Re: [edk2] [Patch] CryptoPkg: Add one new API (Pkcs7GetCertificatesList) for certs retrieving.
On 3 November 2015 at 07:38, Qin Long wrote:
> Adding one new API (Pkcs7GetCertificatesList) to retrieve and sort all
> embedded certificates from Pkcs7 signedData. This new API will provide
> the support for UEFI 2.5 Secure-Boot AuditMode feature.
>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Qin Long
This patch breaks the CLANG35 build for AARCH64. Please see the patch
in the other thread.
> ---
> CryptoPkg/Include/Library/BaseCryptLib.h | 30 +++
> .../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 288
> +
> .../Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 34 +++
> .../Pk/CryptPkcs7VerifyNull.c | 34 +++
> 4 files changed, 386 insertions(+)
>
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index 95b75c9..390e302 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -1985,6 +1985,36 @@ Pkcs7FreeSigners (
>);
>
> /**
> + Retrieves all embedded certificates from PKCS#7 signed data as described
> in "PKCS #7:
> + Cryptographic Message Syntax Standard", and outputs two certificate lists
> chained and
> + unchained to the signer's certificates.
> + The input signed data could be wrapped in a ContentInfo structure.
> +
> + @param[in] P7DataPointer to the PKCS#7 message.
> + @param[in] P7Length Length of the PKCS#7 message in bytes.
> + @param[out] SingerChainCerts Pointer to the certificates list chained to
> signer's
> +certificate. It's caller's responsiblity to
> free the buffer.
> + @param[out] ChainLength Length of the chained certificates list
> buffer in bytes.
> + @param[out] UnchainCerts Pointer to the unchained certificates lists.
> It's caller's
> +responsiblity to free the buffer.
> + @param[out] UnchainLength Length of the unchained certificates list
> buffer in bytes.
> +
> + @retval TRUE The operation is finished successfully.
> + @retval FALSEError occurs during the operation.
> +
> +**/
> +BOOLEAN
> +EFIAPI
> +Pkcs7GetCertificatesList (
> + IN CONST UINT8 *P7Data,
> + IN UINTNP7Length,
> + OUT UINT8**SignerChainCerts,
> + OUT UINTN*ChainLength,
> + OUT UINT8**UnchainCerts,
> + OUT UINTN*UnchainLength
> + );
> +
> +/**
>Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message
>Syntax Standard, version 1.5". This interface is only intended to be used
> for
>application to perform PKCS#7 functionality validation.
> diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
> b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
> index fafcf1b..541156e 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
> @@ -428,6 +428,294 @@ Pkcs7FreeSigners (
> }
>
> /**
> + Retrieves all embedded certificates from PKCS#7 signed data as described
> in "PKCS #7:
> + Cryptographic Message Syntax Standard", and outputs two certificate lists
> chained and
> + unchained to the signer's certificates.
> + The input signed data could be wrapped in a ContentInfo structure.
> +
> + @param[in] P7DataPointer to the PKCS#7 message.
> + @param[in] P7Length Length of the PKCS#7 message in bytes.
> + @param[out] SingerChainCerts Pointer to the certificates list chained to
> signer's
> +certificate. It's caller's responsiblity to
> free the buffer.
> + @param[out] ChainLength Length of the chained certificates list
> buffer in bytes.
> + @param[out] UnchainCerts Pointer to the unchained certificates lists.
> It's caller's
> +responsiblity to free the buffer.
> + @param[out] UnchainLength Length of the unchained certificates list
> buffer in bytes.
> +
> + @retval TRUE The operation is finished successfully.
> + @retval FALSEError occurs during the operation.
> +
> +**/
> +BOOLEAN
> +EFIAPI
> +Pkcs7GetCertificatesList (
> + IN CONST UINT8 *P7Data,
> + IN UINTNP7Length,
> + OUT UINT8**SignerChainCerts,
> + OUT UINTN*ChainLength,
> + OUT UINT8**UnchainCerts,
> + OUT UINTN*UnchainLength
> + )
> +{
> + BOOLEAN Status;
> + UINT8*NewP7Data;
> + UINTNNewP7Length;
> + BOOLEAN Wrapped;
> + UINT8Index;
> + PKCS7*Pkcs7;
> + X509_STORE_CTX CertCtx;
> + STACK_OF(X509) *Signers;
> + X509 *Signer;
> + X509 *Cert;
> + X509 *TempCert;
> + X509 *Issuer;
> + UINT8*CertBuf;
> + UINT8*OldBuf;
> + UINTNBufferSize;
> + UINTNOldSize;
> + UINT8*SingleCert;
>
Re: [edk2] [Patch] CryptoPkg: Add one new API (Pkcs7GetCertificatesList) for certs retrieving.
Suggest to add a note that this new API is for signed PE/COFF image only. Other
parts are good to me.
Reviewed-by: Ye Ting
-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Qin Long
Sent: Tuesday, November 03, 2015 2:38 PM
To: Ye, Ting; Zhang, Chao B
Cc: edk2-devel@lists.01.org
Subject: [edk2] [Patch] CryptoPkg: Add one new API (Pkcs7GetCertificatesList)
for certs retrieving.
Adding one new API (Pkcs7GetCertificatesList) to retrieve and sort all embedded
certificates from Pkcs7 signedData. This new API will provide the support for
UEFI 2.5 Secure-Boot AuditMode feature.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long
---
CryptoPkg/Include/Library/BaseCryptLib.h | 30 +++
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 288 +
.../Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 34 +++
.../Pk/CryptPkcs7VerifyNull.c | 34 +++
4 files changed, 386 insertions(+)
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
b/CryptoPkg/Include/Library/BaseCryptLib.h
index 95b75c9..390e302 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1985,6 +1985,36 @@ Pkcs7FreeSigners (
);
/**
+ Retrieves all embedded certificates from PKCS#7 signed data as described in
"PKCS #7:
+ Cryptographic Message Syntax Standard", and outputs two certificate
+ lists chained and unchained to the signer's certificates.
+ The input signed data could be wrapped in a ContentInfo structure.
+
+ @param[in] P7DataPointer to the PKCS#7 message.
+ @param[in] P7Length Length of the PKCS#7 message in bytes.
+ @param[out] SingerChainCerts Pointer to the certificates list chained to
signer's
+certificate. It's caller's responsiblity to
free the buffer.
+ @param[out] ChainLength Length of the chained certificates list buffer
in bytes.
+ @param[out] UnchainCerts Pointer to the unchained certificates lists.
It's caller's
+responsiblity to free the buffer.
+ @param[out] UnchainLength Length of the unchained certificates list
buffer in bytes.
+
+ @retval TRUE The operation is finished successfully.
+ @retval FALSEError occurs during the operation.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetCertificatesList (
+ IN CONST UINT8 *P7Data,
+ IN UINTNP7Length,
+ OUT UINT8**SignerChainCerts,
+ OUT UINTN*ChainLength,
+ OUT UINT8**UnchainCerts,
+ OUT UINTN*UnchainLength
+ );
+
+/**
Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message
Syntax Standard, version 1.5". This interface is only intended to be used for
application to perform PKCS#7 functionality validation.
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index fafcf1b..541156e 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -428,6 +428,294 @@ Pkcs7FreeSigners ( }
/**
+ Retrieves all embedded certificates from PKCS#7 signed data as described in
"PKCS #7:
+ Cryptographic Message Syntax Standard", and outputs two certificate
+ lists chained and unchained to the signer's certificates.
+ The input signed data could be wrapped in a ContentInfo structure.
+
+ @param[in] P7DataPointer to the PKCS#7 message.
+ @param[in] P7Length Length of the PKCS#7 message in bytes.
+ @param[out] SingerChainCerts Pointer to the certificates list chained to
signer's
+certificate. It's caller's responsiblity to
free the buffer.
+ @param[out] ChainLength Length of the chained certificates list buffer
in bytes.
+ @param[out] UnchainCerts Pointer to the unchained certificates lists.
It's caller's
+responsiblity to free the buffer.
+ @param[out] UnchainLength Length of the unchained certificates list
buffer in bytes.
+
+ @retval TRUE The operation is finished successfully.
+ @retval FALSEError occurs during the operation.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetCertificatesList (
+ IN CONST UINT8 *P7Data,
+ IN UINTNP7Length,
+ OUT UINT8**SignerChainCerts,
+ OUT UINTN*ChainLength,
+ OUT UINT8**UnchainCerts,
+ OUT UINTN*UnchainLength
+ )
+{
+ BOOLEAN Status;
+ UINT8*NewP7Data;
+ UINTNNewP7Length;
+ BOOLEAN Wrapped;
+ UINT8Index;
+ PKCS7*Pkcs7;
+ X509_STORE_CTX CertCtx;
+ STACK_OF(X509) *Signers;
+ X509 *Signer;
+ X509 *Cert;
+ X509 *TempCert;
+ X509 *Issuer;
+ UINT8
Re: [edk2] [Patch] CryptoPkg: Add one new API (Pkcs7GetCertificatesList) for certs retrieving.
Reviewed-by: Chao Zhang
Thanks & Best regards
Chao Zhang
-Original Message-
From: Long, Qin
Sent: Tuesday, November 03, 2015 2:38 PM
To: Ye, Ting; Zhang, Chao B
Cc: edk2-devel@lists.01.org
Subject: [Patch] CryptoPkg: Add one new API (Pkcs7GetCertificatesList) for
certs retrieving.
Adding one new API (Pkcs7GetCertificatesList) to retrieve and sort all embedded
certificates from Pkcs7 signedData. This new API will provide the support for
UEFI 2.5 Secure-Boot AuditMode feature.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long
---
CryptoPkg/Include/Library/BaseCryptLib.h | 30 +++
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 288 +
.../Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 34 +++
.../Pk/CryptPkcs7VerifyNull.c | 34 +++
4 files changed, 386 insertions(+)
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
b/CryptoPkg/Include/Library/BaseCryptLib.h
index 95b75c9..390e302 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1985,6 +1985,36 @@ Pkcs7FreeSigners (
);
/**
+ Retrieves all embedded certificates from PKCS#7 signed data as described in
"PKCS #7:
+ Cryptographic Message Syntax Standard", and outputs two certificate
+ lists chained and unchained to the signer's certificates.
+ The input signed data could be wrapped in a ContentInfo structure.
+
+ @param[in] P7DataPointer to the PKCS#7 message.
+ @param[in] P7Length Length of the PKCS#7 message in bytes.
+ @param[out] SingerChainCerts Pointer to the certificates list chained to
signer's
+certificate. It's caller's responsiblity to
free the buffer.
+ @param[out] ChainLength Length of the chained certificates list buffer
in bytes.
+ @param[out] UnchainCerts Pointer to the unchained certificates lists.
It's caller's
+responsiblity to free the buffer.
+ @param[out] UnchainLength Length of the unchained certificates list
buffer in bytes.
+
+ @retval TRUE The operation is finished successfully.
+ @retval FALSEError occurs during the operation.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetCertificatesList (
+ IN CONST UINT8 *P7Data,
+ IN UINTNP7Length,
+ OUT UINT8**SignerChainCerts,
+ OUT UINTN*ChainLength,
+ OUT UINT8**UnchainCerts,
+ OUT UINTN*UnchainLength
+ );
+
+/**
Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message
Syntax Standard, version 1.5". This interface is only intended to be used for
application to perform PKCS#7 functionality validation.
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index fafcf1b..541156e 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -428,6 +428,294 @@ Pkcs7FreeSigners ( }
/**
+ Retrieves all embedded certificates from PKCS#7 signed data as described in
"PKCS #7:
+ Cryptographic Message Syntax Standard", and outputs two certificate
+ lists chained and unchained to the signer's certificates.
+ The input signed data could be wrapped in a ContentInfo structure.
+
+ @param[in] P7DataPointer to the PKCS#7 message.
+ @param[in] P7Length Length of the PKCS#7 message in bytes.
+ @param[out] SingerChainCerts Pointer to the certificates list chained to
signer's
+certificate. It's caller's responsiblity to
free the buffer.
+ @param[out] ChainLength Length of the chained certificates list buffer
in bytes.
+ @param[out] UnchainCerts Pointer to the unchained certificates lists.
It's caller's
+responsiblity to free the buffer.
+ @param[out] UnchainLength Length of the unchained certificates list
buffer in bytes.
+
+ @retval TRUE The operation is finished successfully.
+ @retval FALSEError occurs during the operation.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetCertificatesList (
+ IN CONST UINT8 *P7Data,
+ IN UINTNP7Length,
+ OUT UINT8**SignerChainCerts,
+ OUT UINTN*ChainLength,
+ OUT UINT8**UnchainCerts,
+ OUT UINTN*UnchainLength
+ )
+{
+ BOOLEAN Status;
+ UINT8*NewP7Data;
+ UINTNNewP7Length;
+ BOOLEAN Wrapped;
+ UINT8Index;
+ PKCS7*Pkcs7;
+ X509_STORE_CTX CertCtx;
+ STACK_OF(X509) *Signers;
+ X509 *Signer;
+ X509 *Cert;
+ X509 *TempCert;
+ X509 *Issuer;
+ UINT8*CertBuf;
+ UINT8*OldBuf;
+ UINTNBufferSize;
+ UINTNOldSize;
+ UINT8*SingleCert;
+ UINTNCertSize;
+
+ //
+ // Initializations
+ //
+ Status =
[edk2] [Patch] CryptoPkg: Add one new API (Pkcs7GetCertificatesList) for certs retrieving.
Adding one new API (Pkcs7GetCertificatesList) to retrieve and sort all
embedded certificates from Pkcs7 signedData. This new API will provide
the support for UEFI 2.5 Secure-Boot AuditMode feature.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long
---
CryptoPkg/Include/Library/BaseCryptLib.h | 30 +++
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 288 +
.../Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 34 +++
.../Pk/CryptPkcs7VerifyNull.c | 34 +++
4 files changed, 386 insertions(+)
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
b/CryptoPkg/Include/Library/BaseCryptLib.h
index 95b75c9..390e302 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1985,6 +1985,36 @@ Pkcs7FreeSigners (
);
/**
+ Retrieves all embedded certificates from PKCS#7 signed data as described in
"PKCS #7:
+ Cryptographic Message Syntax Standard", and outputs two certificate lists
chained and
+ unchained to the signer's certificates.
+ The input signed data could be wrapped in a ContentInfo structure.
+
+ @param[in] P7DataPointer to the PKCS#7 message.
+ @param[in] P7Length Length of the PKCS#7 message in bytes.
+ @param[out] SingerChainCerts Pointer to the certificates list chained to
signer's
+certificate. It's caller's responsiblity to
free the buffer.
+ @param[out] ChainLength Length of the chained certificates list buffer
in bytes.
+ @param[out] UnchainCerts Pointer to the unchained certificates lists.
It's caller's
+responsiblity to free the buffer.
+ @param[out] UnchainLength Length of the unchained certificates list
buffer in bytes.
+
+ @retval TRUE The operation is finished successfully.
+ @retval FALSEError occurs during the operation.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetCertificatesList (
+ IN CONST UINT8 *P7Data,
+ IN UINTNP7Length,
+ OUT UINT8**SignerChainCerts,
+ OUT UINTN*ChainLength,
+ OUT UINT8**UnchainCerts,
+ OUT UINTN*UnchainLength
+ );
+
+/**
Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message
Syntax Standard, version 1.5". This interface is only intended to be used for
application to perform PKCS#7 functionality validation.
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index fafcf1b..541156e 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -428,6 +428,294 @@ Pkcs7FreeSigners (
}
/**
+ Retrieves all embedded certificates from PKCS#7 signed data as described in
"PKCS #7:
+ Cryptographic Message Syntax Standard", and outputs two certificate lists
chained and
+ unchained to the signer's certificates.
+ The input signed data could be wrapped in a ContentInfo structure.
+
+ @param[in] P7DataPointer to the PKCS#7 message.
+ @param[in] P7Length Length of the PKCS#7 message in bytes.
+ @param[out] SingerChainCerts Pointer to the certificates list chained to
signer's
+certificate. It's caller's responsiblity to
free the buffer.
+ @param[out] ChainLength Length of the chained certificates list buffer
in bytes.
+ @param[out] UnchainCerts Pointer to the unchained certificates lists.
It's caller's
+responsiblity to free the buffer.
+ @param[out] UnchainLength Length of the unchained certificates list
buffer in bytes.
+
+ @retval TRUE The operation is finished successfully.
+ @retval FALSEError occurs during the operation.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetCertificatesList (
+ IN CONST UINT8 *P7Data,
+ IN UINTNP7Length,
+ OUT UINT8**SignerChainCerts,
+ OUT UINTN*ChainLength,
+ OUT UINT8**UnchainCerts,
+ OUT UINTN*UnchainLength
+ )
+{
+ BOOLEAN Status;
+ UINT8*NewP7Data;
+ UINTNNewP7Length;
+ BOOLEAN Wrapped;
+ UINT8Index;
+ PKCS7*Pkcs7;
+ X509_STORE_CTX CertCtx;
+ STACK_OF(X509) *Signers;
+ X509 *Signer;
+ X509 *Cert;
+ X509 *TempCert;
+ X509 *Issuer;
+ UINT8*CertBuf;
+ UINT8*OldBuf;
+ UINTNBufferSize;
+ UINTNOldSize;
+ UINT8*SingleCert;
+ UINTNCertSize;
+
+ //
+ // Initializations
+ //
+ Status = FALSE;
+ NewP7Data = NULL;
+ Pkcs7 = NULL;
+ Cert = NULL;
+ TempCert = NULL;
+ SingleCert = NULL;
+ CertBuf= NULL;
+ OldBuf = NULL;
+ Signers= NULL;
+
+ //
+ // Parameter Checking
+ //
+ if ((P7Data == NULL) || (SignerChainCerts == N
