diff --git a/Cargo.toml b/Cargo.toml
index 59e6ec67049a40bb006aa5add58ffa77862aa50a..6564856b55e819b2e167e0d25bde44739f0d59c7 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -72,7 +72,7 @@
 url = "2.3.1"
 futures = "0.3.26"
 utoipa = { version = "3", features = ["actix_extras"] }
 utoipa-swagger-ui = { version ="3.1.3", features = ["actix-web"]}
-efi_signer = "0.2.6"
+efi_signer = "0.2.7"
 regex = "1"
 csrf= "0.4.1"
 data-encoding= "2.4.0"
diff --git a/src/infra/sign_plugin/x509.rs b/src/infra/sign_plugin/x509.rs
index 82788d86958e2ef586734b5a2703958326fc6e70..5a01fce9690edc6dfc5cd9a99243112266fc6a26 100644
--- a/src/infra/sign_plugin/x509.rs
+++ b/src/infra/sign_plugin/x509.rs
@@ -422,15 +422,16 @@ impl X509Plugin {
 .keyid(true)
 .build(&generator.x509v3_context(Some(ca_cert.as_ref()), None))?,
 )?;
- generator.append_extension(
- KeyUsage::new()
- .crl_sign()
- .digital_signature()
- .key_cert_sign()
- .critical()
- .build()?,
- )?;
 generator.append_extension(ExtendedKeyUsage::new().code_signing().build()?)?;
+ //NOTE: then signing cert should not contain any key usage extension
+ //generator.append_extension(
+ // KeyUsage::new()
+ // .crl_sign()
+ // .digital_signature()
+ // .key_cert_sign()
+ // .critical()
+ // .build()?,
+ //)?;
 //NOTE: sbverify for EFI file will fail, enable when fixed
 // generator.append_extension(X509Extension::new_nid(
 // None,
@@ -555,9 +556,20 @@ impl SignPlugins for X509Plugin {
 .unwrap_or(&SignType::Cms.to_string()),
 )? {
 SignType::Authenticode => {
- debug!("cert info: {:#?}", certificate);
+ let mut bufs: Vec> = vec![];
+ if self.parent_key.is_some() {
+ bufs.push(
+ self.parent_key
+ .clone()
+ .unwrap()
+ .certificate
+ .unsecure()
+ .to_vec(),
+ );
+ }
+ bufs.push(self.certificate.unsecure().to_vec());
- let p7b = efi_signer::EfiImage::pem_to_p7(self.certificate.unsecure())?;
+ let p7b = efi_signer::EfiImage::pems_to_p7(bufs)?;
 Ok(efi_signer::EfiImage::do_sign_signature(
 content,
 p7b,
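Review bot: Removing the KeyUsage extension outright in the x509.rs hunk at line 422 leaves the code-signing leaf with no key-usage constraint at all, while the real defect in the removed block was asserting the CA-only bits via `.key_cert_sign()` and `.crl_sign()` on an end-entity certificate — RFC 5280 §4.2.1.3 requires cA=TRUE in basicConstraints whenever keyCertSign is set, which is what a strict verifier would presumably reject. A code-signing certificate should still carry a critical `digitalSignature` usage next to the `codeSigning` EKU, so unless the verifier that motivated this change was actually shown to reject any KeyUsage, prefer `generator.append_extension(KeyUsage::new().digital_signature().critical().build()?)?;` in place of the commented-out block. The commented-out code itself should be deleted rather than kept (git history preserves it), and the NOTE reads better as `//NOTE: the signing cert must not assert the CA-only keyCertSign/cRLSign usages`. The enclosing method of `X509Plugin` begins and ends outside this hunk.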