From nobody Wed May 8 09:52:58 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+94976+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+94976+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1665470224; cv=none; d=zohomail.com; s=zohoarc; b=jxTF5y2C63jPtv3BjecfdmJoZlnNVNGQ0jBEZdO/rsMTwcYasUYFSFf/itRCqKoSQ3QJCZJOZ4BuvAVXQVYX8MIe+qoQfoTn6SzQzOlC9n0jsyndtcT719oVSXbtpcVZq59YlowLH8AKp3mp3UViYrZpYxXMDbzVwiXbl7eTU2I= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1665470224; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=vzxqkqmqyHcMuBbhCsCIcg23rUbPKbKUzoQSMEiZ1P8=; b=D1+GoqsJN6YPqVZHEgDO2z1fn7NXsHAr/A88x6/PMuuSqucgFdjTuSs/67+thZhdhWk7N3uwFN18d8E8IPrCB1XXWl+f5CpCNLkdwS1EE0QnEmrELoKXzgzWDZfrAKDgPC+iANk8xWPsNhEbQTRKATNJSPjFDlPu6PZpCe4oMLY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+94976+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1665470224605891.8471166035841; Mon, 10 Oct 2022 23:37:04 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id ssKCYY1788612xUpth4GBW8u; Mon, 10 Oct 2022 23:37:04 -0700 X-Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by mx.groups.io with SMTP id smtpd.web11.4307.1665470221304550128 for ; Mon, 10 Oct 2022 23:37:03 -0700 X-IronPort-AV: E=McAfee;i="6500,9779,10496"; a="305476487" X-IronPort-AV: E=Sophos;i="5.95,175,1661842800"; d="scan'208";a="305476487" X-Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Oct 2022 23:37:02 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6500,9779,10496"; a="694938655" X-IronPort-AV: E=Sophos;i="5.95,175,1661842800"; d="scan'208";a="694938655" X-Received: from shwdesssddpdqi.ccr.corp.intel.com ([10.239.157.129]) by fmsmga004.fm.intel.com with ESMTP; 10 Oct 2022 23:37:00 -0700 From: "Qi Zhang" To: devel@edk2.groups.io Cc: Qi Zhang , Jiewen Yao , Jian J Wang , Xiaoyu Lu , Guomin Jiang Subject: [edk2-devel] [PATCH 1/3] CryptoPkg: Add EC key retrieving and signature interface. Date: Tue, 11 Oct 2022 14:36:53 +0800 Message-Id: In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,qi1.zhang@intel.com X-Gm-Message-State: DU9grUeBT3n7cmSdE4HWdSB8x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1665470224; bh=l6PfjcU80s8Kl3d+842sg8zny1P+B/qsfdkB0+Enogc=; h=Cc:Date:From:Reply-To:Subject:To; b=a5cONSL+HFIIml+eRvBq0JImKH/9XChQLPtJNkKkZCby9nn1rhF7CbH1k5DzoHnJNYt hhYy/vdnA1hamR9vySMkAMCecrlQoBHopQBQj2gt2ijV7VgKcMzUbHMZuE0uhJCC9K1AW lSj7zmDRHLjX4W7Coc02z8hJsbZ+9PhioGo= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1665470226759100007 Content-Type: text/plain; charset="utf-8" This patch is used to retrieve EC key from PEM and X509 and carry out the EC-DSA signature and verify it. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4102 Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Signed-off-by: Qi Zhang --- CryptoPkg/Include/Library/BaseCryptLib.h | 129 +++++++++ CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c | 87 ++++++ .../Library/BaseCryptLib/Pem/CryptPemNull.c | 30 ++ CryptoPkg/Library/BaseCryptLib/Pk/CryptEc.c | 258 ++++++++++++++++++ .../Library/BaseCryptLib/Pk/CryptEcNull.c | 82 ++++++ CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 83 ++++++ .../Library/BaseCryptLib/Pk/CryptX509Null.c | 28 ++ .../BaseCryptLibNull/Pem/CryptPemNull.c | 30 ++ .../Library/BaseCryptLibNull/Pk/CryptEcNull.c | 82 ++++++ .../BaseCryptLibNull/Pk/CryptX509Null.c | 28 ++ 10 files changed, 837 insertions(+) diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/L= ibrary/BaseCryptLib.h index 63c6228368..dfeb8c7d55 100644 --- a/CryptoPkg/Include/Library/BaseCryptLib.h +++ b/CryptoPkg/Include/Library/BaseCryptLib.h @@ -16,6 +16,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 #define CRYPTO_NID_NULL 0x0000 =20 +// Hash +#define CRYPTO_NID_SHA256 0x0001 +#define CRYPTO_NID_SHA384 0x0002 +#define CRYPTO_NID_SHA512 0x0003 + // Key Exchange #define CRYPTO_NID_SECP256R1 0x0204 #define CRYPTO_NID_SECP384R1 0x0205 @@ -3678,4 +3683,128 @@ EcDhComputeKey ( IN OUT UINTN *KeySize ); =20 +/** + Retrieve the EC Private Key from the password-protected PEM key data. + + @param[in] PemData Pointer to the PEM-encoded key data to be retri= eved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted P= EM key data. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC private key component. Use EcFree() function= to free the + resource. + + If PemData is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + +**/ +BOOLEAN +EFIAPI +EcGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **EcContext + ); + +/** + Retrieve the EC Public Key from one DER-encoded X509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC public key component. Use EcFree() function = to free the + resource. + + If Cert is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Public Key was retrieved successfully. + @retval FALSE Fail to retrieve EC public key from X509 certificate. + +**/ +BOOLEAN +EFIAPI +EcGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **EcContext + ); + +/** + Carries out the EC-DSA signature. + + This function carries out the EC-DSA signature. + If the Signature buffer is too small to hold the contents of signature, = FALSE + is returned and SigSize is set to the required buffer size to obtain the= signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + If SigSize is large enough but Signature is NULL, then return FALSE. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature genera= tion. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive EC-DSA signat= ure. + @param[in, out] SigSize On input, the size of Signature buffer in = bytes. + On output, the size of data returned in Si= gnature buffer in bytes. + + @retval TRUE Signature successfully generated in EC-DSA. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + +**/ +BOOLEAN +EFIAPI +EcDsaSign ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ); + +/** + Verifies the EC-DSA signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature verificatio= n. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to EC-DSA signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in EC-DSA. + @retval FALSE Invalid signature or invalid EC context. + +**/ +BOOLEAN +EFIAPI +EcDsaVerify ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ); + #endif // __BASE_CRYPT_LIB_H__ diff --git a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c b/CryptoPkg/Libr= ary/BaseCryptLib/Pem/CryptPem.c index 7733d772f4..559a6b4df0 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c +++ b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c @@ -126,3 +126,90 @@ _Exit: =20 return Status; } + +/** + Retrieve the EC Private Key from the password-protected PEM key data. + + @param[in] PemData Pointer to the PEM-encoded key data to be retri= eved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted P= EM key data. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC private key component. Use EcFree() function= to free the + resource. + + If PemData is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + +**/ +BOOLEAN +EFIAPI +EcGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **EcContext + ) +{ + #if FixedPcdGetBool (PcdOpensslEcEnabled) + BOOLEAN Status; + BIO *PemBio; + + // + // Check input parameters. + // + if ((PemData =3D=3D NULL) || (EcContext =3D=3D NULL) || (PemSize > INT_M= AX)) { + return FALSE; + } + + // + // Add possible block-cipher descriptor for PEM data decryption. + // NOTE: Only support most popular ciphers AES for the encrypted PEM. + // + if (EVP_add_cipher (EVP_aes_128_cbc ()) =3D=3D 0) { + return FALSE; + } + + if (EVP_add_cipher (EVP_aes_192_cbc ()) =3D=3D 0) { + return FALSE; + } + + if (EVP_add_cipher (EVP_aes_256_cbc ()) =3D=3D 0) { + return FALSE; + } + + Status =3D FALSE; + + // + // Read encrypted PEM Data. + // + PemBio =3D BIO_new (BIO_s_mem ()); + if (PemBio =3D=3D NULL) { + goto _Exit; + } + + if (BIO_write (PemBio, PemData, (int)PemSize) <=3D 0) { + goto _Exit; + } + + // + // Retrieve EC Private Key from encrypted PEM data. + // + *EcContext =3D PEM_read_bio_ECPrivateKey (PemBio, NULL, (pem_password_cb= *)&PasswordCallback, (void *)Password); + if (*EcContext !=3D NULL) { + Status =3D TRUE; + } + +_Exit: + // + // Release Resources. + // + BIO_free (PemBio); + + return Status; + #else + return FALSE; + #endif +} diff --git a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPemNull.c b/CryptoPkg/= Library/BaseCryptLib/Pem/CryptPemNull.c index 4eeabd91ad..4ca9357c96 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPemNull.c +++ b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPemNull.c @@ -36,3 +36,33 @@ RsaGetPrivateKeyFromPem ( ASSERT (FALSE); return FALSE; } + +/** + Retrieve the EC Private Key from the password-protected PEM key data. + + @param[in] PemData Pointer to the PEM-encoded key data to be retri= eved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted P= EM key data. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC private key component. Use EcFree() function= to free the + resource. + + If PemData is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + +**/ +BOOLEAN +EFIAPI +EcGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **EcContext + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptEc.c b/CryptoPkg/Librar= y/BaseCryptLib/Pk/CryptEc.c index 396c819834..d8cc9ba0e8 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptEc.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptEc.c @@ -763,3 +763,261 @@ fail: EC_KEY_free (PeerEcKey); return RetVal; } + +/** + Carries out the EC-DSA signature. + + This function carries out the EC-DSA signature. + If the Signature buffer is too small to hold the contents of signature, = FALSE + is returned and SigSize is set to the required buffer size to obtain the= signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + If SigSize is large enough but Signature is NULL, then return FALSE. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature genera= tion. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive EC-DSA signat= ure. + @param[in, out] SigSize On input, the size of Signature buffer in = bytes. + On output, the size of data returned in Si= gnature buffer in bytes. + + @retval TRUE Signature successfully generated in EC-DSA. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + +**/ +BOOLEAN +EFIAPI +EcDsaSign ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + EC_KEY *EcKey; + ECDSA_SIG *EcDsaSig; + INT32 OpenSslNid; + UINT8 HalfSize; + BIGNUM *R; + BIGNUM *S; + INTN RSize; + INTN SSize; + + if ((EcContext =3D=3D NULL) || (MessageHash =3D=3D NULL)) { + return FALSE; + } + + if (Signature =3D=3D NULL) { + return FALSE; + } + + EcKey =3D (EC_KEY *)EcContext; + OpenSslNid =3D EC_GROUP_get_curve_name (EC_KEY_get0_group (EcKey)); + switch (OpenSslNid) { + case NID_X9_62_prime256v1: + HalfSize =3D 32; + break; + case NID_secp384r1: + HalfSize =3D 48; + break; + case NID_secp521r1: + HalfSize =3D 66; + break; + default: + return FALSE; + } + + if (*SigSize < (UINTN)(HalfSize * 2)) { + *SigSize =3D HalfSize * 2; + return FALSE; + } + + *SigSize =3D HalfSize * 2; + ZeroMem (Signature, *SigSize); + + switch (HashNid) { + case CRYPTO_NID_SHA256: + if (HashSize !=3D SHA256_DIGEST_SIZE) { + return FALSE; + } + + break; + + case CRYPTO_NID_SHA384: + if (HashSize !=3D SHA384_DIGEST_SIZE) { + return FALSE; + } + + break; + + case CRYPTO_NID_SHA512: + if (HashSize !