diff options
Diffstat (limited to 'Cryptlib/Pk')
| -rw-r--r-- | Cryptlib/Pk/CryptPkcs7Sign.c | 207 | ||||
| -rw-r--r-- | Cryptlib/Pk/CryptPkcs7SignNull.c | 59 | ||||
| -rw-r--r-- | Cryptlib/Pk/CryptPkcs7Verify.c (renamed from Cryptlib/Pk/CryptPkcs7.c) | 306 | ||||
| -rw-r--r-- | Cryptlib/Pk/CryptPkcs7VerifyNull.c | 100 | ||||
| -rw-r--r-- | Cryptlib/Pk/CryptRsaExtNull.c | 125 |
5 files changed, 606 insertions, 191 deletions
diff --git a/Cryptlib/Pk/CryptPkcs7Sign.c b/Cryptlib/Pk/CryptPkcs7Sign.c new file mode 100644 index 00000000..63fe78fc --- /dev/null +++ b/Cryptlib/Pk/CryptPkcs7Sign.c @@ -0,0 +1,207 @@ +/** @file
+ PKCS#7 SignedData Sign Wrapper Implementation over OpenSSL.
+
+Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "InternalCryptLib.h"
+
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
+
+
+/**
+ Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message
+ Syntax Standard, version 1.5". This interface is only intended to be used for
+ application to perform PKCS#7 functionality validation.
+
+ @param[in] PrivateKey Pointer to the PEM-formatted private key data for
+ data signing.
+ @param[in] PrivateKeySize Size of the PEM private key data in bytes.
+ @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM
+ key data.
+ @param[in] InData Pointer to the content to be signed.
+ @param[in] InDataSize Size of InData in bytes.
+ @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with.
+ @param[in] OtherCerts Pointer to an optional additional set of certificates to
+ include in the PKCS#7 signedData (e.g. any intermediate
+ CAs in the chain).
+ @param[out] SignedData Pointer to output PKCS#7 signedData.
+ @param[out] SignedDataSize Size of SignedData in bytes.
+
+ @retval TRUE PKCS#7 data signing succeeded.
+ @retval FALSE PKCS#7 data signing failed.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7Sign (
+ IN CONST UINT8 *PrivateKey,
+ IN UINTN PrivateKeySize,
+ IN CONST UINT8 *KeyPassword,
+ IN UINT8 *InData,
+ IN UINTN InDataSize,
+ IN UINT8 *SignCert,
+ IN UINT8 *OtherCerts OPTIONAL,
+ OUT UINT8 **SignedData,
+ OUT UINTN *SignedDataSize
+ )
+{
+ BOOLEAN Status;
+ EVP_PKEY *Key;
+ BIO *DataBio;
+ PKCS7 *Pkcs7;
+ UINT8 *RsaContext;
+ UINT8 *P7Data;
+ UINTN P7DataSize;
+ UINT8 *Tmp;
+
+ //
+ // Check input parameters.
+ //
+ if (PrivateKey == NULL || KeyPassword == NULL || InData == NULL ||
+ SignCert == NULL || SignedData == NULL || SignedDataSize == NULL || InDataSize > INT_MAX) {
+ return FALSE;
+ }
+
+ RsaContext = NULL;
+ Key = NULL;
+ Pkcs7 = NULL;
+ DataBio = NULL;
+ Status = FALSE;
+
+ //
+ // Retrieve RSA private key from PEM data.
+ //
+ Status = RsaGetPrivateKeyFromPem (
+ PrivateKey,
+ PrivateKeySize,
+ (CONST CHAR8 *) KeyPassword,
+ (VOID **) &RsaContext
+ );
+ if (!Status) {
+ return Status;
+ }
+
+ Status = FALSE;
+
+ //
+ // Register & Initialize necessary digest algorithms and PRNG for PKCS#7 Handling
+ //
+ if (EVP_add_digest (EVP_md5 ()) == 0) {
+ goto _Exit;
+ }
+ if (EVP_add_digest (EVP_sha1 ()) == 0) {
+ goto _Exit;
+ }
+ if (EVP_add_digest (EVP_sha256 ()) == 0) {
+ goto _Exit;
+ }
+
+ RandomSeed (NULL, 0);
+
+ //
+ // Construct OpenSSL EVP_PKEY for private key.
+ //
+ Key = EVP_PKEY_new ();
+ if (Key == NULL) {
+ goto _Exit;
+ }
+ Key->save_type = EVP_PKEY_RSA;
+ Key->type = EVP_PKEY_type (EVP_PKEY_RSA);
+ Key->pkey.rsa = (RSA *) RsaContext;
+
+ //
+ // Convert the data to be signed to BIO format.
+ //
+ DataBio = BIO_new (BIO_s_mem ());
+ if (DataBio == NULL) {
+ goto _Exit;
+ }
+
+ if (BIO_write (DataBio, InData, (int) InDataSize) <= 0) {
+ goto _Exit;
+ }
+
+ //
+ // Create the PKCS#7 signedData structure.
+ //
+ Pkcs7 = PKCS7_sign (
+ (X509 *) SignCert,
+ Key,
+ (STACK_OF(X509) *) OtherCerts,
+ DataBio,
+ PKCS7_BINARY | PKCS7_NOATTR | PKCS7_DETACHED
+ );
+ if (Pkcs7 == NULL) {
+ goto _Exit;
+ }
+
+ //
+ // Convert PKCS#7 signedData structure into DER-encoded buffer.
+ //
+ P7DataSize = i2d_PKCS7 (Pkcs7, NULL);
+ if (P7DataSize <= 19) {
+ goto _Exit;
+ }
+
+ P7Data = malloc (P7DataSize);
+ if (P7Data == NULL) {
+ goto _Exit;
+ }
+
+ Tmp = P7Data;
+ P7DataSize = i2d_PKCS7 (Pkcs7, (unsigned char **) &Tmp);
+ ASSERT (P7DataSize > 19);
+
+ //
+ // Strip ContentInfo to content only for signeddata. The data be trimmed off
+ // is totally 19 bytes.
+ //
+ *SignedDataSize = P7DataSize - 19;
+ *SignedData = malloc (*SignedDataSize);
+ if (*SignedData == NULL) {
+ OPENSSL_free (P7Data);
+ goto _Exit;
+ }
+
+ CopyMem (*SignedData, P7Data + 19, *SignedDataSize);
+
+ OPENSSL_free (P7Data);
+
+ Status = TRUE;
+
+_Exit:
+ //
+ // Release Resources
+ //
+ if (RsaContext != NULL) {
+ RsaFree (RsaContext);
+ if (Key != NULL) {
+ Key->pkey.rsa = NULL;
+ }
+ }
+
+ if (Key != NULL) {
+ EVP_PKEY_free (Key);
+ }
+
+ if (DataBio != NULL) {
+ BIO_free (DataBio);
+ }
+
+ if (Pkcs7 != NULL) {
+ PKCS7_free (Pkcs7);
+ }
+
+ return Status;
+}
diff --git a/Cryptlib/Pk/CryptPkcs7SignNull.c b/Cryptlib/Pk/CryptPkcs7SignNull.c new file mode 100644 index 00000000..539bb6b7 --- /dev/null +++ b/Cryptlib/Pk/CryptPkcs7SignNull.c @@ -0,0 +1,59 @@ +/** @file
+ PKCS#7 SignedData Sign Wrapper Implementation which does not provide real
+ capabilities.
+
+Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message
+ Syntax Standard, version 1.5". This interface is only intended to be used for
+ application to perform PKCS#7 functionality validation.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] PrivateKey Pointer to the PEM-formatted private key data for
+ data signing.
+ @param[in] PrivateKeySize Size of the PEM private key data in bytes.
+ @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM
+ key data.
+ @param[in] InData Pointer to the content to be signed.
+ @param[in] InDataSize Size of InData in bytes.
+ @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with.
+ @param[in] OtherCerts Pointer to an optional additional set of certificates to
+ include in the PKCS#7 signedData (e.g. any intermediate
+ CAs in the chain).
+ @param[out] SignedData Pointer to output PKCS#7 signedData.
