2020-10-09 00:37:46 +02:00
|
|
|
/** @file -- Pkcs7EkuVerify.c
|
|
|
|
* Copyright (c) Microsoft Corporation.
|
|
|
|
* SPDX-License-Identifier: BSD-2-Clause-Patent
|
|
|
|
|
|
|
|
This is an test code which verifies specified
|
|
|
|
Enhanced Key Usages (EKU)'s are present in the leaf signer
|
|
|
|
of a PKCS7 formatted signature.
|
|
|
|
|
|
|
|
|
|
|
|
A typical signing certificate chain looks like this: (Could be RSA or ECC).
|
|
|
|
|
|
|
|
------------------------------------------
|
|
|
|
| | // Root of trust. ECDSA P521 curve
|
|
|
|
| TestEKUParsingRoot | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
|
|
|
|
| | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
|
|
|
|
------------------------------------------
|
|
|
|
^
|
|
|
|
|
|
|
|
|
------------------------------------------
|
|
|
|
| | // Policy CA. Issues subordinate CAs. ECC P384 curve.
|
|
|
|
| TestEKUParsingPolicyCA | // SHA 256 Key Usage:
|
|
|
|
| | // CERT_KEY_CERT_SIGN_KEY_USAGE | CERT_CRL_SIGN_KEY_USAGE
|
|
|
|
------------------------------------------
|
|
|
|
^
|
|
|
|
|
|
|
|
|
------------------------------------------
|
|
|
|
| | // Issues end-entity (leaf) signers. ECC P256 curve.
|
|
|
|
| TestEKUParsingIssuingCA | // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
|
|
|
|
| | // Enhanced Key Usage:
|
|
|
|
------------------------------------------ // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
|
|
|
|
^
|
|
|
|
|
|
|
|
|
--------------------------------------
|
|
|
|
/ TestEKUParsingLeafSigner && / // Leaf signer, ECC P256 curve.
|
|
|
|
/ TestEKUParsingLeafSignerPid12345 / // SHA 256 Key Usage: CERT_DIGITAL_SIGNATURE_KEY_USAGE
|
|
|
|
/ / // Enhanced Key usages:
|
|
|
|
-------------------------------------- // 1.3.6.1.4.1.311.76.9.21.1 (Surface firmware signing)
|
|
|
|
// 1.3.6.1.4.1.311.76.9.21.1.N, N == Product ID.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
|
|
|
#include "TestBaseCryptLib.h"
|
|
|
|
|
|
|
|
#include "Pkcs7EkuTestSignatures.h"
|
|
|
|
|
|
|
|
EFI_STATUS
|
|
|
|
EFIAPI
|
|
|
|
VerifyEKUsInPkcs7Signature (
|
|
|
|
IN CONST UINT8 *Pkcs7Signature,
|
|
|
|
IN CONST UINT32 SignatureSize,
|
|
|
|
IN CONST CHAR8 *RequiredEKUs[],
|
|
|
|
IN CONST UINT32 RequiredEKUsSize,
|
|
|
|
IN BOOLEAN RequireAllPresent
|
|
|
|
);
|
|
|
|
|
|
|
|
/// ================================================================================================
|
|
|
|
/// ================================================================================================
|
|
|
|
///
|
|
|
|
/// TEST CASES
|
|
|
|
///
|
|
|
|
/// ================================================================================================
|
|
|
|
/// ================================================================================================
|
|
|
|
|
|
|
|
CONST CHAR8 FIRMWARE_SIGNER_EKU[] = "1.3.6.1.4.1.311.76.9.21.1";
|
|
|
|
|
|
|
|
/**
|
|
|
|
TestVerifyEKUsInSignature()
|
|
|
|
|
|
|
|
Verify that "1.3.6.1.4.1.311.76.9.21.1" (Firmware signature) is in the
|
|
|
|
leaf signer certificate.
|
|
|
|
|
|
|
|
|
|
|
|
@param[in] Framework - Unit-test framework handle.
|
|
|
|
@param[in] Context - Optional context pointer for this test.
