From: Bret Barkelew <[email protected]>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1402

Add a prototype of new API VerifyEKUsInPkcs7Signature.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhichao Gao <[email protected]>
Cc: Ting Ye <[email protected]>
Cc: Gang Wei <[email protected]>
Cc: Wang Jian J <[email protected]>
Cc: Liming Gao <[email protected]>
Cc: Sean Brogan <[email protected]>
Cc: Michael Turner <[email protected]>
Cc: Bret Barkelew <[email protected]>
---
 CryptoPkg/Include/Library/BaseCryptLib.h | 42 ++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 011e908ee4..37b93a2c63 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -2599,6 +2599,48 @@ Pkcs7Verify (
   IN  UINTN        DataLength
   );
 
+/**
+  This function receives a PKCS7 formatted signature, and then verifies that
+  the specified Enhanced or Extended Key Usages (EKU's) are present in the 
end-entity
+  leaf signing certificate.
+  Note that this function does not validate the certificate chain.
+
+  Applications for custom EKU's are quite flexible. For example, a policy EKU
+  may be present in an Issuing Certificate Authority (CA), and any sub-ordinate
+  certificate issued might also contain this EKU, thus constraining the
+  sub-ordinate certificate.  Other applications might allow a certificate
+  embedded in a device to specify that other Object Identifiers (OIDs) are
+  present which contains binary data specifying custom capabilities that
+  the device is able to do.
+
+  @param[in]  Pkcs7Signature       The PKCS#7 signed information content 
block. An array
+                                   containing the content block with both the 
signature,
+                                   the signer's certificate, and any necessary 
intermediate
+                                   certificates.
+  @param[in]  Pkcs7SignatureSize   Number of bytes in Pkcs7Signature.
+  @param[in]  RequiredEKUs         Array of null-terminated strings listing 
OIDs of
+                                   required EKUs that must be present in the 
signature.
+  @param[in]  RequiredEKUsSize     Number of elements in the RequiredEKUs 
string array.
+  @param[in]  RequireAllPresent    If this is TRUE, then all of the specified 
EKU's
+                                   must be present in the leaf signer.  If it 
is
+                                   FALSE, then we will succeed if we find any
+                                   of the specified EKU's.
+
+  @retval EFI_SUCCESS              The required EKUs were found in the 
signature.
+  @retval EFI_INVALID_PARAMETER    A parameter was invalid.
+  @retval EFI_NOT_FOUND            One or more EKU's were not found in the 
signature.
+
+**/
+RETURN_STATUS
+EFIAPI
+VerifyEKUsInPkcs7Signature (
+  IN  CONST UINT8   *Pkcs7Signature,
+  IN  CONST UINT32  SignatureSize,
+  IN  CONST CHAR8   *RequiredEKUs[],
+  IN  CONST UINT32  RequiredEKUsSize,
+  IN  BOOLEAN       RequireAllPresent
+  );
+
 /**
   Extracts the attached content from a PKCS#7 signed data if existed. The 
input signed
   data could be wrapped in a ContentInfo structure.
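Review bot: the doc block and the prototype disagree on the name of the size argument: the comment documents `@param[in]  Pkcs7SignatureSize   Number of bytes in Pkcs7Signature.` while the declaration reads `IN  CONST UINT32  SignatureSize,`; use one name in both places (Pkcs7SignatureSize matches the Pkcs7Signature buffer it describes). The return values are documented as EFI_SUCCESS, EFI_INVALID_PARAMETER and EFI_NOT_FOUND, but the function returns RETURN_STATUS like the rest of BaseCryptLib, so the @retval lines should name RETURN_SUCCESS, RETURN_INVALID_PARAMETER and RETURN_NOT_FOUND. The two size parameters are declared UINT32, whereas the surrounding Pkcs7Verify context uses `IN  UINTN        DataLength`; declaring them UINTN keeps the library's convention and avoids silent truncation when a caller passes a UINTN length. Since the comment already states that the function does not validate the certificate chain, it would help callers to add one sentence saying that the PKCS#7 signature and its chain must be verified separately (e.g. with Pkcs7Verify) before a positive result from this function is relied upon, because on its own it only confirms that the leaf certificate carries the listed OIDs.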
-- 
2.16.2.windows.1

_______________________________________________
edk2-devel mailing list
[email protected]
https://lists.01.org/mailman/listinfo/edk2-devel