CryptoPkg: BaseCryptLib: Add RSA PSS verify support

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3314 This patch uses Openssl's EVP API's to perform RSASSA-PSS verification of a binary blob. Cc: Jiewen Yao <jiewen.yao@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com> Cc: Guomin Jiang <guomin.jiang@intel.com> Signed-off-by: Sachin Agrawal <sachin.agrawal@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
author: Sachin Agrawal <sachin.agrawal@intel.com> 2021-04-10 06:14:04 +0800
committer: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> 2021-05-14 03:35:33 +0000
commit: 22ac5cc9d9db34056f7c97e994fd9def683ebb2e (patch)
tree: ec32ec2a206f3ba7181056c44b5657fe1a44b9fb /CryptoPkg/Private
parent: 5531fd48ded1271b8775725355ab83994e4bc77c (diff)
download: edk2-22ac5cc9d9db34056f7c97e994fd9def683ebb2e.tar.gz
edk2-22ac5cc9d9db34056f7c97e994fd9def683ebb2e.tar.bz2
edk2-22ac5cc9d9db34056f7c97e994fd9def683ebb2e.zip
1 files changed, 78 insertions, 0 deletions
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index 17930a77a6..e304302c94 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -3408,6 +3408,81 @@ EFI_STATUS
   IN OUT UINTN                    *DataSize
   );
 
+/**
+  Carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme.
+
+  This function carries out the RSA-SSA signature generation with EMSA-PSS encoding scheme defined in
+  RFC 8017.
+  Mask generation function is the same as the message digest algorithm.
+  If the Signature buffer is too small to hold the contents of signature, FALSE
+  is returned and SigSize is set to the required buffer size to obtain the signature.
+
+  If RsaContext is NULL, then return FALSE.
+  If Message is NULL, then return FALSE.
+  If MsgSize is zero or > INT_MAX, then return FALSE.
+  If DigestLen is NOT 32, 48 or 64, return FALSE.
+  If SaltLen is < DigestLen, then return FALSE.
+  If SigSize is large enough but Signature is NULL, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in]      RsaContext   Pointer to RSA context for signature generation.
+  @param[in]      Message      Pointer to octet message to be signed.
+  @param[in]      MsgSize      Size of the message in bytes.
+  @param[in]      DigestLen    Length of the digest in bytes to be used for RSA signature operation.
+  @param[in]      SaltLen      Length of the salt in bytes to be used for PSS encoding.
+  @param[out]     Signature    Pointer to buffer to receive RSA PSS signature.
+  @param[in, out] SigSize      On input, the size of Signature buffer in bytes.
+                               On output, the size of data returned in Signature buffer in bytes.
+
+  @retval  TRUE   Signature successfully generated in RSASSA-PSS.
+  @retval  FALSE  Signature generation failed.
+  @retval  FALSE  SigSize is too small.
+  @retval  FALSE  This interface is not supported.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI* EDKII_CRYPTO_RSA_PSS_SIGN)(
+  IN      VOID         *RsaContext,
+  IN      CONST UINT8  *Message,
+  IN      UINTN        MsgSize,
+  IN      UINT16       DigestLen,
+  IN      UINT16       SaltLen,
+  OUT     UINT8        *Signature,
+  IN OUT  UINTN        *SigSize
+  );
+
+/**
+  Verifies the RSA signature with RSASSA-PSS signature scheme defined in RFC 8017.
+  Implementation determines salt length automatically from the signature encoding.
+  Mask generation function is the same as the message digest algorithm.
+  Salt length should atleast be equal to digest length.
+
+  @param[in]  RsaContext      Pointer to RSA context for signature verification.
+  @param[in]  Message         Pointer to octet message to be verified.
+  @param[in]  MsgSize         Size of the message in bytes.
+  @param[in]  Signature       Pointer to RSASSA-PSS signature to be verified.
+  @param[in]  SigSize         Size of signature in bytes.
+  @param[in]  DigestLen       Length of digest for RSA operation.
+  @param[in]  SaltLen         Salt length for PSS encoding.
+
+  @retval  TRUE   Valid signature encoded in RSASSA-PSS.
+  @retval  FALSE  Invalid signature or invalid RSA context.
+
+**/
+typedef
+BOOLEAN
+(EFIAPI* EDKII_CRYPTO_RSA_PSS_VERIFY)(
+  IN  VOID         *RsaContext,
+  IN  CONST UINT8  *Message,
+  IN  UINTN        MsgSize,
+  IN  CONST UINT8  *Signature,
+  IN  UINTN        SigSize,
+  IN  UINT16       DigestLen,
+  IN  UINT16       SaltLen
+  );
+
+
 
 ///
 /// EDK II Crypto Protocol
@@ -3593,6 +3668,9 @@ struct _EDKII_CRYPTO_PROTOCOL {
   EDKII_CRYPTO_TLS_GET_HOST_PUBLIC_CERT           TlsGetHostPublicCert;
   EDKII_CRYPTO_TLS_GET_HOST_PRIVATE_KEY           TlsGetHostPrivateKey;
   EDKII_CRYPTO_TLS_GET_CERT_REVOCATION_LIST       TlsGetCertRevocationList;
+  /// RSA PSS
+  EDKII_CRYPTO_RSA_PSS_SIGN                       RsaPssSign;
+  EDKII_CRYPTO_RSA_PSS_VERIFY                     RsaPssVerify;
 };
 
 extern GUID gEdkiiCryptoProtocolGuid;
author	Sachin Agrawal <sachin.agrawal@intel.com>	2021-04-10 06:14:04 +0800
committer	mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>	2021-05-14 03:35:33 +0000
commit	22ac5cc9d9db34056f7c97e994fd9def683ebb2e (patch)
tree	ec32ec2a206f3ba7181056c44b5657fe1a44b9fb /CryptoPkg/Private
parent	5531fd48ded1271b8775725355ab83994e4bc77c (diff)
download	edk2-22ac5cc9d9db34056f7c97e994fd9def683ebb2e.tar.gz edk2-22ac5cc9d9db34056f7c97e994fd9def683ebb2e.tar.bz2 edk2-22ac5cc9d9db34056f7c97e994fd9def683ebb2e.zip