Hi! Has someone with domain knowledge of how OpenSSL works looked at the UEFI implementation of AuthentiCode?
I am currently looking at this file in particular:

http://tianocore.git.sourceforge.net/git/gitweb.cgi?p=tianocore/edk2;a=blob;f=CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7.c;h=036412af5989650ebaf360f513e187fe3a07973d;hb=refs/heads/master

This is the current version in the master branch of the UEFI reference implementation, which BIOS and device vendors use to make their BIOSes from. In particular, this code is used by the UEFI AuthentiCode code, which is the core of their secure boot chain.

I'm afraid I find the OpenSSL documentation insufficient to understand what that code is actually doing, and whether it is doing it right or not. The code starting from line 92 looks very dodgy to me, and I think it is there so they can put intermediate certs (as opposed to CA certs) into their cert store.

I wonder where the cert store is in UEFI. The actual OpenSSL code does not appear to be part of the UEFI reference code source tree, but UEFI does have a filesystem, so I wonder if you could just put certs in your cert store as a user.

It's all conjecture for now, but it would sure be great if the OpenSSL community would look at this code and find out if they are doing it right or not.

Regards,
Felix
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org