[mirror_edk2.git] / CryptoPkg / Library / BaseCryptLib / Pk / CryptPkcs7VerifyBase.c

/** @file\r
  Non-runtime specific implementation of PKCS#7 SignedData Verification Wrapper.\r
\r
Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>\r
SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#include "InternalCryptLib.h"\r
\r
#include <openssl/objects.h>\r
#include <openssl/x509.h>\r
#include <openssl/x509v3.h>\r
#include <openssl/pkcs7.h>\r
\r
/**\r
  Check the contents of PKCS7 is not data.\r
\r
  It is copied from PKCS7_type_is_other() in pk7_doit.c.\r
\r
  @param[in] P7 Pointer to the location at which the PKCS7 is located.\r
\r
  @retval TRUE  If the type is others.\r
  @retval FALSE If the type is expected.\r
**/\r
STATIC\r
BOOLEAN\r
Pkcs7TypeIsOther (\r
  IN PKCS7  *P7\r
  )\r
{\r
  BOOLEAN  Others;\r
  INTN     Nid = OBJ_obj2nid (P7->type);\r
\r
  switch (Nid) {\r
    case NID_pkcs7_data:\r
    case NID_pkcs7_signed:\r
    case NID_pkcs7_enveloped:\r
    case NID_pkcs7_signedAndEnveloped:\r
    case NID_pkcs7_encrypted:\r
      Others = FALSE;\r
      break;\r
    default:\r
      Others = TRUE;\r
  }\r
\r
  return Others;\r
}\r
\r
/**\r
  Get the ASN.1 string for the PKCS7.\r
\r
  It is copied from PKCS7_get_octet_string() in pk7_doit.c.\r
\r
  @param[in] P7 Pointer to the location at which the PKCS7 is located.\r
\r
  @return ASN1_OCTET_STRING ASN.1 string.\r
**/\r
STATIC\r
ASN1_OCTET_STRING *\r
Pkcs7GetOctetString (\r
  IN PKCS7  *P7\r
  )\r
{\r
  if (PKCS7_type_is_data (P7)) {\r
    return P7->d.data;\r
  }\r
\r
  if (Pkcs7TypeIsOther (P7) && (P7->d.other != NULL) &&\r
      (P7->d.other->type == V_ASN1_OCTET_STRING))\r
  {\r
    return P7->d.other->value.octet_string;\r
  }\r
\r
  return NULL;\r
}\r
\r
/**\r
  Extracts the attached content from a PKCS#7 signed data if existed. The input signed\r
  data could be wrapped in a ContentInfo structure.\r
\r
  If P7Data, Content, or ContentSize is NULL, then return FALSE. If P7Length overflow,\r
  then return FALSE. If the P7Data is not correctly formatted, then return FALSE.\r
\r
  Caution: This function may receive untrusted input. So this function will do\r
           basic check for PKCS#7 data structure.\r
\r
  @param[in]   P7Data       Pointer to the PKCS#7 signed data to process.\r
  @param[in]   P7Length     Length of the PKCS#7 signed data in bytes.\r
  @param[out]  Content      Pointer to the extracted content from the PKCS#7 signedData.\r
                            It's caller's responsibility to free the buffer with FreePool().\r
  @param[out]  ContentSize  The size of the extracted content in bytes.\r
\r
  @retval     TRUE          The P7Data was correctly formatted for processing.\r
  @retval     FALSE         The P7Data was not correctly formatted for processing.\r
\r
**/\r
BOOLEAN\r
EFIAPI\r
Pkcs7GetAttachedContent (\r
  IN  CONST UINT8  *P7Data,\r
  IN  UINTN        P7Length,\r
  OUT VOID         **Content,\r
  OUT UINTN        *ContentSize\r
  )\r
{\r
  BOOLEAN            Status;\r
  PKCS7              *Pkcs7;\r
  UINT8              *SignedData;\r
  UINTN              SignedDataSize;\r
  BOOLEAN            Wrapped;\r
  CONST UINT8        *Temp;\r
  ASN1_OCTET_STRING  *OctStr;\r
\r
  //\r
  // Check input parameter.\r
  //\r
  if ((P7Data == NULL) || (P7Length > INT_MAX) || (Content == NULL) || (ContentSize == NULL)) {\r
    return FALSE;\r
  }\r
\r
  *Content   = NULL;\r
  Pkcs7      = NULL;\r
  SignedData = NULL;\r
  OctStr     = NULL;\r
\r
  Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);\r
  if (!Status || (SignedDataSize > INT_MAX)) {\r
    goto _Exit;\r
  }\r
\r
  Status = FALSE;\r
\r
  //\r
  // Decoding PKCS#7 SignedData\r
  //\r
  Temp  = SignedData;\r
  Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **)&Temp, (int)SignedDataSize);\r
  if (Pkcs7 == NULL) {\r
    goto _Exit;\r
  }\r
\r
  //\r
  // The type of Pkcs7 must be signedData\r
  //\r
  if (!PKCS7_type_is_signed (Pkcs7)) {\r
    goto _Exit;\r
  }\r
\r
  //\r
  // Check for detached or attached content\r
  //\r
  if (PKCS7_get_detached (Pkcs7)) {\r
    //\r
    // No Content supplied for PKCS7 detached signedData\r
    //\r
    *Content     = NULL;\r
    *ContentSize = 0;\r
  } else {\r
    //\r
    // Retrieve the attached content in PKCS7 signedData\r
    //\r
    OctStr = Pkcs7GetOctetString (Pkcs7->d.sign->contents);\r
    if (OctStr == NULL) {\r
      goto _Exit;\r
    }\r
\r
    if ((OctStr->length > 0) && (OctStr->data != NULL)) {\r
      *ContentSize = OctStr->length;\r
      *Content     = AllocatePool (*ContentSize);\r
      if (*Content == NULL) {\r
        *ContentSize = 0;\r
        goto _Exit;\r
      }\r
\r
      CopyMem (*Content, OctStr->data, *ContentSize);\r
    }\r
  }\r
\r
  Status = TRUE;\r
\r
_Exit:\r
  //\r
  // Release Resources\r
  //\r
  PKCS7_free (Pkcs7);\r
\r
  if (!Wrapped) {\r
    OPENSSL_free (SignedData);\r
  }\r
\r
  return Status;\r
}\r
Commit	Line	Data
cc01b26e JW	1	/** @file\r
	2	Non-runtime specific implementation of PKCS#7 SignedData Verification Wrapper.\r
	3	\r
	4	Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>\r
2009f6b4	5	SPDX-License-Identifier: BSD-2-Clause-Patent\r
cc01b26e JW	6	\r
	7	**/\r
	8	\r
	9	#include "InternalCryptLib.h"\r
	10	\r
	11	#include <openssl/objects.h>\r
	12	#include <openssl/x509.h>\r
	13	#include <openssl/x509v3.h>\r
	14	#include <openssl/pkcs7.h>\r
	15	\r
469eb461 GJ	16	/**\r
	17	Check the contents of PKCS7 is not data.\r
	18	\r
	19	It is copied from PKCS7_type_is_other() in pk7_doit.c.\r
	20	\r
	21	@param[in] P7 Pointer to the location at which the PKCS7 is located.\r
	22	\r
	23	@retval TRUE If the type is others.\r
	24	@retval FALSE If the type is expected.\r
	25	**/\r
	26	STATIC\r
	27	BOOLEAN\r
	28	Pkcs7TypeIsOther (\r
7c342378	29	IN PKCS7 *P7\r
469eb461 GJ	30	)\r
469eb461 GJ	31	{\r
7c342378 MK	32	BOOLEAN Others;\r
7c342378 MK	33	INTN Nid = OBJ_obj2nid (P7->type);\r
469eb461 GJ	34	\r
	35	switch (Nid) {\r
	36	case NID_pkcs7_data:\r
	37	case NID_pkcs7_signed:\r
	38	case NID_pkcs7_enveloped:\r
	39	case NID_pkcs7_signedAndEnveloped:\r
	40	case NID_pkcs7_encrypted:\r
	41	Others = FALSE;\r
	42	break;\r
	43	default:\r
	44	Others = TRUE;\r
	45	}\r
	46	\r
	47	return Others;\r
	48	}\r
	49	\r
	50	/**\r
	51	Get the ASN.1 string for the PKCS7.\r
	52	\r
	53	It is copied from PKCS7_get_octet_string() in pk7_doit.c.\r
	54	\r
	55	@param[in] P7 Pointer to the location at which the PKCS7 is located.\r
	56	\r
	57	@return ASN1_OCTET_STRING ASN.1 string.\r
	58	**/\r
	59	STATIC\r
7c342378	60	ASN1_OCTET_STRING *\r
469eb461	61	Pkcs7GetOctetString (\r
7c342378	62	IN PKCS7 *P7\r
469eb461 GJ	63	)\r
	64	{\r
	65	if (PKCS7_type_is_data (P7)) {\r
	66	return P7->d.data;\r
	67	}\r
	68	\r
7c342378 MK	69	if (Pkcs7TypeIsOther (P7) && (P7->d.other != NULL) &&\r
	70	(P7->d.other->type == V_ASN1_OCTET_STRING))\r
	71	{\r
