Revision: 13553
http://edk2.svn.sourceforge.net/edk2/?rev=13553&view=rev
Author: sfu5
Date: 2012-07-25 02:01:58 +0000 (Wed, 25 Jul 2012)
Log Message:
-----------
Use RsaGetPublicKeyFromX509() to validate the given X.509 certificate for
PK/KEK/db/dbx database.
Signed-off-by: Fu Siyuan <siyuan...@intel.com>
Reviewed-by: Dong Guo <guo.d...@intel.com>
Reviewed-by: Ye Ting <ting...@intel.com>
Modified Paths:
--------------
trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
Modified: trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
===================================================================
--- trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
2012-07-24 07:17:24 UTC (rev 13552)
+++ trunk/edk2/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
2012-07-25 02:01:58 UTC (rev 13553)
@@ -746,7 +746,7 @@
}
/**
- Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for
PK/KEK variable.
+ Check input data form to make sure it is a valid EFI_SIGNATURE_LIST for
PK/KEK/db/dbx variable.
@param[in] VariableName Name of Variable to be check.
@param[in] VendorGuid Variable vendor GUID.
@@ -770,6 +770,9 @@
UINT32 Index;
UINT32 SigCount;
BOOLEAN IsPk;
+ VOID *RsaContext;
+ EFI_SIGNATURE_DATA *CertData;
+ UINTN CertLen;
if (DataSize == 0) {
return EFI_SUCCESS;
@@ -779,7 +782,9 @@
if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp
(VariableName, EFI_PLATFORM_KEY_NAME) == 0)){
IsPk = TRUE;
- } else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp
(VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) {
+ } else if ((CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && StrCmp
(VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0) ||
+ (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
+ (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0 ||
StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0))){
IsPk = FALSE;
} else {
return EFI_SUCCESS;
@@ -788,6 +793,7 @@
SigCount = 0;
SigList = (EFI_SIGNATURE_LIST *) Data;
SigDataSize = DataSize;
+ RsaContext = NULL;
//
// Walk throuth the input signature list and check the data format.
@@ -819,6 +825,24 @@
return EFI_INVALID_PARAMETER;
}
+ if (CompareGuid (&SigList->SignatureType, &gEfiCertX509Guid)) {
+ //
+ // Try to retrieve the RSA public key from the X.509 certificate.
+ // If this operation fails, it's not a valid certificate.
+ //
+ RsaContext = RsaNew ();
+ if (RsaContext == NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+ CertData = (EFI_SIGNATURE_DATA *) ((UINT8 *) SigList + sizeof
(EFI_SIGNATURE_LIST) + SigList->SignatureHeaderSize);
+ CertLen = SigList->SignatureSize - sizeof (EFI_GUID);
+ if (!RsaGetPublicKeyFromX509 (CertData->SignatureData, CertLen,
&RsaContext)) {
+ RsaFree (RsaContext);
+ return EFI_INVALID_PARAMETER;
+ }
+ RsaFree (RsaContext);
+ }
+
if ((SigList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) -
SigList->SignatureHeaderSize) % SigList->SignatureSize != 0) {
return EFI_INVALID_PARAMETER;
}
@@ -1029,6 +1053,11 @@
Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);
PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
+ Status = CheckSignatureListFormat(VariableName, VendorGuid, Payload,
PayloadSize);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
Status = UpdateVariable (
VariableName,
VendorGuid,
This was sent by the SourceForge.net collaborative development platform, the
world's largest Open Source development site.
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
edk2-commits mailing list
edk2-commits@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-commits
