From: "Wenxing Hou"
To: Nhi Pham, "devel@edk2.groups.io"
CC: Tam Chi Nguyen, "Yao, Jiewen", "Li, Yi1"
Subject: Re: [edk2-devel] [PATCH 1/1] CryptoPkg: Add new API to get PKCS7 Signature
Date: Tue, 30 Jan 2024 09:46:02 +0000
In-Reply-To: <20240130054428.3838412-1-nhi@os.amperecomputing.com>

Hi Pham,

Thanks for your contribution.
I think there are two works you need to do:
Firstly, submit an EDKII PR to ensure the patch can pass the CI.
Secondly, add unit-test to test the new API (such as: get signature then compare).

Thanks
Wenxing

-----Original Message-----
From: Nhi Pham
Sent: Tuesday, January 30, 2024 1:44 PM
To: devel@edk2.groups.io
Cc: Tam Chi Nguyen; Yao, Jiewen; Hou, Wenxing; Li, Yi1; Nhi Pham
Subject: [PATCH 1/1] CryptoPkg: Add new API to get PKCS7 Signature

From: Tam Chi Nguyen

This patch adds a new Pkcs7GetSignature() API to support extracting the signature data from PKCS7 certificate.

Cc: Jiewen Yao
Cc: Wenxing Hou
Cc: Yi Li
Signed-off-by: Nhi Pham --- CryptoPkg/Include/Library/BaseCryptLib.h | 29 +++++ CryptoPkg/Private/Protocol/Crypto.h | 29 +++++ CryptoPkg/Driver/Crypto.c | 33 ++++++ CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c | 120 +++++++++= +++++++++++ CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 33 ++++++ CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 32 ++++++ 6 files changed, 276 insertions(+) diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/L= ibrary/BaseCryptLib.h index a52bd91ad664..d52a91244482 100644 --- a/CryptoPkg/Include/Library/BaseCryptLib.h +++ b/CryptoPkg/Include/Library/BaseCryptLib.h @@ -5,6 +5,7 @@ functionality enabling. =20 Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved.
+Copyright (c) 2024, Ampere Computing LLC. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -2471,6 +2472,34 @@ ImageTimestampVerify ( OUT EFI_TIME *SigningTime ); =20 +/** + Get the data signature from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could=20 +be wrapped + in a ContentInfo structure. + + If P7Data, Signature, SignatureLength is NULL, then return FALSE. + If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] Signature Pointer to Signature data + @param[out] SignatureLength Length of signature in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetSignature ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **Signature, + OUT UINTN *SignatureLength + ); + /** Retrieve the version from one X.509 certificate. =20 diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protoc= ol/Crypto.h index 0e0b1d94018d..d228cea0453b 100644 --- a/CryptoPkg/Private/Protocol/Crypto.h +++ b/CryptoPkg/Private/Protocol/Crypto.h @@ -3,6 +3,7 @@ =20 Copyright (C) Microsoft Corporation. All rights reserved. Copyright (c) 2020 - 2022, Intel Corporation. All rights reserved.
+ Copyright (c) 2024, Ampere Computing LLC. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -1036,6 +1037,34 @@ BOOLEAN OUT EFI_TIME *SigningTime ); =20 +/** + Get the data signature from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could=20 +be wrapped + in a ContentInfo structure. + + If P7Data, Signature, SignatureLength is NULL, then return FALSE. + If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] Signature Pointer to Signature data + @param[out] SignatureLength Length of signature in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_PKCS7_GET_SIGNATURE) ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **Signature, + OUT UINTN *SignatureLength + ); + // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D // DH Key Exchange Primitive // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c index bd= bb4863a97e..83094e73c33a 100644 --- a/CryptoPkg/Driver/Crypto.c +++ b/CryptoPkg/Driver/Crypto.c @@ -4,6 +4,7 @@ =20 Copyright (C) Microsoft Corporation. All rights reserved. Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.
+ Copyright (c) 2024, Ampere Computing LLC. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -3910,6 +3911,37 @@ CryptoServiceImageTimestampVerify ( return CALL_BASECRYPTLIB (Pkcs.Services.ImageTimestampVerify, ImageTimes= tampVerify, (AuthData, DataSize, TsaCert, CertSize, SigningTime), FALSE); = } =20 +/** + Get the data signature from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could=20 +be wrapped + in a ContentInfo structure. + + If P7Data, Signature, SignatureLength is NULL, then return FALSE. + If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] Signature Pointer to Signature data + @param[out] SignatureLength Length of signature in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +CryptoServicePkcs7GetSignature ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **Signature, + OUT UINTN *SignatureLength + ) +{ + return CALL_BASECRYPTLIB (Pkcs.Services.Pkcs7GetSignature,=20 +Pkcs7GetSignature, (P7Data, P7Length, Signature, SignatureLength),=20 +FALSE); } + // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D // DH Key Exchange Primitive // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D 
@@ -6748,6 +6780,7 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto =3D { CryptoServicePkcs7GetCertificatesList, CryptoServiceAuthenticodeVerify, CryptoServiceImageTimestampVerify, + CryptoServicePkcs7GetSignature, /// DH CryptoServiceDhNew, CryptoServiceDhFree, diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c b/C= ryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c index 4e5a14e35210..9e3fccf1bb4e 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyCommon.c @@ -11,6 +11,7 @@ Variable and will do basic check for data structure. =20 Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+Copyright (c) 2024, Ampere Computing LLC. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ 
@@ -926,3 +927,122 @@ _Exit: =20 return Status; } + +/** + Get the data signature from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could=20 +be wrapped + in a ContentInfo structure. + + If P7Data, Signature, SignatureLength is NULL, then return FALSE. + If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] Signature Pointer to Signature data + @param[out] SignatureLength Length of signature in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetSignature ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **Signature, + OUT UINTN *SignatureLength + ) +{ + PKCS7 *Pkcs7; + BOOLEAN Wrapped; + BOOLEAN Status; + UINT8 *SignedData; + UINT8 *Temp; + UINTN SignedDataSize; + STACK_OF (PKCS7_SIGNER_INFO) *SignerInfos; + PKCS7_SIGNER_INFO *SignInfo; + ASN1_OCTET_STRING *EncDigest; + + if ((P7Data =3D=3D NULL) || (P7Length > INT_MAX) || + (Signature =3D=3D NULL && SignatureLength =3D=3D NULL)) { + return FALSE; + } + + Status =3D WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData,=20 + &SignedDataSize); if (!Status) { + return Status; + } + + Status =3D FALSE; + Pkcs7 =3D NULL; + // + // Retrieve PKCS#7 Data (DER encoding) // if (SignedDataSize >=20 + INT_MAX) { + goto _Exit; + } + + Temp =3D SignedData; + Pkcs7 =3D d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int)=20 + SignedDataSize); if (Pkcs7 =3D=3D NULL) { + goto _Exit; + } + + // + // Check if it's PKCS#7 Signed Data (for Authenticode Scenario) // =20 + if (!PKCS7_type_is_signed (Pkcs7)) { + goto _Exit; + } + + // + // Check if there is one and only one signer. 
+ // + SignerInfos =3D PKCS7_get_signer_info (Pkcs7); if (!SignerInfos ||=20 + (sk_PKCS7_SIGNER_INFO_num (SignerInfos) !=3D 1)) { + goto _Exit; + } + + // + // Locate the TimeStamp CounterSignature. + // + SignInfo =3D sk_PKCS7_SIGNER_INFO_value (SignerInfos, 0); if (SignInfo= =20 + =3D=3D NULL) { + goto _Exit; + } + + // + // Locate Message Digest which will be the data to be time-stamped. + // + EncDigest =3D SignInfo->enc_digest; + if (EncDigest =3D=3D NULL) { + goto _Exit; + } + + *SignatureLength =3D EncDigest->length; if (Signature !=3D NULL) { + if (*Signature =3D=3D NULL) { + Status =3D FALSE; + goto _Exit; + } + CopyMem ((VOID *)*Signature, EncDigest->data, EncDigest->length); + Status =3D TRUE; + } + +_Exit: + // + // Release Resources + // + if (!Wrapped) { + free (SignedData); + } + if (Pkcs7 !=3D NULL) { + PKCS7_free (Pkcs7); + } + + return Status; +} diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c b/Cry= ptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c index b9b7960126de..a080bbfc4237 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c @@ -3,6 +3,7 @@ real capabilities. =20 Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) 2024, Ampere Computing LLC. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -161,3 +162,35 @@ Pkcs7GetAttachedContent ( ASSERT (FALSE); return FALSE; } + +/** + Get the data signature from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could=20 +be wrapped + in a ContentInfo structure. + + If P7Data, Signature, SignatureLength is NULL, then return FALSE. + If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] Signature Pointer to Signature data + @param[out] SignatureLength Length of signature in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetSignature ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **Signature, + OUT UINTN *SignatureLength + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/Crypt= oPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c index 4e31bc278e0f..55d7b17688a0 100644 --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c @@ -4,6 +4,7 @@ =20 Copyright (C) Microsoft Corporation. All rights reserved. Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.
+ Copyright (c) 2024, Ampere Computing LLC. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ 
@@ -3146,6 +3147,37 @@ ImageTimestampVerify ( CALL_CRYPTO_SERVICE (ImageTimestampVerify, (AuthData, DataSize, TsaCert,= CertSize, SigningTime), FALSE); } =20 +/** + Get the data signature from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard". The input signed data could=20 +be wrapped + in a ContentInfo structure. + + If P7Data, Signature, SignatureLength is NULL, then return FALSE. + If P7Length overflow, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] P7Data Pointer to the PKCS#7 message to verify. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] Signature Pointer to Signature data + @param[out] SignatureLength Length of signature in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSE Error occurs during the operation. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetSignature ( + IN CONST UINT8 *P7Data, + IN UINTN P7Length, + OUT UINT8 **Signature, + OUT UINTN *SignatureLength + ) +{ + CALL_CRYPTO_SERVICE (Pkcs7GetSignature, (P7Data, P7Length, Signature,=20 +SignatureLength), FALSE); } + // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D // DH Key Exchange Primitive // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D -- 2.25.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
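
Review bot: The Pkcs7GetSignature() comment in the BaseCryptLib.h hunk does not state who allocates *Signature or how large that buffer must be, although the implementation returns FALSE when *Signature is NULL and copies into it otherwise. Document the buffer ownership and sizing contract, and say that the bytes are returned without the PKCS#7 signature being verified. "@param[in] P7Data Pointer to the PKCS#7 message to verify" describes verification, which this function does not perform, and "If P7Data, Signature, SignatureLength is NULL" should say whether any one of them or all of them being NULL fails. The same comment block is repeated in the other five files and needs the same correction.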
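
Review bot: In the mEdkiiCrypto initializer hunk of Crypto.c, CryptoServicePkcs7GetSignature is inserted between CryptoServiceImageTimestampVerify and the DH entries, which shifts every later slot of the table, while the Crypto.h change consists only of the copyright line, the comment and the EDKII_CRYPTO_PKCS7_GET_SIGNATURE typedef (all 29 insertions in the diffstat), so no matching member is added to the protocol structure. Add the member to the structure and keep it in step with the initializer, preferably at the end of both so existing consumers of the protocol keep their offsets. No hunk in this patch adds the Pkcs7GetSignature field that CALL_BASECRYPTLIB (Pkcs.Services.Pkcs7GetSignature, ...) and CALL_CRYPTO_SERVICE (Pkcs7GetSignature, ...) refer to, so those definitions are missing as well.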
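
Review bot: In Pkcs7GetSignature() in CryptPkcs7VerifyCommon.c, CopyMem ((VOID *)*Signature, EncDigest->data, EncDigest->length) writes into a caller-supplied buffer whose capacity the function never learns, because SignatureLength is OUT only and the length comes from the parsed PKCS#7 input; an enc_digest longer than the caller expected overruns that buffer. Make SignatureLength IN OUT (capacity in, required size out, with a distinct result for a buffer that is too small), or allocate the buffer inside the function and document who frees it. The entry check uses (Signature == NULL && SignatureLength == NULL), so a call with a non-NULL Signature and a NULL SignatureLength passes it and then faults at *SignatureLength = EncDigest->length; use || there or guard the store. A size query with Signature == NULL sets *SignatureLength but still returns FALSE, which the caller cannot tell apart from a parse failure. The comments "Locate the TimeStamp CounterSignature" and "Locate Message Digest which will be the data to be time-stamped" do not describe this code, which reads the single signer's enc_digest.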