469eb461 GJ	72	return P7->d.other->value.octet_string;\r
	73	}\r
	74	\r
	75	return NULL;\r
	76	}\r
	77	\r
cc01b26e JW	78	/**\r
	79	Extracts the attached content from a PKCS#7 signed data if existed. The input signed\r
	80	data could be wrapped in a ContentInfo structure.\r
	81	\r
	82	If P7Data, Content, or ContentSize is NULL, then return FALSE. If P7Length overflow,\r
	83	then return FALSE. If the P7Data is not correctly formatted, then return FALSE.\r
	84	\r
	85	Caution: This function may receive untrusted input. So this function will do\r
	86	basic check for PKCS#7 data structure.\r
	87	\r
	88	@param[in] P7Data Pointer to the PKCS#7 signed data to process.\r
	89	@param[in] P7Length Length of the PKCS#7 signed data in bytes.\r
	90	@param[out] Content Pointer to the extracted content from the PKCS#7 signedData.\r
	91	It's caller's responsibility to free the buffer with FreePool().\r
	92	@param[out] ContentSize The size of the extracted content in bytes.\r
	93	\r
	94	@retval TRUE The P7Data was correctly formatted for processing.\r
	95	@retval FALSE The P7Data was not correctly formatted for processing.\r
	96	\r
	97	**/\r
	98	BOOLEAN\r
	99	EFIAPI\r
	100	Pkcs7GetAttachedContent (\r
	101	IN CONST UINT8 *P7Data,\r
	102	IN UINTN P7Length,\r
	103	OUT VOID **Content,\r
	104	OUT UINTN *ContentSize\r
	105	)\r
	106	{\r
	107	BOOLEAN Status;\r
	108	PKCS7 *Pkcs7;\r
	109	UINT8 *SignedData;\r
	110	UINTN SignedDataSize;\r
	111	BOOLEAN Wrapped;\r
	112	CONST UINT8 *Temp;\r
	113	ASN1_OCTET_STRING *OctStr;\r
	114	\r
	115	//\r
	116	// Check input parameter.\r
	117	//\r
	118	if ((P7Data == NULL) \|\| (P7Length > INT_MAX) \|\| (Content == NULL) \|\| (ContentSize == NULL)) {\r
	119	return FALSE;\r
	120	}\r
	121	\r
	122	*Content = NULL;\r
	123	Pkcs7 = NULL;\r
	124	SignedData = NULL;\r
	125	OctStr = NULL;\r
	126	\r
	127	Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);\r
	128	if (!Status \|\| (SignedDataSize > INT_MAX)) {\r
	129	goto _Exit;\r
	130	}\r
	131	\r
	132	Status = FALSE;\r
	133	\r
	134	//\r
	135	// Decoding PKCS#7 SignedData\r
	136	//\r
	137	Temp = SignedData;\r
	138	Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **)&Temp, (int)SignedDataSize);\r
	139	if (Pkcs7 == NULL) {\r
	140	goto _Exit;\r
	141	}\r
142	\r
143	//\r
144	// The type of Pkcs7 must be signedData\r
145	//\r
146	if (!PKCS7_type_is_signed (Pkcs7)) {\r
147	goto _Exit;\r
148	}\r
149	\r
150	//\r
151	// Check for detached or attached content\r
152	//\r
153	if (PKCS7_get_detached (Pkcs7)) {\r
154	//\r
155	// No Content supplied for PKCS7 detached signedData\r
156	//\r
157	*Content = NULL;\r
158	*ContentSize = 0;\r
159	} else {\r
160	//\r
161	// Retrieve the attached content in PKCS7 signedData\r
162	//\r
469eb461 GJ	163	OctStr = Pkcs7GetOctetString (Pkcs7->d.sign->contents);\r
	164	if (OctStr == NULL) {\r
	165	goto _Exit;\r
	166	}\r
	167	\r
cc01b26e JW	168	if ((OctStr->length > 0) && (OctStr->data != NULL)) {\r
	169	*ContentSize = OctStr->length;\r
	170	Content = AllocatePool (ContentSize);\r
	171	if (*Content == NULL) {\r
	172	*ContentSize = 0;\r
	173	goto _Exit;\r
	174	}\r
7c342378	175	\r
cc01b26e JW	176	CopyMem (Content, OctStr->data, ContentSize);\r
	177	}\r
	178	}\r
7c342378	179	\r
cc01b26e JW	180	Status = TRUE;\r
	181	\r
	182	_Exit:\r
	183	//\r
	184	// Release Resources\r
	185	//\r
	186	PKCS7_free (Pkcs7);\r
	187	\r
	188	if (!Wrapped) {\r
	189	OPENSSL_free (SignedData);\r
	190	}\r
	191	\r
	192	return Status;\r
	193	}\r