From 3702637a528707704fb37defea042f7b10709ec4 Mon Sep 17 00:00:00 2001 From: chenc2 Date: Tue, 7 Nov 2017 08:56:56 +0800 Subject: [PATCH] CryptoPkg/BaseCryptLib: Add C-structure to matching certificate stack The parameter CertStack of Pkcs7GetSigners will return all embedded X.509 certificate in one given PKCS7 signature. The format is: // // UINT8 CertNumber; // UINT32 Cert1Length; // UINT8 Cert1[]; // UINT32 Cert2Length; // UINT8 Cert2[]; // ... // UINT32 CertnLength; // UINT8 Certn[]; // Add EFI_CERT_STACK and EFI_CERT_DATA structure, these two C-structure are used for parsing CertStack more clearly. Cc: Long Qin Cc: Zhang Chao Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: chenc2 Reviewed-by: Long Qin Reviewed-by: Zhang Chao --- CryptoPkg/Include/Library/BaseCryptLib.h | 33 +++++++++++++++++++ .../BaseCryptLib/Pk/CryptPkcs7Verify.c | 3 ++ .../BaseCryptLib/Pk/CryptPkcs7VerifyNull.c | 3 ++ 3 files changed, 39 insertions(+) diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h index e2b6a95666..027ea09feb 100644 --- a/CryptoPkg/Include/Library/BaseCryptLib.h +++ b/CryptoPkg/Include/Library/BaseCryptLib.h @@ -2376,6 +2376,36 @@ Pkcs5HashPassword ( OUT UINT8 *OutKey ); +/** + The 3rd parameter of Pkcs7GetSigners will return all embedded + X.509 certificate in one given PKCS7 signature. The format is: + // + // UINT8 CertNumber; + // UINT32 Cert1Length; + // UINT8 Cert1[]; + // UINT32 Cert2Length; + // UINT8 Cert2[]; + // ... + // UINT32 CertnLength; + // UINT8 Certn[]; + // + + The two following C-structure are used for parsing CertStack more clearly. +**/ +#pragma pack(1) + +typedef struct { + UINT32 CertDataLength; // The length in bytes of X.509 certificate. + UINT8 CertDataBuffer[0]; // The X.509 certificate content (DER). +} EFI_CERT_DATA; + +typedef struct { + UINT8 CertNumber; // Number of X.509 certificate. + //EFI_CERT_DATA CertArray[]; // An array of X.509 certificate. +} EFI_CERT_STACK; + +#pragma pack() + /** Get the signer's certificates from PKCS#7 signed data as described in "PKCS #7: Cryptographic Message Syntax Standard". The input signed data could be wrapped @@ -2390,6 +2420,7 @@ Pkcs5HashPassword ( @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data. It's caller's responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. @param[out] StackLength Length of signer's certificates in bytes. @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates. It's caller's responsibility to free the buffer with @@ -2437,9 +2468,11 @@ Pkcs7FreeSigners ( @param[out] SignerChainCerts Pointer to the certificates list chained to signer's certificate. It's caller's responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. @param[out] ChainLength Length of the chained certificates list buffer in bytes. @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. @retval TRUE The operation is finished successfully. diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c index 296df028b1..fe8e5950f9 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c @@ -242,6 +242,7 @@ _Exit: @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data. It's caller's responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. @param[out] StackLength Length of signer's certificates in bytes. @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates. It's caller's responsibility to free the buffer with @@ -442,9 +443,11 @@ Pkcs7FreeSigners ( @param[out] SignerChainCerts Pointer to the certificates list chained to signer's certificate. It's caller's responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. @param[out] ChainLength Length of the chained certificates list buffer in bytes. @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. @retval TRUE The operation is finished successfully. diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c index d3e8ec89a7..5490b1f3d6 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyNull.c @@ -27,6 +27,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. @param[out] CertStack Pointer to Signer's certificates retrieved from P7Data. It's caller's responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. @param[out] StackLength Length of signer's certificates in bytes. @param[out] TrustedCert Pointer to a trusted certificate from Signer's certificates. It's caller's responsibility to free the buffer with @@ -79,9 +80,11 @@ Pkcs7FreeSigners ( @param[out] SignerChainCerts Pointer to the certificates list chained to signer's certificate. It's caller's responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. @param[out] ChainLength Length of the chained certificates list buffer in bytes. @param[out] UnchainCerts Pointer to the unchained certificates lists. It's caller's responsibility to free the buffer with Pkcs7FreeSigners(). + This data structure is EFI_CERT_STACK type. @param[out] UnchainLength Length of the unchained certificates list buffer in bytes. @retval TRUE The operation is finished successfully.