From: "Long, Qin"
To: "Chen, Chen A", "edk2-devel@lists.01.org"
CC: "Zhang, Chao B"
Date: Tue, 7 Nov 2017 02:31:05 +0000
Subject: Re: [PATCH 1/2] CryptoPkg/BaseCryptLib: Add C-structure to matching certificate stack
In-Reply-To: <20171107010437.17404-1-chen.a.chen@intel.com>

Reviewed-by: Long Qin

One minor comment: please leave one space before the structure name:
+} EFI_CERT_DATA;
and
+} EFI_CERT_STACK;

Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: Chen, Chen A
Sent: Tuesday, November 7, 2017 9:05 AM
To: edk2-devel@lists.01.org
Cc: Chen, Chen A; Long, Qin; Zhang, Chao B
Subject: [PATCH 1/2] CryptoPkg/BaseCryptLib: Add C-structure to matching certificate stack

The parameter CertStack of Pkcs7GetSigners will return all embedded X.509 certificate in one given PKCS7 signature. The format is:
//
// UINT8 CertNumber;
// UINT32 Cert1Length;
// UINT8 Cert1[];
// UINT32 Cert2Length;
// UINT8 Cert2[];
// ...
// UINT32 CertnLength;
// UINT8 Certn[];
//
Add EFI_CERT_STACK and EFI_CERT_DATA structure, these two C-structure are used for parsing CertStack more clearly.

Cc: Long Qin
Cc: Zhang Chao
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: chenc2 --- CryptoPkg/Include/Library/BaseCryptLib.h | 33 ++++++++++++++++++= ++++ .../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 3 ++ .../Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 3 ++ 3 files changed, 39 insertions(+) diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/L= ibrary/BaseCryptLib.h index e2b6a95666..3fd9a3c911 100644 --- a/CryptoPkg/Include/Library/BaseCryptLib.h +++ b/CryptoPkg/Include/Library/BaseCryptLib.h @@ -2377,6 +2377,36 @@ Pkcs5HashPassword ( ); =20 /** + The 3rd parameter of Pkcs7GetSigners will return all embedded + X.509 certificate in one given PKCS7 signature. The format is: + // + // UINT8 CertNumber; + // UINT32 Cert1Length; + // UINT8 Cert1[]; + // UINT32 Cert2Length; + // UINT8 Cert2[]; + // ... + // UINT32 CertnLength; + // UINT8 Certn[]; + // + + The two following C-structure are used for parsing CertStack more clearl= y. +**/ +#pragma pack(1) + +typedef struct { + UINT32 CertDataLength; // The length in bytes of X.509 certific= ate. + UINT8 CertDataBuffer[0]; // The X.509 certificate content (DER). +}EFI_CERT_DATA; + +typedef struct { + UINT8 CertNumber; // Number of X.509 certificate. + //EFI_CERT_DATA CertArray[]; // An array of X.509 certificate. +}EFI_CERT_STACK; + +#pragma pack() + +/** Get the signer's certificates from PKCS#7 signed data as described in "P= KCS #7: Cryptographic Message Syntax Standard". The input signed data could be w= rapped in a ContentInfo structure. @@ -2390,6 +2420,7 @@ Pkcs5HashPassword ( @param[out] CertStack Pointer to Signer's certificates retrieved from= P7Data. It's caller's responsibility to free the buffer= with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. @param[out] StackLength Length of signer's certificates in bytes. @param[out] TrustedCert Pointer to a trusted certificate from Signer's = certificates. It's caller's responsibility to free the buffer= with 
@@ -2437,9 +2468,11 @@ Pkcs7FreeSigners ( @param[out] SignerChainCerts Pointer to the certificates list chained t= o signer's certificate. It's caller's responsibility = to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type= . @param[out] ChainLength Length of the chained certificates list bu= ffer in bytes. @param[out] UnchainCerts Pointer to the unchained certificates list= s. It's caller's responsibility to free the buffer with Pkc= s7FreeSigners(). + This data structure is EFI_CERT_STACK type= . @param[out] UnchainLength Length of the unchained certificates list = buffer in bytes. =20 @retval TRUE The operation is finished successfully. diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoP= kg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c index 296df028b1..fe8e5950f9 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c @@ -242,6 +242,7 @@ _Exit: @param[out] CertStack Pointer to Signer's certificates retrieved from= P7Data. It's caller's responsibility to free the buffer= with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. @param[out] StackLength Length of signer's certificates in bytes. @param[out] TrustedCert Pointer to a trusted certificate from Signer's = certificates. It's caller's responsibility to free the buffer= with 
@@ -442,9 +443,11 @@ Pkcs7FreeSigners ( @param[out] SignerChainCerts Pointer to the certificates list chained t= o signer's certificate. It's caller's responsibility = to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type= . @param[out] ChainLength Length of the chained certificates list bu= ffer in bytes. @param[out] UnchainCerts Pointer to the unchained certificates list= s. It's caller's responsibility to free the buffer with Pkc= s7FreeSigners(). + This data structure is EFI_CERT_STACK type= . @param[out] UnchainLength Length of the unchained certificates list = buffer in bytes. =20 @retval TRUE The operation is finished successfully. diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c b/Cry= ptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c index d3e8ec89a7..5490b1f3d6 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c @@ -27,6 +27,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER= EXPRESS OR IMPLIED. @param[out] CertStack Pointer to Signer's certificates retrieved from= P7Data. It's caller's responsibility to free the buffer= with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. @param[out] StackLength Length of signer's certificates in bytes. @param[out] TrustedCert Pointer to a trusted certificate from Signer's = certificates. It's caller's responsibility to free the buffer= with 
@@ -79,9 +80,11 @@ Pkcs7FreeSigners ( @param[out] SignerChainCerts Pointer to the certificates list chained t= o signer's certificate. It's caller's responsibility = to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type= . @param[out] ChainLength Length of the chained certificates list bu= ffer in bytes. @param[out] UnchainCerts Pointer to the unchained certificates list= s. It's caller's responsibility to free the buffer with Pkc= s7FreeSigners(). + This data structure is EFI_CERT_STACK type= . @param[out] UnchainLength Length of the unchained certificates list = buffer in bytes. =20 @retval TRUE The operation is finished successfully. -- 2.13.2.windows.1
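Review bot: In the BaseCryptLib.h hunk at @@ -2377,6 +2377,36 @@, the new comment documents the layout but gives consumers no rule for walking it safely. Under `#pragma pack(1)` every `CertDataLength` sits after the one-byte `CertNumber` and is therefore not naturally aligned, and each length is taken from the buffer itself. Suggest adding a sentence that the length is to be read with an unaligned accessor and checked against the bytes remaining in the buffer before `CertDataBuffer` is touched. Two smaller points in the same hunk: `UINT8 CertDataBuffer[0];` is a zero-length array, a compiler extension rather than standard C, so it is worth confirming that every supported toolchain accepts it without warnings; and with `CertArray` commented out, `sizeof (EFI_CERT_STACK)` is 1 and the entries are variable length, so "An array of X.509 certificate" would be clearer if it said the entries are packed back to back and cannot be indexed. The header text also says "The 3rd parameter of Pkcs7GetSigners" where the commit message names it CertStack; the name is less fragile than the position.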
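Review bot: In the BaseCryptLib.h hunk at @@ -2390,6 +2420,7 @@, the added line "This data structure is EFI_CERT_STACK type." does not say how StackLength relates to that structure. Suggest stating on the StackLength line whether the value covers the whole buffer, including the CertNumber byte and every CertDataLength field, so a caller knows what to bound the walk against.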
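Review bot: In the BaseCryptLib.h hunk at @@ -2437,9 +2468,11 @@, the two added lines for SignerChainCerts and UnchainCerts leave the empty case undocumented. Suggest saying whether a list with no certificates is returned as a buffer whose CertNumber is 0 or as a NULL pointer with zero length, because a caller that casts the pointer to EFI_CERT_STACK needs to know whether the first byte can be read.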
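Review bot: In CryptPkcs7Verify.c (hunks at @@ -242,6 +242,7 @@ and @@ -442,9 +443,11 @@), only comment lines are added, so within this patch nothing in the implementation refers to EFI_CERT_STACK or EFI_CERT_DATA and the compiler cannot catch the structures drifting from the bytes that are actually written. Suggest either mentioning in the commit message that the users of the structures arrive in a later patch of the series, or pointing the comment at the header definition so there is one place that describes the layout.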
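The CertStack layout described in the commit message, walked with explicit bounds checks; this is an added example, not part of the patch or of edk2. `cert_stack_walk`, `cert_visitor`, `read_le32`, `sum_lengths` and the sample buffer are hypothetical names, and little-endian length fields and the rejection of trailing bytes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Called once per certificate; return nonzero to stop (hypothetical callback type). */
typedef int (*cert_visitor)(const uint8_t *der, uint32_t len, void *ctx);

/* The length fields follow a 1-byte count under #pragma pack(1), so they are
   unaligned: assemble them byte by byte (little-endian assumed). */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk a CertStack buffer. Returns the certificate count, or -1 when the
   buffer is malformed (truncated, length overruns, trailing bytes) or the
   visitor stops the walk. */
int cert_stack_walk(const uint8_t *stack, size_t stack_len,
                    cert_visitor visit, void *ctx) {
    if (stack == NULL || stack_len < 1) return -1;
    uint8_t count = stack[0];                     /* CertNumber */
    size_t off = 1;
    for (uint8_t i = 0; i < count; i++) {
        if (stack_len - off < 4) return -1;       /* no room for CertNLength */
        uint32_t len = read_le32(stack + off);
        off += 4;
        if (len > stack_len - off) return -1;     /* CertN[] would overrun */
        if (visit != NULL && visit(stack + off, len, ctx) != 0) return -1;
        off += len;
    }
    return off == stack_len ? (int)count : -1;    /* strict: no trailing bytes */
}

/* Example visitor: adds each certificate's length to *(size_t *)ctx. */
static int sum_lengths(const uint8_t *der, uint32_t len, void *ctx) {
    (void)der;
    *(size_t *)ctx += len;
    return 0;
}

/* Constructed sample: two entries of 3 and 2 placeholder bytes (not real DER). */
static const uint8_t sample_stack[] = {
    2, 3, 0, 0, 0, 0x30, 0x01, 0x00, 2, 0, 0, 0, 0x30, 0x00
};

int main(void) {
    size_t total = 0;
    int n = cert_stack_walk(sample_stack, sizeof sample_stack, sum_lengths, &total);
    printf("%d certificates, %zu bytes\n", n, total);
    return n == 2 ? 0 : 1;
}
```

The subtraction form of each check (`stack_len - off < 4`, `len > stack_len - off`) keeps the comparison from wrapping when a length field holds a very large value.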