From: "Wenxing Hou"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Yi Li, Jiewen Yao
Subject: [edk2-devel] [PATCH v4 09/11] CryptoPkg: Add ImageTimestampVerify based on Mbedtls
Date: Fri, 17 May 2024 18:26:39 +0800
Message-Id: <20240517102641.4586-10-wenxing.hou@intel.com>
In-Reply-To: <20240517102641.4586-1-wenxing.hou@intel.com>
References: <20240517102641.4586-1-wenxing.hou@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4177

Timestamp Countersignature Verification implementation based on Mbedtls.

Cc: Jiewen Yao
Cc: Yi Li
Signed-off-by: Wenxing Hou
Reviewed-by: Yi Li
Acked-by: Jiewen Yao
---
 .../Library/BaseCryptLibMbedTls/Pk/CryptTs.c | 381 ++++++++++++++++++
 1 file changed, 381 insertions(+)
 create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTs.c

diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTs.c
new file mode 100644
index 0000000000..d3fa205f9c
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTs.c
@@ -0,0 +1,381 @@ +/** @file=0D + RFC3161 Timestamp Countersignature Verification Wrapper Implementation w= hich does=0D + not provide real capabilities.=0D +=0D +Copyright (c) 2024, Intel Corporation. All rights reserved.
=0D +SPDX-License-Identifier: BSD-2-Clause-Patent=0D +=0D +**/=0D +=0D +#include "InternalCryptLib.h"=0D +#include =0D +=0D +//=0D +// OID ASN.1 Value for SPC_RFC3161_OBJID ("1.3.6.1.4.1.311.3.3.1")=0D +//=0D +GLOBAL_REMOVE_IF_UNREFERENCED const UINT8 mSpcRFC3161OidValue[] =3D {=0D + 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x03, 0x03, 0x01=0D +};=0D +=0D +/**=0D + Convert ASN.1 GeneralizedTime to EFI Time.=0D +=0D + @param[in] Ptr Pointer to the ASN.1 GeneralizedTime to be conv= erted.=0D + @param[out] EfiTime Return the corresponding EFI Time.=0D +=0D + @retval TRUE The time conversion succeeds.=0D + @retval FALSE Invalid parameters.=0D +=0D +**/=0D +STATIC=0D +BOOLEAN=0D +ConvertAsn1TimeToEfiTime (=0D + IN UINT8 *Ptr,=0D + OUT EFI_TIME *EfiTime=0D + )=0D +{=0D + CONST CHAR8 *Str;=0D + UINTN Index;=0D +=0D + if ((Ptr =3D=3D NULL) || (EfiTime =3D=3D NULL)) {=0D + return FALSE;=0D + }=0D +=0D + Str =3D (CONST CHAR8 *)Ptr;=0D + SetMem (EfiTime, sizeof (EFI_TIME), 0);=0D +=0D + Index =3D 0;=0D +=0D + /* four digit year */=0D + EfiTime->Year =3D (Str[Index++] - '0') * 1000;=0D + EfiTime->Year +=3D (Str[Index++] - '0') * 100;=0D + EfiTime->Year +=3D (Str[Index++] - '0') * 10;=0D + EfiTime->Year +=3D (Str[Index++] - '0');=0D + if ((EfiTime->Year < 1900) || (EfiTime->Year > 9999)) {=0D + return FALSE;=0D + }=0D +=0D + EfiTime->Month =3D (Str[Index++] - '0') * 10;=0D + EfiTime->Month +=3D (Str[Index++] - '0');=0D + if ((EfiTime->Month < 1) || (EfiTime->Month > 12)) {=0D + return FALSE;=0D + }=0D +=0D + EfiTime->Day =3D (Str[Index++] - '0') * 10;=0D + EfiTime->Day +=3D (Str[Index++] - '0');=0D + if ((EfiTime->Day < 1) || (EfiTime->Day > 31)) {=0D + return FALSE;=0D + }=0D +=0D + EfiTime->Hour =3D (Str[Index++] - '0') * 10;=0D + EfiTime->Hour +=3D (Str[Index++] - '0');=0D + if (EfiTime->Hour > 23) {=0D + return FALSE;=0D + }=0D +=0D + EfiTime->Minute =3D (Str[Index++] - '0') * 10;=0D + EfiTime->Minute +=3D (Str[Index++] - '0');=0D + if (EfiTime->Minute > 59) {=0D + return 
FALSE;=0D + }=0D +=0D + EfiTime->Second =3D (Str[Index++] - '0') * 10;=0D + EfiTime->Second +=3D (Str[Index++] - '0');=0D + if (EfiTime->Second > 59) {=0D + return FALSE;=0D + }=0D +=0D + /* Note: we did not adjust the time based on time zone information */=0D +=0D + return TRUE;=0D +}=0D +=0D +/**=0D + Verifies the validity of a RFC3161 Timestamp CounterSignature embedded i= n PE/COFF Authenticode=0D + signature.=0D +=0D + Return FALSE to indicate this interface is not supported.=0D +=0D + @param[in] AuthData Pointer to the Authenticode Signature retrieved= from signed=0D + PE/COFF image to be verified.=0D + @param[in] DataSize Size of the Authenticode Signature in bytes.=0D + @param[in] TsaCert Pointer to a trusted/root TSA certificate encod= ed in DER, which=0D + is used for TSA certificate chain verification.= =0D + @param[in] CertSize Size of the trusted certificate in bytes.=0D + @param[out] SigningTime Return the time of timestamp generation time if= the timestamp=0D + signature is valid.=0D +=0D + @retval FALSE This interface is not supported.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +ImageTimestampVerify (=0D + IN CONST UINT8 *AuthData,=0D + IN UINTN DataSize,=0D + IN CONST UINT8 *TsaCert,=0D + IN UINTN CertSize,=0D + OUT EFI_TIME *SigningTime=0D + )=0D +{=0D + BOOLEAN Status;=0D + UINT8 *Ptr;=0D + UINT8 *End;=0D + INT32 Len;=0D + UINTN ObjLen;=0D + UINT8 *TempPtr;=0D +=0D + //=0D + // Initializations=0D + //=0D + if (SigningTime !=3D NULL) {=0D + SetMem (SigningTime, sizeof (EFI_TIME), 0);=0D + }=0D +=0D + //=0D + // Input Parameters Checking.=0D + //=0D + if ((AuthData =3D=3D NULL) || (TsaCert =3D=3D NULL)) {=0D + return FALSE;=0D + }=0D +=0D + if ((DataSize > INT_MAX) || (CertSize > INT_MAX)) {=0D + return FALSE;=0D + }=0D +=0D + Ptr =3D (UINT8 *)(UINTN)AuthData;=0D + Len =3D (UINT32)DataSize;=0D + End =3D Ptr + Len;=0D +=0D + // ContentInfo=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D 
+ return FALSE;=0D + }=0D +=0D + // ContentType=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_OID) !=3D 0) = {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D + // content=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_CONTEXT_SPECIFIC) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + End =3D Ptr + ObjLen;=0D + // signedData=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // version=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_INTEGER) !=3D= 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D + // digestAlgo=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SET) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + // encapContentInfo=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + // cert=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_CONTEXT_SPECIFIC) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + TempPtr =3D Ptr;=0D + // OPTIONAL CRLs=0D + if (mbedtls_asn1_get_tag (&TempPtr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCT= ED | MBEDTLS_ASN1_CONTEXT_SPECIFIC) =3D=3D 0) {=0D + Ptr =3D TempPtr + ObjLen;=0D + }=0D +=0D + // signerInfo=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SET) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // sub parse=0D + // signerInfo=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + End =3D Ptr + ObjLen;=0D +=0D + // version=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_INTEGER) !=3D= 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D 
+=0D + // sid=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + // digestalgo=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + // OPTIONAL AuthenticatedAttributes=0D + TempPtr =3D Ptr;=0D + if (mbedtls_asn1_get_tag (&TempPtr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCT= ED | MBEDTLS_ASN1_CONTEXT_SPECIFIC) =3D=3D 0) {=0D + Ptr =3D TempPtr + ObjLen;=0D + }=0D +=0D + // signaturealgo=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + // signature=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_OCTET_STRING)= !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + // OPTIONAL UnauthenticatedAttributes=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, 0xA1) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // Attribute=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // type=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_OID) !=3D 0) = {=0D + return FALSE;=0D + }=0D +=0D + if (CompareMem (Ptr, mSpcRFC3161OidValue, sizeof (mSpcRFC3161OidValue)) = !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + // values=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SET) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // values=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // signedData OID=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_OID) !=3D 0) = {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D 
ObjLen;=0D +=0D + // [0]=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_CONTEXT_SPECIFIC) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // integer=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_INTEGER) !=3D= 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D + // SET=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SET) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // tST OID=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_OID) !=3D 0) = {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D +=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_CONTEXT_SPECIFIC) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_OCTET_STRING)= !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + // Integer=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_INTEGER) !=3D= 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D + // policy OID=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_OID) !=3D 0) = {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D + // sequence=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_CONSTRUCTED |= MBEDTLS_ASN1_SEQUENCE) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D ObjLen;=0D + // Integer=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_INTEGER) !=3D= 0) {=0D + return FALSE;=0D + }=0D +=0D + Ptr +=3D 
ObjLen;=0D +=0D + // GeneralizedTime=0D + if (mbedtls_asn1_get_tag (&Ptr, End, &ObjLen, MBEDTLS_ASN1_GENERALIZED_T= IME) !=3D 0) {=0D + return FALSE;=0D + }=0D +=0D + //=0D + // Retrieve the signing time from TS_TST_INFO structure.=0D + //=0D + if (SigningTime !=3D NULL) {=0D + SetMem (SigningTime, sizeof (EFI_TIME), 0);=0D + Status =3D ConvertAsn1TimeToEfiTime (Ptr, SigningTime);=0D + }=0D +=0D + return Status;=0D +}=0D --=20 2.26.2.windows.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#119036): https://edk2.groups.io/g/devel/message/119036 Mute This Topic: https://groups.io/mt/106151226/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-
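Review bot: `Status` is returned uninitialized from the final `return Status;` whenever the caller passes `SigningTime == NULL`, since the only assignment to it sits inside `if (SigningTime != NULL)`; set `Status = FALSE;` in the "Initializations" block, or return an explicit value once the parse succeeds and no time was requested. In the same tail, `ConvertAsn1TimeToEfiTime (Ptr, SigningTime)` consumes 14 characters of the GeneralizedTime without ever seeing the `ObjLen` returned by the preceding `MBEDTLS_ASN1_GENERALIZED_TIME` tag check, so a truncated value reads past its own end (and potentially past `End`); pass the length through, reject anything shorter than 14 bytes, and check that each consumed byte is a digit rather than relying on the range checks alone. The documentation also needs updating: the file header still says the wrapper "does not provide real capabilities" and the function comment says "Return FALSE to indicate this interface is not supported", which contradicts a body that now parses the structure. Related to that, `TsaCert` and `CertSize` are only NULL/INT_MAX-checked and never used, and nothing in the body verifies the TSA signature or the message imprint, so either the comment should state plainly that this is structural parsing of the SpcRfc3161 token only, or the certificate-chain and signature verification the comment promises should be added before any caller treats `SigningTime` as trustworthy. Minor: the bare `0xA1` for UnauthenticatedAttributes would read better as `MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC | 1`, and `Len = (UINT32)DataSize;` assigns a UINT32 cast into an INT32 variable.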