[mirror_edk2.git] / CryptoPkg / Library / BaseCryptLibNull / Pk / CryptPkcs7VerifyEkuNull.c

/** @file\r
  PKCS7 Verify Null implementation.\r
\r
  Copyright (C) Microsoft Corporation. All Rights Reserved.\r
  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>\r
\r
  SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#include "InternalCryptLib.h"\r
\r
/**\r
  This function will return the leaf signer certificate in a chain.  This is\r
  required because certificate chains are not guaranteed to have the\r
  certificates in the order that they were issued.\r
\r
  A typical certificate chain looks like this:\r
\r
\r
                 ----------------------------\r
                |            Root            |\r
                 ----------------------------\r
                               ^\r
                               |\r
                 ----------------------------\r
                |          Policy CA         | <-- Typical Trust Anchor.\r
                 ----------------------------\r
                               ^\r
                               |\r
                 ----------------------------\r
                |         Issuing CA         |\r
                 ----------------------------\r
                               ^\r
                               |\r
                 -----------------------------\r
                /  End-Entity (leaf) signer  / <-- Bottom certificate.\r
                -----------------------------  EKU: "1.3.6.1.4.1.311.76.9.21.1"\r
                                                    (Firmware Signing)\r
\r
\r
  @param[in]   CertChain            Certificate chain.\r
\r
  @param[out]  SignerCert           Last certificate in the chain.  For PKCS7 signatures,\r
                                    this will be the end-entity (leaf) signer cert.\r
\r
  @retval EFI_SUCCESS               The required EKUs were found in the signature.\r
  @retval EFI_INVALID_PARAMETER     A parameter was invalid.\r
  @retval EFI_NOT_FOUND             The number of signers found was not 1.\r
\r
**/\r
EFI_STATUS\r
GetSignerCertificate (\r
  IN CONST VOID  *CertChain,\r
  OUT VOID       **SignerCert\r
  )\r
{\r
  ASSERT (FALSE);\r
  return EFI_NOT_READY;\r
}\r
\r
/**\r
  Determines if the specified EKU represented in ASN1 form is present\r
  in a given certificate.\r
\r
  @param[in]  Cert                  The certificate to check.\r
\r
  @param[in]  Asn1ToFind            The EKU to look for.\r
\r
  @retval EFI_SUCCESS               We successfully identified the signing type.\r
  @retval EFI_INVALID_PARAMETER     A parameter was invalid.\r
  @retval EFI_NOT_FOUND             One or more EKU's were not found in the signature.\r
\r
**/\r
EFI_STATUS\r
IsEkuInCertificate (\r
  IN CONST VOID  *Cert,\r
  IN VOID        *Asn1ToFind\r
  )\r
{\r
  ASSERT (FALSE);\r
  return EFI_NOT_READY;\r
}\r
\r
/**\r
  Determines if the specified EKUs are present in a signing certificate.\r
\r
  @param[in]  SignerCert            The certificate to check.\r
  @param[in]  RequiredEKUs          The EKUs to look for.\r
  @param[in]  RequiredEKUsSize      The number of EKUs\r
  @param[in]  RequireAllPresent     If TRUE, then all the specified EKUs\r
                                    must be present in the certificate.\r
\r
  @retval EFI_SUCCESS               We successfully identified the signing type.\r
  @retval EFI_INVALID_PARAMETER     A parameter was invalid.\r
  @retval EFI_NOT_FOUND             One or more EKU's were not found in the signature.\r
**/\r
EFI_STATUS\r
CheckEKUs (\r
  IN CONST VOID    *SignerCert,\r
  IN CONST CHAR8   *RequiredEKUs[],\r
  IN CONST UINT32  RequiredEKUsSize,\r
  IN BOOLEAN       RequireAllPresent\r
  )\r
{\r
  ASSERT (FALSE);\r
  return EFI_NOT_READY;\r
}\r
\r
/**\r
  This function receives a PKCS#7 formatted signature blob,\r
  looks for the EKU SEQUENCE blob, and if found then looks\r
  for all the required EKUs. This function was created so that\r
  the Surface team can cut down on the number of Certificate\r
  Authorities (CA's) by checking EKU's on leaf signers for\r
  a specific product. This prevents one product's certificate\r
  from signing another product's firmware or unlock blobs.\r
\r
  Note that this function does not validate the certificate chain.\r
  That needs to be done before using this function.\r
\r
  @param[in]  Pkcs7Signature       The PKCS#7 signed information content block. An array\r
                                   containing the content block with both the signature,\r
                                   the signer's certificate, and any necessary intermediate\r
                                   certificates.\r
  @param[in]  Pkcs7SignatureSize   Number of bytes in Pkcs7Signature.\r
  @param[in]  RequiredEKUs         Array of null-terminated strings listing OIDs of\r
                                   required EKUs that must be present in the signature.\r
  @param[in]  RequiredEKUsSize     Number of elements in the RequiredEKUs string array.\r
  @param[in]  RequireAllPresent    If this is TRUE, then all of the specified EKU's\r
                                   must be present in the leaf signer.  If it is\r
                                   FALSE, then we will succeed if we find any\r
                                   of the specified EKU's.\r
\r
  @retval EFI_SUCCESS              The required EKUs were found in the signature.\r
  @retval EFI_INVALID_PARAMETER    A parameter was invalid.\r
  @retval EFI_NOT_FOUND            One or more EKU's were not found in the signature.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
VerifyEKUsInPkcs7Signature (\r
  IN CONST UINT8   *Pkcs7Signature,\r
  IN CONST UINT32  SignatureSize,\r
  IN CONST CHAR8   *RequiredEKUs[],\r
  IN CONST UINT32  RequiredEKUsSize,\r
  IN BOOLEAN       RequireAllPresent\r
  )\r
{\r
  ASSERT (FALSE);\r
  return EFI_NOT_READY;\r
}\r
Commit	Line	Data
d95de082 SB	1	/** @file\r
	2	PKCS7 Verify Null implementation.\r
	3	\r
	4	Copyright (C) Microsoft Corporation. All Rights Reserved.\r
	5	Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>\r
	6	\r
	7	SPDX-License-Identifier: BSD-2-Clause-Patent\r
	8	\r
	9	**/\r
	10	\r
	11	#include "InternalCryptLib.h"\r
	12	\r
	13	/**\r
	14	This function will return the leaf signer certificate in a chain. This is\r
	15	required because certificate chains are not guaranteed to have the\r
	16	certificates in the order that they were issued.\r
	17	\r
	18	A typical certificate chain looks like this:\r
	19	\r
	20	\r
	21	----------------------------\r
	22	\| Root \|\r
	23	----------------------------\r
	24	^\r
	25	\|\r
	26	----------------------------\r
	27	\| Policy CA \| <-- Typical Trust Anchor.\r
	28	----------------------------\r
	29	^\r
	30	\|\r
	31	----------------------------\r
	32	\| Issuing CA \|\r
	33	----------------------------\r
	34	^\r
	35	\|\r
	36	-----------------------------\r
	37	/ End-Entity (leaf) signer / <-- Bottom certificate.\r
	38	----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1"\r
	39	(Firmware Signing)\r
	40	\r
	41	\r
	42	@param[in] CertChain Certificate chain.\r
	43	\r
	44	@param[out] SignerCert Last certificate in the chain. For PKCS7 signatures,\r
	45	this will be the end-entity (leaf) signer cert.\r
	46	\r
	47	@retval EFI_SUCCESS The required EKUs were found in the signature.\r
	48	@retval EFI_INVALID_PARAMETER A parameter was invalid.\r
	49	@retval EFI_NOT_FOUND The number of signers found was not 1.\r
	50	\r
	51	**/\r
	52	EFI_STATUS\r
	53	GetSignerCertificate (\r
7c342378	54	IN CONST VOID *CertChain,\r
