[edk2-devel] [PATCH 4/5] CryptoPkg: Add implementation for TlsSetHostPrivateKey()
yi1 li
yi1.li at intel.com
Sun May 22 01:54:18 UTC 2022
From: yi1 li <yi1.li at intel.com>
Add a Password parameter to TlsSetHostPrivateKey(); callers pass NULL when the key is not password-protected.
This function adds the local private key (PEM-encoded RSA or PKCS#8 private
key) into the specified TLS object for TLS negotiation.
Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Jian J Wang <jian.j.wang at intel.com>
Cc: Xiaoyu Lu <xiaoyu1.lu at intel.com>
Cc: Guomin Jiang <guomin.jiang at intel.com>
Cc: Maciej Rabeda <maciej.rabeda at linux.intel.com>
Cc: Jiaxin Wu <jiaxin.wu at intel.com>
Cc: Siyuan Fu <siyuan.fu at intel.com>
Signed-off-by: Yi Li <yi1.li at intel.com>
---
CryptoPkg/Driver/Crypto.c | 6 +-
CryptoPkg/Include/Library/TlsLib.h | 4 +-
.../BaseCryptLibOnProtocolPpi/CryptLib.c | 6 +-
CryptoPkg/Library/TlsLib/TlsConfig.c | 81 ++++++++++++++++++-
CryptoPkg/Library/TlsLibNull/TlsConfigNull.c | 4 +-
CryptoPkg/Private/Protocol/Crypto.h | 4 +-
6 files changed, 96 insertions(+), 9 deletions(-)
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 6a86c4dba6a2..b2e3cbde5bd3 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -4136,6 +4136,7 @@ CryptoServiceTlsSetHostPublicCert (
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
+ @param[in] Password Pointer to private key password, set it to NULL if not used.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@@ -4147,10 +4148,11 @@ EFIAPI
CryptoServiceTlsSetHostPrivateKey (
IN VOID *Tls,
IN VOID *Data,
- IN UINTN DataSize
+ IN UINTN DataSize,
+ IN VOID *Password OPTIONAL
)
{
- return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKey, TlsSetHostPrivateKey, (Tls, Data, DataSize), EFI_UNSUPPORTED);
+ return CALL_BASECRYPTLIB (TlsSet.Services.HostPrivateKey, TlsSetHostPrivateKey, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED);
}
/**
diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h
index 8a109ec89d3d..01b1087e3d2e 100644
--- a/CryptoPkg/Include/Library/TlsLib.h
+++ b/CryptoPkg/Include/Library/TlsLib.h
@@ -534,6 +534,7 @@ TlsSetHostPublicCert (
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
+ @param[in] Password Pointer to private key password, set it to NULL if not used.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
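Review bot: The new `@param[in] Password` text does not say what the pointer must point to, yet the TlsLib implementation in this same patch hands it unchanged to `PEM_read_bio_PrivateKey` with a NULL callback, where OpenSSL's default password callback reads it as a NUL-terminated passphrase string, and only the PEM decode path consults it. I would expand the line to: `@param[in] Password Pointer to a NUL-terminated ASCII passphrase used to decrypt a PEM-encoded key; ignored for DER-encoded keys. Set to NULL if the key is not encrypted.` Since the implementation also accepts DER-encoded RSA/DSA/EC keys via `SSL_use_PrivateKey_ASN1`, the `Data` description ("PEM-encoded RSA or PKCS#8 private key") is narrower than the code; whatever wording is chosen should be mirrored in the identical comments in Crypto.c, CryptLib.c, TlsConfigNull.c and Private/Protocol/Crypto.h.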
@@ -545,7 +546,8 @@ EFIAPI
TlsSetHostPrivateKey (
IN VOID *Tls,
IN VOID *Data,
- IN UINTN DataSize
+ IN UINTN DataSize,
+ IN VOID *Password OPTIONAL
);
/**
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 1c7c90e432de..d1405e26f9fc 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -3279,6 +3279,7 @@ TlsSetHostPublicCert (
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
+ @param[in] Password Pointer to private key password, set it to NULL if not used.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@@ -3290,10 +3291,11 @@ EFIAPI
TlsSetHostPrivateKey (
IN VOID *Tls,
IN VOID *Data,
- IN UINTN DataSize
+ IN UINTN DataSize,
+ IN VOID *Password OPTIONAL
)
{
- CALL_CRYPTO_SERVICE (TlsSetHostPrivateKey, (Tls, Data, DataSize), EFI_UNSUPPORTED);
+ CALL_CRYPTO_SERVICE (TlsSetHostPrivateKey, (Tls, Data, DataSize, Password), EFI_UNSUPPORTED);
}
/**
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index b45050c18770..e7d4474dff8d 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -870,6 +870,7 @@ ON_EXIT:
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
+ @param[in] Password Pointer to private key password, set it to NULL if not used.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@@ -881,10 +882,86 @@ EFIAPI
TlsSetHostPrivateKey (
IN VOID *Tls,
IN VOID *Data,
- IN UINTN DataSize
+ IN UINTN DataSize,
+ IN VOID *Password OPTIONAL
)
{
- return EFI_UNSUPPORTED;
+ TLS_CONNECTION *TlsConn;
+ BIO *Bio;
+
+ TlsConn = (TLS_CONNECTION *)Tls;
+
+ if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Data == NULL) || (DataSize == 0)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (SSL_use_PrivateKey_ASN1 (
+ EVP_PKEY_RSA,
+ TlsConn->Ssl,
+ Data,
+ (long)DataSize
+ ) == 1)
+ {
+ goto verify;
+ }
+
+ if (SSL_use_PrivateKey_ASN1 (
+ EVP_PKEY_DSA,
+ TlsConn->Ssl,
+ Data,
+ (long)DataSize
+ ) == 1)
+ {
+ goto verify;
+ }
+
+ if (SSL_use_PrivateKey_ASN1 (
+ EVP_PKEY_EC,
+ TlsConn->Ssl,
+ Data,
+ (long)DataSize
+ ) == 1)
+ {
+ goto verify;
+ }
+
+ if (SSL_use_RSAPrivateKey_ASN1 (
+ TlsConn->Ssl,
+ Data,
+ (long)DataSize
+ ) == 1)
+ {
+ goto verify;
+ }
+
+ // Try to parse the private key in PEM format encoded PKC#8
+ Bio = BIO_new_mem_buf (Data, (long)DataSize);
+ if (Bio != NULL) {
+ EVP_PKEY *Pkey;
+ BOOLEAN Verify;
+
+ Verify = FALSE;
+ Pkey = PEM_read_bio_PrivateKey (Bio, NULL, NULL, Password);
+ if ((Pkey != NULL) && (SSL_use_PrivateKey (TlsConn->Ssl, Pkey) == 1)) {
+ Verify = TRUE;
+ }
+
+ EVP_PKEY_free (Pkey);
+ BIO_free (Bio);
+
+ if (Verify) {
+ goto verify;
+ }
+ }
+
+ return EFI_ABORTED;
+
+verify:
+ if (SSL_check_private_key (TlsConn->Ssl) == 1) {
+ return EFI_SUCCESS;
+ }
+
+ return EFI_ABORTED;
}
/**
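Review bot: `Password` is a `VOID *` with no length and is passed as the `u` argument of `PEM_read_bio_PrivateKey` with no callback, so OpenSSL's default password callback will `strlen()` it; a caller that supplies a non-terminated buffer causes an over-read of caller memory, and the comment should state the NUL-terminated requirement (none of the `SSL_use_PrivateKey_ASN1` attempts consult it, so an encrypted DER PKCS#8 key cannot be loaded by this function). A key that `SSL_use_PrivateKey` accepts but `SSL_check_private_key` rejects stays installed in the SSL object after the function returns EFI_ABORTED, and every failed decode attempt leaves entries on the OpenSSL error queue, so an `ERR_clear_error ()` before the success return under the `verify` label would keep later TLS error reporting meaningful. `EFI_ABORTED` needs an `@retval` line if the list that continues above the hunk does not already include it, and `(long)DataSize` silently truncates on toolchains where `long` is 32-bit, so a `DataSize > MAX_INT32`-style rejection next to the `DataSize == 0` check would be safer. Style: edk2 convention declares locals at the top of the function and uses upper-case labels such as `ON_EXIT`, whereas `Pkey` and `Verify` are declared inside the `if (Bio != NULL)` block and the label is `verify`; the comment `// Try to parse the private key in PEM format encoded PKC#8` should also read PKCS#8.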
diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
index b2c7e6869f53..9ab95f7269ee 100644
--- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
+++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
@@ -250,6 +250,7 @@ TlsSetHostPublicCert (
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
+ @param[in] Password Pointer to private key password, set it to NULL if not used.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@@ -261,7 +262,8 @@ EFIAPI
TlsSetHostPrivateKey (
IN VOID *Tls,
IN VOID *Data,
- IN UINTN DataSize
+ IN UINTN DataSize,
+ IN VOID *Password OPTIONAL
)
{
ASSERT (FALSE);
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index bc94cbb66311..ab01ff985da7 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -3092,6 +3092,7 @@ EFI_STATUS
@param[in] Data Pointer to the data buffer of a PEM-encoded RSA
or PKCS#8 private key.
@param[in] DataSize The size of data buffer in bytes.
+ @param[in] Password Pointer to private key password, set it to NULL if not used.
@retval EFI_SUCCESS The operation succeeded.
@retval EFI_UNSUPPORTED This function is not supported.
@@ -3103,7 +3104,8 @@ EFI_STATUS
(EFIAPI *EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY)(
IN VOID *Tls,
IN VOID *Data,
- IN UINTN DataSize
+ IN UINTN DataSize,
+ IN VOID *Password OPTIONAL
);
/**
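Review bot: Adding a fourth parameter to `EDKII_CRYPTO_TLS_SET_HOST_PRIVATE_KEY` changes the binary interface of the EDKII Crypto protocol, and nothing in this hunk bumps the protocol version constant that lives elsewhere in this header; if no other patch in the series does, a consumer built against the old three-argument signature that calls into a driver built with this one will have whatever happens to occupy the fourth argument register or stack slot interpreted as `Password` and dereferenced as a passphrase string by TlsLib. I would bump the protocol version in the same patch, as earlier signature changes to this protocol did, and note in the `@param[in] Password` comment that the pointer must reference a NUL-terminated ASCII string or be NULL.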
--
2.31.1.windows.1