CryptoPkg/BaseCryptLib: Use X509_V_FLAG_PARTIAL_CHAIN

Since OpenSSL 1.0.2 we can set this flag on the X509_STORE to instruct OpenSSL to accept non-self-signed certificates as trusted. So we don't need two entirely identical copies of a verify_cb() function which makes it ignore the resulting errors. We also *didn't* use that verify_cb() function for X509VerifyCert(), but probably should have done. So that can get X509_V_FLAG_PARTIAL_CHAIN for consistency, too. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Reviewed-by: Qin Long <qin.long@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18703 6f19259b-4bc3-4df7-8a09-765794883524
author: David Woodhouse <David.Woodhouse@intel.com> 2015-10-29 14:16:45 +0000
committer: qlong <qlong@Edk2> 2015-10-29 14:16:45 +0000
commit: 68547181f3c5b1c0a73e748b44be1f454e2f7e3c (patch)
tree: 0dcb20e11819754d9d84c172704d1c75a1e2fa57 /CryptoPkg/Library
parent: e6eaada46861a2a7c5a5370d74dafc731a587786 (diff)
download: edk2-68547181f3c5b1c0a73e748b44be1f454e2f7e3c.tar.gz
3 files changed, 15 insertions, 171 deletions
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
index d0b0c838b..4d23cbfb9 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c
@@ -31,87 +31,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
 
 /**
-  Verification callback function to override any existing callbacks in OpenSSL
-  for intermediate certificate supports.
-
-  @param[in]  Status   Original status before calling this callback.
-  @param[in]  Context  X509 store context.
-
-  @retval     1        Current X509 certificate is verified successfully.
-  @retval     0        Verification failed.
-
-**/
-int
-X509VerifyCb (
-  IN int            Status,
-  IN X509_STORE_CTX *Context
-  )
-{
-  X509_OBJECT  *Obj;
-  INTN         Error;
-  INTN         Index;
-  INTN         Count;
-
-  Obj   = NULL;
-  Error = (INTN) X509_STORE_CTX_get_error (Context);
-
-  //
-  // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_
-  // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer
-  // can not be found in X509_verify_cert of X509_vfy.c.
-  // In order to support intermediate certificate node, we override the
-  // errors if the certification is obtained from X509 store, i.e. it is
-  // a trusted ceritifcate node that is enrolled by user.
-  // Besides,X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
-  // are also ignored to enable such feature.
-  //
-  if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||
-      (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {
-    Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));
-    if (Obj == NULL) {
-      return 0;
-    }
-
-    Obj->type      = X509_LU_X509;
-    Obj->data.x509 = Context->current_cert;
-
-    CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE);
-
-    if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
-      Status = 1;
-    } else {
-      //
-      // If any certificate in the chain is enrolled as trusted certificate,
-      // pass the certificate verification.
-      //
-      if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {
-        Count = (INTN) sk_X509_num (Context->chain);
-        for (Index = 0; Index < Count; Index++) {
-          Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);
-          if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
-            Status = 1;
-            break;
-          }
-        }
-      }
-    }
-
-    CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE);
-  }
-
-  if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||
-      (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
-    Status = 1;
-  }
-
-  if (Obj != NULL) {
-    OPENSSL_free (Obj);
-  }
-
-  return Status;
-}
-
-/**
   Check input P7Data is a wrapped ContentInfo structure or not. If not construct
   a new structure to wrap P7Data.
 
@@ -636,12 +555,6 @@ Pkcs7Verify (
   }
 
   //
-  // Register customized X509 verification callback function to support
-  // trusted intermediate certificate anchor.
-  //
-  CertStore->verify_cb = X509VerifyCb;
-
-  //
   // For generic PKCS#7 handling, InData may be NULL if the content is present
   // in PKCS#7 structure. So ignore NULL checking here.
   //
@@ -655,6 +568,12 @@ Pkcs7Verify (
   }
 
   //
+  // Allow partial certificate chains, terminated by a non-self-signed but
+  // still trusted intermediate certificate.
+  //
+  X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
+
+  //
   // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and
   // doesn't support the extended key usage for Authenticode Code Signing.
   // Bypass the certificate purpose checking by enabling any purposes setting.
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
index efb40b823..449a08db2 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c
@@ -137,87 +137,6 @@ IMPLEMENT_ASN1_FUNCTIONS (TS_TST_INFO)
 
 
 /**
-  Verification callback function to override any existing callbacks in OpenSSL
-  for intermediate TSA certificate supports.
-
-  @param[in]  Status   Original status before calling this callback.
-  @param[in]  Context  X509 store context.
-
-  @retval     1        Current X509 certificate is verified successfully.
-  @retval     0        Verification failed.
-
-**/
-int
-TSVerifyCallback (
-  IN int             Status,
-  IN X509_STORE_CTX  *Context
-  )
-{
-  X509_OBJECT  *Obj;
-  INTN         Error;
-  INTN         Index;
-  INTN         Count;
-
-  Obj   = NULL;
-  Error = (INTN) X509_STORE_CTX_get_error (Context);
-
-  //
-  // X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_
-  // CERT_LOCALLY mean a X509 certificate is not self signed and its issuer
-  // can not be found in X509_verify_cert of X509_vfy.c.
-  // In order to support intermediate certificate node, we override the
-  // errors if the certification is obtained from X509 store, i.e. it is
-  // a trusted ceritifcate node that is enrolled by user.
-  // Besides,X509_V_ERR_CERT_UNTRUSTED and X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
-  // are also ignored to enable such feature.
-  //
-  if ((Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) ||
-      (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {
-    Obj = (X509_OBJECT *) malloc (sizeof (X509_OBJECT));
-    if (Obj == NULL) {
-      return 0;
-    }
-
-    Obj->type      = X509_LU_X509;
-    Obj->data.x509 = Context->current_cert;
-
-    CRYPTO_w_lock (CRYPTO_LOCK_X509_STORE);
-
-    if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
-      Status = 1;
-    } else {
-      //
-      // If any certificate in the chain is enrolled as trusted certificate,
-      // pass the certificate verification.
-      //
-      if (Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) {
-        Count = (INTN) sk_X509_num (Context->chain);
-        for (Index = 0; Index < Count; Index++) {
-          Obj->data.x509 = sk_X509_value (Context->chain, (int) Index);
-          if (X509_OBJECT_retrieve_match (Context->ctx->objs, Obj)) {
-            Status = 1;
-            break;
-          }
-        }
-      }
-    }
-
-    CRYPTO_w_unlock (CRYPTO_LOCK_X509_STORE);
-  }
-
-  if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||
-      (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
-    Status = 1;
-  }
-
-  if (Obj != NULL) {
-    OPENSSL_free (Obj);
-  }
-
-  return Status;
-}
-
-/**
   Convert ASN.1 GeneralizedTime to EFI Time.
 
   @param[in]  Asn1Time         Pointer to the ASN.1 GeneralizedTime to be converted.
@@ -506,10 +425,10 @@ TimestampTokenVerify (
   }
 
   //
-  // Register customized X509 verification callback function to support
-  // trusted intermediate TSA certificate anchor.
+  // Allow partial certificate chains, terminated by a non-self-signed but
+  // still trusted intermediate certificate.
   //
-  CertStore->verify_cb = TSVerifyCallback;
+  X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
 
   X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
 
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 5d6be6fce..669a7af3d 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -464,6 +464,12 @@ X509VerifyCert (
   }
 
   //
+  // Allow partial certificate chains, terminated by a non-self-signed but
+  // still trusted intermediate certificate.
+  //
+  X509_STORE_set_flags (CertStore, X509_V_FLAG_PARTIAL_CHAIN);
+
+  //
   // Set up X509_STORE_CTX for the subsequent verification operation.
   //
   if (!X509_STORE_CTX_init (&CertCtx, CertStore, X509Cert, NULL)) {
author	David Woodhouse <David.Woodhouse@intel.com>	2015-10-29 14:16:45 +0000
committer	qlong <qlong@Edk2>	2015-10-29 14:16:45 +0000
commit	68547181f3c5b1c0a73e748b44be1f454e2f7e3c (patch)
tree	0dcb20e11819754d9d84c172704d1c75a1e2fa57 /CryptoPkg/Library
parent	e6eaada46861a2a7c5a5370d74dafc731a587786 (diff)
download	edk2-68547181f3c5b1c0a73e748b44be1f454e2f7e3c.tar.gz