d95de082 SB	55	OUT VOID **SignerCert\r
	56	)\r
	57	{\r
7c342378	58	ASSERT (FALSE);\r
d95de082	59	return EFI_NOT_READY;\r
d95de082 SB	60	}\r
d95de082 SB	61	\r
d95de082 SB	62	/**\r
	63	Determines if the specified EKU represented in ASN1 form is present\r
	64	in a given certificate.\r
	65	\r
	66	@param[in] Cert The certificate to check.\r
	67	\r
	68	@param[in] Asn1ToFind The EKU to look for.\r
	69	\r
	70	@retval EFI_SUCCESS We successfully identified the signing type.\r
	71	@retval EFI_INVALID_PARAMETER A parameter was invalid.\r
	72	@retval EFI_NOT_FOUND One or more EKU's were not found in the signature.\r
	73	\r
	74	**/\r
	75	EFI_STATUS\r
	76	IsEkuInCertificate (\r
	77	IN CONST VOID *Cert,\r
7c342378	78	IN VOID *Asn1ToFind\r
d95de082 SB	79	)\r
d95de082 SB	80	{\r
7c342378	81	ASSERT (FALSE);\r
d95de082 SB	82	return EFI_NOT_READY;\r
	83	}\r
	84	\r
d95de082 SB	85	/**\r
	86	Determines if the specified EKUs are present in a signing certificate.\r
	87	\r
	88	@param[in] SignerCert The certificate to check.\r
	89	@param[in] RequiredEKUs The EKUs to look for.\r
	90	@param[in] RequiredEKUsSize The number of EKUs\r
	91	@param[in] RequireAllPresent If TRUE, then all the specified EKUs\r
	92	must be present in the certificate.\r
	93	\r
	94	@retval EFI_SUCCESS We successfully identified the signing type.\r
	95	@retval EFI_INVALID_PARAMETER A parameter was invalid.\r
	96	@retval EFI_NOT_FOUND One or more EKU's were not found in the signature.\r
	97	**/\r
	98	EFI_STATUS\r
7c342378 MK	99	CheckEKUs (\r
	100	IN CONST VOID *SignerCert,\r
	101	IN CONST CHAR8 *RequiredEKUs[],\r
	102	IN CONST UINT32 RequiredEKUsSize,\r
	103	IN BOOLEAN RequireAllPresent\r
d95de082 SB	104	)\r
d95de082 SB	105	{\r
7c342378	106	ASSERT (FALSE);\r
d95de082 SB	107	return EFI_NOT_READY;\r
	108	}\r
	109	\r
	110	/**\r
	111	This function receives a PKCS#7 formatted signature blob,\r
	112	looks for the EKU SEQUENCE blob, and if found then looks\r
	113	for all the required EKUs. This function was created so that\r
	114	the Surface team can cut down on the number of Certificate\r
	115	Authorities (CA's) by checking EKU's on leaf signers for\r
	116	a specific product. This prevents one product's certificate\r
	117	from signing another product's firmware or unlock blobs.\r
	118	\r
	119	Note that this function does not validate the certificate chain.\r
	120	That needs to be done before using this function.\r
	121	\r
	122	@param[in] Pkcs7Signature The PKCS#7 signed information content block. An array\r
	123	containing the content block with both the signature,\r
	124	the signer's certificate, and any necessary intermediate\r
	125	certificates.\r
	126	@param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature.\r
	127	@param[in] RequiredEKUs Array of null-terminated strings listing OIDs of\r
	128	required EKUs that must be present in the signature.\r
	129	@param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array.\r
	130	@param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's\r
	131	must be present in the leaf signer. If it is\r
	132	FALSE, then we will succeed if we find any\r
	133	of the specified EKU's.\r
	134	\r
	135	@retval EFI_SUCCESS The required EKUs were found in the signature.\r
	136	@retval EFI_INVALID_PARAMETER A parameter was invalid.\r
	137	@retval EFI_NOT_FOUND One or more EKU's were not found in the signature.\r
	138	\r
	139	**/\r
	140	EFI_STATUS\r
	141	EFIAPI\r
	142	VerifyEKUsInPkcs7Signature (\r
7c342378 MK	143	IN CONST UINT8 *Pkcs7Signature,\r
	144	IN CONST UINT32 SignatureSize,\r
	145	IN CONST CHAR8 *RequiredEKUs[],\r
	146	IN CONST UINT32 RequiredEKUsSize,\r
	147	IN BOOLEAN RequireAllPresent\r
d95de082 SB	148	)\r
d95de082 SB	149	{\r
7c342378	150	ASSERT (FALSE);\r
d95de082 SB	151	return EFI_NOT_READY;\r
d95de082 SB	152	}\r