]>
Commit | Line | Data |
---|---|---|
1 | /** @file\r | |
2 | EFI_PKCS7_VERIFY_PROTOCOL as defined in UEFI 2.5.\r | |
3 | The EFI_PKCS7_VERIFY_PROTOCOL is used to verify data signed using PKCS#7\r | |
4 | formatted authentication. The PKCS#7 data to be verified must be binary\r | |
5 | DER encoded.\r | |
6 | PKCS#7 is a general-purpose cryptographic standard (defined by RFC2315,\r | |
7 | available at http://tools.ietf.org/html/rfc2315).\r | |
8 | \r | |
9 | Copyright (c) 2015 - 2017, Intel Corporation. All rights reserved.<BR>\r | |
10 | SPDX-License-Identifier: BSD-2-Clause-Patent\r | |
11 | \r | |
12 | **/\r | |
13 | \r | |
14 | #ifndef __EFI_PKCS7_VERIFY_PROTOCOL_H__\r | |
15 | #define __EFI_PKCS7_VERIFY_PROTOCOL_H__\r | |
16 | \r | |
17 | #include <Guid/ImageAuthentication.h>\r | |
18 | \r | |
19 | ///\r | |
20 | /// Global ID for the PKCS7 Verification Protocol\r | |
21 | ///\r | |
22 | #define EFI_PKCS7_VERIFY_PROTOCOL_GUID \\r | |
23 | { \\r | |
24 | 0x47889fb2, 0xd671, 0x4fab, {0xa0, 0xca, 0xdf, 0x0e, 0x44, 0xdf, 0x70, 0xd6 } \\r | |
25 | }\r | |
26 | \r | |
27 | typedef struct _EFI_PKCS7_VERIFY_PROTOCOL EFI_PKCS7_VERIFY_PROTOCOL;\r | |
28 | \r | |
29 | \r | |
30 | /**\r | |
31 | Processes a buffer containing binary DER-encoded PKCS7 signature.\r | |
32 | The signed data content may be embedded within the buffer or separated. Funtion\r | |
33 | verifies the signature of the content is valid and signing certificate was not\r | |
34 | revoked and is contained within a list of trusted signers.\r | |
35 | \r | |
36 | @param[in] This Pointer to EFI_PKCS7_VERIFY_PROTOCOL instance.\r | |
37 | @param[in] SignedData Points to buffer containing ASN.1 DER-encoded PKCS7\r | |
38 | signature.\r | |
39 | @param[in] SignedDataSize The size of SignedData buffer in bytes.\r | |
40 | @param[in] InData In case of detached signature, InData points to\r | |
41 | buffer containing the raw message data previously\r | |
42 | signed and to be verified by function. In case of\r | |
43 | SignedData containing embedded data, InData must be\r | |
44 | NULL.\r | |
45 | @param[in] InDataSize When InData is used, the size of InData buffer in\r | |
46 | bytes. When InData is NULL. This parameter must be\r | |
47 | 0.\r | |
48 | @param[in] AllowedDb Pointer to a list of pointers to EFI_SIGNATURE_LIST\r | |
49 | structures. The list is terminated by a null\r | |
50 | pointer. The EFI_SIGNATURE_LIST structures contain\r | |
51 | lists of X.509 certificates of approved signers.\r | |
52 | Function recognizes signer certificates of type\r | |
53 | EFI_CERT_X509_GUID. Any hash certificate in AllowedDb\r | |
54 | list is ignored by this function. Function returns\r | |
55 | success if signer of the buffer is within this list\r | |
56 | (and not within RevokedDb). This parameter is\r | |
57 | required.\r | |
58 | @param[in] RevokedDb Optional pointer to a list of pointers to\r | |
59 | EFI_SIGNATURE_LIST structures. The list is terminated\r | |
60 | by a null pointer. List of X.509 certificates of\r | |
61 | revoked signers and revoked file hashes. Except as\r | |
62 | noted in description of TimeStampDb signature\r | |
63 | verification will always fail if the signer of the\r | |
64 | file or the hash of the data component of the buffer\r | |
65 | is in RevokedDb list. This list is optional and\r | |
66 | caller may pass Null or pointer to NULL if not\r | |
67 | required.\r | |
68 | @param[in] TimeStampDb Optional pointer to a list of pointers to\r | |
69 | EFI_SIGNATURE_LIST structures. The list is terminated\r | |
70 | by a null pointer. This parameter can be used to pass\r | |
71 | a list of X.509 certificates of trusted time stamp\r | |
72 | signers. This list is optional and caller must pass\r | |
73 | Null or pointer to NULL if not required.\r | |
74 | @param[out] Content On input, points to an optional caller-allocated\r | |
75 | buffer into which the function will copy the content\r | |
76 | portion of the file after verification succeeds.\r | |
77 | This parameter is optional and if NULL, no copy of\r | |
78 | content from file is performed.\r | |
79 | @param[in,out] ContentSize On input, points to the size in bytes of the optional\r | |
80 | buffer Content previously allocated by caller. On\r | |
81 | output, if the verification succeeds, the value\r | |
82 | referenced by ContentSize will contain the actual\r | |
83 | size of the content from signed file. If ContentSize\r | |
84 | indicates the caller-allocated buffer is too small\r | |
85 | to contain content, an error is returned, and\r | |
86 | ContentSize will be updated with the required size.\r | |
87 | This parameter must be 0 if Content is Null.\r | |
88 | \r | |
89 | @retval EFI_SUCCESS Content signature was verified against hash of\r | |
90 | content, the signer's certificate was not found in\r | |
91 | RevokedDb, and was found in AllowedDb or if in signer\r | |
92 | is found in both AllowedDb and RevokedDb, the\r | |
93 | signing was allowed by reference to TimeStampDb as\r | |
94 | described above, and no hash matching content hash\r | |
95 | was found in RevokedDb.\r | |
96 | @retval EFI_SECURITY_VIOLATION The SignedData buffer was correctly formatted but\r | |
97 | signer was in RevokedDb or not in AllowedDb. Also\r | |
98 | returned if matching content hash found in RevokedDb.\r | |
99 | @retval EFI_COMPROMISED_DATA Calculated hash differs from signed hash.\r | |
100 | @retval EFI_INVALID_PARAMETER SignedData is NULL or SignedDataSize is zero.\r | |
101 | AllowedDb is NULL.\r | |
102 | @retval EFI_INVALID_PARAMETER Content is not NULL and ContentSize is NULL.\r | |
103 | @retval EFI_ABORTED Unsupported or invalid format in TimeStampDb,\r | |
104 | RevokedDb or AllowedDb list contents was detected.\r | |
105 | @retval EFI_NOT_FOUND Content not found because InData is NULL and no\r | |
106 | content embedded in SignedData.\r | |
107 | @retval EFI_UNSUPPORTED The SignedData buffer was not correctly formatted\r | |
108 | for processing by the function.\r | |
109 | @retval EFI_UNSUPPORTED Signed data embedded in SignedData but InData is not\r | |
110 | NULL.\r | |
111 | @retval EFI_BUFFER_TOO_SMALL The size of buffer indicated by ContentSize is too\r | |
112 | small to hold the content. ContentSize updated to\r | |
113 | required size.\r | |
114 | \r | |
115 | **/\r | |
116 | typedef\r | |
117 | EFI_STATUS\r | |
118 | (EFIAPI *EFI_PKCS7_VERIFY_BUFFER) (\r | |
119 | IN EFI_PKCS7_VERIFY_PROTOCOL *This,\r | |
120 | IN VOID *SignedData,\r | |
121 | IN UINTN SignedDataSize,\r | |
122 | IN VOID *InData OPTIONAL,\r | |
123 | IN UINTN InDataSize,\r | |
124 | IN EFI_SIGNATURE_LIST **AllowedDb,\r | |
125 | IN EFI_SIGNATURE_LIST **RevokedDb OPTIONAL,\r | |
126 | IN EFI_SIGNATURE_LIST **TimeStampDb OPTIONAL,\r | |
127 | OUT VOID *Content OPTIONAL,\r | |
128 | IN OUT UINTN *ContentSize\r | |
129 | );\r | |
130 | \r | |
131 | /**\r | |
132 | Processes a buffer containing binary DER-encoded detached PKCS7 signature.\r | |
133 | The hash of the signed data content is calculated and passed by the caller. Function\r | |
134 | verifies the signature of the content is valid and signing certificate was not revoked\r | |
135 | and is contained within a list of trusted signers.\r | |
136 | \r | |
137 | Note: because this function uses hashes and the specification contains a variety of\r | |
138 | hash choices, you should be aware that the check against the RevokedDb list\r | |
139 | will improperly succeed if the signature is revoked using a different hash\r | |
140 | algorithm. For this reason, you should either cycle through all UEFI supported\r | |
141 | hashes to see if one is forbidden, or rely on a single hash choice only if the\r | |
142 | UEFI signature authority only signs and revokes with a single hash (at time\r | |
143 | of writing, this hash choice is SHA256).\r | |
144 | \r | |
145 | @param[in] This Pointer to EFI_PKCS7_VERIFY_PROTOCOL instance.\r | |
146 | @param[in] Signature Points to buffer containing ASN.1 DER-encoded PKCS\r | |
147 | detached signature.\r | |
148 | @param[in] SignatureSize The size of Signature buffer in bytes.\r | |
149 | @param[in] InHash InHash points to buffer containing the caller\r | |
150 | calculated hash of the data. The parameter may not\r | |
151 | be NULL.\r | |
152 | @param[in] InHashSize The size in bytes of InHash buffer.\r | |
153 | @param[in] AllowedDb Pointer to a list of pointers to EFI_SIGNATURE_LIST\r | |
154 | structures. The list is terminated by a null\r | |
155 | pointer. The EFI_SIGNATURE_LIST structures contain\r | |
156 | lists of X.509 certificates of approved signers.\r | |
157 | Function recognizes signer certificates of type\r | |
158 | EFI_CERT_X509_GUID. Any hash certificate in AllowedDb\r | |
159 | list is ignored by this function. Function returns\r | |
160 | success if signer of the buffer is within this list\r | |
161 | (and not within RevokedDb). This parameter is\r | |
162 | required.\r | |
163 | @param[in] RevokedDb Optional pointer to a list of pointers to\r | |
164 | EFI_SIGNATURE_LIST structures. The list is terminated\r | |
165 | by a null pointer. List of X.509 certificates of\r | |
166 | revoked signers and revoked file hashes. Signature\r | |
167 | verification will always fail if the signer of the\r | |
168 | file or the hash of the data component of the buffer\r | |
169 | is in RevokedDb list. This parameter is optional\r | |
170 | and caller may pass Null if not required.\r | |
171 | @param[in] TimeStampDb Optional pointer to a list of pointers to\r | |
172 | EFI_SIGNATURE_LIST structures. The list is terminated\r | |
173 | by a null pointer. This parameter can be used to pass\r | |
174 | a list of X.509 certificates of trusted time stamp\r | |
175 | counter-signers.\r | |
176 | \r | |
177 | @retval EFI_SUCCESS Signed hash was verified against caller-provided\r | |
178 | hash of content, the signer's certificate was not\r | |
179 | found in RevokedDb, and was found in AllowedDb or\r | |
180 | if in signer is found in both AllowedDb and\r | |
181 | RevokedDb, the signing was allowed by reference to\r | |
182 | TimeStampDb as described above, and no hash matching\r | |
183 | content hash was found in RevokedDb.\r | |
184 | @retval EFI_SECURITY_VIOLATION The SignedData buffer was correctly formatted but\r | |
185 | signer was in RevokedDb or not in AllowedDb. Also\r | |
186 | returned if matching content hash found in RevokedDb.\r | |
187 | @retval EFI_COMPROMISED_DATA Caller provided hash differs from signed hash. Or,\r | |
188 | caller and encrypted hash are different sizes.\r | |
189 | @retval EFI_INVALID_PARAMETER Signature is NULL or SignatureSize is zero. InHash\r | |
190 | is NULL or InHashSize is zero. AllowedDb is NULL.\r | |
191 | @retval EFI_ABORTED Unsupported or invalid format in TimeStampDb,\r | |
192 | RevokedDb or AllowedDb list contents was detected.\r | |
193 | @retval EFI_UNSUPPORTED The Signature buffer was not correctly formatted\r | |
194 | for processing by the function.\r | |
195 | \r | |
196 | **/\r | |
197 | typedef\r | |
198 | EFI_STATUS\r | |
199 | (EFIAPI *EFI_PKCS7_VERIFY_SIGNATURE) (\r | |
200 | IN EFI_PKCS7_VERIFY_PROTOCOL *This,\r | |
201 | IN VOID *Signature,\r | |
202 | IN UINTN SignatureSize,\r | |
203 | IN VOID *InHash,\r | |
204 | IN UINTN InHashSize,\r | |
205 | IN EFI_SIGNATURE_LIST **AllowedDb,\r | |
206 | IN EFI_SIGNATURE_LIST **RevokedDb OPTIONAL,\r | |
207 | IN EFI_SIGNATURE_LIST **TimeStampDb OPTIONAL\r | |
208 | );\r | |
209 | \r | |
210 | ///\r | |
211 | /// The EFI_PKCS7_VERIFY_PROTOCOL is used to verify data signed using PKCS7\r | |
212 | /// structure. The PKCS7 data to be verified must be ASN.1 (DER) encoded.\r | |
213 | /// SHA256 must be supported as digest algorithm with RSA digest encryption.\r | |
214 | /// Support of other hash algorithms is optional.\r | |
215 | ///\r | |
216 | struct _EFI_PKCS7_VERIFY_PROTOCOL {\r | |
217 | EFI_PKCS7_VERIFY_BUFFER VerifyBuffer;\r | |
218 | EFI_PKCS7_VERIFY_SIGNATURE VerifySignature;\r | |
219 | };\r | |
220 | \r | |
221 | extern EFI_GUID gEfiPkcs7VerifyProtocolGuid;\r | |
222 | \r | |
223 | #endif\r |