From: "Zhang, Chao B" <chao.b.zhang@intel.com>
To: "Chen, Chen A" <chen.a.chen@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Long, Qin" <qin.long@intel.com>
Subject: Re: [PATCH 1/2] CryptoPkg/BaseCryptLib: Add C-structure to matching certificate stack
Date: Mon, 13 Nov 2017 01:01:39 +0000 [thread overview]
Message-ID: <FF72C7E4248F3C4E9BDF19D4918E90F2495FBF7D@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <20171107010437.17404-1-chen.a.chen@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
-----Original Message-----
From: Chen, Chen A
Sent: Tuesday, November 7, 2017 9:05 AM
To: edk2-devel@lists.01.org
Cc: Chen, Chen A <chen.a.chen@intel.com>; Long, Qin <qin.long@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>
Subject: [PATCH 1/2] CryptoPkg/BaseCryptLib: Add C-structure to matching certificate stack
The parameter CertStack of Pkcs7GetSigners will return all embedded X.509 certificate in one given PKCS7 signature. The format is:
//
// UINT8 CertNumber;
// UINT32 Cert1Length;
// UINT8 Cert1[];
// UINT32 Cert2Length;
// UINT8 Cert2[];
// ...
// UINT32 CertnLength;
// UINT8 Certn[];
//
Add EFI_CERT_STACK and EFI_CERT_DATA structure, these two C-structure are used for parsing CertStack more clearly.
Cc: Long Qin <qin.long@intel.com>
Cc: Zhang Chao <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: chenc2 <chen.a.chen@intel.com>
---
CryptoPkg/Include/Library/BaseCryptLib.h | 33 ++++++++++++++++++++++
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 3 ++
.../Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 3 ++
3 files changed, 39 insertions(+)
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index e2b6a95666..3fd9a3c911 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -2377,6 +2377,36 @@ Pkcs5HashPassword (
);
/**
+ The 3rd parameter of Pkcs7GetSigners will return all embedded
+ X.509 certificate in one given PKCS7 signature. The format is:
+ //
+ // UINT8 CertNumber;
+ // UINT32 Cert1Length;
+ // UINT8 Cert1[];
+ // UINT32 Cert2Length;
+ // UINT8 Cert2[];
+ // ...
+ // UINT32 CertnLength;
+ // UINT8 Certn[];
+ //
+
+ The two following C-structure are used for parsing CertStack more clearly.
+**/
+#pragma pack(1)
+
+typedef struct {
+ UINT32 CertDataLength; // The length in bytes of X.509 certificate.
+ UINT8 CertDataBuffer[0]; // The X.509 certificate content (DER).
+}EFI_CERT_DATA;
+
+typedef struct {
+ UINT8 CertNumber; // Number of X.509 certificate.
+ //EFI_CERT_DATA CertArray[]; // An array of X.509 certificate.
+}EFI_CERT_STACK;
+
+#pragma pack()
+
+/**
Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7:
Cryptographic Message Syntax Standard". The input signed data could be wrapped
in a ContentInfo structure.
@@ -2390,6 +2420,7 @@ Pkcs5HashPassword (
@param[out] CertStack Pointer to Signer's certificates retrieved from P7Data.
It's caller's responsibility to free the buffer with
Pkcs7FreeSigners().
+ This data structure is EFI_CERT_STACK type.
@param[out] StackLength Length of signer's certificates in bytes.
@param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates.
It's caller's responsibility to free the buffer with @@ -2437,9 +2468,11 @@ Pkcs7FreeSigners (
@param[out] SignerChainCerts Pointer to the certificates list chained to signer's
certificate. It's caller's responsibility to free the buffer
with Pkcs7FreeSigners().
+ This data structure is EFI_CERT_STACK type.
@param[out] ChainLength Length of the chained certificates list buffer in bytes.
@param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's
responsibility to free the buffer with Pkcs7FreeSigners().
+ This data structure is EFI_CERT_STACK type.
@param[out] UnchainLength Length of the unchained certificates list buffer in bytes.
@retval TRUE The operation is finished successfully.
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index 296df028b1..fe8e5950f9 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -242,6 +242,7 @@ _Exit:
@param[out] CertStack Pointer to Signer's certificates retrieved from P7Data.
It's caller's responsibility to free the buffer with
Pkcs7FreeSigners().
+ This data structure is EFI_CERT_STACK type.
@param[out] StackLength Length of signer's certificates in bytes.
@param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates.
It's caller's responsibility to free the buffer with @@ -442,9 +443,11 @@ Pkcs7FreeSigners (
@param[out] SignerChainCerts Pointer to the certificates list chained to signer's
certificate. It's caller's responsibility to free the buffer
with Pkcs7FreeSigners().
+ This data structure is EFI_CERT_STACK type.
@param[out] ChainLength Length of the chained certificates list buffer in bytes.
@param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's
responsibility to free the buffer with Pkcs7FreeSigners().
+ This data structure is EFI_CERT_STACK type.
@param[out] UnchainLength Length of the unchained certificates list buffer in bytes.
@retval TRUE The operation is finished successfully.
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c
index d3e8ec89a7..5490b1f3d6 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c
@@ -27,6 +27,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
@param[out] CertStack Pointer to Signer's certificates retrieved from P7Data.
It's caller's responsibility to free the buffer with
Pkcs7FreeSigners().
+ This data structure is EFI_CERT_STACK type.
@param[out] StackLength Length of signer's certificates in bytes.
@param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates.
It's caller's responsibility to free the buffer with @@ -79,9 +80,11 @@ Pkcs7FreeSigners (
@param[out] SignerChainCerts Pointer to the certificates list chained to signer's
certificate. It's caller's responsibility to free the buffer
with Pkcs7FreeSigners().
+ This data structure is EFI_CERT_STACK type.
@param[out] ChainLength Length of the chained certificates list buffer in bytes.
@param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's
responsibility to free the buffer with Pkcs7FreeSigners().
+ This data structure is EFI_CERT_STACK type.
@param[out] UnchainLength Length of the unchained certificates list buffer in bytes.
@retval TRUE The operation is finished successfully.
--
2.13.2.windows.1
prev parent reply other threads:[~2017-11-13 0:57 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-07 1:04 [PATCH 1/2] CryptoPkg/BaseCryptLib: Add C-structure to matching certificate stack chenc2
2017-11-07 2:31 ` Long, Qin
2017-11-07 2:43 ` Yao, Jiewen
2017-11-13 1:01 ` Zhang, Chao B [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=FF72C7E4248F3C4E9BDF19D4918E90F2495FBF7D@shsmsx102.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox