* [PATCH v5] CryptoPkg/Pkcs7: Extend support for other OID types
@ 2020-04-28 0:49 Guomin Jiang
2020-04-28 3:27 ` [edk2-devel] " Wang, Jian J
0 siblings, 1 reply; 2+ messages in thread
From: Guomin Jiang @ 2020-04-28 0:49 UTC (permalink / raw)
To: devel; +Cc: Jian J Wang, Xiaoyu Lu
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2539
Microsoft signtool supports creation of attached P7's with any OID payload
via the "/p7co" parameter. It is necessary to check the data before get
the string.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
---
.../BaseCryptLib/Pk/CryptPkcs7VerifyBase.c | 66 ++++++++++++++++++-
1 file changed, 65 insertions(+), 1 deletion(-)
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c
index 313f459b11..1b23ec99af 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c
@@ -13,6 +13,66 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <openssl/x509v3.h>
#include <openssl/pkcs7.h>
+/**
+ Check the contents of PKCS7 is not data.
+
+ It is copied from PKCS7_type_is_other() in pk7_doit.c.
+
+ @param[in] P7 Pointer to the location at which the PKCS7 is located.
+
+ @return INTN The content type.
+**/
+STATIC
+INTN
+Pkcs7TypeIsOther (
+ IN PKCS7 *P7
+ )
+{
+ INTN Others = 1;
+ INTN Nid = OBJ_obj2nid (P7->type);
+
+ switch (Nid) {
+ case NID_pkcs7_data:
+ case NID_pkcs7_signed:
+ case NID_pkcs7_enveloped:
+ case NID_pkcs7_signedAndEnveloped:
+ case NID_pkcs7_encrypted:
+ Others = 0;
+ break;
+ default:
+ Others = 1;
+ }
+
+ return Others;
+}
+
+/**
+ Get the ASN.1 string for the PKCS7.
+
+ It is copied from PKCS7_get_octet_string() in pk7_doit.c.
+
+ @param[in] P7 Pointer to the location at which the PKCS7 is located.
+
+ @return ASN1_OCTET_STRING ASN.1 string.
+**/
+STATIC
+ASN1_OCTET_STRING*
+Pkcs7GetOctetString (
+ IN PKCS7 *P7
+ )
+{
+ if (PKCS7_type_is_data (P7)) {
+ return P7->d.data;
+ }
+
+ if ((Pkcs7TypeIsOther(P7) == 1) && P7->d.other &&
+ (P7->d.other->type == V_ASN1_OCTET_STRING)) {
+ return P7->d.other->value.octet_string;
+ }
+
+ return NULL;
+}
+
/**
Extracts the attached content from a PKCS#7 signed data if existed. The input signed
data could be wrapped in a ContentInfo structure.
@@ -98,7 +158,11 @@ Pkcs7GetAttachedContent (
//
// Retrieve the attached content in PKCS7 signedData
//
- OctStr = Pkcs7->d.sign->contents->d.data;
+ OctStr = Pkcs7GetOctetString (Pkcs7->d.sign->contents);
+ if (OctStr == NULL) {
+ goto _Exit;
+ }
+
if ((OctStr->length > 0) && (OctStr->data != NULL)) {
*ContentSize = OctStr->length;
*Content = AllocatePool (*ContentSize);
--
2.25.1.windows.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [edk2-devel] [PATCH v5] CryptoPkg/Pkcs7: Extend support for other OID types
2020-04-28 0:49 [PATCH v5] CryptoPkg/Pkcs7: Extend support for other OID types Guomin Jiang
@ 2020-04-28 3:27 ` Wang, Jian J
0 siblings, 0 replies; 2+ messages in thread
From: Wang, Jian J @ 2020-04-28 3:27 UTC (permalink / raw)
To: devel@edk2.groups.io, Jiang, Guomin; +Cc: Lu, XiaoyuX
Guomin,
Sorry I didn't check carefully on the return type of function Pkcs7TypeIsOther().
I think BOOLEAN should be more appropriate. INTN looks strange, although it
works. It's actually used to check if the PKCS7 is data or not. Son in this function
TRUE or FALSE should be returned instead of 1 or 0.
If using BOOLEAN, you can also use this function directly in following expression,
without comparing to '1', which looks strange to me too.
+ if (Pkcs7TypeIsOther(P7) && P7->d.other &&
In addition, 'P7->d.other' should use explicit check against NULL.
With above addressed,
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Regards,
Jian
> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Guomin
> Jiang
> Sent: Tuesday, April 28, 2020 8:50 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>
> Subject: [edk2-devel] [PATCH v5] CryptoPkg/Pkcs7: Extend support for other OID
> types
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2539
>
> Microsoft signtool supports creation of attached P7's with any OID payload
> via the "/p7co" parameter. It is necessary to check the data before get
> the string.
>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Signed-off-by: Guomin Jiang <guomin.jiang@intel.com>
> ---
> .../BaseCryptLib/Pk/CryptPkcs7VerifyBase.c | 66 ++++++++++++++++++-
> 1 file changed, 65 insertions(+), 1 deletion(-)
>
> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c
> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c
> index 313f459b11..1b23ec99af 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyBase.c
> @@ -13,6 +13,66 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> #include <openssl/x509v3.h>
>
> #include <openssl/pkcs7.h>
>
>
>
> +/**
>
> + Check the contents of PKCS7 is not data.
>
> +
>
> + It is copied from PKCS7_type_is_other() in pk7_doit.c.
>
> +
>
> + @param[in] P7 Pointer to the location at which the PKCS7 is located.
>
> +
>
> + @return INTN The content type.
>
> +**/
>
> +STATIC
>
> +INTN
>
> +Pkcs7TypeIsOther (
>
> + IN PKCS7 *P7
>
> + )
>
> +{
>
> + INTN Others = 1;
>
> + INTN Nid = OBJ_obj2nid (P7->type);
>
> +
>
> + switch (Nid) {
>
> + case NID_pkcs7_data:
>
> + case NID_pkcs7_signed:
>
> + case NID_pkcs7_enveloped:
>
> + case NID_pkcs7_signedAndEnveloped:
>
> + case NID_pkcs7_encrypted:
>
> + Others = 0;
>
> + break;
>
> + default:
>
> + Others = 1;
>
> + }
>
> +
>
> + return Others;
>
> +}
>
> +
>
> +/**
>
> + Get the ASN.1 string for the PKCS7.
>
> +
>
> + It is copied from PKCS7_get_octet_string() in pk7_doit.c.
>
> +
>
> + @param[in] P7 Pointer to the location at which the PKCS7 is located.
>
> +
>
> + @return ASN1_OCTET_STRING ASN.1 string.
>
> +**/
>
> +STATIC
>
> +ASN1_OCTET_STRING*
>
> +Pkcs7GetOctetString (
>
> + IN PKCS7 *P7
>
> + )
>
> +{
>
> + if (PKCS7_type_is_data (P7)) {
>
> + return P7->d.data;
>
> + }
>
> +
>
> + if ((Pkcs7TypeIsOther(P7) == 1) && P7->d.other &&
>
> + (P7->d.other->type == V_ASN1_OCTET_STRING)) {
>
> + return P7->d.other->value.octet_string;
>
> + }
>
> +
>
> + return NULL;
>
> +}
>
> +
>
> /**
>
> Extracts the attached content from a PKCS#7 signed data if existed. The input
> signed
>
> data could be wrapped in a ContentInfo structure.
>
> @@ -98,7 +158,11 @@ Pkcs7GetAttachedContent (
> //
>
> // Retrieve the attached content in PKCS7 signedData
>
> //
>
> - OctStr = Pkcs7->d.sign->contents->d.data;
>
> + OctStr = Pkcs7GetOctetString (Pkcs7->d.sign->contents);
>
> + if (OctStr == NULL) {
>
> + goto _Exit;
>
> + }
>
> +
>
> if ((OctStr->length > 0) && (OctStr->data != NULL)) {
>
> *ContentSize = OctStr->length;
>
> *Content = AllocatePool (*ContentSize);
>
> --
> 2.25.1.windows.1
>
>
> -=-=-=-=-=-=
> Groups.io Links: You receive all messages sent to this group.
>
> View/Reply Online (#58197): https://edk2.groups.io/g/devel/message/58197
> Mute This Topic: https://groups.io/mt/73318347/1768734
> Group Owner: devel+owner@edk2.groups.io
> Unsubscribe: https://edk2.groups.io/g/devel/unsub [jian.j.wang@intel.com]
> -=-=-=-=-=-=
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-04-28 3:27 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-04-28 0:49 [PATCH v5] CryptoPkg/Pkcs7: Extend support for other OID types Guomin Jiang
2020-04-28 3:27 ` [edk2-devel] " Wang, Jian J
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox