From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga18.intel.com (mga18.intel.com [134.134.136.126])
 by mx.groups.io with SMTP id smtpd.web12.4885.1618885786155289591
 for <devel@edk2.groups.io>;
 Mon, 19 Apr 2021 19:29:46 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=LMmGwl4L;
 spf=pass (domain: intel.com, ip: 134.134.136.126, mailfrom: jiewen.yao@intel.com)
IronPort-SDR: 2pq8I2Vxqa0pO5OvdZYp1Lf/Hsw7sLfzttiTeH3KaQjzWaMrqiLFcAIYWjn/iJ+jnENw66mY5g
 ompNOjrpuvJA==
X-IronPort-AV: E=McAfee;i="6200,9189,9959"; a="182924623"
X-IronPort-AV: E=Sophos;i="5.82,235,1613462400"; 
   d="scan'208";a="182924623"
Received: from orsmga007.jf.intel.com ([10.7.209.58])
  by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 19 Apr 2021 19:29:44 -0700
IronPort-SDR: fD3ESP9oxnahWuNo7kXHuJUCYWQTrO2hhb0jlRkhdxBbko105D5KUn1UHdpW7u0jA+1CSRR0QJ
 PEMgGiFvLsag==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.82,235,1613462400"; 
   d="scan'208";a="422881643"
Received: from fmsmsx603.amr.corp.intel.com ([10.18.126.83])
  by orsmga007.jf.intel.com with ESMTP; 19 Apr 2021 19:29:44 -0700
Received: from fmsmsx612.amr.corp.intel.com (10.18.126.92) by
 fmsmsx603.amr.corp.intel.com (10.18.126.83) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2106.2; Mon, 19 Apr 2021 19:29:44 -0700
Received: from fmsedg601.ED.cps.intel.com (10.1.192.135) by
 fmsmsx612.amr.corp.intel.com (10.18.126.92) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2
 via Frontend Transport; Mon, 19 Apr 2021 19:29:43 -0700
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (104.47.45.56) by
 edgegateway.intel.com (192.55.55.70) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.1.2106.2; Mon, 19 Apr 2021 19:29:43 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=gBHcolhyNGhdPtYqzQFyyz+EFtuwn0UWpr6XWv5/xqLqjsNmfTJ4KbMltm/Iq/3Ji+vcYNQq29D5oZbXQ0kN5d5fagPs5Uuik5zX94OFa7v04aCXdJs9qyAn1zHIg1D+x79lNCYdhwEkil6VUtTM18pik6cF0HF6KgQFAadVeDj3nIL0IQjDTT6n5E7tMhlAKaG4wtvA/uFg3rtMRR9DiJl+s1JHKaW6n5oxA/T++irmyGCog4t6LMloEYxQSrJabuL7r5Km5O1w5geLTnfnvOwTi3bliuvhd343nE9b/btGXYkc7NqXxtPHCrtzd+0HRDDMpuReiB9+r7F7TUFdrQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=E9bnvOLMonR94213wzPZ7wOuiPkjTqFIIlyTyODjxAw=;
 b=iEAARQK9r28gFPZdlLZbAbJ2EIFsUSHNjrcEw1x89sXpuqha64QCnFnI8noD5n9QBptuzYPupN2axe1nq0r6LY+vOjZrRX5h15bZ40cu66vLgCPsFgSgT80FxD7JH6KtcXIwy1/lXIPXsHfwt6E17OKKRBmd52qo1lSjkXsD5HqIy16wl0izxT51gqas+LkcYMAH2lHOHsWE1BXoxuVwsAtN6RRKs1kMnsY6tEjeiPqzO6UyTofhissjVl9/NAvuTFj3Ywo/0Nlaw++NVXy1n0Hru5+mIP1W1JoGqYeXeno9evJs6cqMB4/YypO0qBTOctGt8h2ZiS2BwR22/o1bFg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com;
 dkim=pass header.d=intel.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com;
 s=selector2-intel-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=E9bnvOLMonR94213wzPZ7wOuiPkjTqFIIlyTyODjxAw=;
 b=LMmGwl4Lh5vawROS9qBKgZkbgQ/Xv1tMeCMgtYj8q1D/3Ulv0YdohuL/F8t6TYgklhB1IUzEn9gmntCMSWpOHPVsP6M8aOUfITHG2b4zcnIeiblHeGpBCUSuIDnk58bwQWHQaU//Mz/9jcBaVDlHTKY2GerJSVVJ3TPbMxrpU+w=
Received: from BY5PR11MB4166.namprd11.prod.outlook.com (2603:10b6:a03:191::25)
 by BY5PR11MB3991.namprd11.prod.outlook.com (2603:10b6:a03:186::26) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4042.19; Tue, 20 Apr
 2021 02:29:42 +0000
Received: from BY5PR11MB4166.namprd11.prod.outlook.com
 ([fe80::c9d9:1b92:3014:6f17]) by BY5PR11MB4166.namprd11.prod.outlook.com
 ([fe80::c9d9:1b92:3014:6f17%3]) with mapi id 15.20.4042.024; Tue, 20 Apr 2021
 02:29:42 +0000
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Agrawal, Sachin" <sachin.agrawal@intel.com>, "devel@edk2.groups.io"
	<devel@edk2.groups.io>
CC: "Wang, Jian J" <jian.j.wang@intel.com>, "Lu, XiaoyuX"
	<xiaoyux.lu@intel.com>, "Jiang, Guomin" <guomin.jiang@intel.com>
Subject: Re: [PATCH v1 1/1] CryptoPkg: BaseCryptLib: Add RSA PSS verify support
Thread-Topic: [PATCH v1 1/1] CryptoPkg: BaseCryptLib: Add RSA PSS verify
 support
Thread-Index: AQHXNYklz3Rjg2QaiUSFN9fpAiRHjqq8rqtA
Date: Tue, 20 Apr 2021 02:29:42 +0000
Message-ID: <BY5PR11MB41668D908E90E662DC28EE758C489@BY5PR11MB4166.namprd11.prod.outlook.com>
References: <20210420020150.29212-1-sachin.agrawal@intel.com>
 <20210420020150.29212-2-sachin.agrawal@intel.com>
In-Reply-To: <20210420020150.29212-2-sachin.agrawal@intel.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
dlp-version: 11.5.1.3
dlp-product: dlpe-windows
dlp-reaction: no-action
authentication-results: intel.com; dkim=none (message not signed)
 header.d=none;intel.com; dmarc=none action=none header.from=intel.com;
x-originating-ip: [192.198.147.199]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5e5cefc7-a623-4929-71ef-08d903a427d4
x-ms-traffictypediagnostic: BY5PR11MB3991:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <BY5PR11MB399104C30CDE743BD4CB65E18C489@BY5PR11MB3991.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:3383;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: uoic3mWN0jIbq8uFM2uvZtceJnEptqmij6CBctvJB8OFrdusaQ28xlb46j7Nnowur4i0FhCi2vJRVsMmat+hyc6IynDmp850VJPjpUv7MOZ2sTmXt9kfTiHvbMSK80wHJkxzB0gv2QVaffWxvLuIIhAP5404NNNCxwfp3lX+NgEG6iAgt16557vfMB94f/o7prmxmx5MT4+9I3RoDZw5f96FG0wG2FPabh0zRsrRa9tC4nLABHV1YTNNBO9UYAFqJRN3+QztR7Q35LggI2lnADtpyAXd7eDJKZ8IPtKqWUodlfewOBCEDQ9CU/070gDU4J3xpkof0R2jtucV1KosELf+V1L+nFQcdDCHQRNYMJ4f/MX/Go1gX0Ln1ttw0V69xy2a1QWOSdkrKjEbpURb2arsdXHCW5lrj+RG+14UzSkYMKbE99JJThX21JlmEcMGO9HgMYFRcjq01co0YFA+a1fsXbAPAZTTjcq2t/7scqZ6ksAfEwWINif62NKqoohCYxq6+rb7QUqlaxOfJJv+Fds7/FQajzR7C+NimhvLiKvNYZCi6Wj6r0mq68BIfCbPNaTZ1WU12M+WXsv7oSPPG4mABn2xqJahlzR73PlXqOfeNUo8xy4aX9U6fOFf+YSC2WuzFiRSqA5LVOiJqgpQ7BO0//iayo0CwjZO3EbvPGzVAihTMd0kGxwOENPMf24z
