CryptoPkg/BaseCryptLib: Add new API VerifyEKUsInPkcs7Signature
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1402 Add the API VerifyEKUsInPkcs7Signature to check if x509 cert has any or all EKUs. Signed-off-by: Zhichao Gao <zhichao.gao@intel.com> Cc: Ting Ye <ting.ye@intel.com> Cc: Gang Wei <gang.wei@intel.com> Cc: Wang Jian J <jian.j.wang@intel.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Sean Brogan <sean.brogan@microsoft.com> Cc: Michael Turner <Michael.Turner@microsoft.com> Cc: Bret Barkelew <Bret.Barkelew@microsoft.com> Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
This commit is contained in:
committed by
Jian J Wang
parent
1796a39493
commit
23c3178c4d
@@ -0,0 +1,57 @@
|
||||
/** @file
|
||||
This module verifies that Enhanced Key Usages (EKU's) are present within
|
||||
a PKCS7 signature blob using OpenSSL.
|
||||
|
||||
Copyright (C) Microsoft Corporation. All Rights Reserved.
|
||||
Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
|
||||
|
||||
SPDX-License-Identifier: BSD-2-Clause-Patent
|
||||
|
||||
**/
|
||||
|
||||
#include "InternalCryptLib.h"
|
||||
|
||||
/**
|
||||
This function receives a PKCS#7 formatted signature blob,
|
||||
looks for the EKU SEQUENCE blob, and if found then looks
|
||||
for all the required EKUs. This function was created so that
|
||||
the Surface team can cut down on the number of Certificate
|
||||
Authorities (CA's) by checking EKU's on leaf signers for
|
||||
a specific product. This prevents one product's certificate
|
||||
from signing another product's firmware or unlock blobs.
|
||||
|
||||
Return RETURN_UNSUPPORTED to indicate this interface is not supported.
|
||||
|
||||
@param[in] Pkcs7Signature The PKCS#7 signed information content block. An array
|
||||
containing the content block with both the signature,
|
||||
the signer's certificate, and any necessary intermediate
|
||||
certificates.
|
||||
@param[in] Pkcs7SignatureSize Number of bytes in pPkcs7Signature.
|
||||
@param[in] RequiredEKUs Array of null-terminated strings listing OIDs of
|
||||
required EKUs that must be present in the signature.
|
||||
All specified EKU's must be present in order to
|
||||
succeed.
|
||||
@param[in] RequiredEKUsSize Number of elements in the rgRequiredEKUs string.
|
||||
This parameter has a maximum of MAX_EKU_SEARCH.
|
||||
@param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's
|
||||
must be present in the leaf signer. If it is
|
||||
FALSE, then we will succeed if we find any
|
||||
of the specified EKU's.
|
||||
|
||||
@retval RETURN_UNSUPPORTED The operation is not supported.
|
||||
|
||||
**/
|
||||
EFI_STATUS
|
||||
EFIAPI
|
||||
VerifyEKUsInPkcs7Signature (
|
||||
IN CONST UINT8 *Pkcs7Signature,
|
||||
IN CONST UINT32 SignatureSize,
|
||||
IN CONST CHAR8 *RequiredEKUs[],
|
||||
IN CONST UINT32 RequiredEKUsSize,
|
||||
IN BOOLEAN RequireAllPresent
|
||||
)
|
||||
{
|
||||
ASSERT (FALSE);
|
||||
return RETURN_UNSUPPORTED;
|
||||
}
|
||||
|
Reference in New Issue
Block a user