From 69a50a249b866d155f39e2199404b1c0d3568f93 Mon Sep 17 00:00:00 2001 From: Qi Zhang Date: Wed, 12 Oct 2022 10:47:59 +0800 Subject: CryptoPkg: Add EC key interface to DXE and protocol The implementation provide EC key interface for EFI driver nad EFI BaseCrypt protocol. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4102 Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Signed-off-by: Qi Zhang Reviewed-by: Jiewen Yao --- .../Library/BaseCryptLibOnProtocolPpi/CryptLib.c | 136 +++++++++++++++++++++ 1 file changed, 136 insertions(+) (limited to 'CryptoPkg/Library') diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c index 52b934a545..48ec6d3528 100644 --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c @@ -5164,3 +5164,139 @@ EcDhComputeKey ( { CALL_CRYPTO_SERVICE (EcDhComputeKey, (EcContext, PeerPublic, PeerPublicSize, CompressFlag, Key, KeySize), FALSE); } + +/** + Retrieve the EC Public Key from one DER-encoded X509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] EcContext Pointer to new-generated EC DSA context which contain the retrieved + EC public key component. Use EcFree() function to free the + resource. + + If Cert is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Public Key was retrieved successfully. + @retval FALSE Fail to retrieve EC public key from X509 certificate. + +**/ +BOOLEAN +EFIAPI +EcGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **EcContext + ) +{ + CALL_CRYPTO_SERVICE (EcGetPublicKeyFromX509, (Cert, CertSize, EcContext), FALSE); +} + +/** + Retrieve the EC Private Key from the password-protected PEM key data. + + @param[in] PemData Pointer to the PEM-encoded key data to be retrieved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted PEM key data. + @param[out] EcContext Pointer to new-generated EC DSA context which contain the retrieved + EC private key component. Use EcFree() function to free the + resource. + + If PemData is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + +**/ +BOOLEAN +EFIAPI +EcGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **EcContext + ) +{ + CALL_CRYPTO_SERVICE (EcGetPrivateKeyFromPem, (PemData, PemSize, Password, EcContext), FALSE); +} + +/** + Carries out the EC-DSA signature. + + This function carries out the EC-DSA signature. + If the Signature buffer is too small to hold the contents of signature, FALSE + is returned and SigSize is set to the required buffer size to obtain the signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512. + If SigSize is large enough but Signature is NULL, then return FALSE. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature generation. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive EC-DSA signature. + @param[in, out] SigSize On input, the size of Signature buffer in bytes. + On output, the size of data returned in Signature buffer in bytes. + + @retval TRUE Signature successfully generated in EC-DSA. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + +**/ +BOOLEAN +EFIAPI +EcDsaSign ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + CALL_CRYPTO_SERVICE (EcDsaSign, (EcContext, HashNid, MessageHash, HashSize, Signature, SigSize), FALSE); +} + +/** + Verifies the EC-DSA signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA512, SHA3_256, SHA3_384, SHA3_512. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature verification. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to EC-DSA signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in EC-DSA. + @retval FALSE Invalid signature or invalid EC context. + +**/ +BOOLEAN +EFIAPI +EcDsaVerify ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ) +{ + CALL_CRYPTO_SERVICE (EcDsaVerify, (EcContext, HashNid, MessageHash, HashSize, Signature, SigSize), FALSE); +} -- cgit v1.2.3