git.ipfire.org Git - thirdparty/grub.git/commit
appended signatures: Parse X.509 certificates
author Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Mon, 6 Oct 2025 07:24:53 +0000 (12:54 +0530)
committer Daniel Kiper <daniel.kiper@oracle.com>
Sat, 11 Oct 2025 13:36:35 +0000 (15:36 +0200)
commit e95c52f1f48baf98cb64a204b681bee23265099f
tree 3cbf80cb4085afecee6c208b5d01f08eaacd7f64
parent a33754979725746d7d5b3809089e519006d0d4c3
appended signatures: Parse X.509 certificates

This code allows us to parse:

 - X.509 certificates: at least enough to verify the signatures on the PKCS#7
   messages. We expect that the certificates embedded in GRUB will be leaf
   certificates, not CA certificates. The parser enforces this.

 - X.509 certificates support the Extended Key Usage extension and handle it by
   verifying that the certificate has a Code Signing usage.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> # EKU support
Reported-by: Michal Suchanek <msuchanek@suse.com> # key usage issue
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
grub-core/commands/appendedsig/appendedsig.h
grub-core/commands/appendedsig/x509.c [new file with mode: 0644]
include/grub/crypto.h
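
The Extended Key Usage check named in the commit message, as an added sketch that is not the code from this commit's x509.c: it walks a DER-encoded ExtKeyUsageSyntax value (a SEQUENCE OF OBJECT IDENTIFIER) and reports whether id-kp-codeSigning is listed. The function names and sample bytes are constructed for illustration, and the sketch assumes it is handed only the extension value, with lengths up to 255 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER content octets of id-kp-codeSigning, OID 1.3.6.1.5.5.7.3.3 (RFC 5280). */
static const uint8_t OID_CODE_SIGNING[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03 };
/* Constructed sample EKU values: serverAuth + codeSigning, and serverAuth only. */
static const uint8_t EKU_BOTH[] = { 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
                                    0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03 };
static const uint8_t EKU_TLS_ONLY[] = { 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01 };

/* Read a DER header with the expected tag; on success *p points at the content and *len is its
   length. -1: wrong tag, truncation, or a length form rejected here (indefinite, non-minimal, > 255). */
static int der_header(const uint8_t **p, const uint8_t *end, uint8_t tag, size_t *len)
{
  const uint8_t *q = *p;
  size_t l;
  if (end - q < 2 || q[0] != tag)
    return -1;
  l = q[1]; q += 2;
  if (l == 0x81 && end - q >= 1 && q[0] >= 0x80)
    l = *q++;                        /* one-byte long form, minimal encoding only */
  else if (l >= 0x80)
    return -1;
  if ((size_t) (end - q) < l)
    return -1;                       /* content would run past the buffer */
  *p = q; *len = l;
  return 0;
}

/* 1: code signing listed, 0: well-formed EKU without it, -1: malformed extension value. */
int eku_has_code_signing(const uint8_t *der, size_t der_len)
{
  const uint8_t *p = der, *end = der + der_len;
  size_t len;
  int found = 0;
  if (der_header(&p, end, 0x30, &len) != 0 || len == 0 || p + len != end)
    return -1;                       /* one non-empty SEQUENCE, no trailing bytes */
  while (p < end) {
    if (der_header(&p, end, 0x06, &len) != 0 || len == 0)
      return -1;                     /* every element must be an OBJECT IDENTIFIER */
    if (len == sizeof(OID_CODE_SIGNING) && memcmp(p, OID_CODE_SIGNING, len) == 0)
      found = 1;                     /* keep going so the whole value is validated */
    p += len;
  }
  return found;
}

int main(void) { return eku_has_code_signing(EKU_BOTH, sizeof(EKU_BOTH)) == 1 ? 0 : 1; }
```

A verifier using such a check would treat both 0 and -1 as grounds to reject the certificate for signature verification.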