1. Enable the whole X509v3 extension checking.

2. Replace d2i_X509_bio with d2i_X509. Signed-off-by: Fu Siyuan <siyuan.fu@intel.com> Reviewed-by: Ling Qin <qin.long@intel.com> Reviewed-by: Ouyang Qian <qian.ouyang@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@14026 6f19259b-4bc3-4df7-8a09-765794883524
2012-12-28 01:20:57 +00:00
parent bf29dc16e6
commit 02ee8d3b4c
3 changed files with 14 additions and 43 deletions
--- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch
+++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch
@@ -260,20 +260,7 @@ Index: crypto/x509/x509_vfy.c
 ===================================================================
 --- crypto/x509/x509_vfy.c	(revision 1)
 +++ crypto/x509/x509_vfy.c	(working copy)
-@@ -386,7 +386,11 @@
- 
- static int check_chain_extensions(X509_STORE_CTX *ctx)
- {
-#ifdef OPENSSL_NO_CHAIN_VERIFY
-+#if defined(OPENSSL_NO_CHAIN_VERIFY) || defined(OPENSSL_SYS_UEFI)
-+  /* 
-+    NOTE: Bypass KU Flags Checking for UEFI version. There are incorrect KU flag setting
-+          in Authenticode Signing Certificates. 
-+  */
- 	return 1;
- #else
- 	int i, ok=0, must_be_ca, plen = 0;
-@@ -899,6 +903,10 @@
+@@ -899,6 +899,10 @@
 
 static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
 	{
@@ -284,7 +271,7 @@ Index: crypto/x509/x509_vfy.c
 	time_t *ptime;
 	int i;
 
-@@ -942,6 +950,7 @@
+@@ -942,6 +946,7 @@
 		}
 
 	return 1;