+ @param[out] SignedDataSize Size of SignedData in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7Sign (
+ IN CONST UINT8 *PrivateKey,
+ IN UINTN PrivateKeySize,
+ IN CONST UINT8 *KeyPassword,
+ IN UINT8 *InData,
+ IN UINTN InDataSize,
+ IN UINT8 *SignCert,
+ IN UINT8 *OtherCerts OPTIONAL,
+ OUT UINT8 **SignedData,
+ OUT UINTN *SignedDataSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
diff --git a/Cryptlib/Pk/CryptPkcs7.c b/Cryptlib/Pk/CryptPkcs7Verify.c index 218e7ac2..05c3f877 100644 --- a/Cryptlib/Pk/CryptPkcs7.c +++ b/Cryptlib/Pk/CryptPkcs7Verify.c @@ -10,7 +10,7 @@ WrapPkcs7Data(), Pkcs7GetSigners(), Pkcs7Verify() will get UEFI Authenticated
Variable and will do basic check for data structure.
-Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2009 - 2013, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -25,6 +25,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include <openssl/objects.h>
#include <openssl/x509.h>
+#include <openssl/x509v3.h>
#include <openssl/pkcs7.h>
UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
@@ -111,182 +112,6 @@ X509VerifyCb ( }
/**
- Creates a PKCS#7 signedData as described in "PKCS #7: Cryptographic Message
- Syntax Standard, version 1.5". This interface is only intended to be used for
- application to perform PKCS#7 functionality validation.
-
- @param[in] PrivateKey Pointer to the PEM-formatted private key data for
- data signing.
- @param[in] PrivateKeySize Size of the PEM private key data in bytes.
- @param[in] KeyPassword NULL-terminated passphrase used for encrypted PEM
- key data.
- @param[in] InData Pointer to the content to be signed.
- @param[in] InDataSize Size of InData in bytes.
- @param[in] SignCert Pointer to signer's DER-encoded certificate to sign with.
- @param[in] OtherCerts Pointer to an optional additional set of certificates to
- include in the PKCS#7 signedData (e.g. any intermediate
- CAs in the chain).
- @param[out] SignedData Pointer to output PKCS#7 signedData.
- @param[out] SignedDataSize Size of SignedData in bytes.
-
- @retval TRUE PKCS#7 data signing succeeded.
- @retval FALSE PKCS#7 data signing failed.
-
-**/
-BOOLEAN
-EFIAPI
-Pkcs7Sign (
- IN CONST UINT8 *PrivateKey,
- IN UINTN PrivateKeySize,
- IN CONST UINT8 *KeyPassword,
- IN UINT8 *InData,
- IN UINTN InDataSize,
- IN UINT8 *SignCert,
- IN UINT8 *OtherCerts OPTIONAL,
- OUT UINT8 **SignedData,
- OUT UINTN *SignedDataSize
- )
-{
- BOOLEAN Status;
- EVP_PKEY *Key;
- BIO *DataBio;
- PKCS7 *Pkcs7;
- UINT8 *RsaContext;
- UINT8 *P7Data;
- UINTN P7DataSize;
- UINT8 *Tmp;
-
- //
- // Check input parameters.
- //
- if (PrivateKey == NULL || KeyPassword == NULL || InData == NULL ||
- SignCert == NULL || SignedData == NULL || SignedDataSize == NULL || InDataSize > INT_MAX) {
- return FALSE;
- }
-
- RsaContext = NULL;
- Key = NULL;
- Pkcs7 = NULL;
- DataBio = NULL;
- Status = FALSE;
-
- //
- // Retrieve RSA private key from PEM data.
- //
- Status = RsaGetPrivateKeyFromPem (
- PrivateKey,
- PrivateKeySize,
- (CONST CHAR8 *) KeyPassword,
- (VOID **) &RsaContext
- );
- if (!Status) {
- return Status;
- }
-
- //
- // Register & Initialize necessary digest algorithms and PRNG for PKCS#7 Handling
- //
- EVP_add_digest (EVP_md5());
- EVP_add_digest (EVP_sha1());
- EVP_add_digest (EVP_sha256());
- RandomSeed (NULL, 0);
-
- //
- // Construct OpenSSL EVP_PKEY for private key.
- //
- Key = EVP_PKEY_new ();
- if (Key == NULL) {
- Status = FALSE;
- goto _Exit;
- }
- Key->save_type = EVP_PKEY_RSA;
- Key->type = EVP_PKEY_type (EVP_PKEY_RSA);
- Key->pkey.rsa = (RSA *) RsaContext;
-
- //
- // Convert the data to be signed to BIO format.
