diff options
| author | Gary Lin <glin@suse.com> | 2024-06-05 15:31:04 +0800 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2025-02-05 09:18:45 -0500 |
| commit | 15c1a9a310645ceb958587fe000d5f60ed3bc4bd (patch) | |
| tree | f56a86c3c8b0af45f6f982dd0d00b67186f41646 /Cryptlib/InternalCryptLib.h | |
| parent | e886fb35ad02c3d1aadb974aec7ded3451ea557f (diff) | |
| download | efi-boot-shim-15c1a9a310645ceb958587fe000d5f60ed3bc4bd.tar.gz efi-boot-shim-15c1a9a310645ceb958587fe000d5f60ed3bc4bd.zip | |
Implement the CodeSign EKU check to fulfill the requirements of NIAP OS_PP.
Also modify the ModSign EKU check to use VerifyEKUsInPkcs7Signature() to
check the signer certificate instead of the certificate directly from the
key database.
This commit supersedes the PR#232 and PR#661 (Apply the EKU checks) so
that author's original codes can be quite independent of other modification.
To answer the question in PR#232, author also changed the conditional
statement to EFI_Status != EFI_SUCCESS right after VerifyEKUsInPkcs7Signature()
in Cryptlib/Pk/CryptPkcs7Verify.c
Signed-off-by: Dennis Tseng <dennis.tseng@suse.com>
Signed-off-by: Gary Lin <glin@suse.com>
Diffstat (limited to 'Cryptlib/InternalCryptLib.h')
| -rw-r--r-- | Cryptlib/InternalCryptLib.h | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/Cryptlib/InternalCryptLib.h b/Cryptlib/InternalCryptLib.h index dc1a95e6..b713ed1c 100644 --- a/Cryptlib/InternalCryptLib.h +++ b/Cryptlib/InternalCryptLib.h @@ -32,5 +32,37 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #define OBJ_length(o) ((o)->length)
#endif
+/**
+ Check input P7Data is a wrapped ContentInfo structure or not. If not construct
+ a new structure to wrap P7Data.
+
+ Caution: This function may receive untrusted input.
+ UEFI Authenticated Variable is external input, so this function will do basic
+ check for PKCS#7 data structure.
+
+ @param[in] P7Data Pointer to the PKCS#7 message to verify.
+ @param[in] P7Length Length of the PKCS#7 message in bytes.
+ @param[out] WrapFlag If TRUE P7Data is a ContentInfo structure, otherwise
+ return FALSE.
+ @param[out] WrapData If return status of this function is TRUE:
+ 1) when WrapFlag is TRUE, pointer to P7Data.
+ 2) when WrapFlag is FALSE, pointer to a new ContentInfo
+ structure. It's caller's responsibility to free this
+ buffer.
+ @param[out] WrapDataSize Length of ContentInfo structure in bytes.
+
+ @retval TRUE The operation is finished successfully.
+ @retval FALSE The operation is failed due to lack of resources.
+
+**/
+BOOLEAN
+WrapPkcs7Data (
+ IN CONST UINT8 *P7Data,
+ IN UINTN P7Length,
+ OUT BOOLEAN *WrapFlag,
+ OUT UINT8 **WrapData,
+ OUT UINTN *WrapDataSize
+ );
+
#endif
|