From: "yi1 li"
To: devel@edk2.groups.io
Cc: yi1 li, Jiewen Yao, Jian J Wang, Xiaoyu Lu, Guomin Jiang, Maciej Rabeda, Jiaxin Wu, Siyuan Fu
Subject: [edk2-devel] [PATCH 4/5] CryptoPkg: Add implementation for TlsSetHostPrivateKey()
Date: Sun, 22 May 2022 09:54:18 +0800
Sender: devel@edk2.groups.io
List-Id: devel@edk2.groups.io
Reply-To: devel@edk2.groups.io,yi1.li@intel.com
From: yi1 li Add Password to TlsSetHostPrivateKey() param list, Set Password to NULL when useless. This function adds the local private key (PEM-encoded RSA or PKCS#8 private key) into the specified TLS object for TLS negotiation. Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Cc: Maciej Rabeda Cc: Jiaxin Wu Cc: Siyuan Fu Signed-off-by: Yi Li --- CryptoPkg/Driver/Crypto.c | 6 +- CryptoPkg/Include/Library/TlsLib.h | 4 +- .../BaseCryptLibOnProtocolPpi/CryptLib.c | 6 +- CryptoPkg/Library/TlsLib/TlsConfig.c | 81 ++++++++++++++++++- CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 4 +- CryptoPkg/Private/Protocol/Crypto.h | 4 +- 6 files changed, 96 insertions(+), 9 deletions(-) diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c index 6a86c4dba6a2..b2e3cbde5bd3 100644 --- a/CryptoPkg/Driver/Crypto.c +++ b/CryptoPkg/Driver/Crypto.c @@ -4136,6 +4136,7 @@ CryptoServiceTlsSetHostPublicCert ( @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL = if not used. =20 @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -4147,10 +4148,11 @@ EFIAPI CryptoServiceTlsSetHostPrivateKey ( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ) { - return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKey, TlsSetHostPriv= ateKey, (Tls, Data, DataSize), EFI_UNSUPPORTED); + return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKey, TlsSetHostPriv= ateKey, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED); } =20 /** diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library= /TlsLib.h index 8a109ec89d3d..01b1087e3d2e 100644 --- a/CryptoPkg/Include/Library/TlsLib.h +++ b/CryptoPkg/Include/Library/TlsLib.h 
@@ -534,6 +534,7 @@ TlsSetHostPublicCert ( @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL = if not used. =20 @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -545,7 +546,8 @@ EFIAPI TlsSetHostPrivateKey ( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ); =20 /** diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/Crypt= oPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c index 1c7c90e432de..d1405e26f9fc 100644 --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c @@ -3279,6 +3279,7 @@ TlsSetHostPublicCert ( @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL = if not used. =20 @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -3290,10 +3291,11 @@ EFIAPI TlsSetHostPrivateKey ( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ) { - CALL_CRYPTO_SERVICE (TlsSetHostPrivateKey, (Tls, Data, DataSize), EFI_UN= SUPPORTED); + CALL_CRYPTO_SERVICE (TlsSetHostPrivateKey, (Tls, Data, DataSize, Passwor= d), EFI_UNSUPPORTED); } =20 /** diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLi= b/TlsConfig.c index b45050c18770..e7d4474dff8d 100644 --- a/CryptoPkg/Library/TlsLib/TlsConfig.c +++ b/CryptoPkg/Library/TlsLib/TlsConfig.c 
@@ -870,6 +870,7 @@ ON_EXIT: @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL = if not used. =20 @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -881,10 +882,86 @@ EFIAPI TlsSetHostPrivateKey ( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ) { - return EFI_UNSUPPORTED; + TLS_CONNECTION *TlsConn; + BIO *Bio; + + TlsConn =3D (TLS_CONNECTION *)Tls; + + if ((TlsConn =3D=3D NULL) || (TlsConn->Ssl =3D=3D NULL) || (Data =3D=3D = NULL) || (DataSize =3D=3D 0)) { + return EFI_INVALID_PARAMETER; + } + + if (SSL_use_PrivateKey_ASN1 ( + EVP_PKEY_RSA, + TlsConn->Ssl, + Data, + (long)DataSize + ) =3D=3D 1) + { + goto verify; + } + + if (SSL_use_PrivateKey_ASN1 ( + EVP_PKEY_DSA, + TlsConn->Ssl, + Data, + (long)DataSize + ) =3D=3D 1) + { + goto verify; + } + + if (SSL_use_PrivateKey_ASN1 ( + EVP_PKEY_EC, + TlsConn->Ssl, + Data, + (long)DataSize + ) =3D=3D 1) + { + goto verify; + } + + if (SSL_use_RSAPrivateKey_ASN1 ( + TlsConn->Ssl, + Data, + (long)DataSize + ) =3D=3D 1) + { + goto verify; + } + + // Try to parse the private key in PEM format encoded PKC#8 + Bio =3D BIO_new_mem_buf (Data, (long)DataSize); + if (Bio !=3D NULL) { + EVP_PKEY *Pkey; + BOOLEAN Verify; + + Verify =3D FALSE; + Pkey =3D PEM_read_bio_PrivateKey (Bio, NULL, NULL, Password); + if ((Pkey !=3D NULL) && (SSL_use_PrivateKey (TlsConn->Ssl, Pkey) =3D= =3D 1)) { + Verify =3D TRUE; + } + + EVP_PKEY_free (Pkey); + BIO_free (Bio); + + if (Verify) { + goto verify; + } + } + + return EFI_ABORTED; + +verify: + if (SSL_check_private_key (TlsConn->Ssl) =3D=3D 1) { + return EFI_SUCCESS; + } + + return EFI_ABORTED; } =20 /** 
diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Libra= ry/TlsLibNull/TlsConfigNull.c index b2c7e6869f53..9ab95f7269ee 100644 --- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c +++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c @@ -250,6 +250,7 @@ TlsSetHostPublicCert ( @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL = if not used. =20 @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -261,7 +262,8 @@ EFIAPI TlsSetHostPrivateKey ( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ) { ASSERT (FALSE); diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protoc= ol/Crypto.h index bc94cbb66311..ab01ff985da7 100644 --- a/CryptoPkg/Private/Protocol/Crypto.h +++ b/CryptoPkg/Private/Protocol/Crypto.h @@ -3092,6 +3092,7 @@ EFI_STATUS @param[in] Data Pointer to the data buffer of a PEM-encoded RSA or PKCS#8 private key. @param[in] DataSize The size of data buffer in bytes. + @param[in] Password Pointer to private key password, set it to NULL = if not used. =20 @retval EFI_SUCCESS The operation succeeded. @retval EFI_UNSUPPORTED This function is not supported. @@ -3103,7 +3104,8 @@ EFI_STATUS (EFIAPI *EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY)( IN VOID *Tls, IN VOID *Data, - IN UINTN DataSize + IN UINTN DataSize, + IN VOID *Password OPTIONAL ); =20 /** --=20 2.31.1.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#89928): https://edk2.groups.io/g/devel/message/89928 Mute This Topic: https://groups.io/mt/91262941/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
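Review bot: In the Crypto.c hunk the new parameter is declared `IN VOID *Password OPTIONAL`, but the only consumer in this series hands it to OpenSSL as the password-callback user data, where it is consumed as a NUL-terminated string; the `@param[in] Password` line should say that it must be a NUL-terminated ASCII string (and `CONST CHAR8 *` would express that better than `VOID *`). The same one-line doc comment is duplicated in the TlsLib.h, CryptLib.c, TlsConfigNull.c and Crypto.h hunks, so all copies need the same wording.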
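Review bot: In the TlsConfig.c hunk, `PEM_read_bio_PrivateKey (Bio, NULL, NULL, Password)` passes a NULL callback, so for an encrypted PEM key OpenSSL falls back to its default callback: with a non-NULL `Password` it copies it as a NUL-terminated string, and with `Password == NULL` it tries to prompt for a passphrase, which has no meaningful fallback inside a firmware TLS driver. Passing a small callback that copies `Password` when present and returns -1 otherwise would turn that case into the existing `return EFI_ABORTED;` path. Smaller points in the same hunk: the doc comment still reads "PEM-encoded RSA or PKCS#8 private key" while the body also accepts DER through the four `SSL_use_*_ASN1` attempts, so the comment should be widened; `SSL_use_RSAPrivateKey_ASN1` covers the same PKCS#1 DER input as the `EVP_PKEY_RSA` attempt above it and is deprecated in OpenSSL 3.0, so it can be dropped; the comment `// Try to parse the private key in PEM format encoded PKC#8` should read `PKCS#8`; and the lower-case `verify:` label does not match the `ON_EXIT:` label style visible in the hunk context.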
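Review bot: Changing the `EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY` function-pointer type in the Crypto.h hunk from three to four parameters changes the calling contract of an existing EDKII_CRYPTO_PROTOCOL service; a crypto driver and a BaseCryptLibOnProtocolPpi consumer built from different trees would disagree on the argument count without any compile-time diagnostic. Bump the protocol version in the same patch, or at least call the incompatibility out in the commit message.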