=3D SHA512_DIGEST_SIZE) { + return FALSE; + } + + break; + + default: + return FALSE; + } + + EcDsaSig =3D ECDSA_do_sign ( + MessageHash, + (UINT32)HashSize, + (EC_KEY *)EcContext + ); + if (EcDsaSig =3D=3D NULL) { + return FALSE; + } + + ECDSA_SIG_get0 (EcDsaSig, (CONST BIGNUM **)&R, (CONST BIGNUM **)&S); + + RSize =3D BN_num_bytes (R); + SSize =3D BN_num_bytes (S); + if ((RSize <=3D 0) || (SSize <=3D 0)) { + ECDSA_SIG_free (EcDsaSig); + return FALSE; + } + + ASSERT ((UINTN)RSize <=3D HalfSize && (UINTN)SSize <=3D HalfSize); + + BN_bn2bin (R, &Signature[0 + HalfSize - RSize]); + BN_bn2bin (S, &Signature[HalfSize + HalfSize - SSize]); + + ECDSA_SIG_free (EcDsaSig); + + return TRUE; +} + +/** + Verifies the EC-DSA signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature verificatio= n. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to EC-DSA signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in EC-DSA. + @retval FALSE Invalid signature or invalid EC context. + +**/ +BOOLEAN +EFIAPI +EcDsaVerify ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ) +{ + INT32 Result; + EC_KEY *EcKey; + ECDSA_SIG *EcDsaSig; + INT32 OpenSslNid; + UINT8 HalfSize; + BIGNUM *R; + BIGNUM *S; + + if ((EcContext =3D=3D NULL) || (MessageHash =3D=3D NULL) || (Signature = =3D=3D NULL)) { + return FALSE; + } + + if ((SigSize > INT_MAX) || (SigSize =3D=3D 0)) { + return FALSE; + } + + EcKey =3D (EC_KEY *)EcContext; + OpenSslNid =3D EC_GROUP_get_curve_name (EC_KEY_get0_group (EcKey)); + switch (OpenSslNid) { + case NID_X9_62_prime256v1: + HalfSize =3D 32; + break; + case NID_secp384r1: + HalfSize =3D 48; + break; + case NID_secp521r1: + HalfSize =3D 66; + break; + default: + return FALSE; + } + + if (SigSize !=3D (UINTN)(HalfSize * 2)) { + return FALSE; + } + + switch (HashNid) { + case CRYPTO_NID_SHA256: + if (HashSize !=3D SHA256_DIGEST_SIZE) { + return FALSE; + } + + break; + + case CRYPTO_NID_SHA384: + if (HashSize !=3D SHA384_DIGEST_SIZE) { + return FALSE; + } + + break; + + case CRYPTO_NID_SHA512: + if (HashSize !=3D SHA512_DIGEST_SIZE) { + return FALSE; + } + + break; + + default: + return FALSE; + } + + EcDsaSig =3D ECDSA_SIG_new (); + if (EcDsaSig =3D=3D NULL) { + ECDSA_SIG_free (EcDsaSig); + return FALSE; + } + + R =3D BN_bin2bn (Signature, (UINT32)HalfSize, NULL); + S =3D BN_bin2bn (Signature + HalfSize, (UINT32)HalfSize, NULL); + if ((R =3D=3D NULL) || (S =3D=3D NULL)) { + ECDSA_SIG_free (EcDsaSig); + return FALSE; + } + + ECDSA_SIG_set0 (EcDsaSig, R, S); + + Result =3D ECDSA_do_verify ( + MessageHash, + (UINT32)HashSize, + EcDsaSig, + (EC_KEY *)EcContext + ); + + ECDSA_SIG_free (EcDsaSig); + + return (Result =3D=3D 1); +} diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptEcNull.c b/CryptoPkg/Li= brary/BaseCryptLib/Pk/CryptEcNull.c index d9f1004f6c..1129fa7696 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptEcNull.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptEcNull.c @@ -494,3 +494,85 @@ EcDhComputeKey ( ASSERT (FALSE); return FALSE; } + +/** + Carries out the EC-DSA signature. + + This function carries out the EC-DSA signature. + If the Signature buffer is too small to hold the contents of signature, = FALSE + is returned and SigSize is set to the required buffer size to obtain the= signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + If SigSize is large enough but Signature is NULL, then return FALSE. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature genera= tion. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive EC-DSA signat= ure. + @param[in, out] SigSize On input, the size of Signature buffer in = bytes. + On output, the size of data returned in Si= gnature buffer in bytes. + + @retval TRUE Signature successfully generated in EC-DSA. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + +**/ +BOOLEAN +EFIAPI +EcDsaSign ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Verifies the EC-DSA signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature verificatio= n. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to EC-DSA signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in EC-DSA. + @retval FALSE Invalid signature or invalid EC context. + +**/ +BOOLEAN +EFIAPI +EcDsaVerify ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Libr= ary/BaseCryptLib/Pk/CryptX509.c index e6bb45e641..58d3f27b11 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c @@ -842,3 +842,86 @@ X509GetTBSCert ( =20 return TRUE; } + +/** + Retrieve the EC Public Key from one DER-encoded X509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC public key component. Use EcFree() function = to free the + resource. + + If Cert is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Public Key was retrieved successfully. + @retval FALSE Fail to retrieve EC public key from X509 certificate. + +**/ +BOOLEAN +EFIAPI +EcGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **EcContext + ) +{ + #if FixedPcdGetBool (PcdOpensslEcEnabled) + BOOLEAN Status; + EVP_PKEY *Pkey; + X509 *X509Cert; + + // + // Check input parameters. + // + if ((Cert =3D=3D NULL) || (EcContext =3D=3D NULL)) { + return FALSE; + } + + Pkey =3D NULL; + X509Cert =3D NULL; + + // + // Read DER-encoded X509 Certificate and Construct X509 object. + // + Status =3D X509ConstructCertificate (Cert, CertSize, (UINT8 **)&X509Cert= ); + if ((X509Cert =3D=3D NULL) || (!Status)) { + Status =3D FALSE; + goto _Exit; + } + + Status =3D FALSE; + + // + // Retrieve and check EVP_PKEY data from X509 Certificate. + // + Pkey =3D X509_get_pubkey (X509Cert); + if ((Pkey =3D=3D NULL) || (EVP_PKEY_id (Pkey) !=3D EVP_PKEY_EC)) { + goto _Exit; + } + + // + // Duplicate EC Context from the retrieved EVP_PKEY. + // + if ((*EcContext =3D EC_KEY_dup (EVP_PKEY_get0_EC_KEY (Pkey))) !=3D NULL)= { + Status =3D TRUE; + } + +_Exit: + // + // Release Resources. + // + if (X509Cert !=3D NULL) { + X509_free (X509Cert); + } + + if (Pkey !=3D NULL) { + EVP_PKEY_free (Pkey); + } + + return Status; + #else + return FALSE; + #endif +} diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c b/CryptoPkg/= Library/BaseCryptLib/Pk/CryptX509Null.c index 38819723c7..c6718e6aeb 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c @@ -292,3 +292,31 @@ X509GetTBSCert ( ASSERT (FALSE); return FALSE; } + +/** + Retrieve the EC Public Key from one DER-encoded X509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC public key component. Use EcFree() function = to free the + resource. + + If Cert is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Public Key was retrieved successfully. + @retval FALSE Fail to retrieve EC public key from X509 certificate. + +**/ +BOOLEAN +EFIAPI +EcGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **EcContext + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLibNull/Pem/CryptPemNull.c b/Crypto= Pkg/Library/BaseCryptLibNull/Pem/CryptPemNull.c index 4eeabd91ad..4ca9357c96 100644 --- a/CryptoPkg/Library/BaseCryptLibNull/Pem/CryptPemNull.c +++ b/CryptoPkg/Library/BaseCryptLibNull/Pem/CryptPemNull.c @@ -36,3 +36,33 @@ RsaGetPrivateKeyFromPem ( ASSERT (FALSE); return FALSE; } + +/** + Retrieve the EC Private Key from the password-protected PEM key data. + + @param[in] PemData Pointer to the PEM-encoded key data to be retri= eved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted P= EM key data. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC private key component. Use EcFree() function= to free the + resource. + + If PemData is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + +**/ +BOOLEAN +EFIAPI +EcGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **EcContext + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptEcNull.c b/CryptoPk= g/Library/BaseCryptLibNull/Pk/CryptEcNull.c index d9f1004f6c..1129fa7696 100644 --- a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptEcNull.c +++ b/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptEcNull.c @@ -494,3 +494,85 @@ EcDhComputeKey ( ASSERT (FALSE); return FALSE; } + +/** + Carries out the EC-DSA signature. + + This function carries out the EC-DSA signature. + If the Signature buffer is too small to hold the contents of signature, = FALSE + is returned and SigSize is set to the required buffer size to obtain the= signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + If SigSize is large enough but Signature is NULL, then return FALSE. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature genera= tion. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive EC-DSA signat= ure. + @param[in, out] SigSize On input, the size of Signature buffer in = bytes. + On output, the size of data returned in Si= gnature buffer in bytes. + + @retval TRUE Signature successfully generated in EC-DSA. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + +**/ +BOOLEAN +EFIAPI +EcDsaSign ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Verifies the EC-DSA signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature verificatio= n. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to EC-DSA signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in EC-DSA. + @retval FALSE Invalid signature or invalid EC context. + +**/ +BOOLEAN +EFIAPI +EcDsaVerify ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c b/Crypto= Pkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c index 38819723c7..c6718e6aeb 100644 --- a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c +++ b/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c @@ -292,3 +292,31 @@ X509GetTBSCert ( ASSERT (FALSE); return FALSE; } + +/** + Retrieve the EC Public Key from one DER-encoded X509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC public key component. Use EcFree() function = to free the + resource. + + If Cert is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Public Key was retrieved successfully. + @retval FALSE Fail to retrieve EC public key from X509 certificate. + +**/ +BOOLEAN +EFIAPI +EcGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **EcContext + ) +{ + ASSERT (FALSE); + return FALSE; +} --=20 2.26.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#94976): https://edk2.groups.io/g/devel/message/94976 Mute This Topic: https://groups.io/mt/94253653/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed May 8 09:52:58 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+94977+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+94977+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1665470226; cv=none; d=zohomail.com; s=zohoarc; b=SCARi8iTka3qVJO7QxMxp58Yj2nXWONP0P/Inko076mc0qFFHC2GS5V6D/4UhFEtgg96f2kMIj8yVmuQOJCiXar+Euciqe7SyqAm+ukvZOz8s+rTk/uN/o2QDvwMhhKT3diHDUjKsrZ56BFa32DukUzSu2cy80dT3Aj3xDYNZyE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1665470226; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=QKNe89PeF1Qi0cdKxDadXDLY2hzuAYwecO7lkSM7D6Y=; b=m/q93DDbmblzQEZIoDu7ApM3rpeXOMtsYL57bE5yipEnYuokZwj4MiiFFL7Yk1q4FtapXTmGFejPfAHMLgrebuMe3libF6Y6vg8y++poF3jg/TWDua9Jh40WWKg0JDal9ibg5Td9VKvxTkG+JtxyrmtebZZAgIlzeYAZY2bAz60= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+94977+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1665470226342355.6437711807903; Mon, 10 Oct 2022 23:37:06 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id cwpgYY1788612xZDOzbqD37I; Mon, 10 Oct 2022 23:37:05 -0700 X-Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by mx.groups.io with SMTP id smtpd.web11.4307.1665470221304550128 for ; Mon, 10 Oct 2022 23:37:05 -0700 X-IronPort-AV: E=McAfee;i="6500,9779,10496"; a="305476510" X-IronPort-AV: E=Sophos;i="5.95,175,1661842800"; d="scan'208";a="305476510" X-Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Oct 2022 23:37:04 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6500,9779,10496"; a="694938671" X-IronPort-AV: E=Sophos;i="5.95,175,1661842800"; d="scan'208";a="694938671" X-Received: from shwdesssddpdqi.ccr.corp.intel.com ([10.239.157.129]) by fmsmga004.fm.intel.com with ESMTP; 10 Oct 2022 23:37:02 -0700 From: "Qi Zhang" To: devel@edk2.groups.io Cc: Qi Zhang , Jiewen Yao , Jian J Wang , Xiaoyu Lu , Guomin Jiang Subject: [edk2-devel] [PATCH 2/3] CryptoPkg: Add EC key interface to DXE and protocol Date: Tue, 11 Oct 2022 14:36:54 +0800 Message-Id: In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,qi1.zhang@intel.com X-Gm-Message-State: SWP3iJN7P3aFRF8F2RVhCR74x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1665470225; bh=OgUCX4oQn3siY35BwuCZqZG0F7G9Fm8rhAYwtHO6wPk=; h=Cc:Date:From:Reply-To:Subject:To; b=VYg8BUfZmw5bqiYmQs+StccOv6Xsu0OWU3WvlN4epMukBDj44f1mTAY9TgaM5wrJLD9 FDCWMMLO43geH2nbgWr3ojLGBH7BCD9R4s6bsadGk98lHgNEMHvZHe+b0X5rwnL8WbJEh FtwxTpwGa1ZWjq7NsNE4/HmQajOIeNd053M= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1665470226730100004 Content-Type: text/plain; charset="utf-8" The implementation provide EC key interface for EFI driver nad EFI BaseCrypt protocol. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4102 Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Signed-off-by: Qi Zhang --- CryptoPkg/Driver/Crypto.c | 143 +++++++++++++++++- .../Pcd/PcdCryptoServiceFamilyEnable.h | 4 + .../BaseCryptLibOnProtocolPpi/CryptLib.c | 136 +++++++++++++++++ CryptoPkg/Private/Protocol/Crypto.h | 129 ++++++++++++++++ 4 files changed, 411 insertions(+), 1 deletion(-) diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c index f1ff77855c..1928adbff7 100644 --- a/CryptoPkg/Driver/Crypto.c +++ b/CryptoPkg/Driver/Crypto.c @@ -6137,6 +6137,142 @@ CryptoServiceEcDhComputeKey ( return CALL_BASECRYPTLIB (Ec.Services.DhComputeKey, EcDhComputeKey, (EcC= ontext, PeerPublic, PeerPublicSize, CompressFlag, Key, KeySize), FALSE); } =20 +/** + Retrieve the EC Public Key from one DER-encoded X509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC public key component. Use EcFree() function = to free the + resource. + + If Cert is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Public Key was retrieved successfully. + @retval FALSE Fail to retrieve EC public key from X509 certificate. + +**/ +BOOLEAN +EFIAPI +CryptoServiceEcGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **EcContext + ) +{ + return CALL_BASECRYPTLIB (Ec.Services.GetPublicKeyFromX509, EcGetPublicK= eyFromX509, (Cert, CertSize, EcContext), FALSE); +} + +/** + Retrieve the EC Private Key from the password-protected PEM key data. + + @param[in] PemData Pointer to the PEM-encoded key data to be retri= eved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted P= EM key data. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC private key component. Use EcFree() function= to free the + resource. + + If PemData is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + +**/ +BOOLEAN +EFIAPI +CryptoServiceEcGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **EcContext + ) +{ + return CALL_BASECRYPTLIB (Ec.Services.GetPrivateKeyFromPem, EcGetPrivate= KeyFromPem, (PemData, PemSize, Password, EcContext), FALSE); +} + +/** + Carries out the EC-DSA signature. + + This function carries out the EC-DSA signature. + If the Signature buffer is too small to hold the contents of signature, = FALSE + is returned and SigSize is set to the required buffer size to obtain the= signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + If SigSize is large enough but Signature is NULL, then return FALSE. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature genera= tion. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive EC-DSA signat= ure. + @param[in, out] SigSize On input, the size of Signature buffer in = bytes. + On output, the size of data returned in Si= gnature buffer in bytes. + + @retval TRUE Signature successfully generated in EC-DSA. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + +**/ +BOOLEAN +EFIAPI +CryptoServiceEcDsaSign ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + return CALL_BASECRYPTLIB (Ec.Services.DsaSign, EcDsaSign, (EcContext, Ha= shNid, MessageHash, HashSize, Signature, SigSize), FALSE); +} + +/** + Verifies the EC-DSA signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature verificatio= n. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to EC-DSA signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in EC-DSA. + @retval FALSE Invalid signature or invalid EC context. + +**/ +BOOLEAN +EFIAPI +CryptoServiceEcDsaVerify ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ) +{ + return CALL_BASECRYPTLIB (Ec.Services.DsaVerify, EcDsaVerify, (EcContext= , HashNid, MessageHash, HashSize, Signature, SigSize), FALSE); +} + const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto =3D { /// Version CryptoServiceGetCryptoVersion, @@ -6416,5 +6552,10 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto =3D { CryptoServiceTlsSetSignatureAlgoList, CryptoServiceTlsSetEcCurve, /// TLS Get (continued) - CryptoServiceTlsGetExportKey + CryptoServiceTlsGetExportKey, + /// Ec (Continued) + CryptoServiceEcGetPublicKeyFromX509, + CryptoServiceEcGetPrivateKeyFromPem, + CryptoServiceEcDsaSign, + CryptoServiceEcDsaVerify }; diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoP= kg/Include/Pcd/PcdCryptoServiceFamilyEnable.h index 4740589417..12b0c0583e 100644 --- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h +++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h @@ -383,6 +383,10 @@ typedef struct { UINT8 GenerateKey : 1; UINT8 GetPubKey : 1; UINT8 DhComputeKey : 1; + UINT8 GetPublicKeyFromX509 : 1; + UINT8 GetPrivateKeyFromPem : 1; + UINT8 DsaSign : 1; + UINT8 DsaVerify : 1; } Services; UINT32 Family; } Ec; diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/Crypt= oPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c index 52b934a545..48ec6d3528 100644 --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c @@ -5164,3 +5164,139 @@ EcDhComputeKey ( { CALL_CRYPTO_SERVICE (EcDhComputeKey, (EcContext, PeerPublic, PeerPublicS= ize, CompressFlag, Key, KeySize), FALSE); } + +/** + Retrieve the EC Public Key from one DER-encoded X509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC public key component. Use EcFree() function = to free the + resource. + + If Cert is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Public Key was retrieved successfully. + @retval FALSE Fail to retrieve EC public key from X509 certificate. + +**/ +BOOLEAN +EFIAPI +EcGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **EcContext + ) +{ + CALL_CRYPTO_SERVICE (EcGetPublicKeyFromX509, (Cert, CertSize, EcContext)= , FALSE); +} + +/** + Retrieve the EC Private Key from the password-protected PEM key data. + + @param[in] PemData Pointer to the PEM-encoded key data to be retri= eved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted P= EM key data. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC private key component. Use EcFree() function= to free the + resource. + + If PemData is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + +**/ +BOOLEAN +EFIAPI +EcGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **EcContext + ) +{ + CALL_CRYPTO_SERVICE (EcGetPrivateKeyFromPem, (PemData, PemSize, Password= , EcContext), FALSE); +} + +/** + Carries out the EC-DSA signature. + + This function carries out the EC-DSA signature. + If the Signature buffer is too small to hold the contents of signature, = FALSE + is returned and SigSize is set to the required buffer size to obtain the= signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + If SigSize is large enough but Signature is NULL, then return FALSE. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature genera= tion. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive EC-DSA signat= ure. + @param[in, out] SigSize On input, the size of Signature buffer in = bytes. + On output, the size of data returned in Si= gnature buffer in bytes. + + @retval TRUE Signature successfully generated in EC-DSA. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + +**/ +BOOLEAN +EFIAPI +EcDsaSign ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + CALL_CRYPTO_SERVICE (EcDsaSign, (EcContext, HashNid, MessageHash, HashSi= ze, Signature, SigSize), FALSE); +} + +/** + Verifies the EC-DSA signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature verificatio= n. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to EC-DSA signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in EC-DSA. + @retval FALSE Invalid signature or invalid EC context. + +**/ +BOOLEAN +EFIAPI +EcDsaVerify ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ) +{ + CALL_CRYPTO_SERVICE (EcDsaVerify, (EcContext, HashNid, MessageHash, Hash= Size, Signature, SigSize), FALSE); +} diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protoc= ol/Crypto.h index 6293efa36b..6b2b8d3b39 100644 --- a/CryptoPkg/Private/Protocol/Crypto.h +++ b/CryptoPkg/Private/Protocol/Crypto.h @@ -4821,6 +4821,130 @@ BOOLEAN IN OUT UINTN *KeySize ); =20 +/** + Retrieve the EC Public Key from one DER-encoded X509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC public key component. Use EcFree() function = to free the + resource. + + If Cert is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Public Key was retrieved successfully. + @retval FALSE Fail to retrieve EC public key from X509 certificate. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_EC_GET_PUBLIC_KEY_FROM_X509)( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **EcContext + ); + +/** + Retrieve the EC Private Key from the password-protected PEM key data. + + @param[in] PemData Pointer to the PEM-encoded key data to be retri= eved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted P= EM key data. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC private key component. Use EcFree() function= to free the + resource. + + If PemData is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_EC_GET_PRIVATE_KEY_FROM_PEM)( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **EcContext + ); + +/** + Carries out the EC-DSA signature. + + This function carries out the EC-DSA signature. + If the Signature buffer is too small to hold the contents of signature, = FALSE + is returned and SigSize is set to the required buffer size to obtain the= signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + If SigSize is large enough but Signature is NULL, then return FALSE. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature genera= tion. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive EC-DSA signat= ure. + @param[in, out] SigSize On input, the size of Signature buffer in = bytes. + On output, the size of data returned in Si= gnature buffer in bytes. + + @retval TRUE Signature successfully generated in EC-DSA. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_EC_DSA_SIGN)( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ); + +/** + Verifies the EC-DSA signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature verificatio= n. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to EC-DSA signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in EC-DSA. + @retval FALSE Invalid signature or invalid EC context. + +**/ +typedef +BOOLEAN +(EFIAPI *EDKII_CRYPTO_EC_DSA_VERIFY)( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ); + /// /// EDK II Crypto Protocol /// @@ -5084,6 +5208,11 @@ struct _EDKII_CRYPTO_PROTOCOL { EDKII_CRYPTO_TLS_SET_EC_CURVE TlsSetEcCurve; /// TLS Get (continued) EDKII_CRYPTO_TLS_GET_EXPORT_KEY TlsGetExportKey; + /// Ec (Continued) + EDKII_CRYPTO_EC_GET_PUBLIC_KEY_FROM_X509 EcGetPublicKeyFromX5= 09; + EDKII_CRYPTO_EC_GET_PRIVATE_KEY_FROM_PEM EcGetPrivateKeyFromP= em; + EDKII_CRYPTO_EC_DSA_SIGN EcDsaSign; + EDKII_CRYPTO_EC_DSA_VERIFY EcDsaVerify; }; =20 extern GUID gEdkiiCryptoProtocolGuid; --=20 2.26.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#94977): https://edk2.groups.io/g/devel/message/94977 Mute This Topic: https://groups.io/mt/94253656/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Wed May 8 09:52:58 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+94978+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+94978+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1665470228; cv=none; d=zohomail.com; s=zohoarc; b=FQjDkUObC8f0tHphZY9twwcu2GyQMVBxwzRr3Q2pcIpTTeswZH0tvPqiC3SX8zTM+V7FBZH1UtU+pEpZ7DhUekxPHHMv2kEiGhEfiD2nvFpfg2Ymed2UUwt41zd2sALKTEw+P9jlUYfUGEQN16CZEOnTxfoibj+YZm6K6wRpsIU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1665470228; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=pC448DEf6nfLGnuLG9afxrOCuRi6AwZ/xfCOnO7a9mw=; b=Ejy/UwuZRsgAoz2CJl3Pc9FcrrHH0A26FAOLpPkOkH5IzIDgQsl1LKJKj+zjOH1ft2+f++pK6nLYPREhBYRWDdReDs+Tm2TAOfQviwlUXK4Vp5LWcvo/Kyht3I23iZUwDWt/DNwZrzhxKh0feW/tReoptEVIDUWJZvCwL2IU6xs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+94978+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1665470228061618.9774261062694; Mon, 10 Oct 2022 23:37:08 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id lWMLYY1788612xllSPkFIamd; Mon, 10 Oct 2022 23:37:07 -0700 X-Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by mx.groups.io with SMTP id smtpd.web11.4307.1665470221304550128 for ; Mon, 10 Oct 2022 23:37:07 -0700 X-IronPort-AV: E=McAfee;i="6500,9779,10496"; a="305476539" X-IronPort-AV: E=Sophos;i="5.95,175,1661842800"; d="scan'208";a="305476539" X-Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Oct 2022 23:37:06 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6500,9779,10496"; a="694938686" X-IronPort-AV: E=Sophos;i="5.95,175,1661842800"; d="scan'208";a="694938686" X-Received: from shwdesssddpdqi.ccr.corp.intel.com ([10.239.157.129]) by fmsmga004.fm.intel.com with ESMTP; 10 Oct 2022 23:37:04 -0700 From: "Qi Zhang" To: devel@edk2.groups.io Cc: Qi Zhang , Jiewen Yao , Jian J Wang , Xiaoyu Lu , Guomin Jiang Subject: [edk2-devel] [PATCH 3/3] CryptoPkg: add unit test for EC key interface. Date: Tue, 11 Oct 2022 14:36:55 +0800 Message-Id: In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,qi1.zhang@intel.com X-Gm-Message-State: HCyBtrfkqyYH0i2LQyqSbKMkx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1665470227; bh=WcnijGOFM1MOib5jxLqHzt1/saKFtPfQ3uLrNVVz+i0=; h=Cc:Date:From:Reply-To:Subject:To; b=DHTIs1L0GX0chZ2i97HjCDwQh6pqMnIVJRlphRakTA4yqhLawLHcYtcXeJ0ujAk5fA1 qFn7Wx06wCzLZrCWMqBzVu9S88zzSRDpH1bSGs9hh9rdumf6S91JwUmV9DQOY1xuc1um6 MFo1w6xm/yHKq3wSG4SMyTOk3ulHTNbYsTY= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1665470228735100011 Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4102 Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Signed-off-by: Qi Zhang --- .../UnitTest/Library/BaseCryptLib/EcTests.c | 156 ++++++++++++++++++ 1 file changed, 156 insertions(+) diff --git a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/EcTests.c b/Crypt= oPkg/Test/UnitTest/Library/BaseCryptLib/EcTests.c index 54ce0b22df..ee1e6e870b 100644 --- a/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/EcTests.c +++ b/CryptoPkg/Test/UnitTest/Library/BaseCryptLib/EcTests.c @@ -60,6 +60,89 @@ struct Generator EcCurveGenerator[EC_CURVE_NUM_SUPPORTE= D] =3D } }; =20 +// +// Root CA X509 Certificate for X509 Verification Routine (Generated by Op= enSSL utility). +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 mEccTestRootCer[] =3D { + 0x30, 0x82, 0x01, 0xd2, 0x30, 0x82, 0x01, 0x77, 0xa0, 0x03, 0x02, 0x01, + 0x02, 0x02, 0x09, 0x00, 0xcc, 0x10, 0x45, 0x50, 0xaf, 0x50, 0x1b, 0xe2, + 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, + 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, + 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, + 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49, + 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67, + 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64, 0x30, + 0x1e, 0x17, 0x0d, 0x32, 0x30, 0x30, 0x32, 0x32, 0x37, 0x31, 0x32, 0x30, + 0x32, 0x31, 0x30, 0x5a, 0x17, 0x0d, 0x33, 0x30, 0x30, 0x32, 0x32, 0x34, + 0x31, 0x32, 0x30, 0x32, 0x31, 0x30, 0x5a, 0x30, 0x45, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x41, 0x55, 0x31, 0x13, + 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x53, 0x6f, 0x6d, + 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, 0x31, 0x21, 0x30, 0x1f, 0x06, + 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, + 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67, 0x69, 0x74, 0x73, 0x20, 0x50, + 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, + 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, + 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x11, 0xa4, 0x06, + 0x65, 0xb6, 0x79, 0x6e, 0x72, 0xb6, 0xd8, 0x09, 0x84, 0x92, 0x86, 0x11, + 0x09, 0xde, 0xea, 0xd0, 0x0c, 0x60, 0xf1, 0x8a, 0xff, 0x7c, 0xde, 0xce, + 0xec, 0x07, 0xba, 0xa5, 0xb8, 0xd5, 0x17, 0xe5, 0x62, 0x33, 0x2d, 0x88, + 0xb1, 0x9a, 0xe6, 0xf3, 0x09, 0x43, 0x0e, 0xa9, 0xf7, 0x3c, 0xe9, 0x20, + 0xba, 0xbd, 0xb1, 0x3c, 0x03, 0x89, 0x1e, 0x2a, 0xff, 0x6e, 0x08, 0xff, + 0x2e, 0xa3, 0x50, 0x30, 0x4e, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, + 0x04, 0x16, 0x04, 0x14, 0x62, 0xe6, 0xd9, 0xa0, 0xee, 0x38, 0x18, 0x83, + 0xfa, 0xe3, 0xed, 0x44, 0xa4, 0x37, 0xfd, 0x4a, 0x04, 0xdf, 0xe1, 0xd5, + 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, + 0x14, 0x62, 0xe6, 0xd9, 0xa0, 0xee, 0x38, 0x18, 0x83, 0xfa, 0xe3, 0xed, + 0x44, 0xa4, 0x37, 0xfd, 0x4a, 0x04, 0xdf, 0xe1, 0xd5, 0x30, 0x0c, 0x06, + 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, + 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, + 0x49, 0x00, 0x30, 0x46, 0x02, 0x21, 0x00, 0x99, 0x2f, 0x43, 0xeb, 0xdc, + 0x4e, 0x53, 0xc7, 0xc1, 0xbd, 0xed, 0x95, 0xdc, 0xae, 0xd3, 0x75, 0xfa, + 0xc4, 0xf7, 0xa4, 0x61, 0x00, 0x57, 0xce, 0xf3, 0xe0, 0x23, 0xf6, 0xf0, + 0x41, 0x6f, 0xb5, 0x02, 0x21, 0x00, 0xf3, 0x97, 0x11, 0x06, 0x61, 0x10, + 0xc7, 0x35, 0xe9, 0xf8, 0x3b, 0x59, 0xec, 0xf5, 0x51, 0xa0, 0xa6, 0x64, + 0x6e, 0xe1, 0x44, 0xc7, 0xe1, 0xa2, 0xce, 0x90, 0x7f, 0xae, 0xad, 0xf4, + 0xa9, 0xfa, +}; + +// +// PEM key data for EC Private key Retrieving. (Generated by OpenSSL utili= ty). +// +GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 mEccTestPemKey[] =3D { + 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, 0x4e, 0x20, 0x45, + 0x43, 0x20, 0x50, 0x41, 0x52, 0x41, 0x4d, 0x45, 0x54, 0x45, 0x52, 0x53, + 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a, 0x42, 0x67, 0x67, 0x71, 0x68, 0x6b, + 0x6a, 0x4f, 0x50, 0x51, 0x4d, 0x42, 0x42, 0x77, 0x3d, 0x3d, 0x0a, 0x2d, + 0x2d, 0x2d, 0x2d, 0x2d, 0x45, 0x4e, 0x44, 0x20, 0x45, 0x43, 0x20, 0x50, + 0x41, 0x52, 0x41, 0x4d, 0x45, 0x54, 0x45, 0x52, 0x53, 0x2d, 0x2d, 0x2d, + 0x2d, 0x2d, 0x0a, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x42, 0x45, 0x47, 0x49, + 0x4e, 0x20, 0x45, 0x43, 0x20, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54, 0x45, + 0x20, 0x4b, 0x45, 0x59, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a, 0x4d, 0x48, + 0x63, 0x43, 0x41, 0x51, 0x45, 0x45, 0x49, 0x4d, 0x4a, 0x54, 0x69, 0x75, + 0x34, 0x56, 0x54, 0x54, 0x57, 0x68, 0x78, 0x4b, 0x62, 0x51, 0x65, 0x78, + 0x6e, 0x30, 0x43, 0x58, 0x41, 0x77, 0x33, 0x44, 0x57, 0x6b, 0x6f, 0x78, + 0x79, 0x77, 0x6b, 0x7a, 0x46, 0x50, 0x62, 0x32, 0x48, 0x68, 0x5a, 0x6e, + 0x5a, 0x52, 0x6f, 0x41, 0x6f, 0x47, 0x43, 0x43, 0x71, 0x47, 0x53, 0x4d, + 0x34, 0x39, 0x0a, 0x41, 0x77, 0x45, 0x48, 0x6f, 0x55, 0x51, 0x44, 0x51, + 0x67, 0x41, 0x45, 0x45, 0x61, 0x51, 0x47, 0x5a, 0x62, 0x5a, 0x35, 0x62, + 0x6e, 0x4b, 0x32, 0x32, 0x41, 0x6d, 0x45, 0x6b, 0x6f, 0x59, 0x52, 0x43, + 0x64, 0x37, 0x71, 0x30, 0x41, 0x78, 0x67, 0x38, 0x59, 0x72, 0x2f, 0x66, + 0x4e, 0x37, 0x4f, 0x37, 0x41, 0x65, 0x36, 0x70, 0x62, 0x6a, 0x56, 0x46, + 0x2b, 0x56, 0x69, 0x4d, 0x79, 0x32, 0x49, 0x0a, 0x73, 0x5a, 0x72, 0x6d, + 0x38, 0x77, 0x6c, 0x44, 0x44, 0x71, 0x6e, 0x33, 0x50, 0x4f, 0x6b, 0x67, + 0x75, 0x72, 0x32, 0x78, 0x50, 0x41, 0x4f, 0x4a, 0x48, 0x69, 0x72, 0x2f, + 0x62, 0x67, 0x6a, 0x2f, 0x4c, 0x67, 0x3d, 0x3d, 0x0a, 0x2d, 0x2d, 0x2d, + 0x2d, 0x2d, 0x45, 0x4e, 0x44, 0x20, 0x45, 0x43, 0x20, 0x50, 0x52, 0x49, + 0x56, 0x41, 0x54, 0x45, 0x20, 0x4b, 0x45, 0x59, 0x2d, 0x2d, 0x2d, 0x2d, + 0x2d, 0x0a, +}; + +// +// Payload for PKCS#7 Signing & Verification Validation. +// +CONST CHAR8 *mEcPayload =3D "payload data for PKCS#7 EC Signing"; + VOID *Ec1; VOID *Ec2; VOID *Group; @@ -279,12 +362,85 @@ TestVerifyEcDh ( return UNIT_TEST_PASSED; } =20 +UNIT_TEST_STATUS +EFIAPI +TestVerifyEcKey ( + UNIT_TEST_CONTEXT Context + ) +{ + BOOLEAN Status; + VOID *EcPrivKey; + VOID *EcPubKey; + UINT8 HashValue[SHA256_DIGEST_SIZE]; + UINTN HashSize; + UINT8 Signature[66 * 2]; + UINTN SigSize; + + // + // Retrieve EC private key from PEM data. + // + Status =3D EcGetPrivateKeyFromPem ( + mEccTestPemKey, + sizeof (mEccTestPemKey), + NULL, + &EcPrivKey + ); + UT_ASSERT_TRUE (Status); + + // + // Retrieve EC public key from X509 Certificate. + // + Status =3D EcGetPublicKeyFromX509 ( + mEccTestRootCer, + sizeof (mEccTestRootCer), + &EcPubKey + ); + UT_ASSERT_TRUE (Status); + + // + // Verify EC-DSA + // + HashSize =3D sizeof (HashValue); + SigSize =3D sizeof (Signature); + // + // EC-DSA Signing ... + // + Status =3D EcDsaSign ( + EcPrivKey, + CRYPTO_NID_SHA256, + HashValue, + HashSize, + Signature, + &SigSize + ); + UT_ASSERT_TRUE (Status); + + // + // EC-DSA Verification ... + // + Status =3D EcDsaVerify ( + EcPubKey, + CRYPTO_NID_SHA256, + HashValue, + HashSize, + Signature, + SigSize + ); + UT_ASSERT_TRUE (Status); + + EcFree (EcPrivKey); + EcFree (EcPubKey); + + return UNIT_TEST_PASSED; +} + TEST_DESC mEcTest[] =3D { // // -----Description-----------------Class------------------Function----P= re----Post----Context // { "TestVerifyEcBasic()", "CryptoPkg.BaseCryptLib.Ec", TestVerifyEcBasic,= TestVerifyEcPreReq, TestVerifyEcCleanUp, NULL }, { "TestVerifyEcDh()", "CryptoPkg.BaseCryptLib.Ec", TestVerifyEcDh, = TestVerifyEcPreReq, TestVerifyEcCleanUp, NULL }, + { "TestVerifyEcKey()", "CryptoPkg.BaseCryptLib.Ec", TestVerifyEcKey, = NULL, NULL, NULL }, }; =20 UINTN mEcTestNum =3D ARRAY_SIZE (mEcTest); --=20 2.26.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#94978): https://edk2.groups.io/g/devel/message/94978 Mute This Topic: https://groups.io/mt/94253657/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-