2. Replace d2i_X509_bio with d2i_X509.
Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ling Qin <qin.long@intel.com>
Reviewed-by: Ouyang Qian <qian.ouyang@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14026
6f19259b-4bc3-4df7-8a09-
765794883524
\r
#include <openssl/objects.h>\r
#include <openssl/x509.h>\r
\r
#include <openssl/objects.h>\r
#include <openssl/x509.h>\r
+#include <openssl/x509v3.h>\r
#include <openssl/pkcs7.h>\r
\r
UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };\r
#include <openssl/pkcs7.h>\r
\r
UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };\r
BIO *DataBio;\r
BOOLEAN Status;\r
X509 *Cert;\r
BIO *DataBio;\r
BOOLEAN Status;\r
X509 *Cert;\r
DataBio = NULL;\r
Cert = NULL;\r
CertStore = NULL;\r
DataBio = NULL;\r
Cert = NULL;\r
CertStore = NULL;\r
//\r
// Read DER-encoded root certificate and Construct X509 Certificate\r
//\r
//\r
// Read DER-encoded root certificate and Construct X509 Certificate\r
//\r
- CertBio = BIO_new (BIO_s_mem ());\r
- BIO_write (CertBio, TrustedCert, (int)CertLength);\r
- if (CertBio == NULL) {\r
- goto _Exit;\r
- }\r
- Cert = d2i_X509_bio (CertBio, NULL);\r
+ Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength);\r
if (Cert == NULL) {\r
goto _Exit;\r
}\r
if (Cert == NULL) {\r
goto _Exit;\r
}\r
DataBio = BIO_new (BIO_s_mem ());\r
BIO_write (DataBio, InData, (int)DataLength);\r
\r
DataBio = BIO_new (BIO_s_mem ());\r
BIO_write (DataBio, InData, (int)DataLength);\r
\r
+ //\r
+ // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and\r
+ // doesn't support the extended key usage for Authenticode Code Signing.\r
+ // Bypass the certificate purpose checking by enabling any purposes setting.\r
+ //\r
+ X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);\r
+\r
//\r
// Verifies the PKCS#7 signedData structure\r
//\r
//\r
// Verifies the PKCS#7 signedData structure\r
//\r
// Release Resources\r
//\r
BIO_free (DataBio);\r
// Release Resources\r
//\r
BIO_free (DataBio);\r
X509_free (Cert);\r
X509_STORE_free (CertStore);\r
PKCS7_free (Pkcs7);\r
X509_free (Cert);\r
X509_STORE_free (CertStore);\r
PKCS7_free (Pkcs7);\r
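Review bot: The return value of `X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY)` is discarded; the call returns 0 on failure, in which case the store keeps its default purpose and the verification below no longer behaves as the comment above it promises, so fail closed like the other setup steps: `if (X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY) == 0) { goto _Exit; }`. X509_PURPOSE_ANY also disables purpose and EKU checking for every certificate in the chain, not only the SMIME check the comment names, so the code-signing restriction now rests entirely on the anchor passed in TrustedCert; a line in that comment such as `// No EKU/purpose is enforced after this call; trust is bounded only by TrustedCert.` would make that explicit to the next maintainer. Separately, `d2i_X509 (NULL, &TrustedCert, (long) CertLength)` advances TrustedCert past the decoded object (so it must not be reused afterwards as the buffer start) and the `(long)` cast silently truncates on toolchains where long is narrower than UINTN, which suggests a guard like `if (CertLength > (UINTN) LONG_MAX) { goto _Exit; }` before the call; the same two points apply to the `d2i_X509 (NULL, &Cert, ...)` line in the X509 construct hunk below. The enclosing function's signature and return lie outside this hunk, so the parameter declarations are assumed, not seen.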
OUT UINT8 **SingleX509Cert\r
)\r
{\r
OUT UINT8 **SingleX509Cert\r
)\r
{\r
\r
//\r
// Check input parameters.\r
\r
//\r
// Check input parameters.\r
//\r
// Read DER-encoded X509 Certificate and Construct X509 object.\r
//\r
//\r
// Read DER-encoded X509 Certificate and Construct X509 object.\r
//\r
- CertBio = BIO_new (BIO_s_mem ());\r
- BIO_write (CertBio, Cert, (int) CertSize);\r
- if (CertBio == NULL) {\r
- goto _Exit;\r
- }\r
- X509Cert = d2i_X509_bio (CertBio, NULL);\r
+ X509Cert = d2i_X509 (NULL, &Cert, (long) CertSize);\r
if (X509Cert == NULL) {\r
if (X509Cert == NULL) {\r
}\r
\r
*SingleX509Cert = (UINT8 *) X509Cert;\r
}\r
\r
*SingleX509Cert = (UINT8 *) X509Cert;\r
-_Exit:\r
- //\r
- // Release Resources.\r
- //\r
- BIO_free (CertBio);\r
-\r
- return Status;\r
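Review bot: With `_Exit:` and `return Status;` removed at the tail of this function, any `goto _Exit` that still lives in the "Check input parameters" block above (its bodies are elided here, and the function's signature is outside the hunk) would now reference a missing label, so confirm those checks return directly and that the function still has a return on every path. The new `d2i_X509 (NULL, &Cert, (long) CertSize)` also does not reject trailing bytes after the DER object, so an oversized or padded buffer decodes successfully; if exactly one certificate is what callers are expected to pass (the parameter name suggests so, but that is an inference), decode through a scratch pointer and compare it with the expected end, declaring the scratch pointer with the function's other locals as `CONST UINT8 *Ptr` (assuming Cert is `CONST UINT8 *`).
```c
  //
  // Read DER-encoded X509 Certificate and Construct X509 object.
  //
  Ptr      = Cert;
  X509Cert = d2i_X509 (NULL, &Ptr, (long) CertSize);
  if (X509Cert == NULL) {
    // … unchanged: decode-failure handling …
  }
  //
  // Reject input that is not exactly one DER-encoded certificate.
  //
  if (Ptr != Cert + CertSize) {
    X509_free (X509Cert);
    X509Cert = NULL;
  }
```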
===================================================================\r
--- crypto/x509/x509_vfy.c (revision 1)\r
+++ crypto/x509/x509_vfy.c (working copy)\r
===================================================================\r
--- crypto/x509/x509_vfy.c (revision 1)\r
+++ crypto/x509/x509_vfy.c (working copy)\r
-@@ -386,7 +386,11 @@\r
- \r
- static int check_chain_extensions(X509_STORE_CTX *ctx)\r
- {\r
--#ifdef OPENSSL_NO_CHAIN_VERIFY\r
-+#if defined(OPENSSL_NO_CHAIN_VERIFY) || defined(OPENSSL_SYS_UEFI)\r
-+ /* \r
-+ NOTE: Bypass KU Flags Checking for UEFI version. There are incorrect KU flag setting\r
-+ in Authenticode Signing Certificates. \r
-+ */\r
- return 1;\r
- #else\r
- int i, ok=0, must_be_ca, plen = 0;\r
-@@ -899,6 +903,10 @@\r
\r
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)\r
{\r
\r
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)\r
{\r
time_t *ptime;\r
int i;\r
\r
time_t *ptime;\r
int i;\r
\r