From nobody Mon Apr 29 09:25:34 2024 Delivered-To: importer@patchew.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 1505792360833709.6533122658875; Mon, 18 Sep 2017 20:39:20 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 64A1121D492C5; Mon, 18 Sep 2017 20:36:15 -0700 (PDT) Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id AA76921D046BE for ; Mon, 18 Sep 2017 20:36:14 -0700 (PDT) Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by orsmga105.jf.intel.com with ESMTP; 18 Sep 2017 20:39:18 -0700 Received: from shwdepsi940.ccr.corp.intel.com ([10.239.9.118]) by fmsmga006.fm.intel.com with ESMTP; 18 Sep 2017 20:39:17 -0700 X-Original-To: edk2-devel@lists.01.org X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.42,416,1500966000"; d="scan'208";a="153403040" From: Long Qin To: ting.ye@intel.com, chao.b.zhang@intel.com Date: Tue, 19 Sep 2017 11:38:40 +0800 Message-Id: <20170919033840.3012-1-qin.long@intel.com> X-Mailer: git-send-email 2.14.1.windows.1 Subject: [edk2] [PATCH] CryptoPkg: Add new API to retrieve commonName of X.509 certificate X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: edk2-devel@lists.01.org, Qin Long MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Add one new API (X509GetCommonName()) to retrieve the subject commonName string from one X.509 certificate. Cc: Ting Ye Cc: Chao Zhang Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long --- CryptoPkg/Application/Cryptest/RsaVerify2.c | 17 ++++ CryptoPkg/Include/Library/BaseCryptLib.h | 32 ++++++++ CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 93 ++++++++++++++++++= ++++ CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c | 32 ++++++++ .../Pk/CryptX509Null.c | 34 +++++++- 5 files changed, 207 insertions(+), 1 deletion(-) diff --git a/CryptoPkg/Application/Cryptest/RsaVerify2.c b/CryptoPkg/Applic= ation/Cryptest/RsaVerify2.c index 98b5aad900..f9b70d5794 100644 --- a/CryptoPkg/Application/Cryptest/RsaVerify2.c +++ b/CryptoPkg/Application/Cryptest/RsaVerify2.c @@ -211,6 +211,9 @@ ValidateCryptRsa2 ( UINTN SigSize; UINT8 *Subject; UINTN SubjectSize; + CHAR8 CommonName[64]; + CHAR16 CommonNameUnicode[64]; + UINTN CommonNameSize; =20 Print (L"\nUEFI-OpenSSL RSA Key Retrieving Testing: "); =20 @@ -286,6 +289,20 @@ ValidateCryptRsa2 ( Print (L"[Pass]"); } =20 + // + // Get CommonName from X509 Certificate Subject + // + CommonNameSize =3D 64; + ZeroMem (CommonName, CommonNameSize); + Status =3D X509GetCommonName (TestCert, sizeof (TestCert), CommonName, &= CommonNameSize); + if (!Status) { + Print (L"\n - Retrieving Common Name - [Fail]"); + return EFI_ABORTED; + } else { + AsciiStrToUnicodeStrS (CommonName, CommonNameUnicode, CommonNameSize); + Print (L"\n - Retrieving Common Name =3D \"%s\" (Size =3D %d)", Commo= nNameUnicode, CommonNameSize); + } + // // X509 Certificate Verification. // diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/L= ibrary/BaseCryptLib.h index 9c5ffcd9cf..d861be6725 100644 --- a/CryptoPkg/Include/Library/BaseCryptLib.h +++ b/CryptoPkg/Include/Library/BaseCryptLib.h @@ -2171,6 +2171,38 @@ X509GetSubjectName ( IN OUT UINTN *SubjectSize ); =20 +/** + Retrieve the common name (CN) string from one X.509 certificate. + + If Cert or CommonNameSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certific= ate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CommonName Buffer to contain the retrieved certific= ate common + name string. At most CommonNameSize byte= s will be + written and the string will be null term= inated. May be + NULL in order to determine the size buff= er needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buff= er on input, + and the size of buffer returned CommonNa= me on output. + if CommonName is NULL then the amount of= space needed + in buffer (including the final null) is = returned. + + @retval TRUE The certificate CommonName retrieved successfully. + @retval FALSE Invalid certificate, or CommonNameSize is NULL, + or no CommonName entry exists. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetCommonName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *CommonName, + IN OUT UINTN *CommonNameSize + ); + /** Verify one X509 certificate was issued by the trusted CA. =20 diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Libr= ary/BaseCryptLib/Pk/CryptX509.c index 7d275977c5..e45c214bd1 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c @@ -297,6 +297,99 @@ _Exit: return Status; } =20 +/** + Retrieve the common name (CN) string from one X.509 certificate. + + If Cert or CommonNameSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certific= ate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CommonName Buffer to contain the retrieved certific= ate common + name string. At most CommonNameSize byte= s will be + written and the string will be null term= inated. May be + NULL in order to determine the size buff= er needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buff= er on input, + and the size of buffer returned CommonNa= me on output. + if CommonName is NULL then the amount of= space needed + in buffer (including the final null) is = returned. + + @retval TRUE The certificate CommonName retrieved successfully. + @retval FALSE Invalid certificate, or CommonNameSize is NULL, + or no CommonName entry exists. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetCommonName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *CommonName, + IN OUT UINTN *CommonNameSize + ) +{ + BOOLEAN Status; + X509 *X509Cert; + X509_NAME *X509Name; + INTN Length; + + // + // Check input parameters. + // + if ((Cert =3D=3D NULL) || (CommonNameSize =3D=3D NULL)) { + return FALSE; + } + + X509Cert =3D NULL; + + // + // Read DER-encoded X509 Certificate and Construct X509 object. + // + Status =3D X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cer= t); + if ((X509Cert =3D=3D NULL) || (!Status)) { + // + // Invalid X.509 Certificate + // + goto _Exit; + } + + Status =3D FALSE; + + // + // Retrieve subject name from certificate object. + // + X509Name =3D X509_get_subject_name (X509Cert); + if (X509Name =3D=3D NULL) { + goto _Exit; + } + + // + // Retrieve the CommonName information from X.509 Subject + // + Length =3D (INTN) X509_NAME_get_text_by_NID (X509Name, NID_commonName, C= ommonName, (int)(*CommonNameSize)); + if (Length < 0) { + // + // No CommonName entry exists in X509_NAME object + // + *CommonNameSize =3D 0; + goto _Exit; + } + + *CommonNameSize =3D (UINTN)(Length + 1); + Status =3D TRUE; + +_Exit: + // + // Release Resources. + // + if (X509Cert !=3D NULL) { + X509_free (X509Cert); + } + + return Status; +} + /** Retrieve the RSA Public Key from one DER-encoded X509 certificate. =20 diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c b/CryptoPkg/= Library/BaseCryptLib/Pk/CryptX509Null.c index 51aa0633a8..81587003f2 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c @@ -127,6 +127,38 @@ X509GetSubjectName ( return FALSE; } =20 +/** + Retrieve the common name (CN) string from one X.509 certificate. + + Return FALSE to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded X509 certific= ate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CommonName Buffer to contain the retrieved certific= ate common + name string. At most CommonNameSize byte= s will be + written and the string will be null term= inated. May be + NULL in order to determine the size buff= er needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buff= er on input, + and the size of buffer returned CommonNa= me on output. + if CommonName is NULL then the amount of= space needed + in buffer (including the final null) is = returned. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetCommonName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *CommonName, + IN OUT UINTN *CommonNameSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + /** Retrieve the RSA Public Key from one DER-encoded X509 certificate. =20 diff --git a/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX50= 9Null.c b/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX509Nu= ll.c index f5d9aa1076..81587003f2 100644 --- a/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX509Null.c +++ b/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX509Null.c @@ -127,6 +127,38 @@ X509GetSubjectName ( return FALSE; } =20 +/** + Retrieve the common name (CN) string from one X.509 certificate. + + Return FALSE to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded X509 certific= ate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CommonName Buffer to contain the retrieved certific= ate common + name string. At most CommonNameSize byte= s will be + written and the string will be null term= inated. May be + NULL in order to determine the size buff= er needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buff= er on input, + and the size of buffer returned CommonNa= me on output. + if CommonName is NULL then the amount of= space needed + in buffer (including the final null) is = returned. + + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetCommonName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *CommonName, + IN OUT UINTN *CommonNameSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + /** Retrieve the RSA Public Key from one DER-encoded X509 certificate. =20 @@ -203,4 +235,4 @@ X509GetTBSCert ( { ASSERT (FALSE); return FALSE; -} \ No newline at end of file +} --=20 2.14.1.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel