#include <openssl/x509.h>\r
#include <openssl/pkcs7.h>\r
\r
+UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };\r
\r
/**\r
Verification callback function to override any existing callbacks in OpenSSL\r
@retval 0 Verification failed.\r
\r
**/\r
-STATIC int X509VerifyCb (int Status, X509_STORE_CTX *Context)\r
+int\r
+X509VerifyCb (\r
+ IN int Status,\r
+ IN X509_STORE_CTX *Context\r
+ )\r
{\r
X509_OBJECT *Obj;\r
- int Error;\r
- int Index;\r
- int Count;\r
+ INTN Error;\r
+ INTN Index;\r
+ INTN Count;\r
\r
Obj = NULL;\r
- Error = X509_STORE_CTX_get_error (Context);\r
+ Error = (INTN) X509_STORE_CTX_get_error (Context);\r
\r
//\r
// X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_\r
// pass the certificate verification.\r
//\r
if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {\r
- Count = sk_X509_num (Context->chain);\r
+ Count = (INTN) sk_X509_num (Context->chain);\r
for (Index = 0; Index < Count; Index++) {\r
- Obj->data.x509 = sk_X509_value (Context->chain, Index);\r
+ Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);\r
if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {\r
Status = 1;\r
break;\r
PKCS7 *Pkcs7;\r
UINT8 *RsaContext;\r
UINT8 *P7Data;\r
+ UINTN P7DataSize;\r
+ UINT8 *Tmp;\r
\r
//\r
// Check input parameters.\r
return FALSE;\r
}\r
\r
+ if (InDataSize > INT_MAX) {\r
+ return FALSE;\r
+ }\r
+\r
RsaContext = NULL;\r
Key = NULL;\r
Pkcs7 = NULL;\r
Key,\r
(STACK_OF(X509) *) OtherCerts,\r
DataBio,\r
- PKCS7_BINARY\r
+ PKCS7_BINARY | PKCS7_NOATTR | PKCS7_DETACHED\r
);\r
if (Pkcs7 == NULL) {\r
goto _Exit;\r
//\r
// Convert PKCS#7 signedData structure into DER-encoded buffer.\r
//\r
- *SignedDataSize = i2d_PKCS7 (Pkcs7, NULL);\r
- if (*SignedDataSize == 0) {\r
+ P7DataSize = i2d_PKCS7 (Pkcs7, NULL);\r
+ if (P7DataSize <= 19) {\r
goto _Exit;\r
}\r
+ P7Data = OPENSSL_malloc (P7DataSize);\r
+ Tmp = P7Data;\r
+ P7DataSize = i2d_PKCS7 (Pkcs7, (unsigned char **) &Tmp);\r
+\r
+ //\r
+ // Strip ContentInfo to content only for signeddata. The data be trimmed off\r
+ // is totally 19 bytes.\r
+ //\r
+ *SignedDataSize = P7DataSize - 19;\r
*SignedData = OPENSSL_malloc (*SignedDataSize);\r
- P7Data = *SignedData;\r
- *SignedDataSize = i2d_PKCS7 (Pkcs7, (unsigned char **) &P7Data);\r
+ CopyMem (*SignedData, P7Data + 19, *SignedDataSize);\r
+ \r
+ OPENSSL_free (P7Data);\r
\r
Status = TRUE;\r
\r
}\r
\r
/**\r
- Verifies the validility of a PKCS#7 signed data as described in "PKCS #7: Cryptographic\r
- Message Syntax Standard".\r
+ Verifies the validility of a PKCS#7 signed data as described in "PKCS #7:\r
+ Cryptographic Message Syntax Standard". The input signed data could be wrapped\r
+ in a ContentInfo structure.\r
\r
If P7Data is NULL, then ASSERT().\r
\r
BOOLEAN Status;\r
X509 *Cert;\r
X509_STORE *CertStore;\r
+ UINT8 *SignedData;\r
+ UINT8 *Temp;\r
+ UINTN SignedDataSize;\r
+ BOOLEAN Wrapped;\r
\r
//\r
- // ASSERT if P7Data is NULL\r
+ // ASSERT if P7Data is NULL or P7Length is not larger than 19 bytes.\r
//\r
- ASSERT (P7Data != NULL);\r
+ ASSERT ((P7Data != NULL) || (P7Length <= 19));\r
+\r
+ if ((CertLength > INT_MAX) || (DataLength > INT_MAX)) {\r
+ return FALSE;\r
+ }\r
\r
Status = FALSE;\r
Pkcs7 = NULL;\r
EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA);\r
EVP_add_digest (EVP_sha256());\r
\r
+ //\r
+ // Check whether input P7Data is a wrapped ContentInfo structure or not.\r
+ //\r
+ Wrapped = FALSE;\r
+ if ((P7Data[4] == 0x06) && (P7Data[5] == 0x09)) {\r
+ if (CompareMem (P7Data + 6, mOidValue, sizeof (mOidValue)) == 0) {\r
+ if ((P7Data[15] == 0xA0) && (P7Data[16] == 0x82)) {\r
+ Wrapped = TRUE;\r
+ }\r
+ }\r
+ }\r
+\r
+ if (Wrapped) {\r
+ SignedData = (UINT8 *) P7Data;\r
+ SignedDataSize = P7Length;\r
+ } else {\r
+ //\r
+ // Wrap PKCS#7 signeddata to a ContentInfo structure - add a header in 19 bytes.\r
+ //\r
+ SignedDataSize = P7Length + 19;\r
+ SignedData = OPENSSL_malloc (SignedDataSize);\r
+ if (SignedData == NULL) {\r
+ return FALSE;\r
+ }\r
+\r
+ //\r
+ // Part1: 0x30, 0x82.\r
+ //\r
+ SignedData[0] = 0x30;\r
+ SignedData[1] = 0x82;\r
+\r
+ //\r
+ // Part2: Length1 = P7Length + 19 - 4, in big endian.\r
+ //\r
+ SignedData[2] = (UINT8) (((UINT16) (SignedDataSize - 4)) >> 8);\r
+ SignedData[3] = (UINT8) (((UINT16) (SignedDataSize - 4)) & 0xff);\r
+\r
+ //\r
+ // Part3: 0x06, 0x09.\r
+ //\r
+ SignedData[4] = 0x06;\r
+ SignedData[5] = 0x09;\r
+\r
+ //\r
+ // Part4: OID value -- 0x2A 0x86 0x48 0x86 0xF7 0x0D 0x01 0x07 0x02.\r
+ //\r
+ CopyMem (SignedData + 6, mOidValue, sizeof (mOidValue));\r
+\r
+ //\r
+ // Part5: 0xA0, 0x82.\r
+ //\r
+ SignedData[15] = 0xA0;\r
+ SignedData[16] = 0x82;\r
+\r
+ //\r
+ // Part6: Length2 = P7Length, in big endian.\r
+ //\r
+ SignedData[17] = (UINT8) (((UINT16) P7Length) >> 8);\r
+ SignedData[18] = (UINT8) (((UINT16) P7Length) & 0xff);\r
+\r
+ //\r
+ // Part7: P7Data.\r
+ //\r
+ CopyMem (SignedData + 19, P7Data, P7Length);\r
+ }\r
+ \r
//\r
// Retrieve PKCS#7 Data (DER encoding)\r
//\r
- Pkcs7 = d2i_PKCS7 (NULL, &P7Data, (int)P7Length);\r
+ if (SignedDataSize > INT_MAX) {\r
+ goto _Exit;\r
+ }\r
+\r
+ Temp = SignedData;\r
+ Pkcs7 = d2i_PKCS7 (NULL, &Temp, (int) SignedDataSize);\r
if (Pkcs7 == NULL) {\r
goto _Exit;\r
}\r
X509_STORE_free (CertStore);\r
PKCS7_free (Pkcs7);\r
\r
+ if (!Wrapped) {\r
+ OPENSSL_free (SignedData);\r
+ }\r
+\r
return Status;\r
}\r
projects / mirror_edk2.git / blobdiff