From: Zhichao Gao <zhichao.gao@intel.com>
To: edk2-devel@lists.01.org
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>,
Ting Ye <ting.ye@intel.com>, Gang Wei <gang.wei@intel.com>,
Wang Jian J <jian.j.wang@intel.com>,
Liming Gao <liming.gao@intel.com>,
Sean Brogan <sean.brogan@microsoft.com>,
Michael Turner <Michael.Turner@microsoft.com>
Subject: [PATCH 3/6] CryptoPkg/BaseCryptLib.h: Add new API VerifyEKUsInPkcs7Signature
Date: Mon, 25 Mar 2019 12:01:10 +0800 [thread overview]
Message-ID: <20190325040113.18848-4-zhichao.gao@intel.com> (raw)
In-Reply-To: <20190325040113.18848-1-zhichao.gao@intel.com>
From: Bret Barkelew <Bret.Barkelew@microsoft.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1402
Add a prototype of new API VerifyEKUsInPkcs7Signature.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Gang Wei <gang.wei@intel.com>
Cc: Wang Jian J <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
---
CryptoPkg/Include/Library/BaseCryptLib.h | 42 ++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 011e908ee4..37b93a2c63 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -2599,6 +2599,48 @@ Pkcs7Verify (
IN UINTN DataLength
);
+/**
+ This function receives a PKCS7 formatted signature, and then verifies that
+ the specified Enhanced or Extended Key Usages (EKU's) are present in the end-entity
+ leaf signing certificate.
+ Note that this function does not validate the certificate chain.
+
+ Applications for custom EKU's are quite flexible. For example, a policy EKU
+ may be present in an Issuing Certificate Authority (CA), and any sub-ordinate
+ certificate issued might also contain this EKU, thus constraining the
+ sub-ordinate certificate. Other applications might allow a certificate
+ embedded in a device to specify that other Object Identifiers (OIDs) are
+ present which contains binary data specifying custom capabilities that
+ the device is able to do.
+
+ @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array
+ containing the content block with both the signature,
+ the signer's certificate, and any necessary intermediate
+ certificates.
+ @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature.
+ @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of
+ required EKUs that must be present in the signature.
+ @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array.
+ @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's
+ must be present in the leaf signer. If it is
+ FALSE, then we will succeed if we find any
+ of the specified EKU's.
+
+ @retval EFI_SUCCESS The required EKUs were found in the signature.
+ @retval EFI_INVALID_PARAMETER A parameter was invalid.
+ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature.
+
+**/
+RETURN_STATUS
+EFIAPI
+VerifyEKUsInPkcs7Signature (
+ IN CONST UINT8 *Pkcs7Signature,
+ IN CONST UINT32 SignatureSize,
+ IN CONST CHAR8 *RequiredEKUs[],
+ IN CONST UINT32 RequiredEKUsSize,
+ IN BOOLEAN RequireAllPresent
+ );
+
/**
Extracts the attached content from a PKCS#7 signed data if existed. The input signed
data could be wrapped in a ContentInfo structure.
--
2.16.2.windows.1
next prev parent reply other threads:[~2019-03-25 4:01 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-25 4:01 [PATCH 0/6] Add new APIs for BaseCryptLib Zhichao Gao
2019-03-25 4:01 ` [PATCH 1/6] CryptoPkg/BaseCryptLib.h: Add new API to get organization name Zhichao Gao
2019-03-25 4:01 ` [PATCH 2/6] CryptoPkg/BaseCryptLib: " Zhichao Gao
2019-03-25 4:01 ` Zhichao Gao [this message]
2019-03-25 4:01 ` [PATCH 4/6] CryptoPkg/BaseCryptLib: Add new API VerifyEKUsInPkcs7Signature Zhichao Gao
2019-03-25 4:01 ` [PATCH 5/6] CryptoPkg/BaseCryptLib.h: Add PKCS1v2 (RSAES-OAEP) support Zhichao Gao
2019-03-25 4:01 ` [PATCH 6/6] CryptoPkg/BaseCryptLib: " Zhichao Gao
2019-03-25 8:22 ` [PATCH 0/6] Add new APIs for BaseCryptLib Yao, Jiewen
2019-03-28 4:04 ` Gao, Zhichao
2019-04-17 5:57 ` [edk2] " Gao, Zhichao
2019-04-17 6:09 ` Wang, Jian J
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190325040113.18848-4-zhichao.gao@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox