[mirror_edk2.git] / CryptoPkg / Test / UnitTest / Library / BaseCryptLib / Pkcs7EkuTests.c

/** @file -- Pkcs7EkuVerify.c\r
 * Copyright (c) Microsoft Corporation.\r
 * SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
  This is an test code which verifies specified\r
  Enhanced Key Usages (EKU)'s are present in the leaf signer\r
  of a PKCS7 formatted signature.\r
\r
\r
  A typical signing certificate chain looks like this: (Could be RSA or ECC).\r
\r
      ------------------------------------------\r
     |                                          | // Root of trust. ECDSA P521 curve\r
     |          TestEKUParsingRoot              | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE\r
     |                                          | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE\r
      ------------------------------------------\r
                        ^\r
                        |\r
      ------------------------------------------\r
     |                                          | // Policy CA.  Issues subordinate CAs. ECC P384 curve.\r
     |       TestEKUParsingPolicyCA             | // SHA 256 Key Usage:\r
     |                                          | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE\r
      ------------------------------------------\r
                        ^\r
                        |\r
      ------------------------------------------\r
     |                                          | // Issues end-entity (leaf) signers. ECC P256 curve.\r
     |        TestEKUParsingIssuingCA           | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE\r
     |                                          | // Enhanced Key Usage:\r
      ------------------------------------------  // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)\r
                        ^\r
                        |\r
         --------------------------------------\r
        /     TestEKUParsingLeafSigner &&     /   // Leaf signer,  ECC P256 curve.\r
       /    TestEKUParsingLeafSignerPid12345 /    // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE\r
      /                                     /     // Enhanced Key usages:\r
      --------------------------------------      // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)\r
                                                  // 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.\r
\r
\r
\r
\r
\r
**/\r
\r
#include "TestBaseCryptLib.h"\r
\r
#include "Pkcs7EkuTestSignatures.h"\r
\r
EFI_STATUS\r
EFIAPI\r
VerifyEKUsInPkcs7Signature (\r
  IN CONST UINT8   *Pkcs7Signature,\r
  IN CONST UINT32  SignatureSize,\r
  IN CONST CHAR8   *RequiredEKUs[],\r
  IN CONST UINT32  RequiredEKUsSize,\r
  IN BOOLEAN       RequireAllPresent\r
  );\r
\r
/// ================================================================================================\r
/// ================================================================================================\r
///\r
/// TEST CASES\r
///\r
/// ================================================================================================\r
/// ================================================================================================\r
\r
CONST CHAR8  FIRMWARE_SIGNER_EKU[] = "1.3.6.1.4.1.311.76.9.21.1";\r
\r
/**\r
  TestVerifyEKUsInSignature()\r
\r
  Verify that "1.3.6.1.4.1.311.76.9.21.1" (Firmware signature) is in the\r
  leaf signer certificate.\r
\r
\r
  @param[in]  Framework - Unit-test framework handle.\r
  @param[in]  Context   - Optional context pointer for this test.\r
\r
  @retval UNIT_TEST_PASSED            - The required EKUs were found in the signature.\r
  @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
**/\r
static\r
UNIT_TEST_STATUS\r
EFIAPI\r
TestVerifyEKUsInSignature (\r
  IN UNIT_TEST_CONTEXT  Context\r
  )\r
{\r
  EFI_STATUS  Status = EFI_SUCCESS;\r
\r
  CONST CHAR8  *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };\r
\r
  Status = VerifyEKUsInPkcs7Signature (\r
             ProductionECCSignature,\r
             ARRAY_SIZE (ProductionECCSignature),\r
             (CONST CHAR8 **)RequiredEKUs,\r
             ARRAY_SIZE (RequiredEKUs),\r
             TRUE\r
             );\r
  UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);\r
\r
  return UNIT_TEST_PASSED;\r
}// TestVerifyEKUsInSignature()\r
\r
/**\r
  TestVerifyEKUsWith3CertsInSignature()\r
\r
  This PKCS7 signature has 3 certificates in it. (Policy CA, Issuing CA\r
  and leaf signer). It has one firmware signing EKU in it.\r
  "1.3.6.1.4.1.311.76.9.21.1"\r
\r
  @param[in]  Framework - Unit-test framework handle.\r
  @param[in]  Context   - Optional context pointer for this test.\r
\r
  @retval UNIT_TEST_PASSED            - The required EKUs were found in the signature.\r
  @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
**/\r
static\r
UNIT_TEST_STATUS\r
EFIAPI\r
TestVerifyEKUsWith3CertsInSignature (\r
  IN UNIT_TEST_CONTEXT  Context\r
  )\r
{\r
  EFI_STATUS  Status = EFI_SUCCESS;\r
\r
  CONST CHAR8  *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };\r
\r
  Status = VerifyEKUsInPkcs7Signature (\r
             TestSignEKUsWith3CertsInSignature,\r
             ARRAY_SIZE (TestSignEKUsWith3CertsInSignature),\r
             (CONST CHAR8 **)RequiredEKUs,\r
             ARRAY_SIZE (RequiredEKUs),\r
             TRUE\r
             );\r
  UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);\r
\r
  return UNIT_TEST_PASSED;\r
}// TestVerifyEKUsWith3CertsInSignature()\r
\r
/**\r
  TestVerifyEKUsWith2CertsInSignature()\r
\r
  This PKCS7 signature has 2 certificates in it. (Issuing CA and leaf signer).\r
  It has one firmware signing EKU in it. "1.3.6.1.4.1.311.76.9.21.1"\r
\r
  @param[in]  Framework - Unit-test framework handle.\r
  @param[in]  Context   - Optional context pointer for this test.\r
\r
  @retval UNIT_TEST_PASSED            - The required EKUs were found in the signature.\r
  @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
**/\r
static\r
UNIT_TEST_STATUS\r
EFIAPI\r
TestVerifyEKUsWith2CertsInSignature (\r
  IN UNIT_TEST_CONTEXT  Context\r
  )\r
{\r
  EFI_STATUS  Status = EFI_SUCCESS;\r
\r
  CONST CHAR8  *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };\r
\r
  Status = VerifyEKUsInPkcs7Signature (\r
             TestSignEKUsWith2CertsInSignature,\r
             ARRAY_SIZE (TestSignEKUsWith2CertsInSignature),\r
             (CONST CHAR8 **)RequiredEKUs,\r
             ARRAY_SIZE (RequiredEKUs),\r
             TRUE\r
             );\r
  UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);\r
\r
  return UNIT_TEST_PASSED;\r
}// TestVerifyEKUsWith2CertsInSignature()\r
\r
/**\r
  TestVerifyEKUsWith1CertInSignature()\r
\r
  This PKCS7 signature only has the leaf signer in it.\r
  It has one firmware signing EKU in it. "1.3.6.1.4.1.311.76.9.21.1"\r
\r
  @param[in]  Framework - Unit-test framework handle.\r
  @param[in]  Context   - Optional context pointer for this test.\r
\r
  @retval UNIT_TEST_PASSED            - The required EKUs were found in the signature.\r
  @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
**/\r
static\r
UNIT_TEST_STATUS\r
EFIAPI\r
TestVerifyEKUsWith1CertInSignature (\r
  IN UNIT_TEST_CONTEXT  Context\r
  )\r
{\r
  EFI_STATUS  Status = EFI_SUCCESS;\r
\r
  CONST CHAR8  *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };\r
\r
  Status = VerifyEKUsInPkcs7Signature (\r
             TestSignEKUsWith1CertInSignature,\r
             ARRAY_SIZE (TestSignEKUsWith1CertInSignature),\r
             (CONST CHAR8 **)RequiredEKUs,\r
             ARRAY_SIZE (RequiredEKUs),\r
             TRUE\r
             );\r
  UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);\r
\r
  return UNIT_TEST_PASSED;\r
}// TestVerifyEKUsWith1CertInSignature()\r
\r
/**\r
  TestVerifyEKUsWithMultipleEKUsInCert()\r
\r
\r
  This signature has two EKU's in it:\r
  "1.3.6.1.4.1.311.76.9.21.1"\r
  "1.3.6.1.4.1.311.76.9.21.2"\r
  We verify that both EKU's were present in the leaf signer.\r
\r
  @param[in]  Framework - Unit-test framework handle.\r
  @param[in]  Context   - Optional context pointer for this test.\r
\r
  @retval UNIT_TEST_PASSED            - The required EKUs were found in the signature.\r
  @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
**/\r
static\r
UNIT_TEST_STATUS\r
EFIAPI\r
TestVerifyEKUsWithMultipleEKUsInCert (\r
  IN UNIT_TEST_CONTEXT  Context\r
  )\r
{\r
  EFI_STATUS  Status = EFI_SUCCESS;\r
\r
  CONST CHAR8  *RequiredEKUs[] = {\r
    "1.3.6.1.4.1.311.76.9.21.1",\r
    "1.3.6.1.4.1.311.76.9.21.1.2"\r
  };\r
\r
  Status = VerifyEKUsInPkcs7Signature (\r
             TestSignedWithMultipleEKUsInCert,\r
             ARRAY_SIZE (TestSignedWithMultipleEKUsInCert),\r
             (CONST CHAR8 **)RequiredEKUs,\r
             ARRAY_SIZE (RequiredEKUs),\r
             TRUE\r
             );\r
  UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);\r
\r
  return UNIT_TEST_PASSED;\r
}// TestVerifyEKUsWithMultipleEKUsInCert()\r
\r
/**\r
  TestEkusNotPresentInSignature()\r
\r
  This test verifies that if we send an EKU that is not in the signature,\r
  that we get back an error.\r
\r
  @param[in]  Framework - Unit-test framework handle.\r
  @param[in]  Context   - Optional context pointer for this test.\r
\r
  @retval UNIT_TEST_PASSED            - The required EKUs were found in the signature.\r
  @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
**/\r
static\r
UNIT_TEST_STATUS\r
EFIAPI\r
TestEkusNotPresentInSignature (\r
  IN UNIT_TEST_CONTEXT  Context\r
  )\r
{\r
  EFI_STATUS  Status = EFI_SUCCESS;\r
\r
  //\r
  // This EKU is not in the signature.\r
  //\r
