- Generated on Fri Nov 15 2024 18:01:28 for TianoCore EDK2 by
1.9.6
|
TianoCore EDK2 master
|
#include <Base.h>#include "InternalCryptLib.h"#include <mbedtls/pkcs7.h>#include <mbedtls/asn1write.h>Go to the source code of this file.
Functions | |
| STATIC BOOLEAN | InternalX509FindExtensionData (UINT8 *Start, UINT8 *End, CONST UINT8 *Oid, UINTN OidSize, UINT8 **FindExtensionData, UINTN *FindExtensionDataLen) |
| STATIC BOOLEAN | GetExtensionData (CONST mbedtls_x509_crt *Cert, CONST UINT8 *Oid, UINTN OidSize, UINT8 *ExtensionData, UINTN *ExtensionDataSize) |
| STATIC EFI_STATUS | IsEkuInCertificate (IN CONST mbedtls_x509_crt *Cert, IN UINT8 *EKU, IN UINTN EkuLen) |
| VOID | GetOidFromTxt (IN CONST CHAR8 *RequiredEKUs, IN UINTN RequiredEKUsSize, IN OUT UINT8 *CheckOid, OUT UINT8 *OidLen) |
| STATIC BOOLEAN | IsCertSignerCert (UINT8 *Start, UINT8 *End) |
| STATIC EFI_STATUS | CheckEKUs (IN CONST mbedtls_x509_crt *SignerCert, IN CONST CHAR8 *RequiredEKUs[], IN CONST UINT32 RequiredEKUsSize, IN BOOLEAN RequireAllPresent) |
| EFI_STATUS EFIAPI | VerifyEKUsInPkcs7Signature (IN CONST UINT8 *Pkcs7Signature, IN CONST UINT32 SignatureSize, IN CONST CHAR8 *RequiredEKUs[], IN CONST UINT32 RequiredEKUsSize, IN BOOLEAN RequireAllPresent) |
Variables | |
| GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 | EkuOID [] = { 0x55, 0x1D, 0x25 } |
| GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 | gBasicConstraintsCase1 [] = { 0x30, 0x00 } |
| GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 | gBasicConstraintsCase2 [] = { 0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, 0x01, 0x00 } |
| GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 | gOidBasicConstraints [] = { 0x55, 0x1D, 0x13 } |
This module verifies that Enhanced Key Usages (EKU's) are present within a PKCS7 signature blob using MbedTLS.
Copyright (C) Microsoft Corporation. All Rights Reserved. Copyright (c) 2024, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent
Definition in file CryptPkcs7VerifyEku.c.
| STATIC EFI_STATUS CheckEKUs | ( | IN CONST mbedtls_x509_crt * | SignerCert, |
| IN CONST CHAR8 * | RequiredEKUs[], | ||
| IN CONST UINT32 | RequiredEKUsSize, | ||
| IN BOOLEAN | RequireAllPresent | ||
| ) |
Determines if the specified EKUs are present in a signing certificate.
| [in] | SignerCert | The certificate to check. |
| [in] | RequiredEKUs | The EKUs to look for. |
| [in] | RequiredEKUsSize | The number of EKUs |
| [in] | RequireAllPresent | If TRUE, then all the specified EKUs must be present in the certificate. |
| EFI_SUCCESS | We successfully identified the signing type. |
| EFI_INVALID_PARAMETER | A parameter was invalid. |
| EFI_NOT_FOUND | One or more EKU's were not found in the signature. |
Definition at line 488 of file CryptPkcs7VerifyEku.c.
| STATIC BOOLEAN GetExtensionData | ( | CONST mbedtls_x509_crt * | Cert, |
| CONST UINT8 * | Oid, | ||
| UINTN | OidSize, | ||
| UINT8 * | ExtensionData, | ||
| UINTN * | ExtensionDataSize | ||
| ) |
Retrieve Extension data from one X.509 certificate.
| [in] | Cert | Pointer to the X509 certificate. |
| [in] | Oid | Object identifier buffer |
| [in] | OidSize | Object identifier buffer size |
| [out] | ExtensionData | Extension bytes. |
| [in,out] | ExtensionDataSize | Extension bytes size. |
| RETURN_SUCCESS | The certificate Extension data retrieved successfully. |
| RETURN_INVALID_PARAMETER | If Cert is NULL. If ExtensionDataSize is NULL. If ExtensionData is not NULL and *ExtensionDataSize is 0. If Certificate is invalid. |
| RETURN_NOT_FOUND | If no Extension entry match Oid. |
| RETURN_BUFFER_TOO_SMALL | If the ExtensionData is NULL. The required buffer size is returned in the ExtensionDataSize parameter. |
| RETURN_UNSUPPORTED | The operation is not supported. |
Definition at line 151 of file CryptPkcs7VerifyEku.c.
