projects / mirror_edk2.git / blame
| Commit | Line | Data |
|---|---|---|
| 97f98500 HT |
1 | /** @file\r |
| 2 | PKCS#7 SignedData Verification Wrapper Implementation over OpenSSL.\r | |
| 3 | \r | |
| 4 | Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>\r | |
| 5 | This program and the accompanying materials\r | |
| 6 | are licensed and made available under the terms and conditions of the BSD License\r | |
| 7 | which accompanies this distribution. The full text of the license may be found at\r | |
| 8 | http://opensource.org/licenses/bsd-license.php\r | |
| 9 | \r | |
| 10 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r | |
| 11 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r | |
| 12 | \r | |
| 13 | **/\r | |
| 14 | \r | |
| 15 | #include <Library/BaseLib.h>\r | |
| 16 | #include <Library/BaseMemoryLib.h>\r | |
| 17 | #include <Library/DebugLib.h>\r | |
| 18 | \r | |
| 19 | #include <Library/BaseCryptLib.h>\r | |
| 20 | #include <openssl/objects.h>\r | |
| 21 | #include <openssl/x509.h>\r | |
| 22 | #include <openssl/pkcs7.h>\r | |
| 23 | \r | |
| 24 | \r | |
| 25 | /**\r | |
| 26 | Verifies the validility of a PKCS#7 signed data as described in "PKCS #7: Cryptographic\r | |
| 27 | Message Syntax Standard".\r | |
| 28 | \r | |
| 29 | If P7Data is NULL, then ASSERT().\r | |
| 30 | \r | |
| 31 | @param[in] P7Data Pointer to the PKCS#7 message to verify.\r | |
| 32 | @param[in] P7Length Length of the PKCS#7 message in bytes.\r | |
| 33 | @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which\r | |
| 34 | is used for certificate chain verification.\r | |
| 35 | @param[in] CertLength Length of the trusted certificate in bytes.\r | |
| 36 | @param[in] InData Pointer to the content to be verified.\r | |
| 37 | @param[in] DataLength Length of InData in bytes.\r | |
| 38 | \r | |
| 39 | @return TRUE The specified PKCS#7 signed data is valid.\r | |
| 40 | @return FALSE Invalid PKCS#7 signed data.\r | |
| 41 | \r | |
| 42 | **/\r | |
| 43 | BOOLEAN\r | |
| 44 | EFIAPI\r | |
| 45 | Pkcs7Verify (\r | |
| 46 | IN CONST UINT8 *P7Data,\r | |
| 47 | IN UINTN P7Length,\r | |
| 48 | IN CONST UINT8 *TrustedCert,\r | |
| 49 | IN UINTN CertLength,\r | |
| 50 | IN CONST UINT8 *InData,\r | |
| 51 | IN UINTN DataLength\r | |
| 52 | )\r | |
| 53 | {\r | |
| 54 | PKCS7 *Pkcs7;\r | |
| 55 | UINT8 *Content;\r | |
| 56 | BIO *CertBio;\r | |
| 57 | BIO *DataBio;\r | |
| 58 | BOOLEAN Status;\r | |
| 59 | X509 *Cert;\r | |
| 60 | X509_STORE *CertStore;\r | |
| 61 | \r | |
| 62 | //\r | |
| 63 | // ASSERT if P7Data is NULL\r | |
| 64 | //\r | |
| 65 | ASSERT (P7Data != NULL);\r | |
| 66 | \r | |
| 67 | Status = FALSE;\r | |
| 68 | Pkcs7 = NULL;\r | |
| 69 | CertBio = NULL;\r | |
| 70 | DataBio = NULL;\r | |
| 71 | Cert = NULL;\r | |
| 72 | CertStore = NULL;\r | |
| 73 | \r | |
| 74 | //\r | |
| 75 | // Register & Initialize necessary digest algorithms for PKCS#7 Handling\r | |
| 76 | //\r | |
| 77 | EVP_add_digest (EVP_md5());\r | |
| 78 | EVP_add_digest (EVP_sha1());\r | |
| 79 | EVP_add_digest (EVP_sha256());\r | |
| 80 | \r | |
| 81 | //\r | |
| 82 | // Retrieve PKCS#7 Data (DER encoding)\r | |
| 83 | //\r | |
| 84 | Pkcs7 = d2i_PKCS7 (NULL, &P7Data, (int)P7Length);\r | |
| 85 | if (Pkcs7 == NULL) {\r | |
| 86 | goto _Exit;\r | |
| 87 | }\r | |
| 88 | \r | |
| 89 | //\r | |
| 90 | // Check if it's PKCS#7 Signed Data (for Authenticode Scenario)\r | |
| 91 | //\r | |
| 92 | if (!PKCS7_type_is_signed (Pkcs7)) {\r | |
| 93 | goto _Exit;\r | |
| 94 | }\r | |
| 95 | \r | |
| 96 | //\r | |
| 97 | // Check PKCS#7 embedded signed content with InData.\r | |
| 98 | //\r | |
| 99 | if (InData != NULL) {\r | |
| 100 | //\r | |
| 101 | // NOTE: PKCS7_dataDecode() didn't work for Authenticode-format signed data due to\r | |
| 102 | // some authenticode-specific structure. Use opaque ASN.1 string to retrieve\r | |
| 103 | // PKCS#7 ContentInfo here.\r | |
| 104 | //\r | |
| 105 | Content = (UINT8 *)(Pkcs7->d.sign->contents->d.other->value.asn1_string->data);\r | |
| 106 | \r | |
| 107 | // Ignore two bytes for DER encoding of ASN.1 "SEQUENCE"\r | |
| 108 | if (CompareMem (Content + 2, InData, DataLength) != 0) {\r | |
| 109 | goto _Exit;\r | |
| 110 | }\r | |
| 111 | }\r | |
| 112 | \r | |
| 113 | //\r | |
| 114 | // Read DER-encoded root certificate and Construct X509 Certificate\r | |
| 115 | //\r | |
| 116 | CertBio = BIO_new (BIO_s_mem ());\r | |
| 117 | BIO_write (CertBio, TrustedCert, (int)CertLength);\r | |
| 118 | if (CertBio == NULL) {\r | |
| 119 | goto _Exit;\r | |
| 120 | }\r | |
| 121 | Cert = d2i_X509_bio (CertBio, NULL);\r | |
| 122 | if (Cert == NULL) {\r | |
| 123 | goto _Exit;\r | |
| 124 | }\r | |
| 125 | \r | |
| 126 | //\r | |
| 127 | // Setup X509 Store for trusted certificate\r | |
| 128 | //\r | |
| 129 | CertStore = X509_STORE_new ();\r | |
| 130 | if (CertStore == NULL) {\r | |
| 131 | goto _Exit;\r | |
| 132 | }\r | |
| 133 | if (!(X509_STORE_add_cert (CertStore, Cert))) {\r | |
| 134 | goto _Exit;\r | |
| 135 | }\r | |
| 136 | \r | |
| 137 | //\r | |
| 138 | // For generic PKCS#7 handling, InData may be NULL if the content is present\r | |
| 139 | // in PKCS#7 structure. So ignore NULL checking here.\r | |
| 140 | //\r | |
| 141 | DataBio = BIO_new (BIO_s_mem ());\r | |
| 142 | BIO_write (DataBio, InData, (int)DataLength);\r | |
| 143 | \r | |
| 144 | //\r | |
| 145 | // Verifies the PKCS#7 signedData structure\r | |
| 146 | //\r | |
| 147 | Status = (BOOLEAN) PKCS7_verify (Pkcs7, NULL, CertStore, DataBio, NULL, 0);\r | |
| 148 | \r | |
| 149 | _Exit:\r | |
| 150 | //\r | |
| 151 | // Release Resources\r | |
| 152 | //\r | |
| 153 | BIO_free (DataBio);\r | |
| 154 | BIO_free (CertBio);\r | |
| 155 | X509_free (Cert);\r | |
| 156 | X509_STORE_free (CertStore);\r | |
| 157 | PKCS7_free (Pkcs7);\r | |
| 158 | \r | |
| 159 | return Status;\r | |
| 160 | }\r |