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BY5PR11MB4166.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFS:(136003)(39860400002)(376002)(366004)(346002)(396003)(71200400001)(15650500001)(966005)(83380400001)(5660300002)(8676002)(107886003)(6506007)(66946007)(110136005)(33656002)(66476007)(66556008)(66446008)(478600001)(64756008)(2906002)(8936002)(7696005)(76116006)(316002)(54906003)(9686003)(38100700002)(186003)(52536014)(122000001)(86362001)(4326008)(55016002)(53546011)(26005);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata: =?us-ascii?Q?nEeztE0WyiTDuAMhZZSI7ZVcpUTcywUqFb0znhiy/RqTQGh4WXiXU4x6PznY?=
 =?us-ascii?Q?XY4NxJOE/NAbCFLdodPUGMeKFEYVsPtunHrSw2CVVtwmDFup561SHO1cOQqv?=
 =?us-ascii?Q?feNfHmao5Da9H18l7XBNqOBkrYmjztC6wgA4aru0GXsq4rx2TjjTG8YhIctt?=
 =?us-ascii?Q?1MrvECt2t42dFEntYjukwfAQWUH+fdPh3UAxfMw3YacZrrwKehCSDMyOgz5r?=
 =?us-ascii?Q?5wPapxe/zvqLDWohbQb7uEZ+aPaEz78TKBStf4H4ngPR3Qdx1vsECUgWhaVK?=
 =?us-ascii?Q?5N72lKZfHr6nhI1NS3N431iGb7vxSrQLAURuhOlt1Fc5C7faxOJ8Gpwiy8VB?=
 =?us-ascii?Q?5ECwwUkwUxtVEpTKssUFH14HXeqn2BIHU2aeFNEAs+tSAgS4Og1ddmUh+D0t?=
 =?us-ascii?Q?6TaJsdvUB3Br4uKtu8q9BaWbnbZh6Jmh2l226zmB+HbpjGDT+ghuOSqCSRav?=
 =?us-ascii?Q?fGuWibFP98lToWl8pMyoHZO3Ososi+1ku3qOY6s16eVexe/TM+1RoKqIHFi9?=
 =?us-ascii?Q?w1CxLnmgesv4cBSw8cwZuuJ01dTWPyW39MWjHCMm9kFYSuX8BDDV3G/VIBj8?=
 =?us-ascii?Q?caKFQvwfkVubAMrpC4vSrJQlFPX2/6V2ZenGuIH36tLj86Be7ftESntfjddv?=
 =?us-ascii?Q?tDxId1BnnceXVDhEqEUa3nEfL77LlGfLiWTSxtmkP6SJN97OKOjfCDWIdsF6?=
 =?us-ascii?Q?17NtFc2++HgsRYUf3AsFzOtT7yu9mMCtNTwFXi5X3eCm+Iv2G+QLDeBM43Cb?=
 =?us-ascii?Q?IHaQp7L6qqA2QIrTGwXOij4pb0A7a/pifZed82f8v9HRMZb6p+1dsynNXi/C?=
 =?us-ascii?Q?FnE5R91URDVFAS/T+1Qu+XHMLB5dqW1cFk0It1bJKLOJkowM0fsaZhabwuVI?=
 =?us-ascii?Q?teQ35oou2DxnUx2qK7YxnFyo2mJvdhClzsWjU1QYlEjXUG624qy+Eo11OvX4?=
 =?us-ascii?Q?Z94NGg6kQOF5+3HcjXC78grdhPpAsKWZ4fwFrUNUzW/bQDujb9l4X8IUghz0?=
 =?us-ascii?Q?2TNf6in+dUvaMA+kUsGaoYgK3PrT8aBcT64Bb1w8Lxy3UzAaL/rzZaFaD+pO?=
 =?us-ascii?Q?lgoiFLagFYPofhg+j6fWORdmUI38zdJSvA5/NR4t1MSiaUSa8V2sknsXt7yf?=
 =?us-ascii?Q?wkpqLeYPkKfOe/WOgP0Uf4f15vnTYBSY9r5lMfk71HewVPQPBN25cf99kx8g?=
 =?us-ascii?Q?PgNtiPLG2gg2UYdT15rTIHok8s5vDL7s1hkKVw9RgtXxEjG1SancbPIPzqlK?=
 =?us-ascii?Q?20q+ssFjqON/dfuLO8We6t9BFbOHh/MrB1yloSLzjpAYoJGWSLZOMVtFFSSD?=
 =?us-ascii?Q?/2tM/fGSNEG4pVUSJQl6EYkT?=
