]> git.proxmox.com Git - mirror_edk2.git/blob - CryptoPkg/Test/UnitTest/Library/BaseCryptLib/Pkcs7EkuTests.c
projects / mirror_edk2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
CryptoPkg: Apply uncrustify changes
[mirror_edk2.git] / CryptoPkg / Test / UnitTest / Library / BaseCryptLib / Pkcs7EkuTests.c
1 /** @file -- Pkcs7EkuVerify.c
2 * Copyright (c) Microsoft Corporation.
3 * SPDX-License-Identifier: BSD-2-Clause-Patent
4
5 This is an test code which verifies specified
6 Enhanced Key Usages (EKU)'s are present in the leaf signer
7 of a PKCS7 formatted signature.
8
9
10 A typical signing certificate chain looks like this: (Could be RSA or ECC).
11
12 ------------------------------------------
13 | | // Root of trust. ECDSA P521 curve
14 | TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
15 | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
16 ------------------------------------------
17 ^
18 |
19 ------------------------------------------
20 | | // Policy CA. Issues subordinate CAs. ECC P384 curve.
21 | TestEKUParsingPolicyCA | // SHA 256 Key Usage:
22 | | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
23 ------------------------------------------
24 ^
25 |
26 ------------------------------------------
27 | | // Issues end-entity (leaf) signers. ECC P256 curve.
28 | TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
29 | | // Enhanced Key Usage:
30 ------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
31 ^
32 |
33 --------------------------------------
34 / TestEKUParsingLeafSigner && / // Leaf signer, ECC P256 curve.
35 / TestEKUParsingLeafSignerPid12345 / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
36 / / // Enhanced Key usages:
37 -------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
38 // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.
39
40
41
42
43
44 **/
45
46 #include "TestBaseCryptLib.h"
47
48 #include "Pkcs7EkuTestSignatures.h"
49
50 EFI_STATUS
51 EFIAPI
52 VerifyEKUsInPkcs7Signature (
53 IN CONST UINT8 *Pkcs7Signature,
54 IN CONST UINT32 SignatureSize,
55 IN CONST CHAR8 *RequiredEKUs[],
56 IN CONST UINT32 RequiredEKUsSize,
57 IN BOOLEAN RequireAllPresent
58 );
59
60 /// ================================================================================================
61 /// ================================================================================================
62 ///
63 /// TEST CASES
64 ///
65 /// ================================================================================================
66 /// ================================================================================================
67
68 CONST CHAR8 FIRMWARE_SIGNER_EKU[] = "1.3.6.1.4.1.311.76.9.21.1";
69
70 /**
71 TestVerifyEKUsInSignature()
72
73 Verify that "1.3.6.1.4.1.311.76.9.21.1" (Firmware signature) is in the
74 leaf signer certificate.
75
76
77 @param[in] Framework - Unit-test framework handle.
78 @param[in] Context - Optional context pointer for this test.
79
80 @retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
81 @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
82 **/
83 static
84 UNIT_TEST_STATUS
85 EFIAPI
86 TestVerifyEKUsInSignature (
87 IN UNIT_TEST_CONTEXT Context
88 )
89 {
90 EFI_STATUS Status = EFI_SUCCESS;
91
92 CONST CHAR8 *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };
93
94 Status = VerifyEKUsInPkcs7Signature (
95 ProductionECCSignature,
96 ARRAY_SIZE (ProductionECCSignature),
97 (CONST CHAR8 **)RequiredEKUs,
98 ARRAY_SIZE (RequiredEKUs),
99 TRUE
100 );
101 UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);
102
103 return UNIT_TEST_PASSED;
104 }// TestVerifyEKUsInSignature()
105
106 /**
107 TestVerifyEKUsWith3CertsInSignature()
108
109 This PKCS7 signature has 3 certificates in it. (Policy CA, Issuing CA
110 and leaf signer). It has one firmware signing EKU in it.
111 "1.3.6.1.4.1.311.76.9.21.1"
112
113 @param[in] Framework - Unit-test framework handle.
114 @param[in] Context - Optional context pointer for this test.
115
116 @retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
117 @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
118 **/
119 static
120 UNIT_TEST_STATUS
121 EFIAPI
122 TestVerifyEKUsWith3CertsInSignature (
123 IN UNIT_TEST_CONTEXT Context
124 )
125 {
126 EFI_STATUS Status = EFI_SUCCESS;
127
128 CONST CHAR8 *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };
129
130 Status = VerifyEKUsInPkcs7Signature (
131 TestSignEKUsWith3CertsInSignature,
132 ARRAY_SIZE (TestSignEKUsWith3CertsInSignature),
133 (CONST CHAR8 **)RequiredEKUs,
134 ARRAY_SIZE (RequiredEKUs),
135 TRUE
136 );
137 UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);
138
139 return UNIT_TEST_PASSED;
140 }// TestVerifyEKUsWith3CertsInSignature()
141
142 /**
143 TestVerifyEKUsWith2CertsInSignature()
144
145 This PKCS7 signature has 2 certificates in it. (Issuing CA and leaf signer).
146 It has one firmware signing EKU in it. "1.3.6.1.4.1.311.76.9.21.1"
147
148 @param[in] Framework - Unit-test framework handle.
149 @param[in] Context - Optional context pointer for this test.
150
151 @retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
152 @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
153 **/
154 static
155 UNIT_TEST_STATUS
156 EFIAPI
157 TestVerifyEKUsWith2CertsInSignature (
158 IN UNIT_TEST_CONTEXT Context
159 )
160 {
161 EFI_STATUS Status = EFI_SUCCESS;
162
163 CONST CHAR8 *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };
164
165 Status = VerifyEKUsInPkcs7Signature (
166 TestSignEKUsWith2CertsInSignature,
167 ARRAY_SIZE (TestSignEKUsWith2CertsInSignature),
168 (CONST CHAR8 **)RequiredEKUs,
169 ARRAY_SIZE (RequiredEKUs),
170 TRUE
171 );
172 UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);
173
174 return UNIT_TEST_PASSED;
175 }// TestVerifyEKUsWith2CertsInSignature()
176
177 /**
178 TestVerifyEKUsWith1CertInSignature()
179
180 This PKCS7 signature only has the leaf signer in it.
181 It has one firmware signing EKU in it. "1.3.6.1.4.1.311.76.9.21.1"
182
183 @param[in] Framework - Unit-test framework handle.
184 @param[in] Context - Optional context pointer for this test.
185
186 @retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
187 @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
188 **/
189 static
190 UNIT_TEST_STATUS
191 EFIAPI
192 TestVerifyEKUsWith1CertInSignature (
193 IN UNIT_TEST_CONTEXT Context
194 )
195 {
196 EFI_STATUS Status = EFI_SUCCESS;
197
198 CONST CHAR8 *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };
199
200 Status = VerifyEKUsInPkcs7Signature (
201 TestSignEKUsWith1CertInSignature,
202 ARRAY_SIZE (TestSignEKUsWith1CertInSignature),
203 (CONST CHAR8 **)RequiredEKUs,
204 ARRAY_SIZE (RequiredEKUs),
205 TRUE
206 );
207 UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);
208
209 return UNIT_TEST_PASSED;
210 }// TestVerifyEKUsWith1CertInSignature()
211
212 /**
213 TestVerifyEKUsWithMultipleEKUsInCert()
214
215
216 This signature has two EKU's in it:
217 "1.3.6.1.4.1.311.76.9.21.1"
218 "1.3.6.1.4.1.311.76.9.21.2"
219 We verify that both EKU's were present in the leaf signer.
220
221 @param[in] Framework - Unit-test framework handle.
222 @param[in] Context - Optional context pointer for this test.
223
224 @retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
225 @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
226 **/
227 static
228 UNIT_TEST_STATUS
229 EFIAPI
230 TestVerifyEKUsWithMultipleEKUsInCert (
231 IN UNIT_TEST_CONTEXT Context
232 )
233 {
234 EFI_STATUS Status = EFI_SUCCESS;
235
236 CONST CHAR8 *RequiredEKUs[] = {
237 "1.3.6.1.4.1.311.76.9.21.1",
238 "1.3.6.1.4.1.311.76.9.21.1.2"
239 };
240
241 Status = VerifyEKUsInPkcs7Signature (
242 TestSignedWithMultipleEKUsInCert,
243 ARRAY_SIZE (TestSignedWithMultipleEKUsInCert),
244 (CONST CHAR8 **)RequiredEKUs,
245 ARRAY_SIZE (RequiredEKUs),
246 TRUE
247 );
248 UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);
249
250 return UNIT_TEST_PASSED;
251 }// TestVerifyEKUsWithMultipleEKUsInCert()
252
253 /**
254 TestEkusNotPresentInSignature()
255
256 This test verifies that if we send an EKU that is not in the signature,
257 that we get back an error.
258
259 @param[in] Framework - Unit-test framework handle.
260 @param[in] Context - Optional context pointer for this test.
261
262 @retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
263 @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
264 **/
265 static
266 UNIT_TEST_STATUS
267 EFIAPI
268 TestEkusNotPresentInSignature (
269 IN UNIT_TEST_CONTEXT Context
270 )
271 {
272 EFI_STATUS Status = EFI_SUCCESS;
273
274 //
275 // This EKU is not in the signature.
276 //
277 CONST CHAR8 *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.3" };
278
279 Status = VerifyEKUsInPkcs7Signature (
280 TestSignedWithMultipleEKUsInCert,
281 ARRAY_SIZE (TestSignedWithMultipleEKUsInCert),
282 (CONST CHAR8 **)RequiredEKUs,
283 ARRAY_SIZE (RequiredEKUs),
284 TRUE
285 );
286 UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);
287
288 return UNIT_TEST_PASSED;
289 }// TestEkusNotPresentInSignature()
290
291 /**
292 TestEkusNotPresentInSignature()
293
294 This test signature has two EKU's in it: (Product ID is 10001)
295 "1.3.6.1.4.1.311.76.9.21.1"
296 "1.3.6.1.4.1.311.76.9.21.1.10001"
297
298 @param[in] Framework - Unit-test framework handle.
299 @param[in] Context - Optional context pointer for this test.
300
301 @retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
302 @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
303 **/
304 static
305 UNIT_TEST_STATUS
306 EFIAPI
307 TestProductId10001PresentInSignature (
308 IN UNIT_TEST_CONTEXT Context
309 )
310 {
311 EFI_STATUS Status = EFI_SUCCESS;
312
313 //
314 // These EKU's are present in the leaf signer certificate.
315 //
316 CONST CHAR8 *RequiredEKUs[] = {
317 "1.3.6.1.4.1.311.76.9.21.1",
318 "1.3.6.1.4.1.311.76.9.21.1.10001"
319 };
320
321 Status = VerifyEKUsInPkcs7Signature (
322 TestSignedWithProductId10001,
323 ARRAY_SIZE (TestSignedWithProductId10001),
324 (CONST CHAR8 **)RequiredEKUs,
325 ARRAY_SIZE (RequiredEKUs),
326 TRUE
327 );
328 UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);
329
330 return UNIT_TEST_PASSED;
331 }// TestProductId10001PresentInSignature()
332
333 /**
334 TestOnlyOneEkuInListRequired()
335
336 This test will check the BOOLEAN RequireAllPresent parameter in the
337 call to VerifyEKUsInPkcs7Signature() behaves properly. The signature
338 has two EKU's in it:
339
340 "1.3.6.1.4.1.311.76.9.21.1"
341 "1.3.6.1.4.1.311.76.9.21.1.10001"
342
343 but we only pass in one of them, and set RequireAllPresent to FALSE.
