Commit 23c3178c BB

```c
/** @file
  This module verifies that Enhanced Key Usages (EKU's) are present within
  a PKCS7 signature blob using OpenSSL.

  Copyright (C) Microsoft Corporation. All Rights Reserved.
  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>

  SPDX-License-Identifier: BSD-2-Clause-Patent

**/

#include "InternalCryptLib.h"

/**
  This function receives a PKCS#7 formatted signature blob,
  looks for the EKU SEQUENCE blob, and if found then looks
  for all the required EKUs. This function was created so that
  the Surface team can cut down on the number of Certificate
  Authorities (CA's) by checking EKU's on leaf signers for
  a specific product. This prevents one product's certificate
  from signing another product's firmware or unlock blobs.

  Return RETURN_UNSUPPORTED to indicate this interface is not supported.

  @param[in]  Pkcs7Signature     The PKCS#7 signed information content block. An array
                                 containing the content block with both the signature,
                                 the signer's certificate, and any necessary intermediate
                                 certificates.
  @param[in]  SignatureSize      Number of bytes in Pkcs7Signature.
  @param[in]  RequiredEKUs       Array of null-terminated strings listing OIDs of
                                 required EKUs that must be present in the signature.
                                 All specified EKU's must be present in order to
                                 succeed.
  @param[in]  RequiredEKUsSize   Number of elements in the RequiredEKUs array.
                                 This parameter has a maximum of MAX_EKU_SEARCH.
  @param[in]  RequireAllPresent  If this is TRUE, then all of the specified EKU's
                                 must be present in the leaf signer. If it is
                                 FALSE, then we will succeed if we find any
                                 of the specified EKU's.

  @retval RETURN_UNSUPPORTED     The operation is not supported.

**/
EFI_STATUS
EFIAPI
VerifyEKUsInPkcs7Signature (
  IN CONST UINT8   *Pkcs7Signature,
  IN CONST UINT32  SignatureSize,
  IN CONST CHAR8   *RequiredEKUs[],
  IN CONST UINT32  RequiredEKUsSize,
  IN BOOLEAN       RequireAllPresent
  )
{
  //
  // Null implementation: no EKU check is performed here. Callers must treat
  // the returned status as a verification failure.
  //
  ASSERT (FALSE);
  return RETURN_UNSUPPORTED;
}
```
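The any/all matching rule that the function comment describes for `RequireAllPresent`, as an added example that is not part of the EDK II source. It works on OID strings that are assumed to be already extracted from the leaf signer (no PKCS#7 parsing); the function names, result codes, sample OIDs and the cap value 8 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed cap for this example; the page names MAX_EKU_SEARCH without a value. */
#define EXAMPLE_MAX_EKU_SEARCH 8
enum eku_result { EKU_OK, EKU_NOT_FOUND, EKU_INVALID_PARAM };

/* Constructed sample data: EKU OIDs as they might be read from a leaf signer. */
static const char *const LEAF_EKUS[] = { "1.3.6.1.5.5.7.3.3", "1.3.6.1.4.1.99999.1.1" };
static const char *const REQ_A[]     = { "1.3.6.1.4.1.99999.1.1" };
static const char *const REQ_B[]     = { "1.3.6.1.4.1.99999.1.10" };
static const char *const REQ_BOTH[]  = { "1.3.6.1.4.1.99999.1.1", "1.3.6.1.4.1.99999.1.10" };

/* Exact string match, so "...1.1" never satisfies a requirement for "...1.10". */
static int leaf_has_eku(const char *const leaf[], size_t n, const char *oid)
{
    for (size_t i = 0; i < n; i++)
        if (leaf[i] != NULL && strcmp(leaf[i], oid) == 0)
            return 1;
    return 0;
}

enum eku_result check_ekus(const char *const leaf[], size_t leaf_count,
                           const char *const required[], size_t required_count,
                           int require_all)
{
    /* Fail closed: an empty or oversized requirement list is never a pass. */
    if (leaf == NULL || required == NULL || required_count == 0 ||
        required_count > EXAMPLE_MAX_EKU_SEARCH)
        return EKU_INVALID_PARAM;
    for (size_t i = 0; i < required_count; i++) {
        if (required[i] == NULL)
            return EKU_INVALID_PARAM;
        int present = leaf_has_eku(leaf, leaf_count, required[i]);
        if (present && !require_all)
            return EKU_OK;          /* any-match: first hit is enough */
        if (!present && require_all)
            return EKU_NOT_FOUND;   /* all-match: first miss fails */
    }
    /* Loop completed: every EKU matched (all mode) or none did (any mode). */
    return require_all ? EKU_OK : EKU_NOT_FOUND;
}

int main(void)
{
    printf("A:%d B:%d\n", check_ekus(LEAF_EKUS, 2, REQ_A, 1, 1), check_ekus(LEAF_EKUS, 2, REQ_B, 1, 1));
    printf("all:%d any:%d\n", check_ekus(LEAF_EKUS, 2, REQ_BOTH, 2, 1), check_ekus(LEAF_EKUS, 2, REQ_BOTH, 2, 0));
    return 0;
}
```

A caller of the stub on this page should handle `RETURN_UNSUPPORTED` the same way this sketch handles `EKU_NOT_FOUND`: as a rejected signature.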