[efi-boot-shim.git] / Cryptlib / ca-check-workaround.patch

diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c
index bf24e92..cbd9669 100644
--- a/Cryptlib/Pk/CryptPkcs7Verify.c
+++ b/Cryptlib/Pk/CryptPkcs7Verify.c
@@ -30,6 +30,43 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 \r
 UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };\r
 \r
+BOOLEAN ca_warning;\r
+\r
+void\r
+clear_ca_warning()\r
+{\r
+  ca_warning = FALSE;\r
+}\r
+\r
+BOOLEAN\r
+get_ca_warning()\r
+{\r
+  return ca_warning;\r
+}\r
+\r
+int\r
+X509VerifyCb (\r
+  IN int            Status,\r
+  IN X509_STORE_CTX *Context\r
+  )\r
+{\r
+  INTN         Error;\r
+\r
+  Error = (INTN) X509_STORE_CTX_get_error (Context);\r
+\r
+  if (Error == X509_V_ERR_INVALID_CA) {\r
+    /* Due to the historical reason, we have to relax the the x509 v3 extension\r
+     * check to allow the CA certificates without the CA flag in the basic\r
+     * constraints or KeyCertSign in the key usage to be loaded. In the future,\r
+     * this callback should be removed to enforce the proper check. */\r
+    ca_warning = TRUE;\r
+\r
+    return 1;\r
+  }\r
+\r
+  return Status;\r
+}\r
+\r
 /**\r
   Check input P7Data is a wrapped ContentInfo structure or not. If not construct\r
   a new structure to wrap P7Data.\r
@@ -858,6 +895,8 @@ Pkcs7Verify (
     goto _Exit;\r
   }\r
 \r
+  X509_STORE_set_verify_cb (CertStore, X509VerifyCb);\r
+\r
   //\r
   // For generic PKCS#7 handling, InData may be NULL if the content is present\r
   // in PKCS#7 structure. So ignore NULL checking here.\r
-- 
2.14.2
Commit	Line	Data
7bf7a6d0 MTL	1	diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c
	2	index bf24e92..cbd9669 100644
	3	--- a/Cryptlib/Pk/CryptPkcs7Verify.c
	4	+++ b/Cryptlib/Pk/CryptPkcs7Verify.c
	5	@@ -30,6 +30,43 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
	6	\r
	7	UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };\r
	8	\r
	9	+BOOLEAN ca_warning;\r
	10	+\r
	11	+void\r
	12	+clear_ca_warning()\r
	13	+{\r
	14	+ ca_warning = FALSE;\r
	15	+}\r
	16	+\r
	17	+BOOLEAN\r
	18	+get_ca_warning()\r
	19	+{\r
	20	+ return ca_warning;\r
	21	+}\r
	22	+\r
	23	+int\r
	24	+X509VerifyCb (\r
	25	+ IN int Status,\r
	26	+ IN X509_STORE_CTX *Context\r
	27	+ )\r
	28	+{\r
	29	+ INTN Error;\r
	30	+\r
	31	+ Error = (INTN) X509_STORE_CTX_get_error (Context);\r
	32	+\r
	33	+ if (Error == X509_V_ERR_INVALID_CA) {\r
	34	+ /* Due to the historical reason, we have to relax the the x509 v3 extension\r
	35	+ * check to allow the CA certificates without the CA flag in the basic\r
	36	+ * constraints or KeyCertSign in the key usage to be loaded. In the future,\r
	37	+ * this callback should be removed to enforce the proper check. */\r
	38	+ ca_warning = TRUE;\r
	39	+\r
	40	+ return 1;\r
	41	+ }\r
	42	+\r
	43	+ return Status;\r
	44	+}\r
	45	+\r
	46	/**\r
	47	Check input P7Data is a wrapped ContentInfo structure or not. If not construct\r
	48	a new structure to wrap P7Data.\r
	49	@@ -858,6 +895,8 @@ Pkcs7Verify (
	50	goto _Exit;\r
	51	}\r
	52	\r
	53	+ X509_STORE_set_verify_cb (CertStore, X509VerifyCb);\r
	54	+\r
	55	//\r
	56	// For generic PKCS#7 handling, InData may be NULL if the content is present\r
	57	// in PKCS#7 structure. So ignore NULL checking here.\r
	58	--
	59	2.14.2
	60