| author | Dennis Tseng <dennis.tseng@suse.com> | 2024-06-05 22:33:06 +0800 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2025-02-05 09:18:45 -0500 |
| commit | eb02afc6f822576b73b7added3966ad7e72fd342 (patch) | |
| tree | d09e3dd6261fd2dabe5a7935abf9efb964360e22 /Cryptlib/Pk | |
| parent | 15c1a9a310645ceb958587fe000d5f60ed3bc4bd (diff) | |
| download | efi-boot-shim-eb02afc6f822576b73b7added3966ad7e72fd342.tar.gz efi-boot-shim-eb02afc6f822576b73b7added3966ad7e72fd342.zip | |
Optionally enabling codesign EKU check in compiling time.
This commit also supersedes PR#232, which was closed on Jul 1, 2021, so the original codesign EKU code does not need to be touched.
To enable the codesign check, ENABLE_CODESIGN_EKU can be set to 1.
To disable the codesign check, ENABLE_CODESIGN_EKU can be set to 0
or just omit this flag.
For example:
make xxxx ENABLE_CODESIGN_EKU=1 xxxx shim.efi
Signed-off-by: Dennis Tseng <dennis.tseng@suse.com>
Diffstat (limited to 'Cryptlib/Pk')
| -rw-r--r-- | Cryptlib/Pk/CryptPkcs7Verify.c | 8 |
1 files changed, 8 insertions, 0 deletions
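diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c
index fd523c59..640b01d0 100644
--- a/Cryptlib/Pk/CryptPkcs7Verify.c
+++ b/Cryptlib/Pk/CryptPkcs7Verify.c
@@ -29,8 +29,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <openssl/pkcs7.h>
 UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
+#if defined(ENABLE_CODESIGN_EKU)
 /* EKU CodeSign */
 CHAR8 mOidCodeSign[] = "1.3.6.1.5.5.7.3.3";
+#endif
 #if 1
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
@@ -848,8 +850,10 @@ Pkcs7Verify (
 CONST UINT8 *Temp;
 UINTN SignedDataSize;
 BOOLEAN Wrapped;
+#if defined(ENABLE_CODESIGN_EKU)
 CONST CHAR8 *Ekus[1];
 EFI_STATUS EFI_Status;
+#endif
 //
 // Check input parameters.
@@ -863,7 +867,9 @@ Pkcs7Verify (
 DataBio = NULL;
 Cert = NULL;
 CertStore = NULL;
+#if defined(ENABLE_CODESIGN_EKU)
 Ekus[0] = mOidCodeSign;
+#endif
 //
 // Register & Initialize necessary digest algorithms for PKCS#7 Handling
@@ -963,10 +969,12 @@ Pkcs7Verify (
 //
 X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
+#if defined(ENABLE_CODESIGN_EKU)
 EFI_Status = VerifyEKUsInPkcs7Signature(P7Data, P7Length, Ekus, 1, TRUE);
 if (EFI_Status != EFI_SUCCESS) {
 goto _Exit;
 }
+#endif
 //
 // Verifies the PKCS#7 signedData structure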
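Review bot: The `#if defined(ENABLE_CODESIGN_EKU)` guards, including the one around the `VerifyEKUsInPkcs7Signature` call in this hunk, do not match the commit message, which says `ENABLE_CODESIGN_EKU=0` disables the check: if the Makefile forwards the variable as `-DENABLE_CODESIGN_EKU=0`, the macro is still defined and the EKU check stays enabled. Writing the guards as `#if ENABLE_CODESIGN_EKU` (an undefined macro evaluates to 0 inside `#if`) would make unset, 0 and 1 behave as documented; I cannot see how the Makefile maps the variable, so if it only emits `-D` for a value of 1 the message should instead say the flag must be left undefined to disable the check. The failure path `goto _Exit` also relies on `Status` already holding FALSE at that point, which is how the EDK2 version of this function is arranged but is not visible here, so it should be confirmed so that an EKU failure cannot return TRUE. Pkcs7Verify begins and ends outside these hunks.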
