]>
git.proxmox.com Git - mirror_edk2.git/blob - CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c
2 PKCS#7 SignedData Sign Wrapper Implementation over OpenSSL.
4 Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
5 This program and the accompanying materials
6 are licensed and made available under the terms and conditions of the BSD License
7 which accompanies this distribution. The full text of the license may be found at
8 http://opensource.org/licenses/bsd-license.php
10 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
11 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
15 #include "InternalCryptLib.h"
17 #include <openssl/objects.h>
18 #include <openssl/x509.h>
19 #include <openssl/pkcs7.h>
23 Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message
24 Syntax Standard, version 1.5". This interface is only intended to be used for
25 application to perform PKCS#7 functionality validation.
27 @param[in] PrivateKey Pointer to the PEM-formatted private key data for
29 @param[in] PrivateKeySize Size of the PEM private key data in bytes.
30 @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM
32 @param[in] InData Pointer to the content to be signed.
33 @param[in] InDataSize Size of InData in bytes.
34 @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with.
35 @param[in] OtherCerts Pointer to an optional additional set of certificates to
36 include in the PKCS#7 signedData (e.g. any intermediate
38 @param[out] SignedData Pointer to output PKCS#7 signedData.
39 @param[out] SignedDataSize Size of SignedData in bytes.
41 @retval TRUE PKCS#7 data signing succeeded.
42 @retval FALSE PKCS#7 data signing failed.
48 IN CONST UINT8
*PrivateKey
,
49 IN UINTN PrivateKeySize
,
50 IN CONST UINT8
*KeyPassword
,
54 IN UINT8
*OtherCerts OPTIONAL
,
55 OUT UINT8
**SignedData
,
56 OUT UINTN
*SignedDataSize
69 // Check input parameters.
71 if (PrivateKey
== NULL
|| KeyPassword
== NULL
|| InData
== NULL
||
72 SignCert
== NULL
|| SignedData
== NULL
|| SignedDataSize
== NULL
|| InDataSize
> INT_MAX
) {
83 // Retrieve RSA private key from PEM data.
85 Status
= RsaGetPrivateKeyFromPem (
88 (CONST CHAR8
*) KeyPassword
,
98 // Register & Initialize necessary digest algorithms and PRNG for PKCS#7 Handling
100 if (EVP_add_digest (EVP_md5 ()) == 0) {
103 if (EVP_add_digest (EVP_sha1 ()) == 0) {
106 if (EVP_add_digest (EVP_sha256 ()) == 0) {
110 RandomSeed (NULL
, 0);
113 // Construct OpenSSL EVP_PKEY for private key.
115 Key
= EVP_PKEY_new ();
119 Key
->save_type
= EVP_PKEY_RSA
;
120 Key
->type
= EVP_PKEY_type (EVP_PKEY_RSA
);
121 Key
->pkey
.rsa
= (RSA
*) RsaContext
;
124 // Convert the data to be signed to BIO format.
126 DataBio
= BIO_new (BIO_s_mem ());
127 BIO_write (DataBio
, InData
, (int) InDataSize
);
130 // Create the PKCS#7 signedData structure.
135 (STACK_OF(X509
) *) OtherCerts
,
137 PKCS7_BINARY
| PKCS7_NOATTR
| PKCS7_DETACHED
144 // Convert PKCS#7 signedData structure into DER-encoded buffer.
146 P7DataSize
= i2d_PKCS7 (Pkcs7
, NULL
);
147 if (P7DataSize
<= 19) {
151 P7Data
= malloc (P7DataSize
);
152 if (P7Data
== NULL
) {
157 P7DataSize
= i2d_PKCS7 (Pkcs7
, (unsigned char **) &Tmp
);
160 // Strip ContentInfo to content only for signeddata. The data be trimmed off
161 // is totally 19 bytes.
163 *SignedDataSize
= P7DataSize
- 19;
164 *SignedData
= malloc (*SignedDataSize
);
165 if (*SignedData
== NULL
) {
166 OPENSSL_free (P7Data
);
170 CopyMem (*SignedData
, P7Data
+ 19, *SignedDataSize
);
172 OPENSSL_free (P7Data
);
180 if (RsaContext
!= NULL
) {
181 RsaFree (RsaContext
);
183 Key
->pkey
.rsa
= NULL
;
191 if (DataBio
!= NULL
) {