primitives (Hash Serials, HMAC, RSA, Diffie-Hellman, etc) for UEFI security\r
functionality enabling.\r
\r
-Copyright (c) 2009 - 2010, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2009 - 2011, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution. The full text of the license may be found at\r
#ifndef __BASE_CRYPT_LIB_H__\r
#define __BASE_CRYPT_LIB_H__\r
\r
+///\r
+/// MD4 digest size in bytes\r
+///\r
+#define MD4_DIGEST_SIZE 16\r
+\r
///\r
/// MD5 digest size in bytes\r
///\r
// One-Way Cryptographic Hash Primitives\r
//=====================================================================================\r
\r
+/**\r
+ Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.\r
+\r
+ @return The size, in bytes, of the context buffer required for MD4 hash operations.\r
+\r
+**/\r
+UINTN\r
+EFIAPI\r
+Md4GetContextSize (\r
+ VOID\r
+ );\r
+\r
+/**\r
+ Initializes user-supplied memory pointed by Md4Context as MD4 hash context for\r
+ subsequent use.\r
+\r
+ If Md4Context is NULL, then ASSERT().\r
+\r
+ @param[out] Md4Context Pointer to MD4 context being initialized.\r
+\r
+ @retval TRUE MD4 context initialization succeeded.\r
+ @retval FALSE MD4 context initialization failed.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+Md4Init (\r
+ OUT VOID *Md4Context\r
+ );\r
+\r
+/**\r
+ Makes a copy of an existing MD4 context.\r
+\r
+ If Md4Context is NULL, then ASSERT().\r
+ If NewMd4Context is NULL, then ASSERT().\r
+\r
+ @param[in] Md4Context Pointer to MD4 context being copied.\r
+ @param[out] NewMd4Context Pointer to new MD4 context.\r
+\r
+ @retval TRUE MD4 context copy succeeded.\r
+ @retval FALSE MD4 context copy failed.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+Md4Duplicate (\r
+ IN CONST VOID *Md4Context,\r
+ OUT VOID *NewMd4Context\r
+ );\r
+\r
+/**\r
+ Digests the input data and updates MD4 context.\r
+\r
+ This function performs MD4 digest on a data buffer of the specified size.\r
+ It can be called multiple times to compute the digest of long or discontinuous data streams.\r
+ MD4 context should be already correctly intialized by Md4Init(), and should not be finalized\r
+ by Md4Final(). Behavior with invalid context is undefined.\r
+\r
+ If Md4Context is NULL, then ASSERT().\r
+\r
+ @param[in, out] Md4Context Pointer to the MD4 context.\r
+ @param[in] Data Pointer to the buffer containing the data to be hashed.\r
+ @param[in] DataSize Size of Data buffer in bytes.\r
+\r
+ @retval TRUE MD4 data digest succeeded.\r
+ @retval FALSE MD4 data digest failed.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+Md4Update (\r
+ IN OUT VOID *Md4Context,\r
+ IN CONST VOID *Data,\r
+ IN UINTN DataSize\r
+ );\r
+\r
+/**\r
+ Completes computation of the MD4 digest value.\r
+\r
+ This function completes MD4 hash computation and retrieves the digest value into\r
+ the specified memory. After this function has been called, the MD4 context cannot\r
+ be used again.\r
+ MD4 context should be already correctly intialized by Md4Init(), and should not be\r
+ finalized by Md4Final(). Behavior with invalid MD4 context is undefined.\r
+\r
+ If Md4Context is NULL, then ASSERT().\r
+ If HashValue is NULL, then ASSERT().\r
+\r
+ @param[in, out] Md4Context Pointer to the MD4 context.\r
+ @param[out] HashValue Pointer to a buffer that receives the MD4 digest\r
+ value (16 bytes).\r
+\r
+ @retval TRUE MD4 digest computation succeeded.\r
+ @retval FALSE MD4 digest computation failed.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+Md4Final (\r
+ IN OUT VOID *Md4Context,\r
+ OUT UINT8 *HashValue\r
+ );\r
+\r
/**\r
Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.\r
\r
\r
If RsaContext is NULL, then ASSERT().\r
If MessageHash is NULL, then ASSERT().\r
- If HashSize is not equal to the size of MD5, SHA-1, SHA-256, SHA-224, SHA-512 or SHA-384 digest, then ASSERT().\r
+ If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then ASSERT().\r
If SigSize is large enough but Signature is NULL, then ASSERT().\r
\r
@param[in] RsaContext Pointer to RSA context for signature generation.\r
@param[in] HashSize Size of the message hash in bytes.\r
@param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature.\r
@param[in, out] SigSize On input, the size of Signature buffer in bytes.\r
- On output, the size of data returned in Signature buffer in bytes.\r
+ On output, the size of data returned in Signature buffer in bytes.\r
\r
@retval TRUE Signature successfully generated in PKCS1-v1_5.\r
@retval FALSE Signature generation failed.\r
If RsaContext is NULL, then ASSERT().\r
If MessageHash is NULL, then ASSERT().\r
If Signature is NULL, then ASSERT().\r
- If HashSize is not equal to the size of MD5, SHA-1, SHA-256, SHA-224, SHA-512 or SHA-384 digest, then ASSERT().\r
+ If HashSize is not equal to the size of MD5, SHA-1, SHA-256 digest, then ASSERT().\r
\r
@param[in] RsaContext Pointer to RSA context for signature verification.\r
@param[in] MessageHash Pointer to octet message hash to be checked.\r
IN UINTN SigSize\r
);\r
\r
+/**\r
+ Retrieve the RSA Private Key from the password-protected PEM key data.\r
+\r
+ @param[in] PemData Pointer to the PEM-encoded key data to be retrieved.\r
+ @param[in] PemSize Size of the PEM key data in bytes.\r
+ @param[in] Password NULL-terminated passphrase used for encrypted PEM key data.\r
+ @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved\r
+ RSA private key component. Use RsaFree() function to free the\r
+ resource.\r
+\r
+ If PemData is NULL, then ASSERT().\r
+ If RsaContext is NULL, then ASSERT().\r
+\r
+ @retval TRUE RSA Private Key was retrieved successfully.\r
+ @retval FALSE Invalid PEM key data or incorrect password.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+RsaGetPrivateKeyFromPem (\r
+ IN CONST UINT8 *PemData,\r
+ IN UINTN PemSize,\r
+ IN CONST CHAR8 *Password,\r
+ OUT VOID **RsaContext\r
+ );\r
+\r
+/**\r
+ Retrieve the RSA Public Key from one DER-encoded X509 certificate.\r
+\r
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.\r
+ @param[in] CertSize Size of the X509 certificate in bytes.\r
+ @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved\r
+ RSA public key component. Use RsaFree() function to free the\r
+ resource.\r
+\r
+ If Cert is NULL, then ASSERT().\r
+ If RsaContext is NULL, then ASSERT().\r
+\r
+ @retval TRUE RSA Public Key was retrieved successfully.\r
+ @retval FALSE Fail to retrieve RSA public key from X509 certificate.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+RsaGetPublicKeyFromX509 (\r
+ IN CONST UINT8 *Cert,\r
+ IN UINTN CertSize,\r
+ OUT VOID **RsaContext\r
+ );\r
+\r
+/**\r
+ Retrieve the subject bytes from one X.509 certificate.\r
+\r
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.\r
+ @param[in] CertSize Size of the X509 certificate in bytes.\r
+ @param[out] CertSubject Pointer to the retrieved certificate subject bytes.\r
+ @param[in, out] SubjectSize The size in bytes of the CertSubject buffer on input,\r
+ and the size of buffer returned CertSubject on output.\r
+\r
+ If Cert is NULL, then ASSERT().\r
+ If SubjectSize is NULL, then ASSERT().\r
+\r
+ @retval TRUE The certificate subject retrieved successfully.\r
+ @retval FALSE Invalid certificate, or the SubjectSize is too small for the result.\r
+ The SubjectSize will be updated with the required size.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+X509GetSubjectName (\r
+ IN CONST UINT8 *Cert,\r
+ IN UINTN CertSize,\r
+ OUT UINT8 *CertSubject,\r
+ IN OUT UINTN *SubjectSize\r
+ );\r
+\r
+/**\r
+ Verify one X509 certificate was issued by the trusted CA.\r
+\r
+ @param[in] Cert Pointer to the DER-encoded X509 certificate to be verified.\r
+ @param[in] CertSize Size of the X509 certificate in bytes.\r
+ @param[in] CACert Pointer to the DER-encoded trusted CA certificate.\r
+ @param[in] CACertSize Size of the CA Certificate in bytes.\r
+\r
+ If Cert is NULL, then ASSERT().\r
+ If CACert is NULL, then ASSERT().\r
+\r
+ @retval TRUE The certificate was issued by the trusted CA.\r
+ @retval FALSE Invalid certificate or the certificate was not issued by the given\r
+ trusted CA.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+X509VerifyCert (\r
+ IN CONST UINT8 *Cert,\r
+ IN UINTN CertSize,\r
+ IN CONST UINT8 *CACert,\r
+ IN UINTN CACertSize\r
+ );\r
+\r
+/**\r
+ Construct a X509 object from DER-encoded certificate data.\r
+\r
+ If Cert is NULL, then ASSERT().\r
+ If SingleX509Cert is NULL, then ASSERT().\r
+\r
+ @param[in] Cert Pointer to the DER-encoded certificate data.\r
+ @param[in] CertSize The size of certificate data in bytes.\r
+ @param[out] SingleX509Cert The generated X509 object.\r
+\r
+ @retval TRUE The X509 object generation succeeded.\r
+ @retval FALSE The operation failed.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+X509ConstructCertificate (\r
+ IN CONST UINT8 *Cert,\r
+ IN UINTN CertSize,\r
+ OUT UINT8 **SingleX509Cert\r
+ );\r
+\r
+/**\r
+ Construct a X509 stack object from a list of DER-encoded certificate data.\r
+\r
+ If X509Stack is NULL, then ASSERT().\r
+\r
+ @param[in, out] X509Stack On input, pointer to an existing X509 stack object.\r
+ On output, pointer to the X509 stack object with new\r
+ inserted X509 certificate.\r
+ @param ... A list of DER-encoded single certificate data followed\r
+ by certificate size. A NULL terminates the list. The\r
+ pairs are the arguments to X509ConstructCertificate().\r
+ \r
+ @retval TRUE The X509 stack construction succeeded.\r
+ @retval FALSE The construction operation failed.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+X509ConstructCertificateStack (\r
+ IN OUT UINT8 **X509Stack,\r
+ ... \r
+ );\r
+\r
+/**\r
+ Release the specified X509 object.\r
+\r
+ If X509Cert is NULL, then ASSERT().\r
+\r
+ @param[in] X509Cert Pointer to the X509 object to be released.\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+X509Free (\r
+ IN VOID *X509Cert\r
+ );\r
+\r
+/**\r
+ Release the specified X509 stack object.\r
+\r
+ If X509Stack is NULL, then ASSERT().\r
+\r
+ @param[in] X509Stack Pointer to the X509 stack object to be released.\r
+\r
+**/\r
+VOID\r
+EFIAPI\r
+X509StackFree (\r
+ IN VOID *X509Stack\r
+ );\r
+\r
+/**\r
+ Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message\r
+ Syntax Standard, version 1.5". This interface is only intended to be used for\r
+ application to perform PKCS#7 functionality validation.\r
+\r
+ @param[in] PrivateKey Pointer to the PEM-formatted private key data for\r
+ data signing.\r
+ @param[in] PrivateKeySize Size of the PEM private key data in bytes.\r
+ @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM\r
+ key data.\r
+ @param[in] InData Pointer to the content to be signed.\r
+ @param[in] InDataSize Size of InData in bytes.\r
+ @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with.\r
+ @param[in] OtherCerts Pointer to an optional additional set of certificates to\r
+ include in the PKCS#7 signedData (e.g. any intermediate\r
+ CAs in the chain).\r
+ @param[out] SignedData Pointer to output PKCS#7 signedData.\r
+ @param[out] SignedDataSize Size of SignedData in bytes.\r
+\r
+ @retval TRUE PKCS#7 data signing succeeded.\r
+ @retval FALSE PKCS#7 data signing failed.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+Pkcs7Sign (\r
+ IN CONST UINT8 *PrivateKey,\r
+ IN UINTN PrivateKeySize,\r
+ IN CONST UINT8 *KeyPassword,\r
+ IN UINT8 *InData,\r
+ IN UINTN InDataSize,\r
+ IN UINT8 *SignCert,\r
+ IN UINT8 *OtherCerts OPTIONAL,\r
+ OUT UINT8 **SignedData,\r
+ OUT UINTN *SignedDataSize\r
+ );\r
+\r
/**\r
Verifies the validility of a PKCS#7 signed data as described in "PKCS #7: Cryptographic\r
Message Syntax Standard".\r
IN UINTN DataSize\r
);\r
\r
+/**\r
+ Verifies the validility of a PE/COFF Authenticode Signature as described in "Windows\r
+ Authenticode Portable Executable Signature Format".\r
+\r
+ If AuthData is NULL, then ASSERT().\r
+ If ImageHash is NULL, then ASSERT().\r
+\r
+ @param[in] AuthData Pointer to the Authenticode Signature retrieved from signed\r
+ PE/COFF image to be verified.\r
+ @param[in] DataSize Size of the Authenticode Signature in bytes.\r
+ @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which\r
+ is used for certificate chain verification.\r
+ @param[in] CertSize Size of the trusted certificate in bytes.\r
+ @param[in] ImageHash Pointer to the original image file hash value. The procudure\r
+ for calculating the image hash value is described in Authenticode\r
+ specification.\r
+ @param[in] HashSize Size of Image hash value in bytes.\r
+\r
+ @retval TRUE The specified Authenticode Signature is valid.\r
+ @retval FALSE Invalid Authenticode Signature.\r
+\r
+**/\r
+BOOLEAN\r
+EFIAPI\r
+AuthenticodeVerify (\r
+ IN CONST UINT8 *AuthData,\r
+ IN UINTN DataSize,\r
+ IN CONST UINT8 *TrustedCert,\r
+ IN UINTN CertSize,\r
+ IN CONST UINT8 *ImageHash,\r
+ IN UINTN HashSize\r
+ );\r
+\r
//=====================================================================================\r
// DH Key Exchange Primitive\r
//=====================================================================================\r