author: Bret Barkelew <Bret.Barkelew@microsoft.com> 2019-03-25 12:01:10 +0800
committer: Jian J Wang <jian.j.wang@intel.com> 2019-04-18 13:11:20 +0800
commit: 1796a39493b2447758099e1fba77e61b5cfe9261
tree: e88880412438772957408e47a01258682a8c0ff4 /CryptoPkg/Include/Library
parent: 912e1e1ee27ed55baefac0002070472116202cbb
CryptoPkg/BaseCryptLib.h: Add new API VerifyEKUsInPkcs7Signature
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1402

Add a prototype of new API VerifyEKUsInPkcs7Signature.

Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Diffstat (limited to 'CryptoPkg/Include/Library')
-rw-r--r-- CryptoPkg/Include/Library/BaseCryptLib.h | 42 +
1 file changed, 42 insertions(+), 0 deletions(-)
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 6183bb0df4..f9191f6e96 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -2594,6 +2594,48 @@ Pkcs7Verify (
);
/**
+ This function receives a PKCS7 formatted signature, and then verifies that
+ the specified Enhanced or Extended Key Usages (EKU's) are present in the end-entity
+ leaf signing certificate.
+ Note that this function does not validate the certificate chain.
+
+ Applications for custom EKU's are quite flexible. For example, a policy EKU
+ may be present in an Issuing Certificate Authority (CA), and any sub-ordinate
+ certificate issued might also contain this EKU, thus constraining the
+ sub-ordinate certificate. Other applications might allow a certificate
+ embedded in a device to specify that other Object Identifiers (OIDs) are
+ present which contains binary data specifying custom capabilities that
+ the device is able to do.
+
+ @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array
+ containing the content block with both the signature,
+ the signer's certificate, and any necessary intermediate
+ certificates.
+ @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature.
+ @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of
+ required EKUs that must be present in the signature.
+ @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array.
+ @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's
+ must be present in the leaf signer. If it is
+ FALSE, then we will succeed if we find any
+ of the specified EKU's.
+
+ @retval EFI_SUCCESS The required EKUs were found in the signature.
+ @retval EFI_INVALID_PARAMETER A parameter was invalid.
+ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
+
+**/
+RETURN_STATUS
+EFIAPI
+VerifyEKUsInPkcs7Signature (
+ IN CONST UINT8 *Pkcs7Signature,
+ IN CONST UINT32 SignatureSize,
+ IN CONST CHAR8 *RequiredEKUs[],
+ IN CONST UINT32 RequiredEKUsSize,
+ IN BOOLEAN RequireAllPresent
+ );
+
+/**
Extracts the attached content from a PKCS#7 signed data if existed. The input signed
data could be wrapped in a ContentInfo structure.
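Review bot: the parameter documentation and the prototype disagree: the comment documents `@param[in] Pkcs7SignatureSize` while the declaration names the argument `SignatureSize`; rename one of them so Doxygen output and callers match. Two further documentation points before this becomes a public API: the function returns `RETURN_STATUS`, so the `@retval` list should use `RETURN_SUCCESS`, `RETURN_INVALID_PARAMETER` and `RETURN_NOT_FOUND` rather than the `EFI_*` names used elsewhere only by UEFI-layer libraries; and the behaviour for `RequiredEKUsSize == 0` or a NULL `RequiredEKUs` is unspecified, so state whether that is an invalid-parameter case or a trivial success, since with `RequireAllPresent` TRUE an empty list could otherwise succeed vacuously. Finally, because the comment already says "this function does not validate the certificate chain", the success line should say explicitly that a match only proves the leaf certificate embedded in the blob carries the OID, not that the blob is trusted; a caller must still gate on `Pkcs7Verify` against a trusted root before acting on this result, and the doc is the right place to say so.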