]>
git.proxmox.com Git - mirror_edk2.git/blob - CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c
2 PKCS#7 SignedData Sign Wrapper Implementation over OpenSSL.
4 Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
5 SPDX-License-Identifier: BSD-2-Clause-Patent
9 #include "InternalCryptLib.h"
11 #include <openssl/objects.h>
12 #include <openssl/x509.h>
13 #include <openssl/pkcs7.h>
16 Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message
17 Syntax Standard, version 1.5". This interface is only intended to be used for
18 application to perform PKCS#7 functionality validation.
20 @param[in] PrivateKey Pointer to the PEM-formatted private key data for
22 @param[in] PrivateKeySize Size of the PEM private key data in bytes.
23 @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM
25 @param[in] InData Pointer to the content to be signed.
26 @param[in] InDataSize Size of InData in bytes.
27 @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with.
28 @param[in] OtherCerts Pointer to an optional additional set of certificates to
29 include in the PKCS#7 signedData (e.g. any intermediate
31 @param[out] SignedData Pointer to output PKCS#7 signedData. It's caller's
32 responsibility to free the buffer with FreePool().
33 @param[out] SignedDataSize Size of SignedData in bytes.
35 @retval TRUE PKCS#7 data signing succeeded.
36 @retval FALSE PKCS#7 data signing failed.
42 IN CONST UINT8
*PrivateKey
,
43 IN UINTN PrivateKeySize
,
44 IN CONST UINT8
*KeyPassword
,
48 IN UINT8
*OtherCerts OPTIONAL
,
49 OUT UINT8
**SignedData
,
50 OUT UINTN
*SignedDataSize
63 // Check input parameters.
65 if ((PrivateKey
== NULL
) || (KeyPassword
== NULL
) || (InData
== NULL
) ||
66 (SignCert
== NULL
) || (SignedData
== NULL
) || (SignedDataSize
== NULL
) || (InDataSize
> INT_MAX
))
78 // Retrieve RSA private key from PEM data.
80 Status
= RsaGetPrivateKeyFromPem (
83 (CONST CHAR8
*)KeyPassword
,
93 // Register & Initialize necessary digest algorithms and PRNG for PKCS#7 Handling
95 if (EVP_add_digest (EVP_md5 ()) == 0) {
99 if (EVP_add_digest (EVP_sha1 ()) == 0) {
103 if (EVP_add_digest (EVP_sha256 ()) == 0) {
107 RandomSeed (NULL
, 0);
110 // Construct OpenSSL EVP_PKEY for private key.
112 Key
= EVP_PKEY_new ();
117 if (EVP_PKEY_assign_RSA (Key
, (RSA
*)RsaContext
) == 0) {
122 // Convert the data to be signed to BIO format.
124 DataBio
= BIO_new (BIO_s_mem ());
125 if (DataBio
== NULL
) {
129 if (BIO_write (DataBio
, InData
, (int)InDataSize
) <= 0) {
134 // Create the PKCS#7 signedData structure.
139 (STACK_OF (X509
) *) OtherCerts
,
141 PKCS7_BINARY
| PKCS7_NOATTR
| PKCS7_DETACHED
148 // Convert PKCS#7 signedData structure into DER-encoded buffer.
150 P7DataSize
= i2d_PKCS7 (Pkcs7
, NULL
);
151 if (P7DataSize
<= 19) {
155 P7Data
= malloc (P7DataSize
);
156 if (P7Data
== NULL
) {
161 P7DataSize
= i2d_PKCS7 (Pkcs7
, (unsigned char **)&Tmp
);
162 ASSERT (P7DataSize
> 19);
165 // Strip ContentInfo to content only for signeddata. The data be trimmed off
166 // is totally 19 bytes.
168 *SignedDataSize
= P7DataSize
- 19;
169 *SignedData
= AllocatePool (*SignedDataSize
);
170 if (*SignedData
== NULL
) {
171 OPENSSL_free (P7Data
);
175 CopyMem (*SignedData
, P7Data
+ 19, *SignedDataSize
);
177 OPENSSL_free (P7Data
);
189 if (DataBio
!= NULL
) {