On Mon, May 21, 2012 at 2:04 PM, Felix von Leitner <felix-open...@fefe.de> wrote:
> Hi!
>
> Has someone with domain knowledge of how OpenSSL works looked at the
> UEFI implementation of AuthentiCode?
>
> I am currently looking at this file in particular:
>
> http://tianocore.git.sourceforge.net/git/gitweb.cgi?p=tianocore/edk2;a=blob;f=CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7.c;h=036412af5989650ebaf360f513e187fe3a07973d;hb=refs/heads/master
>
> This is the current version in the master branch of the UEFI reference
> implementation, which BIOS and device vendors use to make their BIOSes
> from. In particular, this code is used by the UEFI AuthentiCode code,
> which is the core of their secure boot chain.
>
> I'm afraid I find the OpenSSL documentation insufficient to understand
> what that code is actually doing, and whether it is doing it right or
> not. The code starting from line 92 looks very dodgy to me, and I think
> it is there so they can put intermediate certs (as opposed to CA certs)
> into their cert store. I wonder where the cert store is in UEFI. The
> actual OpenSSL code does not appear to be part of the UEFI reference
> code source tree, but UEFI does have a filesystem, so I wonder if you
> could just put certs in your cert store as a user. It's all conjecture
> for now, but it would sure be great if the OpenSSL community would look
> at this code and find out if they are doing it right or not.

30   @retval  1      Current X509 certificate is verified successfully
31   @retval  0      Verification failed.
...
92   if ((Error == X509_V_ERR_CERT_UNTRUSTED) ||
93       (Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
94     Status = 1;
95   }

Yeah, that's f**k'd. It looks a lot like "just make the s**t work."
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
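
Added example, not part of the thread and not EDK2 or OpenSSL code: a stand-alone C model of the branch quoted at lines 92-95, next to a strict form and an audit helper that lists which failure codes a callback turns into success. It assumes the excerpt is an OpenSSL certificate-verify callback, where returning 1 for a reported failure tells the library to carry on as if the check had passed. The names permissive_cb, strict_cb, verify_cb and overridden_errors are hypothetical.

```c
#include <stdio.h>

/* Numeric values as assigned in OpenSSL's <openssl/x509_vfy.h>, redefined
 * here so the model builds without OpenSSL installed. */
#define X509_V_ERR_CERT_HAS_EXPIRED                  10
#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT       18
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE   21
#define X509_V_ERR_CERT_UNTRUSTED                    27

/* Simplified callback type (assumption): the real callback receives an
 * X509_STORE_CTX* and reads the code via X509_STORE_CTX_get_error(). */
typedef int (*verify_cb)(int ok, int error);

/* Branch quoted at lines 92-95; passing `ok` through for every other code
 * is an assumption, since the rest of the function is not quoted. */
int permissive_cb(int ok, int error) {
    if (error == X509_V_ERR_CERT_UNTRUSTED ||
        error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
        return 1;
    return ok;
}

/* Strict form: a failure reported by the library is never upgraded. */
int strict_cb(int ok, int error) { (void)error; return ok; }

static const int audited[] = {
    X509_V_ERR_CERT_HAS_EXPIRED, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
    X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, X509_V_ERR_CERT_UNTRUSTED };

/* Audit a callback: present each code as a failure (ok = 0) and collect the
 * codes for which it still answers 1. Returns the number collected. */
size_t overridden_errors(verify_cb cb, int *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < sizeof audited / sizeof audited[0]; i++)
        if (cb(0, audited[i]) == 1 && n < cap)
            out[n++] = audited[i];
    return n;
}

int main(void) {
    int hit[8];
    size_t n = overridden_errors(permissive_cb, hit, 8);
    for (size_t i = 0; i < n; i++)
        printf("permissive callback accepts error %d\n", hit[i]);
    printf("strict overrides: %zu\n", overridden_errors(strict_cb, hit, 8));
    return 0;
}
```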