Revision: 19560
http://sourceforge.net/p/edk2/code/19560
Author: vanjeff
Date: 2015-12-29 03:13:44 +0000 (Tue, 29 Dec 2015)
Log Message:
-----------
CryptoPkg/BaseCryptLib: Use X509_V_FLAG_PARTIAL_CHAIN
Since OpenSSL 1.0.2 we can set this flag on the X509_STORE to instruct
OpenSSL to accept non-self-signed certificates as trusted. So we don't
need two entirely identical copies of a verify_cb() function that make
it ignore the resulting errors.
We also *didn't* use that verify_cb() function for X509VerifyCert(), but
probably should have done. So that can get X509_V_FLAG_PARTIAL_CHAIN for
consistency, too.
(Sync patch r18703 from main trunk.)
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <[email protected]>
Reviewed-by: Qin Long <[email protected]>
Revision Links:
--------------
http://sourceforge.net/p/edk2/code/18703
Modified Paths:
--------------
branches/UDK2015/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
branches/UDK2015/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
branches/UDK2015/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
Modified: branches/UDK2015/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
===================================================================
--- branches/UDK2015/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
2015-12-29 03:13:10 UTC (rev 19559)
+++ branches/UDK2015/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
2015-12-29 03:13:44 UTC (rev 19560)
@@ -31,87 +31,6 @@
UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
/**
- Verification callback function to override any existing callbacks in OpenSSL
- for intermediate certificate supports.
-
- @param[in] Status Original status before calling this callback.
- @param[in] Context X509 store context.
-
- @retval 1 Current X509 certificate is verified successfully.
- @retval 0 Verification failed.
-
-**/
-int
-X509VerifyCb (
- IN int Status,
- IN X509_STORE_CTX *Context
- )
-{
- X509_OBJECT *Obj;
- INTN Error;
- INTN Index;
- INTN Count;
-
- Obj = NULL;
- Error = (INTN) X509_STORE_CTX_get_error (Context);
-
- //
- // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_
- // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer
- // can not be found in X509_verify_cert of X509_vfy.c.
- // In order to support intermediate certificate node, we override the
- // errors if the certification is obtained from X509 store, i.e. it is
- // a trusted ceritifcate node that is enrolled by user.
- // Besides,X509_V_ERR_CERT_UNTRUSTED and
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
- // are also ignored to enable such feature.
- //
- if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||
- (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {
- Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));
- if (Obj == NULL) {
- return 0;
- }
-
- Obj->type = X509_LU_X509;
- Obj->data.x509 = Context->current_cert;
-
- CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE);
-
- if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
- Status = 1;
- } else {
- //
- // If any certificate in the chain is enrolled as trusted certificate,
- // pass the certificate verification.
- //
- if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {
- Count = (INTN) sk_X509_num (Context->chain);
- for (Index = 0; Index < Count; Index++) {
- Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);
- if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
- Status = 1;
- break;
- }
- }
- }
- }
-
- CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE);
- }
-
- if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||
- (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
- Status = 1;
- }
-
- if (Obj != NULL) {
- OPENSSL_free (Obj);
- }
-
- return Status;
-}
-
-/**
Check input P7Data is a wrapped ContentInfo structure or not. If not
construct
a new structure to wrap P7Data.
@@ -924,12 +843,6 @@
}
//
- // Register customized X509 verification callback function to support
- // trusted intermediate certificate anchor.
- //
- CertStore->verify_cb = X509VerifyCb;
-
- //
// For generic PKCS#7 handling, InData may be NULL if the content is present
// in PKCS#7 structure. So ignore NULL checking here.
//
@@ -943,6 +856,12 @@
}
//
+ // Allow partial certificate chains, terminated by a non-self-signed but
+ // still trusted intermediate certificate.
+ //
+ X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
+
+ //
// OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and
// doesn't support the extended key usage for Authenticode Code Signing.
// Bypass the certificate purpose checking by enabling any purposes setting.
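Review bot: The comment above `X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);` states what the flag permits but not what the removed callback permitted that the flag does not: the deleted X509VerifyCb also forced Status to 1 on X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, so a chain whose top certificate is absent from CertStore, or a lone leaf whose issuer cannot be located, previously verified and, as far as I can tell, now fails. That is the right direction for a code-signing verifier, but it is a behavioural change callers may notice, so it deserves a line in the comment, e.g. `// Unlike the former X509VerifyCb this does not suppress X509_V_ERR_CERT_UNTRUSTED or X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: the chain must still end at a certificate enrolled in CertStore.` The same applies to the CryptTs.c hunk that replaces TSVerifyCallback with the same flag. The enclosing function starts and ends outside this hunk.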
Modified: branches/UDK2015/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
===================================================================
--- branches/UDK2015/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
2015-12-29 03:13:10 UTC (rev 19559)
+++ branches/UDK2015/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
2015-12-29 03:13:44 UTC (rev 19560)
@@ -137,87 +137,6 @@
/**
- Verification callback function to override any existing callbacks in OpenSSL
- for intermediate TSA certificate supports.
-
- @param[in] Status Original status before calling this callback.
- @param[in] Context X509 store context.
-
- @retval 1 Current X509 certificate is verified successfully.
- @retval 0 Verification failed.
-
-**/
-int
-TSVerifyCallback (
- IN int Status,
- IN X509_STORE_CTX *Context
- )
-{
- X509_OBJECT *Obj;
- INTN Error;
- INTN Index;
- INTN Count;
-
- Obj = NULL;
- Error = (INTN) X509_STORE_CTX_get_error (Context);
-
- //
- // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_
- // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer
- // can not be found in X509_verify_cert of X509_vfy.c.
- // In order to support intermediate certificate node, we override the
- // errors if the certification is obtained from X509 store, i.e. it is
- // a trusted ceritifcate node that is enrolled by user.
- // Besides,X509_V_ERR_CERT_UNTRUSTED and
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
- // are also ignored to enable such feature.
- //
- if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||
- (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {
- Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));
- if (Obj == NULL) {
- return 0;
- }
-
- Obj->type = X509_LU_X509;
- Obj->data.x509 = Context->current_cert;
-
- CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE);
-
- if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
- Status = 1;
- } else {
- //
- // If any certificate in the chain is enrolled as trusted certificate,
- // pass the certificate verification.
- //
- if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {
- Count = (INTN) sk_X509_num (Context->chain);
- for (Index = 0; Index < Count; Index++) {
- Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);
- if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
- Status = 1;
- break;
- }
- }
- }
- }
-
- CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE);
- }
-
- if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||
- (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
- Status = 1;
- }
-
- if (Obj != NULL) {
- OPENSSL_free (Obj);
- }
-
- return Status;
-}
-
-/**
Convert ASN.1 GeneralizedTime to EFI Time.
@param[in] Asn1Time Pointer to the ASN.1 GeneralizedTime to be
converted.
@@ -506,10 +425,10 @@
}
//
- // Register customized X509 verification callback function to support
- // trusted intermediate TSA certificate anchor.
+ // Allow partial certificate chains, terminated by a non-self-signed but
+ // still trusted intermediate certificate.
//
- CertStore->verify_cb = TSVerifyCallback;
+ X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
Modified: branches/UDK2015/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
===================================================================
--- branches/UDK2015/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
2015-12-29 03:13:10 UTC (rev 19559)
+++ branches/UDK2015/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
2015-12-29 03:13:44 UTC (rev 19560)
@@ -464,6 +464,12 @@
}
//
+ // Allow partial certificate chains, terminated by a non-self-signed but
+ // still trusted intermediate certificate.
+ //
+ X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
+
+ //
// Set up X509_STORE_CTX for the subsequent verification operation.
//
if (!X509_STORE_CTX_init (&CertCtx, CertStore, X509Cert, NULL)) {
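Review bot: In X509VerifyCert this hunk relaxes rather than tightens the check, and nothing on the page documents it: before the hunk the store carried no flags, so CACert had to chain up to a self-signed root, whereas with X509_V_FLAG_PARTIAL_CHAIN a non-self-signed CACert is accepted as the trust anchor on its own. The function's header comment (outside the hunk) should say so for the CACert parameter, along the lines of `CACert may be an intermediate CA certificate; verification succeeds once the chain reaches CACert, a self-signed root is not required.` Setting the flag before X509_STORE_CTX_init is the right order, since the context takes its verify parameters from the store at init time. The enclosing function starts and ends outside this hunk.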