From nobody Mon Feb 9 21:21:52 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+94976+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+94976+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1665470224; cv=none; d=zohomail.com; s=zohoarc; b=jxTF5y2C63jPtv3BjecfdmJoZlnNVNGQ0jBEZdO/rsMTwcYasUYFSFf/itRCqKoSQ3QJCZJOZ4BuvAVXQVYX8MIe+qoQfoTn6SzQzOlC9n0jsyndtcT719oVSXbtpcVZq59YlowLH8AKp3mp3UViYrZpYxXMDbzVwiXbl7eTU2I= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1665470224; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=vzxqkqmqyHcMuBbhCsCIcg23rUbPKbKUzoQSMEiZ1P8=; b=D1+GoqsJN6YPqVZHEgDO2z1fn7NXsHAr/A88x6/PMuuSqucgFdjTuSs/67+thZhdhWk7N3uwFN18d8E8IPrCB1XXWl+f5CpCNLkdwS1EE0QnEmrELoKXzgzWDZfrAKDgPC+iANk8xWPsNhEbQTRKATNJSPjFDlPu6PZpCe4oMLY= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+94976+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1665470224605891.8471166035841; Mon, 10 Oct 2022 23:37:04 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id ssKCYY1788612xUpth4GBW8u; Mon, 10 Oct 2022 23:37:04 -0700 X-Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by mx.groups.io with SMTP id smtpd.web11.4307.1665470221304550128 for ; Mon, 10 Oct 2022 23:37:03 -0700 X-IronPort-AV: E=McAfee;i="6500,9779,10496"; a="305476487" X-IronPort-AV: E=Sophos;i="5.95,175,1661842800"; d="scan'208";a="305476487" X-Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Oct 2022 23:37:02 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6500,9779,10496"; a="694938655" X-IronPort-AV: E=Sophos;i="5.95,175,1661842800"; d="scan'208";a="694938655" X-Received: from shwdesssddpdqi.ccr.corp.intel.com ([10.239.157.129]) by fmsmga004.fm.intel.com with ESMTP; 10 Oct 2022 23:37:00 -0700 From: "Qi Zhang" To: devel@edk2.groups.io Cc: Qi Zhang , Jiewen Yao , Jian J Wang , Xiaoyu Lu , Guomin Jiang Subject: [edk2-devel] [PATCH 1/3] CryptoPkg: Add EC key retrieving and signature interface. Date: Tue, 11 Oct 2022 14:36:53 +0800 Message-Id: In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,qi1.zhang@intel.com X-Gm-Message-State: DU9grUeBT3n7cmSdE4HWdSB8x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1665470224; bh=l6PfjcU80s8Kl3d+842sg8zny1P+B/qsfdkB0+Enogc=; h=Cc:Date:From:Reply-To:Subject:To; b=a5cONSL+HFIIml+eRvBq0JImKH/9XChQLPtJNkKkZCby9nn1rhF7CbH1k5DzoHnJNYt hhYy/vdnA1hamR9vySMkAMCecrlQoBHopQBQj2gt2ijV7VgKcMzUbHMZuE0uhJCC9K1AW lSj7zmDRHLjX4W7Coc02z8hJsbZ+9PhioGo= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1665470226759100007 Content-Type: text/plain; charset="utf-8" This patch is used to retrieve EC key from PEM and X509 and carry out the EC-DSA signature and verify it. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4102 Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Signed-off-by: Qi Zhang --- CryptoPkg/Include/Library/BaseCryptLib.h | 129 +++++++++ CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c | 87 ++++++ .../Library/BaseCryptLib/Pem/CryptPemNull.c | 30 ++ CryptoPkg/Library/BaseCryptLib/Pk/CryptEc.c | 258 ++++++++++++++++++ .../Library/BaseCryptLib/Pk/CryptEcNull.c | 82 ++++++ CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 83 ++++++ .../Library/BaseCryptLib/Pk/CryptX509Null.c | 28 ++ .../BaseCryptLibNull/Pem/CryptPemNull.c | 30 ++ .../Library/BaseCryptLibNull/Pk/CryptEcNull.c | 82 ++++++ .../BaseCryptLibNull/Pk/CryptX509Null.c | 28 ++ 10 files changed, 837 insertions(+) diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/L= ibrary/BaseCryptLib.h index 63c6228368..dfeb8c7d55 100644 --- a/CryptoPkg/Include/Library/BaseCryptLib.h +++ b/CryptoPkg/Include/Library/BaseCryptLib.h @@ -16,6 +16,11 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 #define CRYPTO_NID_NULL 0x0000 =20 +// Hash +#define CRYPTO_NID_SHA256 0x0001 +#define CRYPTO_NID_SHA384 0x0002 +#define CRYPTO_NID_SHA512 0x0003 + // Key Exchange #define CRYPTO_NID_SECP256R1 0x0204 #define CRYPTO_NID_SECP384R1 0x0205 @@ -3678,4 +3683,128 @@ EcDhComputeKey ( IN OUT UINTN *KeySize ); =20 +/** + Retrieve the EC Private Key from the password-protected PEM key data. + + @param[in] PemData Pointer to the PEM-encoded key data to be retri= eved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted P= EM key data. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC private key component. Use EcFree() function= to free the + resource. + + If PemData is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + +**/ +BOOLEAN +EFIAPI +EcGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **EcContext + ); + +/** + Retrieve the EC Public Key from one DER-encoded X509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC public key component. Use EcFree() function = to free the + resource. + + If Cert is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Public Key was retrieved successfully. + @retval FALSE Fail to retrieve EC public key from X509 certificate. + +**/ +BOOLEAN +EFIAPI +EcGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **EcContext + ); + +/** + Carries out the EC-DSA signature. + + This function carries out the EC-DSA signature. + If the Signature buffer is too small to hold the contents of signature, = FALSE + is returned and SigSize is set to the required buffer size to obtain the= signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + If SigSize is large enough but Signature is NULL, then return FALSE. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature genera= tion. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive EC-DSA signat= ure. + @param[in, out] SigSize On input, the size of Signature buffer in = bytes. + On output, the size of data returned in Si= gnature buffer in bytes. + + @retval TRUE Signature successfully generated in EC-DSA. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + +**/ +BOOLEAN +EFIAPI +EcDsaSign ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ); + +/** + Verifies the EC-DSA signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature verificatio= n. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to EC-DSA signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in EC-DSA. + @retval FALSE Invalid signature or invalid EC context. + +**/ +BOOLEAN +EFIAPI +EcDsaVerify ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ); + #endif // __BASE_CRYPT_LIB_H__ diff --git a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c b/CryptoPkg/Libr= ary/BaseCryptLib/Pem/CryptPem.c index 7733d772f4..559a6b4df0 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c +++ b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c @@ -126,3 +126,90 @@ _Exit: =20 return Status; } + +/** + Retrieve the EC Private Key from the password-protected PEM key data. + + @param[in] PemData Pointer to the PEM-encoded key data to be retri= eved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted P= EM key data. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC private key component. Use EcFree() function= to free the + resource. + + If PemData is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + +**/ +BOOLEAN +EFIAPI +EcGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **EcContext + ) +{ + #if FixedPcdGetBool (PcdOpensslEcEnabled) + BOOLEAN Status; + BIO *PemBio; + + // + // Check input parameters. + // + if ((PemData =3D=3D NULL) || (EcContext =3D=3D NULL) || (PemSize > INT_M= AX)) { + return FALSE; + } + + // + // Add possible block-cipher descriptor for PEM data decryption. + // NOTE: Only support most popular ciphers AES for the encrypted PEM. + // + if (EVP_add_cipher (EVP_aes_128_cbc ()) =3D=3D 0) { + return FALSE; + } + + if (EVP_add_cipher (EVP_aes_192_cbc ()) =3D=3D 0) { + return FALSE; + } + + if (EVP_add_cipher (EVP_aes_256_cbc ()) =3D=3D 0) { + return FALSE; + } + + Status =3D FALSE; + + // + // Read encrypted PEM Data. + // + PemBio =3D BIO_new (BIO_s_mem ()); + if (PemBio =3D=3D NULL) { + goto _Exit; + } + + if (BIO_write (PemBio, PemData, (int)PemSize) <=3D 0) { + goto _Exit; + } + + // + // Retrieve EC Private Key from encrypted PEM data. + // + *EcContext =3D PEM_read_bio_ECPrivateKey (PemBio, NULL, (pem_password_cb= *)&PasswordCallback, (void *)Password); + if (*EcContext !=3D NULL) { + Status =3D TRUE; + } + +_Exit: + // + // Release Resources. + // + BIO_free (PemBio); + + return Status; + #else + return FALSE; + #endif +} diff --git a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPemNull.c b/CryptoPkg/= Library/BaseCryptLib/Pem/CryptPemNull.c index 4eeabd91ad..4ca9357c96 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPemNull.c +++ b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPemNull.c @@ -36,3 +36,33 @@ RsaGetPrivateKeyFromPem ( ASSERT (FALSE); return FALSE; } + +/** + Retrieve the EC Private Key from the password-protected PEM key data. + + @param[in] PemData Pointer to the PEM-encoded key data to be retri= eved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted P= EM key data. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC private key component. Use EcFree() function= to free the + resource. + + If PemData is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + +**/ +BOOLEAN +EFIAPI +EcGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **EcContext + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptEc.c b/CryptoPkg/Librar= y/BaseCryptLib/Pk/CryptEc.c index 396c819834..d8cc9ba0e8 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptEc.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptEc.c @@ -763,3 +763,261 @@ fail: EC_KEY_free (PeerEcKey); return RetVal; } + +/** + Carries out the EC-DSA signature. + + This function carries out the EC-DSA signature. + If the Signature buffer is too small to hold the contents of signature, = FALSE + is returned and SigSize is set to the required buffer size to obtain the= signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + If SigSize is large enough but Signature is NULL, then return FALSE. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature genera= tion. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive EC-DSA signat= ure. + @param[in, out] SigSize On input, the size of Signature buffer in = bytes. + On output, the size of data returned in Si= gnature buffer in bytes. + + @retval TRUE Signature successfully generated in EC-DSA. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + +**/ +BOOLEAN +EFIAPI +EcDsaSign ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + EC_KEY *EcKey; + ECDSA_SIG *EcDsaSig; + INT32 OpenSslNid; + UINT8 HalfSize; + BIGNUM *R; + BIGNUM *S; + INTN RSize; + INTN SSize; + + if ((EcContext =3D=3D NULL) || (MessageHash =3D=3D NULL)) { + return FALSE; + } + + if (Signature =3D=3D NULL) { + return FALSE; + } + + EcKey =3D (EC_KEY *)EcContext; + OpenSslNid =3D EC_GROUP_get_curve_name (EC_KEY_get0_group (EcKey)); + switch (OpenSslNid) { + case NID_X9_62_prime256v1: + HalfSize =3D 32; + break; + case NID_secp384r1: + HalfSize =3D 48; + break; + case NID_secp521r1: + HalfSize =3D 66; + break; + default: + return FALSE; + } + + if (*SigSize < (UINTN)(HalfSize * 2)) { + *SigSize =3D HalfSize * 2; + return FALSE; + } + + *SigSize =3D HalfSize * 2; + ZeroMem (Signature, *SigSize); + + switch (HashNid) { + case CRYPTO_NID_SHA256: + if (HashSize !=3D SHA256_DIGEST_SIZE) { + return FALSE; + } + + break; + + case CRYPTO_NID_SHA384: + if (HashSize !=3D SHA384_DIGEST_SIZE) { + return FALSE; + } + + break; + + case CRYPTO_NID_SHA512: + if (HashSize !=3D SHA512_DIGEST_SIZE) { + return FALSE; + } + + break; + + default: + return FALSE; + } + + EcDsaSig =3D ECDSA_do_sign ( + MessageHash, + (UINT32)HashSize, + (EC_KEY *)EcContext + ); + if (EcDsaSig =3D=3D NULL) { + return FALSE; + } + + ECDSA_SIG_get0 (EcDsaSig, (CONST BIGNUM **)&R, (CONST BIGNUM **)&S); + + RSize =3D BN_num_bytes (R); + SSize =3D BN_num_bytes (S); + if ((RSize <=3D 0) || (SSize <=3D 0)) { + ECDSA_SIG_free (EcDsaSig); + return FALSE; + } + + ASSERT ((UINTN)RSize <=3D HalfSize && (UINTN)SSize <=3D HalfSize); + + BN_bn2bin (R, &Signature[0 + HalfSize - RSize]); + BN_bn2bin (S, &Signature[HalfSize + HalfSize - SSize]); + + ECDSA_SIG_free (EcDsaSig); + + return TRUE; +} + +/** + Verifies the EC-DSA signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature verificatio= n. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to EC-DSA signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in EC-DSA. + @retval FALSE Invalid signature or invalid EC context. + +**/ +BOOLEAN +EFIAPI +EcDsaVerify ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ) +{ + INT32 Result; + EC_KEY *EcKey; + ECDSA_SIG *EcDsaSig; + INT32 OpenSslNid; + UINT8 HalfSize; + BIGNUM *R; + BIGNUM *S; + + if ((EcContext =3D=3D NULL) || (MessageHash =3D=3D NULL) || (Signature = =3D=3D NULL)) { + return FALSE; + } + + if ((SigSize > INT_MAX) || (SigSize =3D=3D 0)) { + return FALSE; + } + + EcKey =3D (EC_KEY *)EcContext; + OpenSslNid =3D EC_GROUP_get_curve_name (EC_KEY_get0_group (EcKey)); + switch (OpenSslNid) { + case NID_X9_62_prime256v1: + HalfSize =3D 32; + break; + case NID_secp384r1: + HalfSize =3D 48; + break; + case NID_secp521r1: + HalfSize =3D 66; + break; + default: + return FALSE; + } + + if (SigSize !=3D (UINTN)(HalfSize * 2)) { + return FALSE; + } + + switch (HashNid) { + case CRYPTO_NID_SHA256: + if (HashSize !=3D SHA256_DIGEST_SIZE) { + return FALSE; + } + + break; + + case CRYPTO_NID_SHA384: + if (HashSize !=3D SHA384_DIGEST_SIZE) { + return FALSE; + } + + break; + + case CRYPTO_NID_SHA512: + if (HashSize !=3D SHA512_DIGEST_SIZE) { + return FALSE; + } + + break; + + default: + return FALSE; + } + + EcDsaSig =3D ECDSA_SIG_new (); + if (EcDsaSig =3D=3D NULL) { + ECDSA_SIG_free (EcDsaSig); + return FALSE; + } + + R =3D BN_bin2bn (Signature, (UINT32)HalfSize, NULL); + S =3D BN_bin2bn (Signature + HalfSize, (UINT32)HalfSize, NULL); + if ((R =3D=3D NULL) || (S =3D=3D NULL)) { + ECDSA_SIG_free (EcDsaSig); + return FALSE; + } + + ECDSA_SIG_set0 (EcDsaSig, R, S); + + Result =3D ECDSA_do_verify ( + MessageHash, + (UINT32)HashSize, + EcDsaSig, + (EC_KEY *)EcContext + ); + + ECDSA_SIG_free (EcDsaSig); + + return (Result =3D=3D 1); +} diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptEcNull.c b/CryptoPkg/Li= brary/BaseCryptLib/Pk/CryptEcNull.c index d9f1004f6c..1129fa7696 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptEcNull.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptEcNull.c @@ -494,3 +494,85 @@ EcDhComputeKey ( ASSERT (FALSE); return FALSE; } + +/** + Carries out the EC-DSA signature. + + This function carries out the EC-DSA signature. + If the Signature buffer is too small to hold the contents of signature, = FALSE + is returned and SigSize is set to the required buffer size to obtain the= signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + If SigSize is large enough but Signature is NULL, then return FALSE. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature genera= tion. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive EC-DSA signat= ure. + @param[in, out] SigSize On input, the size of Signature buffer in = bytes. + On output, the size of data returned in Si= gnature buffer in bytes. + + @retval TRUE Signature successfully generated in EC-DSA. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + +**/ +BOOLEAN +EFIAPI +EcDsaSign ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Verifies the EC-DSA signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature verificatio= n. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to EC-DSA signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in EC-DSA. + @retval FALSE Invalid signature or invalid EC context. + +**/ +BOOLEAN +EFIAPI +EcDsaVerify ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Libr= ary/BaseCryptLib/Pk/CryptX509.c index e6bb45e641..58d3f27b11 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c @@ -842,3 +842,86 @@ X509GetTBSCert ( =20 return TRUE; } + +/** + Retrieve the EC Public Key from one DER-encoded X509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC public key component. Use EcFree() function = to free the + resource. + + If Cert is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Public Key was retrieved successfully. + @retval FALSE Fail to retrieve EC public key from X509 certificate. + +**/ +BOOLEAN +EFIAPI +EcGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **EcContext + ) +{ + #if FixedPcdGetBool (PcdOpensslEcEnabled) + BOOLEAN Status; + EVP_PKEY *Pkey; + X509 *X509Cert; + + // + // Check input parameters. + // + if ((Cert =3D=3D NULL) || (EcContext =3D=3D NULL)) { + return FALSE; + } + + Pkey =3D NULL; + X509Cert =3D NULL; + + // + // Read DER-encoded X509 Certificate and Construct X509 object. + // + Status =3D X509ConstructCertificate (Cert, CertSize, (UINT8 **)&X509Cert= ); + if ((X509Cert =3D=3D NULL) || (!Status)) { + Status =3D FALSE; + goto _Exit; + } + + Status =3D FALSE; + + // + // Retrieve and check EVP_PKEY data from X509 Certificate. + // + Pkey =3D X509_get_pubkey (X509Cert); + if ((Pkey =3D=3D NULL) || (EVP_PKEY_id (Pkey) !=3D EVP_PKEY_EC)) { + goto _Exit; + } + + // + // Duplicate EC Context from the retrieved EVP_PKEY. + // + if ((*EcContext =3D EC_KEY_dup (EVP_PKEY_get0_EC_KEY (Pkey))) !=3D NULL)= { + Status =3D TRUE; + } + +_Exit: + // + // Release Resources. + // + if (X509Cert !=3D NULL) { + X509_free (X509Cert); + } + + if (Pkey !=3D NULL) { + EVP_PKEY_free (Pkey); + } + + return Status; + #else + return FALSE; + #endif +} diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c b/CryptoPkg/= Library/BaseCryptLib/Pk/CryptX509Null.c index 38819723c7..c6718e6aeb 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c @@ -292,3 +292,31 @@ X509GetTBSCert ( ASSERT (FALSE); return FALSE; } + +/** + Retrieve the EC Public Key from one DER-encoded X509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC public key component. Use EcFree() function = to free the + resource. + + If Cert is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Public Key was retrieved successfully. + @retval FALSE Fail to retrieve EC public key from X509 certificate. + +**/ +BOOLEAN +EFIAPI +EcGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **EcContext + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLibNull/Pem/CryptPemNull.c b/Crypto= Pkg/Library/BaseCryptLibNull/Pem/CryptPemNull.c index 4eeabd91ad..4ca9357c96 100644 --- a/CryptoPkg/Library/BaseCryptLibNull/Pem/CryptPemNull.c +++ b/CryptoPkg/Library/BaseCryptLibNull/Pem/CryptPemNull.c @@ -36,3 +36,33 @@ RsaGetPrivateKeyFromPem ( ASSERT (FALSE); return FALSE; } + +/** + Retrieve the EC Private Key from the password-protected PEM key data. + + @param[in] PemData Pointer to the PEM-encoded key data to be retri= eved. + @param[in] PemSize Size of the PEM key data in bytes. + @param[in] Password NULL-terminated passphrase used for encrypted P= EM key data. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC private key component. Use EcFree() function= to free the + resource. + + If PemData is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Private Key was retrieved successfully. + @retval FALSE Invalid PEM key data or incorrect password. + +**/ +BOOLEAN +EFIAPI +EcGetPrivateKeyFromPem ( + IN CONST UINT8 *PemData, + IN UINTN PemSize, + IN CONST CHAR8 *Password, + OUT VOID **EcContext + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptEcNull.c b/CryptoPk= g/Library/BaseCryptLibNull/Pk/CryptEcNull.c index d9f1004f6c..1129fa7696 100644 --- a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptEcNull.c +++ b/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptEcNull.c @@ -494,3 +494,85 @@ EcDhComputeKey ( ASSERT (FALSE); return FALSE; } + +/** + Carries out the EC-DSA signature. + + This function carries out the EC-DSA signature. + If the Signature buffer is too small to hold the contents of signature, = FALSE + is returned and SigSize is set to the required buffer size to obtain the= signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + If SigSize is large enough but Signature is NULL, then return FALSE. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature genera= tion. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be signed. + @param[in] HashSize Size of the message hash in bytes. + @param[out] Signature Pointer to buffer to receive EC-DSA signat= ure. + @param[in, out] SigSize On input, the size of Signature buffer in = bytes. + On output, the size of data returned in Si= gnature buffer in bytes. + + @retval TRUE Signature successfully generated in EC-DSA. + @retval FALSE Signature generation failed. + @retval FALSE SigSize is too small. + +**/ +BOOLEAN +EFIAPI +EcDsaSign ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + OUT UINT8 *Signature, + IN OUT UINTN *SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Verifies the EC-DSA signature. + + If EcContext is NULL, then return FALSE. + If MessageHash is NULL, then return FALSE. + If Signature is NULL, then return FALSE. + If HashSize need match the HashNid. HashNid could be SHA256, SHA384, SHA= 512, SHA3_256, SHA3_384, SHA3_512. + + For P-256, the SigSize is 64. First 32-byte is R, Second 32-byte is S. + For P-384, the SigSize is 96. First 48-byte is R, Second 48-byte is S. + For P-521, the SigSize is 132. First 66-byte is R, Second 66-byte is S. + + @param[in] EcContext Pointer to EC context for signature verificatio= n. + @param[in] HashNid hash NID + @param[in] MessageHash Pointer to octet message hash to be checked. + @param[in] HashSize Size of the message hash in bytes. + @param[in] Signature Pointer to EC-DSA signature to be verified. + @param[in] SigSize Size of signature in bytes. + + @retval TRUE Valid signature encoded in EC-DSA. + @retval FALSE Invalid signature or invalid EC context. + +**/ +BOOLEAN +EFIAPI +EcDsaVerify ( + IN VOID *EcContext, + IN UINTN HashNid, + IN CONST UINT8 *MessageHash, + IN UINTN HashSize, + IN CONST UINT8 *Signature, + IN UINTN SigSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c b/Crypto= Pkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c index 38819723c7..c6718e6aeb 100644 --- a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c +++ b/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c @@ -292,3 +292,31 @@ X509GetTBSCert ( ASSERT (FALSE); return FALSE; } + +/** + Retrieve the EC Public Key from one DER-encoded X509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] EcContext Pointer to new-generated EC DSA context which c= ontain the retrieved + EC public key component. Use EcFree() function = to free the + resource. + + If Cert is NULL, then return FALSE. + If EcContext is NULL, then return FALSE. + + @retval TRUE EC Public Key was retrieved successfully. + @retval FALSE Fail to retrieve EC public key from X509 certificate. + +**/ +BOOLEAN +EFIAPI +EcGetPublicKeyFromX509 ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT VOID **EcContext + ) +{ + ASSERT (FALSE); + return FALSE; +} --=20 2.26.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#94976): https://edk2.groups.io/g/devel/message/94976 Mute This Topic: https://groups.io/mt/94253653/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-