sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
3d61650f95193694fb00e1e6863ef09c5ecba090
system76-edk2/CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEkuRuntime.c
Bret Barkelew 23c3178c4d CryptoPkg/BaseCryptLib: Add new API VerifyEKUsInPkcs7Signature 
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1402

Add the API VerifyEKUsInPkcs7Signature to check if x509 cert
has any or all EKUs.

Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-04-18 13:11:21 +08:00

58 lines
2.4 KiB
C
Raw Blame History

/** @file
This module verifies that Enhanced Key Usages (EKU's) are present within
a PKCS7 signature blob using OpenSSL.
Copyright (C) Microsoft Corporation. All Rights Reserved.
Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "InternalCryptLib.h"
/**
This function receives a PKCS#7 formatted signature blob,
looks for the EKU SEQUENCE blob, and if found then looks
for all the required EKUs. This function was created so that
the Surface team can cut down on the number of Certificate
Authorities (CA's) by checking EKU's on leaf signers for
a specific product. This prevents one product's certificate
from signing another product's firmware or unlock blobs.
Return RETURN_UNSUPPORTED to indicate this interface is not supported.
@param[in] Pkcs7Signature The PKCS#7 signed information content block. An array
containing the content block with both the signature,
the signer's certificate, and any necessary intermediate
certificates.
@param[in] Pkcs7SignatureSize Number of bytes in pPkcs7Signature.
@param[in] RequiredEKUs Array of null-terminated strings listing OIDs of
required EKUs that must be present in the signature.
All specified EKU's must be present in order to
succeed.
@param[in] RequiredEKUsSize Number of elements in the rgRequiredEKUs string.
This parameter has a maximum of MAX_EKU_SEARCH.
@param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's
must be present in the leaf signer. If it is
FALSE, then we will succeed if we find any
of the specified EKU's.
@retval RETURN_UNSUPPORTED The operation is not supported.
**/
EFI_STATUS
EFIAPI
VerifyEKUsInPkcs7Signature (
IN CONST UINT8 *Pkcs7Signature,
IN CONST UINT32 SignatureSize,
IN CONST CHAR8 *RequiredEKUs[],
IN CONST UINT32 RequiredEKUsSize,
IN BOOLEAN RequireAllPresent
)
{
ASSERT (FALSE);
return RETURN_UNSUPPORTED;
}
Reference in New Issue View Git Blame Copy Permalink