Implement the CodeSign EKU check to fulfill the requirements of NIAP OS_PP. Also modify the ModSign EKU check to use VerifyEKUsInPkcs7Signature() to check the signer certificate instead of the certificate directly from the key database.
The EKU check can be enabled by setting ENABLE_EKU_CODESIGN=1 when make. This commit supersedes PR-232 which was closed on Jul 1, 2021.
Implement the CodeSign EKU check to fulfill the requirements of NIAP OS_PP. Also modify the ModSign EKU check to use VerifyEKUsInPkcs7Signature() to check the signer certificate instead of the certificate directly from the key database.
The EKU check can be enabled by setting ENABLE_EKU_CODESIGN=1 when make. This commit supersedes PR-232 which was closed on Jul 1, 2021.
Signed-off-by: Gary Lin glin@suse.com and Dennis Tseng dennis.tseng@suse.com