* [PATCH 2/2] SecurityPkg/AuthVariableLib: Use EFI_CERT_DATA to parse certificate
@ 2017-11-07 1:04 chenc2
2017-11-07 2:31 ` Long, Qin
0 siblings, 1 reply; 2+ messages in thread
From: chenc2 @ 2017-11-07 1:04 UTC (permalink / raw)
To: edk2-devel; +Cc: chenc2, Long Qin, Zhang Chao
The function Pkcs7GetSigners return certificate stack as binary buffer.
Use EFI_CERT_DATA to parsing certificate stack more clearly, and access
certificate by the field of EFI_CERT_DATA structure.
Cc: Long Qin <qin.long@intel.com>
Cc: Zhang Chao <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: chenc2 <chen.a.chen@intel.com>
---
SecurityPkg/Library/AuthVariableLib/AuthService.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 6cbeb98535..213a524f27 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -1828,6 +1828,7 @@ VerifyTimeBasedPayload (
UINT8 *CertsInCertDb;
UINT32 CertsSizeinDb;
UINT8 Sha256Digest[SHA256_DIGEST_SIZE];
+ EFI_CERT_DATA *CertDataPtr;
//
// 1. TopLevelCert is the top-level issuer certificate in signature Signer Cert Chain
@@ -1841,6 +1842,7 @@ VerifyTimeBasedPayload (
SignerCerts = NULL;
TopLevelCert = NULL;
CertsInCertDb = NULL;
+ CertDataPtr = NULL;
//
// When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is
@@ -2098,9 +2100,10 @@ VerifyTimeBasedPayload (
//
// Check hash of signer cert CommonName + Top-level issuer tbsCertificate against data in CertDb
//
+ CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
Status = CalculatePrivAuthVarSignChainSHA256Digest(
- SignerCerts + sizeof(UINT8) + sizeof(UINT32),
- ReadUnaligned32 ((UINT32 *)(SignerCerts + sizeof(UINT8))),
+ CertDataPtr->CertDataBuffer,
+ ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
TopLevelCert,
TopLevelCertSize,
Sha256Digest
@@ -2135,12 +2138,13 @@ VerifyTimeBasedPayload (
//
// When adding a new common authenticated variable, always save Hash of cn of signer cert + tbsCertificate of Top-level issuer
//
+ CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
Status = InsertCertsToDb (
VariableName,
VendorGuid,
Attributes,
- SignerCerts + sizeof(UINT8) + sizeof(UINT32),
- ReadUnaligned32 ((UINT32 *)(SignerCerts + sizeof(UINT8))),
+ CertDataPtr->CertDataBuffer,
+ ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
TopLevelCert,
TopLevelCertSize
);
--
2.13.2.windows.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH 2/2] SecurityPkg/AuthVariableLib: Use EFI_CERT_DATA to parse certificate
2017-11-07 1:04 [PATCH 2/2] SecurityPkg/AuthVariableLib: Use EFI_CERT_DATA to parse certificate chenc2
@ 2017-11-07 2:31 ` Long, Qin
0 siblings, 0 replies; 2+ messages in thread
From: Long, Qin @ 2017-11-07 2:31 UTC (permalink / raw)
To: Chen, Chen A, edk2-devel@lists.01.org; +Cc: Zhang, Chao B
Reviewed-by: Long Qin <qin.long@intel.com>
Best Regards & Thanks,
LONG, Qin
-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of chenc2
Sent: Tuesday, November 7, 2017 9:05 AM
To: edk2-devel@lists.01.org
Cc: Zhang, Chao B <chao.b.zhang@intel.com>; Long, Qin <qin.long@intel.com>
Subject: [edk2] [PATCH 2/2] SecurityPkg/AuthVariableLib: Use EFI_CERT_DATA to parse certificate
The function Pkcs7GetSigners return certificate stack as binary buffer.
Use EFI_CERT_DATA to parsing certificate stack more clearly, and access certificate by the field of EFI_CERT_DATA structure.
Cc: Long Qin <qin.long@intel.com>
Cc: Zhang Chao <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: chenc2 <chen.a.chen@intel.com>
---
SecurityPkg/Library/AuthVariableLib/AuthService.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 6cbeb98535..213a524f27 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -1828,6 +1828,7 @@ VerifyTimeBasedPayload (
UINT8 *CertsInCertDb;
UINT32 CertsSizeinDb;
UINT8 Sha256Digest[SHA256_DIGEST_SIZE];
+ EFI_CERT_DATA *CertDataPtr;
//
// 1. TopLevelCert is the top-level issuer certificate in signature Signer Cert Chain @@ -1841,6 +1842,7 @@ VerifyTimeBasedPayload (
SignerCerts = NULL;
TopLevelCert = NULL;
CertsInCertDb = NULL;
+ CertDataPtr = NULL;
//
// When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is @@ -2098,9 +2100,10 @@ VerifyTimeBasedPayload (
//
// Check hash of signer cert CommonName + Top-level issuer tbsCertificate against data in CertDb
//
+ CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
Status = CalculatePrivAuthVarSignChainSHA256Digest(
- SignerCerts + sizeof(UINT8) + sizeof(UINT32),
- ReadUnaligned32 ((UINT32 *)(SignerCerts + sizeof(UINT8))),
+ CertDataPtr->CertDataBuffer,
+ ReadUnaligned32 ((UINT32
+ *)&(CertDataPtr->CertDataLength)),
TopLevelCert,
TopLevelCertSize,
Sha256Digest
@@ -2135,12 +2138,13 @@ VerifyTimeBasedPayload (
//
// When adding a new common authenticated variable, always save Hash of cn of signer cert + tbsCertificate of Top-level issuer
//
+ CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
Status = InsertCertsToDb (
VariableName,
VendorGuid,
Attributes,
- SignerCerts + sizeof(UINT8) + sizeof(UINT32),
- ReadUnaligned32 ((UINT32 *)(SignerCerts + sizeof(UINT8))),
+ CertDataPtr->CertDataBuffer,
+ ReadUnaligned32 ((UINT32
+ *)&(CertDataPtr->CertDataLength)),
TopLevelCert,
TopLevelCertSize
);
--
2.13.2.windows.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-11-07 2:27 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-11-07 1:04 [PATCH 2/2] SecurityPkg/AuthVariableLib: Use EFI_CERT_DATA to parse certificate chenc2
2017-11-07 2:31 ` Long, Qin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox