]>
Commit | Line | Data |
---|---|---|
d95de082 SB |
1 | /** @file\r |
2 | PKCS7 Verify Null implementation.\r | |
3 | \r | |
4 | Copyright (C) Microsoft Corporation. All Rights Reserved.\r | |
5 | Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>\r | |
6 | \r | |
7 | SPDX-License-Identifier: BSD-2-Clause-Patent\r | |
8 | \r | |
9 | **/\r | |
10 | \r | |
11 | #include "InternalCryptLib.h"\r | |
12 | \r | |
13 | /**\r | |
14 | This function will return the leaf signer certificate in a chain. This is\r | |
15 | required because certificate chains are not guaranteed to have the\r | |
16 | certificates in the order that they were issued.\r | |
17 | \r | |
18 | A typical certificate chain looks like this:\r | |
19 | \r | |
20 | \r | |
21 | ----------------------------\r | |
22 | | Root |\r | |
23 | ----------------------------\r | |
24 | ^\r | |
25 | |\r | |
26 | ----------------------------\r | |
27 | | Policy CA | <-- Typical Trust Anchor.\r | |
28 | ----------------------------\r | |
29 | ^\r | |
30 | |\r | |
31 | ----------------------------\r | |
32 | | Issuing CA |\r | |
33 | ----------------------------\r | |
34 | ^\r | |
35 | |\r | |
36 | -----------------------------\r | |
37 | / End-Entity (leaf) signer / <-- Bottom certificate.\r | |
38 | ----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1"\r | |
39 | (Firmware Signing)\r | |
40 | \r | |
41 | \r | |
42 | @param[in] CertChain Certificate chain.\r | |
43 | \r | |
44 | @param[out] SignerCert Last certificate in the chain. For PKCS7 signatures,\r | |
45 | this will be the end-entity (leaf) signer cert.\r | |
46 | \r | |
47 | @retval EFI_SUCCESS The required EKUs were found in the signature.\r | |
48 | @retval EFI_INVALID_PARAMETER A parameter was invalid.\r | |
49 | @retval EFI_NOT_FOUND The number of signers found was not 1.\r | |
50 | \r | |
51 | **/\r | |
52 | EFI_STATUS\r | |
53 | GetSignerCertificate (\r | |
7c342378 | 54 | IN CONST VOID *CertChain,\r |
d95de082 SB |
55 | OUT VOID **SignerCert\r |
56 | )\r | |
57 | {\r | |
7c342378 | 58 | ASSERT (FALSE);\r |
d95de082 | 59 | return EFI_NOT_READY;\r |
d95de082 SB |
60 | }\r |
61 | \r | |
d95de082 SB |
62 | /**\r |
63 | Determines if the specified EKU represented in ASN1 form is present\r | |
64 | in a given certificate.\r | |
65 | \r | |
66 | @param[in] Cert The certificate to check.\r | |
67 | \r | |
68 | @param[in] Asn1ToFind The EKU to look for.\r | |
69 | \r | |
70 | @retval EFI_SUCCESS We successfully identified the signing type.\r | |
71 | @retval EFI_INVALID_PARAMETER A parameter was invalid.\r | |
72 | @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.\r | |
73 | \r | |
74 | **/\r | |
75 | EFI_STATUS\r | |
76 | IsEkuInCertificate (\r | |
77 | IN CONST VOID *Cert,\r | |
7c342378 | 78 | IN VOID *Asn1ToFind\r |
d95de082 SB |
79 | )\r |
80 | {\r | |
7c342378 | 81 | ASSERT (FALSE);\r |
d95de082 SB |
82 | return EFI_NOT_READY;\r |
83 | }\r | |
84 | \r | |
d95de082 SB |
85 | /**\r |
86 | Determines if the specified EKUs are present in a signing certificate.\r | |
87 | \r | |
88 | @param[in] SignerCert The certificate to check.\r | |
89 | @param[in] RequiredEKUs The EKUs to look for.\r | |
90 | @param[in] RequiredEKUsSize The number of EKUs\r | |
91 | @param[in] RequireAllPresent If TRUE, then all the specified EKUs\r | |
92 | must be present in the certificate.\r | |
93 | \r | |
94 | @retval EFI_SUCCESS We successfully identified the signing type.\r | |
95 | @retval EFI_INVALID_PARAMETER A parameter was invalid.\r | |
96 | @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.\r | |
97 | **/\r | |
98 | EFI_STATUS\r | |
7c342378 MK |
99 | CheckEKUs (\r |
100 | IN CONST VOID *SignerCert,\r | |
101 | IN CONST CHAR8 *RequiredEKUs[],\r | |
102 | IN CONST UINT32 RequiredEKUsSize,\r | |
103 | IN BOOLEAN RequireAllPresent\r | |
d95de082 SB |
104 | )\r |
105 | {\r | |
7c342378 | 106 | ASSERT (FALSE);\r |
d95de082 SB |
107 | return EFI_NOT_READY;\r |
108 | }\r | |
109 | \r | |
110 | /**\r | |
111 | This function receives a PKCS#7 formatted signature blob,\r | |
112 | looks for the EKU SEQUENCE blob, and if found then looks\r | |
113 | for all the required EKUs. This function was created so that\r | |
114 | the Surface team can cut down on the number of Certificate\r | |
115 | Authorities (CA's) by checking EKU's on leaf signers for\r | |
116 | a specific product. This prevents one product's certificate\r | |
117 | from signing another product's firmware or unlock blobs.\r | |
118 | \r | |
119 | Note that this function does not validate the certificate chain.\r | |
120 | That needs to be done before using this function.\r | |
121 | \r | |
122 | @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array\r | |
123 | containing the content block with both the signature,\r | |
124 | the signer's certificate, and any necessary intermediate\r | |
125 | certificates.\r | |
126 | @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature.\r | |
127 | @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of\r | |
128 | required EKUs that must be present in the signature.\r | |
129 | @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array.\r | |
130 | @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's\r | |
131 | must be present in the leaf signer. If it is\r | |
132 | FALSE, then we will succeed if we find any\r | |
133 | of the specified EKU's.\r | |
134 | \r | |
135 | @retval EFI_SUCCESS The required EKUs were found in the signature.\r | |
136 | @retval EFI_INVALID_PARAMETER A parameter was invalid.\r | |
137 | @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.\r | |
138 | \r | |
139 | **/\r | |
140 | EFI_STATUS\r | |
141 | EFIAPI\r | |
142 | VerifyEKUsInPkcs7Signature (\r | |
7c342378 MK |
143 | IN CONST UINT8 *Pkcs7Signature,\r |
144 | IN CONST UINT32 SignatureSize,\r | |
145 | IN CONST CHAR8 *RequiredEKUs[],\r | |
146 | IN CONST UINT32 RequiredEKUsSize,\r | |
147 | IN BOOLEAN RequireAllPresent\r | |
d95de082 SB |
148 | )\r |
149 | {\r | |
7c342378 | 150 | ASSERT (FALSE);\r |
d95de082 SB |
151 | return EFI_NOT_READY;\r |
152 | }\r |