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR11MB4166.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5e5cefc7-a623-4929-71ef-08d903a427d4
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Apr 2021 02:29:42.6580
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: E79baIkq4DJJ0wmwbtDOu406RexCwnF7VlCQLn3z5D8B/hTKO4PVZL0uQUAB1KBdi4+0Mgs41irPcMCKZgHfBg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR11MB3991
Return-Path: jiewen.yao@intel.com
X-OriginatorOrg: intel.com
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi Sachin
May I know why you hardcode PSS salt length to be RSA_PSS_SALTLEN_AUTO ?

Thank you
Yao Jiewen


> -----Original Message-----
> From: Agrawal, Sachin <sachin.agrawal@intel.com>
> Sent: Tuesday, April 20, 2021 10:02 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.c=
om>;
> Lu, XiaoyuX <xiaoyux.lu@intel.com>; Jiang, Guomin <guomin.jiang@intel.com=
>;
> Agrawal, Sachin <sachin.agrawal@intel.com>
> Subject: [PATCH v1 1/1] CryptoPkg: BaseCryptLib: Add RSA PSS verify suppo=
rt
>=20
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3314
>=20
> This patch uses Openssl's EVP API's to perform RSASSA-PSS verification
> of a binary blob.
>=20
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Guomin Jiang <guomin.jiang@intel.com>
>=20
> Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com>
> ---
>  CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c     | 139
> ++++++++++++++++++++
>  CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssNull.c |  43 ++++++
>  CryptoPkg/Include/Library/BaseCryptLib.h            |  27 ++++
>  CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf     |   1 +
>  CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf      |   1 +
>  CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf  |   1 +
>  CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf      |   1 +
>  7 files changed, 213 insertions(+)
>=20
> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c
> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c
> new file mode 100644
> index 000000000000..acf5eb689cd8
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPss.c
> @@ -0,0 +1,139 @@
> +/** @file
> +  RSA Asymmetric Cipher Wrapper Implementation over OpenSSL.
> +
> +  This file implements following APIs which provide basic capabilities f=
or RSA:
> +  1) RsaPssVerify
> +
> +Copyright (c) 2021, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include "InternalCryptLib.h"
> +
> +#include <openssl/bn.h>
> +#include <openssl/rsa.h>
> +#include <openssl/objects.h>
> +#include <openssl/evp.h>
> +
> +
> +/**
> +  Retrieve a pointer to EVP message digest object.
> +
> +  @param[in]  DigestLen   Length of the message digest.