|
|
|
|
|
|
|
|
@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
|
|
|
|
@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
|
|
|
|
**/
|
|
|
|
static
|
|
|
|
UNIT_TEST_STATUS
|
|
|
|
EFIAPI
|
|
|
|
TestVerifyEKUsInSignature (
|
|
|
|
IN UNIT_TEST_CONTEXT Context
|
|
|
|
)
|
|
|
|
{
|
|
|
|
EFI_STATUS Status = EFI_SUCCESS;
|
|
|
|
|
|
|
|
CONST CHAR8 *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };
|
|
|
|
|
|
|
|
Status = VerifyEKUsInPkcs7Signature (
|
|
|
|
ProductionECCSignature,
|
|
|
|
ARRAY_SIZE (ProductionECCSignature),
|
|
|
|
(CONST CHAR8 **)RequiredEKUs,
|
|
|
|
ARRAY_SIZE (RequiredEKUs),
|
|
|
|
TRUE
|
|
|
|
);
|
|
|
|
UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);
|
|
|
|
|
|
|
|
return UNIT_TEST_PASSED;
|
|
|
|
}// TestVerifyEKUsInSignature()
|
|
|
|
|
|
|
|
/**
|
|
|
|
TestVerifyEKUsWith3CertsInSignature()
|
|
|
|
|
|
|
|
This PKCS7 signature has 3 certificates in it. (Policy CA, Issuing CA
|
|
|
|
and leaf signer). It has one firmware signing EKU in it.
|
|
|
|
"1.3.6.1.4.1.311.76.9.21.1"
|
|
|
|
|
|
|
|
@param[in] Framework - Unit-test framework handle.
|
|
|
|
@param[in] Context - Optional context pointer for this test.
|
|
|
|
|
|
|
|
@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
|
|
|
|
@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
|
|
|
|
**/
|
|
|
|
static
|
|
|
|
UNIT_TEST_STATUS
|
|
|
|
EFIAPI
|
|
|
|
TestVerifyEKUsWith3CertsInSignature (
|
|
|
|
IN UNIT_TEST_CONTEXT Context
|
|
|
|
)
|
|
|
|
{
|
|
|
|
EFI_STATUS Status = EFI_SUCCESS;
|
|
|
|
|
|
|
|
CONST CHAR8 *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };
|
|
|
|
|
|
|
|
Status = VerifyEKUsInPkcs7Signature (
|
|
|
|
TestSignEKUsWith3CertsInSignature,
|
|
|
|
ARRAY_SIZE (TestSignEKUsWith3CertsInSignature),
|
|
|
|
(CONST CHAR8 **)RequiredEKUs,
|
|
|
|
ARRAY_SIZE (RequiredEKUs),
|
|
|
|
TRUE
|
|
|
|
);
|
|
|
|
UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);
|
|
|
|
|
|
|
|
return UNIT_TEST_PASSED;
|
|
|
|
}// TestVerifyEKUsWith3CertsInSignature()
|
|
|
|
|
|
|
|
/**
|
|
|
|
TestVerifyEKUsWith2CertsInSignature()
|
|
|
|
|
|
|
|
This PKCS7 signature has 2 certificates in it. (Issuing CA and leaf signer).
|
|
|
|
It has one firmware signing EKU in it. "1.3.6.1.4.1.311.76.9.21.1"
|
|
|
|
|
|
|
|
@param[in] Framework - Unit-test framework handle.
|
|
|
|
@param[in] Context - Optional context pointer for this test.
|
|
|
|
|
|
|
|
@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
|
|
|
|
@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
|
|
|
|
**/
|
|
|
|
static
|
|
|
|
UNIT_TEST_STATUS
|
|
|
|
EFIAPI
|
|
|
|
TestVerifyEKUsWith2CertsInSignature (
|
|
|
|
IN UNIT_TEST_CONTEXT Context
|
|
|
|
)
|
|
|
|
{
|
|
|
|
EFI_STATUS Status = EFI_SUCCESS;
|
|
|
|
|
|
|
|
CONST CHAR8 *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };
|
|
|
|
|
|
|
|
Status = VerifyEKUsInPkcs7Signature (
|
|
|
|
TestSignEKUsWith2CertsInSignature,
|
|
|
|
ARRAY_SIZE (TestSignEKUsWith2CertsInSignature),
|
|
|
|
(CONST CHAR8 **)RequiredEKUs,
|
|
|
|
ARRAY_SIZE (RequiredEKUs),
|
|
|
|
TRUE
|
|
|
|
);
|
|
|
|
UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);
|
|
|
|
|
|
|
|
return UNIT_TEST_PASSED;
|
|
|
|
}// TestVerifyEKUsWith2CertsInSignature()
|
|
|
|
|
|
|
|
/**
|
|
|
|
TestVerifyEKUsWith1CertInSignature()
|
|
|
|
|
|
|
|
This PKCS7 signature only has the leaf signer in it.
|
|
|
|
It has one firmware signing EKU in it. "1.3.6.1.4.1.311.76.9.21.1"
|
|
|
|
|
|
|
|
@param[in] Framework - Unit-test framework handle.
|
|
|
|
@param[in] Context - Optional context pointer for this test.
|
|
|
|
|
|
|
|
@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
|
|
|
|
@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
|
|
|
|
**/
|
|
|
|
static
|
|
|
|
UNIT_TEST_STATUS
|
|
|
|
EFIAPI
|
|
|
|
TestVerifyEKUsWith1CertInSignature (
|
|
|
|
IN UNIT_TEST_CONTEXT Context
|
|
|
|
)
|
|
|
|
{
|
|
|
|
EFI_STATUS Status = EFI_SUCCESS;
|
|
|
|
|
|
|
|
CONST CHAR8 *RequiredEKUs[] = { FIRMWARE_SIGNER_EKU };
|
|
|
|
|
|
|
|
Status = VerifyEKUsInPkcs7Signature (
|
|
|
|
TestSignEKUsWith1CertInSignature,
|
|
|
|
ARRAY_SIZE (TestSignEKUsWith1CertInSignature),
|
|
|
|
(CONST CHAR8 **)RequiredEKUs,
|
|
|
|
ARRAY_SIZE (RequiredEKUs),
|
|
|
|
TRUE
|
|
|
|
);
|
|
|
|
UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);
|
|
|
|
|
|
|
|
return UNIT_TEST_PASSED;
|
|
|
|
}// TestVerifyEKUsWith1CertInSignature()
|
|
|
|
|
|
|
|
/**
|
|
|
|
TestVerifyEKUsWithMultipleEKUsInCert()
|
|
|
|
|
|
|
|
|
|
|
|
This signature has two EKU's in it:
|
|
|
|
"1.3.6.1.4.1.311.76.9.21.1"
|
|
|
|
"1.3.6.1.4.1.311.76.9.21.2"
|
|
|
|
We verify that both EKU's were present in the leaf signer.
|
|
|
|
|
|
|
|
@param[in] Framework - Unit-test framework handle.
|
|
|
|
@param[in] Context - Optional context pointer for this test.
|
|
|
|
|
|
|
|
@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
|
|
|
|
@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
|
|
|
|
**/
|
|
|
|
static
|
|
|
|
UNIT_TEST_STATUS
|
|
|
|
EFIAPI
|
|
|
|
TestVerifyEKUsWithMultipleEKUsInCert (
|
|
|
|
IN UNIT_TEST_CONTEXT Context
|
|
|
|
)
|
|
|
|
{
|
|
|
|
EFI_STATUS Status = EFI_SUCCESS;
|
2021-12-05 23:53:54 +01:00
|
|
|
|
2020-10-09 00:37:46 +02:00
|
|
|
CONST CHAR8 *RequiredEKUs[] = {
|
|
|
|
"1.3.6.1.4.1.311.76.9.21.1",
|
|
|
|
"1.3.6.1.4.1.311.76.9.21.1.2"
|
|
|
|
};
|
2021-12-05 23:53:54 +01:00
|
|
|
|
2020-10-09 00:37:46 +02:00
|
|
|
Status = VerifyEKUsInPkcs7Signature (
|
|
|
|
TestSignedWithMultipleEKUsInCert,
|
|
|
|
ARRAY_SIZE (TestSignedWithMultipleEKUsInCert),
|
|
|
|
(CONST CHAR8 **)RequiredEKUs,
|
|
|
|
ARRAY_SIZE (RequiredEKUs),
|
|
|
|
TRUE
|
|
|
|
);
|
|
|
|
UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);
|
|
|
|
|
|
|
|
return UNIT_TEST_PASSED;
|
|
|
|
}// TestVerifyEKUsWithMultipleEKUsInCert()
|
|
|
|
|
|
|
|
/**
|
|
|
|
TestEkusNotPresentInSignature()
|
|
|
|
|
|
|
|
This test verifies that if we send an EKU that is not in the signature,
|
|
|
|
that we get back an error.
|
|
|
|
|
|
|
|
@param[in] Framework - Unit-test framework handle.
|
|
|
|
@param[in] Context - Optional context pointer for this test.
|
|
|
|
|
|
|
|
@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
|
|
|
|
@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
|
|
|
|
**/
|
|
|
|
static
|
|
|
|
UNIT_TEST_STATUS
|
|
|
|
EFIAPI
|
|
|
|
TestEkusNotPresentInSignature (
|
|
|
|
IN UNIT_TEST_CONTEXT Context
|
|
|
|
)
|
|
|
|
{
|
|
|
|
EFI_STATUS Status = EFI_SUCCESS;
|
|
|
|
|
|
|
|
//
|
|
|
|
// This EKU is not in the signature.
|
|
|
|
//
|
|
|
|
CONST CHAR8 *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.3" };
|
2021-12-05 23:53:54 +01:00
|
|
|
|
2020-10-09 00:37:46 +02:00
|
|
|
Status = VerifyEKUsInPkcs7Signature (
|
|
|
|
TestSignedWithMultipleEKUsInCert,
|
|
|
|
ARRAY_SIZE (TestSignedWithMultipleEKUsInCert),
|
|
|
|
(CONST CHAR8 **)RequiredEKUs,
|
|
|
|
ARRAY_SIZE (RequiredEKUs),
|
|
|
|
TRUE
|
|
|
|
);
|
|
|
|
UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);
|
|
|
|
|
|
|
|
return UNIT_TEST_PASSED;
|
|
|
|
}// TestEkusNotPresentInSignature()
|
|
|
|
|
|
|
|
/**
|
|
|
|
TestEkusNotPresentInSignature()
|
|
|
|
|
|
|
|
This test signature has two EKU's in it: (Product ID is 10001)
|
|
|
|
"1.3.6.1.4.1.311.76.9.21.1"
|
|
|
|
"1.3.6.1.4.1.311.76.9.21.1.10001"
|
|
|
|
|
|
|
|
@param[in] Framework - Unit-test framework handle.
|
|
|
|
@param[in] Context - Optional context pointer for this test.
|
|
|
|
|
|
|
|
@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
|
|
|
|
@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
|
|
|
|
**/
|
|
|
|
static
|
|
|
|
UNIT_TEST_STATUS
|
|
|
|
EFIAPI
|
|
|
|
TestProductId10001PresentInSignature (
|
|
|
|
IN UNIT_TEST_CONTEXT Context
|
|
|
|
)
|
|
|
|
{
|
|
|
|
EFI_STATUS Status = EFI_SUCCESS;
|
|
|
|
|
|
|
|
//
|
|
|
|
// These EKU's are present in the leaf signer certificate.
|
|
|
|
//
|
|
|
|
CONST CHAR8 *RequiredEKUs[] = {
|
|
|
|
"1.3.6.1.4.1.311.76.9.21.1",
|
|
|
|
"1.3.6.1.4.1.311.76.9.21.1.10001"
|
|
|
|
};
|
2021-12-05 23:53:54 +01:00
|
|
|
|
2020-10-09 00:37:46 +02:00
|
|
|
Status = VerifyEKUsInPkcs7Signature (
|
|
|
|
TestSignedWithProductId10001,
|
|
|
|
ARRAY_SIZE (TestSignedWithProductId10001),
|
|
|
|
(CONST CHAR8 **)RequiredEKUs,
|
|
|
|
ARRAY_SIZE (RequiredEKUs),
|
|
|
|
TRUE
|
|
|
|
);
|
|
|
|
UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);
|
|
|
|
|
|
|
|
return UNIT_TEST_PASSED;
|
|
|
|
}// TestProductId10001PresentInSignature()
|
|
|
|
|
|
|
|
/**
|
|
|
|
TestOnlyOneEkuInListRequired()
|
|
|
|
|
|
|
|
This test will check the BOOLEAN RequireAllPresent parameter in the
|
|
|
|
call to VerifyEKUsInPkcs7Signature() behaves properly. The signature
|
|
|
|
has two EKU's in it:
|
|
|
|
|
|
|
|
"1.3.6.1.4.1.311.76.9.21.1"
|
|
|
|
"1.3.6.1.4.1.311.76.9.21.1.10001"
|
|
|
|
|
|
|
|
but we only pass in one of them, and set RequireAllPresent to FALSE.
|
|
|
|
|
|
|
|
@param[in] Framework - Unit-test framework handle.
|
|
|
|
@param[in] Context - Optional context pointer for this test.
|
|
|
|
|
|
|
|
@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
|
|
|
|
@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
|
|
|
|
**/
|
|
|
|
static
|
|
|
|
UNIT_TEST_STATUS
|
|
|
|
EFIAPI
|
|
|
|
TestOnlyOneEkuInListRequired (
|
|
|
|
IN UNIT_TEST_CONTEXT Context
|
|
|
|
)
|
|
|
|
{
|
|
|
|
EFI_STATUS Status = EFI_SUCCESS;
|
|
|
|
|
|
|
|
//
|
|
|
|
// This will test the flag that specifies it is OK to succeed if
|
|
|
|
// any one of the EKU's passed in is found.
|
|
|
|
//
|
|
|
|
CONST CHAR8 *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1.10001" };
|
2021-12-05 23:53:54 +01:00
|
|
|
|
2020-10-09 00:37:46 +02:00
|
|
|
Status = VerifyEKUsInPkcs7Signature (
|
|
|
|
TestSignedWithProductId10001,
|
|
|
|
ARRAY_SIZE (TestSignedWithProductId10001),
|
|
|
|
(CONST CHAR8 **)RequiredEKUs,
|
|
|
|
ARRAY_SIZE (RequiredEKUs),
|
|
|
|
FALSE
|
|
|
|
);
|
|
|
|
UT_ASSERT_STATUS_EQUAL (Status, EFI_SUCCESS);
|
|
|
|
|
|
|
|
return UNIT_TEST_PASSED;
|
|
|
|
}// TestOnlyOneEkuInListRequired()
|
|
|
|
|
|
|
|
/**
|
|
|
|
TestNoEKUsInSignature()
|
|
|
|
|
|
|
|
This test uses a signature that was signed with a certificate that does
|
|
|
|
not contain any EKUs.
|
|
|
|
|
|
|
|
|
|
|
|
@param[in] Framework - Unit-test framework handle.
|
|
|
|
@param[in] Context - Optional context pointer for this test.
|
|
|
|
|
|
|
|
@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
|
|
|
|
@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
|
|
|
|
**/
|
|
|
|
static
|
|
|
|
UNIT_TEST_STATUS
|
|
|
|
EFIAPI
|
|
|
|
TestNoEKUsInSignature (
|
|
|
|
IN UNIT_TEST_CONTEXT Context
|
|
|
|
)
|
|
|
|
{
|
|
|
|
EFI_STATUS Status = EFI_SUCCESS;
|
|
|
|
|
|
|
|
//
|
|
|
|
// This EKU is not in the certificate, so it should fail.
|
|
|
|
//
|
|
|
|
CONST CHAR8 *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1" };
|
2021-12-05 23:53:54 +01:00
|
|
|
|
2020-10-09 00:37:46 +02:00
|
|
|
Status = VerifyEKUsInPkcs7Signature (
|
|
|
|
TestSignatureWithNoEKUsPresent,
|
|
|
|
ARRAY_SIZE (TestSignatureWithNoEKUsPresent),
|
|
|
|
(CONST CHAR8 **)RequiredEKUs,
|
|
|
|
ARRAY_SIZE (RequiredEKUs),
|
|
|
|
TRUE
|
|
|
|
);
|
|
|
|
UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);
|
|
|
|
|
|
|
|
return UNIT_TEST_PASSED;
|
|
|
|
}// TestNoEKUsInSignature()
|
|
|
|
|
|
|
|
/**
|
|
|
|
TestInvalidParameters()
|
|
|
|
|
|
|
|
Passes the API invalid parameters, and ensures that it does not succeed.
|
|
|
|
|
|
|
|
@param[in] Framework - Unit-test framework handle.
|
|
|
|
@param[in] Context - Optional context pointer for this test.
|
|
|
|
|
|
|
|
@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
|
|
|
|
@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
|
|
|
|
**/
|
|
|
|
static
|
|
|
|
UNIT_TEST_STATUS
|
|
|
|
EFIAPI
|
|
|
|
TestInvalidParameters (
|
|
|
|
IN UNIT_TEST_CONTEXT Context
|
|
|
|
)
|
|
|
|
{
|
|
|
|
EFI_STATUS Status = EFI_SUCCESS;
|
|
|
|
|
|
|
|
CONST CHAR8 *RequiredEKUs[] = { "1.3.6.1.4.1.311.76.9.21.1" };
|
|
|
|
|
|
|
|
//
|
|
|
|
// Check bad signature.
|
|
|
|
//
|
|
|
|
Status = VerifyEKUsInPkcs7Signature (
|
|
|
|
NULL,
|
|
|
|
0,
|
|
|
|
(CONST CHAR8 **)RequiredEKUs,
|
|
|
|
ARRAY_SIZE (RequiredEKUs),
|
|
|
|
TRUE
|
|
|
|
);
|
|
|
|
UT_ASSERT_STATUS_EQUAL (Status, EFI_INVALID_PARAMETER);
|
|
|
|
|
|
|
|
//
|
|
|
|
// Check invalid EKU's
|
|
|
|
//
|
|
|
|
Status = VerifyEKUsInPkcs7Signature (
|
|
|
|
TestSignatureWithNoEKUsPresent,
|
|
|
|
ARRAY_SIZE (TestSignatureWithNoEKUsPresent),
|
|
|
|
(CONST CHAR8 **)NULL,
|
|
|
|
0,
|
|
|
|
TRUE
|
|
|
|
);
|
|
|
|
UT_ASSERT_STATUS_EQUAL (Status, EFI_INVALID_PARAMETER);
|
|
|
|
|
|
|
|
return UNIT_TEST_PASSED;
|
|
|
|
}// TestInvalidParameters()
|
|
|
|
|
|
|
|
/**
|
|
|
|
TestEKUSubStringFails()
|
|
|
|
|
|
|
|
Pass the API a sub set and super set of an EKU and ensure that they
|
|
|
|
don't pass.
|
|
|
|
|
|
|
|
@param[in] Framework - Unit-test framework handle.
|
|
|
|
@param[in] Context - Optional context pointer for this test.
|
|
|
|
|
|
|
|
@retval UNIT_TEST_PASSED - The required EKUs were found in the signature.
|
|
|
|
@retval UNIT_TEST_ERROR_TEST_FAILED - Something failed, check the debug output.
|
|
|
|
**/
|
|
|
|
static
|
|
|
|
UNIT_TEST_STATUS
|
|
|
|
EFIAPI
|
|
|
|
TestEKUSubsetSupersetFails (
|
|
|
|
IN UNIT_TEST_CONTEXT Context
|
|
|
|
)
|
|
|
|
{
|
|
|
|
EFI_STATUS Status = EFI_SUCCESS;
|
|
|
|
|
|
|
|
//
|
|
|
|
// This signature has an EKU of:
|
|
|
|
// "1.3.6.1.4.1.311.76.9.21.1.10001"
|
|
|
|
// so ensure that
|
|
|
|
// "1.3.6.1.4.1.311.76.9.21"
|
|
|
|
// does not pass.
