
capsule/signtool_signer: Add support for pkcs7DetachedSignedData (#240)
Also add test cases to cover mutually exclusive options.

Co-authored-by: Bret Barkelew <[email protected]>
corthon and Bret Barkelew authored Mar 25, 2021
1 parent 5841e7f commit df522f6
Showing 2 changed files with 39 additions and 6 deletions.
17 changes: 13 additions & 4 deletions edk2toolext/capsule/signtool_signer.py
Expand Up @@ -22,7 +22,7 @@

GLOBAL_SIGNTOOL_PATH = None
SUPPORTED_SIGNATURE_TYPE_OPTIONS = {
'pkcs7': {'detachedSignedData', 'embedded'}
'pkcs7': {'detachedSignedData', 'embedded', 'pkcs7DetachedSignedData'}
}


Expand Down Expand Up @@ -66,9 +66,16 @@ def sign(data: bytes, signature_options: dict, signer_options: dict) -> bytes:
for opt in signature_options['type_options']:
if opt not in SUPPORTED_SIGNATURE_TYPE_OPTIONS[signature_options['type']]:
raise ValueError(f"Unsupported type option: {opt}! Ensure you have provied a set")
if 'embedded' in signature_options['type_options']:
if 'detachedSignedData' in signature_options['type_options']:
raise ValueError("type_options 'detachedSignedData' and 'embedded' are mutually exclusive")

mutually_exclusive_options = ('embedded', 'detachedSignedData', 'pkcs7DetachedSignedData')
option_found = None
for option in mutually_exclusive_options:
if option in signature_options['type_options']:
if option_found is None:
option_found = option
else:
raise ValueError("type_options '%s' and '%s' are mutually exclusive" % (option_found, option))

if signature_options['encoding'] != 'DER':
raise ValueError(f"Unsupported signature encoding: {signature_options['type']}!")
if signature_options['hash_alg'] != 'sha256':
Expand All @@ -92,6 +99,8 @@ def sign(data: bytes, signature_options: dict, signer_options: dict) -> bytes:
signtool_params += ['/fd', signature_options['hash_alg']]
if 'detachedSignedData' in signature_options['type_options']:
signtool_params += ['/p7ce', 'DetachedSignedData']
elif 'pkcs7DetachedSignedData' in signature_options['type_options']:
signtool_params += ['/p7ce', 'PKCS7DetachedSignedData']
elif 'embedded' in signature_options['type_options']:
signtool_params += ['/p7ce', 'Embedded']
else:
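Review bot: The `mutually_exclusive_options` tuple added in the second hunk re-lists the same three names that `SUPPORTED_SIGNATURE_TYPE_OPTIONS['pkcs7']` gains in the first hunk, so a fourth option added only to the set would pass the allow-list loop above but skip the exclusivity check and reach the `/p7ce` chain, whose `else` branch lies outside this hunk. A one-line comment on the tuple, `# keep in sync with SUPPORTED_SIGNATURE_TYPE_OPTIONS['pkcs7']; these map to distinct /p7ce values`, would make that coupling visible to the next person adding an option. The loop-and-flag form could also shrink to a list comprehension using the f-strings the rest of `sign()` already uses: `chosen = [o for o in mutually_exclusive_options if o in signature_options['type_options']]` followed by `if len(chosen) > 1: raise ValueError(f"type_options {chosen} are mutually exclusive")`. `sign()` begins before and ends after this hunk.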
28 changes: 26 additions & 2 deletions edk2toolext/tests/test_signtool_signer.py
Expand Up @@ -11,7 +11,7 @@
from edk2toolext.capsule import signtool_signer


class Test_pyopenssl_signer(unittest.TestCase):
class Test_signtool_signer(unittest.TestCase):

@unittest.skipUnless(sys.platform.startswith("win"), "requires Windows")
def test_get_path(self):
Expand Down Expand Up @@ -43,11 +43,35 @@ def test_sign_with_good_options(self):
signtool_signer.sign(b"data", signature, signer)

@unittest.skipUnless(sys.platform.startswith("win"), "requires Windows")
def test_sign_with_embed_type_and_detached_signdata(self):
def test_sign_with_mutually_exclusive_options(self):
signature = {
"type": "pkcs7",
"type_options": ["embedded", "detachedSignedData"]
}
signer = {}
with self.assertRaises(ValueError):
signtool_signer.sign(b"data", signature, signer)

signature = {
"type": "pkcs7",
"type_options": ["pkcs7DetachedSignedData", "detachedSignedData"]
}
signer = {}
with self.assertRaises(ValueError):
signtool_signer.sign(b"data", signature, signer)

signature = {
"type": "pkcs7",
"type_options": ["pkcs7DetachedSignedData", "embedded"]
}
signer = {}
with self.assertRaises(ValueError):
signtool_signer.sign(b"data", signature, signer)

signature = {
"type": "pkcs7",
"type_options": ["detachedSignedData", "pkcs7DetachedSignedData", "embedded"]
}
signer = {}
with self.assertRaises(ValueError):
signtool_signer.sign(b"data", signature, signer)
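Review bot: The new cases only exercise the rejection path; nothing in this hunk asserts that `["pkcs7DetachedSignedData"]` on its own is accepted and reaches the `/p7ce PKCS7DetachedSignedData` branch, and `test_sign_with_good_options` sits above the hunk so it is unclear whether it covers the new option — a positive case with `"type_options": ["pkcs7DetachedSignedData"]` would close that gap. The four near-identical blocks would also read better as a loop with `subTest`, so a failure names the offending combination instead of stopping at the first. If the option checks in `sign()` run before signtool is located (not visible here), the `skipUnless(... "win")` decorator means these pure-validation cases never execute on non-Windows CI; splitting them into an unskipped test would be worth confirming against the implementation.
```python
@unittest.skipUnless(sys.platform.startswith("win"), "requires Windows")
def test_sign_with_mutually_exclusive_options(self):
    combos = (
        ["embedded", "detachedSignedData"],
        ["pkcs7DetachedSignedData", "detachedSignedData"],
        ["pkcs7DetachedSignedData", "embedded"],
        ["detachedSignedData", "pkcs7DetachedSignedData", "embedded"],
    )
    for type_options in combos:
        signature = {"type": "pkcs7", "type_options": type_options}
        with self.subTest(type_options=type_options), self.assertRaises(ValueError):
            signtool_signer.sign(b"data", signature, {})
```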