> +
> +**/
> +static
> +EVP_MD*
> +GetEvpMD (
> +  IN UINT16 DigestLen
> +  )
> +{
> +  switch (DigestLen){
> +    case SHA256_DIGEST_SIZE:
> +      return EVP_sha256();
> +      break;
> +    case SHA384_DIGEST_SIZE:
> +      return EVP_sha384();
> +      break;
> +    case SHA512_DIGEST_SIZE:
> +      return EVP_sha512();
> +      break;
> +    default:
> +      return NULL;
> +  }
> +}
> +
> +
> +/**
> +  Verifies the RSA signature with RSASSA-PSS signature scheme defined in=
 RFC
> 8017.
> +  Implementation determines salt length automatically from the signature
> encoding.
> +  Mask generation function is the same as the message digest algorithm.
> +
> +  @param[in]  RsaContext      Pointer to RSA context for signature verif=
ication.
> +  @param[in]  Message         Pointer to octet message to be verified.
> +  @param[in]  MsgSize         Size of the message in bytes.
> +  @param[in]  Signature       Pointer to RSASSA-PSS signature to be veri=
fied.
> +  @param[in]  SigSize         Size of signature in bytes.
> +  @param[in]  DigestLen       Length of digest for RSA operation.
> +
> +  @retval  TRUE   Valid signature encoded in RSASSA-PSS.
> +  @retval  FALSE  Invalid signature or invalid RSA context.
> +
> +**/
> +BOOLEAN
> +EFIAPI
> +RsaPssVerify (
> +  IN  VOID         *RsaContext,
> +  IN  CONST UINT8  *Message,
> +  IN  UINTN        MsgSize,
> +  IN  CONST UINT8  *Signature,
> +  IN  UINTN        SigSize,
> +  IN  UINT16       DigestLen
> +  )
> +{
> +  BOOLEAN Result;
> +  EVP_PKEY *pEvpRsaKey =3D NULL;
> +  EVP_MD_CTX *pEvpVerifyCtx =3D NULL;
> +  EVP_PKEY_CTX *pKeyCtx =3D NULL;
> +  CONST EVP_MD  *HashAlg =3D NULL;
> +
> +  if (RsaContext =3D=3D NULL) {
> +    return FALSE;
> +  }
> +  if (Message =3D=3D NULL || MsgSize =3D=3D 0 || MsgSize > INT_MAX) {
> +    return FALSE;
> +  }
> +  if (Signature =3D=3D NULL || SigSize =3D=3D 0 || SigSize > INT_MAX) {
> +    return FALSE;
> +  }
> +
> +  HashAlg =3D GetEvpMD(DigestLen);
> +
> +  if (HashAlg =3D=3D NULL) {
> +    return FALSE;
> +  }
> +
> +  pEvpRsaKey =3D EVP_PKEY_new();
> +  if (pEvpRsaKey =3D=3D NULL) {
> +    goto _Exit;
> +  }
> +
> +  EVP_PKEY_set1_RSA(pEvpRsaKey, RsaContext);
> +
> +  pEvpVerifyCtx =3D EVP_MD_CTX_create();
> +  if (pEvpVerifyCtx =3D=3D NULL) {
> +    goto _Exit;
> +  }
> +
> +  Result =3D EVP_DigestVerifyInit(pEvpVerifyCtx, &pKeyCtx, HashAlg, NULL=
,
> pEvpRsaKey) > 0;
> +  if (pKeyCtx =3D=3D NULL) {
> +    goto _Exit;
> +  }
> +
> +  if (Result) {
> +    Result =3D EVP_PKEY_CTX_set_rsa_padding(pKeyCtx,
> RSA_PKCS1_PSS_PADDING) > 0;
> +  }
> +  if (Result) {
> +    Result =3D EVP_PKEY_CTX_set_rsa_pss_saltlen(pKeyCtx,
> RSA_PSS_SALTLEN_AUTO) > 0;
> +  }
> +  if (Result) {
> +    Result =3D EVP_PKEY_CTX_set_rsa_mgf1_md(pKeyCtx, HashAlg) > 0;
> +  }
> +  if (Result) {
> +    Result =3D EVP_DigestVerifyUpdate(pEvpVerifyCtx, Message,
> (UINT32)MsgSize) > 0;
> +  }
> +  if (Result) {
> +    Result =3D EVP_DigestVerifyFinal(pEvpVerifyCtx, Signature, (UINT32)S=
igSize) > 0;
> +  }
> +
> +_Exit :
> +  if (pEvpRsaKey) {
> +    EVP_PKEY_free(pEvpRsaKey);
> +  }
> +  if (pEvpVerifyCtx) {
> +    EVP_MD_CTX_destroy(pEvpVerifyCtx);
> +  }
> +
> +  return Result;
> +}
> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssNull.c
> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssNull.c
> new file mode 100644
> index 000000000000..8d84b4c1426c
> --- /dev/null
> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaPssNull.c
> @@ -0,0 +1,43 @@
> +/** @file
> +  RSA-PSS Asymmetric Cipher Wrapper Implementation over OpenSSL.
