diff options
| author | Bret Barkelew <Bret.Barkelew@microsoft.com> | 2019-03-25 12:01:10 +0800 |
|---|---|---|
| committer | Jian J Wang <jian.j.wang@intel.com> | 2019-04-18 13:11:20 +0800 |
| commit | 1796a39493b2447758099e1fba77e61b5cfe9261 (patch) | |
| tree | e88880412438772957408e47a01258682a8c0ff4 /CryptoPkg/Include/Library | |
| parent | 912e1e1ee27ed55baefac0002070472116202cbb (diff) | |
| download | edk2-1796a39493b2447758099e1fba77e61b5cfe9261.tar.gz edk2-1796a39493b2447758099e1fba77e61b5cfe9261.tar.bz2 edk2-1796a39493b2447758099e1fba77e61b5cfe9261.zip | |
CryptoPkg/BaseCryptLib.h: Add new API VerifyEKUsInPkcs7Signature
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1402
Add a prototype of new API VerifyEKUsInPkcs7Signature.
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Diffstat (limited to 'CryptoPkg/Include/Library')
| -rw-r--r-- | CryptoPkg/Include/Library/BaseCryptLib.h | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h index 6183bb0df4..f9191f6e96 100644 --- a/CryptoPkg/Include/Library/BaseCryptLib.h +++ b/CryptoPkg/Include/Library/BaseCryptLib.h @@ -2594,6 +2594,48 @@ Pkcs7Verify ( );
/**
+ This function receives a PKCS7 formatted signature, and then verifies that
+ the specified Enhanced or Extended Key Usages (EKU's) are present in the end-entity
+ leaf signing certificate.
+ Note that this function does not validate the certificate chain.
+
+ Applications for custom EKU's are quite flexible. For example, a policy EKU
+ may be present in an Issuing Certificate Authority (CA), and any sub-ordinate
+ certificate issued might also contain this EKU, thus constraining the
+ sub-ordinate certificate. Other applications might allow a certificate
+ embedded in a device to specify that other Object Identifiers (OIDs) are
+ present which contains binary data specifying custom capabilities that
+ the device is able to do.
+
+ @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array
+ containing the content block with both the signature,
+ the signer's certificate, and any necessary intermediate
+ certificates.
+ @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature.
+ @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of
+ required EKUs that must be present in the signature.
+ @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array.
+ @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's
+ must be present in the leaf signer. If it is
+ FALSE, then we will succeed if we find any
+ of the specified EKU's.
+
+ @retval EFI_SUCCESS The required EKUs were found in the signature.
+ @retval EFI_INVALID_PARAMETER A parameter was invalid.
+ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
+
+**/
+RETURN_STATUS
+EFIAPI
+VerifyEKUsInPkcs7Signature (
+ IN CONST UINT8 *Pkcs7Signature,
+ IN CONST UINT32 SignatureSize,
+ IN CONST CHAR8 *RequiredEKUs[],
+ IN CONST UINT32 RequiredEKUsSize,
+ IN BOOLEAN RequireAllPresent
+ );
+
+/**
Extracts the attached content from a PKCS#7 signed data if existed. The input signed
data could be wrapped in a ContentInfo structure.
|