TianoCore EDK2 master
Loading...
Searching...
No Matches
CryptPkcs7VerifyEku.c File Reference
#include <Base.h>
#include "InternalCryptLib.h"
#include <openssl/x509v3.h>
#include <openssl/asn1.h>
#include <openssl/x509.h>
#include <openssl/bio.h>
#include <crypto/x509.h>
#include <openssl/pkcs7.h>
#include <openssl/bn.h>
#include <openssl/x509_vfy.h>
#include <openssl/pem.h>
#include <openssl/evp.h>
#include <crypto/asn1.h>

Go to the source code of this file.

Functions

STATIC EFI_STATUS GetSignerCertificate (IN CONST PKCS7 *CertChain, OUT X509 **SignerCert)
 
STATIC EFI_STATUS IsEkuInCertificate (IN CONST X509 *Cert, IN ASN1_OBJECT *Asn1ToFind)
 
STATIC EFI_STATUS CheckEKUs (IN CONST X509 *SignerCert, IN CONST CHAR8 *RequiredEKUs[], IN CONST UINT32 RequiredEKUsSize, IN BOOLEAN RequireAllPresent)
 
EFI_STATUS EFIAPI VerifyEKUsInPkcs7Signature (IN CONST UINT8 *Pkcs7Signature, IN CONST UINT32 SignatureSize, IN CONST CHAR8 *RequiredEKUs[], IN CONST UINT32 RequiredEKUsSize, IN BOOLEAN RequireAllPresent)
 

Detailed Description

This module verifies that Enhanced Key Usages (EKU's) are present within a PKCS7 signature blob using OpenSSL.

Copyright (C) Microsoft Corporation. All Rights Reserved. Copyright (c) 2019, Intel Corporation. All rights reserved.

SPDX-License-Identifier: BSD-2-Clause-Patent

Definition in file CryptPkcs7VerifyEku.c.

Function Documentation

◆ CheckEKUs()

STATIC EFI_STATUS CheckEKUs ( IN CONST X509 *  SignerCert,
IN CONST CHAR8 *  RequiredEKUs[],
IN CONST UINT32  RequiredEKUsSize,
IN BOOLEAN  RequireAllPresent 
)

Determines if the specified EKUs are present in a signing certificate.

Parameters
[in]SignerCertThe certificate to check.
[in]RequiredEKUsThe EKUs to look for.
[in]RequiredEKUsSizeThe number of EKUs
[in]RequireAllPresentIf TRUE, then all the specified EKUs must be present in the certificate.
Return values
EFI_SUCCESSWe successfully identified the signing type.
EFI_INVALID_PARAMETERA parameter was invalid.
EFI_NOT_FOUNDOne or more EKU's were not found in the signature.

Definition at line 262 of file CryptPkcs7VerifyEku.c.

◆ GetSignerCertificate()

STATIC EFI_STATUS GetSignerCertificate ( IN CONST PKCS7 CertChain,
OUT X509 **  SignerCert 
)

This function will return the leaf signer certificate in a chain. This is required because certificate chains are not guaranteed to have the certificates in the order that they were issued.

A typical certificate chain looks like this:


| Root |

^

|

| Policy CA | <– Typical Trust Anchor.

^

|

| Issuing CA |

^

|

/ End-Entity (leaf) signer / <– Bottom certificate. --------------------------— EKU: "1.3.6.1.4.1.311.76.9.21.1" (Firmware Signing)

Parameters
[in]CertChainCertificate chain.
[out]SignerCertLast certificate in the chain. For PKCS7 signatures, this will be the end-entity (leaf) signer cert.
Return values
EFI_SUCCESSThe required EKUs were found in the signature.
EFI_INVALID_PARAMETERA parameter was invalid.
EFI_NOT_FOUNDThe number of signers found was not 1.

Definition at line 67 of file CryptPkcs7VerifyEku.c.

◆ IsEkuInCertificate()

STATIC EFI_STATUS IsEkuInCertificate ( IN CONST X509 *  Cert,
IN ASN1_OBJECT *  Asn1ToFind 
)

Determines if the specified EKU represented in ASN1 form is present in a given certificate.

Parameters
[in]CertThe certificate to check.
[in]Asn1ToFindThe EKU to look for.
Return values
EFI_SUCCESSWe successfully identified the signing type.
EFI_INVALID_PARAMETERA parameter was invalid.
EFI_NOT_FOUNDOne or more EKU's were not found in the signature.

Definition at line 138 of file CryptPkcs7VerifyEku.c.

◆ VerifyEKUsInPkcs7Signature()

EFI_STATUS EFIAPI VerifyEKUsInPkcs7Signature ( IN CONST UINT8 *  Pkcs7Signature,
IN CONST UINT32  SignatureSize,
IN CONST CHAR8 *  RequiredEKUs[],
IN CONST UINT32  RequiredEKUsSize,
IN BOOLEAN  RequireAllPresent 
)

This function receives a PKCS#7 formatted signature blob, looks for the EKU SEQUENCE blob, and if found then looks for all the required EKUs. This function was created so that the Surface team can cut down on the number of Certificate Authorities (CA's) by checking EKU's on leaf signers for a specific product. This prevents one product's certificate from signing another product's firmware or unlock blobs.

Note that this function does not validate the certificate chain. That needs to be done before using this function.

Parameters
[in]Pkcs7SignatureThe PKCS#7 signed information content block. An array containing the content block with both the signature, the signer's certificate, and any necessary intermediate certificates.
[in]Pkcs7SignatureSizeNumber of bytes in Pkcs7Signature.
[in]RequiredEKUsArray of null-terminated strings listing OIDs of required EKUs that must be present in the signature.
[in]RequiredEKUsSizeNumber of elements in the RequiredEKUs string array.
[in]RequireAllPresentIf this is TRUE, then all of the specified EKU's must be present in the leaf signer. If it is FALSE, then we will succeed if we find any of the specified EKU's.
Return values
EFI_SUCCESSThe required EKUs were found in the signature.
EFI_INVALID_PARAMETERA parameter was invalid.
EFI_NOT_FOUNDOne or more EKU's were not found in the signature.

Definition at line 367 of file CryptPkcs7VerifyEku.c.