]>
git.proxmox.com Git - mirror_edk2.git/blob - CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7.c
2 PKCS#7 SignedData Verification Wrapper Implementation over OpenSSL.
4 Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>
5 This program and the accompanying materials
6 are licensed and made available under the terms and conditions of the BSD License
7 which accompanies this distribution. The full text of the license may be found at
8 http://opensource.org/licenses/bsd-license.php
10 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
11 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
15 #include "InternalCryptLib.h"
17 #include <openssl/objects.h>
18 #include <openssl/x509.h>
19 #include <openssl/pkcs7.h>
23 Verifies the validility of a PKCS#7 signed data as described in "PKCS #7: Cryptographic
24 Message Syntax Standard".
26 If P7Data is NULL, then ASSERT().
28 @param[in] P7Data Pointer to the PKCS#7 message to verify.
29 @param[in] P7Length Length of the PKCS#7 message in bytes.
30 @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which
31 is used for certificate chain verification.
32 @param[in] CertLength Length of the trusted certificate in bytes.
33 @param[in] InData Pointer to the content to be verified.
34 @param[in] DataLength Length of InData in bytes.
36 @retval TRUE The specified PKCS#7 signed data is valid.
37 @retval FALSE Invalid PKCS#7 signed data.
43 IN CONST UINT8
*P7Data
,
45 IN CONST UINT8
*TrustedCert
,
47 IN CONST UINT8
*InData
,
57 X509_STORE
*CertStore
;
60 // ASSERT if P7Data is NULL
62 ASSERT (P7Data
!= NULL
);
72 // Register & Initialize necessary digest algorithms for PKCS#7 Handling
74 EVP_add_digest (EVP_md5());
75 EVP_add_digest (EVP_sha1());
76 EVP_add_digest (EVP_sha256());
79 // Retrieve PKCS#7 Data (DER encoding)
81 Pkcs7
= d2i_PKCS7 (NULL
, &P7Data
, (int)P7Length
);
87 // Check if it's PKCS#7 Signed Data (for Authenticode Scenario)
89 if (!PKCS7_type_is_signed (Pkcs7
)) {
94 // Check PKCS#7 embedded signed content with InData.
98 // NOTE: PKCS7_dataDecode() didn't work for Authenticode-format signed data due to
99 // some authenticode-specific structure. Use opaque ASN.1 string to retrieve
100 // PKCS#7 ContentInfo here.
102 Content
= (UINT8
*)(Pkcs7
->d
.sign
->contents
->d
.other
->value
.asn1_string
->data
);
104 // Ignore two bytes for DER encoding of ASN.1 "SEQUENCE"
105 if (CompareMem (Content
+ 2, InData
, DataLength
) != 0) {
111 // Read DER-encoded root certificate and Construct X509 Certificate
113 CertBio
= BIO_new (BIO_s_mem ());
114 BIO_write (CertBio
, TrustedCert
, (int)CertLength
);
115 if (CertBio
== NULL
) {
118 Cert
= d2i_X509_bio (CertBio
, NULL
);
124 // Setup X509 Store for trusted certificate
126 CertStore
= X509_STORE_new ();
127 if (CertStore
== NULL
) {
130 if (!(X509_STORE_add_cert (CertStore
, Cert
))) {
135 // For generic PKCS#7 handling, InData may be NULL if the content is present
136 // in PKCS#7 structure. So ignore NULL checking here.
138 DataBio
= BIO_new (BIO_s_mem ());
139 BIO_write (DataBio
, InData
, (int)DataLength
);
142 // Verifies the PKCS#7 signedData structure
144 Status
= (BOOLEAN
) PKCS7_verify (Pkcs7
, NULL
, CertStore
, DataBio
, NULL
, 0);
153 X509_STORE_free (CertStore
);