT8 mSpcRFC3161OidValue[] =3D {=0D + 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x03, 0x03, 0x01=0D +};=0D +=0D +/**=0D + Convert ASN.1 GeneralizedTime to EFI Time.=0D +=0D + @param[in] Ptr Pointer to the ASN.1 GeneralizedTime to be conv= erted.=0D + @param[out] EfiTime Return the corresponding EFI Time.=0D +=0D + @retval TRUE The time conversion succeeds.=0D + @retval FALSE Invalid parameters.=0D +=0D +**/=0D +STATIC=0D +BOOLEAN=0D +ConvertAsn1TimeToEfiTime (=0D + IN UINT8 *Ptr,=0D + OUT EFI_TIME *EfiTime=0D + )=0D +{=0D + CONST CHAR8 *Str;=0D + UINTN Index;=0D +=0D + if ((Ptr =3D=3D NULL) || (EfiTime =3D=3D NULL)) {=0D + return FALSE;=0D + }=0D +=0D + Str =3D (CONST CHAR8 *)Ptr;=0D + SetMem (EfiTime, sizeof (EFI_TIME), 0);=0D +=0D + Index =3D 0;=0D +=0D + /* four digit year */=0D + EfiTime->Year =3D (Str[Index++] - '0') * 1000;=0D + EfiTime->Year +=3D (Str[Index++] - '0') * 100;=0D + EfiTime->Year +=3D (Str[Index++] - '0') * 10;=0D + EfiTime->Year +=3D (Str[Index++] - '0');=0D + if ((EfiTime->Year < 1900) || (EfiTime->Year > 9999)) {=0D + return FALSE;=0D + }=0D +=0D + EfiTime->Month =3D (Str[Index++] - '0') * 10;=0D + EfiTime->Month +=3D (Str[Index++] - '0');=0D + if ((EfiTime->Month < 1) || (EfiTime->Month > 12)) {=0D + return FALSE;=0D + }=0D +=0D + EfiTime->Day =3D (Str[Index++] - '0') * 10;=0D + EfiTime->Day +=3D (Str[Index++] - '0');=0D + if ((EfiTime->Day < 1) || (EfiTime->Day > 31)) {=0D + return FALSE;=0D + }=0D +=0D + EfiTime->Hour =3D (Str[Index++] - '0') * 10;=0D + EfiTime->Hour +=3D (Str[Index++] - '0');=0D + if (EfiTime->Hour > 23) {=0D + return FALSE;=0D + }=0D +=0D + EfiTime->Minute =3D (Str[Index++] - '0') * 10;=0D + EfiTime->Minute +=3D (Str[Index++] - '0');=0D + if (EfiTime->Minute > 59) {=0D + return 
FALSE;=0D + }=0D +=0D + EfiTime->Second =3D (Str[Index++] - '0') * 10;=0D + EfiTime->Second +=3D (Str[Index++] - '0');=0D + if (EfiTime->Second > 59) {=0D + return FALSE;=0D + }=0D +=0D + /* Note: we did not adjust the time based on time zone information */=0D +=0D + return TRUE;=0D +}=0D +=0D +/**=0D + Verifies the validity of a RFC3161 Timestamp CounterSignature embedded i= n PE/COFF Authenticode=0D + signature.=0D +=0D + Return FALSE to indicate this interface is not supported.=0D +=0D + @param[in] AuthData Pointer to the Authenticode Signature retrieved= from signed=0D + PE/COFF image to be verified.=0D + @param[in] DataSize Size of the Authenticode Signature in bytes.=0D + @param[in] TsaCert Pointer to a trusted/root TSA certificate encod= ed in DER, which=0D + is used for TSA certificate chain verification.= =0D + @param[in] CertSize Size of the trusted certificate in bytes.=0D + @param[out] SigningTime Return the time of timestamp generation time if= the timestamp=0D + signature is valid.=0D +=0D + @retval FALSE This interface is not supported.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +ImageTimestampVerify (=0D + IN CONST UINT8 *AuthData,=0D + IN UINTN DataSize,=0D + IN CONST UINT8 *TsaCert,=0D + IN UINTN CertSize,=0D + OUT EFI_TIME *SigningTime=0D + )=0D +{=0D + BOOLEAN Status;=0D + UINT8 *Ptr;=0D + UINT8 *End;=0D + INT32 Len;=0D + UINTN ObjLen;=0D + UINT8 *TempPtr;=0D +=0D + //=0D + // Initializations=0D + //=0D + if (SigningTime !=3D NULL) {=0D + SetMem (SigningTime, sizeof (EFI_TIME), 0);=0D + }=0D +=0D + //=0D + // Input Parameters Checking.=0D + //=0D + if ((AuthData =3D=3D NULL) || (TsaCert =3D=3D NULL)) {=0D + return FALSE;=0D + }=0D +=0D + if ((DataSize > INT_MAX) || (CertSize > INT_MAX)) {=0D + return FALSE;=0D + }=0D +=0D + Ptr =3D (UINT8 *)(UINTN)AuthData;=0D + Len =3D (UINT32)DataSize;=0D + End =3D Ptr + Len;=0D +=0D + // ContentInfo=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D 
+ return FALSE;=0D + }=0D +=0D + // ContentType=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_OID) !=3D 0) = {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D + // content=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_CONTEXT_SPECIFIC) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + End =3D Ptr + ObjLen;=0D + // signedData=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // version=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_INTEGER) !=3D= 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D + // digestAlgo=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SET) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + // encapContentInfo=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + // cert=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_CONTEXT_SPECIFIC) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + TempPtr =3D Ptr;=0D + // OPTIONAL CRLs=0D + if (mbedtls_asn1_get_tag (&TempPtr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCT= ED | MBEDTLS_ASN1_CONTEXT_SPECIFIC) =3D=3D 0) {=0D + Ptr =3D TempPtr + ObjLen;=0D + }=0D +=0D + // signerInfo=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SET) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // sub parse=0D + // signerInfo=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + End =3D Ptr + ObjLen;=0D +=0D + // version=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_INTEGER) !=3D= 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D 
+=0D + // sid=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + // digestalgo=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + // OPTIONAL AuthenticatedAttributes=0D + TempPtr =3D Ptr;=0D + if (mbedtls_asn1_get_tag (&TempPtr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCT= ED | MBEDTLS_ASN1_CONTEXT_SPECIFIC) =3D=3D 0) {=0D + Ptr =3D TempPtr + ObjLen;=0D + }=0D +=0D + // signaturealgo=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + // signature=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_OCTET_STRING)= !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + // OPTIONAL UnauthenticatedAttributes=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, 0xA1) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // Attribute=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // type=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_OID) !=3D 0) = {=0D + return FALSE;=0D + }=0D +=0D + if (CompareMem (Ptr, mSpcRFC3161OidValue, sizeof (mSpcRFC3161OidValue)) = !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + // values=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SET) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // values=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // signedData OID=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_OID) !=3D 0) = {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D 
ObjLen;=0D +=0D + // [0]=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_CONTEXT_SPECIFIC) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // integer=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_INTEGER) !=3D= 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D + // SET=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SET) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // tST OID=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_OID) !=3D 0) = {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_CONTEXT_SPECIFIC) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_OCTET_STRING)= !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // Integer=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_INTEGER) !=3D= 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D + // policy OID=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_OID) !=3D 0) = {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D + // sequence=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D + // Integer=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_INTEGER) !=3D= 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D 
ObjLen;=0D +=0D + // GeneralizedTime=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_GENERALIZED_T= IME) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + //=0D + // Retrieve the signing time from TS_TST_INFO structure.=0D + //=0D + if (SigningTime !=3D NULL) {=0D + SetMem (SigningTime, sizeof (EFI_TIME), 0);=0D + Status =3D ConvertAsn1TimeToEfiTime (Ptr, SigningTime);=0D + }=0D +=0D + return Status;=0D +}=0D --=20 2.26.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#118119): https://edk2.groups.io/g/devel/message/118119 Mute This Topic: https://groups.io/mt/105683593/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-
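Review bot: TsaCert and CertSize are only used in the NULL and INT_MAX parameter checks and never reach any signature or certificate-chain verification, so ImageTimestampVerify returns TRUE for any syntactically well-formed SignedData and hands back a SigningTime that has not been authenticated; the SignerInfo signature over the TSTInfo should be verified against a chain rooted at TsaCert before the extracted time is returned, or the function should be documented as a parse-only helper so callers do not treat the result as a verified timestamp. Two smaller defects in the same function: `BOOLEAN Status;` is assigned only inside `if (SigningTime != NULL)`, so `return Status;` returns an uninitialized value when the caller passes SigningTime as NULL (initialize it, e.g. `Status = FALSE;`, or return an explicit value on that path); and ConvertAsn1TimeToEfiTime reads fourteen characters from Ptr without being given the element length, because the ObjLen returned for MBEDTLS_ASN1_GENERALIZED_TIME is never checked before the call, so a truncated time element causes an out-of-bounds read (pass ObjLen in, reject ObjLen < 14, and reject non-digit characters rather than folding them into Year/Month/Day). The file header ("Wrapper Implementation which does not provide real capabilities") and the `@retval FALSE This interface is not supported.` comment also no longer describe the code and should be updated.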