the lifetime of the signature when a signing certificate expires or is later\r
revoked.\r
\r
-Copyright (c) 2014 - 2015, Intel Corporation. All rights reserved.<BR>\r
-This program and the accompanying materials\r
-are licensed and made available under the terms and conditions of the BSD License\r
-which accompanies this distribution. The full text of the license may be found at\r
-http://opensource.org/licenses/bsd-license.php\r
-\r
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
+Copyright (c) 2014 - 2017, Intel Corporation. All rights reserved.<BR>\r
+SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
IMPLEMENT_ASN1_FUNCTIONS (TS_TST_INFO)\r
\r
\r
-/**\r
- Verification callback function to override any existing callbacks in OpenSSL\r
- for intermediate TSA certificate supports.\r
-\r
- @param[in] Status Original status before calling this callback.\r
- @param[in] Context X509 store context.\r
-\r
- @retval 1 Current X509 certificate is verified successfully.\r
- @retval 0 Verification failed.\r
-\r
-**/\r
-int\r
-TSVerifyCallback (\r
- IN int Status,\r
- IN X509_STORE_CTX *Context\r
- )\r
-{\r
- X509_OBJECT *Obj;\r
- INTN Error;\r
- INTN Index;\r
- INTN Count;\r
-\r
- Obj = NULL;\r
- Error = (INTN) X509_STORE_CTX_get_error (Context);\r
-\r
- //\r
- // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_\r
- // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer\r
- // can not be found in X509_verify_cert of X509_vfy.c.\r
- // In order to support intermediate certificate node, we override the\r
- // errors if the certification is obtained from X509 store, i.e. it is\r
- // a trusted ceritifcate node that is enrolled by user.\r
- // Besides,X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE\r
- // are also ignored to enable such feature.\r
- //\r
- if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||\r
- (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {\r
- Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));\r
- if (Obj == NULL) {\r
- return 0;\r
- }\r
-\r
- Obj->type = X509_LU_X509;\r
- Obj->data.x509 = Context->current_cert;\r
-\r
- CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE);\r
-\r
- if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {\r
- Status = 1;\r
- } else {\r
- //\r
- // If any certificate in the chain is enrolled as trusted certificate,\r
- // pass the certificate verification.\r
- //\r
- if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {\r
- Count = (INTN) sk_X509_num (Context->chain);\r
- for (Index = 0; Index < Count; Index++) {\r
- Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);\r
- if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {\r
- Status = 1;\r
- break;\r
- }\r
- }\r
- }\r
- }\r
-\r
- CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE);\r
- }\r
-\r
- if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||\r
- (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {\r
- Status = 1;\r
- }\r
-\r
- if (Obj != NULL) {\r
- OPENSSL_free (Obj);\r
- }\r
-\r
- return Status;\r
-}\r
-\r
/**\r
Convert ASN.1 GeneralizedTime to EFI Time.\r
\r
@param[in] Asn1Time Pointer to the ASN.1 GeneralizedTime to be converted.\r
@param[out] SigningTime Return the corresponding EFI Time.\r
\r
- @retval TRUE The time convertion succeeds.\r
+ @retval TRUE The time conversion succeeds.\r
@retval FALSE Invalid parameters.\r
\r
**/\r
TS_MESSAGE_IMPRINT *Imprint;\r
X509_ALGOR *HashAlgo;\r
CONST EVP_MD *Md;\r
- EVP_MD_CTX MdCtx;\r
+ EVP_MD_CTX *MdCtx;\r
UINTN MdSize;\r
UINT8 *HashedMsg;\r
\r
Status = FALSE;\r
HashAlgo = NULL;\r
HashedMsg = NULL;\r
+ MdCtx = NULL;\r
\r
//\r
// -- Check version number of Timestamp:\r
if (HashedMsg == NULL) {\r
goto _Exit;\r
}\r
- EVP_DigestInit (&MdCtx, Md);\r
- EVP_DigestUpdate (&MdCtx, TimestampedData, DataSize);\r
- EVP_DigestFinal (&MdCtx, HashedMsg, NULL);\r
+ MdCtx = EVP_MD_CTX_new ();\r
+ if (MdCtx == NULL) {\r
+ goto _Exit;\r
+ }\r
+ if ((EVP_DigestInit_ex (MdCtx, Md, NULL) != 1) ||\r
+ (EVP_DigestUpdate (MdCtx, TimestampedData, DataSize) != 1) ||\r
+ (EVP_DigestFinal (MdCtx, HashedMsg, NULL) != 1)) {\r
+ goto _Exit;\r
+ }\r
if ((MdSize == (UINTN)ASN1_STRING_length (Imprint->HashedMessage)) &&\r
- (CompareMem (HashedMsg, ASN1_STRING_data (Imprint->HashedMessage), MdSize) != 0)) {\r
+ (CompareMem (HashedMsg, ASN1_STRING_get0_data (Imprint->HashedMessage), MdSize) != 0)) {\r
goto _Exit;\r
}\r
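Review bot: The imprint check in this hunk rejects the token only when the digest lengths are equal and the bytes differ; when `MdSize` differs from `ASN1_STRING_length (Imprint->HashedMessage)` the `&&` short-circuits and control falls through instead of reaching `goto _Exit`. Unless a length check exists outside this hunk, a token whose hashed-message length does not match the digest size skips the comparison entirely. The condition should reject on either mismatch, i.e. `if ((MdSize != (UINTN)ASN1_STRING_length (Imprint->HashedMessage)) ||` followed by the existing `(CompareMem (...) != 0)) {` line. The enclosing function starts and ends outside the hunk, so what runs after this check is not visible here.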
\r
\r
_Exit:\r
X509_ALGOR_free (HashAlgo);\r
+ EVP_MD_CTX_free (MdCtx);\r
if (HashedMsg != NULL) {\r
FreePool (HashedMsg);\r
}\r
}\r
\r
/**\r
- Verifies the validility of a TimeStamp Token as described in RFC 3161 ("Internet\r
+ Verifies the validity of a TimeStamp Token as described in RFC 3161 ("Internet\r
X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)").\r
\r
If TSToken is NULL, then return FALSE.\r
}\r
\r
//\r
- // Register customized X509 verification callback function to support\r
- // trusted intermediate TSA certificate anchor.\r
+ // Allow partial certificate chains, terminated by a non-self-signed but\r
+ // still trusted intermediate certificate. Also disable time checks.\r
//\r
- CertStore->verify_cb = TSVerifyCallback;\r
+ X509_STORE_set_flags (CertStore,\r
+ X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME);\r
\r
X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);\r
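Review bot: The new comment above `X509_STORE_set_flags` says time checks are disabled, but not what the verification then relies on. With `X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME`, any certificate present in `CertStore` can terminate the chain as a trust anchor, and expired or not-yet-valid certificates are accepted. Together with `X509_PURPOSE_ANY` on the following line, no key-usage restriction is applied either. I would extend the comment with `// NOTE: validity periods are not enforced and any certificate in CertStore acts as a trust anchor, so trust rests entirely on what the caller enrolled.` It may also be worth checking whether `X509_PURPOSE_TIMESTAMP_SIGN` could replace `X509_PURPOSE_ANY`; the rest of the function is outside this hunk, so that may already be handled elsewhere.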
\r
}\r
\r
/**\r
- Verifies the validility of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode\r
+ Verifies the validity of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode\r
signature.\r
\r
If AuthData is NULL, then return FALSE.\r