Per NIAP OS_PP, the signer certificate of the UEFI image has to contain "CodeSign" extension in its Extended Key Usage(EKU).
This commit borrows VerifyEKUsInPkcs7Signature() from edk2 and enforces the CodeSign check in Pkcs7Verify().
Also merged the buffer use-after-free fix (*)
Per NIAP OS_PP, the signer certificate of the UEFI image has to contain "CodeSign" extension in its Extended Key Usage(EKU).
This commit borrows VerifyEKUsInPkcs7Signature() from edk2 and enforces the CodeSign check in Pkcs7Verify(). Also merged the buffer use-after-free fix (*)
(*) https://bugzilla.tianocore.org/show_bug.cgi?id=2459
Signed-off-by: Gary Lin glin@suse.com Signed-off-by: Dennis Tseng dennis.tseng@suse.com