From: "yi1 li"
To: devel@edk2.groups.io
Cc: yi1 li, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang, Maciej Rabeda, Jiaxin Wu, Siyuan Fu
Subject: [PATCH 4/5] CryptoPkg: Add implementation for TlsSetHostPrivateKey()
Date: Sun, 22 May 2022 09:54:18 +0800
X-Mailer: git-send-email 2.31.1.windows.1
From: yi1 li Add Password to TlsSetHostPrivateKey() param list, Set Password to NULL when useless. This function adds the local private key (PEM-encoded RSA or PKCS#8 private key) into the specified TLS object for TLS negotiation. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Maciej Rabeda Cc: Jiaxin Wu Cc: Siyuan Fu Signed-off-by: Yi Li --- CryptoPkg/Driver/Crypto.c | 6 +- CryptoPkg/Include/Library/TlsLib.h | 4 +- .../BaseCryptLibOnProtocolPpi/CryptLib.c | 6 +- CryptoPkg/Library/TlsLib/TlsConfig.c | 81 ++++++++++++++++++- CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 4 +- CryptoPkg/Private/Protocol/Crypto.h | 4 +- 6 files changed, 96 insertions(+), 9 deletions(-) diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c index 6a86c4dba6a2..b2e3cbde5bd3 100644 --- a/CryptoPkg/Driver/Crypto.c +++ b/CryptoPkg/Driver/Crypto.c @@ -4136,6 +4136,7 @@ CryptoServiceTlsSetHostPublicCert ( @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL if not used. @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -4147,10 +4148,11 @@ EFIAPI CryptoServiceTlsSetHostPrivateKey ( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ) { - return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKey, TlsSetHostPrivateKey, (Tls, Data, DataSize), EFI_UNSUPPORTED); + return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKey, TlsSetHostPrivateKey, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED); } /** diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h index 8a109ec89d3d..01b1087e3d2e 100644 --- a/CryptoPkg/Include/Library/TlsLib.h +++ b/CryptoPkg/Include/Library/TlsLib.h 
@@ -534,6 +534,7 @@ TlsSetHostPublicCert ( @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL if not used. @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -545,7 +546,8 @@ EFIAPI TlsSetHostPrivateKey ( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ); /** diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c index 1c7c90e432de..d1405e26f9fc 100644 --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c @@ -3279,6 +3279,7 @@ TlsSetHostPublicCert ( @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL if not used. @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -3290,10 +3291,11 @@ EFIAPI TlsSetHostPrivateKey ( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ) { - CALL_CRYPTO_SERVICE (TlsSetHostPrivateKey, (Tls, Data, DataSize), EFI_UNSUPPORTED); + CALL_CRYPTO_SERVICE (TlsSetHostPrivateKey, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED); } /** diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c index b45050c18770..e7d4474dff8d 100644 --- a/CryptoPkg/Library/TlsLib/TlsConfig.c +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c 
@@ -870,6 +870,7 @@ ON_EXIT: @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL if not used. @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -881,10 +882,86 @@ EFIAPI TlsSetHostPrivateKey ( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ) { - return EFI_UNSUPPORTED; + TLS_CONNECTION *TlsConn; + BIO *Bio; + + TlsConn = (TLS_CONNECTION *)Tls; + + if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) { + return EFI_INVALID_PARAMETER; + } + + if (SSL_use_PrivateKey_ASN1 ( + EVP_PKEY_RSA, + TlsConn->Ssl, + Data, + (long)DataSize + ) == 1) + { + goto verify; + } + + if (SSL_use_PrivateKey_ASN1 ( + EVP_PKEY_DSA, + TlsConn->Ssl, + Data, + (long)DataSize + ) == 1) + { + goto verify; + } + + if (SSL_use_PrivateKey_ASN1 ( + EVP_PKEY_EC, + TlsConn->Ssl, + Data, + (long)DataSize + ) == 1) + { + goto verify; + } + + if (SSL_use_RSAPrivateKey_ASN1 ( + TlsConn->Ssl, + Data, + (long)DataSize + ) == 1) + { + goto verify; + } + + // Try to parse the private key in PEM format encoded PKC#8 + Bio = BIO_new_mem_buf (Data, (long)DataSize); + if (Bio != NULL) { + EVP_PKEY *Pkey; + BOOLEAN Verify; + + Verify = FALSE; + Pkey = PEM_read_bio_PrivateKey (Bio, NULL, NULL, Password); + if ((Pkey != NULL) && (SSL_use_PrivateKey (TlsConn->Ssl, Pkey) == 1)) { + Verify = TRUE; + } + + EVP_PKEY_free (Pkey); + BIO_free (Bio); + + if (Verify) { + goto verify; + } + } + + return EFI_ABORTED; + +verify: + if (SSL_check_private_key (TlsConn->Ssl) == 1) { + return EFI_SUCCESS; + } + + return EFI_ABORTED; } /** diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c index b2c7e6869f53..9ab95f7269ee 100644 --- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c 
+++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c @@ -250,6 +250,7 @@ TlsSetHostPublicCert ( @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL if not used. @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -261,7 +262,8 @@ EFIAPI TlsSetHostPrivateKey ( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ) { ASSERT (FALSE); diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h index bc94cbb66311..ab01ff985da7 100644 --- a/CryptoPkg/Private/Protocol/Crypto.h +++ b/CryptoPkg/Private/Protocol/Crypto.h @@ -3092,6 +3092,7 @@ EFI_STATUS @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL if not used. @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -3103,7 +3104,8 @@ EFI_STATUS (EFIAPI *EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY)( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ); /** -- 2.31.1.windows.1
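Review bot: In the TlsLib.h hunk (and the matching header hunks in Crypto.c, CryptLib.c, TlsConfigNull.c and Crypto.h), the new parameter is declared as `IN VOID *Password OPTIONAL` and documented only as "Pointer to private key password", but the TlsConfig.c body hands it straight to `PEM_read_bio_PrivateKey (Bio, NULL, NULL, Password)` as the `u` argument with no callback, which means OpenSSL's default callback treats it as a NUL-terminated passphrase string; the @param text should say that (and `CONST CHAR8 *` would express it better than `VOID *`). Two related documentation gaps in the same comment block: the `@param[in] Data` line still says "PEM-encoded RSA or PKCS#8 private key", while the implementation tries DER-encoded RSA/DSA/EC keys through SSL_use_PrivateKey_ASN1() before it ever looks at PEM, and Password is not used on that DER path at all, so callers should be told that a password only applies to encrypted PEM input. Finally, when Password is NULL and the PEM key turns out to be encrypted, the default callback falls back to an interactive passphrase prompt that cannot exist in a firmware build; passing a small pem_password_cb that returns -1 when Password is NULL would turn that into a deterministic failure instead of whatever error the UI path produces.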
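Review bot: In the TlsConfig.c hunk, the final `SSL_check_private_key (TlsConn->Ssl)` can only succeed once a host certificate is already attached to the SSL object, so TlsSetHostPrivateKey() now silently depends on TlsSetHostPublicCert() having been called first; if the order is reversed, a valid key is accepted by SSL_use_PrivateKey() and then the function returns EFI_ABORTED while the key remains loaded in the SSL object. Either state the ordering requirement in the function header, or move the consistency check to the point where both certificate and key are known to be present. Two smaller points in the same hunk: each failed SSL_use_PrivateKey_ASN1()/SSL_use_RSAPrivateKey_ASN1() attempt leaves entries on the OpenSSL error queue, and they stay there even when a later attempt succeeds, so the next code that reads the queue (the handshake error path) will report stale parse errors; an `ERR_clear_error ()` after the fall-through attempts, or before `return EFI_SUCCESS`, avoids that. The `@retval` list visible in the hunk documents only EFI_SUCCESS and EFI_UNSUPPORTED while the body returns EFI_INVALID_PARAMETER and EFI_ABORTED (ignore if those are in the elided lines). Style: the lowercase `verify:` label should follow the `ON_EXIT:` naming this file already uses (visible in the first hunk header), and the comment `// Try to parse the private key in PEM format encoded PKC#8` has a typo (PKCS#8) and understates what PEM_read_bio_PrivateKey() accepts, which includes traditional RSA and EC PEM keys, not only PKCS#8.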
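Review bot: In the Crypto.h hunk, changing the `EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY` function-pointer typedef from three arguments to four alters the ABI of the EDKII Crypto protocol/PPI, so a consumer built against the old signature talking to a CryptoDxe/CryptoPei built with this patch (or the reverse) will pass a mismatched argument list. The patch should bump EDKII_CRYPTO_VERSION in the same file, or the cover letter should say explicitly why that is unnecessary (for example, that the service previously always returned EFI_UNSUPPORTED, as the removed `return EFI_UNSUPPORTED;` line in TlsConfig.c shows, so no existing consumer could have relied on the old entry point).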