authorGary Lin <glin@suse.com>2024-06-05 15:31:04 +0800
committerPeter Jones <pjones@redhat.com>2025-02-05 09:18:45 -0500
commit15c1a9a310645ceb958587fe000d5f60ed3bc4bd (patch)
treef56a86c3c8b0af45f6f982dd0d00b67186f41646 /Cryptlib/Pk/CryptPkcs7Verify.c
parente886fb35ad02c3d1aadb974aec7ded3451ea557f (diff)
Implement the CodeSign EKU check to fulfill the requirements of NIAP OS_PP.
Also modify the ModSign EKU check to use VerifyEKUsInPkcs7Signature() to check the signer certificate instead of the certificate directly from the key database. This commit supersedes the PR#232 and PR#661 (Apply the EKU checks) so that author's original codes can be quite independent of other modification. To answer the question in PR#232, author also changed the conditional statement to EFI_Status != EFI_SUCCESS right after VerifyEKUsInPkcs7Signature() in Cryptlib/Pk/CryptPkcs7Verify.c Signed-off-by: Dennis Tseng <dennis.tseng@suse.com> Signed-off-by: Gary Lin <glin@suse.com>
Diffstat (limited to 'Cryptlib/Pk/CryptPkcs7Verify.c')
-rw-r--r--Cryptlib/Pk/CryptPkcs7Verify.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c
index c1893848..fd523c59 100644
--- a/Cryptlib/Pk/CryptPkcs7Verify.c
+++ b/Cryptlib/Pk/CryptPkcs7Verify.c
@@ -29,6 +29,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <openssl/pkcs7.h>
UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
+/* EKU CodeSign */
+CHAR8 mOidCodeSign[] = "1.3.6.1.5.5.7.3.3";
#if 1
#if OPENSSL_VERSION_NUMBER < 0x10100000L
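Review bot: `mOidCodeSign` on the added line is a writable global, although it holds a fixed policy OID that the signature verifier depends on. Declaring it `CONST CHAR8 mOidCodeSign[] = "1.3.6.1.5.5.7.3.3";` keeps it in read-only data and still matches the `CONST CHAR8 *Ekus[1]` element type that a later hunk assigns it to. If no other file references it, it could also be `STATIC`; the diffstat shown is limited to this file, so that cannot be confirmed from here.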
@@ -846,6 +848,8 @@ Pkcs7Verify (
CONST UINT8 *Temp;
UINTN SignedDataSize;
BOOLEAN Wrapped;
+ CONST CHAR8 *Ekus[1];
+ EFI_STATUS EFI_Status;
//
// Check input parameters.
@@ -859,6 +863,7 @@ Pkcs7Verify (
DataBio = NULL;
Cert = NULL;
CertStore = NULL;
+ Ekus[0] = mOidCodeSign;
//
// Register & Initialize necessary digest algorithms for PKCS#7 Handling
@@ -958,6 +963,11 @@ Pkcs7Verify (
//
X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
+ EFI_Status = VerifyEKUsInPkcs7Signature(P7Data, P7Length, Ekus, 1, TRUE);
+ if (EFI_Status != EFI_SUCCESS) {
+ goto _Exit;
+ }
+
//
// Verifies the PKCS#7 signedData structure
//
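Review bot: The new `goto _Exit` after `VerifyEKUsInPkcs7Signature` rejects the signature only if the function's BOOLEAN result is still FALSE when the jump is taken, and that assignment lies outside the hunk. Please confirm it, or set the result to FALSE explicitly before the jump so an EKU failure cannot be returned as success. The call also has no banner comment, unlike the steps around it; something like `// Require the CodeSign EKU (1.3.6.1.5.5.7.3.3) on the signer certificate before verifying the signature` would record that every caller of Pkcs7Verify is now subject to this check. The call is passed the raw `P7Data`/`P7Length` rather than the wrapped buffer the function tracks through `Wrapped`/`SignedDataSize`, so it presumably re-wraps the input itself, which is worth confirming. Pkcs7Verify's body starts and ends outside the hunk.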