CryptoPkg/BaseCryptLib: Use X509_V_FLAG_PARTIAL_CHAIN

Since OpenSSL 1.0.2 we can set this flag on the X509_STORE to instruct
OpenSSL to accept non-self-signed certificates as trusted. So we don't
need two entirely identical copies of a verify_cb() function which makes
it ignore the resulting errors.

We also *didn't* use that verify_cb() function for X509VerifyCert(), but
probably should have done. So that can get X509_V_FLAG_PARTIAL_CHAIN for
consistency, too.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18703 6f19259b-4bc3-4df7-8a09-765794883524

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index d0b0c838b83a4b4ff3a8a4ebeedba9e4d9dcfcd1..4d23cbfb945164ba4824e79b5b512f6479ae0e67 100644 (file)
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -30,87 +30,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 \r
 UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };\r
 \r
 \r
 UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };\r
 \r

-/**\r
-  Verification callback function to override any existing callbacks in OpenSSL\r
-  for intermediate certificate supports.\r
-\r
-  @param[in]  Status   Original status before calling this callback.\r
-  @param[in]  Context  X509 store context.\r
-\r
-  @retval     1        Current X509 certificate is verified successfully.\r
-  @retval     0        Verification failed.\r
-\r
-**/\r
-int\r
-X509VerifyCb (\r
-  IN int            Status,\r
-  IN X509_STORE_CTX *Context\r
-  )\r
-{\r
-  X509_OBJECT  *Obj;\r
-  INTN         Error;\r
-  INTN         Index;\r
-  INTN         Count;\r
-\r
-  Obj   = NULL;\r
-  Error = (INTN) X509_STORE_CTX_get_error (Context);\r
-\r
-  //\r
-  // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_\r
-  // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer\r
-  // can not be found in X509_verify_cert of X509_vfy.c.\r
-  // In order to support intermediate certificate node, we override the\r
-  // errors if the certification is obtained from X509 store, i.e. it is\r
-  // a trusted ceritifcate node that is enrolled by user.\r
-  // Besides,X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE\r
-  // are also ignored to enable such feature.\r
-  //\r
-  if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||\r
-      (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {\r
-    Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));\r
-    if (Obj == NULL) {\r
-      return 0;\r
-    }\r
-\r
-    Obj->type      = X509_LU_X509;\r
-    Obj->data.x509 = Context->current_cert;\r
-\r
-    CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE);\r
-\r
-    if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {\r
-      Status = 1;\r
-    } else {\r
-      //\r
-      // If any certificate in the chain is enrolled as trusted certificate,\r
-      // pass the certificate verification.\r
-      //\r
-      if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {\r
-        Count = (INTN) sk_X509_num (Context->chain);\r
-        for (Index = 0; Index < Count; Index++) {\r
-          Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);\r
-          if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {\r
-            Status = 1;\r
-            break;\r
-          }\r
-        }\r
-      }\r
-    }\r
-\r
-    CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE);\r
-  }\r
-\r
-  if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||\r
-      (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {\r
-    Status = 1;\r
-  }\r
-\r
-  if (Obj != NULL) {\r
-    OPENSSL_free (Obj);\r
-  }\r
-\r
-  return Status;\r
-}\r
-\r

 /**\r
   Check input P7Data is a wrapped ContentInfo structure or not. If not construct\r
   a new structure to wrap P7Data.\r
 /**\r
   Check input P7Data is a wrapped ContentInfo structure or not. If not construct\r
   a new structure to wrap P7Data.\r


@@ -635,12 +554,6 @@ Pkcs7Verify (
     goto _Exit;\r
   }\r
 \r
     goto _Exit;\r
   }\r
 \r

-  //\r
-  // Register customized X509 verification callback function to support\r
-  // trusted intermediate certificate anchor.\r
-  //\r
-  CertStore->verify_cb = X509VerifyCb;\r
-\r

   //\r
   // For generic PKCS#7 handling, InData may be NULL if the content is present\r
   // in PKCS#7 structure. So ignore NULL checking here.\r
   //\r
   // For generic PKCS#7 handling, InData may be NULL if the content is present\r
   // in PKCS#7 structure. So ignore NULL checking here.\r


@@ -654,6 +567,12 @@ Pkcs7Verify (
     goto _Exit;\r
   }\r
 \r
     goto _Exit;\r
   }\r
 \r

+  //\r
+  // Allow partial certificate chains, terminated by a non-self-signed but\r
+  // still trusted intermediate certificate.\r
+  //\r
+  X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);\r
+\r

   //\r
   // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and\r
   // doesn't support the extended key usage for Authenticode Code Signing.\r
   //\r
   // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and\r
   // doesn't support the extended key usage for Authenticode Code Signing.\r

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
index efb40b8234215077d2cab6a56414792427c46889..449a08db2c6391599e5d42ffbd2961adec4cc496 100644 (file)
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
@@ -136,87 +136,6 @@ ASN1_SEQUENCE (TS_TST_INFO) = {
 IMPLEMENT_ASN1_FUNCTIONS (TS_TST_INFO)\r
 \r
 \r
 IMPLEMENT_ASN1_FUNCTIONS (TS_TST_INFO)\r
 \r
 \r

-/**\r
-  Verification callback function to override any existing callbacks in OpenSSL\r
-  for intermediate TSA certificate supports.\r
-\r
-  @param[in]  Status   Original status before calling this callback.\r
-  @param[in]  Context  X509 store context.\r
-\r
-  @retval     1        Current X509 certificate is verified successfully.\r
-  @retval     0        Verification failed.\r
-\r
-**/\r
-int\r
-TSVerifyCallback (\r
-  IN int             Status,\r
-  IN X509_STORE_CTX  *Context\r
-  )\r
-{\r
-  X509_OBJECT  *Obj;\r
-  INTN         Error;\r
-  INTN         Index;\r
-  INTN         Count;\r
-\r
-  Obj   = NULL;\r
-  Error = (INTN) X509_STORE_CTX_get_error (Context);\r
-\r
-  //\r
-  // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_\r
-  // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer\r
-  // can not be found in X509_verify_cert of X509_vfy.c.\r
-  // In order to support intermediate certificate node, we override the\r
-  // errors if the certification is obtained from X509 store, i.e. it is\r
-  // a trusted ceritifcate node that is enrolled by user.\r
-  // Besides,X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE\r
-  // are also ignored to enable such feature.\r
-  //\r
-  if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||\r
-      (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {\r
-    Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));\r
-    if (Obj == NULL) {\r
-      return 0;\r
-    }\r
-\r
-    Obj->type      = X509_LU_X509;\r
-    Obj->data.x509 = Context->current_cert;\r
-\r
-    CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE);\r
-\r
-    if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {\r
-      Status = 1;\r
-    } else {\r
-      //\r
-      // If any certificate in the chain is enrolled as trusted certificate,\r
-      // pass the certificate verification.\r
-      //\r
-      if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {\r
-        Count = (INTN) sk_X509_num (Context->chain);\r
-        for (Index = 0; Index < Count; Index++) {\r
-          Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);\r
-          if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {\r
-            Status = 1;\r
-            break;\r
-          }\r
-        }\r
-      }\r
-    }\r
-\r
-    CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE);\r
-  }\r
-\r
-  if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||\r
-      (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {\r
-    Status = 1;\r
-  }\r
-\r
-  if (Obj != NULL) {\r
-    OPENSSL_free (Obj);\r
-  }\r
-\r
-  return Status;\r
-}\r
-\r

 /**\r
   Convert ASN.1 GeneralizedTime to EFI Time.\r
 \r
 /**\r
   Convert ASN.1 GeneralizedTime to EFI Time.\r
 \r


@@ -506,10 +425,10 @@ TimestampTokenVerify (
   }\r
 \r
   //\r
   }\r
 \r
   //\r

-  // Register customized X509 verification callback function to support\r
-  // trusted intermediate TSA certificate anchor.\r
+  // Allow partial certificate chains, terminated by a non-self-signed but\r
+  // still trusted intermediate certificate.\r

   //\r
   //\r

-  CertStore->verify_cb = TSVerifyCallback;\r
+  X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);\r

 \r
   X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);\r
 \r
 \r
   X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);\r
 \r

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 5d6be6fce9e545408529b43c6baff85d059d8e08..669a7af3db0367d172bacf71d1e42b167ac2e5ac 100644 (file)
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -463,6 +463,12 @@ X509VerifyCert (
     goto _Exit;\r
   }\r
 \r
     goto _Exit;\r
   }\r
 \r

+  //\r
+  // Allow partial certificate chains, terminated by a non-self-signed but\r
+  // still trusted intermediate certificate.\r
+  //\r
+  X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);\r
+\r

   //\r
   // Set up X509_STORE_CTX for the subsequent verification operation.\r
   //\r
   //\r
   // Set up X509_STORE_CTX for the subsequent verification operation.\r
   //\r