#include <openssl/x509.h>\r
#include <openssl/pkcs7.h>\r
\r
+UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };\r
\r
/**\r
Verification callback function to override any existing callbacks in OpenSSL\r
PKCS7 *Pkcs7;\r
UINT8 *RsaContext;\r
UINT8 *P7Data;\r
+ UINTN P7DataSize;\r
+ UINT8 *Tmp;\r
\r
//\r
// Check input parameters.\r
//\r
- if ((PrivateKey == NULL) || (KeyPassword == NULL) || (InData == NULL)) {\r
- return FALSE;\r
- }\r
- \r
- if ((SignCert == NULL) || (SignedData == NULL) || (SignedDataSize == NULL)) {\r
- return FALSE;\r
- }\r
+ ASSERT (PrivateKey != NULL);\r
+ ASSERT (KeyPassword != NULL);\r
+ ASSERT (InData != NULL);\r
+ ASSERT (SignCert != NULL);\r
+ ASSERT (SignedData != NULL);\r
+ ASSERT (SignedDataSize != NULL);\r
+ ASSERT (InDataSize <= INT_MAX);\r
\r
RsaContext = NULL;\r
Key = NULL;\r
//\r
// Convert PKCS#7 signedData structure into DER-encoded buffer.\r
//\r
- *SignedDataSize = i2d_PKCS7 (Pkcs7, NULL);\r
- if (*SignedDataSize == 0) {\r
+ P7DataSize = i2d_PKCS7 (Pkcs7, NULL);\r
+ if (P7DataSize <= 19) {\r
goto _Exit;\r
}\r
+ P7Data = OPENSSL_malloc (P7DataSize);\r
+ Tmp = P7Data;\r
+ P7DataSize = i2d_PKCS7 (Pkcs7, (unsigned char **) &Tmp);\r
+\r
+ //\r
+ // Strip ContentInfo to content only for signeddata. The data be trimmed off\r
+ // is totally 19 bytes.\r
+ //\r
+ *SignedDataSize = P7DataSize - 19;\r
*SignedData = OPENSSL_malloc (*SignedDataSize);\r
- P7Data = *SignedData;\r
- *SignedDataSize = i2d_PKCS7 (Pkcs7, (unsigned char **) &P7Data);\r
+ CopyMem (*SignedData, P7Data + 19, *SignedDataSize);\r
+ \r
+ OPENSSL_free (P7Data);\r
\r
Status = TRUE;\r
\r
}\r
\r
/**\r
- Verifies the validility of a PKCS#7 signed data as described in "PKCS #7: Cryptographic\r
- Message Syntax Standard".\r
+ Verifies the validility of a PKCS#7 signed data as described in "PKCS #7:\r
+ Cryptographic Message Syntax Standard". The input signed data could be wrapped\r
+ in a ContentInfo structure.\r
\r
If P7Data is NULL, then ASSERT().\r
\r
BOOLEAN Status;\r
X509 *Cert;\r
X509_STORE *CertStore;\r
+ UINT8 *SignedData;\r
+ UINT8 *Temp;\r
+ UINTN SignedDataSize;\r
+ BOOLEAN Wrapped;\r
\r
//\r
- // ASSERT if P7Data is NULL\r
+ // ASSERT if any input parameter is invalid.\r
//\r
- ASSERT (P7Data != NULL);\r
+ ASSERT (P7Data != NULL);\r
+ ASSERT (TrustedCert != NULL);\r
+ ASSERT (InData != NULL);\r
+ ASSERT (P7Length <= INT_MAX);\r
+ ASSERT (CertLength <= INT_MAX);\r
+ ASSERT (DataLength <= INT_MAX);\r
\r
Status = FALSE;\r
Pkcs7 = NULL;\r
EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA);\r
EVP_add_digest (EVP_sha256());\r
\r
+ //\r
+ // Check whether input P7Data is a wrapped ContentInfo structure or not.\r
+ //\r
+ Wrapped = FALSE;\r
+ if ((P7Data[4] == 0x06) && (P7Data[5] == 0x09)) {\r
+ if (CompareMem (P7Data + 6, mOidValue, sizeof (mOidValue)) == 0) {\r
+ if ((P7Data[15] == 0xA0) && (P7Data[16] == 0x82)) {\r
+ Wrapped = TRUE;\r
+ }\r
+ }\r
+ }\r
+\r
+ if (Wrapped) {\r
+ SignedData = (UINT8 *) P7Data;\r
+ SignedDataSize = P7Length;\r
+ } else {\r
+ //\r
+ // Wrap PKCS#7 signeddata to a ContentInfo structure - add a header in 19 bytes.\r
+ //\r
+ SignedDataSize = P7Length + 19;\r
+ SignedData = OPENSSL_malloc (SignedDataSize);\r
+ if (SignedData == NULL) {\r
+ return FALSE;\r
+ }\r
+\r
+ //\r
+ // Part1: 0x30, 0x82.\r
+ //\r
+ SignedData[0] = 0x30;\r
+ SignedData[1] = 0x82;\r
+\r
+ //\r
+ // Part2: Length1 = P7Length + 19 - 4, in big endian.\r
+ //\r
+ SignedData[2] = (UINT8) (((UINT16) (SignedDataSize - 4)) >> 8);\r
+ SignedData[3] = (UINT8) (((UINT16) (SignedDataSize - 4)) & 0xff);\r
+\r
+ //\r
+ // Part3: 0x06, 0x09.\r
+ //\r
+ SignedData[4] = 0x06;\r
+ SignedData[5] = 0x09;\r
+\r
+ //\r
+ // Part4: OID value -- 0x2A 0x86 0x48 0x86 0xF7 0x0D 0x01 0x07 0x02.\r
+ //\r
+ CopyMem (SignedData + 6, mOidValue, sizeof (mOidValue));\r
+\r
+ //\r
+ // Part5: 0xA0, 0x82.\r
+ //\r
+ SignedData[15] = 0xA0;\r
+ SignedData[16] = 0x82;\r
+\r
+ //\r
+ // Part6: Length2 = P7Length, in big endian.\r
+ //\r
+ SignedData[17] = (UINT8) (((UINT16) P7Length) >> 8);\r
+ SignedData[18] = (UINT8) (((UINT16) P7Length) & 0xff);\r
+\r
+ //\r
+ // Part7: P7Data.\r
+ //\r
+ CopyMem (SignedData + 19, P7Data, P7Length);\r
+ }\r
+ \r
//\r
// Retrieve PKCS#7 Data (DER encoding)\r
//\r
- Pkcs7 = d2i_PKCS7 (NULL, &P7Data, (int)P7Length);\r
+ if (SignedDataSize > INT_MAX) {\r
+ goto _Exit;\r
+ }\r
+\r
+ Temp = SignedData;\r
+ Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) SignedDataSize);\r
if (Pkcs7 == NULL) {\r
goto _Exit;\r
}\r
X509_STORE_free (CertStore);\r
PKCS7_free (Pkcs7);\r
\r
+ if (!Wrapped) {\r
+ OPENSSL_free (SignedData);\r
+ }\r
+\r
return Status;\r
}\r
projects / mirror_edk2.git / blobdiff