diff options
Diffstat (limited to 'Cryptlib/Pk')
| -rw-r--r-- | Cryptlib/Pk/CryptAuthenticode.c | 4 | ||||
| -rw-r--r-- | Cryptlib/Pk/CryptPkcs7Verify.c | 125 | ||||
| -rw-r--r-- | Cryptlib/Pk/CryptRsaBasic.c | 193 | ||||
| -rw-r--r-- | Cryptlib/Pk/CryptTs.c | 24 | ||||
| -rw-r--r-- | Cryptlib/Pk/CryptX509.c | 41 |
5 files changed, 222 insertions, 165 deletions
diff --git a/Cryptlib/Pk/CryptAuthenticode.c b/Cryptlib/Pk/CryptAuthenticode.c index 857281d7..74e50a2e 100644 --- a/Cryptlib/Pk/CryptAuthenticode.c +++ b/Cryptlib/Pk/CryptAuthenticode.c @@ -34,7 +34,7 @@ UINT8 mSpcIndirectOidValue[] = { };
/**
- Verifies the validility of a PE/COFF Authenticode Signature as described in "Windows
+ Verifies the validity of a PE/COFF Authenticode Signature as described in "Windows
Authenticode Portable Executable Signature Format".
If AuthData is NULL, then return FALSE.
@@ -50,7 +50,7 @@ UINT8 mSpcIndirectOidValue[] = { @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which
is used for certificate chain verification.
@param[in] CertSize Size of the trusted certificate in bytes.
- @param[in] ImageHash Pointer to the original image file hash value. The procudure
+ @param[in] ImageHash Pointer to the original image file hash value. The procedure
for calculating the image hash value is described in Authenticode
specification.
@param[in] HashSize Size of Image hash value in bytes.
diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c index efa3796a..cbd9669a 100644 --- a/Cryptlib/Pk/CryptPkcs7Verify.c +++ b/Cryptlib/Pk/CryptPkcs7Verify.c @@ -10,7 +10,7 @@ WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated
Variable and will do basic check for data structure.
-Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -30,6 +30,43 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
+BOOLEAN ca_warning;
+
+void
+clear_ca_warning()
+{
+ ca_warning = FALSE;
+}
+
+BOOLEAN
+get_ca_warning()
+{
+ return ca_warning;
+}
+
+int
+X509VerifyCb (
+ IN int Status,
+ IN X509_STORE_CTX *Context
+ )
+{
+ INTN Error;
+
+ Error = (INTN) X509_STORE_CTX_get_error (Context);
+
+ if (Error == X509_V_ERR_INVALID_CA) {
+ /* Due to the historical reason, we have to relax the the x509 v3 extension
+ * check to allow the CA certificates without the CA flag in the basic
+ * constraints or KeyCertSign in the key usage to be loaded. In the future,
+ * this callback should be removed to enforce the proper check. */
+ ca_warning = TRUE;
+
+ return 1;
+ }
+
+ return Status;
+}
+
/**
Check input P7Data is a wrapped ContentInfo structure or not. If not construct
a new structure to wrap P7Data.
@@ -163,6 +200,7 @@ X509PopCertificate ( STACK_OF(X509) *CertStack;
BOOLEAN Status;
INT32 Result;
+ BUF_MEM *Ptr;
INT32 Length;
VOID *Buffer;
@@ -192,7 +230,8 @@ X509PopCertificate ( goto _Exit;
}
- Length = (INT32)(((BUF_MEM *) CertBio->ptr)->length);
+ BIO_get_mem_ptr (CertBio, &Ptr);
+ Length = (INT32)(Ptr->length);
if (Length <= 0) {
goto _Exit;
}
@@ -229,7 +268,7 @@ _Exit: in a ContentInfo structure.
If P7Data, CertStack, StackLength, TrustedCert or CertLength is NULL, then
- return FALSE. If P7Length overflow, then return FAlSE.
+ return FALSE. If P7Length overflow, then return FALSE.
Caution: This function may receive untrusted input.
UEFI Authenticated Variable is external input, so this function will do basic
@@ -238,10 +277,10 @@ _Exit: @param[in] P7Data Pointer to the PKCS#7 message to verify.
@param[in] P7Length Length of the PKCS#7 message in bytes.
@param[out] CertStack Pointer to Signer's certificates retrieved from P7Data.
- It's caller's responsiblity to free the buffer.
+ It's caller's responsibility to free the buffer.
@param[out] StackLength Length of signer's certificates in bytes.
@param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates.
- It's caller's responsiblity to free the buffer.
+ It's caller's responsibility to free the buffer.
@param[out] CertLength Length of the trusted certificate in bytes.
@retval TRUE The operation is finished successfully.
@@ -436,10 +475,10 @@ Pkcs7FreeSigners ( @param[in] P7Data Pointer to the PKCS#7 message.
@param[in] P7Length Length of the PKCS#7 message in bytes.
@param[out] SignerChainCerts Pointer to the certificates list chained to signer's
- certificate. It's caller's responsiblity to free the buffer.
+ certificate. It's caller's responsibility to free the buffer.
@param[out] ChainLength Length of the chained certificates list buffer in bytes.
@param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's
- responsiblity to free the buffer.
+ responsibility to free the buffer.
@param[out] UnchainLength Length of the unchained certificates list buffer in bytes.
@retval TRUE The operation is finished successfully.
@@ -463,12 +502,15 @@ Pkcs7GetCertificatesList ( BOOLEAN Wrapped;
UINT8 Index;
PKCS7 *Pkcs7;
- X509_STORE_CTX CertCtx;
+ X509_STORE_CTX *CertCtx;
+ STACK_OF(X509) *CtxChain;
+ STACK_OF(X509) *CtxUntrusted;
+ X509 *CtxCert;
STACK_OF(X509) *Signers;
X509 *Signer;
X509 *Cert;
- X509 *TempCert;
X509 *Issuer;
+ X509_NAME *IssuerName;
UINT8 *CertBuf;
UINT8 *OldBuf;
UINTN BufferSize;
@@ -482,8 +524,11 @@ Pkcs7GetCertificatesList ( Status = FALSE;
NewP7Data = NULL;
Pkcs7 = NULL;
+ CertCtx = NULL;
+ CtxChain = NULL;
+ CtxCert = NULL;
+ CtxUntrusted = NULL;
Cert = NULL;
- TempCert = NULL;
SingleCert = NULL;
CertBuf = NULL;
OldBuf = NULL;
@@ -531,19 +576,26 @@ Pkcs7GetCertificatesList ( }
Signer = sk_X509_value (Signers, 0);
- if (!X509_STORE_CTX_init (&CertCtx, NULL, Signer, Pkcs7->d.sign->cert)) {
+ CertCtx = X509_STORE_CTX_new ();
+ if (CertCtx == NULL) {
+ goto _Error;
+ }
+ if (!X509_STORE_CTX_init (CertCtx, NULL, Signer, Pkcs7->d.sign->cert)) {
goto _Error;
}
//
// Initialize Chained & Untrusted stack
//
- if (CertCtx.chain == NULL) {
- if (((CertCtx.chain = sk_X509_new_null ()) == NULL) ||
- (!sk_X509_push (CertCtx.chain, CertCtx.cert))) {
+ CtxChain = X509_STORE_CTX_get0_chain (CertCtx);
+ CtxCert = X509_STORE_CTX_get0_cert (CertCtx);
+ if (CtxChain == NULL) {
+ if (((CtxChain = sk_X509_new_null ()) == NULL) ||
+ (!sk_X509_push (CtxChain, CtxCert))) {
goto _Error;
}
}
- (VOID)sk_X509_delete_ptr (CertCtx.untrusted, Signer);
+ CtxUntrusted = X509_STORE_CTX_get0_untrusted (CertCtx);
+ (VOID)sk_X509_delete_ptr (CtxUntrusted, Signer);
//
// Build certificates stack chained from Signer's certificate.
@@ -553,27 +605,25 @@ Pkcs7GetCertificatesList ( //
// Self-Issue checking
//
- if (CertCtx.check_issued (&CertCtx, Cert, Cert)) {
- break;
+ Issuer = NULL;
+ if (X509_STORE_CTX_get1_issuer (&Issuer, CertCtx, Cert) == 1) {
+ if (X509_cmp (Issuer, Cert) == 0) {
+ break;
+ }
}
//
// Found the issuer of the current certificate
//
- if (CertCtx.untrusted != NULL) {
+ if (CtxUntrusted != NULL) {
Issuer = NULL;
- for (Index = 0; Index < sk_X509_num (CertCtx.untrusted); Index++) {
- TempCert = sk_X509_value (CertCtx.untrusted, Index);
- if (CertCtx.check_issued (&CertCtx, Cert, TempCert)) {
- Issuer = TempCert;
- break;
- }
- }
+ IssuerName = X509_get_issuer_name (Cert);
+ Issuer = X509_find_by_subject (CtxUntrusted, IssuerName);
if (Issuer != NULL) {
- if (!sk_X509_push (CertCtx.chain, Issuer)) {
+ if (!sk_X509_push (CtxChain, Issuer)) {
goto _Error;
}
- (VOID)sk_X509_delete_ptr (CertCtx.untrusted, Issuer);
+ (VOID)sk_X509_delete_ptr (CtxUntrusted, Issuer);
Cert = Issuer;
continue;
@@ -595,13 +645,13 @@ Pkcs7GetCertificatesList ( // UINT8 Certn[];
//
- if (CertCtx.chain != NULL) {
+ if (CtxChain != NULL) {
BufferSize = sizeof (UINT8);
OldSize = BufferSize;
CertBuf = NULL;
for (Index = 0; ; Index++) {
- Status = X509PopCertificate (CertCtx.chain, &SingleCert, &CertSize);
+ Status = X509PopCertificate (CtxChain, &SingleCert, &CertSize);
if (!Status) {
break;
}
@@ -639,13 +689,13 @@ Pkcs7GetCertificatesList ( }
}
- if (CertCtx.untrusted != NULL) {
+ if (CtxUntrusted != NULL) {
BufferSize = sizeof (UINT8);
OldSize = BufferSize;
CertBuf = NULL;
for (Index = 0; ; Index++) {
- Status = X509PopCertificate (CertCtx.untrusted, &SingleCert, &CertSize);
+ Status = X509PopCertificate (CtxUntrusted, &SingleCert, &CertSize);
if (!Status) {
break;
}
@@ -698,7 +748,8 @@ _Error: }
sk_X509_free (Signers);
- X509_STORE_CTX_cleanup (&CertCtx);
+ X509_STORE_CTX_cleanup (CertCtx);
+ X509_STORE_CTX_free (CertCtx);
if (SingleCert != NULL) {
free (SingleCert);
@@ -718,12 +769,12 @@ _Error: }
/**
- Verifies the validility of a PKCS#7 signed data as described in "PKCS #7:
+ Verifies the validity of a PKCS#7 signed data as described in "PKCS #7:
Cryptographic Message Syntax Standard". The input signed data could be wrapped
in a ContentInfo structure.
If P7Data, TrustedCert or InData is NULL, then return FALSE.
- If P7Length, CertLength or DataLength overflow, then return FAlSE.
+ If P7Length, CertLength or DataLength overflow, then return FALSE.
Caution: This function may receive untrusted input.
UEFI Authenticated Variable is external input, so this function will do basic
@@ -844,6 +895,8 @@ Pkcs7Verify ( goto _Exit;
}
+ X509_STORE_set_verify_cb (CertStore, X509VerifyCb);
+
//
// For generic PKCS#7 handling, InData may be NULL if the content is present
// in PKCS#7 structure. So ignore NULL checking here.
@@ -897,7 +950,7 @@ _Exit: data could be wrapped in a ContentInfo structure.
If P7Data, Content, or ContentSize is NULL, then return FALSE. If P7Length overflow,
- then return FAlSE. If the P7Data is not correctly formatted, then return FALSE.
+ then return FALSE. If the P7Data is not correctly formatted, then return FALSE.
Caution: This function may receive untrusted input. So this function will do
basic check for PKCS#7 data structure.
@@ -905,7 +958,7 @@ _Exit: @param[in] P7Data Pointer to the PKCS#7 signed data to process.
@param[in] P7Length Length of the PKCS#7 signed data in bytes.
@param[out] Content Pointer to the extracted content from the PKCS#7 signedData.
- It's caller's responsiblity to free the buffer.
+ It's caller's responsibility to free the buffer.
@param[out] ContentSize The size of the extracted content in bytes.
@retval TRUE The P7Data was correctly formatted for processing.
diff --git a/Cryptlib/Pk/CryptRsaBasic.c b/Cryptlib/Pk/CryptRsaBasic.c index e49db51e..ba1bcf0f 100644 --- a/Cryptlib/Pk/CryptRsaBasic.c +++ b/Cryptlib/Pk/CryptRsaBasic.c @@ -7,7 +7,7 @@ 3) RsaSetKey
4) RsaPkcs1Verify
-Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -67,14 +67,14 @@ RsaFree ( This function sets the tag-designated RSA key component into the established
RSA context from the user-specified non-negative integer (octet string format
represented in RSA PKCS#1).
- If BigNumber is NULL, then the specified key componenet in RSA context is cleared.
+ If BigNumber is NULL, then the specified key component in RSA context is cleared.
If RsaContext is NULL, then return FALSE.
@param[in, out] RsaContext Pointer to RSA context being set.
@param[in] KeyTag Tag of RSA key component being set.
@param[in] BigNumber Pointer to octet integer buffer.
- If NULL, then the specified key componenet in RSA
+ If NULL, then the specified key component in RSA
context is cleared.
@param[in] BnSize Size of big number buffer in bytes.
If BigNumber is NULL, then it is ignored.
@@ -92,7 +92,15 @@ RsaSetKey ( IN UINTN BnSize
)
{
- RSA *RsaKey;
+ RSA *RsaKey;
+ BIGNUM *BnN;
+ BIGNUM *BnE;
+ BIGNUM *BnD;
+ BIGNUM *BnP;
+ BIGNUM *BnQ;
+ BIGNUM *BnDp;
+ BIGNUM *BnDq;
+ BIGNUM *BnQInv;
//
// Check input parameters.
@@ -101,7 +109,23 @@ RsaSetKey ( return FALSE;
}
+ BnN = NULL;
+ BnE = NULL;
+ BnD = NULL;
+ BnP = NULL;
+ BnQ = NULL;
+ BnDp = NULL;
+ BnDq = NULL;
+ BnQInv = NULL;
+
+ //
+ // Retrieve the components from RSA object.
+ //
RsaKey = (RSA *) RsaContext;
+ RSA_get0_key (RsaKey, (const BIGNUM **)&BnN, (const BIGNUM **)&BnE, (const BIGNUM **)&BnD);
+ RSA_get0_factors (RsaKey, (const BIGNUM **)&BnP, (const BIGNUM **)&BnQ);
+ RSA_get0_crt_params (RsaKey, (const BIGNUM **)&BnDp, (const BIGNUM **)&BnDq, (const BIGNUM **)&BnQInv);
+
//
// Set RSA Key Components by converting octet string to OpenSSL BN representation.
// NOTE: For RSA public key (used in signature verification), only public components
@@ -110,144 +134,109 @@ RsaSetKey ( switch (KeyTag) {
//
- // RSA Public Modulus (N)
+ // RSA Public Modulus (N), Public Exponent (e) and Private Exponent (d)
//
case RsaKeyN:
- if (RsaKey->n != NULL) {
- BN_free (RsaKey->n);
- }
- RsaKey->n = NULL;
- if (BigNumber == NULL) {
- break;
- }
- RsaKey->n = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->n);
- if (RsaKey->n == NULL) {
- return FALSE;
- }
-
- break;
-
- //
- // RSA Public Exponent (e)
- //
case RsaKeyE:
- if (RsaKey->e != NULL) {
- BN_free (RsaKey->e);
+ case RsaKeyD:
+ if (BnN == NULL) {
+ BnN = BN_new ();
}
- RsaKey->e = NULL;
- if (BigNumber == NULL) {
- break;
+ if (BnE == NULL) {
+ BnE = BN_new ();
}
- RsaKey->e = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->e);
- if (RsaKey->e == NULL) {
- return FALSE;
+ if (BnD == NULL) {
+ BnD = BN_new ();
}
- break;
-
- //
- // RSA Private Exponent (d)
- //
- case RsaKeyD:
- if (RsaKey->d != NULL) {
- BN_free (RsaKey->d);
- }
- RsaKey->d = NULL;
- if (BigNumber == NULL) {
- break;
- }
- RsaKey->d = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->d);
- if (RsaKey->d == NULL) {
+ if ((BnN == NULL) || (BnE == NULL) || (BnD == NULL)) {
return FALSE;
}
- break;
-
- //
- // RSA Secret Prime Factor of Modulus (p)
- //
- case RsaKeyP:
- if (RsaKey->p != NULL) {
- BN_free (RsaKey->p);
- }
- RsaKey->p = NULL;
- if (BigNumber == NULL) {
+ switch (KeyTag) {
+ case RsaKeyN:
+ BnN = BN_bin2bn (BigNumber, (UINT32)BnSize, BnN);
+ break;
+ case RsaKeyE:
+ BnE = BN_bin2bn (BigNumber, (UINT32)BnSize, BnE);
break;
+ case RsaKeyD:
+ BnD = BN_bin2bn (BigNumber, (UINT32)BnSize, BnD);
+ break;
+ default:
+ return FALSE;
}
- RsaKey->p = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->p);
- if (RsaKey->p == NULL) {
+ if (RSA_set0_key (RsaKey, BN_dup(BnN), BN_dup(BnE), BN_dup(BnD)) == 0) {
return FALSE;
}
break;
//
- // RSA Secret Prime Factor of Modules (q)
+ // RSA Secret Prime Factor of Modulus (p and q)
//
+ case RsaKeyP:
case RsaKeyQ:
- if (RsaKey->q != NULL) {
- BN_free (RsaKey->q);
+ if (BnP == NULL) {
+ BnP = BN_new ();
}
- RsaKey->q = NULL;
- if (BigNumber == NULL) {
- break;
+ if (BnQ == NULL) {
+ BnQ = BN_new ();
}
- RsaKey->q = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->q);
- if (RsaKey->q == NULL) {
+ if ((BnP == NULL) || (BnQ == NULL)) {
return FALSE;
}
- break;
-
- //
- // p's CRT Exponent (== d mod (p - 1))
- //
- case RsaKeyDp:
- if (RsaKey->dmp1 != NULL) {
- BN_free (RsaKey->dmp1);
- }
- RsaKey->dmp1 = NULL;
- if (BigNumber == NULL) {
+ switch (KeyTag) {
+ case RsaKeyP:
+ BnP = BN_bin2bn (BigNumber, (UINT32)BnSize, BnP);
break;
+ case RsaKeyQ:
+ BnQ = BN_bin2bn (BigNumber, (UINT32)BnSize, BnQ);
+ break;
+ default:
+ return FALSE;
}
- RsaKey->dmp1 = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->dmp1);
- if (RsaKey->dmp1 == NULL) {
+ if (RSA_set0_factors (RsaKey, BN_dup(BnP), BN_dup(BnQ)) == 0) {
return FALSE;
}
break;
//
- // q's CRT Exponent (== d mod (q - 1))
+ // p's CRT Exponent (== d mod (p - 1)), q's CRT Exponent (== d mod (q - 1)),
+ // and CRT Coefficient (== 1/q mod p)
//
+ case RsaKeyDp:
case RsaKeyDq:
- if (RsaKey->dmq1 != NULL) {
- BN_free (RsaKey->dmq1);
+ case RsaKeyQInv:
+ if (BnDp == NULL) {
+ BnDp = BN_new ();
}
- RsaKey->dmq1 = NULL;
- if (BigNumber == NULL) {
- break;
+ if (BnDq == NULL) {
+ BnDq = BN_new ();
}
- RsaKey->dmq1 = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->dmq1);
- if (RsaKey->dmq1 == NULL) {
+ if (BnQInv == NULL) {
+ BnQInv = BN_new ();
+ }
+ if ((BnDp == NULL) || (BnDq == NULL) || (BnQInv == NULL)) {
return FALSE;
}
- break;
-
- //
- // The CRT Coefficient (== 1/q mod p)
- //
- case RsaKeyQInv:
- if (RsaKey->iqmp != NULL) {
- BN_free (RsaKey->iqmp);
- }
- RsaKey->iqmp = NULL;
- if (BigNumber == NULL) {
+ switch (KeyTag) {
+ case RsaKeyDp:
+ BnDp = BN_bin2bn (BigNumber, (UINT32)BnSize, BnDp);
+ break;
+ case RsaKeyDq:
+ BnDq = BN_bin2bn (BigNumber, (UINT32)BnSize, BnDq);
+ break;
+ case RsaKeyQInv:
+ BnQInv = BN_bin2bn (BigNumber, (UINT32)BnSize, BnQInv);
break;
+ default:
+ return FALSE;
}
- RsaKey->iqmp = BN_bin2bn (BigNumber, (UINT32) BnSize, RsaKey->iqmp);
- if (RsaKey->iqmp == NULL) {
+ if (RSA_set0_crt_params (RsaKey, BN_dup(BnDp), BN_dup(BnDq), BN_dup(BnQInv)) == 0) {
return FALSE;
}
@@ -311,11 +300,11 @@ RsaPkcs1Verify ( case MD5_DIGEST_SIZE:
DigestType = NID_md5;
break;
-
+
case SHA1_DIGEST_SIZE:
DigestType = NID_sha1;
break;
-
+
case SHA256_DIGEST_SIZE:
DigestType = NID_sha256;
break;
diff --git a/Cryptlib/Pk/CryptTs.c b/Cryptlib/Pk/CryptTs.c index d4958122..d63c23df 100644 --- a/Cryptlib/Pk/CryptTs.c +++ b/Cryptlib/Pk/CryptTs.c @@ -5,7 +5,7 @@ the lifetime of the signature when a signing certificate expires or is later
revoked.
-Copyright (c) 2014 - 2015, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2014 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -239,7 +239,7 @@ CheckTSTInfo ( TS_MESSAGE_IMPRINT *Imprint;
X509_ALGOR *HashAlgo;
CONST EVP_MD *Md;
- EVP_MD_CTX MdCtx;
+ EVP_MD_CTX *MdCtx;
UINTN MdSize;
UINT8 *HashedMsg;
@@ -249,6 +249,7 @@ CheckTSTInfo ( Status = FALSE;
HashAlgo = NULL;
HashedMsg = NULL;
+ MdCtx = NULL;
//
// -- Check version number of Timestamp:
@@ -285,11 +286,17 @@ CheckTSTInfo ( if (HashedMsg == NULL) {
goto _Exit;
}
- EVP_DigestInit (&MdCtx, Md);
- EVP_DigestUpdate (&MdCtx, TimestampedData, DataSize);
- EVP_DigestFinal (&MdCtx, HashedMsg, NULL);
+ MdCtx = EVP_MD_CTX_new ();
+ if (MdCtx == NULL) {
+ goto _Exit;
+ }
+ if ((EVP_DigestInit_ex (MdCtx, Md, NULL) != 1) ||
+ (EVP_DigestUpdate (MdCtx, TimestampedData, DataSize) != 1) ||
+ (EVP_DigestFinal (MdCtx, HashedMsg, NULL) != 1)) {
+ goto _Exit;
+ }
if ((MdSize == (UINTN)ASN1_STRING_length (Imprint->HashedMessage)) &&
- (CompareMem (HashedMsg, ASN1_STRING_data (Imprint->HashedMessage), MdSize) != 0)) {
+ (CompareMem (HashedMsg, ASN1_STRING_get0_data (Imprint->HashedMessage), MdSize) != 0)) {
goto _Exit;
}
@@ -315,6 +322,7 @@ CheckTSTInfo ( _Exit:
X509_ALGOR_free (HashAlgo);
+ EVP_MD_CTX_free (MdCtx);
if (HashedMsg != NULL) {
FreePool (HashedMsg);
}
@@ -323,7 +331,7 @@ _Exit: }
/**
- Verifies the validility of a TimeStamp Token as described in RFC 3161 ("Internet
+ Verifies the validity of a TimeStamp Token as described in RFC 3161 ("Internet
X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)").
If TSToken is NULL, then return FALSE.
@@ -497,7 +505,7 @@ _Exit: }
/**
- Verifies the validility of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode
+ Verifies the validity of a RFC3161 Timestamp CounterSignature embedded in PE/COFF Authenticode
signature.
If AuthData is NULL, then return FALSE.
diff --git a/Cryptlib/Pk/CryptX509.c b/Cryptlib/Pk/CryptX509.c index 7dc45967..7d275977 100644 --- a/Cryptlib/Pk/CryptX509.c +++ b/Cryptlib/Pk/CryptX509.c @@ -1,7 +1,7 @@ /** @file
X.509 Certificate Handler Wrapper Implementation over OpenSSL.
-Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -73,7 +73,7 @@ X509ConstructCertificate ( @param ... A list of DER-encoded single certificate data followed
by certificate size. A NULL terminates the list. The
pairs are the arguments to X509ConstructCertificate().
-
+
@retval TRUE The X509 stack construction succeeded.
@retval FALSE The construction operation failed.
@@ -82,7 +82,7 @@ BOOLEAN EFIAPI
X509ConstructCertificateStack (
IN OUT UINT8 **X509Stack,
- ...
+ ...
)
{
UINT8 *Cert;
@@ -175,14 +175,14 @@ EFIAPI X509Free (
IN VOID *X509Cert
)
-{
+{
//
// Check input parameters.
//
if (X509Cert == NULL) {
return;
}
-
+
//
// Free OpenSSL X509 object.
//
@@ -209,7 +209,7 @@ X509StackFree ( if (X509Stack == NULL) {
return;
}
-
+
//
// Free OpenSSL X509 stack object.
//
@@ -324,7 +324,7 @@ RsaGetPublicKeyFromX509 ( BOOLEAN Status;
EVP_PKEY *Pkey;
X509 *X509Cert;
-
+
//
// Check input parameters.
//
@@ -350,14 +350,14 @@ RsaGetPublicKeyFromX509 ( // Retrieve and check EVP_PKEY data from X509 Certificate.
//
Pkey = X509_get_pubkey (X509Cert);
- if ((Pkey == NULL) || (Pkey->type != EVP_PKEY_RSA)) {
+ if ((Pkey == NULL) || (EVP_PKEY_id (Pkey) != EVP_PKEY_RSA)) {
goto _Exit;
}
//
// Duplicate RSA Context from the retrieved EVP_PKEY.
//
- if ((*RsaContext = RSAPublicKey_dup (Pkey->pkey.rsa)) != NULL) {
+ if ((*RsaContext = RSAPublicKey_dup (EVP_PKEY_get0_RSA (Pkey))) != NULL) {
Status = TRUE;
}
@@ -371,7 +371,7 @@ _Exit: if (Pkey != NULL) {
EVP_PKEY_free (Pkey);
- }
+ }
return Status;
}
@@ -405,8 +405,8 @@ X509VerifyCert ( X509 *X509Cert;
X509 *X509CACert;
X509_STORE *CertStore;
- X509_STORE_CTX CertCtx;
-
+ X509_STORE_CTX *CertCtx;
+
//
// Check input parameters.
//
@@ -418,6 +418,7 @@ X509VerifyCert ( X509Cert = NULL;
X509CACert = NULL;
CertStore = NULL;
+ CertCtx = NULL;
//
// Register & Initialize necessary digest algorithms for certificate verification.
@@ -473,15 +474,19 @@ X509VerifyCert ( //
// Set up X509_STORE_CTX for the subsequent verification operation.
//
- if (!X509_STORE_CTX_init (&CertCtx, CertStore, X509Cert, NULL)) {
+ CertCtx = X509_STORE_CTX_new ();
+ if (CertCtx == NULL) {
+ goto _Exit;
+ }
+ if (!X509_STORE_CTX_init (CertCtx, CertStore, X509Cert, NULL)) {
goto _Exit;
}
//
// X509 Certificate Verification.
//
- Status = (BOOLEAN) X509_verify_cert (&CertCtx);
- X509_STORE_CTX_cleanup (&CertCtx);
+ Status = (BOOLEAN) X509_verify_cert (CertCtx);
+ X509_STORE_CTX_cleanup (CertCtx);
_Exit:
//
@@ -498,7 +503,9 @@ _Exit: if (CertStore != NULL) {
X509_STORE_free (CertStore);
}
-
+
+ X509_STORE_CTX_free (CertCtx);
+
return Status;
}
@@ -575,6 +582,6 @@ X509GetTBSCert ( }
*TBSCertSize = Length + (Temp - *TBSCert);
-
+
return TRUE;
}
|