The best way to create signed certificate request and verify certificate from UEFI

Question

I'm trying to create signed certificate request from C code in UEFI (I use edk2).

I know how to do it using openssl in Linux C code. I know there is CryptoPkg in edk2. But I didn't find functions to create request and check certificate.

Is there any way to create X509_REQ and check X509 certificate using CryptoPkg? And how can I do it?

In the case if I can't do it: How can I create create request and check certificate? What is the best way to create my own openssl wrapper?

In my `ListCerts.efi` utility, I parse and display portions of firmware X509 certificates. The source code for this utility is available at https://github.com/fpmurphy/UEFI-Utilities-2019/tree/master/MyApps/ListCerts. — fpmurphy, Jun 03 '20 at 16:01

score 0 · Accepted Answer · answered Jun 01 '20 at 16:12

Okay. I figured out that the best way for me is create my own wrapper in CryptoPkg. So I created library in CryptoPkg\Library\MyCryptLib according to CryptoPkg\Library\BaseCryptLib, copy enviroment header and library paths to link.

So I've got openssl wrapper that I can expand and use

The best way to create signed certificate request and verify certificate from UEFI

1 Answers1