Optionally enabling codesign EKU check in compiling time.

This commit also supersedes PR#232 which was closed on Jul 1, 2021.
So that original codesign EKU codes cannot be bothered.

To enable the codesign check, ENABLE_CODESIGN_EKU can be set to 1.
To disable the codesign check, ENABLE_CODESIGN_EKU can be set to 0
or just omit this flag.

For example:
make xxxx ENABLE_CODESIGN_EKU=1 xxxx shim.efi

Signed-off-by: Dennis Tseng <[email protected]>

Cryptlib/InternalCryptLib.h

@@ -32,6 +32,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #define OBJ_length(o) ((o)->length)
 #endif
 
+#if defined(ENABLE_CODESIGN_EKU)
 /**
   Check input P7Data is a wrapped ContentInfo structure or not. If not construct
   a new structure to wrap P7Data.
@@ -65,4 +66,4 @@ WrapPkcs7Data (
   );
 
 #endif
-
+#endif

Cryptlib/Library/BaseCryptLib.h

@@ -2403,6 +2403,7 @@ Pkcs7Verify (
   IN  UINTN        DataLength
   );
 
+#if defined(ENABLE_CODESIGN_EKU)
 /**
   This function receives a PKCS#7 formatted signature blob,
   looks for the EKU SEQUENCE blob, and if found then looks
@@ -2442,6 +2443,7 @@ VerifyEKUsInPkcs7Signature (
   IN CONST UINT32   RequiredEKUsSize,
   IN BOOLEAN        RequireAllPresent
   );
+#endif
 
 /**
   Extracts the attached content from a PKCS#7 signed data if existed. The input signed

Cryptlib/Makefile

@@ -37,6 +37,9 @@ endif
 ifeq ($(ARCH),arm)
 DEFINES		+= -DMDE_CPU_ARM
 endif
+ifeq ($(ENABLE_CODESIGN_EKU),1)
+DEFINES += -DENABLE_CODESIGN_EKU
+endif
 
 LDFLAGS		= -nostdlib -znocombreloc
 
@@ -57,7 +60,6 @@ OBJS		=   Hash/CryptMd4Null.o \
 		    Pk/CryptRsaExtNull.o \
 		    Pk/CryptPkcs7SignNull.o \
 		    Pk/CryptPkcs7Verify.o \
-		    Pk/CryptPkcs7VerifyEku.o \
 		    Pk/CryptDhNull.o \
 		    Pk/CryptTs.o \
 		    Pk/CryptX509.o \
@@ -68,6 +70,10 @@ OBJS		=   Hash/CryptMd4Null.o \
 		    SysCall/BaseMemAllocation.o \
 		    SysCall/BaseStrings.o
 
+ifeq ($(ENABLE_CODESIGN_EKU),1)
+	OBJS += Pk/CryptPkcs7VerifyEku.o
+endif
+
 all: $(TARGET)
 
 libcryptlib.a: $(OBJS)

Cryptlib/Pk/CryptPkcs7Verify.c

@@ -29,8 +29,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <openssl/pkcs7.h>
 
 UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
+#if defined(ENABLE_CODESIGN_EKU)
 /* EKU CodeSign */
 CHAR8 mOidCodeSign[] = "1.3.6.1.5.5.7.3.3";
+#endif
 
 #if 1
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
@@ -848,8 +850,10 @@ Pkcs7Verify (
   CONST UINT8 *Temp;
   UINTN       SignedDataSize;
   BOOLEAN     Wrapped;
+#if defined(ENABLE_CODESIGN_EKU)  
   CONST CHAR8 *Ekus[1];
   EFI_STATUS  EFI_Status;
+#endif  
 
   //
   // Check input parameters.
@@ -863,7 +867,9 @@ Pkcs7Verify (
   DataBio   = NULL;
   Cert      = NULL;
   CertStore = NULL;
+#if defined(ENABLE_CODESIGN_EKU)  
   Ekus[0]   = mOidCodeSign;
+#endif  
 
   //
   // Register & Initialize necessary digest algorithms for PKCS#7 Handling
@@ -963,10 +969,12 @@ Pkcs7Verify (
   //
   X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
 
+#if defined(ENABLE_CODESIGN_EKU)  
   EFI_Status = VerifyEKUsInPkcs7Signature(P7Data, P7Length, Ekus, 1, TRUE);
   if (EFI_Status != EFI_SUCCESS) {
 	  goto _Exit;
   }
+#endif  
 
   //
   // Verifies the PKCS#7 signedData structure