[mirror_edk2.git] / CryptoPkg / Library / BaseCryptLib / Pk / CryptPkcs7Verify.c

/** @file\r
  PKCS#7 SignedData Verification Wrapper Implementation over OpenSSL.\r
\r
  Caution: This module requires additional review when modified.\r
  This library will have external input - signature (e.g. UEFI Authenticated\r
  Variable). It may by input in SMM mode.\r
  This external input must be validated carefully to avoid security issue like\r
  buffer overflow, integer overflow.\r
\r
  WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated\r
  Variable and will do basic check for data structure.\r
\r
Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution.  The full text of the license may be found at\r
http://opensource.org/licenses/bsd-license.php\r
\r
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
\r
**/\r
\r
#include "InternalCryptLib.h"\r
\r
#include <openssl/objects.h>\r
#include <openssl/x509.h>\r
#include <openssl/pkcs7.h>\r
\r
UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };\r
\r
/**\r
  Verification callback function to override any existing callbacks in OpenSSL\r
  for intermediate certificate supports.\r
\r
  @param[in]  Status   Original status before calling this callback.\r
  @param[in]  Context  X509 store context.\r
\r
  @retval     1        Current X509 certificate is verified successfully.\r
  @retval     0        Verification failed.\r
\r
**/\r
int\r
X509VerifyCb (\r
  IN int            Status,\r
  IN X509_STORE_CTX *Context\r
  )\r
{\r
  X509_OBJECT  *Obj;\r
  INTN         Error;\r
  INTN         Index;\r
  INTN         Count;\r
\r
  Obj   = NULL;\r
  Error = (INTN) X509_STORE_CTX_get_error (Context);\r
\r
  //\r
  // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_\r
  // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer\r
  // can not be found in X509_verify_cert of X509_vfy.c.\r
  // In order to support intermediate certificate node, we override the\r
  // errors if the certification is obtained from X509 store, i.e. it is\r
  // a trusted ceritifcate node that is enrolled by user.\r
  // Besides,X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE\r
  // are also ignored to enable such feature.\r
  //\r
  if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||\r
      (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {\r
    Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));\r
    if (Obj == NULL) {\r
      return 0;\r
    }\r
\r
    Obj->type      = X509_LU_X509;\r
    Obj->data.x509 = Context->current_cert;\r
\r
    CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE);\r
\r
    if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {\r
      Status = 1;\r
    } else {\r
      //\r
      // If any certificate in the chain is enrolled as trusted certificate,\r
      // pass the certificate verification.\r
      //\r
      if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {\r
        Count = (INTN) sk_X509_num (Context->chain);\r
        for (Index = 0; Index < Count; Index++) {\r
          Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);\r
          if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {\r
            Status = 1;\r
            break;\r
          }\r
        }\r
      }\r
    }\r
\r
    CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE);\r
  }\r
\r
  if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||\r
      (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {\r
    Status = 1;\r
  }\r
\r
  if (Obj != NULL) {\r
    OPENSSL_free (Obj);\r
  }\r
\r
  return Status;\r
}\r
\r
/**\r
  Check input P7Data is a wrapped ContentInfo structure or not. If not construct\r
  a new structure to wrap P7Data.\r
\r
  Caution: This function may receive untrusted input.\r
  UEFI Authenticated Variable is external input, so this function will do basic\r
  check for PKCS#7 data structure.\r
\r
  @param[in]  P7Data       Pointer to the PKCS#7 message to verify.\r
  @param[in]  P7Length     Length of the PKCS#7 message in bytes.\r
  @param[out] WrapFlag     If TRUE P7Data is a ContentInfo structure, otherwise\r
                           return FALSE.\r
  @param[out] WrapData     If return status of this function is TRUE: \r
                           1) when WrapFlag is TRUE, pointer to P7Data.\r
                           2) when WrapFlag is FALSE, pointer to a new ContentInfo\r
                           structure. It's caller's responsibility to free this\r
                           buffer.\r
  @param[out] WrapDataSize Length of ContentInfo structure in bytes.\r
\r
  @retval     TRUE         The operation is finished successfully.\r
  @retval     FALSE        The operation is failed due to lack of resources.\r
\r
**/\r
BOOLEAN\r
WrapPkcs7Data (\r
  IN  CONST UINT8  *P7Data,\r
  IN  UINTN        P7Length,\r
  OUT BOOLEAN      *WrapFlag,\r
  OUT UINT8        **WrapData,\r
  OUT UINTN        *WrapDataSize\r
  )\r
{\r
  BOOLEAN          Wrapped;\r
  UINT8            *SignedData;\r
\r
  //\r
  // Check whether input P7Data is a wrapped ContentInfo structure or not.\r
  //\r
  Wrapped = FALSE;\r
  if ((P7Data[4] == 0x06) && (P7Data[5] == 0x09)) {\r
    if (CompareMem (P7Data + 6, mOidValue, sizeof (mOidValue)) == 0) {\r
      if ((P7Data[15] == 0xA0) && (P7Data[16] == 0x82)) {\r
        Wrapped = TRUE;\r
      }\r
    }\r
  }\r
\r
  if (Wrapped) {\r
    *WrapData     = (UINT8 *) P7Data;\r
    *WrapDataSize = P7Length;\r
  } else {\r
    //\r
    // Wrap PKCS#7 signeddata to a ContentInfo structure - add a header in 19 bytes.\r
    //\r
    *WrapDataSize = P7Length + 19;\r
    *WrapData     = malloc (*WrapDataSize);\r
    if (*WrapData == NULL) {\r
      *WrapFlag = Wrapped;\r
      return FALSE;\r
    }\r
\r
    SignedData = *WrapData;\r
\r
    //\r
    // Part1: 0x30, 0x82.\r
    //\r
    SignedData[0] = 0x30;\r
    SignedData[1] = 0x82;\r
\r
    //\r
    // Part2: Length1 = P7Length + 19 - 4, in big endian.\r
    //\r
    SignedData[2] = (UINT8) (((UINT16) (*WrapDataSize - 4)) >> 8);\r
    SignedData[3] = (UINT8) (((UINT16) (*WrapDataSize - 4)) & 0xff);\r
\r
    //\r
    // Part3: 0x06, 0x09.\r
    //\r
    SignedData[4] = 0x06;\r
    SignedData[5] = 0x09;\r
\r
    //\r
    // Part4: OID value -- 0x2A 0x86 0x48 0x86 0xF7 0x0D 0x01 0x07 0x02.\r
    //\r
    CopyMem (SignedData + 6, mOidValue, sizeof (mOidValue));\r
\r
    //\r
    // Part5: 0xA0, 0x82.\r
    //\r
    SignedData[15] = 0xA0;\r
    SignedData[16] = 0x82;\r
\r
    //\r
    // Part6: Length2 = P7Length, in big endian.\r
    //\r
    SignedData[17] = (UINT8) (((UINT16) P7Length) >> 8);\r
    SignedData[18] = (UINT8) (((UINT16) P7Length) & 0xff);\r
\r
    //\r
    // Part7: P7Data.\r
    //\r
    CopyMem (SignedData + 19, P7Data, P7Length);\r
  }\r
\r
  *WrapFlag = Wrapped;\r
  return TRUE;\r
}\r
\r
/**\r
  Pop single certificate from STACK_OF(X509).\r
\r
  If X509Stack, Cert, or CertSize is NULL, then return FALSE.\r
\r
  @param[in]  X509Stack       Pointer to a X509 stack object.\r
  @param[out] Cert            Pointer to a X509 certificate.\r
  @param[out] CertSize        Length of output X509 certificate in bytes.\r
                                 \r
  @retval     TRUE            The X509 stack pop succeeded.\r
  @retval     FALSE           The pop operation failed.\r
\r
**/\r
BOOLEAN\r
X509PopCertificate (\r
  IN  VOID  *X509Stack,\r
  OUT UINT8 **Cert,\r
  OUT UINTN *CertSize\r
  )\r
{\r
  BIO             *CertBio;\r
  X509            *X509Cert;\r
  STACK_OF(X509)  *CertStack;\r
  BOOLEAN         Status;\r
  int             Result;\r
  int             Length;\r
  VOID            *Buffer;\r
\r
  Status = FALSE;\r
\r
  if ((X509Stack == NULL) || (Cert == NULL) || (CertSize == NULL)) {\r
    return Status;\r
  }\r
\r
  CertStack = (STACK_OF(X509) *) X509Stack;\r
\r
  X509Cert = sk_X509_pop (CertStack);\r
\r
  if (X509Cert == NULL) {\r
    return Status;\r
  }\r
\r
  Buffer = NULL;\r
\r
  CertBio = BIO_new (BIO_s_mem ());\r
  if (CertBio == NULL) {\r
    return Status;\r
  }\r
\r
  Result = i2d_X509_bio (CertBio, X509Cert);\r
  if (Result == 0) {\r
    goto _Exit;\r
  }\r
\r
  Length = ((BUF_MEM *) CertBio->ptr)->length;\r
  if (Length <= 0) {\r
    goto _Exit;\r
  }\r
\r
  Buffer = malloc (Length);\r
  if (Buffer == NULL) {\r
    goto _Exit;\r
  }\r
\r
  Result = BIO_read (CertBio, Buffer, Length);\r
  if (Result != Length) {\r
    goto _Exit;\r
  }\r
\r
  *Cert     = Buffer;\r
  *CertSize = Length;\r
\r
  Status = TRUE;\r
\r
_Exit:\r
\r
  BIO_free (CertBio);\r
\r
  if (!Status && (Buffer != NULL)) {\r
    free (Buffer);\r
  }\r
\r
  return Status;\r
}\r
\r
/**\r
  Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7:\r
  Cryptographic Message Syntax Standard". The input signed data could be wrapped\r
  in a ContentInfo structure.\r
\r
  If P7Data, CertStack, StackLength, TrustedCert or CertLength is NULL, then\r
  return FALSE. If P7Length overflow, then return FAlSE.\r
\r
  Caution: This function may receive untrusted input.\r
  UEFI Authenticated Variable is external input, so this function will do basic\r
  check for PKCS#7 data structure.\r
\r
  @param[in]  P7Data       Pointer to the PKCS#7 message to verify.\r
  @param[in]  P7Length     Length of the PKCS#7 message in bytes.\r
  @param[out] CertStack    Pointer to Signer's certificates retrieved from P7Data.\r
                           It's caller's responsiblity to free the buffer.\r
  @param[out] StackLength  Length of signer's certificates in bytes.\r
  @param[out] TrustedCert  Pointer to a trusted certificate from Signer's certificates.\r
                           It's caller's responsiblity to free the buffer.\r
  @param[out] CertLength   Length of the trusted certificate in bytes.\r
\r
  @retval  TRUE            The operation is finished successfully.\r
  @retval  FALSE           Error occurs during the operation.\r
\r
**/\r
BOOLEAN\r
EFIAPI\r
Pkcs7GetSigners (\r
  IN  CONST UINT8  *P7Data,\r
  IN  UINTN        P7Length,\r
  OUT UINT8        **CertStack,\r
  OUT UINTN        *StackLength,\r
  OUT UINT8        **TrustedCert,\r
  OUT UINTN        *CertLength\r
  )\r
{\r
  PKCS7            *Pkcs7;\r
  BOOLEAN          Status;\r
  UINT8            *SignedData;\r
  UINT8            *Temp;\r
  UINTN            SignedDataSize;\r
  BOOLEAN          Wrapped;\r
  STACK_OF(X509)   *Stack;\r
  UINT8            Index;\r
  UINT8            *CertBuf;\r
  UINT8            *OldBuf;\r
  UINTN            BufferSize;\r
  UINTN            OldSize;\r
  UINT8            *SingleCert;\r
  UINTN            SingleCertSize;\r
\r
  if ((P7Data == NULL) || (CertStack == NULL) || (StackLength == NULL) ||\r
      (TrustedCert == NULL) || (CertLength == NULL) || (P7Length > INT_MAX)) {\r
    return FALSE;\r
  }\r
  \r
  Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);\r
  if (!Status) {\r
    return Status;\r
  }\r
\r
  Status     = FALSE;\r
  Pkcs7      = NULL;\r
  Stack      = NULL;\r
  CertBuf    = NULL;\r
  OldBuf     = NULL;\r
  SingleCert = NULL;\r
\r
  //\r
  // Retrieve PKCS#7 Data (DER encoding)\r
  //\r
  if (SignedDataSize > INT_MAX) {\r
    goto _Exit;\r
  }\r
\r
  Temp = SignedData;\r
  Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) SignedDataSize);\r
  if (Pkcs7 == NULL) {\r
    goto _Exit;\r
  }\r
\r
  //\r
  // Check if it's PKCS#7 Signed Data (for Authenticode Scenario)\r
  //\r
  if (!PKCS7_type_is_signed (Pkcs7)) {\r
    goto _Exit;\r
  }\r
\r
  Stack = PKCS7_get0_signers(Pkcs7, NULL, PKCS7_BINARY);\r
  if (Stack == NULL) {\r
    goto _Exit;\r
  }\r
\r
  //\r
  // Convert CertStack to buffer in following format:\r
  // UINT8  CertNumber;\r
  // UINT32 Cert1Length;\r
  // UINT8  Cert1[];\r
  // UINT32 Cert2Length;\r
  // UINT8  Cert2[];\r
  // ...\r
  // UINT32 CertnLength;\r
  // UINT8  Certn[];\r
  //\r
  BufferSize = sizeof (UINT8);\r
  OldSize    = BufferSize;\r
  \r
  for (Index = 0; ; Index++) {\r
    Status = X509PopCertificate (Stack, &SingleCert, &SingleCertSize);\r
    if (!Status) {\r
      break;\r
    }\r
\r
    OldSize    = BufferSize;\r
    OldBuf     = CertBuf;\r
    BufferSize = OldSize + SingleCertSize + sizeof (UINT32);\r
    CertBuf    = malloc (BufferSize);\r
\r
    if (CertBuf == NULL) {\r
      goto _Exit;\r
    }\r
\r
    if (OldBuf != NULL) {\r
      CopyMem (CertBuf, OldBuf, OldSize);\r
      free (OldBuf);\r
      OldBuf = NULL;\r
    }\r
\r
    WriteUnaligned32 ((UINT32 *) (CertBuf + OldSize), (UINT32) SingleCertSize);\r
    CopyMem (CertBuf + OldSize + sizeof (UINT32), SingleCert, SingleCertSize);\r
\r
    free (SingleCert);\r
    SingleCert = NULL;\r
  }\r
\r
  if (CertBuf != NULL) {\r
    //\r
    // Update CertNumber.\r
    //\r
    CertBuf[0] = Index;\r
\r
    *CertLength = BufferSize - OldSize - sizeof (UINT32);\r
    *TrustedCert = malloc (*CertLength);\r
    if (*TrustedCert == NULL) {\r
      goto _Exit;\r
    }\r
\r
    CopyMem (*TrustedCert, CertBuf + OldSize + sizeof (UINT32), *CertLength);\r
    *CertStack   = CertBuf;\r
    *StackLength = BufferSize;\r
    Status = TRUE;\r
  } \r
\r
_Exit:\r
  //\r
  // Release Resources\r
  //\r
  if (!Wrapped) {\r
    free (SignedData);\r
  }\r
\r
  if (Pkcs7 != NULL) {\r
    PKCS7_free (Pkcs7);\r
  }\r
\r
  if (Stack != NULL) {\r
    sk_X509_pop_free(Stack, X509_free);\r
  }\r
\r
  if (SingleCert !=  NULL) {\r
    free (SingleCert);\r
  }\r
\r
  if (!Status && (CertBuf != NULL)) {\r
    free (CertBuf);\r
    *CertStack = NULL;\r
  }\r
\r
  if (OldBuf != NULL) {\r
    free (OldBuf);\r
  }\r
  \r
  return Status;\r
}\r
\r
/**\r
  Wrap function to use free() to free allocated memory for certificates.\r
\r
  @param[in]  Certs        Pointer to the certificates to be freed.\r
\r
**/\r
VOID\r
EFIAPI\r
Pkcs7FreeSigners (\r
  IN  UINT8        *Certs\r
  )\r
{\r
  if (Certs == NULL) {\r
    return;\r
  }\r
\r
  free (Certs);\r
}\r
\r
/**\r
  Verifies the validility of a PKCS#7 signed data as described in "PKCS #7:\r
  Cryptographic Message Syntax Standard". The input signed data could be wrapped\r
  in a ContentInfo structure.\r
\r
  If P7Data, TrustedCert or InData is NULL, then return FALSE.\r
  If P7Length, CertLength or DataLength overflow, then return FAlSE.\r
\r
  Caution: This function may receive untrusted input.\r
  UEFI Authenticated Variable is external input, so this function will do basic\r
  check for PKCS#7 data structure.\r
\r
  @param[in]  P7Data       Pointer to the PKCS#7 message to verify.\r
  @param[in]  P7Length     Length of the PKCS#7 message in bytes.\r
  @param[in]  TrustedCert  Pointer to a trusted/root certificate encoded in DER, which\r
                           is used for certificate chain verification.\r
  @param[in]  CertLength   Length of the trusted certificate in bytes.\r
  @param[in]  InData       Pointer to the content to be verified.\r
  @param[in]  DataLength   Length of InData in bytes.\r
\r
  @retval  TRUE  The specified PKCS#7 signed data is valid.\r
  @retval  FALSE Invalid PKCS#7 signed data.\r
\r
**/\r
BOOLEAN\r
EFIAPI\r
Pkcs7Verify (\r
  IN  CONST UINT8  *P7Data,\r
  IN  UINTN        P7Length,\r
  IN  CONST UINT8  *TrustedCert,\r
  IN  UINTN        CertLength,\r
  IN  CONST UINT8  *InData,\r
  IN  UINTN        DataLength\r
  )\r
{\r
  PKCS7       *Pkcs7;\r
  BIO         *CertBio;\r
  BIO         *DataBio;\r
  BOOLEAN     Status;\r
  X509        *Cert;\r
  X509_STORE  *CertStore;\r
  UINT8       *SignedData;\r
  UINT8       *Temp;\r
  UINTN       SignedDataSize;\r
  BOOLEAN     Wrapped;\r
\r
  //\r
  // Check input parameters.\r
  //\r
  if (P7Data == NULL || TrustedCert == NULL || InData == NULL || \r
    P7Length > INT_MAX || CertLength > INT_MAX || DataLength > INT_MAX) {\r
    return FALSE;\r
  }\r
  \r
  Pkcs7     = NULL;\r
  CertBio   = NULL;\r
  DataBio   = NULL;\r
  Cert      = NULL;\r
  CertStore = NULL;\r
\r
  //\r
  // Register & Initialize necessary digest algorithms for PKCS#7 Handling\r
  //\r
  if (EVP_add_digest (EVP_md5 ()) == 0) {\r
    return FALSE;\r
  }\r
  if (EVP_add_digest (EVP_sha1 ()) == 0) {\r
    return FALSE;\r
  }\r
  if (EVP_add_digest (EVP_sha256 ()) == 0) {\r
    return FALSE;\r
  }\r
  if (EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA) == 0) {\r
    return FALSE;\r
  }\r
\r
\r
  Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);\r
  if (!Status) {\r
    return Status;\r
  }\r
\r
  Status = FALSE;\r
  \r
  //\r
  // Retrieve PKCS#7 Data (DER encoding)\r
  //\r
  if (SignedDataSize > INT_MAX) {\r
    goto _Exit;\r
  }\r
\r
  Temp = SignedData;\r
  Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) SignedDataSize);\r
  if (Pkcs7 == NULL) {\r
    goto _Exit;\r
  }\r
\r
  //\r
  // Check if it's PKCS#7 Signed Data (for Authenticode Scenario)\r
  //\r
  if (!PKCS7_type_is_signed (Pkcs7)) {\r
    goto _Exit;\r
  }\r
\r
  //\r
  // Read DER-encoded root certificate and Construct X509 Certificate\r
  //\r
  CertBio = BIO_new (BIO_s_mem ());\r
  BIO_write (CertBio, TrustedCert, (int)CertLength);\r
  if (CertBio == NULL) {\r
    goto _Exit;\r
  }\r
  Cert = d2i_X509_bio (CertBio, NULL);\r
  if (Cert == NULL) {\r
    goto _Exit;\r
  }\r
\r
  //\r
  // Setup X509 Store for trusted certificate\r
  //\r
  CertStore = X509_STORE_new ();\r
  if (CertStore == NULL) {\r
    goto _Exit;\r
  }\r
  if (!(X509_STORE_add_cert (CertStore, Cert))) {\r
    goto _Exit;\r
  }\r
\r
  //\r
  // Register customized X509 verification callback function to support\r
  // trusted intermediate certificate anchor.\r
  //\r
  CertStore->verify_cb = X509VerifyCb;\r
\r
  //\r
  // For generic PKCS#7 handling, InData may be NULL if the content is present\r
  // in PKCS#7 structure. So ignore NULL checking here.\r
  //\r
  DataBio = BIO_new (BIO_s_mem ());\r
  BIO_write (DataBio, InData, (int)DataLength);\r
\r
  //\r
  // Verifies the PKCS#7 signedData structure\r
  //\r
  Status = (BOOLEAN) PKCS7_verify (Pkcs7, NULL, CertStore, DataBio, NULL, PKCS7_BINARY);\r
\r
_Exit:\r
  //\r
  // Release Resources\r
  //\r
  BIO_free (DataBio);\r
  BIO_free (CertBio);\r
  X509_free (Cert);\r
  X509_STORE_free (CertStore);\r
  PKCS7_free (Pkcs7);\r
\r
  if (!Wrapped) {\r
    OPENSSL_free (SignedData);\r
  }\r
\r
  return Status;\r
}\r
Commit	Line	Data
532616bb	1	/** @file\r
	2	PKCS#7 SignedData Verification Wrapper Implementation over OpenSSL.\r
	3	\r
	4	Caution: This module requires additional review when modified.\r
	5	This library will have external input - signature (e.g. UEFI Authenticated\r
	6	Variable). It may by input in SMM mode.\r
	7	This external input must be validated carefully to avoid security issue like\r
	8	buffer overflow, integer overflow.\r
	9	\r
	10	WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated\r
	11	Variable and will do basic check for data structure.\r
	12	\r
	13	Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>\r
	14	This program and the accompanying materials\r
	15	are licensed and made available under the terms and conditions of the BSD License\r
	16	which accompanies this distribution. The full text of the license may be found at\r
	17	http://opensource.org/licenses/bsd-license.php\r
	18	\r
	19	THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	20	WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	21	\r
	22	**/\r
	23	\r
	24	#include "InternalCryptLib.h"\r
	25	\r
	26	#include <openssl/objects.h>\r
	27	#include <openssl/x509.h>\r
	28	#include <openssl/pkcs7.h>\r
	29	\r
	30	UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };\r
	31	\r
	32	/**\r
	33	Verification callback function to override any existing callbacks in OpenSSL\r
	34	for intermediate certificate supports.\r
	35	\r
	36	@param[in] Status Original status before calling this callback.\r
	37	@param[in] Context X509 store context.\r
	38	\r
	39	@retval 1 Current X509 certificate is verified successfully.\r
	40	@retval 0 Verification failed.\r
	41	\r
	42	**/\r
	43	int\r
	44	X509VerifyCb (\r
	45	IN int Status,\r
	46	IN X509_STORE_CTX *Context\r
	47	)\r
	48	{\r
	49	X509_OBJECT *Obj;\r
	50	INTN Error;\r
	51	INTN Index;\r
	52	INTN Count;\r
	53	\r
	54	Obj = NULL;\r
	55	Error = (INTN) X509_STORE_CTX_get_error (Context);\r
	56	\r
	57	//\r
	58	// X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_\r
	59	// CERT_LOCALLY mean a X509 certificate is not self signed and its issuer\r
	60	// can not be found in X509_verify_cert of X509_vfy.c.\r
	61	// In order to support intermediate certificate node, we override the\r
	62	// errors if the certification is obtained from X509 store, i.e. it is\r
	63	// a trusted ceritifcate node that is enrolled by user.\r
	64	// Besides,X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE\r
65	// are also ignored to enable such feature.\r
66	//\r
67	if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) \|\|\r
68	(Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {\r
69	Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));\r
70	if (Obj == NULL) {\r
71	return 0;\r
72	}\r
73	\r
74	Obj->type = X509_LU_X509;\r
75	Obj->data.x509 = Context->current_cert;\r
76	\r
77	CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE);\r
78	\r
79	if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {\r
80	Status = 1;\r
81	} else {\r
82	//\r
83	// If any certificate in the chain is enrolled as trusted certificate,\r
84	// pass the certificate verification.\r
85	//\r
86	if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {\r
87	Count = (INTN) sk_X509_num (Context->chain);\r
88	for (Index = 0; Index < Count; Index++) {\r
89	Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);\r
90	if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {\r
91	Status = 1;\r
92	break;\r
93	}\r
94	}\r
95	}\r
96	}\r
97	\r
98	CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE);\r
99	}\r
100	\r
101	if ((Error == X509_V_ERR_CERT_UNTRUSTED) \|\|\r
102	(Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {\r
103	Status = 1;\r
104	}\r
105	\r
106	if (Obj != NULL) {\r
107	OPENSSL_free (Obj);\r
108	}\r
109	\r
110	return Status;\r
111	}\r
112	\r
113	/**\r
114	Check input P7Data is a wrapped ContentInfo structure or not. If not construct\r
115	a new structure to wrap P7Data.\r
116	\r
117	Caution: This function may receive untrusted input.\r
118	UEFI Authenticated Variable is external input, so this function will do basic\r
119	check for PKCS#7 data structure.\r
120	\r
121	@param[in] P7Data Pointer to the PKCS#7 message to verify.\r
122	@param[in] P7Length Length of the PKCS#7 message in bytes.\r
123	@param[out] WrapFlag If TRUE P7Data is a ContentInfo structure, otherwise\r
124	return FALSE.\r
125	@param[out] WrapData If return status of this function is TRUE: \r
126	1) when WrapFlag is TRUE, pointer to P7Data.\r
127	2) when WrapFlag is FALSE, pointer to a new ContentInfo\r
128	structure. It's caller's responsibility to free this\r
129	buffer.\r
130	@param[out] WrapDataSize Length of ContentInfo structure in bytes.\r
131	\r
132	@retval TRUE The operation is finished successfully.\r
133	@retval FALSE The operation is failed due to lack of resources.\r
134	\r
135	**/\r
136	BOOLEAN\r
137	WrapPkcs7Data (\r
138	IN CONST UINT8 *P7Data,\r
139	IN UINTN P7Length,\r
140	OUT BOOLEAN *WrapFlag,\r
141	OUT UINT8 **WrapData,\r
142	OUT UINTN *WrapDataSize\r
143	)\r
144	{\r
145	BOOLEAN Wrapped;\r
146	UINT8 *SignedData;\r
147	\r
148	//\r
149	// Check whether input P7Data is a wrapped ContentInfo structure or not.\r
150	//\r
151	Wrapped = FALSE;\r
152	if ((P7Data[4] == 0x06) && (P7Data[5] == 0x09)) {\r
153	if (CompareMem (P7Data + 6, mOidValue, sizeof (mOidValue)) == 0) {\r
154	if ((P7Data[15] == 0xA0) && (P7Data[16] == 0x82)) {\r
155	Wrapped = TRUE;\r
156	}\r
157	}\r
158	}\r
159	\r
160	if (Wrapped) {\r
161	WrapData = (UINT8 ) P7Data;\r
162	*WrapDataSize = P7Length;\r
163	} else {\r
164	//\r
165	// Wrap PKCS#7 signeddata to a ContentInfo structure - add a header in 19 bytes.\r
166	//\r
167	*WrapDataSize = P7Length + 19;\r
168	WrapData = malloc (WrapDataSize);\r
169	if (*WrapData == NULL) {\r
170	*WrapFlag = Wrapped;\r
171	return FALSE;\r
172	}\r
173	\r
174	SignedData = *WrapData;\r
175	\r
176	//\r
177	// Part1: 0x30, 0x82.\r
178	//\r
179	SignedData[0] = 0x30;\r
180	SignedData[1] = 0x82;\r
181	\r
182	//\r
183	// Part2: Length1 = P7Length + 19 - 4, in big endian.\r
184	//\r
185	SignedData[2] = (UINT8) (((UINT16) (*WrapDataSize - 4)) >> 8);\r
186	SignedData[3] = (UINT8) (((UINT16) (*WrapDataSize - 4)) & 0xff);\r
187	\r
188	//\r
189	// Part3: 0x06, 0x09.\r
190	//\r
191	SignedData[4] = 0x06;\r
192	SignedData[5] = 0x09;\r
193	\r
194	//\r
195	// Part4: OID value -- 0x2A 0x86 0x48 0x86 0xF7 0x0D 0x01 0x07 0x02.\r
196	//\r
197	CopyMem (SignedData + 6, mOidValue, sizeof (mOidValue));\r
198	\r
199	//\r
200	// Part5: 0xA0, 0x82.\r
201	//\r
202	SignedData[15] = 0xA0;\r
203	SignedData[16] = 0x82;\r
204	\r
205	//\r
206	// Part6: Length2 = P7Length, in big endian.\r
207	//\r
208	SignedData[17] = (UINT8) (((UINT16) P7Length) >> 8);\r
209	SignedData[18] = (UINT8) (((UINT16) P7Length) & 0xff);\r
210	\r
211	//\r
212	// Part7: P7Data.\r
213	//\r
214	CopyMem (SignedData + 19, P7Data, P7Length);\r
215	}\r
216	\r
217	*WrapFlag = Wrapped;\r
218	return TRUE;\r
219	}\r
220	\r
efad60c5	221	/**\r
	222	Pop single certificate from STACK_OF(X509).\r
	223	\r
	224	If X509Stack, Cert, or CertSize is NULL, then return FALSE.\r
	225	\r
	226	@param[in] X509Stack Pointer to a X509 stack object.\r
	227	@param[out] Cert Pointer to a X509 certificate.\r
	228	@param[out] CertSize Length of output X509 certificate in bytes.\r
	229	\r
	230	@retval TRUE The X509 stack pop succeeded.\r
	231	@retval FALSE The pop operation failed.\r
	232	\r
	233	**/\r
	234	BOOLEAN\r
	235	X509PopCertificate (\r
	236	IN VOID *X509Stack,\r
	237	OUT UINT8 **Cert,\r
	238	OUT UINTN *CertSize\r
	239	)\r
	240	{\r
	241	BIO *CertBio;\r
	242	X509 *X509Cert;\r
	243	STACK_OF(X509) *CertStack;\r
	244	BOOLEAN Status;\r
	245	int Result;\r
	246	int Length;\r
	247	VOID *Buffer;\r
	248	\r
	249	Status = FALSE;\r
	250	\r
	251	if ((X509Stack == NULL) \|\| (Cert == NULL) \|\| (CertSize == NULL)) {\r
	252	return Status;\r
	253	}\r
	254	\r
	255	CertStack = (STACK_OF(X509) *) X509Stack;\r
	256	\r
	257	X509Cert = sk_X509_pop (CertStack);\r
	258	\r
	259	if (X509Cert == NULL) {\r
	260	return Status;\r
	261	}\r
	262	\r
	263	Buffer = NULL;\r
	264	\r
	265	CertBio = BIO_new (BIO_s_mem ());\r
	266	if (CertBio == NULL) {\r
	267	return Status;\r
	268	}\r
	269	\r
	270	Result = i2d_X509_bio (CertBio, X509Cert);\r
	271	if (Result == 0) {\r
	272	goto _Exit;\r
	273	}\r
	274	\r
	275	Length = ((BUF_MEM *) CertBio->ptr)->length;\r
	276	if (Length <= 0) {\r
	277	goto _Exit;\r
	278	}\r
	279	\r
	280	Buffer = malloc (Length);\r
	281	if (Buffer == NULL) {\r
	282	goto _Exit;\r
	283	}\r
	284	\r
285	Result = BIO_read (CertBio, Buffer, Length);\r
286	if (Result != Length) {\r
287	goto _Exit;\r
288	}\r
289	\r
290	*Cert = Buffer;\r
291	*CertSize = Length;\r
292	\r
293	Status = TRUE;\r
294	\r
295	_Exit:\r
296	\r
297	BIO_free (CertBio);\r
298	\r
299	if (!Status && (Buffer != NULL)) {\r
300	free (Buffer);\r
301	}\r
302	\r
303	return Status;\r
304	}\r
305	\r
532616bb	306	/**\r
	307	Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7:\r
	308	Cryptographic Message Syntax Standard". The input signed data could be wrapped\r
	309	in a ContentInfo structure.\r
	310	\r
	311	If P7Data, CertStack, StackLength, TrustedCert or CertLength is NULL, then\r
	312	return FALSE. If P7Length overflow, then return FAlSE.\r
	313	\r
	314	Caution: This function may receive untrusted input.\r
	315	UEFI Authenticated Variable is external input, so this function will do basic\r
	316	check for PKCS#7 data structure.\r
	317	\r
	318	@param[in] P7Data Pointer to the PKCS#7 message to verify.\r
	319	@param[in] P7Length Length of the PKCS#7 message in bytes.\r
	320	@param[out] CertStack Pointer to Signer's certificates retrieved from P7Data.\r
	321	It's caller's responsiblity to free the buffer.\r
	322	@param[out] StackLength Length of signer's certificates in bytes.\r
	323	@param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates.\r
	324	It's caller's responsiblity to free the buffer.\r
	325	@param[out] CertLength Length of the trusted certificate in bytes.\r
	326	\r
	327	@retval TRUE The operation is finished successfully.\r
	328	@retval FALSE Error occurs during the operation.\r
	329	\r
	330	**/\r
	331	BOOLEAN\r
	332	EFIAPI\r
	333	Pkcs7GetSigners (\r
	334	IN CONST UINT8 *P7Data,\r
	335	IN UINTN P7Length,\r
	336	OUT UINT8 **CertStack,\r
	337	OUT UINTN *StackLength,\r
	338	OUT UINT8 **TrustedCert,\r
	339	OUT UINTN *CertLength\r
	340	)\r
	341	{\r
	342	PKCS7 *Pkcs7;\r
	343	BOOLEAN Status;\r
	344	UINT8 *SignedData;\r
	345	UINT8 *Temp;\r
	346	UINTN SignedDataSize;\r
	347	BOOLEAN Wrapped;\r
	348	STACK_OF(X509) *Stack;\r
	349	UINT8 Index;\r
	350	UINT8 *CertBuf;\r
	351	UINT8 *OldBuf;\r
	352	UINTN BufferSize;\r
	353	UINTN OldSize;\r
	354	UINT8 *SingleCert;\r
	355	UINTN SingleCertSize;\r
	356	\r
	357	if ((P7Data == NULL) \|\| (CertStack == NULL) \|\| (StackLength == NULL) \|\|\r
	358	(TrustedCert == NULL) \|\| (CertLength == NULL) \|\| (P7Length > INT_MAX)) {\r
	359	return FALSE;\r
	360	}\r
	361	\r
	362	Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);\r
	363	if (!Status) {\r
	364	return Status;\r
	365	}\r
	366	\r
	367	Status = FALSE;\r
	368	Pkcs7 = NULL;\r
	369	Stack = NULL;\r
370	CertBuf = NULL;\r
371	OldBuf = NULL;\r
372	SingleCert = NULL;\r
373	\r
374	//\r
375	// Retrieve PKCS#7 Data (DER encoding)\r
376	//\r
377	if (SignedDataSize > INT_MAX) {\r
378	goto _Exit;\r
379	}\r
380	\r
381	Temp = SignedData;\r
382	Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) SignedDataSize);\r
383	if (Pkcs7 == NULL) {\r
384	goto _Exit;\r
385	}\r
386	\r
387	//\r
388	// Check if it's PKCS#7 Signed Data (for Authenticode Scenario)\r
389	//\r
390	if (!PKCS7_type_is_signed (Pkcs7)) {\r
391	goto _Exit;\r
392	}\r
393	\r
394	Stack = PKCS7_get0_signers(Pkcs7, NULL, PKCS7_BINARY);\r
395	if (Stack == NULL) {\r
396	goto _Exit;\r
397	}\r
398	\r
399	//\r
400	// Convert CertStack to buffer in following format:\r
401	// UINT8 CertNumber;\r
402	// UINT32 Cert1Length;\r
403	// UINT8 Cert1[];\r
404	// UINT32 Cert2Length;\r
405	// UINT8 Cert2[];\r
406	// ...\r
407	// UINT32 CertnLength;\r
408	// UINT8 Certn[];\r
409	//\r
410	BufferSize = sizeof (UINT8);\r
411	OldSize = BufferSize;\r
412	\r
413	for (Index = 0; ; Index++) {\r
414	Status = X509PopCertificate (Stack, &SingleCert, &SingleCertSize);\r
415	if (!Status) {\r
416	break;\r
417	}\r
418	\r
419	OldSize = BufferSize;\r
420	OldBuf = CertBuf;\r
421	BufferSize = OldSize + SingleCertSize + sizeof (UINT32);\r
422	CertBuf = malloc (BufferSize);\r
423	\r
424	if (CertBuf == NULL) {\r
425	goto _Exit;\r
426	}\r
427	\r
428	if (OldBuf != NULL) {\r
429	CopyMem (CertBuf, OldBuf, OldSize);\r
430	free (OldBuf);\r
431	OldBuf = NULL;\r
432	}\r
433	\r
434	WriteUnaligned32 ((UINT32 *) (CertBuf + OldSize), (UINT32) SingleCertSize);\r
435	CopyMem (CertBuf + OldSize + sizeof (UINT32), SingleCert, SingleCertSize);\r
436	\r
437	free (SingleCert);\r
438	SingleCert = NULL;\r
439	}\r
440	\r
441	if (CertBuf != NULL) {\r
442	//\r
443	// Update CertNumber.\r
444	//\r
445	CertBuf[0] = Index;\r
446	\r
447	*CertLength = BufferSize - OldSize - sizeof (UINT32);\r
448	TrustedCert = malloc (CertLength);\r
449	if (*TrustedCert == NULL) {\r
450	goto _Exit;\r
451	}\r
452	\r
453	CopyMem (TrustedCert, CertBuf + OldSize + sizeof (UINT32), CertLength);\r
454	*CertStack = CertBuf;\r
455	*StackLength = BufferSize;\r
456	Status = TRUE;\r
457	} \r
458	\r
459	_Exit:\r
460	//\r
461	// Release Resources\r
462	//\r
463	if (!Wrapped) {\r
464	free (SignedData);\r
465	}\r
466	\r
467	if (Pkcs7 != NULL) {\r
468	PKCS7_free (Pkcs7);\r
469	}\r
470	\r
471	if (Stack != NULL) {\r
472	sk_X509_pop_free(Stack, X509_free);\r
473	}\r
474	\r
475	if (SingleCert != NULL) {\r
476	free (SingleCert);\r
477	}\r
478	\r
479	if (!Status && (CertBuf != NULL)) {\r
480	free (CertBuf);\r
481	*CertStack = NULL;\r
482	}\r
483	\r
484	if (OldBuf != NULL) {\r
485	free (OldBuf);\r
486	}\r
487	\r
488	return Status;\r
489	}\r
490	\r
491	/**\r
492	Wrap function to use free() to free allocated memory for certificates.\r
493	\r
494	@param[in] Certs Pointer to the certificates to be freed.\r
495	\r
496	**/\r
497	VOID\r
498	EFIAPI\r
499	Pkcs7FreeSigners (\r
500	IN UINT8 *Certs\r
501	)\r
502	{\r
503	if (Certs == NULL) {\r
504	return;\r
505	}\r
506	\r
507	free (Certs);\r
508	}\r
509	\r
510	/**\r
511	Verifies the validility of a PKCS#7 signed data as described in "PKCS #7:\r
512	Cryptographic Message Syntax Standard". The input signed data could be wrapped\r
513	in a ContentInfo structure.\r
514	\r
515	If P7Data, TrustedCert or InData is NULL, then return FALSE.\r
516	If P7Length, CertLength or DataLength overflow, then return FAlSE.\r
517	\r
518	Caution: This function may receive untrusted input.\r
519	UEFI Authenticated Variable is external input, so this function will do basic\r
520	check for PKCS#7 data structure.\r
521	\r
522	@param[in] P7Data Pointer to the PKCS#7 message to verify.\r
523	@param[in] P7Length Length of the PKCS#7 message in bytes.\r
524	@param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which\r
525	is used for certificate chain verification.\r
526	@param[in] CertLength Length of the trusted certificate in bytes.\r
527	@param[in] InData Pointer to the content to be verified.\r
528	@param[in] DataLength Length of InData in bytes.\r
529	\r
530	@retval TRUE The specified PKCS#7 signed data is valid.\r
531	@retval FALSE Invalid PKCS#7 signed data.\r
532	\r
533	**/\r
534	BOOLEAN\r
535	EFIAPI\r
536	Pkcs7Verify (\r
537	IN CONST UINT8 *P7Data,\r
538	IN UINTN P7Length,\r
539	IN CONST UINT8 *TrustedCert,\r
540	IN UINTN CertLength,\r
541	IN CONST UINT8 *InData,\r
542	IN UINTN DataLength\r
543	)\r
544	{\r
545	PKCS7 *Pkcs7;\r
546	BIO *CertBio;\r
547	BIO *DataBio;\r
548	BOOLEAN Status;\r
549	X509 *Cert;\r
550	X509_STORE *CertStore;\r
551	UINT8 *SignedData;\r
552	UINT8 *Temp;\r
553	UINTN SignedDataSize;\r
554	BOOLEAN Wrapped;\r
555	\r
556	//\r
557	// Check input parameters.\r
558	//\r
559	if (P7Data == NULL \|\| TrustedCert == NULL \|\| InData == NULL \|\| \r
560	P7Length > INT_MAX \|\| CertLength > INT_MAX \|\| DataLength > INT_MAX) {\r
561	return FALSE;\r
562	}\r
563	\r
564	Pkcs7 = NULL;\r
565	CertBio = NULL;\r
566	DataBio = NULL;\r
567	Cert = NULL;\r
568	CertStore = NULL;\r
569	\r
570	//\r
571	// Register & Initialize necessary digest algorithms for PKCS#7 Handling\r
572	//\r
dda39f3a	573	if (EVP_add_digest (EVP_md5 ()) == 0) {\r
	574	return FALSE;\r
	575	}\r
	576	if (EVP_add_digest (EVP_sha1 ()) == 0) {\r
	577	return FALSE;\r
	578	}\r
	579	if (EVP_add_digest (EVP_sha256 ()) == 0) {\r
	580	return FALSE;\r
	581	}\r
	582	if (EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA) == 0) {\r
	583	return FALSE;\r
	584	}\r
	585	\r
532616bb	586	\r
	587	Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);\r
	588	if (!Status) {\r
	589	return Status;\r
	590	}\r
	591	\r
	592	Status = FALSE;\r
	593	\r
	594	//\r
	595	// Retrieve PKCS#7 Data (DER encoding)\r
	596	//\r
	597	if (SignedDataSize > INT_MAX) {\r
	598	goto _Exit;\r
	599	}\r
	600	\r
	601	Temp = SignedData;\r
	602	Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **) &Temp, (int) SignedDataSize);\r
	603	if (Pkcs7 == NULL) {\r
	604	goto _Exit;\r
	605	}\r
	606	\r
	607	//\r
	608	// Check if it's PKCS#7 Signed Data (for Authenticode Scenario)\r
	609	//\r
	610	if (!PKCS7_type_is_signed (Pkcs7)) {\r
	611	goto _Exit;\r
	612	}\r
	613	\r
	614	//\r
	615	// Read DER-encoded root certificate and Construct X509 Certificate\r
	616	//\r
	617	CertBio = BIO_new (BIO_s_mem ());\r
	618	BIO_write (CertBio, TrustedCert, (int)CertLength);\r
	619	if (CertBio == NULL) {\r
	620	goto _Exit;\r
	621	}\r
	622	Cert = d2i_X509_bio (CertBio, NULL);\r
	623	if (Cert == NULL) {\r
	624	goto _Exit;\r
	625	}\r
	626	\r
	627	//\r
	628	// Setup X509 Store for trusted certificate\r
	629	//\r
	630	CertStore = X509_STORE_new ();\r
	631	if (CertStore == NULL) {\r
	632	goto _Exit;\r
	633	}\r
	634	if (!(X509_STORE_add_cert (CertStore, Cert))) {\r
	635	goto _Exit;\r
	636	}\r
	637	\r
	638	//\r
	639	// Register customized X509 verification callback function to support\r
	640	// trusted intermediate certificate anchor.\r
	641	//\r
	642	CertStore->verify_cb = X509VerifyCb;\r
	643	\r
	644	//\r
	645	// For generic PKCS#7 handling, InData may be NULL if the content is present\r
	646	// in PKCS#7 structure. So ignore NULL checking here.\r
	647	//\r
	648	DataBio = BIO_new (BIO_s_mem ());\r
	649	BIO_write (DataBio, InData, (int)DataLength);\r
650	\r
651	//\r
652	// Verifies the PKCS#7 signedData structure\r
653	//\r
654	Status = (BOOLEAN) PKCS7_verify (Pkcs7, NULL, CertStore, DataBio, NULL, PKCS7_BINARY);\r
655	\r
656	_Exit:\r
657	//\r
658	// Release Resources\r
659	//\r
660	BIO_free (DataBio);\r
661	BIO_free (CertBio);\r
662	X509_free (Cert);\r
663	X509_STORE_free (CertStore);\r
664	PKCS7_free (Pkcs7);\r
665	\r
666	if (!Wrapped) {\r
667	OPENSSL_free (SignedData);\r
668	}\r
669	\r
670	return Status;\r
671	}\r