- //
- DataBio = BIO_new (BIO_s_mem ());
- BIO_write (DataBio, InData, (int) InDataSize);
-
- //
- // Create the PKCS#7 signedData structure.
- //
- Pkcs7 = PKCS7_sign (
- (X509 *) SignCert,
- Key,
- (STACK_OF(X509) *) OtherCerts,
- DataBio,
- PKCS7_BINARY | PKCS7_NOATTR | PKCS7_DETACHED
- );
- if (Pkcs7 == NULL) {
- Status = FALSE;
- goto _Exit;
- }
-
- //
- // Convert PKCS#7 signedData structure into DER-encoded buffer.
- //
- P7DataSize = i2d_PKCS7 (Pkcs7, NULL);
- if (P7DataSize <= 19) {
- Status = FALSE;
- goto _Exit;
- }
-
- P7Data = malloc (P7DataSize);
- if (P7Data == NULL) {
- Status = FALSE;
- goto _Exit;
- }
-
- Tmp = P7Data;
- P7DataSize = i2d_PKCS7 (Pkcs7, (unsigned char **) &Tmp);
-
- //
- // Strip ContentInfo to content only for signeddata. The data be trimmed off
- // is totally 19 bytes.
- //
- *SignedDataSize = P7DataSize - 19;
- *SignedData = malloc (*SignedDataSize);
- if (*SignedData == NULL) {
- Status = FALSE;
- OPENSSL_free (P7Data);
- goto _Exit;
- }
-
- CopyMem (*SignedData, P7Data + 19, *SignedDataSize);
-
- OPENSSL_free (P7Data);
-
- Status = TRUE;
-
-_Exit:
- //
- // Release Resources
- //
- if (RsaContext != NULL) {
- RsaFree (RsaContext);
- if (Key != NULL) {
- Key->pkey.rsa = NULL;
- }
- }
-
- if (Key != NULL) {
- EVP_PKEY_free (Key);
- }
-
- if (DataBio != NULL) {
- BIO_free (DataBio);
- }
-
- if (Pkcs7 != NULL) {
- PKCS7_free (Pkcs7);
- }
-
- return Status;
-}
-
-/**
Check input P7Data is a wrapped ContentInfo structure or not. If not construct
a new structure to wrap P7Data.
@@ -395,6 +220,91 @@ WrapPkcs7Data ( }
/**
+ Pop single certificate from STACK_OF(X509).
+
+ If X509Stack, Cert, or CertSize is NULL, then return FALSE.
+
+ @param[in] X509Stack Pointer to a X509 stack object.
+ @param[out] Cert Pointer to a X509 certificate.
+ @param[out] CertSize Length of output X509 certificate in bytes.
+
+ @retval TRUE The X509 stack pop succeeded.
+ @retval FALSE The pop operation failed.
+
+**/
+BOOLEAN
+X509PopCertificate (
+ IN VOID *X509Stack,
+ OUT UINT8 **Cert,
+ OUT UINTN *CertSize
+ )
+{
+ BIO *CertBio;
+ X509 *X509Cert;
+ STACK_OF(X509) *CertStack;
+ BOOLEAN Status;
+ INT32 Result;
+ INT32 Length;
+ VOID *Buffer;
+
+ Status = FALSE;
+
+ if ((X509Stack == NULL) || (Cert == NULL) || (CertSize == NULL)) {
+ return Status;
+ }
+
+ CertStack = (STACK_OF(X509) *) X509Stack;
+
+ X509Cert = sk_X509_pop (CertStack);
+
+ if (X509Cert == NULL) {
+ return Status;
+ }
+
+ Buffer = NULL;
+
+ CertBio = BIO_new (BIO_s_mem ());
+ if (CertBio == NULL) {
+ return Status;
+ }
+
+ Result = i2d_X509_bio (CertBio, X509Cert);
+ if (Result == 0) {
+ goto _Exit;
+ }
+
+ Length = ((BUF_MEM *) CertBio->ptr)->length;
+ if (Length <= 0) {
+ goto _Exit;
+ }
+
+ Buffer = malloc (Length);
+ if (Buffer == NULL) {
+ goto _Exit;
+ }
+
+ Result = BIO_read (CertBio, Buffer, Length);
+ if (Result != Length) {
+ goto _Exit;
+ }
+
+ *Cert = Buffer;
+ *CertSize = Length;
+
+ Status = TRUE;
+
+_Exit:
+
+ BIO_free (CertBio);
+
+ if (!Status && (Buffer != NULL)) {
+ free (Buffer);
+ }
+
+ return Status;
+}
+
+/**
Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7:
Cryptographic Message Syntax Standard". The input signed data could be wrapped
in a ContentInfo structure.
