Use RsaGetPublicKeyFromX509() to validate the given X.509 certificate for PK/KEK...

Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>
git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13553 6f19259b-4bc3-4df7-8a09-765794883524

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index b25c04368412cd78924ea1d32496655a7c1d8196..09c58db985928a44c5351a70c9b5fd9e4b243847 100644 (file)
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -746,7 +746,7 @@ UpdatePlatformMode (
 }\r
 \r
 /**\r
-  Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for PK/KEK variable.\r
+  Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for PK/KEK/db/dbx variable.\r
 \r
   @param[in]  VariableName                Name of Variable to be check.\r
   @param[in]  VendorGuid                  Variable vendor GUID.\r
@@ -770,6 +770,9 @@ CheckSignatureListFormat(
   UINT32                 Index;\r
   UINT32                 SigCount;\r
   BOOLEAN                IsPk;\r
+  VOID                   *RsaContext;\r
+  EFI_SIGNATURE_DATA     *CertData;\r
+  UINTN                  CertLen;\r
 \r
   if (DataSize == 0) {\r
     return EFI_SUCCESS;\r
@@ -779,7 +782,9 @@ CheckSignatureListFormat(
 \r
   if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0)){\r
     IsPk = TRUE;\r
-  } else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) {\r
+  } else if ((CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0) ||\r
+             (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) && \r
+              (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0 || StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0))){\r
     IsPk = FALSE;\r
   } else {\r
     return EFI_SUCCESS;\r
@@ -788,6 +793,7 @@ CheckSignatureListFormat(
   SigCount = 0;\r
   SigList  = (EFI_SIGNATURE_LIST *) Data;\r
   SigDataSize  = DataSize;\r
+  RsaContext = NULL;\r
 \r
   //\r
   // Walk throuth the input signature list and check the data format.\r
@@ -819,6 +825,24 @@ CheckSignatureListFormat(
       return EFI_INVALID_PARAMETER;\r
     }\r
 \r
+    if (CompareGuid (&SigList->SignatureType, &gEfiCertX509Guid)) {\r
+      //\r
+      // Try to retrieve the RSA public key from the X.509 certificate.\r
+      // If this operation fails, it's not a valid certificate.\r
+      //\r
+      RsaContext = RsaNew ();\r
+      if (RsaContext == NULL) {\r
+        return EFI_INVALID_PARAMETER;\r
+      }\r
+      CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) SigList + sizeof (EFI_SIGNATURE_LIST) + SigList->SignatureHeaderSize);\r
+      CertLen = SigList->SignatureSize - sizeof (EFI_GUID);\r
+      if (!RsaGetPublicKeyFromX509 (CertData->SignatureData, CertLen, &RsaContext)) {\r
+        RsaFree (RsaContext);\r
+        return EFI_INVALID_PARAMETER;\r
+      }\r
+      RsaFree (RsaContext);\r
+    }\r
+\r
     if ((SigList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - SigList->SignatureHeaderSize) % SigList->SignatureSize != 0) {\r
       return EFI_INVALID_PARAMETER;\r
     }\r
@@ -1029,6 +1053,11 @@ ProcessVarWithKek (
     Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);\r
     PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
 \r
+    Status = CheckSignatureListFormat(VariableName, VendorGuid, Payload, PayloadSize);\r
+    if (EFI_ERROR (Status)) {\r
+      return Status;\r
+    }\r
+    \r
     Status = UpdateVariable (\r
                VariableName,\r
                VendorGuid,\r