diff options
Diffstat (limited to 'Cryptlib/Pk/CryptPkcs7Verify.c')
| -rw-r--r-- | Cryptlib/Pk/CryptPkcs7Verify.c | 142 |
1 files changed, 88 insertions, 54 deletions
diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c index cbd9669a..09895d8c 100644 --- a/Cryptlib/Pk/CryptPkcs7Verify.c +++ b/Cryptlib/Pk/CryptPkcs7Verify.c @@ -10,7 +10,7 @@ WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated
Variable and will do basic check for data structure.
-Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -30,19 +30,48 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
-BOOLEAN ca_warning;
-
-void
-clear_ca_warning()
+#if 1
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
+#define X509_OBJECT_get_type(obj) ((obj)->type)
+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
+#define X509_STORE_get0_objects(certs) ((certs)->objs)
+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
+#if OPENSSL_VERSION_NUMBER < 0x10020000L
+#define X509_STORE_CTX_get0_store(ctx) ((ctx)->ctx)
+#endif
+#endif
+
+static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
{
- ca_warning = FALSE;
+ X509_OBJECT obj;
+ obj.type = X509_LU_X509;
+ obj.data.x509 = cert;
+ return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
}
-
-BOOLEAN
-get_ca_warning()
+#else
+/*
+ * Later versions of openssl will need this instead.
+ */
+static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
{
- return ca_warning;
+ STACK_OF(X509_OBJECT) *objs;
+ X509_OBJECT *obj;
+ int i;
+
+ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
+
+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+ obj = sk_X509_OBJECT_value(objs, i);
+
+ if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
+ !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
+ return 1;
+ }
+
+ return 0;
}
+#endif
int
X509VerifyCb (
@@ -54,14 +83,33 @@ X509VerifyCb ( Error = (INTN) X509_STORE_CTX_get_error (Context);
- if (Error == X509_V_ERR_INVALID_CA) {
+ /* Accept code-signing keys */
+ if (Error == X509_V_ERR_INVALID_PURPOSE &&
+ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(Context)) == XKU_CODE_SIGN) {
+ Status = 1;
+ } else if (Error == X509_V_ERR_CERT_UNTRUSTED ||
+ Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
+ Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+ Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) {
+ /* all certs in our cert database are explicitly trusted */
+
+ if (cert_in_store(X509_STORE_CTX_get_current_cert(Context), Context))
+ Status = 1;
+ } else if (Error == X509_V_ERR_CERT_HAS_EXPIRED ||
+ Error == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD ||
+ Error == X509_V_ERR_CERT_NOT_YET_VALID ||
+ Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+ Error == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD) {
+ /* UEFI explicitly allows expired certificates */
+ Status = 1;
+#if 0
+ } else if (Error == X509_V_ERR_INVALID_CA) {
/* Due to the historical reason, we have to relax the the x509 v3 extension
* check to allow the CA certificates without the CA flag in the basic
* constraints or KeyCertSign in the key usage to be loaded. In the future,
* this callback should be removed to enforce the proper check. */
- ca_warning = TRUE;
-
- return 1;
+ Status = 1;
+#endif
}
return Status;
@@ -200,7 +248,6 @@ X509PopCertificate ( STACK_OF(X509) *CertStack;
BOOLEAN Status;
INT32 Result;
- BUF_MEM *Ptr;
INT32 Length;
VOID *Buffer;
@@ -230,8 +277,7 @@ X509PopCertificate ( goto _Exit;
}
- BIO_get_mem_ptr (CertBio, &Ptr);
- Length = (INT32)(Ptr->length);
+ Length = (INT32)(((BUF_MEM *) CertBio->ptr)->length);
if (Length <= 0) {
goto _Exit;
}
@@ -502,15 +548,12 @@ Pkcs7GetCertificatesList ( BOOLEAN Wrapped;
UINT8 Index;
PKCS7 *Pkcs7;
- X509_STORE_CTX *CertCtx;
- STACK_OF(X509) *CtxChain;
- STACK_OF(X509) *CtxUntrusted;
- X509 *CtxCert;
+ X509_STORE_CTX CertCtx;
STACK_OF(X509) *Signers;
X509 *Signer;
X509 *Cert;
+ X509 *TempCert;
X509 *Issuer;
- X509_NAME *IssuerName;
UINT8 *CertBuf;
UINT8 *OldBuf;
UINTN BufferSize;
@@ -524,11 +567,8 @@ Pkcs7GetCertificatesList ( Status = FALSE;
NewP7Data = NULL;
Pkcs7 = NULL;
- CertCtx = NULL;
- CtxChain = NULL;
- CtxCert = NULL;
- CtxUntrusted = NULL;
Cert = NULL;
+ TempCert = NULL;
SingleCert = NULL;
CertBuf = NULL;
OldBuf = NULL;
@@ -576,26 +616,19 @@ Pkcs7GetCertificatesList ( }
Signer = sk_X509_value (Signers, 0);
- CertCtx = X509_STORE_CTX_new ();
- if (CertCtx == NULL) {
- goto _Error;
- }
- if (!X509_STORE_CTX_init (CertCtx, NULL, Signer, Pkcs7->d.sign->cert)) {
+ if (!X509_STORE_CTX_init (&CertCtx, NULL, Signer, Pkcs7->d.sign->cert)) {
goto _Error;
}
//
// Initialize Chained & Untrusted stack
//
- CtxChain = X509_STORE_CTX_get0_chain (CertCtx);
- CtxCert = X509_STORE_CTX_get0_cert (CertCtx);
- if (CtxChain == NULL) {
- if (((CtxChain = sk_X509_new_null ()) == NULL) ||
- (!sk_X509_push (CtxChain, CtxCert))) {
+ if (CertCtx.chain == NULL) {
+ if (((CertCtx.chain = sk_X509_new_null ()) == NULL) ||
+ (!sk_X509_push (CertCtx.chain, CertCtx.cert))) {
goto _Error;
}
}
- CtxUntrusted = X509_STORE_CTX_get0_untrusted (CertCtx);
- (VOID)sk_X509_delete_ptr (CtxUntrusted, Signer);
+ (VOID)sk_X509_delete_ptr (CertCtx.untrusted, Signer);
//
// Build certificates stack chained from Signer's certificate.
@@ -605,25 +638,27 @@ Pkcs7GetCertificatesList ( //
// Self-Issue checking
//
- Issuer = NULL;
- if (X509_STORE_CTX_get1_issuer (&Issuer, CertCtx, Cert) == 1) {
- if (X509_cmp (Issuer, Cert) == 0) {
- break;
- }
+ if (CertCtx.check_issued (&CertCtx, Cert, Cert)) {
+ break;
}
//
// Found the issuer of the current certificate
//
- if (CtxUntrusted != NULL) {
+ if (CertCtx.untrusted != NULL) {
Issuer = NULL;
- IssuerName = X509_get_issuer_name (Cert);
- Issuer = X509_find_by_subject (CtxUntrusted, IssuerName);
+ for (Index = 0; Index < sk_X509_num (CertCtx.untrusted); Index++) {
+ TempCert = sk_X509_value (CertCtx.untrusted, Index);
+ if (CertCtx.check_issued (&CertCtx, Cert, TempCert)) {
+ Issuer = TempCert;
+ break;
+ }
+ }
if (Issuer != NULL) {
- if (!sk_X509_push (CtxChain, Issuer)) {
+ if (!sk_X509_push (CertCtx.chain, Issuer)) {
goto _Error;
}
- (VOID)sk_X509_delete_ptr (CtxUntrusted, Issuer);
+ (VOID)sk_X509_delete_ptr (CertCtx.untrusted, Issuer);
Cert = Issuer;
continue;
@@ -645,13 +680,13 @@ Pkcs7GetCertificatesList ( // UINT8 Certn[];
//
- if (CtxChain != NULL) {
+ if (CertCtx.chain != NULL) {
BufferSize = sizeof (UINT8);
OldSize = BufferSize;
CertBuf = NULL;
for (Index = 0; ; Index++) {
- Status = X509PopCertificate (CtxChain, &SingleCert, &CertSize);
+ Status = X509PopCertificate (CertCtx.chain, &SingleCert, &CertSize);
if (!Status) {
break;
}
@@ -689,13 +724,13 @@ Pkcs7GetCertificatesList ( }
}
- if (CtxUntrusted != NULL) {
+ if (CertCtx.untrusted != NULL) {
BufferSize = sizeof (UINT8);
OldSize = BufferSize;
CertBuf = NULL;
for (Index = 0; ; Index++) {
- Status = X509PopCertificate (CtxUntrusted, &SingleCert, &CertSize);
+ Status = X509PopCertificate (CertCtx.untrusted, &SingleCert, &CertSize);
if (!Status) {
break;
}
@@ -748,8 +783,7 @@ _Error: }
sk_X509_free (Signers);
- X509_STORE_CTX_cleanup (CertCtx);
- X509_STORE_CTX_free (CertCtx);
+ X509_STORE_CTX_cleanup (&CertCtx);
if (SingleCert != NULL) {
free (SingleCert);
|