@@ -634,7 +544,6 @@ Pkcs7Verify ( )
{
PKCS7 *Pkcs7;
- BIO *CertBio;
BIO *DataBio;
BOOLEAN Status;
X509 *Cert;
@@ -653,7 +562,6 @@ Pkcs7Verify ( }
Pkcs7 = NULL;
- CertBio = NULL;
DataBio = NULL;
Cert = NULL;
CertStore = NULL;
@@ -661,10 +569,19 @@ Pkcs7Verify ( //
// Register & Initialize necessary digest algorithms for PKCS#7 Handling
//
- EVP_add_digest (EVP_md5());
- EVP_add_digest (EVP_sha1());
- EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA);
- EVP_add_digest (EVP_sha256());
+ if (EVP_add_digest (EVP_md5 ()) == 0) {
+ return FALSE;
+ }
+ if (EVP_add_digest (EVP_sha1 ()) == 0) {
+ return FALSE;
+ }
+ if (EVP_add_digest (EVP_sha256 ()) == 0) {
+ return FALSE;
+ }
+ if (EVP_add_digest_alias (SN_sha1WithRSAEncryption, SN_sha1WithRSA) == 0) {
+ return FALSE;
+ }
+
Status = WrapPkcs7Data (P7Data, P7Length, &Wrapped, &SignedData, &SignedDataSize);
if (!Status) {
@@ -696,12 +613,7 @@ Pkcs7Verify ( //
// Read DER-encoded root certificate and Construct X509 Certificate
//
- CertBio = BIO_new (BIO_s_mem ());
- BIO_write (CertBio, TrustedCert, (int)CertLength);
- if (CertBio == NULL) {
- goto _Exit;
- }
- Cert = d2i_X509_bio (CertBio, NULL);
+ Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength);
if (Cert == NULL) {
goto _Exit;
}
@@ -728,7 +640,20 @@ Pkcs7Verify ( // in PKCS#7 structure. So ignore NULL checking here.
//
DataBio = BIO_new (BIO_s_mem ());
- BIO_write (DataBio, InData, (int)DataLength);
+ if (DataBio == NULL) {
+ goto _Exit;
+ }
+
+ if (BIO_write (DataBio, InData, (int) DataLength) <= 0) {
+ goto _Exit;
+ }
+
+ //
+ // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and
+ // doesn't support the extended key usage for Authenticode Code Signing.
+ // Bypass the certificate purpose checking by enabling any purposes setting.
+ //
+ X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
//
// Verifies the PKCS#7 signedData structure
@@ -740,7 +665,6 @@ _Exit: // Release Resources
//
BIO_free (DataBio);
- BIO_free (CertBio);
X509_free (Cert);
X509_STORE_free (CertStore);
PKCS7_free (Pkcs7);
diff --git a/Cryptlib/Pk/CryptPkcs7VerifyNull.c b/Cryptlib/Pk/CryptPkcs7VerifyNull.c new file mode 100644 index 00000000..9a4c77a2 --- /dev/null +++ b/Cryptlib/Pk/CryptPkcs7VerifyNull.c @@ -0,0 +1,100 @@ +/** @file
+ PKCS#7 SignedData Verification Wrapper Implementation which does not provide
+ real capabilities.
+
+Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7:
+ Cryptographic Message Syntax Standard". The input signed data could be wrapped
+ in a ContentInfo structure.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] P7Data Pointer to the PKCS#7 message to verify.
+ @param[in] P7Length Length of the PKCS#7 message in bytes.
+ @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data.
+ It's caller's responsiblity to free the buffer.
+ @param[out] StackLength Length of signer's certificates in bytes.
+ @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates.
+ It's caller's responsiblity to free the buffer.
