CryptoPkg: BaseCryptLib: Add RSA PSS verify support

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3314

This patch uses Openssl's EVP API's to perform RSASSA-PSS verification
of a binary blob.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Guomin Jiang <guomin.jiang@intel.com>
Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

1 files changed, 70 insertions, 0 deletions

diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 8b43d1363c..af99ed7f5b 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1553,6 +1553,76 @@ RsaPkcs1Verify (
 }

 

 /**

+  Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017.

+  Implementation determines salt length automatically from the signature encoding.

+  Mask generation function is the same as the message digest algorithm.

+  Salt length should atleast be equal to digest length.

+

+  @param[in]  RsaContext      Pointer to RSA context for signature verification.

+  @param[in]  Message         Pointer to octet message to be verified.

+  @param[in]  MsgSize         Size of the message in bytes.

+  @param[in]  Signature       Pointer to RSASSA-PSS signature to be verified.

+  @param[in]  SigSize         Size of signature in bytes.

+  @param[in]  DigestLen       Length of digest for RSA operation.

+  @param[in]  SaltLen         Salt length for PSS encoding.

+

+  @retval  TRUE   Valid signature encoded in RSASSA-PSS.

+  @retval  FALSE  Invalid signature or invalid RSA context.

+

+**/

+BOOLEAN

+EFIAPI

+RsaPssVerify (

+  IN  VOID         *RsaContext,

+  IN  CONST UINT8  *Message,

+  IN  UINTN        MsgSize,

+  IN  CONST UINT8  *Signature,

+  IN  UINTN        SigSize,

+  IN  UINT16       DigestLen,

+  IN  UINT16       SaltLen

+  )

+{

+  CALL_CRYPTO_SERVICE (RsaPssVerify, (RsaContext, Message, MsgSize, Signature, SigSize, DigestLen, SaltLen), FALSE);

+}

+

+/**

+  This function carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme defined in

+  RFC 8017.

+  Mask generation function is the same as the message digest algorithm.

+  If the Signature buffer is too small to hold the contents of signature, FALSE

+  is returned and SigSize is set to the required buffer size to obtain the signature.

+

+  @param[in]      RsaContext   Pointer to RSA context for signature generation.

+  @param[in]      Message      Pointer to octet message to be signed.

+  @param[in]      MsgSize      Size of the message in bytes.

+  @param[in]      DigestLen    Length of the digest in bytes to be used for RSA signature operation.

+  @param[in]      SaltLen      Length of the salt in bytes to be used for PSS encoding.

+  @param[out]     Signature    Pointer to buffer to receive RSA PSS signature.

+  @param[in, out] SigSize      On input, the size of Signature buffer in bytes.

+                               On output, the size of data returned in Signature buffer in bytes.

+

+  @retval  TRUE   Signature successfully generated in RSASSA-PSS.

+  @retval  FALSE  Signature generation failed.

+  @retval  FALSE  SigSize is too small.

+  @retval  FALSE  This interface is not supported.

+

+**/

+BOOLEAN

+EFIAPI

+RsaPssSign (

+  IN      VOID         *RsaContext,

+  IN      CONST UINT8  *Message,

+  IN      UINTN        MsgSize,

+  IN      UINT16       DigestLen,

+  IN      UINT16       SaltLen,

+  OUT     UINT8        *Signature,

+  IN OUT  UINTN        *SigSize

+  )

+{

+  CALL_CRYPTO_SERVICE (RsaPssSign, (RsaContext, Message, MsgSize, DigestLen, SaltLen, Signature, SigSize), FALSE);

+}

+

+/**

   Retrieve the RSA Private Key from the password-protected PEM key data.

 

   If PemData is NULL, then return FALSE.