> +
> +  This file does not provide real capabilities for following APIs in RSA=
 handling:
> +  1) RsaPssVerify
> +
> +Copyright (c) 2021, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include "InternalCryptLib.h"
> +
> +/**
> +  Verifies the RSA signature with RSASSA-PSS signature scheme defined in=
 RFC
> 8017.
> +  Implementation determines salt length automatically from the signature
> encoding.
> +  Mask generation function is the same as the message digest algorithm.
> +
> +  @param[in]  RsaContext      Pointer to RSA context for signature verif=
ication.
> +  @param[in]  Message         Pointer to octet message to be verified.
> +  @param[in]  MsgSize         Size of the message in bytes.
> +  @param[in]  Signature       Pointer to RSASSA-PSS signature to be veri=
fied.
> +  @param[in]  SigSize         Size of signature in bytes.
> +  @param[in]  DigestLen       Length of digest for RSA operation.
> +
> +  @retval  TRUE   Valid signature encoded in RSASSA-PSS.
> +  @retval  FALSE  Invalid signature or invalid RSA context.
> +
> +**/
> +BOOLEAN
> +EFIAPI
> +RsaPssVerify (
> +  IN  VOID         *RsaContext,
> +  IN  CONST UINT8  *Message,
> +  IN  UINTN        MsgSize,
> +  IN  CONST UINT8  *Signature,
> +  IN  UINTN        SigSize,
> +  IN  UINT16       DigestLen
> +  )
> +{
> +  ASSERT (FALSE);
> +  return FALSE;
> +}
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index 496121e6a4ed..36d560b8d691 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -1363,6 +1363,33 @@ RsaPkcs1Verify (
>    IN  UINTN        SigSize
>    );
>=20
> +/**
> +  Verifies the RSA signature with RSASSA-PSS signature scheme defined in=
 RFC
> 8017.
> +  Implementation determines salt length automatically from the signature
> encoding.
> +  Mask generation function is the same as the message digest algorithm.
> +
> +  @param[in]  RsaContext      Pointer to RSA context for signature verif=
ication.
> +  @param[in]  Message         Pointer to octet message to be verified.
> +  @param[in]  MsgSize         Size of the message in bytes.
> +  @param[in]  Signature       Pointer to RSASSA-PSS signature to be veri=
fied.
> +  @param[in]  SigSize         Size of signature in bytes.
> +  @param[in]  DigestLen       Length of digest for RSA operation.
> +
> +  @retval  TRUE   Valid signature encoded in RSASSA-PSS.
> +  @retval  FALSE  Invalid signature or invalid RSA context.
> +
> +**/
> +BOOLEAN
> +EFIAPI
> +RsaPssVerify (
> +  IN  VOID         *RsaContext,
> +  IN  CONST UINT8  *Message,
> +  IN  UINTN        MsgSize,
> +  IN  CONST UINT8  *Signature,
> +  IN  UINTN        SigSize,
> +  IN  UINT16       DigestLen
> +  );
> +
>  /**
>    Retrieve the RSA Private Key from the password-protected PEM key data.
>=20