  CONST CHAR8  *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.3" };\r
\r
  Status = VerifyEKUsInPkcs7Signature (\r
             TestSignedWithMultipleEKUsInCert,\r
             ARRAY_SIZE (TestSignedWithMultipleEKUsInCert),\r
             (CONST CHAR8 **)RequiredEKUs,\r
             ARRAY_SIZE (RequiredEKUs),\r
             TRUE\r
             );\r
  UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);\r
\r
  return UNIT_TEST_PASSED;\r
}// TestEkusNotPresentInSignature()\r
\r
/**\r
  TestEkusNotPresentInSignature()\r
\r
  This test signature has two EKU's in it:  (Product ID is 10001)\r
  "1.3.6.1.4.1.311.76.9.21.1"\r
  "1.3.6.1.4.1.311.76.9.21.1.10001"\r
\r
  @param[in]  Framework - Unit-test framework handle.\r
  @param[in]  Context   - Optional context pointer for this test.\r
\r
  @retval UNIT_TEST_PASSED            - The required EKUs were found in the signature.\r
  @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
**/\r
static\r
UNIT_TEST_STATUS\r
EFIAPI\r
TestProductId10001PresentInSignature (\r
  IN UNIT_TEST_CONTEXT  Context\r
  )\r
{\r
  EFI_STATUS  Status = EFI_SUCCESS;\r
\r
  //\r
  // These EKU's are present in the leaf signer certificate.\r
  //\r
  CONST CHAR8  *RequiredEKUs[] = {\r
    "1.3.6.1.4.1.311.76.9.21.1",\r
    "1.3.6.1.4.1.311.76.9.21.1.10001"\r
  };\r
\r
  Status = VerifyEKUsInPkcs7Signature (\r
             TestSignedWithProductId10001,\r
             ARRAY_SIZE (TestSignedWithProductId10001),\r
             (CONST CHAR8 **)RequiredEKUs,\r
             ARRAY_SIZE (RequiredEKUs),\r
             TRUE\r
             );\r
  UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);\r
\r
  return UNIT_TEST_PASSED;\r
}// TestProductId10001PresentInSignature()\r
\r
/**\r
  TestOnlyOneEkuInListRequired()\r
\r
  This test will check the BOOLEAN RequireAllPresent parameter in the\r
  call to VerifyEKUsInPkcs7Signature() behaves properly.  The signature\r
  has two EKU's in it:\r
\r
  "1.3.6.1.4.1.311.76.9.21.1"\r
  "1.3.6.1.4.1.311.76.9.21.1.10001"\r
\r
  but we only pass in one of them, and set RequireAllPresent to FALSE.\r
\r
  @param[in]  Framework - Unit-test framework handle.\r
  @param[in]  Context   - Optional context pointer for this test.\r
\r
  @retval UNIT_TEST_PASSED            - The required EKUs were found in the signature.\r
  @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
**/\r
static\r
UNIT_TEST_STATUS\r
EFIAPI\r
TestOnlyOneEkuInListRequired (\r
  IN UNIT_TEST_CONTEXT  Context\r
  )\r
{\r
  EFI_STATUS  Status = EFI_SUCCESS;\r
\r
  //\r
  // This will test the flag that specifies it is OK to succeed if\r
  // any one of the EKU's passed in is found.\r
  //\r
  CONST CHAR8  *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1.10001" };\r
\r
  Status = VerifyEKUsInPkcs7Signature (\r
             TestSignedWithProductId10001,\r
             ARRAY_SIZE (TestSignedWithProductId10001),\r
             (CONST CHAR8 **)RequiredEKUs,\r
             ARRAY_SIZE (RequiredEKUs),\r
             FALSE\r
             );\r
  UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);\r
\r
  return UNIT_TEST_PASSED;\r
}// TestOnlyOneEkuInListRequired()\r
\r
/**\r
  TestNoEKUsInSignature()\r
\r
  This test uses a signature that was signed with a certificate that does\r
  not contain any EKUs.\r
\r
\r
  @param[in]  Framework - Unit-test framework handle.\r
  @param[in]  Context   - Optional context pointer for this test.\r
\r
  @retval UNIT_TEST_PASSED            - The required EKUs were found in the signature.\r
  @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
**/\r
static\r
UNIT_TEST_STATUS\r
EFIAPI\r
TestNoEKUsInSignature (\r
  IN UNIT_TEST_CONTEXT  Context\r
  )\r
{\r
  EFI_STATUS  Status = EFI_SUCCESS;\r
\r
  //\r
  // This EKU is not in the certificate, so it should fail.\r
  //\r
  CONST CHAR8  *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1" };\r
\r
  Status = VerifyEKUsInPkcs7Signature (\r
             TestSignatureWithNoEKUsPresent,\r
             ARRAY_SIZE (TestSignatureWithNoEKUsPresent),\r
             (CONST CHAR8 **)RequiredEKUs,\r
             ARRAY_SIZE (RequiredEKUs),\r
             TRUE\r
             );\r
  UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);\r
\r
  return UNIT_TEST_PASSED;\r
}// TestNoEKUsInSignature()\r
\r
/**\r
  TestInvalidParameters()\r
\r
  Passes the API invalid parameters, and ensures that it does not succeed.\r
\r
  @param[in]  Framework - Unit-test framework handle.\r
  @param[in]  Context   - Optional context pointer for this test.\r
\r
  @retval UNIT_TEST_PASSED            - The required EKUs were found in the signature.\r
  @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
**/\r
static\r
UNIT_TEST_STATUS\r
EFIAPI\r
TestInvalidParameters (\r
  IN UNIT_TEST_CONTEXT  Context\r
  )\r
{\r
  EFI_STATUS  Status = EFI_SUCCESS;\r
\r
  CONST CHAR8  *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1" };\r
\r
  //\r
  // Check bad signature.\r
  //\r
  Status = VerifyEKUsInPkcs7Signature (\r
             NULL,\r
             0,\r
             (CONST CHAR8 **)RequiredEKUs,\r
             ARRAY_SIZE (RequiredEKUs),\r
             TRUE\r
             );\r
  UT_ASSERT_STATUS_EQUAL (Status, EFI_INVALID_PARAMETER);\r
\r
  //\r
  // Check invalid EKU's\r
  //\r
  Status = VerifyEKUsInPkcs7Signature (\r
             TestSignatureWithNoEKUsPresent,\r
             ARRAY_SIZE (TestSignatureWithNoEKUsPresent),\r
             (CONST CHAR8 **)NULL,\r
             0,\r
             TRUE\r
             );\r
  UT_ASSERT_STATUS_EQUAL (Status, EFI_INVALID_PARAMETER);\r
\r
  return UNIT_TEST_PASSED;\r
}// TestInvalidParameters()\r
\r
/**\r
  TestEKUSubStringFails()\r
\r
  Pass the API a sub set and super set of an EKU and ensure that they\r
  don't pass.\r
\r
  @param[in]  Framework - Unit-test framework handle.\r
  @param[in]  Context   - Optional context pointer for this test.\r
\r
  @retval UNIT_TEST_PASSED            - The required EKUs were found in the signature.\r
  @retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
**/\r
static\r
UNIT_TEST_STATUS\r
EFIAPI\r
TestEKUSubsetSupersetFails (\r
  IN UNIT_TEST_CONTEXT  Context\r
  )\r
{\r
  EFI_STATUS  Status = EFI_SUCCESS;\r
\r
  //\r
  // This signature has an EKU of:\r
  // "1.3.6.1.4.1.311.76.9.21.1.10001"\r
  // so ensure that\r
  // "1.3.6.1.4.1.311.76.9.21"\r
  // does not pass.\r
  //\r
  CONST CHAR8  *RequiredEKUs1[] = { "1.3.6.1.4.1.311.76.9.21" };\r
\r
  Status = VerifyEKUsInPkcs7Signature (\r
             TestSignedWithProductId10001,\r
             ARRAY_SIZE (TestSignedWithProductId10001),\r
             (CONST CHAR8 **)RequiredEKUs1,\r
             ARRAY_SIZE (RequiredEKUs1),\r
             TRUE\r
             );\r
  UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);\r
\r
  //\r
  // This signature has an EKU of:\r
  // "1.3.6.1.4.1.311.76.9.21.1.10001"\r
  // so ensure that a super set\r
  // "1.3.6.1.4.1.311.76.9.21.1.10001.1"\r
  // does not pass.\r
  //\r
  CONST CHAR8  *RequiredEKUs2[] = { "1.3.6.1.4.1.311.76.9.21.1.10001.1" };\r
\r
  Status = VerifyEKUsInPkcs7Signature (\r
             TestSignedWithProductId10001,\r
             ARRAY_SIZE (TestSignedWithProductId10001),\r
             (CONST CHAR8 **)RequiredEKUs2,\r
             ARRAY_SIZE (RequiredEKUs2),\r
             TRUE\r
             );\r
  UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);\r
\r
  return UNIT_TEST_PASSED;\r
}// TestEKUSubsetSupersetFails()\r
\r
TEST_DESC  mPkcs7EkuTest[] = {\r
  //\r
  // -----Description--------------------------------Class----------------------------Function------------------------------Pre---Post--Context\r
  //\r
  { "TestVerifyEKUsInSignature()",            "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsInSignature,            NULL, NULL, NULL },\r
  { "TestVerifyEKUsWith3CertsInSignature()",  "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWith3CertsInSignature,  NULL, NULL, NULL },\r
  { "TestVerifyEKUsWith2CertsInSignature()",  "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWith2CertsInSignature,  NULL, NULL, NULL },\r
  { "TestVerifyEKUsWith1CertInSignature()",   "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWith1CertInSignature,   NULL, NULL, NULL },\r
  { "TestVerifyEKUsWithMultipleEKUsInCert()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWithMultipleEKUsInCert, NULL, NULL, NULL },\r
  { "TestEkusNotPresentInSignature()",        "CryptoPkg.BaseCryptLib.Eku", TestEkusNotPresentInSignature,        NULL, NULL, NULL },\r
  { "TestProductId10001PresentInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestProductId10001PresentInSignature, NULL, NULL, NULL },\r
  { "TestOnlyOneEkuInListRequired()",         "CryptoPkg.BaseCryptLib.Eku", TestOnlyOneEkuInListRequired,         NULL, NULL, NULL },\r
  { "TestNoEKUsInSignature()",                "CryptoPkg.BaseCryptLib.Eku", TestNoEKUsInSignature,                NULL, NULL, NULL },\r
  { "TestInvalidParameters()",                "CryptoPkg.BaseCryptLib.Eku", TestInvalidParameters,                NULL, NULL, NULL },\r
  { "TestEKUSubsetSupersetFails()",           "CryptoPkg.BaseCryptLib.Eku", TestEKUSubsetSupersetFails,           NULL, NULL, NULL },\r
};\r
\r
UINTN  mPkcs7EkuTestNum = ARRAY_SIZE (mPkcs7EkuTest);\r
Commit	Line	Data
694bfd6f MC	1	/** @file -- Pkcs7EkuVerify.c\r
	2	* Copyright (c) Microsoft Corporation.\r
	3	* SPDX-License-Identifier: BSD-2-Clause-Patent\r
	4	\r
	5	This is an test code which verifies specified\r
	6	Enhanced Key Usages (EKU)'s are present in the leaf signer\r
	7	of a PKCS7 formatted signature.\r
	8	\r
	9	\r
	10	A typical signing certificate chain looks like this: (Could be RSA or ECC).\r
	11	\r
	12	------------------------------------------\r
	13	\| \| // Root of trust. ECDSA P521 curve\r
	14	\| TestEKUParsingRoot \| // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE\r
	15	\| \| // CERT_KEY_CERT_SIGN_KEY_USAGE \| CERT_CRL_SIGN_KEY_USAGE\r
	16	------------------------------------------\r
	17	^\r
	18	\|\r
	19	------------------------------------------\r
	20	\| \| // Policy CA. Issues subordinate CAs. ECC P384 curve.\r
	21	\| TestEKUParsingPolicyCA \| // SHA 256 Key Usage:\r
	22	\| \| // CERT_KEY_CERT_SIGN_KEY_USAGE \| CERT_CRL_SIGN_KEY_USAGE\r
	23	------------------------------------------\r
	24	^\r
	25	\|\r
	26	------------------------------------------\r
	27	\| \| // Issues end-entity (leaf) signers. ECC P256 curve.\r
	28	\| TestEKUParsingIssuingCA \| // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE\r
	29	\| \| // Enhanced Key Usage:\r
	30	------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)\r
	31	^\r
	32	\|\r
	33	--------------------------------------\r
	34	/ TestEKUParsingLeafSigner && / // Leaf signer, ECC P256 curve.\r
	35	/ TestEKUParsingLeafSignerPid12345 / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE\r
	36	/ / // Enhanced Key usages:\r
	37	-------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)\r
	38	// 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.\r
	39	\r
	40	\r
	41	\r
	42	\r
	43	\r
	44	**/\r
	45	\r
	46	#include "TestBaseCryptLib.h"\r
	47	\r
	48	#include "Pkcs7EkuTestSignatures.h"\r
	49	\r
	50	EFI_STATUS\r
	51	EFIAPI\r
	52	VerifyEKUsInPkcs7Signature (\r
7c342378	53	IN CONST UINT8 *Pkcs7Signature,\r
694bfd6f	54	IN CONST UINT32 SignatureSize,\r
7c342378	55	IN CONST CHAR8 *RequiredEKUs[],\r
694bfd6f MC	56	IN CONST UINT32 RequiredEKUsSize,\r
	57	IN BOOLEAN RequireAllPresent\r
	58	);\r
	59	\r
7c342378 MK	60	/// ================================================================================================\r
7c342378 MK	61	/// ================================================================================================\r
694bfd6f MC	62	///\r
	63	/// TEST CASES\r
	64	///\r
7c342378 MK	65	/// ================================================================================================\r
7c342378 MK	66	/// ================================================================================================\r
694bfd6f	67	\r
7c342378	68	CONST CHAR8 FIRMWARE_SIGNER_EKU[] = "1.3.6.1.4.1.311.76.9.21.1";\r
694bfd6f MC	69	\r
	70	/**\r
	71	TestVerifyEKUsInSignature()\r
	72	\r
	73	Verify that "1.3.6.1.4.1.311.76.9.21.1" (Firmware signature) is in the\r
	74	leaf signer certificate.\r
	75	\r
	76	\r
	77	@param[in] Framework - Unit-test framework handle.\r
	78	@param[in] Context - Optional context pointer for this test.\r
	79	\r
	80	@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.\r
	81	@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
	82	**/\r
	83	static\r
	84	UNIT_TEST_STATUS\r
	85	EFIAPI\r
	86	TestVerifyEKUsInSignature (\r
7c342378	87	IN UNIT_TEST_CONTEXT Context\r
694bfd6f MC	88	)\r
694bfd6f MC	89	{\r
7c342378	90	EFI_STATUS Status = EFI_SUCCESS;\r
694bfd6f	91	\r
7c342378	92	CONST CHAR8 *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };\r
694bfd6f	93	\r
7c342378 MK	94	Status = VerifyEKUsInPkcs7Signature (\r
	95	ProductionECCSignature,\r
	96	ARRAY_SIZE (ProductionECCSignature),\r
	97	(CONST CHAR8 **)RequiredEKUs,\r
	98	ARRAY_SIZE (RequiredEKUs),\r
	99	TRUE\r
	100	);\r
694bfd6f MC	101	UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);\r
	102	\r
	103	return UNIT_TEST_PASSED;\r
	104	}// TestVerifyEKUsInSignature()\r
	105	\r
694bfd6f MC	106	/**\r
	107	TestVerifyEKUsWith3CertsInSignature()\r
	108	\r
	109	This PKCS7 signature has 3 certificates in it. (Policy CA, Issuing CA\r
	110	and leaf signer). It has one firmware signing EKU in it.\r
	111	"1.3.6.1.4.1.311.76.9.21.1"\r
	112	\r
	113	@param[in] Framework - Unit-test framework handle.\r
	114	@param[in] Context - Optional context pointer for this test.\r
	115	\r
	116	@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.\r
	117	@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
	118	**/\r
	119	static\r
	120	UNIT_TEST_STATUS\r
	121	EFIAPI\r
	122	TestVerifyEKUsWith3CertsInSignature (\r
7c342378	123	IN UNIT_TEST_CONTEXT Context\r
694bfd6f MC	124	)\r
694bfd6f MC	125	{\r
7c342378	126	EFI_STATUS Status = EFI_SUCCESS;\r
694bfd6f	127	\r
7c342378	128	CONST CHAR8 *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };\r
694bfd6f	129	\r
7c342378 MK	130	Status = VerifyEKUsInPkcs7Signature (\r
	131	TestSignEKUsWith3CertsInSignature,\r
	132	ARRAY_SIZE (TestSignEKUsWith3CertsInSignature),\r
	133	(CONST CHAR8 **)RequiredEKUs,\r
	134	ARRAY_SIZE (RequiredEKUs),\r
	135	TRUE\r
	136	);\r
694bfd6f MC	137	UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);\r
	138	\r
	139	return UNIT_TEST_PASSED;\r
	140	}// TestVerifyEKUsWith3CertsInSignature()\r
	141	\r
	142	/**\r
	143	TestVerifyEKUsWith2CertsInSignature()\r
	144	\r
	145	This PKCS7 signature has 2 certificates in it. (Issuing CA and leaf signer).\r
	146	It has one firmware signing EKU in it. "1.3.6.1.4.1.311.76.9.21.1"\r
	147	\r
	148	@param[in] Framework - Unit-test framework handle.\r
	149	@param[in] Context - Optional context pointer for this test.\r
	150	\r
	151	@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.\r
	152	@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
	153	**/\r
	154	static\r
	155	UNIT_TEST_STATUS\r
	156	EFIAPI\r
	157	TestVerifyEKUsWith2CertsInSignature (\r
7c342378	158	IN UNIT_TEST_CONTEXT Context\r
694bfd6f MC	159	)\r
694bfd6f MC	160	{\r
7c342378	161	EFI_STATUS Status = EFI_SUCCESS;\r
694bfd6f	162	\r
7c342378	163	CONST CHAR8 *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };\r
694bfd6f	164	\r
7c342378 MK	165	Status = VerifyEKUsInPkcs7Signature (\r
	166	TestSignEKUsWith2CertsInSignature,\r
	167	ARRAY_SIZE (TestSignEKUsWith2CertsInSignature),\r
	168	(CONST CHAR8 **)RequiredEKUs,\r
	169	ARRAY_SIZE (RequiredEKUs),\r
	170	TRUE\r
	171	);\r
694bfd6f MC	172	UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);\r
	173	\r
	174	return UNIT_TEST_PASSED;\r
	175	}// TestVerifyEKUsWith2CertsInSignature()\r
	176	\r
694bfd6f MC	177	/**\r
	178	TestVerifyEKUsWith1CertInSignature()\r
	179	\r
	180	This PKCS7 signature only has the leaf signer in it.\r
	181	It has one firmware signing EKU in it. "1.3.6.1.4.1.311.76.9.21.1"\r
	182	\r
	183	@param[in] Framework - Unit-test framework handle.\r
	184	@param[in] Context - Optional context pointer for this test.\r
	185	\r
	186	@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.\r
	187	@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
	188	**/\r
	189	static\r
	190	UNIT_TEST_STATUS\r
	191	EFIAPI\r
	192	TestVerifyEKUsWith1CertInSignature (\r
7c342378	193	IN UNIT_TEST_CONTEXT Context\r
694bfd6f MC	194	)\r
694bfd6f MC	195	{\r
7c342378	196	EFI_STATUS Status = EFI_SUCCESS;\r
694bfd6f	197	\r
7c342378	198	CONST CHAR8 *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };\r
694bfd6f	199	\r
7c342378 MK	200	Status = VerifyEKUsInPkcs7Signature (\r
	201	TestSignEKUsWith1CertInSignature,\r
	202	ARRAY_SIZE (TestSignEKUsWith1CertInSignature),\r
	203	(CONST CHAR8 **)RequiredEKUs,\r
	204	ARRAY_SIZE (RequiredEKUs),\r
	205	TRUE\r
	206	);\r
694bfd6f MC	207	UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);\r
	208	\r
	209	return UNIT_TEST_PASSED;\r
	210	}// TestVerifyEKUsWith1CertInSignature()\r
	211	\r
694bfd6f MC	212	/**\r
	213	TestVerifyEKUsWithMultipleEKUsInCert()\r
	214	\r
	215	\r
	216	This signature has two EKU's in it:\r
	217	"1.3.6.1.4.1.311.76.9.21.1"\r
	218	"1.3.6.1.4.1.311.76.9.21.2"\r
	219	We verify that both EKU's were present in the leaf signer.\r
	220	\r
	221	@param[in] Framework - Unit-test framework handle.\r
	222	@param[in] Context - Optional context pointer for this test.\r
	223	\r
	224	@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.\r
	225	@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
	226	**/\r
	227	static\r
	228	UNIT_TEST_STATUS\r
	229	EFIAPI\r
	230	TestVerifyEKUsWithMultipleEKUsInCert (\r
7c342378	231	IN UNIT_TEST_CONTEXT Context\r
694bfd6f MC	232	)\r
694bfd6f MC	233	{\r
7c342378 MK	234	EFI_STATUS Status = EFI_SUCCESS;\r
	235	\r
	236	CONST CHAR8 *RequiredEKUs[] = {\r
	237	"1.3.6.1.4.1.311.76.9.21.1",\r
	238	"1.3.6.1.4.1.311.76.9.21.1.2"\r
	239	};\r
	240	\r
	241	Status = VerifyEKUsInPkcs7Signature (\r
	242	TestSignedWithMultipleEKUsInCert,\r
	243	ARRAY_SIZE (TestSignedWithMultipleEKUsInCert),\r
	244	(CONST CHAR8 **)RequiredEKUs,\r
	245	ARRAY_SIZE (RequiredEKUs),\r
	246	TRUE\r
	247	);\r
694bfd6f MC	248	UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);\r
	249	\r
	250	return UNIT_TEST_PASSED;\r
	251	}// TestVerifyEKUsWithMultipleEKUsInCert()\r
	252	\r
694bfd6f MC	253	/**\r
	254	TestEkusNotPresentInSignature()\r
	255	\r
	256	This test verifies that if we send an EKU that is not in the signature,\r
	257	that we get back an error.\r
	258	\r
	259	@param[in] Framework - Unit-test framework handle.\r
	260	@param[in] Context - Optional context pointer for this test.\r
	261	\r
	262	@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.\r
	263	@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
	264	**/\r
	265	static\r
	266	UNIT_TEST_STATUS\r
	267	EFIAPI\r
	268	TestEkusNotPresentInSignature (\r
7c342378	269	IN UNIT_TEST_CONTEXT Context\r
694bfd6f MC	270	)\r
694bfd6f MC	271	{\r
7c342378	272	EFI_STATUS Status = EFI_SUCCESS;\r
694bfd6f MC	273	\r
	274	//\r
	275	// This EKU is not in the signature.\r
	276	//\r
7c342378 MK	277	CONST CHAR8 *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.3" };\r
	278	\r
	279	Status = VerifyEKUsInPkcs7Signature (\r
	280	TestSignedWithMultipleEKUsInCert,\r
	281	ARRAY_SIZE (TestSignedWithMultipleEKUsInCert),\r
	282	(CONST CHAR8 **)RequiredEKUs,\r
	283	ARRAY_SIZE (RequiredEKUs),\r
	284	TRUE\r
	285	);\r
694bfd6f MC	286	UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);\r
	287	\r
	288	return UNIT_TEST_PASSED;\r
	289	}// TestEkusNotPresentInSignature()\r
	290	\r
	291	/**\r
	292	TestEkusNotPresentInSignature()\r
	293	\r
	294	This test signature has two EKU's in it: (Product ID is 10001)\r
	295	"1.3.6.1.4.1.311.76.9.21.1"\r
	296	"1.3.6.1.4.1.311.76.9.21.1.10001"\r
	297	\r
	298	@param[in] Framework - Unit-test framework handle.\r
	299	@param[in] Context - Optional context pointer for this test.\r
	300	\r
	301	@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.\r
	302	@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
	303	**/\r
694bfd6f MC	304	static\r
	305	UNIT_TEST_STATUS\r
	306	EFIAPI\r
7c342378 MK	307	TestProductId10001PresentInSignature (\r
	308	IN UNIT_TEST_CONTEXT Context\r
	309	)\r
694bfd6f	310	{\r
7c342378	311	EFI_STATUS Status = EFI_SUCCESS;\r
694bfd6f MC	312	\r
	313	//\r
	314	// These EKU's are present in the leaf signer certificate.\r
	315	//\r
7c342378 MK	316	CONST CHAR8 *RequiredEKUs[] = {\r
	317	"1.3.6.1.4.1.311.76.9.21.1",\r
	318	"1.3.6.1.4.1.311.76.9.21.1.10001"\r
	319	};\r
	320	\r
	321	Status = VerifyEKUsInPkcs7Signature (\r
	322	TestSignedWithProductId10001,\r
	323	ARRAY_SIZE (TestSignedWithProductId10001),\r
	324	(CONST CHAR8 **)RequiredEKUs,\r
	325	ARRAY_SIZE (RequiredEKUs),\r
	326	TRUE\r
	327	);\r
694bfd6f MC	328	UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);\r
	329	\r
	330	return UNIT_TEST_PASSED;\r
	331	}// TestProductId10001PresentInSignature()\r
	332	\r
694bfd6f MC	333	/**\r
	334	TestOnlyOneEkuInListRequired()\r
	335	\r
	336	This test will check the BOOLEAN RequireAllPresent parameter in the\r
	337	call to VerifyEKUsInPkcs7Signature() behaves properly. The signature\r
	338	has two EKU's in it:\r
	339	\r
	340	"1.3.6.1.4.1.311.76.9.21.1"\r
	341	"1.3.6.1.4.1.311.76.9.21.1.10001"\r
	342	\r
	343	but we only pass in one of them, and set RequireAllPresent to FALSE.\r
	344	\r
	345	@param[in] Framework - Unit-test framework handle.\r
	346	@param[in] Context - Optional context pointer for this test.\r
	347	\r
	348	@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.\r
	349	@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
	350	**/\r
694bfd6f MC	351	static\r
	352	UNIT_TEST_STATUS\r
	353	EFIAPI\r
7c342378 MK	354	TestOnlyOneEkuInListRequired (\r
	355	IN UNIT_TEST_CONTEXT Context\r
	356	)\r
694bfd6f	357	{\r
7c342378	358	EFI_STATUS Status = EFI_SUCCESS;\r
694bfd6f MC	359	\r
	360	//\r
	361	// This will test the flag that specifies it is OK to succeed if\r
	362	// any one of the EKU's passed in is found.\r
	363	//\r
7c342378 MK	364	CONST CHAR8 *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1.10001" };\r
	365	\r
	366	Status = VerifyEKUsInPkcs7Signature (\r
	367	TestSignedWithProductId10001,\r
	368	ARRAY_SIZE (TestSignedWithProductId10001),\r
	369	(CONST CHAR8 **)RequiredEKUs,\r
	370	ARRAY_SIZE (RequiredEKUs),\r
	371	FALSE\r
	372	);\r
694bfd6f MC	373	UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);\r
	374	\r
	375	return UNIT_TEST_PASSED;\r
	376	}// TestOnlyOneEkuInListRequired()\r
	377	\r
	378	/**\r
	379	TestNoEKUsInSignature()\r
	380	\r
	381	This test uses a signature that was signed with a certificate that does\r
	382	not contain any EKUs.\r
	383	\r
	384	\r
	385	@param[in] Framework - Unit-test framework handle.\r
	386	@param[in] Context - Optional context pointer for this test.\r
	387	\r
	388	@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.\r
	389	@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
	390	**/\r
694bfd6f MC	391	static\r
	392	UNIT_TEST_STATUS\r
	393	EFIAPI\r
7c342378 MK	394	TestNoEKUsInSignature (\r
	395	IN UNIT_TEST_CONTEXT Context\r
	396	)\r
694bfd6f	397	{\r
7c342378	398	EFI_STATUS Status = EFI_SUCCESS;\r
694bfd6f MC	399	\r
	400	//\r
	401	// This EKU is not in the certificate, so it should fail.\r
	402	//\r
7c342378 MK	403	CONST CHAR8 *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1" };\r
	404	\r
	405	Status = VerifyEKUsInPkcs7Signature (\r
	406	TestSignatureWithNoEKUsPresent,\r
	407	ARRAY_SIZE (TestSignatureWithNoEKUsPresent),\r
	408	(CONST CHAR8 **)RequiredEKUs,\r
	409	ARRAY_SIZE (RequiredEKUs),\r
	410	TRUE\r
	411	);\r
694bfd6f MC	412	UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);\r
	413	\r
	414	return UNIT_TEST_PASSED;\r
	415	}// TestNoEKUsInSignature()\r
	416	\r
694bfd6f MC	417	/**\r
	418	TestInvalidParameters()\r
	419	\r
	420	Passes the API invalid parameters, and ensures that it does not succeed.\r
	421	\r
	422	@param[in] Framework - Unit-test framework handle.\r
	423	@param[in] Context - Optional context pointer for this test.\r
	424	\r
	425	@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.\r
	426	@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
	427	**/\r
	428	static\r
	429	UNIT_TEST_STATUS\r
	430	EFIAPI\r
7c342378 MK	431	TestInvalidParameters (\r
	432	IN UNIT_TEST_CONTEXT Context\r
	433	)\r
694bfd6f	434	{\r
7c342378	435	EFI_STATUS Status = EFI_SUCCESS;\r
694bfd6f	436	\r
7c342378	437	CONST CHAR8 *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1" };\r
694bfd6f MC	438	\r
	439	//\r
	440	// Check bad signature.\r
	441	//\r
7c342378 MK	442	Status = VerifyEKUsInPkcs7Signature (\r
	443	NULL,\r
	444	0,\r
	445	(CONST CHAR8 **)RequiredEKUs,\r
	446	ARRAY_SIZE (RequiredEKUs),\r
	447	TRUE\r
	448	);\r
694bfd6f MC	449	UT_ASSERT_STATUS_EQUAL (Status, EFI_INVALID_PARAMETER);\r
	450	\r
	451	//\r
	452	// Check invalid EKU's\r
	453	//\r
7c342378 MK	454	Status = VerifyEKUsInPkcs7Signature (\r
	455	TestSignatureWithNoEKUsPresent,\r
	456	ARRAY_SIZE (TestSignatureWithNoEKUsPresent),\r
	457	(CONST CHAR8 **)NULL,\r
	458	0,\r
	459	TRUE\r
	460	);\r
694bfd6f MC	461	UT_ASSERT_STATUS_EQUAL (Status, EFI_INVALID_PARAMETER);\r
	462	\r
	463	return UNIT_TEST_PASSED;\r
	464	}// TestInvalidParameters()\r
	465	\r
694bfd6f MC	466	/**\r
	467	TestEKUSubStringFails()\r
	468	\r
	469	Pass the API a sub set and super set of an EKU and ensure that they\r
	470	don't pass.\r
	471	\r
	472	@param[in] Framework - Unit-test framework handle.\r
	473	@param[in] Context - Optional context pointer for this test.\r
	474	\r
	475	@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.\r
	476	@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.\r
	477	**/\r
	478	static\r
	479	UNIT_TEST_STATUS\r
	480	EFIAPI\r
7c342378 MK	481	TestEKUSubsetSupersetFails (\r
	482	IN UNIT_TEST_CONTEXT Context\r
	483	)\r
694bfd6f	484	{\r
7c342378	485	EFI_STATUS Status = EFI_SUCCESS;\r
694bfd6f MC	486	\r
	487	//\r
	488	// This signature has an EKU of:\r
	489	// "1.3.6.1.4.1.311.76.9.21.1.10001"\r
	490	// so ensure that\r
	491	// "1.3.6.1.4.1.311.76.9.21"\r
	492	// does not pass.\r
	493	//\r
7c342378 MK	494	CONST CHAR8 *RequiredEKUs1[] = { "1.3.6.1.4.1.311.76.9.21" };\r
	495	\r
	496	Status = VerifyEKUsInPkcs7Signature (\r
	497	TestSignedWithProductId10001,\r
	498	ARRAY_SIZE (TestSignedWithProductId10001),\r
	499	(CONST CHAR8 **)RequiredEKUs1,\r
	500	ARRAY_SIZE (RequiredEKUs1),\r
	501	TRUE\r
	502	);\r
694bfd6f MC	503	UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);\r
	504	\r
	505	//\r
	506	// This signature has an EKU of:\r
	507	// "1.3.6.1.4.1.311.76.9.21.1.10001"\r
	508	// so ensure that a super set\r
	509	// "1.3.6.1.4.1.311.76.9.21.1.10001.1"\r
	510	// does not pass.\r
	511	//\r
7c342378 MK	512	CONST CHAR8 *RequiredEKUs2[] = { "1.3.6.1.4.1.311.76.9.21.1.10001.1" };\r
	513	\r
	514	Status = VerifyEKUsInPkcs7Signature (\r
	515	TestSignedWithProductId10001,\r
	516	ARRAY_SIZE (TestSignedWithProductId10001),\r
	517	(CONST CHAR8 **)RequiredEKUs2,\r
	518	ARRAY_SIZE (RequiredEKUs2),\r
	519	TRUE\r
	520	);\r
694bfd6f MC	521	UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);\r
	522	\r
	523	return UNIT_TEST_PASSED;\r
	524	}// TestEKUSubsetSupersetFails()\r
	525	\r
7c342378 MK	526	TEST_DESC mPkcs7EkuTest[] = {\r
	527	//\r
	528	// -----Description--------------------------------Class----------------------------Function------------------------------Pre---Post--Context\r
	529	//\r
	530	{ "TestVerifyEKUsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsInSignature, NULL, NULL, NULL },\r
	531	{ "TestVerifyEKUsWith3CertsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWith3CertsInSignature, NULL, NULL, NULL },\r
	532	{ "TestVerifyEKUsWith2CertsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWith2CertsInSignature, NULL, NULL, NULL },\r
	533	{ "TestVerifyEKUsWith1CertInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWith1CertInSignature, NULL, NULL, NULL },\r
	534	{ "TestVerifyEKUsWithMultipleEKUsInCert()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWithMultipleEKUsInCert, NULL, NULL, NULL },\r
	535	{ "TestEkusNotPresentInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestEkusNotPresentInSignature, NULL, NULL, NULL },\r
	536	{ "TestProductId10001PresentInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestProductId10001PresentInSignature, NULL, NULL, NULL },\r
	537	{ "TestOnlyOneEkuInListRequired()", "CryptoPkg.BaseCryptLib.Eku", TestOnlyOneEkuInListRequired, NULL, NULL, NULL },\r
	538	{ "TestNoEKUsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestNoEKUsInSignature, NULL, NULL, NULL },\r
	539	{ "TestInvalidParameters()", "CryptoPkg.BaseCryptLib.Eku", TestInvalidParameters, NULL, NULL, NULL },\r
	540	{ "TestEKUSubsetSupersetFails()", "CryptoPkg.BaseCryptLib.Eku", TestEKUSubsetSupersetFails, NULL, NULL, NULL },\r
694bfd6f MC	541	};\r
694bfd6f MC	542	\r
7c342378	543	UINTN mPkcs7EkuTestNum = ARRAY_SIZE (mPkcs7EkuTest);\r