Skip to content

[Feature]: Add Pkcs7GetCertificateChain #265

Description

@Javagedes

Feature Overview

Add a new Crypto function that allows the user to pass in a Pkcs7 signer (Returned from Pkcs7GetSigners) and return all certificates in the embedded certificate chain.

Per PR microsoft/mu_basecore#1809, there is a request that any certificate in the embedded certificate chain of a signer of the image can revoke an image if that certificate's TBS hash is in the DBX. This is not currently possible because Pkcs7GetSigners only returns the certificate(s) that was used to sign the image, rather than all certificates in the signer's chain.

Example Certificate chain

The below certificate chain shows how there may be chained certificates in an image (3), but that only one signer is returned from Pkcs7GetSigners:

   Number of signers: 1
   Number of certificates: 3
   Certificate details:
     Certificate 1:
       Subject: CN=ImageVerificationTestApp Test Leaf Signer
       Issuer: CN=ImageVerificationTestApp Test Intermediate CA
       Serial: 314556928297652248523712714390387598879269811652
       Valid: 2026-07-07 15:04:47+00:00 to 2036-07-04 15:04:47+00:00
     Certificate 2:
       Subject: CN=ImageVerificationTestApp Test Intermediate CA
       Issuer: CN=ImageVerificationTestApp Test Root CA
       Serial: 599383424167630017078964453635053286142044034510
       Valid: 2026-07-07 15:04:46+00:00 to 2036-07-04 15:04:46+00:00
     Certificate 3:
       Subject: CN=ImageVerificationTestApp Test Root CA
       Issuer: CN=ImageVerificationTestApp Test Root CA
       Serial: 38338095520394824745650771619981258967089602714
       Valid: 2026-07-07 15:04:46+00:00 to 2036-07-04 15:04:46+00:00

Solution Overview

The proposed solution would be to create a function that takes as input the AuthData from an image, and one of the signers returned from Pkcs7GetSigners. It then returns a caller owned list of all certificates in that signer's embedded certificate chain.

This would allow the follow to look something like this:

└ foreach Signer in Pkcs7GetSigners(AuthData, AuthDataSize, ...)
    └ foreach Certificate in PkcsPkcs7GetCertificateChain(Signer, SignerSize, ...)
        ├ X509GetTBSCert(Certificate, CertificateSize ...)
        └ IsTBSCertHashInDbx(TBS, TBSSize, ...)

Alternatives Considered

N/A

Urgency

Medium

Are you going to implement the feature request?

Someone else needs to implement the feature

Do you need maintainer feedback?

Maintainer feedback requested

Anything else?

The below tests show three scenarios, all of which should result in the image being rejected. However due to Pkcs7GetSigners only returning the actual signer (in this case the Leaf certificate), only the Signer 1 Leaf TBS Hash in the DBX results in the expected EFI_ACCESS_DENIED.

Signed Image Validation
  ImageValidationScenario
    Description: DB: [Signer 1 Leaf Cert], DBX: [Signer 1 Leaf TBS Hash], Expected: Denied
    Result: PASS
  ImageValidationScenario
    Description: DB: [Signer 1 Leaf Cert], DBX: [Signer 1 Intermediate TBS Hash], Expected: Denied
    Result: FAIL - Status 'Status' is Success, should be Access Denied!
  ImageValidationScenario
    Description: DB: [Signer 1 Leaf Cert], DBX: [Signer 1 LEAF TBS Hash], Expected: Denied
    Result: FAIL - Status 'Status' is Success, should be Access Denied!

Expected Results:

Signed Image Validation
  ImageValidationScenario
    Description: DB: [Signer 1 Leaf Cert], DBX: [Signer 1 Leaf TBS Hash], Expected: Denied
    Result: PASS
  ImageValidationScenario
    Description: DB: [Signer 1 Leaf Cert], DBX: [Signer 1 Intermediate TBS Hash], Expected: Denied
    Result: PASS
  ImageValidationScenario
    Description: DB: [Signer 1 Leaf Cert], DBX: [Signer 1 LEAF TBS Hash], Expected: Denied
    Result: PASS

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions