On Mon, May 21, 2012 at 2:04 PM, Felix von Leitner
<felix-open...@fefe.de> wrote:
> Hi!
>
> Has someone with domain knowledge of how OpenSSL works looked at the
> UEFI implementation of AuthentiCode?
>
> I am currently looking at this file in particular:
>
> http://tianocore.git.sourceforge.net/git/gitweb.cgi?p=tianocore/edk2;a=blob;f=CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7.c;h=036412af5989650ebaf360f513e187fe3a07973d;hb=refs/heads/master
>
> This is the current version in the master branch of the UEFI reference
> implementation, which BIOS and device vendors use to make their BIOSes
> from. In particular, this code is used by the UEFI AuthentiCode code,
> which is the core of their secure boot chain.
>
> I'm afraid I find the OpenSSL documentation insufficient to understand
> what that code is actually doing, and whether it is doing it right or
> not. The code starting from line 92 looks very dodgy to me, and I think
> it is there so they can put intermediate certs (as opposed to CA certs)
> into their cert store. I wonder where the cert store is in UEFI. The
> actual OpenSSL code does not appear to be part of the UEFI reference
> code source tree, but UEFI does have a filesystem, so I wonder if you
> could just put certs in your cert store as a user. It's all conjecture
> for now, but it would sure be great if the OpenSSL community would look
> at this code and find out if they are doing it right or not.
30 @retval 1 Current X509 certificate is verified successfully
31 @retval 0 Verification failed.
...
92 if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||
93 (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
94 Status = 1;
95 }
Yeah, that's f**k'd. It looks a lot like "just make the s**t work."
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
