public inbox for devel@edk2.groups.io
* [PATCH 0/6] Add new APIs for BaseCryptLib
@ 2019-03-25  4:01 Zhichao Gao
  2019-03-25  4:01 ` [PATCH 1/6] CryptoPkg/BaseCryptLib.h: Add new API to get organization name Zhichao Gao
                   ` (6 more replies)
  0 siblings, 7 replies; 11+ messages in thread
From: Zhichao Gao @ 2019-03-25  4:01 UTC (permalink / raw)
  To: edk2-devel
  Cc: Ting Ye, Gang Wei, Wang Jian J, Liming Gao, Sean Brogan,
	Michael Turner, Bret Barkelew

Add new API to get organization name
Add new API VerifyEKUsInPkcs7Signature
Add PKCS1v2 (RSAES-OAEP) support

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>

Bret Barkelew (6):
  CryptoPkg/BaseCryptLib.h: Add new API to get organization name
  CryptoPkg/BaseCryptLib: Add new API to get organization name
  CryptoPkg/BaseCryptLib.h: Add new API VerifyEKUsInPkcs7Signature
  CryptoPkg/BaseCryptLib: Add new API VerifyEKUsInPkcs7Signature
  CryptoPkg/BaseCryptLib.h: Add PKCS1v2 (RSAES-OAEP) support.
  CryptoPkg/BaseCryptLib: Add PKCS1v2 (RSAES-OAEP) support.

 CryptoPkg/Include/Library/BaseCryptLib.h           | 121 ++++-
 CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf    |   2 +
 CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf     |   4 +-
 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c | 218 +++++++++
 .../Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c   |  61 +++
 .../Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c  | 539 +++++++++++++++++++++
 .../BaseCryptLib/Pk/CryptPkcs7VerifyEkuRuntime.c   |  75 +++
 CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c      | 102 +++-
 CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c  |  32 ++
 CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf |   2 +
 CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf     |   2 +
 11 files changed, 1144 insertions(+), 14 deletions(-)
 create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c
 create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c
 create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c
 create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuRuntime.c

-- 
2.16.2.windows.1




* [PATCH 1/6] CryptoPkg/BaseCryptLib.h: Add new API to get organization name
  2019-03-25  4:01 [PATCH 0/6] Add new APIs for BaseCryptLib Zhichao Gao
@ 2019-03-25  4:01 ` Zhichao Gao
  2019-03-25  4:01 ` [PATCH 2/6] CryptoPkg/BaseCryptLib: " Zhichao Gao
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 11+ messages in thread
From: Zhichao Gao @ 2019-03-25  4:01 UTC (permalink / raw)
  To: edk2-devel
  Cc: Bret Barkelew, Ting Ye, Gang Wei, Wang Jian J, Liming Gao,
	Sean Brogan, Michael Turner

From: Bret Barkelew <Bret.Barkelew@microsoft.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1401

Add a prototype declaration of the new API X509GetOrganizationName
in the header file.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
---
 CryptoPkg/Include/Library/BaseCryptLib.h | 35 ++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 52ab2316db..011e908ee4 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -2206,6 +2206,41 @@ X509GetCommonName (
   IN OUT  UINTN        *CommonNameSize
   );
 
+/**
+  Retrieve the organization name (ON) string from one X.509 certificate.
+
+  @param[in]      Cert             Pointer to the DER-encoded X509 certificate.
+  @param[in]      CertSize         Size of the X509 certificate in bytes.
+  @param[out]     NameBuffer       Buffer to contain the retrieved certificate organization
+                                   name string. At most NameBufferSize bytes will be
+                                   written and the string will be null terminated. May be
+                                   NULL in order to determine the size buffer needed.
+  @param[in,out]  NameBufferSize   The size in bytes of the Name buffer on input,
+                                   and the size of buffer returned Name on output.
+                                   If NameBuffer is NULL then the amount of space needed
+                                   in buffer (including the final null) is returned.
+
+  @retval RETURN_SUCCESS           The certificate Organization Name retrieved successfully.
+  @retval RETURN_INVALID_PARAMETER If Cert is NULL.
+                                   If NameBufferSize is NULL.
+                                   If NameBuffer is not NULL and *CommonNameSize is 0.
+                                   If Certificate is invalid.
+  @retval RETURN_NOT_FOUND         If no Organization Name entry exists.
+  @retval RETURN_BUFFER_TOO_SMALL  If the NameBuffer is NULL. The required buffer size
+                                   (including the final null) is returned in the
+                                   CommonNameSize parameter.
+  @retval RETURN_UNSUPPORTED       The operation is not supported.
+
+**/
+RETURN_STATUS
+EFIAPI
+X509GetOrganizationName (
+  IN      CONST UINT8   *Cert,
+  IN      UINTN         CertSize,
+  OUT     CHAR8         *NameBuffer,  OPTIONAL
+  IN OUT  UINTN         *NameBufferSize
+  );
+
 /**
   Verify one X509 certificate was issued by the trusted CA.
 
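Review bot: The comment block for X509GetOrganizationName still names the X509GetCommonName parameter: "If NameBuffer is not NULL and *CommonNameSize is 0" and "CommonNameSize parameter" under RETURN_BUFFER_TOO_SMALL should both read NameBufferSize, which is the only size parameter in this prototype. The same block documents RETURN_BUFFER_TOO_SMALL only for a NULL NameBuffer while the @param text says "At most NameBufferSize bytes will be written", so it is unclear what a caller gets when a non-NULL buffer is shorter than the name. Please state whether the result is a truncated string or an error, since a caller that compares the organization name against an expected value needs to tell the two apart.
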
-- 
2.16.2.windows.1




* [PATCH 2/6] CryptoPkg/BaseCryptLib: Add new API to get organization name
  2019-03-25  4:01 [PATCH 0/6] Add new APIs for BaseCryptLib Zhichao Gao
  2019-03-25  4:01 ` [PATCH 1/6] CryptoPkg/BaseCryptLib.h: Add new API to get organization name Zhichao Gao
@ 2019-03-25  4:01 ` Zhichao Gao
  2019-03-25  4:01 ` [PATCH 3/6] CryptoPkg/BaseCryptLib.h: Add new API VerifyEKUsInPkcs7Signature Zhichao Gao
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 11+ messages in thread
From: Zhichao Gao @ 2019-03-25  4:01 UTC (permalink / raw)
  To: edk2-devel
  Cc: Bret Barkelew, Ting Ye, Gang Wei, Wang Jian J, Liming Gao,
	Sean Brogan, Michael Turner

From: Bret Barkelew <Bret.Barkelew@microsoft.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1401

Implement a common function to get the NID name, and use
this function to get the common name and organization name.

Add a null function for the API X509GetOrganizationName to the null
function source file.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
---
 CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c     | 102 +++++++++++++++++++---
 CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c |  32 +++++++
 2 files changed, 122 insertions(+), 12 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 75337ed32b..bcdefabbb7 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -298,10 +298,11 @@ _Exit:
 }
 
 /**
-  Retrieve the common name (CN) string from one X.509 certificate.
+  Retrieve a string from one X.509 certificate base on the Request_NID.
 
   @param[in]      Cert             Pointer to the DER-encoded X509 certificate.
   @param[in]      CertSize         Size of the X509 certificate in bytes.
+  @param[in]      Request_NID      NID of string to obtain
   @param[out]     CommonName       Buffer to contain the retrieved certificate common
                                    name string (UTF8). At most CommonNameSize bytes will be
                                    written and the string will be null terminated. May be
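Review bot: In the rewritten summary line, "base on the Request_NID" should be "based on the Request_NID", and Request_NID is the only parameter in this block written with an underscore while its neighbours are Cert, CertSize and CommonName; RequestNid would match them. The CommonName description below it still says "certificate common name string (UTF8)" although the function now serves any NID, so that text should become generic as well.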
@@ -316,20 +317,21 @@ _Exit:
                                    If CommonNameSize is NULL.
                                    If CommonName is not NULL and *CommonNameSize is 0.
                                    If Certificate is invalid.
-  @retval RETURN_NOT_FOUND         If no CommonName entry exists.
+  @retval RETURN_NOT_FOUND         If no NID Name entry exists.
   @retval RETURN_BUFFER_TOO_SMALL  If the CommonName is NULL. The required buffer size
                                    (including the final null) is returned in the
                                    CommonNameSize parameter.
   @retval RETURN_UNSUPPORTED       The operation is not supported.
 
 **/
+STATIC
 RETURN_STATUS
-EFIAPI
-X509GetCommonName (
-  IN      CONST UINT8  *Cert,
-  IN      UINTN        CertSize,
-  OUT     CHAR8        *CommonName,  OPTIONAL
-  IN OUT  UINTN        *CommonNameSize
+InternalX509GetNIDName (
+  IN      CONST UINT8   *Cert,
+  IN      UINTN         CertSize,
+  IN      INT32         Request_NID,
+  OUT     CHAR8         *CommonName,  OPTIONAL
+  IN OUT  UINTN         *CommonNameSize
   )
 {
   RETURN_STATUS    ReturnStatus;
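Review bot: InternalX509GetNIDName is called for NID_organizationName as well later in this patch, but its signature keeps the CommonName and CommonNameSize parameter names, and the @retval lines above it ("If CommonNameSize is NULL", "If the CommonName is NULL") still describe only the common-name case. Renaming them to NameBuffer and NameBufferSize, as the public X509GetOrganizationName prototype does, would keep the helper and its documentation in step.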
@@ -381,12 +383,12 @@ X509GetCommonName (
   }
 
   //
-  // Retrieve the CommonName information from X.509 Subject
+  // Retrive the string from X.509 Subject base on the Request_NID
   //
-  Index = X509_NAME_get_index_by_NID (X509Name, NID_commonName, -1);
+  Index = X509_NAME_get_index_by_NID (X509Name, Request_NID, -1);
   if (Index < 0) {
     //
-    // No CommonName entry exists in X509_NAME object
+    // No Request_NID name entry exists in X509_NAME object
     //
     *CommonNameSize = 0;
     ReturnStatus    = RETURN_NOT_FOUND;
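Review bot: X509_NAME_get_index_by_NID (X509Name, Request_NID, -1) is a single lookup that starts from the beginning of the subject, so a subject carrying more than one entry for the requested NID yields only the first one. That was already the case for the common name, but now that the helper is generic the function comment should say that only the first matching entry is returned. The new comment also has two typos: "Retrive" should be "Retrieve" and "base on" should be "based on".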
@@ -408,7 +410,7 @@ X509GetCommonName (
   Length = ASN1_STRING_to_UTF8 (&UTF8Name, EntryData);
   if (Length < 0) {
     //
-    // Fail to convert the commonName string
+    // Fail to convert the Name string
     //
     *CommonNameSize = 0;
     ReturnStatus    = RETURN_INVALID_PARAMETER;
@@ -439,6 +441,82 @@ _Exit:
   return ReturnStatus;
 }
 
+/**
+  Retrieve the common name (CN) string from one X.509 certificate.
+
+  @param[in]      Cert             Pointer to the DER-encoded X509 certificate.
+  @param[in]      CertSize         Size of the X509 certificate in bytes.
+  @param[out]     CommonName       Buffer to contain the retrieved certificate common
+                                   name string. At most CommonNameSize bytes will be
+                                   written and the string will be null terminated. May be
+                                   NULL in order to determine the size buffer needed.
+  @param[in,out]  CommonNameSize   The size in bytes of the CommonName buffer on input,
+                                   and the size of buffer returned CommonName on output.
+                                   If CommonName is NULL then the amount of space needed
+                                   in buffer (including the final null) is returned.
+
+  @retval RETURN_SUCCESS           The certificate CommonName retrieved successfully.
+  @retval RETURN_INVALID_PARAMETER If Cert is NULL.
+                                   If CommonNameSize is NULL.
+                                   If CommonName is not NULL and *CommonNameSize is 0.
+                                   If Certificate is invalid.
+  @retval RETURN_NOT_FOUND         If no CommonName entry exists.
+  @retval RETURN_BUFFER_TOO_SMALL  If the CommonName is NULL. The required buffer size
+                                   (including the final null) is returned in the
+                                   CommonNameSize parameter.
+  @retval RETURN_UNSUPPORTED       The operation is not supported.
+
+**/
+RETURN_STATUS
+EFIAPI
+X509GetCommonName (
+  IN      CONST UINT8  *Cert,
+  IN      UINTN        CertSize,
+  OUT     CHAR8        *CommonName,  OPTIONAL
+  IN OUT  UINTN        *CommonNameSize
+  )
+{
+  return InternalX509GetNIDName (Cert, CertSize, NID_commonName, CommonName, CommonNameSize);
+}
+
+/**
+  Retrieve the organization name (ON) string from one X.509 certificate.
+
+  @param[in]      Cert             Pointer to the DER-encoded X509 certificate.
+  @param[in]      CertSize         Size of the X509 certificate in bytes.
+  @param[out]     NameBuffer       Buffer to contain the retrieved certificate organization
+                                   name string. At most NameBufferSize bytes will be
+                                   written and the string will be null terminated. May be
+                                   NULL in order to determine the size buffer needed.
+  @param[in,out]  NameBufferSize   The size in bytes of the Name buffer on input,
+                                   and the size of buffer returned Name on output.
+                                   If NameBuffer is NULL then the amount of space needed
+                                   in buffer (including the final null) is returned.
+
+  @retval RETURN_SUCCESS           The certificate Organization Name retrieved successfully.
+  @retval RETURN_INVALID_PARAMETER If Cert is NULL.
+                                   If NameBufferSize is NULL.
+                                   If NameBuffer is not NULL and *CommonNameSize is 0.
+                                   If Certificate is invalid.
+  @retval RETURN_NOT_FOUND         If no Organization Name entry exists.
+  @retval RETURN_BUFFER_TOO_SMALL  If the NameBuffer is NULL. The required buffer size
+                                   (including the final null) is returned in the
+                                   CommonNameSize parameter.
+  @retval RETURN_UNSUPPORTED       The operation is not supported.
+
+**/
+RETURN_STATUS
+EFIAPI
+X509GetOrganizationName (
+  IN      CONST UINT8   *Cert,
+  IN      UINTN         CertSize,
+  OUT     CHAR8         *NameBuffer,  OPTIONAL
+  IN OUT  UINTN         *NameBufferSize
+  )
+{
+  return InternalX509GetNIDName (Cert, CertSize, NID_organizationName, NameBuffer, NameBufferSize);
+}
+
 /**
   Retrieve the RSA Public Key from one DER-encoded X509 certificate.
 
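Review bot: The header comment added for X509GetOrganizationName refers to "*CommonNameSize" and to "the CommonNameSize parameter", neither of which exists in this function; both should be NameBufferSize. Both new wrapper comments also drop the "(UTF8)" that the helper's CommonName description carries, although the helper fills the buffer from ASN1_STRING_to_UTF8, so callers of X509GetCommonName and X509GetOrganizationName are no longer told which encoding to expect.
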
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c
index 31cae46154..cfbb02791f 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c
@@ -159,6 +159,38 @@ X509GetCommonName (
   return RETURN_UNSUPPORTED;
 }
 
+/**
+  Retrieve the organization name (ON) string from one X.509 certificate.
+
+  Return RETURN_UNSUPPORTED to indicate this interface is not supported.
+
+  @param[in]      Cert             Pointer to the DER-encoded X509 certificate.
+  @param[in]      CertSize         Size of the X509 certificate in bytes.
+  @param[out]     NameBuffer       Buffer to contain the retrieved certificate organization
+                                   name string. At most NameBufferSize bytes will be
+                                   written and the string will be null terminated. May be
+                                   NULL in order to determine the size buffer needed.
+  @param[in,out]  NameBufferSize   The size in bytes of the Name buffer on input,
+                                   and the size of buffer returned Name on output.
+                                   If NameBuffer is NULL then the amount of space needed
+                                   in buffer (including the final null) is returned.
+
+  @retval RETURN_UNSUPPORTED       The operation is not supported.
+
+**/
+RETURN_STATUS
+EFIAPI
+X509GetOrganizationName (
+  IN      CONST UINT8   *Cert,
+  IN      UINTN         CertSize,
+  OUT     CHAR8         *NameBuffer,  OPTIONAL
+  IN OUT  UINTN         *NameBufferSize
+  )
+{
+  ASSERT (FALSE);
+  return RETURN_UNSUPPORTED;
+}
+
 /**
   Retrieve the RSA Public Key from one DER-encoded X509 certificate.
 
-- 
2.16.2.windows.1




* [PATCH 3/6] CryptoPkg/BaseCryptLib.h: Add new API VerifyEKUsInPkcs7Signature
  2019-03-25  4:01 [PATCH 0/6] Add new APIs for BaseCryptLib Zhichao Gao
  2019-03-25  4:01 ` [PATCH 1/6] CryptoPkg/BaseCryptLib.h: Add new API to get organization name Zhichao Gao
  2019-03-25  4:01 ` [PATCH 2/6] CryptoPkg/BaseCryptLib: " Zhichao Gao
@ 2019-03-25  4:01 ` Zhichao Gao
  2019-03-25  4:01 ` [PATCH 4/6] CryptoPkg/BaseCryptLib: " Zhichao Gao
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 11+ messages in thread
From: Zhichao Gao @ 2019-03-25  4:01 UTC (permalink / raw)
  To: edk2-devel
  Cc: Bret Barkelew, Ting Ye, Gang Wei, Wang Jian J, Liming Gao,
	Sean Brogan, Michael Turner

From: Bret Barkelew <Bret.Barkelew@microsoft.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1402

Add a prototype of new API VerifyEKUsInPkcs7Signature.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
---
 CryptoPkg/Include/Library/BaseCryptLib.h | 42 ++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 011e908ee4..37b93a2c63 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -2599,6 +2599,48 @@ Pkcs7Verify (
   IN  UINTN        DataLength
   );
 
+/**
+  This function receives a PKCS7 formatted signature, and then verifies that
+  the specified Enhanced or Extended Key Usages (EKU's) are present in the end-entity
+  leaf signing certificate.
+  Note that this function does not validate the certificate chain.
+
+  Applications for custom EKU's are quite flexible. For example, a policy EKU
+  may be present in an Issuing Certificate Authority (CA), and any sub-ordinate
+  certificate issued might also contain this EKU, thus constraining the
+  sub-ordinate certificate.  Other applications might allow a certificate
+  embedded in a device to specify that other Object Identifiers (OIDs) are
+  present which contains binary data specifying custom capabilities that
+  the device is able to do.
+
+  @param[in]  Pkcs7Signature       The PKCS#7 signed information content block. An array
+                                   containing the content block with both the signature,
+                                   the signer's certificate, and any necessary intermediate
+                                   certificates.
+  @param[in]  Pkcs7SignatureSize   Number of bytes in Pkcs7Signature.
+  @param[in]  RequiredEKUs         Array of null-terminated strings listing OIDs of
+                                   required EKUs that must be present in the signature.
+  @param[in]  RequiredEKUsSize     Number of elements in the RequiredEKUs string array.
+  @param[in]  RequireAllPresent    If this is TRUE, then all of the specified EKU's
+                                   must be present in the leaf signer.  If it is
+                                   FALSE, then we will succeed if we find any
+                                   of the specified EKU's.
+
+  @retval EFI_SUCCESS              The required EKUs were found in the signature.
+  @retval EFI_INVALID_PARAMETER    A parameter was invalid.
+  @retval EFI_NOT_FOUND            One or more EKU's were not found in the signature.
+
+**/
+RETURN_STATUS
+EFIAPI
+VerifyEKUsInPkcs7Signature (
+  IN  CONST UINT8   *Pkcs7Signature,
+  IN  CONST UINT32  SignatureSize,
+  IN  CONST CHAR8   *RequiredEKUs[],
+  IN  CONST UINT32  RequiredEKUsSize,
+  IN  BOOLEAN       RequireAllPresent
+  );
+
 /**
   Extracts the attached content from a PKCS#7 signed data if existed. The input signed
   data could be wrapped in a ContentInfo structure.
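Review bot: The @param block documents "Pkcs7SignatureSize" but the prototype names the parameter SignatureSize, and the function returns RETURN_STATUS while every @retval is an EFI_ value (EFI_SUCCESS, EFI_INVALID_PARAMETER, EFI_NOT_FOUND). The names and the status family should be made consistent, for example RETURN_SUCCESS, RETURN_INVALID_PARAMETER and RETURN_NOT_FOUND. Since the description says "this function does not validate the certificate chain", the comment should also state that a successful return says nothing about whether the signature is trusted, and that the caller is expected to verify the signature separately, for instance with Pkcs7Verify.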
-- 
2.16.2.windows.1




* [PATCH 4/6] CryptoPkg/BaseCryptLib: Add new API VerifyEKUsInPkcs7Signature
  2019-03-25  4:01 [PATCH 0/6] Add new APIs for BaseCryptLib Zhichao Gao
                   ` (2 preceding siblings ...)
  2019-03-25  4:01 ` [PATCH 3/6] CryptoPkg/BaseCryptLib.h: Add new API VerifyEKUsInPkcs7Signature Zhichao Gao
@ 2019-03-25  4:01 ` Zhichao Gao
  2019-03-25  4:01 ` [PATCH 5/6] CryptoPkg/BaseCryptLib.h: Add PKCS1v2 (RSAES-OAEP) support Zhichao Gao
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 11+ messages in thread
From: Zhichao Gao @ 2019-03-25  4:01 UTC (permalink / raw)
  To: edk2-devel
  Cc: Bret Barkelew, Ting Ye, Gang Wei, Wang Jian J, Liming Gao,
	Sean Brogan, Michael Turner

From: Bret Barkelew <Bret.Barkelew@microsoft.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1402

Add the API VerifyEKUsInPkcs7Signature to check if x509 cert
has any or all EKUs.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
---
 CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf    |   1 +
 CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf     |   3 +-
 .../Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c  | 539 +++++++++++++++++++++
 .../BaseCryptLib/Pk/CryptPkcs7VerifyEkuRuntime.c   |  75 +++
 CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf |   1 +
 CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf     |   1 +
 6 files changed, 619 insertions(+), 1 deletion(-)
 create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c
 create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuRuntime.c

diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 5988c103c6..dbddd98c59 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -51,6 +51,7 @@
   Pk/CryptPkcs7Sign.c
   Pk/CryptPkcs7VerifyCommon.c
   Pk/CryptPkcs7VerifyBase.c
+  Pk/CryptPkcs7VerifyEku.c
   Pk/CryptDh.c
   Pk/CryptX509.c
   Pk/CryptAuthenticode.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index e84d7f91e4..5dbb115734 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -13,7 +13,7 @@
 #  PEM handler functions, and pseudorandom number generator functions are not
 #  supported in this instance.
 #
-#  Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
 #  This program and the accompanying materials
 #  are licensed and made available under the terms and conditions of the BSD License
 #  which accompanies this distribution.  The full text of the license may be found at
@@ -58,6 +58,7 @@
   Pk/CryptPkcs7SignNull.c
   Pk/CryptPkcs7VerifyCommon.c
   Pk/CryptPkcs7VerifyBase.c
+  Pk/CryptPkcs7VerifyEku.c
 
   Pk/CryptDhNull.c
   Pk/CryptX509Null.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c
new file mode 100644
index 0000000000..0384b53476
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c
@@ -0,0 +1,539 @@
+/** @file
+  This module verifies that Enhanced Key Usages (EKU's) are present within
+  a PKCS7 signature blob using OpenSSL.
+
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+  THE POSSIBILITY OF SUCH DAMAGE.
+
+  Copyright (C) Microsoft Corporation. All Rights Reserved.
+  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+
+  Redistribution and use in source and binary forms, with or without
+  modification, are permitted provided that the following conditions are met:
+  1. Redistributions of source code must retain the above copyright notice,
+  this list of conditions and the following disclaimer.
+  2. Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+**/
+
+#include <Base.h>
+#include "InternalCryptLib.h"
+#include <openssl/x509v3.h>
+#include <openssl/asn1.h>
+#include <openssl/x509.h>
+#include <openssl/bio.h>
+#include <internal/x509_int.h>
+#include <openssl/pkcs7.h>
+#include <openssl/bn.h>
+#include <openssl/x509_vfy.h>
+#include <openssl/pem.h>
+#include <openssl/evp.h>
+#include <internal/asn1_int.h>
+
+/**
+  This function will return the leaf signer certificate in a chain.  This is
+  required because certificate chains are not guaranteed to have the
+  certificates in the order that they were issued.
+
+  A typical certificate chain looks like this:
+
+
+                 ----------------------------
+                |            Root            |
+                 ----------------------------
+                               ^
+                               |
+                 ----------------------------
+                |          Policy CA         | <-- Typical Trust Anchor.
+                 ----------------------------
+                               ^
+                               |
+                 ----------------------------
+                |         Issuing CA         |
+                 ----------------------------
+                               ^
+                               |
+                 -----------------------------
+                /  End-Entity (leaf) signer  / <-- Bottom certificate.
+                -----------------------------  EKU: "1.3.6.1.4.1.311.76.9.21.1"
+                                                    (Firmware Signing)
+
+
+  @param[in]   CertChain            Certificate chain.
+
+  @param[out]  SignerCert           Last certificate in the chain.  For PKCS7 signatures,
+                                    this will be the end-entity (leaf) signer cert.
+
+  @retval EFI_SUCCESS               The required EKUs were found in the signature.
+  @retval EFI_INVALID_PARAMETER     A parameter was invalid.
+  @retval EFI_NOT_FOUND             The number of signers found was not 1.
+
+**/
+EFI_STATUS
+GetSignerCertificate (
+  IN CONST PKCS7 *CertChain,
+  OUT X509       **SignerCert
+  )
+{
+  EFI_STATUS      Status;
+  STACK_OF(X509)  *Signers;
+  INT32           NumberSigners;
+
+  Status         = EFI_SUCCESS;
+  Signers        = NULL;
+  NumberSigners  = 0;
+
+  if (CertChain == NULL || SignerCert == NULL) {
+    Status = EFI_INVALID_PARAMETER;
+    goto Exit;
+  }
+
+  //
+  // Get the signers from the chain.
+  //
+  Signers = PKCS7_get0_signers ((PKCS7*) CertChain, NULL, PKCS7_BINARY);
+  if (Signers == NULL) {
+    //
+    // Fail to get signers form PKCS7
+    //
+    Status = EFI_INVALID_PARAMETER;
+    goto Exit;
+  }
+
+  //
+  // There should only be one signer in the PKCS7 stack.
+  //
+  NumberSigners = sk_X509_num (Signers);
+  if (NumberSigners != 1) {
+    //
+    // The number of singers should have been 1
+    //
+    Status = EFI_NOT_FOUND;
+    goto Exit;
+  }
+
+  *SignerCert = sk_X509_value (Signers, 0);
+
+Exit:
+  //
+  // Release Resources
+  //
+  if (Signers) {
+    sk_X509_free (Signers);
+  }
+
+  return Status;
+}
+
+
+/**
+  Determines if the specified EKU represented in ASN1 form is present
+  in a given certificate.
+
+  @param[in]  Cert                  The certificate to check.
+
+  @param[in]  Asn1ToFind            The EKU to look for.
+
+  @retval EFI_SUCCESS               We successfully identified the signing type.
+  @retval EFI_INVALID_PARAMETER     A parameter was invalid.
+  @retval EFI_NOT_FOUND             One or more EKU's were not found in the signature.
+
+**/
+EFI_STATUS
+IsEkuInCertificate (
+  IN CONST X509  *Cert,
+  IN ASN1_OBJECT *Asn1ToFind
+  )
+{
+  EFI_STATUS          Status;
+  X509                *ClonedCert;
+  X509_EXTENSION      *Extension;
+  EXTENDED_KEY_USAGE  *Eku;
+  INT32               ExtensionIndex;
+  INTN                NumExtensions;
+  ASN1_OBJECT         *Asn1InCert;
+  INTN                Index;
+
+  Status            = EFI_NOT_FOUND;
+  ClonedCert        = NULL;
+  Extension         = NULL;
+  Eku               = NULL;
+  ExtensionIndex    = -1;
+  NumExtensions     = 0;
+  Asn1InCert        = NULL;
+
+  if (Cert == NULL || Asn1ToFind == NULL) {
+    Status = EFI_INVALID_PARAMETER;
+    goto Exit;
+  }
+
+  //
+  // Clone the certificate.  This is required because the Extension API's
+  // only work once per instance of an X509 object.
+  //
+  ClonedCert = X509_dup ((X509*)Cert);
+  if (ClonedCert == NULL) {
+    //
+    // Fail to duplicate cert.
+    //
+    Status = EFI_INVALID_PARAMETER;
+    goto Exit;
+  }
+
+  //
+  // Look for the extended key usage.
+  //
+  ExtensionIndex = X509_get_ext_by_NID (ClonedCert, NID_ext_key_usage, -1);
+
+  if (ExtensionIndex < 0) {
+    //
+    // Fail to find 'NID_ext_key_usage' in Cert.
+    //
+    goto Exit;
+  }
+
+  Extension = X509_get_ext (ClonedCert, ExtensionIndex);
+  if (Extension == NULL) {
+    //
+    // Fail to get Extension form cert.
+    //
+    goto Exit;
+  }
+
+  Eku = (EXTENDED_KEY_USAGE*)X509V3_EXT_d2i (Extension);
+  if (Eku == NULL) {
+    //
+    // Fail to get Eku from extension.
+    //
+    goto Exit;
+  }
+
+  NumExtensions = sk_ASN1_OBJECT_num (Eku);
+
+  //
+  // Now loop through the extensions, looking for the specified Eku.
+  //
+  for (Index = 0; Index < NumExtensions; Index++) {
+    Asn1InCert = sk_ASN1_OBJECT_value (Eku, (INT32)Index);
+    if (Asn1InCert == NULL) {
+      //
+      // Fail to get ASN object from Eku.
+      //
+      goto Exit;
+    }
+
+    if (Asn1InCert->length == Asn1ToFind->length &&
+        CompareMem (Asn1InCert->data, Asn1ToFind->data, Asn1InCert->length) == 0) {
+      //
+      // Found Eku in certificate.
+      //
+      Status = EFI_SUCCESS;
+      goto Exit;
+    }
+  }
+
+Exit:
+
+  //
+  // Release Resources
+  //
+  if (ClonedCert) {
+    X509_free (ClonedCert);
+  }
+
+  if (Eku) {
+    sk_ASN1_OBJECT_pop_free (Eku, ASN1_OBJECT_free);
+  }
+
+  return Status;
+}
+
+
+/**
+  Determines if the specified EKUs are present in a signing certificate.
+
+  @param[in]  SignerCert            The certificate to check.
+  @param[in]  RequiredEKUs          The EKUs to look for.
+  @param[in]  RequiredEKUsSize      The number of EKUs
+  @param[in]  RequireAllPresent     If TRUE, then all the specified EKUs
+                                    must be present in the certificate.
+
+  @retval EFI_SUCCESS               We successfully identified the signing type.
+  @retval EFI_INVALID_PARAMETER     A parameter was invalid.
+  @retval EFI_NOT_FOUND             One or more EKU's were not found in the signature.
+**/
+EFI_STATUS
+CheckEKUs(
+  IN CONST X509     *SignerCert,
+  IN CONST CHAR8    *RequiredEKUs[],
+  IN CONST UINT32   RequiredEKUsSize,
+  IN BOOLEAN        RequireAllPresent
+  )
+{
+  EFI_STATUS    Status;
+  ASN1_OBJECT   *Asn1ToFind;
+  UINT32        NumEkusFound;
+  UINT32        Index;
+
+  Status       = EFI_SUCCESS;
+  Asn1ToFind   = NULL;
+  NumEkusFound = 0;
+
+  if (SignerCert == NULL || RequiredEKUs == NULL || RequiredEKUsSize == 0) {
+    Status = EFI_INVALID_PARAMETER;
+    goto Exit;
+  }
+
+  for (Index = 0; Index < RequiredEKUsSize; Index++) {
+    //
+    // Finding required EKU in cert.
+    //
+    if (Asn1ToFind) {
+      ASN1_OBJECT_free(Asn1ToFind);
+      Asn1ToFind = NULL;
+    }
+
+    Asn1ToFind = OBJ_txt2obj (RequiredEKUs[Index], 0);
+    if (!Asn1ToFind) {
+      //
+      // Fail to convert required EKU to ASN1.
+      //
+      Status = EFI_INVALID_PARAMETER;
+      goto Exit;
+    }
+
+    Status = IsEkuInCertificate (SignerCert, Asn1ToFind);
+    if (Status == EFI_SUCCESS) {
+      NumEkusFound++;
+      if (!RequireAllPresent) {
+        //
+        // Found at least one, so we are done.
+        //
+        goto Exit;
+      }
+    } else {
+      //
+      // Fail to find Eku in cert
+      break;
+    }
+  }
+
+Exit:
+
+  if (Asn1ToFind) {
+    ASN1_OBJECT_free(Asn1ToFind);
+  }
+
+  if (RequireAllPresent &&
+      NumEkusFound == RequiredEKUsSize) {
+    //
+    // Found all required EKUs in certificate.
+    //
+    Status = EFI_SUCCESS;
+  }
+
+  return Status;
+}
+
+/**
+  This function receives a PKCS#7 formatted signature blob,
+  looks for the EKU SEQUENCE blob, and if found then looks
+  for all the required EKUs. This function was created so that
+  the Surface team can cut down on the number of Certificate
+  Authorities (CA's) by checking EKU's on leaf signers for
+  a specific product. This prevents one product's certificate
+  from signing another product's firmware or unlock blobs.
+
+  Note that this function does not validate the certificate chain.
+  That needs to be done before using this function.
+
+  @param[in]  Pkcs7Signature       The PKCS#7 signed information content block. An array
+                                   containing the content block with both the signature,
+                                   the signer's certificate, and any necessary intermediate
+                                   certificates.
+  @param[in]  Pkcs7SignatureSize   Number of bytes in Pkcs7Signature.
+  @param[in]  RequiredEKUs         Array of null-terminated strings listing OIDs of
+                                   required EKUs that must be present in the signature.
+  @param[in]  RequiredEKUsSize     Number of elements in the RequiredEKUs string array.
+  @param[in]  RequireAllPresent    If this is TRUE, then all of the specified EKU's
+                                   must be present in the leaf signer.  If it is
+                                   FALSE, then we will succeed if we find any
+                                   of the specified EKU's.
+
+  @retval EFI_SUCCESS              The required EKUs were found in the signature.
+  @retval EFI_INVALID_PARAMETER    A parameter was invalid.
+  @retval EFI_NOT_FOUND            One or more EKU's were not found in the signature.
+
+**/
+EFI_STATUS
+EFIAPI
+VerifyEKUsInPkcs7Signature (
+  IN CONST UINT8    *Pkcs7Signature,
+  IN CONST UINT32   SignatureSize,
+  IN CONST CHAR8    *RequiredEKUs[],
+  IN CONST UINT32   RequiredEKUsSize,
+  IN BOOLEAN        RequireAllPresent
+  )
+{
+  EFI_STATUS        Status;
+  PKCS7             *Pkcs7;
+  STACK_OF(X509)    *CertChain;
+  INT32             SignatureType;
+  INT32             NumberCertsInSignature;
+  X509              *SignerCert;
+  UINT8             *SignedData;
+  UINT8             *Temp;
+  UINTN             SignedDataSize;
+  BOOLEAN           IsWrapped;
+  BOOLEAN           Ok;
+
+  Status                    = EFI_SUCCESS;
+  Pkcs7                     = NULL;
+  CertChain                 = NULL;
+  SignatureType             = 0;
+  NumberCertsInSignature    = 0;
+  SignerCert                = NULL;
+  SignedData                = NULL;
+  SignedDataSize            = 0;
+  IsWrapped                 = FALSE;
+  Ok                        = FALSE;
+
+  //
+  //Validate the input parameters.
+  //
+  if (Pkcs7Signature   == NULL ||
+      SignatureSize    == 0    ||
+      RequiredEKUs     == NULL ||
+      RequiredEKUsSize == 0) {
+    Status = EFI_INVALID_PARAMETER;
+    goto Exit;
+  }
+
+  if (RequiredEKUsSize == 1) {
+    RequireAllPresent = TRUE;
+  }
+
+  //
+  // Wrap the PKCS7 data if needed.
+  //
+  Ok = WrapPkcs7Data (Pkcs7Signature,
+                      SignatureSize,
+                      &IsWrapped,
+                      &SignedData,
+                      &SignedDataSize);
+  if (!Ok) {
+    //
+    // Fail to Wrap the PKCS7 data.
+    //
+    Status = EFI_INVALID_PARAMETER;
+    goto Exit;
+  }
+
+  Temp = SignedData;
+
+  //
+  // Create the PKCS7 object.
+  //
+  Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **)&Temp, (INT32)SignedDataSize);
+  if (Pkcs7 == NULL) {
+    //
+    // Fail to read PKCS7 data.
+    //
+    Status = EFI_INVALID_PARAMETER;
+    goto Exit;
+  }
+
+  //
+  // Get the certificate chain.
+  //
+  SignatureType = OBJ_obj2nid (Pkcs7->type);
+  switch (SignatureType) {
+  case NID_pkcs7_signed:
+    if (Pkcs7->d.sign != NULL) {
+      CertChain = Pkcs7->d.sign->cert;
+    }
+    break;
+  case NID_pkcs7_signedAndEnveloped:
+    if (Pkcs7->d.signed_and_enveloped != NULL) {
+      CertChain = Pkcs7->d.signed_and_enveloped->cert;
+    }
+    break;
+  default:
+    break;
+  }
+
+  //
+  // Ensure we have a certificate stack
+  //
+  if (CertChain == NULL) {
+    //
+    // Fail to get the certificate stack from signature.
+    //
+    Status = EFI_INVALID_PARAMETER;
+    goto Exit;
+  }
+
+  //
+  // Find out how many certificates were in the PKCS7 signature.
+  //
+  NumberCertsInSignature = sk_X509_num (CertChain);
+
+  if (NumberCertsInSignature == 0) {
+    //
+    // Fail to find any certificates in signature.
+    //
+    Status = EFI_INVALID_PARAMETER;
+    goto Exit;
+  }
+
+  //
+  // Get the leaf signer.
+  //
+  Status = GetSignerCertificate (Pkcs7, &SignerCert);
+  if (Status != EFI_SUCCESS || SignerCert == NULL) {
+    //
+    // Fail to get the end-entity leaf signer certificate.
+    //
+    Status = EFI_INVALID_PARAMETER;
+    goto Exit;
+  }
+
+  Status = CheckEKUs (SignerCert, RequiredEKUs, RequiredEKUsSize, RequireAllPresent);
+  if (Status != EFI_SUCCESS) {
+    goto Exit;
+  }
+
+Exit:
+
+  //
+  // Release Resources
+  //
+  // If the signature was not wrapped, then the call to WrapData() will allocate
+  // the data and add a header to it
+  //
+  if (!IsWrapped && SignedData) {
+    free (SignedData);
+  }
+
+  if (SignerCert) {
+    X509_free (SignerCert);
+  }
+
+  if (Pkcs7) {
+    PKCS7_free (Pkcs7);
+  }
+
+  return Status;
+}
+
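Review bot: In CheckEKUs, the `else { ... break; }` branch after the `IsEkuInCertificate` call ends the loop on the first required EKU that is missing, even when `RequireAllPresent` is FALSE. A certificate that carries only the second of two acceptable EKUs is therefore rejected, which contradicts the documented "succeed if we find any of the specified EKU's" behaviour. Break only when `RequireAllPresent` is TRUE, otherwise continue with the next entry and report the not-found status after the loop if `NumEkusFound` is still 0. Two smaller points in VerifyEKUsInPkcs7Signature: the header documents `Pkcs7SignatureSize` while the parameter is named `SignatureSize`, and `(INT32)SignedDataSize` is handed to `d2i_PKCS7` with no range check on the UINTN value.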
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuRuntime.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuRuntime.c
new file mode 100644
index 0000000000..4133975162
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuRuntime.c
@@ -0,0 +1,75 @@
+/** @file
+  This module verifies that Enhanced Key Usages (EKU's) are present within
+  a PKCS7 signature blob using OpenSSL.
+
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+  THE POSSIBILITY OF SUCH DAMAGE.
+
+  Copyright (C) Microsoft Corporation. All Rights Reserved.
+  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+
+  Redistribution and use in source and binary forms, with or without
+  modification, are permitted provided that the following conditions are met:
+  1. Redistributions of source code must retain the above copyright notice,
+  this list of conditions and the following disclaimer.
+  2. Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+  This function receives a PKCS#7 formatted signature blob,
+  looks for the EKU SEQUENCE blob, and if found then looks
+  for all the required EKUs.  This function was created so that
+  the Surface team can cut down on the number of Certificate
+  Authorities (CA's) by checking EKU's on leaf signers for
+  a specific product.  This prevents one product's certificate
+  from signing another product's firmware or unlock blobs.
+
+  Return RETURN_UNSUPPORTED to indicate this interface is not supported.
+
+  @param[in]  Pkcs7Signature        The PKCS#7 signed information content block. An array
+                                    containing the content block with both the signature,
+                                    the signer's certificate, and any necessary intermediate
+                                    certificates.
+  @param[in]  Pkcs7SignatureSize    Number of bytes in pPkcs7Signature.
+  @param[in]  RequiredEKUs          Array of null-terminated strings listing OIDs of
+                                    required EKUs that must be present in the signature.
+                                    All specified EKU's must be present in order to
+                                    succeed.
+  @param[in]  RequiredEKUsSize      Number of elements in the rgRequiredEKUs string.
+                                    This parameter has a maximum of MAX_EKU_SEARCH.
+  @param[in]  RequireAllPresent     If this is TRUE, then all of the specified EKU's
+                                    must be present in the leaf signer.  If it is
+                                    FALSE, then we will succeed if we find any
+                                    of the specified EKU's.
+
+  @retval RETURN_UNSUPPORTED        The operation is not supported.
+
+**/
+EFI_STATUS
+EFIAPI
+VerifyEKUsInPkcs7Signature (
+  IN CONST UINT8    *Pkcs7Signature,
+  IN CONST UINT32   SignatureSize,
+  IN CONST CHAR8    *RequiredEKUs[],
+  IN CONST UINT32   RequiredEKUsSize,
+  IN BOOLEAN        RequireAllPresent
+  )
+{
+  ASSERT (FALSE);
+  return RETURN_UNSUPPORTED;
+}
+
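Review bot: The function header of this stub does not match its prototype: it documents `Pkcs7SignatureSize` and mentions `pPkcs7Signature` and `rgRequiredEKUs`, while the parameters are `SignatureSize`, `Pkcs7Signature` and `RequiredEKUs`. The `RequiredEKUs` text also says all specified EKUs must be present, which conflicts with the `RequireAllPresent` description right below it, and the `RequiredEKUsSize` text names a MAX_EKU_SEARCH limit that is not defined in this file. Align the comment with the one in CryptPkcs7VerifyEku.c, and note the effect of `ASSERT (FALSE)` for runtime callers, since a build with asserts enabled stops there rather than returning RETURN_UNSUPPORTED.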
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index 95d4278090..f24cb91f33 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -56,6 +56,7 @@
   Pk/CryptPkcs7SignNull.c
   Pk/CryptPkcs7VerifyCommon.c
   Pk/CryptPkcs7VerifyRuntime.c
+  Pk/CryptPkcs7VerifyEkuRuntime.c
   Pk/CryptDhNull.c
   Pk/CryptX509.c
   Pk/CryptAuthenticodeNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index c3aa9c9eab..81d4bbe463 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -56,6 +56,7 @@
   Pk/CryptPkcs7SignNull.c
   Pk/CryptPkcs7VerifyCommon.c
   Pk/CryptPkcs7VerifyBase.c
+  Pk/CryptPkcs7VerifyEku.c
   Pk/CryptDhNull.c
   Pk/CryptX509.c
   Pk/CryptAuthenticodeNull.c
-- 
2.16.2.windows.1




* [PATCH 5/6] CryptoPkg/BaseCryptLib.h: Add PKCS1v2 (RSAES-OAEP) support.
  2019-03-25  4:01 [PATCH 0/6] Add new APIs for BaseCryptLib Zhichao Gao
                   ` (3 preceding siblings ...)
  2019-03-25  4:01 ` [PATCH 4/6] CryptoPkg/BaseCryptLib: " Zhichao Gao
@ 2019-03-25  4:01 ` Zhichao Gao
  2019-03-25  4:01 ` [PATCH 6/6] CryptoPkg/BaseCryptLib: " Zhichao Gao
  2019-03-25  8:22 ` [PATCH 0/6] Add new APIs for BaseCryptLib Yao, Jiewen
  6 siblings, 0 replies; 11+ messages in thread
From: Zhichao Gao @ 2019-03-25  4:01 UTC (permalink / raw)
  To: edk2-devel
  Cc: Bret Barkelew, Ting Ye, Gang Wei, Wang Jian J, Liming Gao,
	Sean Brogan, Michael Turner

From: Bret Barkelew <Bret.Barkelew@microsoft.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1403

Add prototype of new API Pkcs1v2Encrypt in header file to
support PKCS1v2 (RSAES-OAEP) encrypt.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
---
 CryptoPkg/Include/Library/BaseCryptLib.h | 44 +++++++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)

diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 37b93a2c63..f0f0021469 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -4,7 +4,7 @@
   primitives (Hash Serials, HMAC, RSA, Diffie-Hellman, etc) for UEFI security
   functionality enabling.
 
-Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -2411,6 +2411,48 @@ Pkcs5HashPassword (
   OUT UINT8        *OutKey
   );
 
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to parse X509 certificate.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  PublicKey           A pointer to the DER-encoded X509 certificate that
+                                  will be used to encrypt the data.
+  @param[in]  PublicKeySize       Size of the X509 cert buffer.
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Encrypt (
+  IN   CONST UINT8  *PublicKey,
+  IN   UINTN        PublicKeySize,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed,  OPTIONAL
+  IN   UINTN        PrngSeedSize,  OPTIONAL
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  );
+
 /**
   The 3rd parameter of Pkcs7GetSigners will return all embedded
   X.509 certificate in one given PKCS7 signature. The format is:
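Review bot: The `EncryptedData` description says the function returns a newly allocated buffer but not who releases it or with which call. State that the caller owns the buffer and must free it; the implementation in patch 6/6 allocates it with AllocatePool, so FreePool is the matching call. `InData` is input only and could be `IN CONST UINT8 *` like `PublicKey`. The `PrngSeed` text should also say what the function does when it is NULL, because the randomness of the OAEP padding depends on how the PRNG was seeded.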
-- 
2.16.2.windows.1




* [PATCH 6/6] CryptoPkg/BaseCryptLib: Add PKCS1v2 (RSAES-OAEP) support.
  2019-03-25  4:01 [PATCH 0/6] Add new APIs for BaseCryptLib Zhichao Gao
                   ` (4 preceding siblings ...)
  2019-03-25  4:01 ` [PATCH 5/6] CryptoPkg/BaseCryptLib.h: Add PKCS1v2 (RSAES-OAEP) support Zhichao Gao
@ 2019-03-25  4:01 ` Zhichao Gao
  2019-03-25  8:22 ` [PATCH 0/6] Add new APIs for BaseCryptLib Yao, Jiewen
  6 siblings, 0 replies; 11+ messages in thread
From: Zhichao Gao @ 2019-03-25  4:01 UTC (permalink / raw)
  To: edk2-devel
  Cc: Bret Barkelew, Ting Ye, Gang Wei, Wang Jian J, Liming Gao,
	Sean Brogan, Michael Turner

From: Bret Barkelew <Bret.Barkelew@microsoft.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1403

Add support for PKCS 1v2 RSAES-OAEP PKI encryption in BaseCryptLib.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
---
 CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf    |   1 +
 CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf     |   1 +
 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c | 218 +++++++++++++++++++++
 .../Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c   |  61 ++++++
 CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf |   1 +
 CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf     |   1 +
 6 files changed, 283 insertions(+)
 create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c
 create mode 100644 CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c

diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index dbddd98c59..55a6be83c6 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -47,6 +47,7 @@
   Cipher/CryptArc4.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExt.c
+  Pk/CryptPkcs1Oaep.c
   Pk/CryptPkcs5Pbkdf2.c
   Pk/CryptPkcs7Sign.c
   Pk/CryptPkcs7VerifyCommon.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index 5dbb115734..3427000416 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -54,6 +54,7 @@
 
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
+  Pk/CryptPkcs1OaepNull.c
   Pk/CryptPkcs5Pbkdf2Null.c
   Pk/CryptPkcs7SignNull.c
   Pk/CryptPkcs7VerifyCommon.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c
new file mode 100644
index 0000000000..df5cd75049
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1Oaep.c
@@ -0,0 +1,218 @@
+/** @file
+  This file contains UEFI wrapper functions for RSA PKCS1v2 OAEP encryption routines.
+
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+  THE POSSIBILITY OF SUCH DAMAGE.
+
+  Copyright (C) 2016 Microsoft Corporation. All Rights Reserved.
+  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+
+**/
+
+#include "InternalCryptLib.h"
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+#include <Library/MemoryAllocationLib.h>
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Things that can cause a failure include:
+  - X509 key size does not match any known key size.
+  - Fail to parse X509 certificate.
+  - Fail to allocate an intermediate buffer.
+  - Null pointer provided for a non-optional parameter.
+  - Data size is too large for the provided key size (max size is a function of key size
+    and hash digest size).
+
+  @param[in]  PublicKey           A pointer to the DER-encoded X509 certificate that
+                                  will be used to encrypt the data.
+  @param[in]  PublicKeySize       Size of the X509 cert buffer.
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval     TRUE                Encryption was successful.
+  @retval     FALSE               Encryption failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Encrypt (
+  IN   CONST UINT8  *PublicKey,
+  IN   UINTN        PublicKeySize,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed,  OPTIONAL
+  IN   UINTN        PrngSeedSize,  OPTIONAL
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  BOOLEAN       Result;
+  CONST UINT8   *TempPointer;
+  X509          *CertData;
+  EVP_PKEY      *InternalPublicKey;
+  EVP_PKEY_CTX  *PkeyCtx;
+  UINT8         *OutData;
+  UINTN         OutDataSize;
+
+  //
+  // Check input parameters.
+  //
+  if (PublicKey == NULL || InData == NULL ||
+      EncryptedData == NULL || EncryptedDataSize == NULL) {
+    return FALSE;
+  }
+
+  //
+  // Check public key size.
+  //
+  if (PublicKeySize > 0xFFFFFFFF) {
+    //
+    // Public key size is too large for implementation.
+    //
+    return FALSE;
+  }
+
+  *EncryptedData        = NULL;
+  *EncryptedDataSize    = 0;
+  Result                = FALSE;
+  TempPointer           = NULL;
+  CertData              = NULL;
+  InternalPublicKey     = NULL;
+  PkeyCtx               = NULL;
+  OutData               = NULL;
+  OutDataSize           = 0;
+
+  //
+  // If it provides a seed then use it.
+  // Ohterwise, we'll seed with fixed values and hope that the PRNG has already been
+  // used enough to generate sufficient entropy.
+  //
+  if (PrngSeed != NULL) {
+    RandomSeed (PrngSeed, PrngSeedSize);
+  } else {
+    RandomSeed (NULL, 0);
+  }
+
+  //
+  // Parse the X509 cert and extract the public key.
+  //
+  TempPointer = PublicKey;
+  CertData = d2i_X509 (&CertData, &TempPointer, (UINT32)PublicKeySize);
+  if (CertData == NULL) {
+    //
+    // Fail to parse X509 cert.
+    //
+    goto _Exit;
+  }
+
+  //
+  // Extract the public key from the x509 cert in a format that
+  // OpenSSL can use.
+  //
+  InternalPublicKey = X509_get_pubkey (CertData);
+  if (InternalPublicKey == NULL) {
+    //
+    // Fail to extract public key.
+    //
+    goto _Exit;
+  }
+
+  //
+  // Create a context for the public key operation.
+  //
+  PkeyCtx = EVP_PKEY_CTX_new (InternalPublicKey, NULL);
+  if (PkeyCtx == NULL) {
+    //
+    // Fail to create contex.
+    //
+    goto _Exit;
+  }
+  //
+  // Initialize the context and set the desired padding.
+  //
+  if (EVP_PKEY_encrypt_init (PkeyCtx) <= 0 ||
+      EVP_PKEY_CTX_set_rsa_padding (PkeyCtx, RSA_PKCS1_OAEP_PADDING) <= 0) {
+    //
+    // Fail to initialize the context.
+    //
+    goto _Exit;
+  }
+
+  //
+  // Determine the required buffer length for malloc'ing.
+  //
+  if (EVP_PKEY_encrypt (PkeyCtx, NULL, &OutDataSize, InData, InDataSize) <= 0) {
+    //
+    // Fail to determine output buffer size.
+    //
+    goto _Exit;
+  }
+
+  //
+  // Allocate a buffer for the output data.
+  //
+  OutData = AllocatePool (OutDataSize);
+  if (OutData == NULL) {
+    //
+    // Fail to allocate the output buffer.
+    //
+    goto _Exit;
+  }
+
+  //
+  // Encrypt Data.
+  //
+  if (EVP_PKEY_encrypt (PkeyCtx, OutData, &OutDataSize, InData, InDataSize) <= 0) {
+    //
+    // Fail to encrypt data, need to free the output buffer.
+    //
+    FreePool (OutData);
+    OutData = NULL;
+    OutDataSize = 0;
+    goto _Exit;
+  }
+
+  //
+  // Encrypt done.
+  //
+  *EncryptedData = OutData;
+  *EncryptedDataSize = OutDataSize;
+  Result = TRUE;
+
+_Exit:
+  //
+  // Release Resources
+  //
+  if (CertData != NULL) {
+    X509_free (CertData );
+  }
+  if (InternalPublicKey != NULL) {
+    EVP_PKEY_free (InternalPublicKey);
+  }
+  if (PkeyCtx != NULL) {
+    EVP_PKEY_CTX_free (PkeyCtx);
+  }
+
+  return Result;
+}
+
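Review bot: When `PrngSeed` is NULL the code calls `RandomSeed (NULL, 0)` and, by its own comment, hopes the PRNG already holds enough entropy; the confidentiality of RSAES-OAEP depends on an unpredictable padding seed, so this path should not proceed silently. Check the return value of `RandomSeed` in both branches and go to `_Exit` when seeding fails, and either reject the no-seed case or document it in the header so callers know they are expected to supply entropy. Separately, the `PublicKeySize > 0xFFFFFFFF` check followed by the `(UINT32)PublicKeySize` cast still lets values above INT_MAX reach `d2i_X509`, whose length argument is a signed long (32 bits wide on some of the supported toolchains); compare against INT_MAX instead. The function also never selects the OAEP digest, so the header should name the default that the "hash digest size" limit refers to.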
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c
new file mode 100644
index 0000000000..6e0d2f04a4
--- /dev/null
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs1OaepNull.c
@@ -0,0 +1,61 @@
+/** @file
+  This file contains UEFI wrapper functions for RSA PKCS1v2 OAEP encryption routines.
+
+  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+  THE POSSIBILITY OF SUCH DAMAGE.
+
+  Copyright (C) 2016 Microsoft Corporation. All Rights Reserved.
+  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+  Encrypts a blob using PKCS1v2 (RSAES-OAEP) schema. On success, will return the
+  encrypted message in a newly allocated buffer.
+
+  Return FALSE to indicate this interface is not supported.
+
+  @param[in]  PublicKey           A pointer to the DER-encoded X509 certificate that
+                                  will be used to encrypt the data.
+  @param[in]  PublicKeySize       Size of the X509 cert buffer.
+  @param[in]  InData              Data to be encrypted.
+  @param[in]  InDataSize          Size of the data buffer.
+  @param[in]  PrngSeed            [Optional] If provided, a pointer to a random seed buffer
+                                  to be used when initializing the PRNG. NULL otherwise.
+  @param[in]  PrngSeedSize        [Optional] If provided, size of the random seed buffer.
+                                  0 otherwise.
+  @param[out] EncryptedData       Pointer to an allocated buffer containing the encrypted
+                                  message.
+  @param[out] EncryptedDataSize   Size of the encrypted message buffer.
+
+  @retval FALSE                   This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs1v2Encrypt (
+  IN   CONST UINT8  *PublicKey,
+  IN   UINTN        PublicKeySize,
+  IN   UINT8        *InData,
+  IN   UINTN        InDataSize,
+  IN   CONST UINT8  *PrngSeed,  OPTIONAL
+  IN   UINTN        PrngSeedSize,  OPTIONAL
+  OUT  UINT8        **EncryptedData,
+  OUT  UINTN        *EncryptedDataSize
+  )
+{
+  ASSERT (FALSE);
+  return FALSE;
+}
+
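Review bot: Unlike the full implementation, this stub returns FALSE without writing `*EncryptedData` or `*EncryptedDataSize`, so a caller that frees the output pointer on its failure path operates on whatever the variable held before the call. Either set both outputs to NULL and 0 when the pointers are non-NULL before returning, or state in the header that they are left unmodified. The `@file` line and the opening paragraph of the function comment still describe a working encryption routine; say up front that this is the unsupported variant.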
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index f24cb91f33..54b3c8850f 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -52,6 +52,7 @@
   Cipher/CryptArc4Null.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
+  Pk/CryptPkcs1OaepNull.c
   Pk/CryptPkcs5Pbkdf2Null.c
   Pk/CryptPkcs7SignNull.c
   Pk/CryptPkcs7VerifyCommon.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index 81d4bbe463..b5c55b7ab6 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -52,6 +52,7 @@
   Cipher/CryptArc4Null.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
+  Pk/CryptPkcs1Oaep.c
   Pk/CryptPkcs5Pbkdf2.c
   Pk/CryptPkcs7SignNull.c
   Pk/CryptPkcs7VerifyCommon.c
-- 
2.16.2.windows.1




* Re: [PATCH 0/6] Add new APIs for BaseCryptLib
  2019-03-25  4:01 [PATCH 0/6] Add new APIs for BaseCryptLib Zhichao Gao
                   ` (5 preceding siblings ...)
  2019-03-25  4:01 ` [PATCH 6/6] CryptoPkg/BaseCryptLib: " Zhichao Gao
@ 2019-03-25  8:22 ` Yao, Jiewen
  2019-03-28  4:04   ` Gao, Zhichao
  6 siblings, 1 reply; 11+ messages in thread
From: Yao, Jiewen @ 2019-03-25  8:22 UTC (permalink / raw)
  To: Gao, Zhichao, edk2-devel@lists.01.org
  Cc: Ye, Ting, Michael Turner, Bret Barkelew, Gao, Liming, Gang Wei

Hi
Would you please describe what unit test has been run for the new API?





* Re: [PATCH 0/6] Add new APIs for BaseCryptLib
  2019-03-25  8:22 ` [PATCH 0/6] Add new APIs for BaseCryptLib Yao, Jiewen
@ 2019-03-28  4:04   ` Gao, Zhichao
  2019-04-17  5:57     ` [edk2] " Gao, Zhichao
  0 siblings, 1 reply; 11+ messages in thread
From: Gao, Zhichao @ 2019-03-28  4:04 UTC (permalink / raw)
  To: Yao, Jiewen, edk2-devel@lists.01.org
  Cc: Ye, Ting, Michael Turner, Bret Barkelew, Gao, Liming, Gang Wei

Sorry for the late reply. I have written a very simple test case for these new APIs, and the test result is as expected.
Refer to https://github.com/ZhichaoGao/edk2/commit/31938b606c6a6a1fdb560e3d0dd4e41a78e1d7e9
The section to test VerifyEKUsInPkcs7Signature refers to https://github.com/Microsoft/mu_tiano_plus/tree/release/201808/CryptoPkg/UnitTests/VerifyPkcs7EkuUnitTestApp

Thanks,
Zhichao




* Re: [edk2] [PATCH 0/6] Add new APIs for BaseCryptLib
  2019-03-28  4:04   ` Gao, Zhichao
@ 2019-04-17  5:57     ` Gao, Zhichao
  2019-04-17  6:09       ` Wang, Jian J
  0 siblings, 1 reply; 11+ messages in thread
From: Gao, Zhichao @ 2019-04-17  5:57 UTC (permalink / raw)
  To: Gao, Zhichao, Yao, Jiewen, devel@edk2.groups.io
  Cc: Ye, Ting, Michael Turner, Bret Barkelew, Gao, Liming,
	Wang, Jian J

Resending to groups.io.
The test case is updated in my branch, and all unit tests passed.
By the way, the new interface is not supported in the Runtime phase.

Thanks,
Zhichao



* Re: [edk2] [PATCH 0/6] Add new APIs for BaseCryptLib
  2019-04-17  5:57     ` [edk2] " Gao, Zhichao
@ 2019-04-17  6:09       ` Wang, Jian J
  0 siblings, 0 replies; 11+ messages in thread
From: Wang, Jian J @ 2019-04-17  6:09 UTC (permalink / raw)
  To: Gao, Zhichao, Yao, Jiewen, devel@edk2.groups.io
  Cc: Ye, Ting, Michael Turner, Bret Barkelew, Gao, Liming

Zhichao,

Thanks for the update.  Reviewed-by: Jian J Wang <jian.j.wang@intel.com>

Jian

