diff options
| author | Min Xu <min.m.xu@intel.com> | 2022-05-16 15:42:16 +0800 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2022-06-03 11:41:36 +0000 |
| commit | b1567b2e15239b06952e81f15c295574fae983e3 (patch) | |
| tree | 9428b99de0e712c59093916c3c6332b3b5e3f641 /CryptoPkg/Library/BaseCryptLib/Pk | |
| parent | 72c5afd0b47b26d569451bbee4cef18b0dd6e043 (diff) | |
| download | edk2-b1567b2e15239b06952e81f15c295574fae983e3.tar.gz edk2-b1567b2e15239b06952e81f15c295574fae983e3.tar.bz2 edk2-b1567b2e15239b06952e81f15c295574fae983e3.zip | |
CryptoPkg: Add SecCryptLib
RFC: https://bugzilla.tianocore.org/show_bug.cgi?id=3853
This is the Cryptographic library instance for SEC. The motivation of
this library is to support SHA384 in SEC phase for Td guest. So only
Hash/CryptSha512.c is included which supports SHA384 and SHA512. Other
cryptographics are added with the null version, such as CryptMd5Null.c.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Min Xu <min.m.xu@intel.com>
Diffstat (limited to 'CryptoPkg/Library/BaseCryptLib/Pk')
| -rw-r--r-- | CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c | 152 | ||||
| -rw-r--r-- | CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c | 121 |
2 files changed, 273 insertions, 0 deletions
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c new file mode 100644 index 0000000000..c1d9837c51 --- /dev/null +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuNull.c @@ -0,0 +1,152 @@ +/** @file
+ PKCS7 Verify Null implementation.
+
+ Copyright (C) Microsoft Corporation. All Rights Reserved.
+ Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ This function will return the leaf signer certificate in a chain. This is
+ required because certificate chains are not guaranteed to have the
+ certificates in the order that they were issued.
+
+ A typical certificate chain looks like this:
+
+
+ ----------------------------
+ | Root |
+ ----------------------------
+ ^
+ |
+ ----------------------------
+ | Policy CA | <-- Typical Trust Anchor.
+ ----------------------------
+ ^
+ |
+ ----------------------------
+ | Issuing CA |
+ ----------------------------
+ ^
+ |
+ -----------------------------
+ / End-Entity (leaf) signer / <-- Bottom certificate.
+ ----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1"
+ (Firmware Signing)
+
+
+ @param[in] CertChain Certificate chain.
+
+ @param[out] SignerCert Last certificate in the chain. For PKCS7 signatures,
+ this will be the end-entity (leaf) signer cert.
+
+ @retval EFI_SUCCESS The required EKUs were found in the signature.
+ @retval EFI_INVALID_PARAMETER A parameter was invalid.
+ @retval EFI_NOT_FOUND The number of signers found was not 1.
+
+**/
+EFI_STATUS
+GetSignerCertificate (
+ IN CONST VOID *CertChain,
+ OUT VOID **SignerCert
+ )
+{
+ ASSERT (FALSE);
+ return EFI_NOT_READY;
+}
+
+/**
+ Determines if the specified EKU represented in ASN1 form is present
+ in a given certificate.
+
+ @param[in] Cert The certificate to check.
+
+ @param[in] Asn1ToFind The EKU to look for.
+
+ @retval EFI_SUCCESS We successfully identified the signing type.
+ @retval EFI_INVALID_PARAMETER A parameter was invalid.
+ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
+
+**/
+EFI_STATUS
+IsEkuInCertificate (
+ IN CONST VOID *Cert,
+ IN VOID *Asn1ToFind
+ )
+{
+ ASSERT (FALSE);
+ return EFI_NOT_READY;
+}
+
+/**
+ Determines if the specified EKUs are present in a signing certificate.
+
+ @param[in] SignerCert The certificate to check.
+ @param[in] RequiredEKUs The EKUs to look for.
+ @param[in] RequiredEKUsSize The number of EKUs
+ @param[in] RequireAllPresent If TRUE, then all the specified EKUs
+ must be present in the certificate.
+
+ @retval EFI_SUCCESS We successfully identified the signing type.
+ @retval EFI_INVALID_PARAMETER A parameter was invalid.
+ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
+**/
+EFI_STATUS
+CheckEKUs (
+ IN CONST VOID *SignerCert,
+ IN CONST CHAR8 *RequiredEKUs[],
+ IN CONST UINT32 RequiredEKUsSize,
+ IN BOOLEAN RequireAllPresent
+ )
+{
+ ASSERT (FALSE);
+ return EFI_NOT_READY;
+}
+
+/**
+ This function receives a PKCS#7 formatted signature blob,
+ looks for the EKU SEQUENCE blob, and if found then looks
+ for all the required EKUs. This function was created so that
+ the Surface team can cut down on the number of Certificate
+ Authorities (CA's) by checking EKU's on leaf signers for
+ a specific product. This prevents one product's certificate
+ from signing another product's firmware or unlock blobs.
+
+ Note that this function does not validate the certificate chain.
+ That needs to be done before using this function.
+
+ @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array
+ containing the content block with both the signature,
+ the signer's certificate, and any necessary intermediate
+ certificates.
+ @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature.
+ @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of
+ required EKUs that must be present in the signature.
+ @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array.
+ @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's
+ must be present in the leaf signer. If it is
+ FALSE, then we will succeed if we find any
+ of the specified EKU's.
+
+ @retval EFI_SUCCESS The required EKUs were found in the signature.
+ @retval EFI_INVALID_PARAMETER A parameter was invalid.
+ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
+
+**/
+EFI_STATUS
+EFIAPI
+VerifyEKUsInPkcs7Signature (
+ IN CONST UINT8 *Pkcs7Signature,
+ IN CONST UINT32 SignatureSize,
+ IN CONST CHAR8 *RequiredEKUs[],
+ IN CONST UINT32 RequiredEKUsSize,
+ IN BOOLEAN RequireAllPresent
+ )
+{
+ ASSERT (FALSE);
+ return EFI_NOT_READY;
+}
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c new file mode 100644 index 0000000000..fd352e32dd --- /dev/null +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptRsaBasicNull.c @@ -0,0 +1,121 @@ +/** @file
+ RSA Asymmetric Cipher Wrapper Null Implementation.
+
+ This file implements following APIs which provide basic capabilities for RSA:
+ 1) RsaNew
+ 2) RsaFree
+ 3) RsaSetKey
+ 4) RsaPkcs1Verify
+
+Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Allocates and initializes one RSA context for subsequent use.
+
+ @return Pointer to the RSA context that has been initialized.
+ If the allocations fails, RsaNew() returns NULL.
+
+**/
+VOID *
+EFIAPI
+RsaNew (
+ VOID
+ )
+{
+ //
+ // Allocates & Initializes RSA Context
+ //
+ ASSERT (FALSE);
+ return NULL;
+}
+
+/**
+ Release the specified RSA context.
+
+ @param[in] RsaContext Pointer to the RSA context to be released.
+
+**/
+VOID
+EFIAPI
+RsaFree (
+ IN VOID *RsaContext
+ )
+{
+ //
+ // Free RSA Context
+ //
+ ASSERT (FALSE);
+}
+
+/**
+ Sets the tag-designated key component into the established RSA context.
+
+ This function sets the tag-designated RSA key component into the established
+ RSA context from the user-specified non-negative integer (octet string format
+ represented in RSA PKCS#1).
+ If BigNumber is NULL, then the specified key component in RSA context is cleared.
+
+ If RsaContext is NULL, then return FALSE.
+
+ @param[in, out] RsaContext Pointer to RSA context being set.
+ @param[in] KeyTag Tag of RSA key component being set.
+ @param[in] BigNumber Pointer to octet integer buffer.
+ If NULL, then the specified key component in RSA
+ context is cleared.
+ @param[in] BnSize Size of big number buffer in bytes.
+ If BigNumber is NULL, then it is ignored.
+
+ @retval TRUE RSA key component was set successfully.
+ @retval FALSE Invalid RSA key component tag.
+
+**/
+BOOLEAN
+EFIAPI
+RsaSetKey (
+ IN OUT VOID *RsaContext,
+ IN RSA_KEY_TAG KeyTag,
+ IN CONST UINT8 *BigNumber,
+ IN UINTN BnSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
+/**
+ Verifies the RSA-SSA signature with EMSA-PKCS1-v1_5 encoding scheme defined in
+ RSA PKCS#1.
+
+ If RsaContext is NULL, then return FALSE.
+ If MessageHash is NULL, then return FALSE.
+ If Signature is NULL, then return FALSE.
+ If HashSize is not equal to the size of MD5, SHA-1 or SHA-256 digest, then return FALSE.
+
+ @param[in] RsaContext Pointer to RSA context for signature verification.
+ @param[in] MessageHash Pointer to octet message hash to be checked.
+ @param[in] HashSize Size of the message hash in bytes.
+ @param[in] Signature Pointer to RSA PKCS1-v1_5 signature to be verified.
+ @param[in] SigSize Size of signature in bytes.
+
+ @retval TRUE Valid signature encoded in PKCS1-v1_5.
+ @retval FALSE Invalid signature or invalid RSA context.
+
+**/
+BOOLEAN
+EFIAPI
+RsaPkcs1Verify (
+ IN VOID *RsaContext,
+ IN CONST UINT8 *MessageHash,
+ IN UINTN HashSize,
+ IN CONST UINT8 *Signature,
+ IN UINTN SigSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
|