+ @param[out] CertLength Length of the trusted certificate in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7GetSigners (
+ IN CONST UINT8 *P7Data,
+ IN UINTN P7Length,
+ OUT UINT8 **CertStack,
+ OUT UINTN *StackLength,
+ OUT UINT8 **TrustedCert,
+ OUT UINTN *CertLength
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Wrap function to use free() to free allocated memory for certificates.
+
+ If the interface is not supported, then ASSERT().
+
+ @param[in] Certs Pointer to the certificates to be freed.
+
+**/
+VOID
+EFIAPI
+Pkcs7FreeSigners (
+ IN UINT8 *Certs
+ )
+{
+ ASSERT (FALSE);
+}
+
+/**
+ Verifies the validility of a PKCS#7 signed data as described in "PKCS #7:
+ Cryptographic Message Syntax Standard". The input signed data could be wrapped
+ in a ContentInfo structure.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] P7Data Pointer to the PKCS#7 message to verify.
+ @param[in] P7Length Length of the PKCS#7 message in bytes.
+ @param[in] TrustedCert Pointer to a trusted/root certificate encoded in DER, which
+ is used for certificate chain verification.
+ @param[in] CertLength Length of the trusted certificate in bytes.
+ @param[in] InData Pointer to the content to be verified.
+ @param[in] DataLength Length of InData in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+Pkcs7Verify (
+ IN CONST UINT8 *P7Data,
+ IN UINTN P7Length,
+ IN CONST UINT8 *TrustedCert,
+ IN UINTN CertLength,
+ IN CONST UINT8 *InData,
+ IN UINTN DataLength
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
diff --git a/Cryptlib/Pk/CryptRsaExtNull.c b/Cryptlib/Pk/CryptRsaExtNull.c new file mode 100644 index 00000000..e44cdde4 --- /dev/null +++ b/Cryptlib/Pk/CryptRsaExtNull.c @@ -0,0 +1,125 @@ +/** @file
+ RSA Asymmetric Cipher Wrapper Implementation over OpenSSL.
+
+ This file does not provide real capabilities for following APIs in RSA handling:
+ 1) RsaGetKey
+ 2) RsaGenerateKey
+ 3) RsaCheckKey
+ 4) RsaPkcs1Sign
+
+Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Gets the tag-designated RSA key component from the established RSA context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] RsaContext Pointer to RSA context being set.
+ @param[in] KeyTag Tag of RSA key component being set.
+ @param[out] BigNumber Pointer to octet integer buffer.
+ @param[in, out] BnSize On input, the size of big number buffer in bytes.
+ On output, the size of data returned in big number buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+RsaGetKey (
+ IN OUT VOID *RsaContext,
+ IN RSA_KEY_TAG KeyTag,
+ OUT UINT8 *BigNumber,
+ IN OUT UINTN *BnSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Generates RSA key components.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in, out] RsaContext Pointer to RSA context being set.
+ @param[in] ModulusLength Length of RSA modulus N in bits.
+ @param[in] PublicExponent Pointer to RSA public exponent.
+ @param[in] PublicExponentSize Size of RSA public exponent buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+RsaGenerateKey (
+ IN OUT VOID *RsaContext,
+ IN UINTN ModulusLength,
+ IN CONST UINT8 *PublicExponent,
+ IN UINTN PublicExponentSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Validates key components of RSA context.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] RsaContext Pointer to RSA context to check.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+RsaCheckKey (
+ IN VOID *RsaContext
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Carries out the RSA-SSA signature generation with EMSA-PKCS1-v1_5 encoding scheme.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] RsaContext Pointer to RSA context for signature generation.
+ @param[in] MessageHash Pointer to octet message hash to be signed.
+ @param[in] HashSize Size of the message hash in bytes.
+ @param[out] Signature Pointer to buffer to receive RSA PKCS1-v1_5 signature.
+ @param[in, out] SigSize On input, the size of Signature buffer in bytes.
+ On output, the size of data returned in Signature buffer in bytes.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+RsaPkcs1Sign (
+ IN VOID *RsaContext,
+ IN CONST UINT8 *MessageHash,
+ IN UINTN HashSize,
+ OUT UINT8 *Signature,
+ IN OUT UINTN *SigSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+
|