From: "Nhi Pham via groups.io"
Date: Tue, 30 Jan 2024 16:48:55 +0700
Subject: Re: [edk2-devel] [PATCH 1/1] CryptoPkg: Add new API to get PKCS7 Signature
To: "Hou, Wenxing" , "devel@edk2.groups.io"
Cc: Tam Chi Nguyen , "Yao, Jiewen" , "Li, Yi1"
Message-ID: <32f064a1-f435-4173-92e0-9dfd7e708317@os.amperecomputing.com>
References: <20240130054428.3838412-1-nhi@os.amperecomputing.com>
Thanks Wenxing. I'll do that.

Regards,
Nhi

On 1/30/2024 4:46 PM, Hou, Wenxing wrote:
> Hi Pham,
>
> Thanks for your contribution.
>
> I think there are two works you need to do:
> Firstly, submit an EDKII PR to ensure the patch can pass the CI.
> Secondly, add unit-test to test the new API (such as: get signature then compare).
>
>
> Thanks
> Wenxing
>
>
> -----Original Message-----
> From: Nhi Pham
> Sent: Tuesday, January 30, 2024 1:44 PM
> To: devel@edk2.groups.io
> Cc: Tam Chi Nguyen ; Yao, Jiewen ; Hou, Wenxing ; Li, Yi1 ; Nhi Pham
> Subject: [PATCH 1/1] CryptoPkg: Add new API to get PKCS7 Signature
>
> From: Tam Chi Nguyen
>
> This patch adds a new Pkcs7GetSignature() API to support extracting the signature data from PKCS7 certificate.
>
> Cc: Jiewen Yao
> Cc: Wenxing Hou
> Cc: Yi Li
> Signed-off-by: Nhi Pham > --- > CryptoPkg/Include/Library/BaseCryptLib.h | 29 +++++ > CryptoPkg/Private/Protocol/Crypto.h | 29 +++++ > CryptoPkg/Driver/Crypto.c | 33 ++++++ > CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c | 120 ++++++= ++++++++++++++ > CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 33 ++++++ > CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 32 ++++++ > 6 files changed, 276 insertions(+) >=20 > diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include= /Library/BaseCryptLib.h > index a52bd91ad664..d52a91244482 100644 > --- a/CryptoPkg/Include/Library/BaseCryptLib.h > +++ b/CryptoPkg/Include/Library/BaseCryptLib.h > @@ -5,6 +5,7 @@ > functionality enabling. > =20 > Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved.
> +Copyright (c) 2024, Ampere Computing LLC. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent > =20 > **/ > @@ -2471,6 +2472,34 @@ ImageTimestampVerify ( > OUT EFI_TIME *SigningTime > ); > =20 > +/** > + Get the data signature from PKCS#7 signed data as described in "PKCS #= 7: > + Cryptographic Message Syntax Standard". The input signed data could > +be wrapped > + in a ContentInfo structure. > + > + If P7Data, Signature, SignatureLength is NULL, then return FALSE. > + If P7Length overflow, then return FALSE. > + If this interface is not supported, then return FALSE. > + > + @param[in] P7Data Pointer to the PKCS#7 message to verify. > + @param[in] P7Length Length of the PKCS#7 message in bytes. > + @param[out] Signature Pointer to Signature data > + @param[out] SignatureLength Length of signature in bytes. > + > + @retval TRUE The operation is finished successfully. > + @retval FALSE Error occurs during the operation. > + @retval FALSE This interface is not supported. > + > +**/ > +BOOLEAN > +EFIAPI > +Pkcs7GetSignature ( > + IN CONST UINT8 *P7Data, > + IN UINTN P7Length, > + OUT UINT8 **Signature, > + OUT UINTN *SignatureLength > + ); > + > /** > Retrieve the version from one X.509 certificate. > =20 > diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Prot= ocol/Crypto.h > index 0e0b1d94018d..d228cea0453b 100644 > --- a/CryptoPkg/Private/Protocol/Crypto.h > +++ b/CryptoPkg/Private/Protocol/Crypto.h > @@ -3,6 +3,7 @@ > =20 > Copyright (C) Microsoft Corporation. All rights reserved. > Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved. > + Copyright (c) 2024, Ampere Computing LLC. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent > =20 > **/ > @@ -1036,6 +1037,34 @@ BOOLEAN > OUT EFI_TIME *SigningTime > ); > =20 > +/** > + Get the data signature from PKCS#7 signed data as described in "PKCS #= 7: > + Cryptographic Message Syntax Standard". The input signed data could > +be wrapped > + in a ContentInfo structure. > + > + If P7Data, Signature, SignatureLength is NULL, then return FALSE. > + If P7Length overflow, then return FALSE. > + If this interface is not supported, then return FALSE. > + > + @param[in] P7Data Pointer to the PKCS#7 message to verify. > + @param[in] P7Length Length of the PKCS#7 message in bytes. > + @param[out] Signature Pointer to Signature data > + @param[out] SignatureLength Length of signature in bytes. > + > + @retval TRUE The operation is finished successfully. > + @retval FALSE Error occurs during the operation. > + @retval FALSE This interface is not supported. > + > +**/ > +typedef > +BOOLEAN > +(EFIAPI *EDKII_CRYPTO_PKCS7_GET_SIGNATURE) ( > + IN CONST UINT8 *P7Data, > + IN UINTN P7Length, > + OUT UINT8 **Signature, > + OUT UINTN *SignatureLength > + ); > + > // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > // DH Key Exchange Primitive > // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c index = bdbb4863a97e..83094e73c33a 100644 > --- a/CryptoPkg/Driver/Crypto.c > +++ b/CryptoPkg/Driver/Crypto.c 
> @@ -4,6 +4,7 @@ > =20 > Copyright (C) Microsoft Corporation. All rights reserved. > Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved. > + Copyright (c) 2024, Ampere Computing LLC. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent > =20 > **/ > @@ -3910,6 +3911,37 @@ CryptoServiceImageTimestampVerify ( > return CALL_BASECRYPTLIB (Pkcs.Services.ImageTimestampVerify, ImageTi= mestampVerify, (AuthData, DataSize, TsaCert, CertSize, SigningTime), FALSE)= ; } > =20 > +/** > + Get the data signature from PKCS#7 signed data as described in "PKCS #= 7: > + Cryptographic Message Syntax Standard". The input signed data could > +be wrapped > + in a ContentInfo structure. > + > + If P7Data, Signature, SignatureLength is NULL, then return FALSE. > + If P7Length overflow, then return FALSE. > + If this interface is not supported, then return FALSE. > + > + @param[in] P7Data Pointer to the PKCS#7 message to verify. > + @param[in] P7Length Length of the PKCS#7 message in bytes. > + @param[out] Signature Pointer to Signature data > + @param[out] SignatureLength Length of signature in bytes. > + > + @retval TRUE The operation is finished successfully. > + @retval FALSE Error occurs during the operation. > + @retval FALSE This interface is not supported. > + > +**/ > +BOOLEAN > +EFIAPI > +CryptoServicePkcs7GetSignature ( > + IN CONST UINT8 *P7Data, > + IN UINTN P7Length, > + OUT UINT8 **Signature, > + OUT UINTN *SignatureLength > + ) > +{ > + return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs7GetSignature, > +Pkcs7GetSignature, (P7Data, P7Length, Signature, SignatureLength), > +FALSE); } > + > // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > // DH Key Exchange Primitive > // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D 
> @@ -6748,6 +6780,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto =3D { > CryptoServicePkcs7GetCertificatesList, > CryptoServiceAuthenticodeVerify, > CryptoServiceImageTimestampVerify, > + CryptoServicePkcs7GetSignature, > /// DH > CryptoServiceDhNew, > CryptoServiceDhFree, > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c b= /CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c > index 4e5a14e35210..9e3fccf1bb4e 100644 > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c > @@ -11,6 +11,7 @@ > Variable and will do basic check for data structure. > =20 > Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
> +Copyright (c) 2024, Ampere Computing LLC. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent > =20 > **/ 
> @@ -926,3 +927,122 @@ _Exit: > =20 > return Status; > } > + > +/** > + Get the data signature from PKCS#7 signed data as described in "PKCS #= 7: > + Cryptographic Message Syntax Standard". The input signed data could > +be wrapped > + in a ContentInfo structure. > + > + If P7Data, Signature, SignatureLength is NULL, then return FALSE. > + If P7Length overflow, then return FALSE. > + If this interface is not supported, then return FALSE. > + > + @param[in] P7Data Pointer to the PKCS#7 message to verify. > + @param[in] P7Length Length of the PKCS#7 message in bytes. > + @param[out] Signature Pointer to Signature data > + @param[out] SignatureLength Length of signature in bytes. > + > + @retval TRUE The operation is finished successfully. > + @retval FALSE Error occurs during the operation. > + @retval FALSE This interface is not supported. > + > +**/ > +BOOLEAN > +EFIAPI > +Pkcs7GetSignature ( > + IN CONST UINT8 *P7Data, > + IN UINTN P7Length, > + OUT UINT8 **Signature, > + OUT UINTN *SignatureLength > + ) > +{ > + PKCS7 *Pkcs7; > + BOOLEAN Wrapped; > + BOOLEAN Status; > + UINT8 *SignedData; > + UINT8 *Temp; > + UINTN SignedDataSize; > + STACK_OF (PKCS7_SIGNER_INFO) *SignerInfos; > + PKCS7_SIGNER_INFO *SignInfo; > + ASN1_OCTET_STRING *EncDigest; > + > + if ((P7Data =3D=3D NULL) || (P7Length > INT_MAX) || > + (Signature =3D=3D NULL && SignatureLength =3D=3D NULL)) { > + return FALSE; > + } > + > + Status =3D WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, > + &SignedDataSize); if (!Status) { > + return Status; > + } > + > + Status =3D FALSE; > + Pkcs7 =3D NULL; > + // > + // Retrieve PKCS#7 Data (DER encoding) // if (SignedDataSize > > + INT_MAX) { > + goto _Exit; > + } > + > + Temp =3D SignedData; > + Pkcs7 =3D d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) > + SignedDataSize); if (Pkcs7 =3D=3D NULL) { > + goto _Exit; > + } > + > + // > + // Check if it's PKCS#7 Signed Data (for Authenticode Scenario) // > + if (!PKCS7_type_is_signed (Pkcs7)) { > + 
goto _Exit; > + } > + > + // > + // Check if there is one and only one signer. > + // > + SignerInfos =3D PKCS7_get_signer_info (Pkcs7); if (!SignerInfos || > + (sk_PKCS7_SIGNER_INFO_num (SignerInfos) !=3D 1)) { > + goto _Exit; > + } > + > + // > + // Locate the TimeStamp CounterSignature. > + // > + SignInfo =3D sk_PKCS7_SIGNER_INFO_value (SignerInfos, 0); if (SignInf= o > + =3D=3D NULL) { > + goto _Exit; > + } > + > + // > + // Locate Message Digest which will be the data to be time-stamped. > + // > + EncDigest =3D SignInfo->enc_digest; > + if (EncDigest =3D=3D NULL) { > + goto _Exit; > + } > + > + *SignatureLength =3D EncDigest->length; if (Signature !=3D NULL) { > + if (*Signature =3D=3D NULL) { > + Status =3D FALSE; > + goto _Exit; > + } > + CopyMem ((VOID *)*Signature, EncDigest->data, EncDigest->length); > + Status =3D TRUE; > + } > + > +_Exit: > + // > + // Release Resources > + // > + if (!Wrapped) { > + free (SignedData); > + } > + if (Pkcs7 !=3D NULL) { > + PKCS7_free (Pkcs7); > + } > + > + return Status; > +} > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c b/C= ryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c > index b9b7960126de..a080bbfc4237 100644 > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c > @@ -3,6 +3,7 @@ > real capabilities. > =20 > Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.
> +Copyright (c) 2024, Ampere Computing LLC. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent > =20 > **/ > @@ -161,3 +162,35 @@ Pkcs7GetAttachedContent ( > ASSERT (FALSE); > return FALSE; > } > + > +/** > + Get the data signature from PKCS#7 signed data as described in "PKCS #= 7: > + Cryptographic Message Syntax Standard". The input signed data could > +be wrapped > + in a ContentInfo structure. > + > + If P7Data, Signature, SignatureLength is NULL, then return FALSE. > + If P7Length overflow, then return FALSE. > + If this interface is not supported, then return FALSE. > + > + @param[in] P7Data Pointer to the PKCS#7 message to verify. > + @param[in] P7Length Length of the PKCS#7 message in bytes. > + @param[out] Signature Pointer to Signature data > + @param[out] SignatureLength Length of signature in bytes. > + > + @retval TRUE The operation is finished successfully. > + @retval FALSE Error occurs during the operation. > + @retval FALSE This interface is not supported. > + > +**/ > +BOOLEAN > +EFIAPI > +Pkcs7GetSignature ( > + IN CONST UINT8 *P7Data, > + IN UINTN P7Length, > + OUT UINT8 **Signature, > + OUT UINTN *SignatureLength > + ) > +{ > + ASSERT (FALSE); > + return FALSE; > +} > diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/Cry= ptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c > index 4e31bc278e0f..55d7b17688a0 100644 > --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c > +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c > @@ -4,6 +4,7 @@ > =20 > Copyright (C) Microsoft Corporation. All rights reserved. > Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved. > + Copyright (c) 2024, Ampere Computing LLC. All rights reserved.
> SPDX-License-Identifier: BSD-2-Clause-Patent > =20 > **/ 
> @@ -3146,6 +3147,37 @@ ImageTimestampVerify ( > CALL_CRYPTO_SERVICE (ImageTimestampVerify, (AuthData, DataSize, TsaCe= rt, CertSize, SigningTime), FALSE); } > =20 > +/** > + Get the data signature from PKCS#7 signed data as described in "PKCS #= 7: > + Cryptographic Message Syntax Standard". The input signed data could > +be wrapped > + in a ContentInfo structure. > + > + If P7Data, Signature, SignatureLength is NULL, then return FALSE. > + If P7Length overflow, then return FALSE. > + If this interface is not supported, then return FALSE. > + > + @param[in] P7Data Pointer to the PKCS#7 message to verify. > + @param[in] P7Length Length of the PKCS#7 message in bytes. > + @param[out] Signature Pointer to Signature data > + @param[out] SignatureLength Length of signature in bytes. > + > + @retval TRUE The operation is finished successfully. > + @retval FALSE Error occurs during the operation. > + @retval FALSE This interface is not supported. > + > +**/ > +BOOLEAN > +EFIAPI > +Pkcs7GetSignature ( > + IN CONST UINT8 *P7Data, > + IN UINTN P7Length, > + OUT UINT8 **Signature, > + OUT UINTN *SignatureLength > + ) > +{ > + CALL_CRYPTO_SERVICE (Pkcs7GetSignature, (P7Data, P7Length, Signature, > +SignatureLength), FALSE); } > + > // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > // DH Key Exchange Primitive > // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > -- > 2.25.1 >=20 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
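Review bot: the Pkcs7GetSignature doc block added to CryptoPkg/Include/Library/BaseCryptLib.h leaves the ownership of Signature undefined and describes P7Data as "the PKCS#7 message to verify" although the routine verifies nothing. "If P7Data, Signature, SignatureLength is NULL, then return FALSE" does not say whether Signature must point at a caller-supplied buffer (and if so, how the caller learns the required size before calling) or whether the callee allocates and the caller frees it with FreePool, as Pkcs7GetAttachedContent does. Please spell out one of the two contracts, and add a sentence that the returned bytes are the raw encryptedDigest of the single SignerInfo, copied out without any validation, so callers must still run the existing PKCS#7 verification APIs before trusting anything derived from them.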
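Review bot: the CryptoPkg/Private/Protocol/Crypto.h hunk adds only the EDKII_CRYPTO_PKCS7_GET_SIGNATURE typedef, not a Pkcs7GetSignature member in EDKII_CRYPTO_PROTOCOL. The diffstat for that file is 29 lines, which is exactly the copyright line plus the 28-line comment block and typedef shown here, yet Crypto.c places CryptoServicePkcs7GetSignature into the positional initializer of mEdkiiCrypto. Without the member, that initializer either fails to compile (excess elements) or shifts every later entry (CryptoServiceDhNew, CryptoServiceDhFree, ...) onto the wrong function pointer. Add `EDKII_CRYPTO_PKCS7_GET_SIGNATURE Pkcs7GetSignature;` to the protocol, and because the protocol is consumed across module boundaries, append it at the end of the structure and bump EDKII_CRYPTO_VERSION instead of inserting it between ImageTimestampVerify and the DH services.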
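Review bot: `CALL_BASECRYPTLIB (Pkcs.Services.Pkcs7GetSignature, ...)` in the new CryptoServicePkcs7GetSignature references an enable bit that does not exist yet; the Pkcs.Services family lives in PCD_CRYPTO_SERVICE_FAMILY_ENABLE in CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h, and that header is not in the diffstat. Add the Pkcs7GetSignature field there (and to the PcdCryptoServiceFamilyEnable documentation in CryptoPkg.dec) so the driver builds and platforms can opt the service in.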
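Review bot: the `+ CryptoServicePkcs7GetSignature,` entry in mEdkiiCrypto is inserted between CryptoServiceImageTimestampVerify and CryptoServiceDhNew; since the table is a positional initializer, its slot must match the order of the members in EDKII_CRYPTO_PROTOCOL, and new members are appended at the end of that structure to keep older consumers working. Move this entry to the end of the table to match where the new member should be added.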
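Review bot: in the Pkcs7GetSignature body added to CryptPkcs7VerifyCommon.c the parameter check `(Signature == NULL && SignatureLength == NULL)` uses `&&`, so a call with Signature non-NULL and SignatureLength NULL passes the check and then `*SignatureLength = EncDigest->length;` dereferences NULL; the doc block promises FALSE for either being NULL, so use `||`. Second, when Signature is non-NULL the code requires `*Signature` to already point at a caller buffer and does `CopyMem ((VOID *)*Signature, EncDigest->data, EncDigest->length);` with no input telling it how large that buffer is, so the caller cannot bound the copy; either allocate the output with AllocateCopyPool and return it (caller frees), matching Pkcs7GetAttachedContent, or make SignatureLength IN OUT and fail when the caller's size is smaller than EncDigest->length. Third, the size-query path (Signature == NULL) writes *SignatureLength but returns FALSE, which the doc block documents as an error; return TRUE for a successful query or document the convention. Also guard `EncDigest->length <= 0` before using it as a copy size (it is an int), drop the redundant `Status = FALSE;` before the goto, and reword the comments "Check if it's PKCS#7 Signed Data (for Authenticode Scenario)", "Locate the TimeStamp CounterSignature." and "Locate Message Digest which will be the data to be time-stamped.", which were carried over from ImageTimestampVerify and do not describe this function (it locates the single SignerInfo and its encryptedDigest).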
View/Reply Online (#114769): https://edk2.groups.io/g/devel/message/114769
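As an added example (not code from the patch or from edk2, and written in Python rather than edk2 C so it runs without OpenSSL), the block below walks the same structure that the new Pkcs7GetSignature walks with d2i_PKCS7, PKCS7_type_is_signed, PKCS7_get_signer_info and enc_digest: it accepts either a bare SignedData or one wrapped in a ContentInfo (the patch's "Wrapped" case), insists on exactly one SignerInfo, and returns that signer's encryptedDigest. The sample message, its "Test CA" issuer name, serial number and algorithm OIDs are constructed for the example; nothing is signed by a real key. It is the kind of "get signature then compare" check Wenxing asks for above, and it also shows the caveat that extraction is not verification: the bytes come back whether or not they verify against anything.

```python
"""Locate the encryptedDigest of a single-signer PKCS#7 SignedData (DER).
Added example; pure Python, no OpenSSL. Only locates bytes, verifies nothing."""

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
PKCS7_DATA_OID = bytes.fromhex("2a864886f70d010701")   # 1.2.840.113549.1.7.1
SHA256_OID = bytes.fromhex("608648016503040201")       # 2.16.840.1.101.3.4.2.1
RSA_OID = bytes.fromhex("2a864886f70d010101")          # 1.2.840.113549.1.1.1


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag/length at pos -> (tag, value_start, value_end).
    Rejects multi-byte tags, indefinite lengths and lengths past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tag not supported")
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, pos, end


def _children(buf: bytes, start: int, end: int):
    """Return [(tag, value_start, value_end)] for each TLV inside [start, end)."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        out.append((tag, vs, ve))
        pos = ve
    if pos != end:
        raise ValueError("element overruns its parent")
    return out


def pkcs7_get_signature(p7: bytes) -> bytes:
    """Return the encryptedDigest of the one SignerInfo in a SignedData.
    Accepts a bare SignedData or one wrapped in ContentInfo."""
    tag, vs, ve = _tlv(p7, 0)
    if tag != 0x30 or ve != len(p7):
        raise ValueError("input is not a single SEQUENCE")
    kids = _children(p7, vs, ve)
    if kids and kids[0][0] == 0x06 and p7[kids[0][1]:kids[0][2]] == SIGNED_DATA_OID:
        # ContentInfo { contentType signedData, content [0] EXPLICIT SignedData }
        if len(kids) != 2 or kids[1][0] != 0xA0:
            raise ValueError("malformed ContentInfo")
        inner = _children(p7, kids[1][1], kids[1][2])
        if len(inner) != 1 or inner[0][0] != 0x30:
            raise ValueError("malformed [0] EXPLICIT content")
        kids = _children(p7, inner[0][1], inner[0][2])
    # SignedData { version INTEGER, digestAlgorithms SET, contentInfo SEQUENCE,
    #              certificates [0] OPT, crls [1] OPT, signerInfos SET }
    if len(kids) < 4 or [k[0] for k in kids[:3]] != [0x02, 0x31, 0x30] or kids[-1][0] != 0x31:
        raise ValueError("not a SignedData")
    signers = _children(p7, kids[-1][1], kids[-1][2])
    if len(signers) != 1 or signers[0][0] != 0x30:
        raise ValueError("exactly one SignerInfo is required")
    # SignerInfo { version, issuerAndSerialNumber, digestAlgorithm,
    #              authenticatedAttributes [0] OPT, digestEncryptionAlgorithm,
    #              encryptedDigest OCTET STRING, unauthenticatedAttributes [1] OPT }
    f = _children(p7, signers[0][1], signers[0][2])
    i = 3
    if i < len(f) and f[i][0] == 0xA0:
        i += 1  # skip authenticatedAttributes
    if i + 1 >= len(f) or f[i][0] != 0x30 or f[i + 1][0] != 0x04:
        raise ValueError("no encryptedDigest at the expected position")
    return p7[f[i + 1][1]:f[i + 1][2]]


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_signed_data(sig: bytes, wrapped: bool = True) -> bytes:
    """Constructed sample: detached, single-signer SignedData with a fake issuer
    'Test CA', serial 1, SHA-256 and RSA identifiers, and `sig` as the
    encryptedDigest. Nothing here is signed by a real key."""
    def alg(oid: bytes) -> bytes:
        return _der(0x30, _der(0x06, oid) + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"Test CA"))
    issuer_serial = _der(0x30, _der(0x30, _der(0x31, cn)) + _der(0x02, b"\x01"))
    signer = _der(0x30, _der(0x02, b"\x01") + issuer_serial + alg(SHA256_OID)
                  + alg(RSA_OID) + _der(0x04, sig))
    signed = _der(0x30, _der(0x02, b"\x01") + _der(0x31, alg(SHA256_OID))
                  + _der(0x30, _der(0x06, PKCS7_DATA_OID)) + _der(0x31, signer))
    return _der(0x30, _der(0x06, SIGNED_DATA_OID) + _der(0xA0, signed)) if wrapped else signed


if __name__ == "__main__":
    fake_sig = bytes(range(256))  # constructed: RSA-2048-sized placeholder
    assert pkcs7_get_signature(build_sample_signed_data(fake_sig)) == fake_sig
    print("extracted", len(fake_sig), "signature bytes (unverified)")
```

The parser returns a fresh bytes object instead of copying into a caller buffer, which sidesteps the sizing question raised against the patch; every length is checked against the enclosing element and the buffer before it is used, so a truncated or oversized-length message is rejected rather than read past its end.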