Use RsaGetPublicKeyFromX509() to validate the given X.509 certificate for PK/KEK/db/dbx database.

Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Dong Guo <guo.dong@intel.com>
Reviewed-by: Ye Ting <ting.ye@intel.com>

git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13553 6f19259b-4bc3-4df7-8a09-765794883524
sfu5 2012-07-25 02:01:58 +00:00
parent 952de07651
commit e77f9ef656
1 changed files with 31 additions and 2 deletions


@ -746,7 +746,7 @@ UpdatePlatformMode (
}
/**
Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for PK/KEK variable.
Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for PK/KEK/db/dbx variable.
@param[in] VariableName Name of Variable to be check.
@param[in] VendorGuid Variable vendor GUID.
@ -770,6 +770,9 @@ CheckSignatureListFormat(
UINT32 Index;
UINT32 SigCount;
BOOLEAN IsPk;
VOID *RsaContext;
EFI_SIGNATURE_DATA *CertData;
UINTN CertLen;
if (DataSize == 0) {
return EFI_SUCCESS;
@ -779,7 +782,9 @@ CheckSignatureListFormat(
if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_PLATFORM_KEY_NAME) == 0)){
IsPk = TRUE;
} else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) {
} else if ((CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0) ||
(CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
(StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0 || StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0))){
IsPk = FALSE;
} else {
return EFI_SUCCESS;
@ -788,6 +793,7 @@ CheckSignatureListFormat(
SigCount = 0;
SigList = (EFI_SIGNATURE_LIST *) Data;
SigDataSize = DataSize;
RsaContext = NULL;
//
// Walk throuth the input signature list and check the data format.
@ -819,6 +825,24 @@ CheckSignatureListFormat(
return EFI_INVALID_PARAMETER;
}
if (CompareGuid (&SigList->SignatureType, &gEfiCertX509Guid)) {
//
// Try to retrieve the RSA public key from the X.509 certificate.
// If this operation fails, it's not a valid certificate.
//
RsaContext = RsaNew ();
if (RsaContext == NULL) {
return EFI_INVALID_PARAMETER;
}
CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) SigList + sizeof (EFI_SIGNATURE_LIST) + SigList->SignatureHeaderSize);
CertLen = SigList->SignatureSize - sizeof (EFI_GUID);
if (!RsaGetPublicKeyFromX509 (CertData->SignatureData, CertLen, &RsaContext)) {
RsaFree (RsaContext);
return EFI_INVALID_PARAMETER;
}
RsaFree (RsaContext);
}
if ((SigList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - SigList->SignatureHeaderSize) % SigList->SignatureSize != 0) {
return EFI_INVALID_PARAMETER;
}
@ -1029,6 +1053,11 @@ ProcessVarWithKek (
Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);
PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
Status = CheckSignatureListFormat(VariableName, VendorGuid, Payload, PayloadSize);
if (EFI_ERROR (Status)) {
return Status;
}
Status = UpdateVariable (
VariableName,
VendorGuid,
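Review bot: In the new X.509 branch of CheckSignatureListFormat, `CertLen = SigList->SignatureSize - sizeof (EFI_GUID)` and the `CertData` offset are computed from fields taken straight from the caller-supplied payload, and the certificate is parsed before the `SignatureListSize`/`SignatureSize` consistency check that follows the branch. Unless a check outside these hunks already bounds them, a `SignatureSize` smaller than `sizeof (EFI_GUID)` wraps `CertLen` to a very large value, and an oversized `SignatureHeaderSize` places `CertData` beyond the buffer that `RsaGetPublicKeyFromX509` then reads. I would reject such lists before the parse with `if (SigList->SignatureSize <= sizeof (EFI_GUID)) { return EFI_INVALID_PARAMETER; }`, plus a check that header, `SignatureHeaderSize` and `SignatureSize` together fit inside `SignatureListSize`. Only the first EFI_SIGNATURE_DATA entry of each list is parsed, so any further certificates in the same list are not validated. The function body starts and ends outside the hunks shown, so the existing bounds checks could not be confirmed from this page.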