Add SPC_INDIRECT_DATA_OBJID check to make sure contentType equals to the

specific value defined in Authenticode PE specification. Signed-off-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Long Qin <qin.long@intel.com> Reviewed-by:Dong Guo <guo.dong@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13853 6f19259b-4bc3-4df7-8a09-765794883524
2025-04-08 17:05:09 +02:00 · 2012-10-17 02:13:54 +00:00 · 2012-10-17 02:13:54 +00:00 · fe5eea5e00
commit fe5eea5e00
parent 3d267c70b2
1 changed files with 20 additions and 0 deletions
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
@ -26,6 +26,12 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>

+//
+// OID ASN.1 Value for SPC_INDIRECT_DATA_OBJID
+//
+UINT8 mSpcIndirectOidValue[] = {
+  0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x04
+  };

 /**
  Verifies the validility of a PE/COFF Authenticode Signature as described in "Windows
@ -70,6 +76,7 @@ AuthenticodeVerify (
  UINT8        *SpcIndirectDataContent;
  UINT8        Asn1Byte;
  UINTN        ContentSize;
+  UINT8        *SpcIndirectDataOid;

  //
  // Check input parameters.
@ -106,6 +113,19 @@ AuthenticodeVerify (
  //       some authenticode-specific structure. Use opaque ASN.1 string to retrieve
  //       PKCS#7 ContentInfo here.
  //
+  SpcIndirectDataOid = (UINT8 *)(Pkcs7->d.sign->contents->type->data);
+  if (CompareMem (
+        SpcIndirectDataOid,
+        mSpcIndirectOidValue,
+        sizeof (mSpcIndirectOidValue)
+        ) != 0) {
+    //
+    // Un-matched SPC_INDIRECT_DATA_OBJID.
+    //
+    goto _Exit;
+  }  
+
+
  SpcIndirectDataContent = (UINT8 *)(Pkcs7->d.sign->contents->d.other->value.asn1_string->data);

  //