]>
git.proxmox.com Git - mirror_edk2.git/blob - CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c
2 PKCS#7 SignedData Sign Wrapper Implementation over OpenSSL.
4 Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
5 SPDX-License-Identifier: BSD-2-Clause-Patent
9 #include "InternalCryptLib.h"
11 #include <openssl/objects.h>
12 #include <openssl/x509.h>
13 #include <openssl/pkcs7.h>
16 Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message
17 Syntax Standard, version 1.5". This interface is only intended to be used for
18 application to perform PKCS#7 functionality validation.
20 @param[in] PrivateKey Pointer to the PEM-formatted private key data for
22 @param[in] PrivateKeySize Size of the PEM private key data in bytes.
23 @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM
25 @param[in] InData Pointer to the content to be signed.
26 @param[in] InDataSize Size of InData in bytes.
27 @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with.
28 @param[in] OtherCerts Pointer to an optional additional set of certificates to
29 include in the PKCS#7 signedData (e.g. any intermediate
31 @param[out] SignedData Pointer to output PKCS#7 signedData. It's caller's
32 responsibility to free the buffer with FreePool().
33 @param[out] SignedDataSize Size of SignedData in bytes.
35 @retval TRUE PKCS#7 data signing succeeded.
36 @retval FALSE PKCS#7 data signing failed.
42 IN CONST UINT8
*PrivateKey
,
43 IN UINTN PrivateKeySize
,
44 IN CONST UINT8
*KeyPassword
,
48 IN UINT8
*OtherCerts OPTIONAL
,
49 OUT UINT8
**SignedData
,
50 OUT UINTN
*SignedDataSize
63 // Check input parameters.
65 if (PrivateKey
== NULL
|| KeyPassword
== NULL
|| InData
== NULL
||
66 SignCert
== NULL
|| SignedData
== NULL
|| SignedDataSize
== NULL
|| InDataSize
> INT_MAX
) {
77 // Retrieve RSA private key from PEM data.
79 Status
= RsaGetPrivateKeyFromPem (
82 (CONST CHAR8
*) KeyPassword
,
92 // Register & Initialize necessary digest algorithms and PRNG for PKCS#7 Handling
94 if (EVP_add_digest (EVP_md5 ()) == 0) {
97 if (EVP_add_digest (EVP_sha1 ()) == 0) {
100 if (EVP_add_digest (EVP_sha256 ()) == 0) {
104 RandomSeed (NULL
, 0);
107 // Construct OpenSSL EVP_PKEY for private key.
109 Key
= EVP_PKEY_new ();
113 if (EVP_PKEY_assign_RSA (Key
, (RSA
*) RsaContext
) == 0) {
118 // Convert the data to be signed to BIO format.
120 DataBio
= BIO_new (BIO_s_mem ());
121 if (DataBio
== NULL
) {
125 if (BIO_write (DataBio
, InData
, (int) InDataSize
) <= 0) {
130 // Create the PKCS#7 signedData structure.
135 (STACK_OF(X509
) *) OtherCerts
,
137 PKCS7_BINARY
| PKCS7_NOATTR
| PKCS7_DETACHED
144 // Convert PKCS#7 signedData structure into DER-encoded buffer.
146 P7DataSize
= i2d_PKCS7 (Pkcs7
, NULL
);
147 if (P7DataSize
<= 19) {
151 P7Data
= malloc (P7DataSize
);
152 if (P7Data
== NULL
) {
157 P7DataSize
= i2d_PKCS7 (Pkcs7
, (unsigned char **) &Tmp
);
158 ASSERT (P7DataSize
> 19);
161 // Strip ContentInfo to content only for signeddata. The data be trimmed off
162 // is totally 19 bytes.
164 *SignedDataSize
= P7DataSize
- 19;
165 *SignedData
= AllocatePool (*SignedDataSize
);
166 if (*SignedData
== NULL
) {
167 OPENSSL_free (P7Data
);
171 CopyMem (*SignedData
, P7Data
+ 19, *SignedDataSize
);
173 OPENSSL_free (P7Data
);
185 if (DataBio
!= NULL
) {