344
345 @param[in] Framework - Unit-test framework handle.
346 @param[in] Context - Optional context pointer for this test.
347
348 @retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
349 @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
350 **/
351 static
352 UNIT_TEST_STATUS
353 EFIAPI
354 TestOnlyOneEkuInListRequired (
355 IN UNIT_TEST_CONTEXT Context
356 )
357 {
358 EFI_STATUS Status = EFI_SUCCESS;
359
360 //
361 // This will test the flag that specifies it is OK to succeed if
362 // any one of the EKU's passed in is found.
363 //
364 CONST CHAR8 *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1.10001" };
365
366 Status = VerifyEKUsInPkcs7Signature (
367 TestSignedWithProductId10001,
368 ARRAY_SIZE (TestSignedWithProductId10001),
369 (CONST CHAR8 **)RequiredEKUs,
370 ARRAY_SIZE (RequiredEKUs),
371 FALSE
372 );
373 UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);
374
375 return UNIT_TEST_PASSED;
376 }// TestOnlyOneEkuInListRequired()
377
378 /**
379 TestNoEKUsInSignature()
380
381 This test uses a signature that was signed with a certificate that does
382 not contain any EKUs.
383
384
385 @param[in] Framework - Unit-test framework handle.
386 @param[in] Context - Optional context pointer for this test.
387
388 @retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
389 @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
390 **/
391 static
392 UNIT_TEST_STATUS
393 EFIAPI
394 TestNoEKUsInSignature (
395 IN UNIT_TEST_CONTEXT Context
396 )
397 {
398 EFI_STATUS Status = EFI_SUCCESS;
399
400 //
401 // This EKU is not in the certificate, so it should fail.
402 //
403 CONST CHAR8 *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1" };
404
405 Status = VerifyEKUsInPkcs7Signature (
406 TestSignatureWithNoEKUsPresent,
407 ARRAY_SIZE (TestSignatureWithNoEKUsPresent),
408 (CONST CHAR8 **)RequiredEKUs,
409 ARRAY_SIZE (RequiredEKUs),
410 TRUE
411 );
412 UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);
413
414 return UNIT_TEST_PASSED;
415 }// TestNoEKUsInSignature()
416
417 /**
418 TestInvalidParameters()
419
420 Passes the API invalid parameters, and ensures that it does not succeed.
421
422 @param[in] Framework - Unit-test framework handle.
423 @param[in] Context - Optional context pointer for this test.
424
425 @retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
426 @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
427 **/
428 static
429 UNIT_TEST_STATUS
430 EFIAPI
431 TestInvalidParameters (
432 IN UNIT_TEST_CONTEXT Context
433 )
434 {
435 EFI_STATUS Status = EFI_SUCCESS;
436
437 CONST CHAR8 *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1" };
438
439 //
440 // Check bad signature.
441 //
442 Status = VerifyEKUsInPkcs7Signature (
443 NULL,
444 0,
445 (CONST CHAR8 **)RequiredEKUs,
446 ARRAY_SIZE (RequiredEKUs),
447 TRUE
448 );
449 UT_ASSERT_STATUS_EQUAL (Status, EFI_INVALID_PARAMETER);
450
451 //
452 // Check invalid EKU's
453 //
454 Status = VerifyEKUsInPkcs7Signature (
455 TestSignatureWithNoEKUsPresent,
456 ARRAY_SIZE (TestSignatureWithNoEKUsPresent),
457 (CONST CHAR8 **)NULL,
458 0,
459 TRUE
460 );
461 UT_ASSERT_STATUS_EQUAL (Status, EFI_INVALID_PARAMETER);
462
463 return UNIT_TEST_PASSED;
464 }// TestInvalidParameters()
465
466 /**
467 TestEKUSubStringFails()
468
469 Pass the API a sub set and super set of an EKU and ensure that they
470 don't pass.
471
472 @param[in] Framework - Unit-test framework handle.
473 @param[in] Context - Optional context pointer for this test.
474
475 @retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
476 @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
477 **/
478 static
479 UNIT_TEST_STATUS
480 EFIAPI
481 TestEKUSubsetSupersetFails (
482 IN UNIT_TEST_CONTEXT Context
483 )
484 {
485 EFI_STATUS Status = EFI_SUCCESS;
486
487 //
488 // This signature has an EKU of:
489 // "1.3.6.1.4.1.311.76.9.21.1.10001"
490 // so ensure that
491 // "1.3.6.1.4.1.311.76.9.21"
492 // does not pass.
493 //
494 CONST CHAR8 *RequiredEKUs1[] = { "1.3.6.1.4.1.311.76.9.21" };
495
496 Status = VerifyEKUsInPkcs7Signature (
497 TestSignedWithProductId10001,
498 ARRAY_SIZE (TestSignedWithProductId10001),
499 (CONST CHAR8 **)RequiredEKUs1,
500 ARRAY_SIZE (RequiredEKUs1),
501 TRUE
502 );
503 UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);
504
505 //
506 // This signature has an EKU of:
507 // "1.3.6.1.4.1.311.76.9.21.1.10001"
508 // so ensure that a super set
509 // "1.3.6.1.4.1.311.76.9.21.1.10001.1"
510 // does not pass.
511 //
512 CONST CHAR8 *RequiredEKUs2[] = { "1.3.6.1.4.1.311.76.9.21.1.10001.1" };
513
514 Status = VerifyEKUsInPkcs7Signature (
515 TestSignedWithProductId10001,
516 ARRAY_SIZE (TestSignedWithProductId10001),
517 (CONST CHAR8 **)RequiredEKUs2,
518 ARRAY_SIZE (RequiredEKUs2),
519 TRUE
520 );
521 UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);
522
523 return UNIT_TEST_PASSED;
524 }// TestEKUSubsetSupersetFails()
525
526 TEST_DESC mPkcs7EkuTest[] = {
527 //
528 // -----Description--------------------------------Class----------------------------Function------------------------------Pre---Post--Context
529 //
530 { "TestVerifyEKUsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsInSignature, NULL, NULL, NULL },
531 { "TestVerifyEKUsWith3CertsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWith3CertsInSignature, NULL, NULL, NULL },
532 { "TestVerifyEKUsWith2CertsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWith2CertsInSignature, NULL, NULL, NULL },
533 { "TestVerifyEKUsWith1CertInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWith1CertInSignature, NULL, NULL, NULL },
534 { "TestVerifyEKUsWithMultipleEKUsInCert()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWithMultipleEKUsInCert, NULL, NULL, NULL },
535 { "TestEkusNotPresentInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestEkusNotPresentInSignature, NULL, NULL, NULL },
536 { "TestProductId10001PresentInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestProductId10001PresentInSignature, NULL, NULL, NULL },
537 { "TestOnlyOneEkuInListRequired()", "CryptoPkg.BaseCryptLib.Eku", TestOnlyOneEkuInListRequired, NULL, NULL, NULL },
538 { "TestNoEKUsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestNoEKUsInSignature, NULL, NULL, NULL },
539 { "TestInvalidParameters()", "CryptoPkg.BaseCryptLib.Eku", TestInvalidParameters, NULL, NULL, NULL },
540 { "TestEKUSubsetSupersetFails()", "CryptoPkg.BaseCryptLib.Eku", TestEKUSubsetSupersetFails, NULL, NULL, NULL },
541 };
542
543 UINTN mPkcs7EkuTestNum = ARRAY_SIZE (mPkcs7EkuTest);
EFI Development Kit II mirror for PVE