--- /dev/null
+/** @file\r
+ PKCS7 Verify Null implementation.\r
+\r
+ Copyright (C) Microsoft Corporation. All Rights Reserved.\r
+ Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>\r
+\r
+ SPDX-License-Identifier: BSD-2-Clause-Patent\r
+\r
+**/\r
+\r
+#include "InternalCryptLib.h"\r
+\r
+/**\r
+ This function will return the leaf signer certificate in a chain. This is\r
+ required because certificate chains are not guaranteed to have the\r
+ certificates in the order that they were issued.\r
+\r
+ A typical certificate chain looks like this:\r
+\r
+\r
+ ----------------------------\r
+ | Root |\r
+ ----------------------------\r
+ ^\r
+ |\r
+ ----------------------------\r
+ | Policy CA | <-- Typical Trust Anchor.\r
+ ----------------------------\r
+ ^\r
+ |\r
+ ----------------------------\r
+ | Issuing CA |\r
+ ----------------------------\r
+ ^\r
+ |\r
+ -----------------------------\r
+ / End-Entity (leaf) signer / <-- Bottom certificate.\r
+ ----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1"\r
+ (Firmware Signing)\r
+\r
+\r
+ @param[in] CertChain Certificate chain.\r
+\r
+ @param[out] SignerCert Last certificate in the chain. For PKCS7 signatures,\r
+ this will be the end-entity (leaf) signer cert.\r
+\r
+ @retval EFI_SUCCESS The required EKUs were found in the signature.\r
+ @retval EFI_INVALID_PARAMETER A parameter was invalid.\r
+ @retval EFI_NOT_FOUND The number of signers found was not 1.\r
+\r
+**/\r
+EFI_STATUS\r
+GetSignerCertificate (\r
+ IN CONST VOID *CertChain,\r
+ OUT VOID **SignerCert\r
+ )\r
+{\r
+ ASSERT(FALSE);\r
+ return EFI_NOT_READY;\r
+\r
+}\r
+\r
+\r
+/**\r
+ Determines if the specified EKU represented in ASN1 form is present\r
+ in a given certificate.\r
+\r
+ @param[in] Cert The certificate to check.\r
+\r
+ @param[in] Asn1ToFind The EKU to look for.\r
+\r
+ @retval EFI_SUCCESS We successfully identified the signing type.\r
+ @retval EFI_INVALID_PARAMETER A parameter was invalid.\r
+ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.\r
+\r
+**/\r
+EFI_STATUS\r
+IsEkuInCertificate (\r
+ IN CONST VOID *Cert,\r
+ IN VOID *Asn1ToFind\r
+ )\r
+{\r
+ ASSERT(FALSE);\r
+ return EFI_NOT_READY;\r
+}\r
+\r
+\r
+/**\r
+ Determines if the specified EKUs are present in a signing certificate.\r
+\r
+ @param[in] SignerCert The certificate to check.\r
+ @param[in] RequiredEKUs The EKUs to look for.\r
+ @param[in] RequiredEKUsSize The number of EKUs\r
+ @param[in] RequireAllPresent If TRUE, then all the specified EKUs\r
+ must be present in the certificate.\r
+\r
+ @retval EFI_SUCCESS We successfully identified the signing type.\r
+ @retval EFI_INVALID_PARAMETER A parameter was invalid.\r
+ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.\r
+**/\r
+EFI_STATUS\r
+CheckEKUs(\r
+ IN CONST VOID *SignerCert,\r
+ IN CONST CHAR8 *RequiredEKUs[],\r
+ IN CONST UINT32 RequiredEKUsSize,\r
+ IN BOOLEAN RequireAllPresent\r
+ )\r
+{\r
+ ASSERT(FALSE);\r
+ return EFI_NOT_READY;\r
+}\r
+\r
+/**\r
+ This function receives a PKCS#7 formatted signature blob,\r
+ looks for the EKU SEQUENCE blob, and if found then looks\r
+ for all the required EKUs. This function was created so that\r
+ the Surface team can cut down on the number of Certificate\r
+ Authorities (CA's) by checking EKU's on leaf signers for\r
+ a specific product. This prevents one product's certificate\r
+ from signing another product's firmware or unlock blobs.\r
+\r
+ Note that this function does not validate the certificate chain.\r
+ That needs to be done before using this function.\r
+\r
+ @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array\r
+ containing the content block with both the signature,\r
+ the signer's certificate, and any necessary intermediate\r
+ certificates.\r
+ @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature.\r
+ @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of\r
+ required EKUs that must be present in the signature.\r
+ @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array.\r
+ @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's\r
+ must be present in the leaf signer. If it is\r
+ FALSE, then we will succeed if we find any\r
+ of the specified EKU's.\r
+\r
+ @retval EFI_SUCCESS The required EKUs were found in the signature.\r
+ @retval EFI_INVALID_PARAMETER A parameter was invalid.\r
+ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+VerifyEKUsInPkcs7Signature (\r
+ IN CONST UINT8 *Pkcs7Signature,\r
+ IN CONST UINT32 SignatureSize,\r
+ IN CONST CHAR8 *RequiredEKUs[],\r
+ IN CONST UINT32 RequiredEKUsSize,\r
+ IN BOOLEAN RequireAllPresent\r
+ )\r
+{\r
+ ASSERT(FALSE);\r
+ return EFI_NOT_READY;\r
+}\r
+\r
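Review bot: Every stub returns `EFI_NOT_READY`, a status none of the four Doxygen blocks lists, and since `ASSERT(FALSE)` compiles out in RELEASE builds that return value is the only signal a caller gets; `EFI_NOT_READY` reads as a transient condition a caller might retry or treat as non-fatal, whereas a Null instance of a signature-EKU check should fail closed with an unambiguous "not implemented" status. Suggest `return EFI_UNSUPPORTED;` in all four functions and adding `@retval EFI_UNSUPPORTED This Null instance does not implement EKU verification.` to each header, so the documented contract matches what callers actually observe. The `@param[in] Pkcs7SignatureSize` entry in the `VerifyEKUsInPkcs7Signature` header does not match the parameter name `SignatureSize` in the signature, and the `@retval` list on `GetSignerCertificate` is copied from the verify function rather than describing the certificate lookup. As a point of style, EDK II convention writes the macro call as `ASSERT (FALSE);` with a space before the parenthesis.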