Library

sfu5 Thu, 27 Dec 2012 17:21:08 -0800

Revision: 14026
          http://edk2.svn.sourceforge.net/edk2/?rev=14026&view=rev
Author:   sfu5
Date:     2012-12-28 01:20:57 +0000 (Fri, 28 Dec 2012)
Log Message:
-----------
1. Enable the whole X509v3 extension checking.
2. Replace d2i_X509_bio with d2i_X509.


Signed-off-by: Fu Siyuan <[email protected]>
Reviewed-by: Ling Qin <[email protected]>
Reviewed-by: Ouyang Qian <[email protected]>

Modified Paths:
--------------
    trunk/edk2/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
    trunk/edk2/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
    trunk/edk2/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch

Modified: trunk/edk2/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
===================================================================
--- trunk/edk2/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c     
2012-12-27 02:13:15 UTC (rev 14025)
+++ trunk/edk2/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c     
2012-12-28 01:20:57 UTC (rev 14026)
@@ -25,6 +25,7 @@
 
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/pkcs7.h>
 
 UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
@@ -543,7 +544,6 @@
   )
 {
   PKCS7       *Pkcs7;
-  BIO         *CertBio;
   BIO         *DataBio;
   BOOLEAN     Status;
   X509        *Cert;
@@ -562,7 +562,6 @@
   }
   
   Pkcs7     = NULL;
-  CertBio   = NULL;
   DataBio   = NULL;
   Cert      = NULL;
   CertStore = NULL;
@@ -614,12 +613,7 @@
   //
   // Read DER-encoded root certificate and Construct X509 Certificate
   //
-  CertBio = BIO_new (BIO_s_mem ());
-  BIO_write (CertBio, TrustedCert, (int)CertLength);
-  if (CertBio == NULL) {
-    goto _Exit;
-  }
-  Cert = d2i_X509_bio (CertBio, NULL);
+  Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength);
   if (Cert == NULL) {
     goto _Exit;
   }
@@ -649,6 +643,13 @@
   BIO_write (DataBio, InData, (int)DataLength);
 
   //
+  // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and
+  // doesn't support the extended key usage for Authenticode Code Signing.
+  // Bypass the certificate purpose checking by enabling any purposes setting.
+  //
+  X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
+
+  //
   // Verifies the PKCS#7 signedData structure
   //
   Status = (BOOLEAN) PKCS7_verify (Pkcs7, NULL, CertStore, DataBio, NULL, 
PKCS7_BINARY);
@@ -658,7 +659,6 @@
   // Release Resources
   //
   BIO_free (DataBio);
-  BIO_free (CertBio);
   X509_free (Cert);
   X509_STORE_free (CertStore);
   PKCS7_free (Pkcs7);

Modified: trunk/edk2/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
===================================================================
--- trunk/edk2/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c    2012-12-27 
02:13:15 UTC (rev 14025)
+++ trunk/edk2/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c    2012-12-28 
01:20:57 UTC (rev 14026)
@@ -38,9 +38,7 @@
   OUT  UINT8        **SingleX509Cert
   )
 {
-  BIO      *CertBio;
   X509     *X509Cert;
-  BOOLEAN  Status;
 
   //
   // Check input parameters.
@@ -49,31 +47,17 @@
     return FALSE;
   }
 
-  Status = FALSE;
-
   //
   // Read DER-encoded X509 Certificate and Construct X509 object.
   //
-  CertBio = BIO_new (BIO_s_mem ());
-  BIO_write (CertBio, Cert, (int) CertSize);
-  if (CertBio == NULL) {
-    goto _Exit;
-  }
-  X509Cert = d2i_X509_bio (CertBio, NULL);
+  X509Cert = d2i_X509 (NULL, &Cert, (long) CertSize);
   if (X509Cert == NULL) {
-    goto _Exit;
+    return FALSE;
   }
 
   *SingleX509Cert = (UINT8 *) X509Cert;
-  Status = TRUE;
 
-_Exit:
-  //
-  // Release Resources.
-  //
-  BIO_free (CertBio);
-
-  return Status;
+  return TRUE;
 }
 
 /**

Modified: trunk/edk2/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch
===================================================================
--- trunk/edk2/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch  
2012-12-27 02:13:15 UTC (rev 14025)
+++ trunk/edk2/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch  
2012-12-28 01:20:57 UTC (rev 14026)
@@ -260,21 +260,8 @@
 ===================================================================
 --- crypto/x509/x509_vfy.c     (revision 1)
 +++ crypto/x509/x509_vfy.c     (working copy)
-@@ -386,7 +386,11 @@
+@@ -899,6 +899,10 @@
  
- static int check_chain_extensions(X509_STORE_CTX *ctx)
- {
--#ifdef OPENSSL_NO_CHAIN_VERIFY
-+#if defined(OPENSSL_NO_CHAIN_VERIFY) || defined(OPENSSL_SYS_UEFI)
-+  /* 
-+    NOTE: Bypass KU Flags Checking for UEFI version. There are incorrect KU 
flag setting
-+          in Authenticode Signing Certificates. 
-+  */
-       return 1;
- #else
-       int i, ok=0, must_be_ca, plen = 0;
-@@ -899,6 +903,10 @@
- 
  static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
        {
 +#if defined(OPENSSL_SYS_UEFI)
@@ -284,7 +271,7 @@
        time_t *ptime;
        int i;
  
-@@ -942,6 +950,7 @@
+@@ -942,6 +946,7 @@
                }
  
        return 1;

This was sent by the SourceForge.net collaborative development platform, the 
world's largest Open Source development site.


------------------------------------------------------------------------------
Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
much more. Get web development skills now with LearnDevNow -
350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122812
_______________________________________________
edk2-commits mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-commits

SF.net SVN: edk2:[14026] trunk/edk2/CryptoPkg/Library

Reply via email to