diff options
| -rw-r--r-- | Cryptlib/InternalCryptLib.h | 3 | ||||
| -rw-r--r-- | Cryptlib/Library/BaseCryptLib.h | 2 | ||||
| -rw-r--r-- | Cryptlib/Makefile | 8 | ||||
| -rw-r--r-- | Cryptlib/Pk/CryptPkcs7Verify.c | 8 |
4 files changed, 19 insertions, 2 deletions
diff --git a/Cryptlib/InternalCryptLib.h b/Cryptlib/InternalCryptLib.h index b713ed1c..0ad2ef70 100644 --- a/Cryptlib/InternalCryptLib.h +++ b/Cryptlib/InternalCryptLib.h @@ -32,6 +32,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #define OBJ_length(o) ((o)->length)
#endif
+#if defined(ENABLE_CODESIGN_EKU)
/**
Check input P7Data is a wrapped ContentInfo structure or not. If not construct
a new structure to wrap P7Data.
@@ -65,4 +66,4 @@ WrapPkcs7Data ( );
#endif
-
+#endif
diff --git a/Cryptlib/Library/BaseCryptLib.h b/Cryptlib/Library/BaseCryptLib.h index ed482d3f..439f0516 100644 --- a/Cryptlib/Library/BaseCryptLib.h +++ b/Cryptlib/Library/BaseCryptLib.h @@ -2403,6 +2403,7 @@ Pkcs7Verify ( IN UINTN DataLength
);
+#if defined(ENABLE_CODESIGN_EKU)
/**
This function receives a PKCS#7 formatted signature blob,
looks for the EKU SEQUENCE blob, and if found then looks
@@ -2442,6 +2443,7 @@ VerifyEKUsInPkcs7Signature ( IN CONST UINT32 RequiredEKUsSize,
IN BOOLEAN RequireAllPresent
);
+#endif
/**
Extracts the attached content from a PKCS#7 signed data if existed. The input signed
diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile index 023da637..68a9395e 100644 --- a/Cryptlib/Makefile +++ b/Cryptlib/Makefile @@ -40,6 +40,9 @@ endif ifeq ($(ARCH),arm) DEFINES += -DMDE_CPU_ARM endif +ifeq ($(ENABLE_CODESIGN_EKU),1) +DEFINES += -DENABLE_CODESIGN_EKU +endif LDFLAGS = -nostdlib -znocombreloc @@ -60,7 +63,6 @@ OBJS = Hash/CryptMd4Null.o \ Pk/CryptRsaExtNull.o \ Pk/CryptPkcs7SignNull.o \ Pk/CryptPkcs7Verify.o \ - Pk/CryptPkcs7VerifyEku.o \ Pk/CryptDhNull.o \ Pk/CryptTs.o \ Pk/CryptX509.o \ @@ -71,6 +73,10 @@ OBJS = Hash/CryptMd4Null.o \ SysCall/BaseMemAllocation.o \ SysCall/BaseStrings.o +ifeq ($(ENABLE_CODESIGN_EKU),1) + OBJS += Pk/CryptPkcs7VerifyEku.o +endif + all: $(TARGET) libcryptlib.a: $(OBJS) diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c index fd523c59..640b01d0 100644 --- a/Cryptlib/Pk/CryptPkcs7Verify.c +++ b/Cryptlib/Pk/CryptPkcs7Verify.c @@ -29,8 +29,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include <openssl/pkcs7.h>
UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
+#if defined(ENABLE_CODESIGN_EKU)
/* EKU CodeSign */
CHAR8 mOidCodeSign[] = "1.3.6.1.5.5.7.3.3";
+#endif
#if 1
#if OPENSSL_VERSION_NUMBER < 0x10100000L
@@ -848,8 +850,10 @@ Pkcs7Verify ( CONST UINT8 *Temp;
UINTN SignedDataSize;
BOOLEAN Wrapped;
+#if defined(ENABLE_CODESIGN_EKU)
CONST CHAR8 *Ekus[1];
EFI_STATUS EFI_Status;
+#endif
//
// Check input parameters.
@@ -863,7 +867,9 @@ Pkcs7Verify ( DataBio = NULL;
Cert = NULL;
CertStore = NULL;
+#if defined(ENABLE_CODESIGN_EKU)
Ekus[0] = mOidCodeSign;
+#endif
//
// Register & Initialize necessary digest algorithms for PKCS#7 Handling
@@ -963,10 +969,12 @@ Pkcs7Verify ( //
X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
+#if defined(ENABLE_CODESIGN_EKU)
EFI_Status = VerifyEKUsInPkcs7Signature(P7Data, P7Length, Ekus, 1, TRUE);
if (EFI_Status != EFI_SUCCESS) {
goto _Exit;
}
+#endif
//
// Verifies the PKCS#7 signedData structure
|