From eb02afc6f822576b73b7added3966ad7e72fd342 Mon Sep 17 00:00:00 2001 From: Dennis Tseng Date: Wed, 5 Jun 2024 22:33:06 +0800 Subject: Optionally enabling codesign EKU check in compiling time. This commit also supersedes PR#232 which was closed on Jul 1, 2021. So that original codesign EKU codes cannot be bothered. To enable the codesign check, ENABLE_CODESIGN_EKU can be set to 1. To disable the codesign check, ENABLE_CODESIGN_EKU can be set to 0 or just omit this flag. For example: make xxxx ENABLE_CODESIGN_EKU=1 xxxx shim.efi Signed-off-by: Dennis Tseng --- Cryptlib/Pk/CryptPkcs7Verify.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'Cryptlib/Pk') diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c index fd523c59..640b01d0 100644 --- a/Cryptlib/Pk/CryptPkcs7Verify.c +++ b/Cryptlib/Pk/CryptPkcs7Verify.c @@ -29,8 +29,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #include UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 }; +#if defined(ENABLE_CODESIGN_EKU) /* EKU CodeSign */ CHAR8 mOidCodeSign[] = "1.3.6.1.5.5.7.3.3"; +#endif #if 1 #if OPENSSL_VERSION_NUMBER < 0x10100000L @@ -848,8 +850,10 @@ Pkcs7Verify ( CONST UINT8 *Temp; UINTN SignedDataSize; BOOLEAN Wrapped; +#if defined(ENABLE_CODESIGN_EKU) CONST CHAR8 *Ekus[1]; EFI_STATUS EFI_Status; +#endif // // Check input parameters. @@ -863,7 +867,9 @@ Pkcs7Verify ( DataBio = NULL; Cert = NULL; CertStore = NULL; +#if defined(ENABLE_CODESIGN_EKU) Ekus[0] = mOidCodeSign; +#endif // // Register & Initialize necessary digest algorithms for PKCS#7 Handling @@ -963,10 +969,12 @@ Pkcs7Verify ( // X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY); +#if defined(ENABLE_CODESIGN_EKU) EFI_Status = VerifyEKUsInPkcs7Signature(P7Data, P7Length, Ekus, 1, TRUE); if (EFI_Status != EFI_SUCCESS) { goto _Exit; } +#endif // // Verifies the PKCS#7 signedData structure -- cgit v1.2.3