summaryrefslogtreecommitdiff
path: root/include
diff options
context:
space:
mode:
authorAKASHI Takahiro <takahiro.akashi@linaro.org>2020-07-21 19:35:22 +0900
committerHeinrich Schuchardt <xypron.glpk@gmx.de>2020-08-13 22:37:36 +0200
commit1115edd8462b047f83fcca4abcf89b68f2d87041 (patch)
tree724a209c24bfe0ec2c6ce63341d0a699f6fa8c37 /include
parent0658bb29b026a6af434b9e0cdeced5d25bdd206f (diff)
efi_loader: signature: rework for intermediate certificates support
In this commit, efi_signature_verify(with_sigdb) will be re-implemented using pcks7_verify_one() in order to support certificates chain, where the signer's certificate will be signed by an intermediate CA (certificate authority) and the latter's certificate will also be signed by another CA and so on. What we need to do here is to search for certificates in a signature, build up a chain of certificates and verify one by one. pkcs7_verify_one() handles most of these steps except the last one. pkcs7_verify_one() returns, if succeeded, the last certificate to verify, which can be either a self-signed one or one that should be signed by one of certificates in "db". Re-worked efi_signature_verify() will take care of this step. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Diffstat (limited to 'include')
-rw-r--r--include/efi_loader.h8
1 files changed, 4 insertions, 4 deletions
diff --git a/include/efi_loader.h b/include/efi_loader.h
index 7f0ab1be56..b941b5e994 100644
--- a/include/efi_loader.h
+++ b/include/efi_loader.h
@@ -776,10 +776,10 @@ bool efi_signature_lookup_digest(struct efi_image_regions *regs,
bool efi_signature_verify_one(struct efi_image_regions *regs,
struct pkcs7_message *msg,
struct efi_signature_store *db);
-bool efi_signature_verify_with_sigdb(struct efi_image_regions *regs,
- struct pkcs7_message *msg,
- struct efi_signature_store *db,
- struct efi_signature_store *dbx);
+bool efi_signature_verify(struct efi_image_regions *regs,
+ struct pkcs7_message *msg,
+ struct efi_signature_store *db,
+ struct efi_signature_store *dbx);
bool efi_signature_check_signers(struct pkcs7_message *msg,
struct efi_signature_store *dbx);