| VOID GetOidFromTxt | ( | IN CONST CHAR8 * | RequiredEKUs, |
| IN UINTN | RequiredEKUsSize, | ||
| IN OUT UINT8 * | CheckOid, | ||
| OUT UINT8 * | OidLen | ||
| ) |
Get OID from txt.
| [in] | RequiredEKUs | Array of null-terminated strings listing OIDs of required EKUs that must be present in the signature. |
| [in] | RequiredEKUsSize | Number of elements in the RequiredEKUs string array. |
| [in,out] | CheckOid | OID. |
| [out] | OidLen | The size of OID. |
Definition at line 326 of file CryptPkcs7VerifyEku.c.
| STATIC BOOLEAN InternalX509FindExtensionData | ( | UINT8 * | Start, |
| UINT8 * | End, | ||
| CONST UINT8 * | Oid, | ||
| UINTN | OidSize, | ||
| UINT8 ** | FindExtensionData, | ||
| UINTN * | FindExtensionDataLen | ||
| ) |
Find first Extension data match with given OID
| [in] | Start | Pointer to the DER-encoded extensions data |
| [in] | End | extensions data size in bytes |
| [in] | Oid | OID for match |
| [in] | OidSize | OID size in bytes |
| [out] | FindExtensionData | output matched extension data. |
| [out] | FindExtensionDataLen | matched extension data size. |
Definition at line 40 of file CryptPkcs7VerifyEku.c.
| STATIC BOOLEAN IsCertSignerCert | ( | UINT8 * | Start, |
| UINT8 * | End | ||
| ) |
Verify the Cert is signer cert
| [in] | Start | Pointer to the DER-encoded certificate data Start. |
| [in] | End | Pointer to the DER-encoded certificate data End. |
| true | verify pass |
| false | verify fail |
Definition at line 392 of file CryptPkcs7VerifyEku.c.
| STATIC EFI_STATUS IsEkuInCertificate | ( | IN CONST mbedtls_x509_crt * | Cert, |
| IN UINT8 * | EKU, | ||
| IN UINTN | EkuLen | ||
| ) |
Determines if the specified EKU represented in ASN1 form is present in a given certificate.
| [in] | Cert | The certificate to check. |
| [in] | EKU | The EKU to look for. |
| [in] | EkuLen | The size of EKU. |
| EFI_SUCCESS | We successfully identified the signing type. |
| EFI_INVALID_PARAMETER | A parameter was invalid. |
| EFI_NOT_FOUND | One or more EKU's were not found in the signature. |
Definition at line 240 of file CryptPkcs7VerifyEku.c.
| EFI_STATUS EFIAPI VerifyEKUsInPkcs7Signature | ( | IN CONST UINT8 * | Pkcs7Signature, |
| IN CONST UINT32 | SignatureSize, | ||
| IN CONST CHAR8 * | RequiredEKUs[], | ||
| IN CONST UINT32 | RequiredEKUsSize, | ||
| IN BOOLEAN | RequireAllPresent | ||
| ) |
This function receives a PKCS#7 formatted signature blob, looks for the EKU SEQUENCE blob, and if found then looks for all the required EKUs. This function was created so that the Surface team can cut down on the number of Certificate Authorities (CA's) by checking EKU's on leaf signers for a specific product. This prevents one product's certificate from signing another product's firmware or unlock blobs.
Note that this function does not validate the certificate chain. That needs to be done before using this function.
| [in] | Pkcs7Signature | The PKCS#7 signed information content block. An array containing the content block with both the signature, the signer's certificate, and any necessary intermediate certificates. |
| [in] | Pkcs7SignatureSize | Number of bytes in Pkcs7Signature. |
| [in] | RequiredEKUs | Array of null-terminated strings listing OIDs of required EKUs that must be present in the signature. |
| [in] | RequiredEKUsSize | Number of elements in the RequiredEKUs string array. |
| [in] | RequireAllPresent | If this is TRUE, then all of the specified EKU's must be present in the leaf signer. If it is FALSE, then we will succeed if we find any of the specified EKU's. |
| EFI_SUCCESS | The required EKUs were found in the signature. |
| EFI_INVALID_PARAMETER | A parameter was invalid. |
| EFI_NOT_FOUND | One or more EKU's were not found in the signature. |
Definition at line 581 of file CryptPkcs7VerifyEku.c.
| GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 EkuOID[] = { 0x55, 0x1D, 0x25 } |
Definition at line 17 of file CryptPkcs7VerifyEku.c.
| GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 gBasicConstraintsCase1[] = { 0x30, 0x00 } |
Definition at line 20 of file CryptPkcs7VerifyEku.c.
| GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 gBasicConstraintsCase2[] = { 0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, 0x01, 0x00 } |
Definition at line 23 of file CryptPkcs7VerifyEku.c.
| GLOBAL_REMOVE_IF_UNREFERENCED CONST UINT8 gOidBasicConstraints[] = { 0x55, 0x1D, 0x13 } |
Definition at line 25 of file CryptPkcs7VerifyEku.c.
1.9.6