CryptoPkg/Library/BaseCryptLibNull/Pk/CryptPkcs7VerifyEkuNull.c

   1 /** @file
   2   PKCS7 Verify Null implementation.
   3
   4   Copyright (C) Microsoft Corporation. All Rights Reserved.
   5   Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
   6
   7   SPDX-License-Identifier: BSD-2-Clause-Patent
   8
   9 **/
  10
  11 #include "InternalCryptLib.h"
  12
  13 /**
  14   This function will return the leaf signer certificate in a chain.  This is
  15   required because certificate chains are not guaranteed to have the
  16   certificates in the order that they were issued.
  17
  18   A typical certificate chain looks like this:
  19
  20
  21                  ----------------------------
  22                 |            Root            |
  23                  ----------------------------
  24                                ^
  25                                |
  26                  ----------------------------
  27                 |          Policy CA         | <-- Typical Trust Anchor.
  28                  ----------------------------
  29                                ^
  30                                |
  31                  ----------------------------
  32                 |         Issuing CA         |
  33                  ----------------------------
  34                                ^
  35                                |
  36                  -----------------------------
  37                 /  End-Entity (leaf) signer  / <-- Bottom certificate.
  38                 -----------------------------  EKU: "1.3.6.1.4.1.311.76.9.21.1"
  39                                                     (Firmware Signing)
  40
  41
  42   @param[in]   CertChain            Certificate chain.
  43
  44   @param[out]  SignerCert           Last certificate in the chain.  For PKCS7 signatures,
  45                                     this will be the end-entity (leaf) signer cert.
  46
  47   @retval EFI_SUCCESS               The required EKUs were found in the signature.
  48   @retval EFI_INVALID_PARAMETER     A parameter was invalid.
  49   @retval EFI_NOT_FOUND             The number of signers found was not 1.
  50
  51 **/
  52 EFI_STATUS
  53 GetSignerCertificate (
  54   IN CONST VOID *CertChain,
  55   OUT VOID       **SignerCert
  56   )
  57 {
  58   ASSERT(FALSE);
  59   return EFI_NOT_READY;
  60
  61 }
  62
  63
  64 /**
  65   Determines if the specified EKU represented in ASN1 form is present
  66   in a given certificate.
  67
  68   @param[in]  Cert                  The certificate to check.
  69
  70   @param[in]  Asn1ToFind            The EKU to look for.
  71
  72   @retval EFI_SUCCESS               We successfully identified the signing type.
  73   @retval EFI_INVALID_PARAMETER     A parameter was invalid.
  74   @retval EFI_NOT_FOUND             One or more EKU's were not found in the signature.
  75
  76 **/
  77 EFI_STATUS
  78 IsEkuInCertificate (
  79   IN CONST VOID  *Cert,
  80   IN VOID *Asn1ToFind
  81   )
  82 {
  83   ASSERT(FALSE);
  84   return EFI_NOT_READY;
  85 }
  86
  87
  88 /**
  89   Determines if the specified EKUs are present in a signing certificate.
  90
  91   @param[in]  SignerCert            The certificate to check.
  92   @param[in]  RequiredEKUs          The EKUs to look for.
  93   @param[in]  RequiredEKUsSize      The number of EKUs
  94   @param[in]  RequireAllPresent     If TRUE, then all the specified EKUs
  95                                     must be present in the certificate.
  96
  97   @retval EFI_SUCCESS               We successfully identified the signing type.
  98   @retval EFI_INVALID_PARAMETER     A parameter was invalid.
  99   @retval EFI_NOT_FOUND             One or more EKU's were not found in the signature.
 100 **/
 101 EFI_STATUS
 102 CheckEKUs(
 103   IN CONST VOID     *SignerCert,
 104   IN CONST CHAR8    *RequiredEKUs[],
 105   IN CONST UINT32   RequiredEKUsSize,
 106   IN BOOLEAN        RequireAllPresent
 107   )
 108 {
 109   ASSERT(FALSE);
 110   return EFI_NOT_READY;
 111 }
 112
 113 /**
 114   This function receives a PKCS#7 formatted signature blob,
 115   looks for the EKU SEQUENCE blob, and if found then looks
 116   for all the required EKUs. This function was created so that
 117   the Surface team can cut down on the number of Certificate
 118   Authorities (CA's) by checking EKU's on leaf signers for
 119   a specific product. This prevents one product's certificate
 120   from signing another product's firmware or unlock blobs.
 121
 122   Note that this function does not validate the certificate chain.
 123   That needs to be done before using this function.
 124
 125   @param[in]  Pkcs7Signature       The PKCS#7 signed information content block. An array
 126                                    containing the content block with both the signature,
 127                                    the signer's certificate, and any necessary intermediate
 128                                    certificates.
 129   @param[in]  Pkcs7SignatureSize   Number of bytes in Pkcs7Signature.
 130   @param[in]  RequiredEKUs         Array of null-terminated strings listing OIDs of
 131                                    required EKUs that must be present in the signature.
 132   @param[in]  RequiredEKUsSize     Number of elements in the RequiredEKUs string array.
 133   @param[in]  RequireAllPresent    If this is TRUE, then all of the specified EKU's
 134                                    must be present in the leaf signer.  If it is
 135                                    FALSE, then we will succeed if we find any
 136                                    of the specified EKU's.
 137
 138   @retval EFI_SUCCESS              The required EKUs were found in the signature.
 139   @retval EFI_INVALID_PARAMETER    A parameter was invalid.
 140   @retval EFI_NOT_FOUND            One or more EKU's were not found in the signature.
 141
 142 **/
 143 EFI_STATUS
 144 EFIAPI
 145 VerifyEKUsInPkcs7Signature (
 146   IN CONST UINT8    *Pkcs7Signature,
 147   IN CONST UINT32   SignatureSize,
 148   IN CONST CHAR8    *RequiredEKUs[],
 149   IN CONST UINT32   RequiredEKUsSize,
 150   IN BOOLEAN        RequireAllPresent
 151   )
 152 {
 153   ASSERT(FALSE);
 154   return EFI_NOT_READY;
 155 }
 156