TianoCore EDK2 master
Loading...
Searching...
No Matches
Functions
CryptPkcs7VerifyEkuRuntime.c File Reference
#include "InternalCryptLib.h"

Go to the source code of this file.

Functions

EFI_STATUS EFIAPI VerifyEKUsInPkcs7Signature (IN CONST UINT8 *Pkcs7Signature, IN CONST UINT32 SignatureSize, IN CONST CHAR8 *RequiredEKUs[], IN CONST UINT32 RequiredEKUsSize, IN BOOLEAN RequireAllPresent)
 

Detailed Description

This module verifies that Enhanced Key Usages (EKU's) are present within a PKCS7 signature blob using OpenSSL.

Copyright (C) Microsoft Corporation. All Rights Reserved. Copyright (c) 2019, Intel Corporation. All rights reserved.

SPDX-License-Identifier: BSD-2-Clause-Patent

Definition in file CryptPkcs7VerifyEkuRuntime.c.

Function Documentation

◆ VerifyEKUsInPkcs7Signature()

EFI_STATUS EFIAPI VerifyEKUsInPkcs7Signature ( IN CONST UINT8 *  Pkcs7Signature,
IN CONST UINT32  SignatureSize,
IN CONST CHAR8 *  RequiredEKUs[],
IN CONST UINT32  RequiredEKUsSize,
IN BOOLEAN  RequireAllPresent 
)

This function receives a PKCS#7 formatted signature blob, looks for the EKU SEQUENCE blob, and if found then looks for all the required EKUs. This function was created so that the Surface team can cut down on the number of Certificate Authorities (CA's) by checking EKU's on leaf signers for a specific product. This prevents one product's certificate from signing another product's firmware or unlock blobs.

Return RETURN_UNSUPPORTED to indicate this interface is not supported.

Parameters
[in]Pkcs7SignatureThe PKCS#7 signed information content block. An array containing the content block with both the signature, the signer's certificate, and any necessary intermediate certificates.
[in]Pkcs7SignatureSizeNumber of bytes in pPkcs7Signature.
[in]RequiredEKUsArray of null-terminated strings listing OIDs of required EKUs that must be present in the signature. All specified EKU's must be present in order to succeed.
[in]RequiredEKUsSizeNumber of elements in the rgRequiredEKUs string. This parameter has a maximum of MAX_EKU_SEARCH.
[in]RequireAllPresentIf this is TRUE, then all of the specified EKU's must be present in the leaf signer. If it is FALSE, then we will succeed if we find any of the specified EKU's.
Return values
RETURN_UNSUPPORTEDThe operation is not supported.

Definition at line 46 of file CryptPkcs7VerifyEkuRuntime.c.