|
|
|
|
//
|
|
|
|
CONST CHAR8 *RequiredEKUs1[] = { "1.3.6.1.4.1.311.76.9.21" };
|
2021-12-05 23:53:54 +01:00
|
|
|
|
2020-10-09 00:37:46 +02:00
|
|
|
Status = VerifyEKUsInPkcs7Signature (
|
|
|
|
TestSignedWithProductId10001,
|
|
|
|
ARRAY_SIZE (TestSignedWithProductId10001),
|
|
|
|
(CONST CHAR8 **)RequiredEKUs1,
|
|
|
|
ARRAY_SIZE (RequiredEKUs1),
|
|
|
|
TRUE
|
|
|
|
);
|
|
|
|
UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);
|
|
|
|
|
|
|
|
//
|
|
|
|
// This signature has an EKU of:
|
|
|
|
// "1.3.6.1.4.1.311.76.9.21.1.10001"
|
|
|
|
// so ensure that a super set
|
|
|
|
// "1.3.6.1.4.1.311.76.9.21.1.10001.1"
|
|
|
|
// does not pass.
|
|
|
|
//
|
|
|
|
CONST CHAR8 *RequiredEKUs2[] = { "1.3.6.1.4.1.311.76.9.21.1.10001.1" };
|
2021-12-05 23:53:54 +01:00
|
|
|
|
2020-10-09 00:37:46 +02:00
|
|
|
Status = VerifyEKUsInPkcs7Signature (
|
|
|
|
TestSignedWithProductId10001,
|
|
|
|
ARRAY_SIZE (TestSignedWithProductId10001),
|
|
|
|
(CONST CHAR8 **)RequiredEKUs2,
|
|
|
|
ARRAY_SIZE (RequiredEKUs2),
|
|
|
|
TRUE
|
|
|
|
);
|
|
|
|
UT_ASSERT_NOT_EQUAL (Status, EFI_SUCCESS);
|
|
|
|
|
|
|
|
return UNIT_TEST_PASSED;
|
|
|
|
}// TestEKUSubsetSupersetFails()
|
|
|
|
|
|
|
|
TEST_DESC mPkcs7EkuTest[] = {
|
|
|
|
//
|
|
|
|
// -----Description--------------------------------Class----------------------------Function------------------------------Pre---Post--Context
|
|
|
|
//
|
|
|
|
{ "TestVerifyEKUsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsInSignature, NULL, NULL, NULL },
|
|
|
|
{ "TestVerifyEKUsWith3CertsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWith3CertsInSignature, NULL, NULL, NULL },
|
|
|
|
{ "TestVerifyEKUsWith2CertsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWith2CertsInSignature, NULL, NULL, NULL },
|
|
|
|
{ "TestVerifyEKUsWith1CertInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWith1CertInSignature, NULL, NULL, NULL },
|
|
|
|
{ "TestVerifyEKUsWithMultipleEKUsInCert()", "CryptoPkg.BaseCryptLib.Eku", TestVerifyEKUsWithMultipleEKUsInCert, NULL, NULL, NULL },
|
|
|
|
{ "TestEkusNotPresentInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestEkusNotPresentInSignature, NULL, NULL, NULL },
|
|
|
|
{ "TestProductId10001PresentInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestProductId10001PresentInSignature, NULL, NULL, NULL },
|
|
|
|
{ "TestOnlyOneEkuInListRequired()", "CryptoPkg.BaseCryptLib.Eku", TestOnlyOneEkuInListRequired, NULL, NULL, NULL },
|
|
|
|
{ "TestNoEKUsInSignature()", "CryptoPkg.BaseCryptLib.Eku", TestNoEKUsInSignature, NULL, NULL, NULL },
|
|
|
|
{ "TestInvalidParameters()", "CryptoPkg.BaseCryptLib.Eku", TestInvalidParameters, NULL, NULL, NULL },
|
|
|
|
{ "TestEKUSubsetSupersetFails()", "CryptoPkg.BaseCryptLib.Eku", TestEKUSubsetSupersetFails, NULL, NULL, NULL },
|
|
|
|
};
|
|
|
|
|
|
|
|
UINTN mPkcs7EkuTestNum = ARRAY_SIZE (mPkcs7EkuTest);
|