Re: [edk2] [Patch] CryptoPkg: Add one new API (Pkcs7GetCertificatesList) for certs retrieving.
On 3 November 2015 at 07:38, Qin Long wrote:
> Adding one new API (Pkcs7GetCertificatesList) to retrieve and sort all
> embedded certificates from Pkcs7 signedData. This new API will provide
> the support for UEFI 2.5 Secure-Boot AuditMode feature.
>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Qin Long

This patch breaks the CLANG35 build for AARCH64. Please see the patch in the other thread.

> ---
> CryptoPkg/Include/Library/BaseCryptLib.h | 30 +++
> .../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 288 +
> .../Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 34 +++
> .../Pk/CryptPkcs7VerifyNull.c | 34 +++
> 4 files changed, 386 insertions(+)
>
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
> index 95b75c9..390e302 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -1985,6 +1985,36 @@ Pkcs7FreeSigners ( >); > > /** > + Retrieves all embedded certificates from PKCS#7 signed data as described > in "PKCS #7: > + Cryptographic Message Syntax Standard", and outputs two certificate lists > chained and > + unchained to the signer's certificates. > + The input signed data could be wrapped in a ContentInfo structure. > + > + @param[in] P7DataPointer to the PKCS#7 message. > + @param[in] P7Length Length of the PKCS#7 message in bytes. > + @param[out] SingerChainCerts Pointer to the certificates list chained to > signer's > +certificate. It's caller's responsiblity to > free the buffer. > + @param[out] ChainLength Length of the chained certificates list > buffer in bytes. > + @param[out] UnchainCerts Pointer to the unchained certificates lists. > It's caller's > +responsiblity to free the buffer. > + @param[out] UnchainLength Length of the unchained certificates list > buffer in bytes. > + > + @retval TRUE The operation is finished successfully. > + @retval FALSEError occurs during the operation. > + > +**/ > +BOOLEAN > +EFIAPI > +Pkcs7GetCertificatesList ( > + IN CONST UINT8 *P7Data, > + IN UINTNP7Length, > + OUT UINT8**SignerChainCerts, > + OUT UINTN*ChainLength, > + OUT UINT8**UnchainCerts, > + OUT UINTN*UnchainLength > + ); > + > +/** >Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message >Syntax Standard, version 1.5". This interface is only intended to be used > for >application to perform PKCS#7 functionality validation. > diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c > b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c > index fafcf1b..541156e 100644 > --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c > +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c 
> @@ -428,6 +428,294 @@ Pkcs7FreeSigners ( > } > > /** > + Retrieves all embedded certificates from PKCS#7 signed data as described > in "PKCS #7: > + Cryptographic Message Syntax Standard", and outputs two certificate lists > chained and > + unchained to the signer's certificates. > + The input signed data could be wrapped in a ContentInfo structure. > + > + @param[in] P7DataPointer to the PKCS#7 message. > + @param[in] P7Length Length of the PKCS#7 message in bytes. > + @param[out] SingerChainCerts Pointer to the certificates list chained to > signer's > +certificate. It's caller's responsiblity to > free the buffer. > + @param[out] ChainLength Length of the chained certificates list > buffer in bytes. > + @param[out] UnchainCerts Pointer to the unchained certificates lists. > It's caller's > +responsiblity to free the buffer. > + @param[out] UnchainLength Length of the unchained certificates list > buffer in bytes. > + > + @retval TRUE The operation is finished successfully. > + @retval FALSEError occurs during the operation. > + > +**/ > +BOOLEAN > +EFIAPI > +Pkcs7GetCertificatesList ( > + IN CONST UINT8 *P7Data, > + IN UINTNP7Length, > + OUT UINT8**SignerChainCerts, > + OUT UINTN*ChainLength, > + OUT UINT8**UnchainCerts, > + OUT UINTN*UnchainLength > + ) > +{ > + BOOLEAN Status; > + UINT8*NewP7Data; > + UINTNNewP7Length; > + BOOLEAN Wrapped; > + UINT8Index; > + PKCS7*Pkcs7; > + X509_STORE_CTX CertCtx; > + STACK_OF(X509) *Signers; > + X509 *Signer; > + X509 *Cert; > + X509 *TempCert; > + X509 *Issuer; > + UINT8*CertBuf; > + UINT8*OldBuf; > + UINTNBufferSize; > + UINTNOldSize; > + UINT8*SingleCert; >
Re: [edk2] [Patch] CryptoPkg: Add one new API (Pkcs7GetCertificatesList) for certs retrieving.
Suggest to add a note that this new API is for signed PE/COFF image only. Other parts are good to me.

Reviewed-by: Ye Ting

-Original Message-
From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Qin Long
Sent: Tuesday, November 03, 2015 2:38 PM
To: Ye, Ting; Zhang, Chao B
Cc: edk2-devel@lists.01.org
Subject: [edk2] [Patch] CryptoPkg: Add one new API (Pkcs7GetCertificatesList) for certs retrieving.

Adding one new API (Pkcs7GetCertificatesList) to retrieve and sort all embedded certificates from Pkcs7 signedData. This new API will provide the support for UEFI 2.5 Secure-Boot AuditMode feature.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long
---
CryptoPkg/Include/Library/BaseCryptLib.h | 30 +++
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 288 +
.../Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 34 +++
.../Pk/CryptPkcs7VerifyNull.c | 34 +++
4 files changed, 386 insertions(+)

diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 95b75c9..390e302 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1985,6 +1985,36 @@ Pkcs7FreeSigners ( ); /** + Retrieves all embedded certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard", and outputs two certificate + lists chained and unchained to the signer's certificates. + The input signed data could be wrapped in a ContentInfo structure. + + @param[in] P7DataPointer to the PKCS#7 message. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] SingerChainCerts Pointer to the certificates list chained to signer's +certificate. It's caller's responsiblity to free the buffer. + @param[out] ChainLength Length of the chained certificates list buffer in bytes. + @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's +responsiblity to free the buffer. + @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSEError occurs during the operation. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetCertificatesList ( + IN CONST UINT8 *P7Data, + IN UINTNP7Length, + OUT UINT8**SignerChainCerts, + OUT UINTN*ChainLength, + OUT UINT8**UnchainCerts, + OUT UINTN*UnchainLength + ); + +/** Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message Syntax Standard, version 1.5". This interface is only intended to be used for application to perform PKCS#7 functionality validation. diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c index fafcf1b..541156e 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c 
@@ -428,6 +428,294 @@ Pkcs7FreeSigners ( } /** + Retrieves all embedded certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard", and outputs two certificate + lists chained and unchained to the signer's certificates. + The input signed data could be wrapped in a ContentInfo structure. + + @param[in] P7DataPointer to the PKCS#7 message. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] SingerChainCerts Pointer to the certificates list chained to signer's +certificate. It's caller's responsiblity to free the buffer. + @param[out] ChainLength Length of the chained certificates list buffer in bytes. + @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's +responsiblity to free the buffer. + @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSEError occurs during the operation. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetCertificatesList ( + IN CONST UINT8 *P7Data, + IN UINTNP7Length, + OUT UINT8**SignerChainCerts, + OUT UINTN*ChainLength, + OUT UINT8**UnchainCerts, + OUT UINTN*UnchainLength + ) +{ + BOOLEAN Status; + UINT8*NewP7Data; + UINTNNewP7Length; + BOOLEAN Wrapped; + UINT8Index; + PKCS7*Pkcs7; + X509_STORE_CTX CertCtx; + STACK_OF(X509) *Signers; + X509 *Signer; + X509 *Cert; + X509 *TempCert; + X509 *Issuer; + UINT8
Re: [edk2] [Patch] CryptoPkg: Add one new API (Pkcs7GetCertificatesList) for certs retrieving.
Reviewed-by: Chao Zhang

Thanks & Best regards
Chao Zhang

-Original Message-
From: Long, Qin
Sent: Tuesday, November 03, 2015 2:38 PM
To: Ye, Ting; Zhang, Chao B
Cc: edk2-devel@lists.01.org
Subject: [Patch] CryptoPkg: Add one new API (Pkcs7GetCertificatesList) for certs retrieving.

Adding one new API (Pkcs7GetCertificatesList) to retrieve and sort all embedded certificates from Pkcs7 signedData. This new API will provide the support for UEFI 2.5 Secure-Boot AuditMode feature.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long
---
CryptoPkg/Include/Library/BaseCryptLib.h | 30 +++
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 288 +
.../Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 34 +++
.../Pk/CryptPkcs7VerifyNull.c | 34 +++
4 files changed, 386 insertions(+)

diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 95b75c9..390e302 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1985,6 +1985,36 @@ Pkcs7FreeSigners ( ); /** + Retrieves all embedded certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard", and outputs two certificate + lists chained and unchained to the signer's certificates. + The input signed data could be wrapped in a ContentInfo structure. + + @param[in] P7DataPointer to the PKCS#7 message. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] SingerChainCerts Pointer to the certificates list chained to signer's +certificate. It's caller's responsiblity to free the buffer. + @param[out] ChainLength Length of the chained certificates list buffer in bytes. + @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's +responsiblity to free the buffer. + @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSEError occurs during the operation. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetCertificatesList ( + IN CONST UINT8 *P7Data, + IN UINTNP7Length, + OUT UINT8**SignerChainCerts, + OUT UINTN*ChainLength, + OUT UINT8**UnchainCerts, + OUT UINTN*UnchainLength + ); + +/** Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message Syntax Standard, version 1.5". This interface is only intended to be used for application to perform PKCS#7 functionality validation. diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c index fafcf1b..541156e 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c 
@@ -428,6 +428,294 @@ Pkcs7FreeSigners ( } /** + Retrieves all embedded certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard", and outputs two certificate + lists chained and unchained to the signer's certificates. + The input signed data could be wrapped in a ContentInfo structure. + + @param[in] P7DataPointer to the PKCS#7 message. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] SingerChainCerts Pointer to the certificates list chained to signer's +certificate. It's caller's responsiblity to free the buffer. + @param[out] ChainLength Length of the chained certificates list buffer in bytes. + @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's +responsiblity to free the buffer. + @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSEError occurs during the operation. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetCertificatesList ( + IN CONST UINT8 *P7Data, + IN UINTNP7Length, + OUT UINT8**SignerChainCerts, + OUT UINTN*ChainLength, + OUT UINT8**UnchainCerts, + OUT UINTN*UnchainLength + ) +{ + BOOLEAN Status; + UINT8*NewP7Data; + UINTNNewP7Length; + BOOLEAN Wrapped; + UINT8Index; + PKCS7*Pkcs7; + X509_STORE_CTX CertCtx; + STACK_OF(X509) *Signers; + X509 *Signer; + X509 *Cert; + X509 *TempCert; + X509 *Issuer; + UINT8*CertBuf; + UINT8*OldBuf; + UINTNBufferSize; + UINTNOldSize; + UINT8*SingleCert; + UINTNCertSize; + + // + // Initializations + // + Status =
[edk2] [Patch] CryptoPkg: Add one new API (Pkcs7GetCertificatesList) for certs retrieving.
Adding one new API (Pkcs7GetCertificatesList) to retrieve and sort all embedded certificates from Pkcs7 signedData. This new API will provide the support for UEFI 2.5 Secure-Boot AuditMode feature.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long
---
CryptoPkg/Include/Library/BaseCryptLib.h | 30 +++
.../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c | 288 +
.../Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 34 +++
.../Pk/CryptPkcs7VerifyNull.c | 34 +++
4 files changed, 386 insertions(+)

diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 95b75c9..390e302 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1985,6 +1985,36 @@ Pkcs7FreeSigners ( ); /** + Retrieves all embedded certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard", and outputs two certificate lists chained and + unchained to the signer's certificates. + The input signed data could be wrapped in a ContentInfo structure. + + @param[in] P7DataPointer to the PKCS#7 message. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] SingerChainCerts Pointer to the certificates list chained to signer's +certificate. It's caller's responsiblity to free the buffer. + @param[out] ChainLength Length of the chained certificates list buffer in bytes. + @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's +responsiblity to free the buffer. + @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSEError occurs during the operation. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetCertificatesList ( + IN CONST UINT8 *P7Data, + IN UINTNP7Length, + OUT UINT8**SignerChainCerts, + OUT UINTN*ChainLength, + OUT UINT8**UnchainCerts, + OUT UINTN*UnchainLength + ); + +/** Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message Syntax Standard, version 1.5". This interface is only intended to be used for application to perform PKCS#7 functionality validation. diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c index fafcf1b..541156e 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c 
@@ -428,6 +428,294 @@ Pkcs7FreeSigners ( } /** + Retrieves all embedded certificates from PKCS#7 signed data as described in "PKCS #7: + Cryptographic Message Syntax Standard", and outputs two certificate lists chained and + unchained to the signer's certificates. + The input signed data could be wrapped in a ContentInfo structure. + + @param[in] P7DataPointer to the PKCS#7 message. + @param[in] P7Length Length of the PKCS#7 message in bytes. + @param[out] SingerChainCerts Pointer to the certificates list chained to signer's +certificate. It's caller's responsiblity to free the buffer. + @param[out] ChainLength Length of the chained certificates list buffer in bytes. + @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's +responsiblity to free the buffer. + @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. + + @retval TRUE The operation is finished successfully. + @retval FALSEError occurs during the operation. + +**/ +BOOLEAN +EFIAPI +Pkcs7GetCertificatesList ( + IN CONST UINT8 *P7Data, + IN UINTNP7Length, + OUT UINT8**SignerChainCerts, + OUT UINTN*ChainLength, + OUT UINT8**UnchainCerts, + OUT UINTN*UnchainLength + ) +{ + BOOLEAN Status; + UINT8*NewP7Data; + UINTNNewP7Length; + BOOLEAN Wrapped; + UINT8Index; + PKCS7*Pkcs7; + X509_STORE_CTX CertCtx; + STACK_OF(X509) *Signers; + X509 *Signer; + X509 *Cert; + X509 *TempCert; + X509 *Issuer; + UINT8*CertBuf; + UINT8*OldBuf; + UINTNBufferSize; + UINTNOldSize; + UINT8*SingleCert; + UINTNCertSize; + + // + // Initializations + // + Status = FALSE; + NewP7Data = NULL; + Pkcs7 = NULL; + Cert = NULL; + TempCert = NULL; + SingleCert = NULL; + CertBuf= NULL; + OldBuf = NULL; + Signers= NULL; + + // + // Parameter Checking + // + if ((P7Data == NULL) || (SignerChainCerts == N
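Review bot: In the BaseCryptLib.h hunk, the doc comment documents "@param[out] SingerChainCerts" while the prototype declares SignerChainCerts; the two names should match, and "responsiblity" in the same comment should read "responsibility". The comment also tells the caller to free both output buffers without naming the routine to free them with or describing how the certificates are laid out inside each buffer, so a caller cannot parse or release the result from the header alone; please document both, and add the note requested in review that the API is for signed PE/COFF images only.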
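Review bot: In the CryptPkcs7Verify.c hunk, the local Index is declared as UINT8; if it is used to walk the certificates embedded in the signed data, it wraps once the count exceeds 255, and the input here is untrusted, so UINTN (or an explicit bound on the certificate count) would be safer. Signer and Issuer are declared with the other X509 pointers but are missing from the Initializations block that sets Cert, TempCert, Signers and the buffers to NULL; initialize them as well so a shared exit path never sees an indeterminate pointer. The function header comment in this hunk carries the same SingerChainCerts / SignerChainCerts mismatch as the header file.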