]> git.proxmox.com Git - mirror_edk2.git/blob - CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7VerifyEku.c
projects / mirror_edk2.git / blob
? search:


833b29ae97551b672abb7b3482e0a48110ff7ba3
[mirror_edk2.git] / CryptoPkg / Library / BaseCryptLib / Pk / CryptPkcs7VerifyEku.c
1 /** @file
2 This module verifies that Enhanced Key Usages (EKU's) are present within
3 a PKCS7 signature blob using OpenSSL.
4
5 Copyright (C) Microsoft Corporation. All Rights Reserved.
6 Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
7
8 SPDX-License-Identifier: BSD-2-Clause-Patent
9
10 **/
11
12 #include <Base.h>
13 #include "InternalCryptLib.h"
14 #include <openssl/x509v3.h>
15 #include <openssl/asn1.h>
16 #include <openssl/x509.h>
17 #include <openssl/bio.h>
18 #include <crypto/x509.h>
19 #include <openssl/pkcs7.h>
20 #include <openssl/bn.h>
21 #include <openssl/x509_vfy.h>
22 #include <openssl/pem.h>
23 #include <openssl/evp.h>
24 #include <crypto/asn1.h>
25
26 /**
27 This function will return the leaf signer certificate in a chain. This is
28 required because certificate chains are not guaranteed to have the
29 certificates in the order that they were issued.
30
31 A typical certificate chain looks like this:
32
33
34 ----------------------------
35 | Root |
36 ----------------------------
37 ^
38 |
39 ----------------------------
40 | Policy CA | <-- Typical Trust Anchor.
41 ----------------------------
42 ^
43 |
44 ----------------------------
45 | Issuing CA |
46 ----------------------------
47 ^
48 |
49 -----------------------------
50 / End-Entity (leaf) signer / <-- Bottom certificate.
51 ----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1"
52 (Firmware Signing)
53
54
55 @param[in] CertChain Certificate chain.
56
57 @param[out] SignerCert Last certificate in the chain. For PKCS7 signatures,
58 this will be the end-entity (leaf) signer cert.
59
60 @retval EFI_SUCCESS The required EKUs were found in the signature.
61 @retval EFI_INVALID_PARAMETER A parameter was invalid.
62 @retval EFI_NOT_FOUND The number of signers found was not 1.
63
64 **/
65 EFI_STATUS
66 GetSignerCertificate (
67 IN CONST PKCS7 *CertChain,
68 OUT X509 **SignerCert
69 )
70 {
71 EFI_STATUS Status;
72
73 STACK_OF (X509) *Signers;
74 INT32 NumberSigners;
75
76 Status = EFI_SUCCESS;
77 Signers = NULL;
78 NumberSigners = 0;
79
80 if ((CertChain == NULL) || (SignerCert == NULL)) {
81 Status = EFI_INVALID_PARAMETER;
82 goto Exit;
83 }
84
85 //
86 // Get the signers from the chain.
87 //
88 Signers = PKCS7_get0_signers ((PKCS7 *)CertChain, NULL, PKCS7_BINARY);
89 if (Signers == NULL) {
90 //
91 // Fail to get signers form PKCS7
92 //
93 Status = EFI_INVALID_PARAMETER;
94 goto Exit;
95 }
96
97 //
98 // There should only be one signer in the PKCS7 stack.
99 //
100 NumberSigners = sk_X509_num (Signers);
101 if (NumberSigners != 1) {
102 //
103 // The number of singers should have been 1
104 //
105 Status = EFI_NOT_FOUND;
106 goto Exit;
107 }
108
109 *SignerCert = sk_X509_value (Signers, 0);
110
111 Exit:
112 //
113 // Release Resources
114 //
115 if (Signers != NULL) {
116 sk_X509_free (Signers);
117 }
118
119 return Status;
120 }
121
122 /**
123 Determines if the specified EKU represented in ASN1 form is present
124 in a given certificate.
125
126 @param[in] Cert The certificate to check.
127
128 @param[in] Asn1ToFind The EKU to look for.
129
130 @retval EFI_SUCCESS We successfully identified the signing type.
131 @retval EFI_INVALID_PARAMETER A parameter was invalid.
132 @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
133
134 **/
135 EFI_STATUS
136 IsEkuInCertificate (
137 IN CONST X509 *Cert,
138 IN ASN1_OBJECT *Asn1ToFind
139 )
140 {
141 EFI_STATUS Status;
142 X509 *ClonedCert;
143 X509_EXTENSION *Extension;
144 EXTENDED_KEY_USAGE *Eku;
145 INT32 ExtensionIndex;
146 INTN NumExtensions;
147 ASN1_OBJECT *Asn1InCert;
148 INTN Index;
149
150 Status = EFI_NOT_FOUND;
151 ClonedCert = NULL;
152 Extension = NULL;
153 Eku = NULL;
154 ExtensionIndex = -1;
155 NumExtensions = 0;
156 Asn1InCert = NULL;
157
158 if ((Cert == NULL) || (Asn1ToFind == NULL)) {
159 Status = EFI_INVALID_PARAMETER;
160 goto Exit;
161 }
162
163 //
164 // Clone the certificate. This is required because the Extension API's
165 // only work once per instance of an X509 object.
166 //
167 ClonedCert = X509_dup ((X509 *)Cert);
168 if (ClonedCert == NULL) {
169 //
170 // Fail to duplicate cert.
171 //
172 Status = EFI_INVALID_PARAMETER;
173 goto Exit;
174 }
175
176 //
177 // Look for the extended key usage.
178 //
179 ExtensionIndex = X509_get_ext_by_NID (ClonedCert, NID_ext_key_usage, -1);
180
181 if (ExtensionIndex < 0) {
182 //
183 // Fail to find 'NID_ext_key_usage' in Cert.
184 //
185 goto Exit;
186 }
187
188 Extension = X509_get_ext (ClonedCert, ExtensionIndex);
189 if (Extension == NULL) {
190 //
191 // Fail to get Extension form cert.
192 //
193 goto Exit;
194 }
195
196 Eku = (EXTENDED_KEY_USAGE *)X509V3_EXT_d2i (Extension);
197 if (Eku == NULL) {
198 //
199 // Fail to get Eku from extension.
200 //
201 goto Exit;
202 }
203
204 NumExtensions = sk_ASN1_OBJECT_num (Eku);
205
206 //
207 // Now loop through the extensions, looking for the specified Eku.
208 //
209 for (Index = 0; Index < NumExtensions; Index++) {
210 Asn1InCert = sk_ASN1_OBJECT_value (Eku, (INT32)Index);
211 if (Asn1InCert == NULL) {
212 //
213 // Fail to get ASN object from Eku.
214 //
215 goto Exit;
216 }
217
218 if ((Asn1InCert->length == Asn1ToFind->length) &&
219 (CompareMem (Asn1InCert->data, Asn1ToFind->data, Asn1InCert->length) == 0))
220 {
221 //
222 // Found Eku in certificate.
223 //
224 Status = EFI_SUCCESS;
225 goto Exit;
226 }
227 }
228
229 Exit:
230
231 //
232 // Release Resources
233 //
234 if (ClonedCert != NULL) {
235 X509_free (ClonedCert);
236 }
237
238 if (Eku != NULL) {
239 sk_ASN1_OBJECT_pop_free (Eku, ASN1_OBJECT_free);
240 }
241
242 return Status;
243 }
244
245 /**
246 Determines if the specified EKUs are present in a signing certificate.
247
248 @param[in] SignerCert The certificate to check.
249 @param[in] RequiredEKUs The EKUs to look for.
250 @param[in] RequiredEKUsSize The number of EKUs
251 @param[in] RequireAllPresent If TRUE, then all the specified EKUs
252 must be present in the certificate.
253
254 @retval EFI_SUCCESS We successfully identified the signing type.
255 @retval EFI_INVALID_PARAMETER A parameter was invalid.
256 @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
257 **/
258 EFI_STATUS
259 CheckEKUs (
260 IN CONST X509 *SignerCert,
261 IN CONST CHAR8 *RequiredEKUs[],
262 IN CONST UINT32 RequiredEKUsSize,
263 IN BOOLEAN RequireAllPresent
264 )
265 {
266 EFI_STATUS Status;
267 ASN1_OBJECT *Asn1ToFind;
268 UINT32 NumEkusFound;
269 UINT32 Index;
270
271 Status = EFI_SUCCESS;
272 Asn1ToFind = NULL;
273 NumEkusFound = 0;
274
275 if ((SignerCert == NULL) || (RequiredEKUs == NULL) || (RequiredEKUsSize == 0)) {
276 Status = EFI_INVALID_PARAMETER;
277 goto Exit;
278 }
279
280 for (Index = 0; Index < RequiredEKUsSize; Index++) {
281 //
282 // Finding required EKU in cert.
283 //
284 if (Asn1ToFind != NULL) {
285 ASN1_OBJECT_free (Asn1ToFind);
286 Asn1ToFind = NULL;
287 }
288
289 Asn1ToFind = OBJ_txt2obj (RequiredEKUs[Index], 0);
290 if (Asn1ToFind == NULL) {
291 //
292 // Fail to convert required EKU to ASN1.
293 //
294 Status = EFI_INVALID_PARAMETER;
295 goto Exit;
296 }
297
298 Status = IsEkuInCertificate (SignerCert, Asn1ToFind);
299 if (Status == EFI_SUCCESS) {
300 NumEkusFound++;
301 if (!RequireAllPresent) {
302 //
303 // Found at least one, so we are done.
304 //
305 goto Exit;
306 }
307 } else {
308 //
309 // Fail to find Eku in cert
310 break;
311 }
312 }
313
314 Exit:
315
316 if (Asn1ToFind != NULL) {
317 ASN1_OBJECT_free (Asn1ToFind);
318 }
319
320 if (RequireAllPresent &&
321 (NumEkusFound == RequiredEKUsSize))
322 {
323 //
324 // Found all required EKUs in certificate.
325 //
326 Status = EFI_SUCCESS;
327 }
328
329 return Status;
330 }
331
332 /**
333 This function receives a PKCS#7 formatted signature blob,
334 looks for the EKU SEQUENCE blob, and if found then looks
335 for all the required EKUs. This function was created so that
336 the Surface team can cut down on the number of Certificate
337 Authorities (CA's) by checking EKU's on leaf signers for
338 a specific product. This prevents one product's certificate
339 from signing another product's firmware or unlock blobs.
340
341 Note that this function does not validate the certificate chain.
342 That needs to be done before using this function.
343
344 @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array
345 containing the content block with both the signature,
346 the signer's certificate, and any necessary intermediate
347 certificates.
348 @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature.
349 @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of
350 required EKUs that must be present in the signature.
351 @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array.
352 @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's
353 must be present in the leaf signer. If it is
354 FALSE, then we will succeed if we find any
355 of the specified EKU's.
356
357 @retval EFI_SUCCESS The required EKUs were found in the signature.
358 @retval EFI_INVALID_PARAMETER A parameter was invalid.
359 @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
360
361 **/
362 EFI_STATUS
363 EFIAPI
364 VerifyEKUsInPkcs7Signature (
365 IN CONST UINT8 *Pkcs7Signature,
366 IN CONST UINT32 SignatureSize,
367 IN CONST CHAR8 *RequiredEKUs[],
368 IN CONST UINT32 RequiredEKUsSize,
369 IN BOOLEAN RequireAllPresent
370 )
371 {
372 EFI_STATUS Status;
373 PKCS7 *Pkcs7;
374
375 STACK_OF (X509) *CertChain;
376 INT32 SignatureType;
377 INT32 NumberCertsInSignature;
378 X509 *SignerCert;
379 UINT8 *SignedData;
380 UINT8 *Temp;
381 UINTN SignedDataSize;
382 BOOLEAN IsWrapped;
383 BOOLEAN Ok;
384
385 Status = EFI_SUCCESS;
386 Pkcs7 = NULL;
387 CertChain = NULL;
388 SignatureType = 0;
389 NumberCertsInSignature = 0;
390 SignerCert = NULL;
391 SignedData = NULL;
392 SignedDataSize = 0;
393 IsWrapped = FALSE;
394 Ok = FALSE;
395
396 //
397 // Validate the input parameters.
398 //
399 if ((Pkcs7Signature == NULL) ||
400 (SignatureSize == 0) ||
401 (RequiredEKUs == NULL) ||
402 (RequiredEKUsSize == 0))
403 {
404 Status = EFI_INVALID_PARAMETER;
405 goto Exit;
406 }
407
408 if (RequiredEKUsSize == 1) {
409 RequireAllPresent = TRUE;
410 }
411
412 //
413 // Wrap the PKCS7 data if needed.
414 //
415 Ok = WrapPkcs7Data (
416 Pkcs7Signature,
417 SignatureSize,
418 &IsWrapped,
419 &SignedData,
420 &SignedDataSize
421 );
422 if (!Ok) {
423 //
424 // Fail to Wrap the PKCS7 data.
425 //
426 Status = EFI_INVALID_PARAMETER;
427 goto Exit;
428 }
429
430 Temp = SignedData;
431
432 //
433 // Create the PKCS7 object.
434 //
435 Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **)&Temp, (INT32)SignedDataSize);
436 if (Pkcs7 == NULL) {
437 //
438 // Fail to read PKCS7 data.
439 //
440 Status = EFI_INVALID_PARAMETER;
441 goto Exit;
442 }
443
444 //
445 // Get the certificate chain.
446 //
447 SignatureType = OBJ_obj2nid (Pkcs7->type);
448 switch (SignatureType) {
449 case NID_pkcs7_signed:
450 if (Pkcs7->d.sign != NULL) {
451 CertChain = Pkcs7->d.sign->cert;
452 }
453
454 break;
455 case NID_pkcs7_signedAndEnveloped:
456 if (Pkcs7->d.signed_and_enveloped != NULL) {
457 CertChain = Pkcs7->d.signed_and_enveloped->cert;
458 }
459
460 break;
461 default:
462 break;
463 }
464
465 //
466 // Ensure we have a certificate stack
467 //
468 if (CertChain == NULL) {
469 //
470 // Fail to get the certificate stack from signature.
471 //
472 Status = EFI_INVALID_PARAMETER;
473 goto Exit;
474 }
475
476 //
477 // Find out how many certificates were in the PKCS7 signature.
478 //
479 NumberCertsInSignature = sk_X509_num (CertChain);
480
481 if (NumberCertsInSignature == 0) {
482 //
483 // Fail to find any certificates in signature.
484 //
485 Status = EFI_INVALID_PARAMETER;
486 goto Exit;
487 }
488
489 //
490 // Get the leaf signer.
491 //
492 Status = GetSignerCertificate (Pkcs7, &SignerCert);
493 if ((Status != EFI_SUCCESS) || (SignerCert == NULL)) {
494 //
495 // Fail to get the end-entity leaf signer certificate.
496 //
497 Status = EFI_INVALID_PARAMETER;
498 goto Exit;
499 }
500
501 Status = CheckEKUs (SignerCert, RequiredEKUs, RequiredEKUsSize, RequireAllPresent);
502 if (Status != EFI_SUCCESS) {
503 goto Exit;
504 }
505
506 Exit:
507
508 //
509 // Release Resources
510 //
511 // If the signature was not wrapped, then the call to WrapData() will allocate
512 // the data and add a header to it
513 //
514 if (!IsWrapped && SignedData) {
515 free (SignedData);
516 }
517
518 if (Pkcs7 != NULL) {
519 PKCS7_free (Pkcs7);
520 }
521
522 return Status;
523 }
EFI Development Kit II mirror for PVE