\r
#include <openssl/objects.h>\r
#include <openssl/x509.h>\r
+#include <openssl/x509v3.h>\r
#include <openssl/pkcs7.h>\r
\r
UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };\r
)\r
{\r
PKCS7 *Pkcs7;\r
- BIO *CertBio;\r
BIO *DataBio;\r
BOOLEAN Status;\r
X509 *Cert;\r
}\r
\r
Pkcs7 = NULL;\r
- CertBio = NULL;\r
DataBio = NULL;\r
Cert = NULL;\r
CertStore = NULL;\r
//\r
// Read DER-encoded root certificate and Construct X509 Certificate\r
//\r
- CertBio = BIO_new (BIO_s_mem ());\r
- BIO_write (CertBio, TrustedCert, (int)CertLength);\r
- if (CertBio == NULL) {\r
- goto _Exit;\r
- }\r
- Cert = d2i_X509_bio (CertBio, NULL);\r
+ Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength);\r
if (Cert == NULL) {\r
goto _Exit;\r
}\r
DataBio = BIO_new (BIO_s_mem ());\r
BIO_write (DataBio, InData, (int)DataLength);\r
\r
+ //\r
+ // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and\r
+ // doesn't support the extended key usage for Authenticode Code Signing.\r
+ // Bypass the certificate purpose checking by enabling any purposes setting.\r
+ //\r
+ X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);\r
+\r
//\r
// Verifies the PKCS#7 signedData structure\r
//\r
// Release Resources\r
//\r
BIO_free (DataBio);\r
- BIO_free (CertBio);\r
X509_free (Cert);\r
X509_STORE_free (CertStore);\r
PKCS7_free (Pkcs7);\r
OUT UINT8 **SingleX509Cert\r
)\r
{\r
- BIO *CertBio;\r
X509 *X509Cert;\r
- BOOLEAN Status;\r
\r
//\r
// Check input parameters.\r
return FALSE;\r
}\r
\r
- Status = FALSE;\r
-\r
//\r
// Read DER-encoded X509 Certificate and Construct X509 object.\r
//\r
- CertBio = BIO_new (BIO_s_mem ());\r
- BIO_write (CertBio, Cert, (int) CertSize);\r
- if (CertBio == NULL) {\r
- goto _Exit;\r
- }\r
- X509Cert = d2i_X509_bio (CertBio, NULL);\r
+ X509Cert = d2i_X509 (NULL, &Cert, (long) CertSize);\r
if (X509Cert == NULL) {\r
- goto _Exit;\r
+ return FALSE;\r
}\r
\r
*SingleX509Cert = (UINT8 *) X509Cert;\r
- Status = TRUE;\r
\r
-_Exit:\r
- //\r
- // Release Resources.\r
- //\r
- BIO_free (CertBio);\r
-\r
- return Status;\r
+ return TRUE;\r
}\r
\r
/**\r
===================================================================\r
--- crypto/x509/x509_vfy.c (revision 1)\r
+++ crypto/x509/x509_vfy.c (working copy)\r
-@@ -386,7 +386,11 @@\r
- \r
- static int check_chain_extensions(X509_STORE_CTX *ctx)\r
- {\r
--#ifdef OPENSSL_NO_CHAIN_VERIFY\r
-+#if defined(OPENSSL_NO_CHAIN_VERIFY) || defined(OPENSSL_SYS_UEFI)\r
-+ /* \r
-+ NOTE: Bypass KU Flags Checking for UEFI version. There are incorrect KU flag setting\r
-+ in Authenticode Signing Certificates. \r
-+ */\r
- return 1;\r
- #else\r
- int i, ok=0, must_be_ca, plen = 0;\r
-@@ -899,6 +903,10 @@\r
+@@ -899,6 +899,10 @@\r
\r
static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)\r
{\r
time_t *ptime;\r
int i;\r
\r
-@@ -942,6 +950,7 @@\r
+@@ -942,6 +946,7 @@\r
}\r
\r
return 1;\r