1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
|
/** @file
PKCS7 Verify Null implementation.
Copyright (C) Microsoft Corporation. All Rights Reserved.
Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "InternalCryptLib.h"
/**
This function will return the leaf signer certificate in a chain. This is
required because certificate chains are not guaranteed to have the
certificates in the order that they were issued.
A typical certificate chain looks like this:
----------------------------
| Root |
----------------------------
^
|
----------------------------
| Policy CA | <-- Typical Trust Anchor.
----------------------------
^
|
----------------------------
| Issuing CA |
----------------------------
^
|
-----------------------------
/ End-Entity (leaf) signer / <-- Bottom certificate.
----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1"
(Firmware Signing)
@param[in] CertChain Certificate chain.
@param[out] SignerCert Last certificate in the chain. For PKCS7 signatures,
this will be the end-entity (leaf) signer cert.
@retval EFI_SUCCESS The required EKUs were found in the signature.
@retval EFI_INVALID_PARAMETER A parameter was invalid.
@retval EFI_NOT_FOUND The number of signers found was not 1.
**/
EFI_STATUS
GetSignerCertificate (
IN CONST VOID *CertChain,
OUT VOID **SignerCert
)
{
ASSERT (FALSE);
return EFI_NOT_READY;
}
/**
Determines if the specified EKU represented in ASN1 form is present
in a given certificate.
@param[in] Cert The certificate to check.
@param[in] Asn1ToFind The EKU to look for.
@retval EFI_SUCCESS We successfully identified the signing type.
@retval EFI_INVALID_PARAMETER A parameter was invalid.
@retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
**/
EFI_STATUS
IsEkuInCertificate (
IN CONST VOID *Cert,
IN VOID *Asn1ToFind
)
{
ASSERT (FALSE);
return EFI_NOT_READY;
}
/**
Determines if the specified EKUs are present in a signing certificate.
@param[in] SignerCert The certificate to check.
@param[in] RequiredEKUs The EKUs to look for.
@param[in] RequiredEKUsSize The number of EKUs
@param[in] RequireAllPresent If TRUE, then all the specified EKUs
must be present in the certificate.
@retval EFI_SUCCESS We successfully identified the signing type.
@retval EFI_INVALID_PARAMETER A parameter was invalid.
@retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
**/
EFI_STATUS
CheckEKUs (
IN CONST VOID *SignerCert,
IN CONST CHAR8 *RequiredEKUs[],
IN CONST UINT32 RequiredEKUsSize,
IN BOOLEAN RequireAllPresent
)
{
ASSERT (FALSE);
return EFI_NOT_READY;
}
/**
This function receives a PKCS#7 formatted signature blob,
looks for the EKU SEQUENCE blob, and if found then looks
for all the required EKUs. This function was created so that
the Surface team can cut down on the number of Certificate
Authorities (CA's) by checking EKU's on leaf signers for
a specific product. This prevents one product's certificate
from signing another product's firmware or unlock blobs.
Note that this function does not validate the certificate chain.
That needs to be done before using this function.
@param[in] Pkcs7Signature The PKCS#7 signed information content block. An array
containing the content block with both the signature,
the signer's certificate, and any necessary intermediate
certificates.
@param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature.
@param[in] RequiredEKUs Array of null-terminated strings listing OIDs of
required EKUs that must be present in the signature.
@param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array.
@param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's
must be present in the leaf signer. If it is
FALSE, then we will succeed if we find any
of the specified EKU's.
@retval EFI_SUCCESS The required EKUs were found in the signature.
@retval EFI_INVALID_PARAMETER A parameter was invalid.
@retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
**/
EFI_STATUS
EFIAPI
VerifyEKUsInPkcs7Signature (
IN CONST UINT8 *Pkcs7Signature,
IN CONST UINT32 SignatureSize,
IN CONST CHAR8 *RequiredEKUs[],
IN CONST UINT32 RequiredEKUsSize,
IN BOOLEAN RequireAllPresent
)
{
ASSERT (FALSE);
return EFI_NOT_READY;
}
|