TianoCore EDK2 master
CryptPkcs7VerifyCommon.c File Reference
#include "InternalCryptLib.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pkcs7.h>


Functions

BOOLEAN WrapPkcs7Data (IN CONST UINT8 *P7Data, IN UINTN P7Length, OUT BOOLEAN *WrapFlag, OUT UINT8 **WrapData, OUT UINTN *WrapDataSize)
 
STATIC BOOLEAN X509PopCertificate (IN VOID *X509Stack, OUT UINT8 **Cert, OUT UINTN *CertSize)
 
BOOLEAN EFIAPI Pkcs7GetSigners (IN CONST UINT8 *P7Data, IN UINTN P7Length, OUT UINT8 **CertStack, OUT UINTN *StackLength, OUT UINT8 **TrustedCert, OUT UINTN *CertLength)
 
VOID EFIAPI Pkcs7FreeSigners (IN UINT8 *Certs)
 
BOOLEAN EFIAPI Pkcs7GetCertificatesList (IN CONST UINT8 *P7Data, IN UINTN P7Length, OUT UINT8 **SignerChainCerts, OUT UINTN *ChainLength, OUT UINT8 **UnchainCerts, OUT UINTN *UnchainLength)
 
BOOLEAN EFIAPI Pkcs7Verify (IN CONST UINT8 *P7Data, IN UINTN P7Length, IN CONST UINT8 *TrustedCert, IN UINTN CertLength, IN CONST UINT8 *InData, IN UINTN DataLength)
 

Variables

GLOBAL_REMOVE_IF_UNREFERENCED const UINT8 mOidValue [9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 }
 

Detailed Description

PKCS#7 SignedData Verification Wrapper Implementation over OpenSSL.

Caution: This module requires additional review when modified. This library takes external input: a signature (e.g. UEFI Authenticated Variable). It may be input in SMM mode. This external input must be validated carefully to avoid security issues such as buffer overflow and integer overflow.

WrapPkcs7Data(), Pkcs7GetSigners() and Pkcs7Verify() will get a UEFI Authenticated Variable and will perform basic checks on the data structure.

Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent

Definition in file CryptPkcs7VerifyCommon.c.

Function Documentation

◆ Pkcs7FreeSigners()

VOID EFIAPI Pkcs7FreeSigners ( IN UINT8 *  Certs)

Wrap function to use free() to free allocated memory for certificates.

Parameters
[in] Certs: Pointer to the certificates to be freed.

Definition at line 422 of file CryptPkcs7VerifyCommon.c.

◆ Pkcs7GetCertificatesList()

BOOLEAN EFIAPI Pkcs7GetCertificatesList ( IN CONST UINT8 *  P7Data,
IN UINTN  P7Length,
OUT UINT8 **  SignerChainCerts,
OUT UINTN *  ChainLength,
OUT UINT8 **  UnchainCerts,
OUT UINTN *  UnchainLength
)

Retrieves all embedded certificates from PKCS#7 signed data as described in "PKCS #7: Cryptographic Message Syntax Standard", and outputs two certificate lists: one chained and one unchained to the signer's certificates. The input signed data could be wrapped in a ContentInfo structure.

Parameters
[in] P7Data: Pointer to the PKCS#7 message.
[in] P7Length: Length of the PKCS#7 message in bytes.
[out] SignerChainCerts: Pointer to the certificates list chained to signer's certificate. It's caller's responsibility to free the buffer with Pkcs7FreeSigners(). This data structure is EFI_CERT_STACK type.
[out] ChainLength: Length of the chained certificates list buffer in bytes.
[out] UnchainCerts: Pointer to the unchained certificates lists. It's caller's responsibility to free the buffer with Pkcs7FreeSigners(). This data structure is EFI_CERT_STACK type.
[out] UnchainLength: Length of the unchained certificates list buffer in bytes.
Return values
TRUE: The operation is finished successfully.
FALSE: Error occurs during the operation.

Definition at line 457 of file CryptPkcs7VerifyCommon.c.

◆ Pkcs7GetSigners()

BOOLEAN EFIAPI Pkcs7GetSigners ( IN CONST UINT8 *  P7Data,
IN UINTN  P7Length,
OUT UINT8 **  CertStack,
OUT UINTN *  StackLength,
OUT UINT8 **  TrustedCert,
OUT UINTN *  CertLength
)

Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7: Cryptographic Message Syntax Standard". The input signed data could be wrapped in a ContentInfo structure.

If P7Data, CertStack, StackLength, TrustedCert or CertLength is NULL, then return FALSE. If P7Length overflows, then return FALSE.

Caution: This function may receive untrusted input. A UEFI Authenticated Variable is external input, so this function performs basic checks on the PKCS#7 data structure.

Parameters
[in] P7Data: Pointer to the PKCS#7 message to verify.
[in] P7Length: Length of the PKCS#7 message in bytes.
[out] CertStack: Pointer to Signer's certificates retrieved from P7Data. It's caller's responsibility to free the buffer with Pkcs7FreeSigners(). This data structure is EFI_CERT_STACK type.
[out] StackLength: Length of signer's certificates in bytes.
[out] TrustedCert: Pointer to a trusted certificate from Signer's certificates. It's caller's responsibility to free the buffer with Pkcs7FreeSigners().
[out] CertLength: Length of the trusted certificate in bytes.
Return values
TRUE: The operation is finished successfully.
FALSE: Error occurs during the operation.

Definition at line 254 of file CryptPkcs7VerifyCommon.c.

◆ Pkcs7Verify()

BOOLEAN EFIAPI Pkcs7Verify ( IN CONST UINT8 *  P7Data,
IN UINTN  P7Length,
IN CONST UINT8 *  TrustedCert,
IN UINTN  CertLength,
IN CONST UINT8 *  InData,
IN UINTN  DataLength 
)

Verifies the validity of a PKCS#7 signed data as described in "PKCS #7: Cryptographic Message Syntax Standard". The input signed data could be wrapped in a ContentInfo structure.

If P7Data, TrustedCert or InData is NULL, then return FALSE. If P7Length, CertLength or DataLength overflows, then return FALSE.

Caution: This function may receive untrusted input. A UEFI Authenticated Variable is external input, so this function performs basic checks on the PKCS#7 data structure.

Parameters
[in] P7Data: Pointer to the PKCS#7 message to verify.
[in] P7Length: Length of the PKCS#7 message in bytes.
[in] TrustedCert: Pointer to a trusted/root certificate encoded in DER, which is used for certificate chain verification.
[in] CertLength: Length of the trusted certificate in bytes.
[in] InData: Pointer to the content to be verified.
[in] DataLength: Length of InData in bytes.
Return values
TRUE: The specified PKCS#7 signed data is valid.
FALSE: Invalid PKCS#7 signed data.

Definition at line 776 of file CryptPkcs7VerifyCommon.c.

◆ WrapPkcs7Data()

BOOLEAN WrapPkcs7Data ( IN CONST UINT8 *  P7Data,
IN UINTN  P7Length,
OUT BOOLEAN *  WrapFlag,
OUT UINT8 **  WrapData,
OUT UINTN *  WrapDataSize
)

Checks whether the input P7Data is a wrapped ContentInfo structure. If it is not, constructs a new structure to wrap P7Data.

Caution: This function may receive untrusted input. A UEFI Authenticated Variable is external input, so this function performs basic checks on the PKCS#7 data structure.

Parameters
[in] P7Data: Pointer to the PKCS#7 message to verify.
[in] P7Length: Length of the PKCS#7 message in bytes.
[out] WrapFlag: TRUE if P7Data is a ContentInfo structure, otherwise FALSE.
[out] WrapData: If return status of this function is TRUE: 1) when WrapFlag is TRUE, pointer to P7Data. 2) when WrapFlag is FALSE, pointer to a new ContentInfo structure. It's caller's responsibility to free this buffer.
[out] WrapDataSize: Length of ContentInfo structure in bytes.
Return values
TRUE: The operation is finished successfully.
FALSE: The operation failed due to lack of resources.

Definition at line 51 of file CryptPkcs7VerifyCommon.c.
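
The wrap-or-pass-through behaviour described for WrapPkcs7Data(), sketched as an added example in portable C; this is not the EDK2 source. The names is_wrapped_content_info and wrap_signed_data are hypothetical, and the sketch assumes two-byte long-form DER lengths (0x82) and malloc() in place of the firmware allocator.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* signedData OID 1.2.840.113549.1.7.2: the same nine bytes as mOidValue. */
static const uint8_t kSignedDataOid[9] =
    { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };

/* 30 82 LL LL | 06 09 <9-byte OID> | A0 82 LL LL = 19 header bytes. */
#define WRAP_HDR_LEN 19u

/* Hypothetical helper: 1 if buf begins with a signedData ContentInfo header. */
int is_wrapped_content_info(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < WRAP_HDR_LEN)   /* bounds check before any indexing */
        return 0;
    return buf[0] == 0x30 && buf[1] == 0x82 &&
           buf[4] == 0x06 && buf[5] == 0x09 &&
           memcmp(buf + 6, kSignedDataOid, sizeof kSignedDataOid) == 0 &&
           buf[15] == 0xA0 && buf[16] == 0x82;
}

/* Hypothetical helper: returns 0 on success. If *wrapped is 1, *out aliases in;
 * if 0, *out is a malloc'd ContentInfo that the caller must free. */
int wrap_signed_data(const uint8_t *in, size_t in_len, int *wrapped,
                     uint8_t **out, size_t *out_len)
{
    if (!in || !wrapped || !out || !out_len || in_len == 0)
        return -1;
    if (is_wrapped_content_info(in, in_len)) {
        *wrapped = 1; *out = (uint8_t *)in; *out_len = in_len;
        return 0;
    }
    /* Outer SEQUENCE length (in_len + 15) must fit the two length bytes. */
    if (in_len > 0xFFFFu - (WRAP_HDR_LEN - 4u))
        return -1;
    size_t outer = in_len + WRAP_HDR_LEN - 4u;
    uint8_t *w = malloc(in_len + WRAP_HDR_LEN);
    if (w == NULL)
        return -1;
    w[0] = 0x30; w[1] = 0x82; w[2] = (uint8_t)(outer >> 8); w[3] = (uint8_t)outer;
    w[4] = 0x06; w[5] = 0x09; memcpy(w + 6, kSignedDataOid, sizeof kSignedDataOid);
    w[15] = 0xA0; w[16] = 0x82; w[17] = (uint8_t)(in_len >> 8); w[18] = (uint8_t)in_len;
    memcpy(w + WRAP_HDR_LEN, in, in_len);
    *wrapped = 0; *out = w; *out_len = in_len + WRAP_HDR_LEN;
    return 0;
}
```

The length check runs before the allocation size is computed, so a length that cannot be encoded in the two-byte fields is rejected rather than truncated.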

◆ X509PopCertificate()

STATIC BOOLEAN X509PopCertificate ( IN VOID *  X509Stack,
OUT UINT8 **  Cert,
OUT UINTN *  CertSize
)

Pop a single certificate from STACK_OF(X509).

If X509Stack, Cert, or CertSize is NULL, then return FALSE.

Parameters
[in] X509Stack: Pointer to an X509 stack object.
[out] Cert: Pointer to an X509 certificate.
[out] CertSize: Length of output X509 certificate in bytes.
Return values
TRUE: The X509 stack pop succeeded.
FALSE: The pop operation failed.

Definition at line 150 of file CryptPkcs7VerifyCommon.c.

Variable Documentation

◆ mOidValue

GLOBAL_REMOVE_IF_UNREFERENCED const UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 }

Definition at line 25 of file CryptPkcs7VerifyCommon.c.