Re: [edk2] [PATCH 2/2] SecurityPkg/AuthVariableLib: Use EFI_CERT_DATA to parse certificate

2017-11-06 Thread Long, Qin 
Reviewed-by: Long Qin <qin.l...@intel.com>


Best Regards & Thanks,
LONG, Qin

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of chenc2
Sent: Tuesday, November 7, 2017 9:05 AM
To: edk2-devel@lists.01.org
Cc: Zhang, Chao B <chao.b.zh...@intel.com>; Long, Qin <qin.l...@intel.com>
Subject: [edk2] [PATCH 2/2] SecurityPkg/AuthVariableLib: Use EFI_CERT_DATA to 
parse certificate

The function Pkcs7GetSigners return certificate stack as binary buffer.
Use EFI_CERT_DATA to parsing certificate stack more clearly, and access 
certificate by the field of EFI_CERT_DATA structure.

Cc: Long Qin <qin.l...@intel.com>
Cc: Zhang Chao <chao.b.zh...@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: chenc2 <chen.a.c...@intel.com>
---
 SecurityPkg/Library/AuthVariableLib/AuthService.c | 12 
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c 
b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 6cbeb98535..213a524f27 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -1828,6 +1828,7 @@ VerifyTimeBasedPayload (
   UINT8*CertsInCertDb;
   UINT32   CertsSizeinDb;
   UINT8Sha256Digest[SHA256_DIGEST_SIZE];
+  EFI_CERT_DATA*CertDataPtr;
 
   //
   // 1. TopLevelCert is the top-level issuer certificate in signature Signer 
Cert Chain @@ -1841,6 +1842,7 @@ VerifyTimeBasedPayload (
   SignerCerts= NULL;
   TopLevelCert   = NULL;
   CertsInCertDb  = NULL;
+  CertDataPtr= NULL;
 
   //
   // When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is 
@@ -2098,9 +2100,10 @@ VerifyTimeBasedPayload (
 //
 // Check hash of signer cert CommonName + Top-level issuer 
tbsCertificate against data in CertDb
 //
+CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
 Status = CalculatePrivAuthVarSignChainSHA256Digest(
-   SignerCerts + sizeof(UINT8) + sizeof(UINT32),
-   ReadUnaligned32 ((UINT32 *)(SignerCerts + sizeof(UINT8))),
+   CertDataPtr->CertDataBuffer,
+   ReadUnaligned32 ((UINT32 
+ *)&(CertDataPtr->CertDataLength)),
TopLevelCert,
TopLevelCertSize,
Sha256Digest
@@ -2135,12 +2138,13 @@ VerifyTimeBasedPayload (
   //
   // When adding a new common authenticated variable, always save Hash of 
cn of signer cert + tbsCertificate of Top-level issuer
   //
+  CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
   Status = InsertCertsToDb (
  VariableName,
  VendorGuid,
  Attributes,
- SignerCerts + sizeof(UINT8) + sizeof(UINT32),
- ReadUnaligned32 ((UINT32 *)(SignerCerts + sizeof(UINT8))),
+ CertDataPtr->CertDataBuffer,
+ ReadUnaligned32 ((UINT32 
+ *)&(CertDataPtr->CertDataLength)),
  TopLevelCert,
  TopLevelCertSize
  );
--
2.13.2.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

[edk2] [PATCH 2/2] SecurityPkg/AuthVariableLib: Use EFI_CERT_DATA to parse certificate

2017-11-06 Thread chenc2 
The function Pkcs7GetSigners return certificate stack as binary buffer.
Use EFI_CERT_DATA to parsing certificate stack more clearly, and access
certificate by the field of EFI_CERT_DATA structure.

Cc: Long Qin 
Cc: Zhang Chao 
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: chenc2 
---
 SecurityPkg/Library/AuthVariableLib/AuthService.c | 12 
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c 
b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 6cbeb98535..213a524f27 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -1828,6 +1828,7 @@ VerifyTimeBasedPayload (
   UINT8*CertsInCertDb;
   UINT32   CertsSizeinDb;
   UINT8Sha256Digest[SHA256_DIGEST_SIZE];
+  EFI_CERT_DATA*CertDataPtr;
 
   //
   // 1. TopLevelCert is the top-level issuer certificate in signature Signer 
Cert Chain
@@ -1841,6 +1842,7 @@ VerifyTimeBasedPayload (
   SignerCerts= NULL;
   TopLevelCert   = NULL;
   CertsInCertDb  = NULL;
+  CertDataPtr= NULL;
 
   //
   // When the attribute EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS is
@@ -2098,9 +2100,10 @@ VerifyTimeBasedPayload (
 //
 // Check hash of signer cert CommonName + Top-level issuer 
tbsCertificate against data in CertDb
 //
+CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
 Status = CalculatePrivAuthVarSignChainSHA256Digest(
-   SignerCerts + sizeof(UINT8) + sizeof(UINT32),
-   ReadUnaligned32 ((UINT32 *)(SignerCerts + sizeof(UINT8))),
+   CertDataPtr->CertDataBuffer,
+   ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
TopLevelCert,
TopLevelCertSize,
Sha256Digest
@@ -2135,12 +2138,13 @@ VerifyTimeBasedPayload (
   //
   // When adding a new common authenticated variable, always save Hash of 
cn of signer cert + tbsCertificate of Top-level issuer
   //
+  CertDataPtr = (EFI_CERT_DATA *)(SignerCerts + 1);
   Status = InsertCertsToDb (
  VariableName,
  VendorGuid,
  Attributes,
- SignerCerts + sizeof(UINT8) + sizeof(UINT32),
- ReadUnaligned32 ((UINT32 *)(SignerCerts + sizeof(UINT8))),
+ CertDataPtr->CertDataBuffer,
+ ReadUnaligned32 ((UINT32 *)&(CertDataPtr->CertDataLength)),
  TopLevelCert,
  TopLevelCertSize
  );
-- 
2.13.2.windows.1

___
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel