2 This module verifies that Enhanced Key Usages (EKU's) are present within
3 a PKCS7 signature blob using OpenSSL.
5 Copyright (C) Microsoft Corporation. All Rights Reserved.
6 Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
8 SPDX-License-Identifier: BSD-2-Clause-Patent
13 #include "InternalCryptLib.h"
14 #include <openssl/x509v3.h>
15 #include <openssl/asn1.h>
16 #include <openssl/x509.h>
17 #include <openssl/bio.h>
18 #include <crypto/x509.h>
19 #include <openssl/pkcs7.h>
20 #include <openssl/bn.h>
21 #include <openssl/x509_vfy.h>
22 #include <openssl/pem.h>
23 #include <openssl/evp.h>
24 #include <crypto/asn1.h>
27 This function will return the leaf signer certificate in a chain. This is
28 required because certificate chains are not guaranteed to have the
29 certificates in the order that they were issued.
31 A typical certificate chain looks like this:
34 ----------------------------
36 ----------------------------
39 ----------------------------
40 | Policy CA | <-- Typical Trust Anchor.
41 ----------------------------
44 ----------------------------
46 ----------------------------
49 -----------------------------
50 / End-Entity (leaf) signer / <-- Bottom certificate.
51 ----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1"
55 @param[in] CertChain Certificate chain.
57 @param[out] SignerCert Last certificate in the chain. For PKCS7 signatures,
58 this will be the end-entity (leaf) signer cert.
60 @retval EFI_SUCCESS The required EKUs were found in the signature.
61 @retval EFI_INVALID_PARAMETER A parameter was invalid.
62 @retval EFI_NOT_FOUND The number of signers found was not 1.
66 GetSignerCertificate (
67 IN CONST PKCS7
*CertChain
,
72 STACK_OF(X509
) *Signers
;
79 if (CertChain
== NULL
|| SignerCert
== NULL
) {
80 Status
= EFI_INVALID_PARAMETER
;
85 // Get the signers from the chain.
87 Signers
= PKCS7_get0_signers ((PKCS7
*) CertChain
, NULL
, PKCS7_BINARY
);
88 if (Signers
== NULL
) {
90 // Fail to get signers form PKCS7
92 Status
= EFI_INVALID_PARAMETER
;
97 // There should only be one signer in the PKCS7 stack.
99 NumberSigners
= sk_X509_num (Signers
);
100 if (NumberSigners
!= 1) {
102 // The number of singers should have been 1
104 Status
= EFI_NOT_FOUND
;
108 *SignerCert
= sk_X509_value (Signers
, 0);
114 if (Signers
!= NULL
) {
115 sk_X509_free (Signers
);
123 Determines if the specified EKU represented in ASN1 form is present
124 in a given certificate.
126 @param[in] Cert The certificate to check.
128 @param[in] Asn1ToFind The EKU to look for.
130 @retval EFI_SUCCESS We successfully identified the signing type.
131 @retval EFI_INVALID_PARAMETER A parameter was invalid.
132 @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
138 IN ASN1_OBJECT
*Asn1ToFind
143 X509_EXTENSION
*Extension
;
144 EXTENDED_KEY_USAGE
*Eku
;
145 INT32 ExtensionIndex
;
147 ASN1_OBJECT
*Asn1InCert
;
150 Status
= EFI_NOT_FOUND
;
158 if (Cert
== NULL
|| Asn1ToFind
== NULL
) {
159 Status
= EFI_INVALID_PARAMETER
;
164 // Clone the certificate. This is required because the Extension API's
165 // only work once per instance of an X509 object.
167 ClonedCert
= X509_dup ((X509
*)Cert
);
168 if (ClonedCert
== NULL
) {
170 // Fail to duplicate cert.
172 Status
= EFI_INVALID_PARAMETER
;
177 // Look for the extended key usage.
179 ExtensionIndex
= X509_get_ext_by_NID (ClonedCert
, NID_ext_key_usage
, -1);
181 if (ExtensionIndex
< 0) {
183 // Fail to find 'NID_ext_key_usage' in Cert.
188 Extension
= X509_get_ext (ClonedCert
, ExtensionIndex
);
189 if (Extension
== NULL
) {
191 // Fail to get Extension form cert.
196 Eku
= (EXTENDED_KEY_USAGE
*)X509V3_EXT_d2i (Extension
);
199 // Fail to get Eku from extension.
204 NumExtensions
= sk_ASN1_OBJECT_num (Eku
);
207 // Now loop through the extensions, looking for the specified Eku.
209 for (Index
= 0; Index
< NumExtensions
; Index
++) {
210 Asn1InCert
= sk_ASN1_OBJECT_value (Eku
, (INT32
)Index
);
211 if (Asn1InCert
== NULL
) {
213 // Fail to get ASN object from Eku.
218 if (Asn1InCert
->length
== Asn1ToFind
->length
&&
219 CompareMem (Asn1InCert
->data
, Asn1ToFind
->data
, Asn1InCert
->length
) == 0) {
221 // Found Eku in certificate.
223 Status
= EFI_SUCCESS
;
233 if (ClonedCert
!= NULL
) {
234 X509_free (ClonedCert
);
238 sk_ASN1_OBJECT_pop_free (Eku
, ASN1_OBJECT_free
);
246 Determines if the specified EKUs are present in a signing certificate.
248 @param[in] SignerCert The certificate to check.
249 @param[in] RequiredEKUs The EKUs to look for.
250 @param[in] RequiredEKUsSize The number of EKUs
251 @param[in] RequireAllPresent If TRUE, then all the specified EKUs
252 must be present in the certificate.
254 @retval EFI_SUCCESS We successfully identified the signing type.
255 @retval EFI_INVALID_PARAMETER A parameter was invalid.
256 @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
260 IN CONST X509
*SignerCert
,
261 IN CONST CHAR8
*RequiredEKUs
[],
262 IN CONST UINT32 RequiredEKUsSize
,
263 IN BOOLEAN RequireAllPresent
267 ASN1_OBJECT
*Asn1ToFind
;
271 Status
= EFI_SUCCESS
;
275 if (SignerCert
== NULL
|| RequiredEKUs
== NULL
|| RequiredEKUsSize
== 0) {
276 Status
= EFI_INVALID_PARAMETER
;
280 for (Index
= 0; Index
< RequiredEKUsSize
; Index
++) {
282 // Finding required EKU in cert.
284 if (Asn1ToFind
!= NULL
) {
285 ASN1_OBJECT_free(Asn1ToFind
);
289 Asn1ToFind
= OBJ_txt2obj (RequiredEKUs
[Index
], 0);
290 if (Asn1ToFind
== NULL
) {
292 // Fail to convert required EKU to ASN1.
294 Status
= EFI_INVALID_PARAMETER
;
298 Status
= IsEkuInCertificate (SignerCert
, Asn1ToFind
);
299 if (Status
== EFI_SUCCESS
) {
301 if (!RequireAllPresent
) {
303 // Found at least one, so we are done.
309 // Fail to find Eku in cert
316 if (Asn1ToFind
!= NULL
) {
317 ASN1_OBJECT_free(Asn1ToFind
);
320 if (RequireAllPresent
&&
321 NumEkusFound
== RequiredEKUsSize
) {
323 // Found all required EKUs in certificate.
325 Status
= EFI_SUCCESS
;
332 This function receives a PKCS#7 formatted signature blob,
333 looks for the EKU SEQUENCE blob, and if found then looks
334 for all the required EKUs. This function was created so that
335 the Surface team can cut down on the number of Certificate
336 Authorities (CA's) by checking EKU's on leaf signers for
337 a specific product. This prevents one product's certificate
338 from signing another product's firmware or unlock blobs.
340 Note that this function does not validate the certificate chain.
341 That needs to be done before using this function.
343 @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array
344 containing the content block with both the signature,
345 the signer's certificate, and any necessary intermediate
347 @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature.
348 @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of
349 required EKUs that must be present in the signature.
350 @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array.
351 @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's
352 must be present in the leaf signer. If it is
353 FALSE, then we will succeed if we find any
354 of the specified EKU's.
356 @retval EFI_SUCCESS The required EKUs were found in the signature.
357 @retval EFI_INVALID_PARAMETER A parameter was invalid.
358 @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
363 VerifyEKUsInPkcs7Signature (
364 IN CONST UINT8
*Pkcs7Signature
,
365 IN CONST UINT32 SignatureSize
,
366 IN CONST CHAR8
*RequiredEKUs
[],
367 IN CONST UINT32 RequiredEKUsSize
,
368 IN BOOLEAN RequireAllPresent
373 STACK_OF(X509
) *CertChain
;
375 INT32 NumberCertsInSignature
;
379 UINTN SignedDataSize
;
383 Status
= EFI_SUCCESS
;
387 NumberCertsInSignature
= 0;
395 //Validate the input parameters.
397 if (Pkcs7Signature
== NULL
||
398 SignatureSize
== 0 ||
399 RequiredEKUs
== NULL
||
400 RequiredEKUsSize
== 0) {
401 Status
= EFI_INVALID_PARAMETER
;
405 if (RequiredEKUsSize
== 1) {
406 RequireAllPresent
= TRUE
;
410 // Wrap the PKCS7 data if needed.
412 Ok
= WrapPkcs7Data (Pkcs7Signature
,
419 // Fail to Wrap the PKCS7 data.
421 Status
= EFI_INVALID_PARAMETER
;
428 // Create the PKCS7 object.
430 Pkcs7
= d2i_PKCS7 (NULL
, (const unsigned char **)&Temp
, (INT32
)SignedDataSize
);
433 // Fail to read PKCS7 data.
435 Status
= EFI_INVALID_PARAMETER
;
440 // Get the certificate chain.
442 SignatureType
= OBJ_obj2nid (Pkcs7
->type
);
443 switch (SignatureType
) {
444 case NID_pkcs7_signed
:
445 if (Pkcs7
->d
.sign
!= NULL
) {
446 CertChain
= Pkcs7
->d
.sign
->cert
;
449 case NID_pkcs7_signedAndEnveloped
:
450 if (Pkcs7
->d
.signed_and_enveloped
!= NULL
) {
451 CertChain
= Pkcs7
->d
.signed_and_enveloped
->cert
;
459 // Ensure we have a certificate stack
461 if (CertChain
== NULL
) {
463 // Fail to get the certificate stack from signature.
465 Status
= EFI_INVALID_PARAMETER
;
470 // Find out how many certificates were in the PKCS7 signature.
472 NumberCertsInSignature
= sk_X509_num (CertChain
);
474 if (NumberCertsInSignature
== 0) {
476 // Fail to find any certificates in signature.
478 Status
= EFI_INVALID_PARAMETER
;
483 // Get the leaf signer.
485 Status
= GetSignerCertificate (Pkcs7
, &SignerCert
);
486 if (Status
!= EFI_SUCCESS
|| SignerCert
== NULL
) {
488 // Fail to get the end-entity leaf signer certificate.
490 Status
= EFI_INVALID_PARAMETER
;
494 Status
= CheckEKUs (SignerCert
, RequiredEKUs
, RequiredEKUsSize
, RequireAllPresent
);
495 if (Status
!= EFI_SUCCESS
) {
504 // If the signature was not wrapped, then the call to WrapData() will allocate
505 // the data and add a header to it
507 if (!IsWrapped
&& SignedData
) {