1. Enable the whole X509v3 extension checking.

2. Replace d2i_X509_bio with d2i_X509.

Signed-off-by: Fu Siyuan <siyuan.fu@intel.com>
Reviewed-by: Ling Qin <qin.long@intel.com>
Reviewed-by: Ouyang Qian <qian.ouyang@intel.com>


git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14026 6f19259b-4bc3-4df7-8a09-765794883524

CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Verify.c

@@ -25,6 +25,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/pkcs7.h>
 
 UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
@@ -543,7 +544,6 @@ Pkcs7Verify (
   )
 {
   PKCS7       *Pkcs7;
-  BIO         *CertBio;
   BIO         *DataBio;
   BOOLEAN     Status;
   X509        *Cert;
@@ -562,7 +562,6 @@ Pkcs7Verify (
   }
   
   Pkcs7     = NULL;
-  CertBio   = NULL;
   DataBio   = NULL;
   Cert      = NULL;
   CertStore = NULL;
@@ -614,12 +613,7 @@ Pkcs7Verify (
   //
   // Read DER-encoded root certificate and Construct X509 Certificate
   //
-  CertBio = BIO_new (BIO_s_mem ());
+  Cert = d2i_X509 (NULL, &TrustedCert, (long) CertLength);
-  BIO_write (CertBio, TrustedCert, (int)CertLength);
-  if (CertBio == NULL) {
-    goto _Exit;
-  }
-  Cert = d2i_X509_bio (CertBio, NULL);
   if (Cert == NULL) {
     goto _Exit;
   }
@@ -648,6 +642,13 @@ Pkcs7Verify (
   DataBio = BIO_new (BIO_s_mem ());
   BIO_write (DataBio, InData, (int)DataLength);
 
+  //
+  // OpenSSL PKCS7 Verification by default checks for SMIME (email signing) and
+  // doesn't support the extended key usage for Authenticode Code Signing.
+  // Bypass the certificate purpose checking by enabling any purposes setting.
+  //
+  X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
+
   //
   // Verifies the PKCS#7 signedData structure
   //
@@ -658,7 +659,6 @@ _Exit:
   // Release Resources
   //
   BIO_free (DataBio);
-  BIO_free (CertBio);
   X509_free (Cert);
   X509_STORE_free (CertStore);
   PKCS7_free (Pkcs7);

CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c

@@ -38,9 +38,7 @@ X509ConstructCertificate (
   OUT  UINT8        **SingleX509Cert
   )
 {
-  BIO      *CertBio;
   X509     *X509Cert;
-  BOOLEAN  Status;
 
   //
   // Check input parameters.
@@ -49,31 +47,17 @@ X509ConstructCertificate (
     return FALSE;
   }
 
-  Status = FALSE;
-
   //
   // Read DER-encoded X509 Certificate and Construct X509 object.
   //
-  CertBio = BIO_new (BIO_s_mem ());
+  X509Cert = d2i_X509 (NULL, &Cert, (long) CertSize);
-  BIO_write (CertBio, Cert, (int) CertSize);
-  if (CertBio == NULL) {
-    goto _Exit;
-  }
-  X509Cert = d2i_X509_bio (CertBio, NULL);
   if (X509Cert == NULL) {
-    goto _Exit;
+    return FALSE;
   }
 
   *SingleX509Cert = (UINT8 *) X509Cert;
-  Status = TRUE;
 
-_Exit:
+  return TRUE;
-  //
-  // Release Resources.
-  //
-  BIO_free (CertBio);
-
-  return Status;
 }
 
 /**

CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch

@@ -260,20 +260,7 @@ Index: crypto/x509/x509_vfy.c
 ===================================================================
 --- crypto/x509/x509_vfy.c	(revision 1)
 +++ crypto/x509/x509_vfy.c	(working copy)
-@@ -386,7 +386,11 @@
+@@ -899,6 +899,10 @@
- 
- static int check_chain_extensions(X509_STORE_CTX *ctx)
- {
--#ifdef OPENSSL_NO_CHAIN_VERIFY
-+#if defined(OPENSSL_NO_CHAIN_VERIFY) || defined(OPENSSL_SYS_UEFI)
-+  /* 
-+    NOTE: Bypass KU Flags Checking for UEFI version. There are incorrect KU flag setting
-+          in Authenticode Signing Certificates. 
-+  */
- 	return 1;
- #else
- 	int i, ok=0, must_be_ca, plen = 0;
-@@ -899,6 +903,10 @@
  
  static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
  	{
@@ -284,7 +271,7 @@ Index: crypto/x509/x509_vfy.c
  	time_t *ptime;
  	int i;
  
-@@ -942,6 +950,7 @@
+@@ -942,6 +946,7 @@
  		}
  
  	return 1;