From nobody Sun Feb 8 21:12:34 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) client-ip=66.175.222.108; envelope-from=bounce+27952+94284+1787277+3901457@groups.io; helo=mail02.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+94284+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1664096070; cv=none; d=zohomail.com; s=zohoarc; b=IFEZm5V+GJKsW9LuhNV1NvBe4Oty0PT4vKv1/4mAnnbYjqC+Jk/qdfhez8Qi4RLTM1HkJSWboR79bdfRf9HAxKEKeUP2+8rA/2Wc2gtR4DVJqWXWqKXyEKMf4rkT0geUDI+XHsIWiyj3gEifd+MODLts7LuKbqmLoZsb6IJ1YhU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1664096070; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=m6lv+u7GZAtwfj2G+3tUseAIwCCMFMm8W1UkPoId8zE=; b=AglLn5tk4PJzDbS34vDNCYCYJyLRrqzMGPDcbEiF78VlzKVeskJcKsbfRO7oZXdc3J6D8eJT0danlpSXRyRVz3Sk/cE195yMasuvzD19ozjr2AIjqnqJDAMPttKyNYA/3nAW02jPIqsArlaeMrB1PHc882LPFR0pG/xvdJluKc0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce+27952+94284+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by mx.zohomail.com with SMTPS id 1664096070168939.2821484968001; Sun, 25 Sep 2022 01:54:30 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id 1TPCYY1788612xFexkDP8mue; Sun, 25 Sep 2022 01:54:29 -0700 X-Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by mx.groups.io with SMTP id smtpd.web09.15520.1664096064489346505 for ; Sun, 25 Sep 2022 01:54:29 -0700 X-IronPort-AV: 
E=McAfee;i="6500,9779,10480"; a="327182119" X-IronPort-AV: E=Sophos;i="5.93,344,1654585200"; d="scan'208";a="327182119" X-Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 25 Sep 2022 01:54:28 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.93,344,1654585200"; d="scan'208";a="623001785" X-Received: from shwdesssddpdqi.ccr.corp.intel.com ([10.239.157.129]) by fmsmga007.fm.intel.com with ESMTP; 25 Sep 2022 01:54:26 -0700 From: "Qi Zhang" To: devel@edk2.groups.io Cc: Qi Zhang , Jiewen Yao , Jian J Wang , Xiaoyu Lu , Guomin Jiang Subject: [edk2-devel] [PATCH 2/4] CryptoPkg: add new X509 function. Date: Sun, 25 Sep 2022 16:54:17 +0800 Message-Id: <2b691674a8c77c8629e120f1e58d9b52ed0de44e.1664095355.git.qi1.zhang@intel.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,qi1.zhang@intel.com X-Gm-Message-State: 4hSPDMFhlwuLs6qctXO1sFEcx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1664096069; bh=j23NrpRtGrDrUoWIVo7yxlnDP+31NF3nnWzD6PnW7TM=; h=Cc:Date:From:Reply-To:Subject:To; b=leyW3fmjmqyDpQMZ0dV6i2EdaCO3zSaF5Zt/t9rU2g5/WaWgTDE7U/v54NfVP7UxBtW GYa7Ox0bvvKdFSZBnAelKlEpZq0tNgxjeQWn38WYaN6EpE3YvHEBDX254nGHPx3As2CI6 2Cha3q5+qBr+veen7ThjfepqOYGI/v62LaM= X-ZohoMail-DKIM: pass (identity @groups.io) X-ZM-MESSAGEID: 1664096072340100002 Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4082 Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang 
Signed-off-by: Qi Zhang --- CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 1036 +++++++++++++++++ .../Library/BaseCryptLib/Pk/CryptX509Null.c | 429 +++++++ .../BaseCryptLibNull/Pk/CryptX509Null.c | 429 +++++++ 3 files changed, 1894 insertions(+) diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Libr= ary/BaseCryptLib/Pk/CryptX509.c index e6bb45e641..4cb3c9f814 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c @@ -8,8 +8,22 @@ SPDX-License-Identifier: BSD-2-Clause-Patent =20 #include "InternalCryptLib.h" #include +#include +#include +#include #include =20 +/* OID*/ +#define OID_EXT_KEY_USAGE { 0x55, 0x1D, 0x25 } +#define OID_BASIC_CONSTRAINTS { 0x55, 0x1D, 0x13 } + +static CONST UINT8 mOidExtKeyUsage[] =3D OID_EXT_KEY_USAGE; +static CONST UINT8 mOidBasicConstraints[] =3D OID_BASIC_CONSTRAINTS; + +#define CRYPTO_ASN1_TAG_CLASS_MASK 0xC0 +#define CRYPTO_ASN1_TAG_PC_MASK 0x20 +#define CRYPTO_ASN1_TAG_VALUE_MASK 0x1F + /** Construct a X509 object from DER-encoded certificate data. =20 
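Review bot: OID_EXT_KEY_USAGE and OID_BASIC_CONSTRAINTS are brace-list macros that are each expanded exactly once, into the static array declared on the next line; writing the initializer inline, `static CONST UINT8 mOidExtKeyUsage[] = { 0x55, 0x1D, 0x25 };`, keeps the OID bytes next to the name they are used under and drops a macro that cannot be used in an expression. CRYPTO_ASN1_TAG_PC_MASK is defined here but not referenced by any hunk of this patch (Asn1GetTag uses only the CLASS and VALUE masks); a one-line comment saying what it is reserved for, or dropping it, would avoid a reader hunting for its use.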
@@ -842,3 +856,1025 @@ X509GetTBSCert ( =20 return TRUE; } + +/** + Retrieve the version from one X.509 certificate. + + If Cert is NULL, then return FALSE. + If CertSize is 0, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] Version Pointer to the retrieved version integer. + + @retval TRUE The certificate version retrieved successfully. + @retval FALSE If Cert is NULL or CertSize is Zero. + @retval FALSE The operation is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetVersion ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINTN *Version + ) +{ + BOOLEAN Status; + X509 *X509Cert; + + X509Cert =3D NULL; + Status =3D X509ConstructCertificate (Cert, CertSize, (UINT8 **)&X509Ce= rt); + if ((X509Cert =3D=3D NULL) || (!Status)) { + // + // Invalid X.509 Certificate + // + Status =3D FALSE; + } + + if (Status) { + *Version =3D X509_get_version (X509Cert); + } + + if (X509Cert !=3D NULL) { + X509_free (X509Cert); + } + + return Status; +} + +/** + Retrieve the serialNumber from one X.509 certificate. + + If Cert is NULL, then return FALSE. + If CertSize is 0, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] SerialNumber Pointer to the retrieved certificate Seria= lNumber bytes. + @param[in, out] SerialNumberSize The size in bytes of the SerialNumber = buffer on input, + and the size of buffer returned SerialNumbe= r on output. + + @retval TRUE The certificate serialNumber retrieved = successfully. + @retval FALSE If Cert is NULL or CertSize is Zero. + If SerialNumberSize is NULL. + If Certificate is invalid. + @retval FALSE If no SerialNumber exists. + @retval FALSE If the SerialNumber is NULL. 
The requir= ed buffer size + (including the final null) is returned = in the + SerialNumberSize parameter. + @retval FALSE The operation is not supported. +**/ +BOOLEAN +EFIAPI +X509GetSerialNumber ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *SerialNumber, OPTIONAL + IN OUT UINTN *SerialNumberSize + ) +{ + BOOLEAN Status; + X509 *X509Cert; + ASN1_INTEGER *Asn1Integer; + + Status =3D FALSE; + // + // Check input parameters. + // + if ((Cert =3D=3D NULL) || (SerialNumberSize =3D=3D NULL)) { + return Status; + } + + X509Cert =3D NULL; + + // + // Read DER-encoded X509 Certificate and Construct X509 object. + // + Status =3D X509ConstructCertificate (Cert, CertSize, (UINT8 **)&X509Cert= ); + if ((X509Cert =3D=3D NULL) || (!Status)) { + *SerialNumberSize =3D 0; + Status =3D FALSE; + goto _Exit; + } + + // + // Retrieve subject name from certificate object. + // + Asn1Integer =3D X509_get_serialNumber (X509Cert); + if (Asn1Integer =3D=3D NULL) { + *SerialNumberSize =3D 0; + Status =3D FALSE; + goto _Exit; + } + + if (*SerialNumberSize < (UINTN)Asn1Integer->length) { + *SerialNumberSize =3D (UINTN)Asn1Integer->length; + Status =3D FALSE; + goto _Exit; + } + + if (SerialNumber !=3D NULL) { + CopyMem (SerialNumber, Asn1Integer->data, *SerialNumberSize); + Status =3D TRUE; + } + + *SerialNumberSize =3D (UINTN)Asn1Integer->length; + +_Exit: + // + // Release Resources. + // + if (X509Cert !=3D NULL) { + X509_free (X509Cert); + } + + return Status; +} + +/** + Retrieve the issuer bytes from one X.509 certificate. + + If Cert is NULL, then return FALSE. + If CertIssuerSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CertIssuer Pointer to the retrieved certificate subject= bytes. 
+ @param[in, out] CertIssuerSize The size in bytes of the CertIssuer buff= er on input, + and the size of buffer returned CertSubject= on output. + + @retval TRUE The certificate issuer retrieved successfully. + @retval FALSE Invalid certificate, or the CertIssuerSize is too small = for the result. + The CertIssuerSize will be updated with the required siz= e. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetIssuerName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *CertIssuer, + IN OUT UINTN *CertIssuerSize + ) +{ + BOOLEAN Status; + X509 *X509Cert; + X509_NAME *X509Name; + UINTN X509NameSize; + + // + // Check input parameters. + // + if ((Cert =3D=3D NULL) || (CertIssuerSize =3D=3D NULL)) { + return FALSE; + } + + X509Cert =3D NULL; + + // + // Read DER-encoded X509 Certificate and Construct X509 object. + // + Status =3D X509ConstructCertificate (Cert, CertSize, (UINT8 **)&X509Cert= ); + if ((X509Cert =3D=3D NULL) || (!Status)) { + Status =3D FALSE; + goto _Exit; + } + + Status =3D FALSE; + + // + // Retrieve subject name from certificate object. + // + X509Name =3D X509_get_subject_name (X509Cert); + if (X509Name =3D=3D NULL) { + goto _Exit; + } + + X509NameSize =3D i2d_X509_NAME (X509Name, NULL); + if (*CertIssuerSize < X509NameSize) { + *CertIssuerSize =3D X509NameSize; + goto _Exit; + } + + *CertIssuerSize =3D X509NameSize; + if (CertIssuer !=3D NULL) { + i2d_X509_NAME (X509Name, &CertIssuer); + Status =3D TRUE; + } + +_Exit: + // + // Release Resources. + // + if (X509Cert !=3D NULL) { + X509_free (X509Cert); + } + + return Status; +} + +/** + Retrieve the Signature Algorithm from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] Oid Signature Algorithm Object identifier b= uffer. 
+ @param[in,out] OidSize Signature Algorithm Object identifier b= uffer size + + @retval TRUE The certificate Extension data retrieved successf= ully. + @retval FALSE If Cert is NULL. + If OidSize is NULL. + If Oid is not NULL and *OidSize is 0. + If Certificate is invalid. + @retval FALSE If no SignatureType. + @retval FALSE If the Oid is NULL. The required buffer= size + is returned in the OidSize. + @retval FALSE The operation is not supported. +**/ +BOOLEAN +EFIAPI +X509GetSignatureAlgorithm ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *Oid, OPTIONAL + IN OUT UINTN *OidSize + ) +{ + BOOLEAN Status; + X509 *X509Cert; + int Nid; + ASN1_OBJECT *Asn1Obj; + + // + // Check input parameters. + // + if ((Cert =3D=3D NULL) || (OidSize =3D=3D NULL) || (CertSize =3D=3D 0)) { + return FALSE; + } + + X509Cert =3D NULL; + Status =3D FALSE; + + // + // Read DER-encoded X509 Certificate and Construct X509 object. + // + Status =3D X509ConstructCertificate (Cert, CertSize, (UINT8 **)&X509Cert= ); + if ((X509Cert =3D=3D NULL) || (!Status)) { + Status =3D FALSE; + goto _Exit; + } + + // + // Retrieve subject name from certificate object. + // + Nid =3D X509_get_signature_nid (X509Cert); + if (Nid =3D=3D NID_undef) { + *OidSize =3D 0; + Status =3D FALSE; + goto _Exit; + } + + Asn1Obj =3D OBJ_nid2obj (Nid); + if (Asn1Obj =3D=3D NULL) { + *OidSize =3D 0; + Status =3D FALSE; + goto _Exit; + } + + if (*OidSize < (UINTN)Asn1Obj->length) { + *OidSize =3D Asn1Obj->length; + Status =3D FALSE; + goto _Exit; + } + + if (Oid !=3D NULL) { + CopyMem (Oid, Asn1Obj->data, Asn1Obj->length); + } + + *OidSize =3D Asn1Obj->length; + Status =3D TRUE; + +_Exit: + // + // Release Resources. + // + if (X509Cert !=3D NULL) { + X509_free (X509Cert); + } + + return Status; +} + +/** + Retrieve Extension data from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. 
+ @param[in] Oid Object identifier buffer + @param[in] OidSize Object identifier buffer size + @param[out] ExtensionData Extension bytes. + @param[in, out] ExtensionDataSize Extension bytes size. + + @retval TRUE The certificate Extension data retrieve= d successfully. + @retval FALSE If Cert is NULL. + If ExtensionDataSize is NULL. + If ExtensionData is not NULL and *Exten= sionDataSize is 0. + If Certificate is invalid. + @retval FALSE If no Extension entry match Oid. + @retval FALSE If the ExtensionData is NULL. The requi= red buffer size + is returned in the ExtensionDataSize pa= rameter. + @retval FALSE The operation is not supported. +**/ +BOOLEAN +EFIAPI +X509GetExtensionData ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN CONST UINT8 *Oid, + IN UINTN OidSize, + OUT UINT8 *ExtensionData, + IN OUT UINTN *ExtensionDataSize + ) +{ + BOOLEAN Status; + INTN i; + X509 *X509Cert; + + CONST STACK_OF (X509_EXTENSION) *Extensions; + ASN1_OBJECT *Asn1Obj; + ASN1_OCTET_STRING *Asn1Oct; + X509_EXTENSION *Ext; + UINTN ObjLength; + UINTN OctLength; + + // + // Check input parameters. + // + if ((Cert =3D=3D NULL) || (CertSize =3D=3D 0) || (Oid =3D=3D NULL) || (O= idSize =3D=3D 0) || (ExtensionDataSize =3D=3D NULL)) { + return FALSE; + } + + X509Cert =3D NULL; + Status =3D FALSE; + + // + // Read DER-encoded X509 Certificate and Construct X509 object. + // + Status =3D X509ConstructCertificate (Cert, CertSize, (UINT8 **)&X509Cert= ); + if ((X509Cert =3D=3D NULL) || (!Status)) { + *ExtensionDataSize =3D 0; + goto Cleanup; + } + + // + // Retrieve Extensions from certificate object. 
+ // + Extensions =3D X509_get0_extensions (X509Cert); + if (sk_X509_EXTENSION_num (Extensions) <=3D 0) { + *ExtensionDataSize =3D 0; + goto Cleanup; + } + + // + // Traverse Extensions + // + Status =3D FALSE; + Asn1Oct =3D NULL; + OctLength =3D 0; + for (i =3D 0; i < sk_X509_EXTENSION_num (Extensions); i++) { + Ext =3D sk_X509_EXTENSION_value (Extensions, (int)i); + if (Ext =3D=3D NULL) { + continue; + } + + Asn1Obj =3D X509_EXTENSION_get_object (Ext); + if (Asn1Obj =3D=3D NULL) { + continue; + } + + Asn1Oct =3D X509_EXTENSION_get_data (Ext); + if (Asn1Oct =3D=3D NULL) { + continue; + } + + ObjLength =3D OBJ_length (Asn1Obj); + OctLength =3D ASN1_STRING_length (Asn1Oct); + if ((OidSize =3D=3D ObjLength) && (CompareMem (OBJ_get0_data (Asn1Obj)= , Oid, OidSize) =3D=3D 0)) { + // + // Extension Found + // + Status =3D TRUE; + break; + } + + // + // reset to 0 if not found + // + OctLength =3D 0; + } + + if (Status) { + if (*ExtensionDataSize < OctLength) { + *ExtensionDataSize =3D OctLength; + Status =3D FALSE; + goto Cleanup; + } + + if (Asn1Oct !=3D NULL) { + CopyMem (ExtensionData, ASN1_STRING_get0_data (Asn1Oct), OctLength); + } + + *ExtensionDataSize =3D OctLength; + } else { + *ExtensionDataSize =3D 0; + } + +Cleanup: + // + // Release Resources. + // + if (X509Cert !=3D NULL) { + X509_free (X509Cert); + } + + return Status; +} + +/** + Retrieve the Extended Key Usage from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] Usage Key Usage bytes. + @param[in, out] UsageSize Key Usage buffer sizs in bytes. + + @retval TRUE The Usage bytes retrieve successfully. + @retval FALSE If Cert is NULL. + If CertSize is NULL. + If Usage is not NULL and *UsageSize is = 0. + If Cert is invalid. + @retval FALSE If the Usage is NULL. The required buff= er size + is returned in the UsageSize parameter. + @retval FALSE The operation is not supported. 
+**/ +BOOLEAN +EFIAPI +X509GetExtendedKeyUsage ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *Usage, + IN OUT UINTN *UsageSize + ) +{ + BOOLEAN Status; + + Status =3D X509GetExtensionData (Cert, CertSize, mOidExtKeyUsage, sizeof= (mOidExtKeyUsage), Usage, UsageSize); + return Status; +} + +/** + Retrieve the Validity from one X.509 certificate + + If Cert is NULL, then return FALSE. + If CertIssuerSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] From notBefore Pointer to DateTime object. + @param[in,out] FromSize notBefore DateTime object size. + @param[out] To notAfter Pointer to DateTime object. + @param[in,out] ToSize notAfter DateTime object size. + + Note: X509CompareDateTime to compare DateTime oject + x509SetDateTime to get a DateTime object from a DateTimeStr + + @retval TRUE The certificate Validity retrieved successfully. + @retval FALSE Invalid certificate, or Validity retrieve failed. + @retval FALSE This interface is not supported. +**/ +BOOLEAN +EFIAPI +X509GetValidity ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN UINT8 *From, + IN OUT UINTN *FromSize, + IN UINT8 *To, + IN OUT UINTN *ToSize + ) +{ + BOOLEAN Status; + X509 *X509Cert; + CONST ASN1_TIME *F; + CONST ASN1_TIME *T; + UINTN TSize; + UINTN FSize; + + // + // Check input parameters. + // + if ((Cert =3D=3D NULL) || (FromSize =3D=3D NULL) || (ToSize =3D=3D NULL)= || (CertSize =3D=3D 0)) { + return FALSE; + } + + X509Cert =3D NULL; + Status =3D FALSE; + + // + // Read DER-encoded X509 Certificate and Construct X509 object. + // + Status =3D X509ConstructCertificate (Cert, CertSize, (UINT8 **)&X509Cert= ); + if ((X509Cert =3D=3D NULL) || (!Status)) { + goto _Exit; + } + + // + // Retrieve Validity from/to from certificate object. 
+ // + F =3D X509_get0_notBefore (X509Cert); + T =3D X509_get0_notAfter (X509Cert); + + if ((F =3D=3D NULL) || (T =3D=3D NULL)) { + goto _Exit; + } + + FSize =3D sizeof (ASN1_TIME) + F->length; + if (*FromSize < FSize) { + *FromSize =3D FSize; + goto _Exit; + } + + *FromSize =3D FSize; + if (From !=3D NULL) { + CopyMem (From, F, sizeof (ASN1_TIME)); + ((ASN1_TIME *)From)->data =3D From + sizeof (ASN1_TIME); + CopyMem (From + sizeof (ASN1_TIME), F->data, F->length); + } + + TSize =3D sizeof (ASN1_TIME) + T->length; + if (*ToSize < TSize) { + *ToSize =3D TSize; + goto _Exit; + } + + *ToSize =3D TSize; + if (To !=3D NULL) { + CopyMem (To, T, sizeof (ASN1_TIME)); + ((ASN1_TIME *)To)->data =3D To + sizeof (ASN1_TIME); + CopyMem (To + sizeof (ASN1_TIME), T->data, T->length); + } + + Status =3D TRUE; + +_Exit: + // + // Release Resources. + // + if (X509Cert !=3D NULL) { + X509_free (X509Cert); + } + + return Status; +} + +/** + Format a DateTime object into DataTime Buffer + + If DateTimeStr is NULL, then return FALSE. + If DateTimeSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] DateTimeStr DateTime string like YYYYMMDDhhmmssZ + Ref: https://www.w3.org/TR/NOTE-datetime + Z stand for UTC time + @param[out] DateTime Pointer to a DateTime object. + @param[in,out] DateTimeSize DateTime object buffer size. + + @retval TRUE The DateTime object create successfully. + @retval FALSE If DateTimeStr is NULL. + If DateTimeSize is NULL. + If DateTime is not NULL and *DateTimeSi= ze is 0. + If Year Month Day Hour Minute Second co= mbination is invalid datetime. + @retval FALSE If the DateTime is NULL. The required b= uffer size + (including the final null) is returned = in the + DateTimeSize parameter. + @retval FALSE The operation is not supported. 
+**/ +BOOLEAN +EFIAPI +X509SetDateTime ( + IN CHAR8 *DateTimeStr, + OUT VOID *DateTime, + IN OUT UINTN *DateTimeSize + ) +{ + BOOLEAN Status; + INT32 Ret; + ASN1_TIME *Dt; + UINTN DSize; + + Dt =3D NULL; + Status =3D FALSE; + + Dt =3D ASN1_TIME_new (); + if (Dt =3D=3D NULL) { + Status =3D FALSE; + goto Cleanup; + } + + Ret =3D ASN1_TIME_set_string_X509 (Dt, DateTimeStr); + if (Ret !=3D 1) { + Status =3D FALSE; + goto Cleanup; + } + + DSize =3D sizeof (ASN1_TIME) + Dt->length; + if (*DateTimeSize < DSize) { + *DateTimeSize =3D DSize; + Status =3D FALSE; + goto Cleanup; + } + + *DateTimeSize =3D DSize; + if (DateTime !=3D NULL) { + CopyMem (DateTime, Dt, sizeof (ASN1_TIME)); + ((ASN1_TIME *)DateTime)->data =3D (UINT8 *)DateTime + sizeof (ASN1_TIM= E); + CopyMem ((UINT8 *)DateTime + sizeof (ASN1_TIME), Dt->data, Dt->length); + } + + Status =3D TRUE; + +Cleanup: + if (Dt !=3D NULL) { + ASN1_TIME_free (Dt); + } + + return Status; +} + +/** + Compare DateTime1 object and DateTime2 object. + + If DateTime1 is NULL, then return -2. + If DateTime2 is NULL, then return -2. + If DateTime1 =3D=3D DateTime2, then return 0 + If DateTime1 > DateTime2, then return 1 + If DateTime1 < DateTime2, then return -1 + + @param[in] DateTime1 Pointer to a DateTime Ojbect + @param[in] DateTime2 Pointer to a DateTime Object + + @retval 0 If DateTime1 =3D=3D DateTime2 + @retval 1 If DateTime1 > DateTime2 + @retval -1 If DateTime1 < DateTime2 +**/ +INT32 +EFIAPI +X509CompareDateTime ( + IN CONST VOID *DateTime1, + IN CONST VOID *DateTime2 + ) +{ + return (INT32)ASN1_TIME_compare (DateTime1, DateTime2); +} + +/** + Retrieve the Key Usage from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] Usage Key Usage (CRYPTO_X509_KU_*) + + @retval TRUE The certificate Key Usage retrieved successfully. 
+ @retval FALSE Invalid certificate, or Usage is NULL + @retval FALSE This interface is not supported. +**/ +BOOLEAN +EFIAPI +X509GetKeyUsage ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINTN *Usage + ) +{ + BOOLEAN Status; + X509 *X509Cert; + + // + // Check input parameters. + // + if ((Cert =3D=3D NULL) || (Usage =3D=3D NULL)) { + return FALSE; + } + + X509Cert =3D NULL; + Status =3D FALSE; + + // + // Read DER-encoded X509 Certificate and Construct X509 object. + // + Status =3D X509ConstructCertificate (Cert, CertSize, (UINT8 **)&X509Cert= ); + if ((X509Cert =3D=3D NULL) || (!Status)) { + goto _Exit; + } + + // + // Retrieve subject name from certificate object. + // + *Usage =3D X509_get_key_usage (X509Cert); + if (*Usage =3D=3D NID_undef) { + goto _Exit; + } + + Status =3D TRUE; + +_Exit: + // + // Release Resources. + // + if (X509Cert !=3D NULL) { + X509_free (X509Cert); + } + + return Status; +} + +/** + Verify one X509 certificate was issued by the trusted CA. + @param[in] RootCert Trusted Root Certificate buffer + + @param[in] RootCertLength Trusted Root Certificate buffer length + @param[in] CertChain One or more ASN.1 DER-encoded X.509 ce= rtificates + where the first certificate is signed = by the Root + Certificate or is the Root Cerificate = itself. and + subsequent cerificate is signed by the= preceding + cerificate. + @param[in] CertChainLength Total length of the certificate chain,= in bytes. + + @retval TRUE All cerificates was issued by the first certificate in X= 509Certchain. + @retval FALSE Invalid certificate or the certificate was not issued by= the given + trusted CA. 
+**/ +BOOLEAN +EFIAPI +X509VerifyCertChain ( + IN CONST UINT8 *RootCert, + IN UINTN RootCertLength, + IN CONST UINT8 *CertChain, + IN UINTN CertChainLength + ) +{ + CONST UINT8 *TmpPtr; + UINTN Length; + UINT32 Asn1Tag; + UINT32 ObjClass; + CONST UINT8 *CurrentCert; + UINTN CurrentCertLen; + CONST UINT8 *PrecedingCert; + UINTN PrecedingCertLen; + BOOLEAN VerifyFlag; + INT32 Ret; + + PrecedingCert =3D RootCert; + PrecedingCertLen =3D RootCertLength; + + CurrentCert =3D CertChain; + Length =3D 0; + CurrentCertLen =3D 0; + + VerifyFlag =3D FALSE; + while (TRUE) { + TmpPtr =3D CurrentCert; + Ret =3D ASN1_get_object ( + (CONST UINT8 **)&TmpPtr, + (long *)&Length, + (int *)&Asn1Tag, + (int *)&ObjClass, + (long)(CertChainLength + CertChain - TmpPtr) + ); + if ((Asn1Tag !=3D V_ASN1_SEQUENCE) || (Ret =3D=3D 0x80)) { + break; + } + + // + // Calculate CurrentCert length; + // + CurrentCertLen =3D TmpPtr - CurrentCert + Length; + + // + // Verify CurrentCert with preceding cert; + // + VerifyFlag =3D X509VerifyCert (CurrentCert, CurrentCertLen, PrecedingC= ert, PrecedingCertLen); + if (VerifyFlag =3D=3D FALSE) { + break; + } + + // + // move Current cert to Preceding cert + // + PrecedingCertLen =3D CurrentCertLen; + PrecedingCert =3D CurrentCert; + + // + // Move to next + // + CurrentCert =3D CurrentCert + CurrentCertLen; + } + + return VerifyFlag; +} + +/** + Get one X509 certificate from CertChain. + + @param[in] CertChain One or more ASN.1 DER-encoded X.509 ce= rtificates + where the first certificate is signed = by the Root + Certificate or is the Root Cerificate = itself. and + subsequent cerificate is signed by the= preceding + cerificate. + @param[in] CertChainLength Total length of the certificate chain,= in bytes. + + @param[in] CertIndex Index of certificate. + + @param[out] Cert The certificate at the index of CertCh= ain. + @param[out] CertLength The length certificate at the index of= CertChain. + + @retval TRUE Success. 
+ @retval FALSE Failed to get certificate from certificate chain. +**/ +BOOLEAN +EFIAPI +X509GetCertFromCertChain ( + IN CONST UINT8 *CertChain, + IN UINTN CertChainLength, + IN CONST INT32 CertIndex, + OUT CONST UINT8 **Cert, + OUT UINTN *CertLength + ) +{ + UINTN Asn1Len; + INT32 CurrentIndex; + UINTN CurrentCertLen; + CONST UINT8 *CurrentCert; + CONST UINT8 *TmpPtr; + INT32 Ret; + UINT32 Asn1Tag; + UINT32 ObjClass; + + // + // Check input parameters. + // + if ((CertChain =3D=3D NULL) || (Cert =3D=3D NULL) || + (CertIndex < -1) || (CertLength =3D=3D NULL)) + { + return FALSE; + } + + Asn1Len =3D 0; + CurrentCertLen =3D 0; + CurrentCert =3D CertChain; + CurrentIndex =3D -1; + + // + // Traverse the certificate chain + // + while (TRUE) { + TmpPtr =3D CurrentCert; + + // Get asn1 object and taglen + Ret =3D ASN1_get_object ( + (CONST UINT8 **)&TmpPtr, + (long *)&Asn1Len, + (int *)&Asn1Tag, + (int *)&ObjClass, + (long)(CertChainLength + CertChain - TmpPtr) + ); + if ((Asn1Tag !=3D V_ASN1_SEQUENCE) || (Ret =3D=3D 0x80)) { + break; + } + + // + // Calculate CurrentCert length; + // + CurrentCertLen =3D TmpPtr - CurrentCert + Asn1Len; + CurrentIndex++; + + if (CurrentIndex =3D=3D CertIndex) { + *Cert =3D CurrentCert; + *CertLength =3D CurrentCertLen; + return TRUE; + } + + // + // Move to next + // + CurrentCert =3D CurrentCert + CurrentCertLen; + } + + // + // If CertIndex is -1, Return the last certificate + // + if ((CertIndex =3D=3D -1) && (CurrentIndex >=3D 0)) { + *Cert =3D CurrentCert - CurrentCertLen; + *CertLength =3D CurrentCertLen; + return TRUE; + } + + return FALSE; +} + +/** + Retrieve the tag and length of the tag. 
+ + @param Ptr The position in the ASN.1 data + @param End End of data + @param Length The variable that will receive the length + @param Tag The expected tag + + @retval TRUE Get tag successful + @retval FALSe Failed to get tag or tag not match +**/ +BOOLEAN +EFIAPI +Asn1GetTag ( + IN OUT UINT8 **Ptr, + IN UINT8 *End, + OUT UINTN *Length, + IN UINT32 Tag + ) +{ + UINT8 *PtrOld; + INT32 ObjTag; + INT32 ObjCls; + long ObjLength; + + // + // Save Ptr position + // + PtrOld =3D *Ptr; + + ASN1_get_object ((CONST UINT8 **)Ptr, &ObjLength, &ObjTag, &ObjCls, (INT= 32)(End - (*Ptr))); + if ((ObjTag =3D=3D (INT32)(Tag & CRYPTO_ASN1_TAG_VALUE_MASK)) && + (ObjCls =3D=3D (INT32)(Tag & CRYPTO_ASN1_TAG_CLASS_MASK))) + { + *Length =3D (UINTN)ObjLength; + return TRUE; + } else { + // + // if doesn't match Tag, restore Ptr to origin Ptr + // + *Ptr =3D PtrOld; + return FALSE; + } +} + +/** + Retrieve the basic constraints from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509= certificate. + @param[in] CertSize size of the X509 certificate in= bytes. + @param[out] BasicConstraints basic constraints bytes. + @param[in, out] BasicConstraintsSize basic constraints buffer sizs i= n bytes. + + @retval TRUE The basic constraints retrieve successf= ully. + @retval FALSE If cert is NULL. + If cert_size is NULL. + If basic_constraints is not NULL and *b= asic_constraints_size is 0. + If cert is invalid. + @retval FALSE The required buffer size is small. + The return buffer size is basic_constra= ints_size parameter. + @retval FALSE If no Extension entry match oid. + @retval FALSE The operation is not supported. 
+ **/ +BOOLEAN +EFIAPI +X509GetExtendedBasicConstraints ( + CONST UINT8 *Cert, + UINTN CertSize, + UINT8 *BasicConstraints, + UINTN *BasicConstraintsSize + ) +{ + BOOLEAN Status; + + if ((Cert =3D=3D NULL) || (CertSize =3D=3D 0) || (BasicConstraintsSize = =3D=3D NULL)) { + return FALSE; + } + + Status =3D X509GetExtensionData ( + (UINT8 *)Cert, + CertSize, + mOidBasicConstraints, + sizeof (mOidBasicConstraints), + BasicConstraints, + BasicConstraintsSize + ); + + return Status; +} diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c b/CryptoPkg/= Library/BaseCryptLib/Pk/CryptX509Null.c index 38819723c7..bd2a12fc14 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c 
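Review bot: The ASN1_get_object error test in X509VerifyCertChain and X509GetCertFromCertChain, `if ((Asn1Tag != V_ASN1_SEQUENCE) || (Ret == 0x80))`, only catches a bare 0x80; OpenSSL ORs 0x80 into the constructed bit when the encoded length exceeds omax, so a SEQUENCE header whose length overruns the remaining chain returns 0xA0, passes the check, and CurrentCertLen then exceeds the bytes left in CertChain before it is handed to X509VerifyCert. Test the error bit instead, `if (((Ret & 0x80) != 0) || (Asn1Tag != V_ASN1_SEQUENCE))`, and initialize Asn1Tag before the loop, because the early omax <= 0 return leaves it unset; Asn1GetTag has the same gap since it discards the return value and compares a possibly unset ObjTag. Separately, X509GetIssuerName calls `X509_get_subject_name (X509Cert)` where `X509_get_issuer_name (X509Cert)` is meant (the @param text for CertIssuer still says "subject"). X509GetKeyUsage compares the result against NID_undef, but X509_get_key_usage reports an absent KeyUsage extension as UINT32_MAX, so a certificate with no KeyUsage extension is returned as TRUE with every usage bit set; compare against UINT32_MAX instead. X509GetSerialNumber copies `*SerialNumberSize` bytes out of Asn1Integer->data after only checking that it is not smaller than the integer, which over-reads when the caller's buffer is larger; copy `(UINTN)Asn1Integer->length` bytes, and X509SetDateTime dereferences DateTimeStr and DateTimeSize without the NULL checks its doc block promises.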
@@ -292,3 +292,432 @@ X509GetTBSCert ( ASSERT (FALSE); return FALSE; } + +/** + Retrieve the version from one X.509 certificate. + + If Cert is NULL, then return FALSE. + If CertSize is 0, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] Version Pointer to the retrieved version integer. + + @retval TRUE The certificate version retrieved successfully. + @retval FALSE If Cert is NULL or CertSize is Zero. + @retval FALSE The operation is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetVersion ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINTN *Version + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the serialNumber from one X.509 certificate. + + If Cert is NULL, then return FALSE. + If CertSize is 0, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] SerialNumber Pointer to the retrieved certificate Seria= lNumber bytes. + @param[in, out] SerialNumberSize The size in bytes of the SerialNumber = buffer on input, + and the size of buffer returned SerialNumbe= r on output. + + @retval TRUE The certificate serialNumber retrieved = successfully. + @retval FALSE If Cert is NULL or CertSize is Zero. + If SerialNumberSize is NULL. + If Certificate is invalid. + @retval FALSE If no SerialNumber exists. + @retval FALSE If the SerialNumber is NULL. The requir= ed buffer size + (including the final null) is returned = in the + SerialNumberSize parameter. + @retval FALSE The operation is not supported. 
+**/ +BOOLEAN +EFIAPI +X509GetSerialNumber ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *SerialNumber, OPTIONAL + IN OUT UINTN *SerialNumberSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the issuer bytes from one X.509 certificate. + + If Cert is NULL, then return FALSE. + If CertIssuerSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CertIssuer Pointer to the retrieved certificate subject= bytes. + @param[in, out] CertIssuerSize The size in bytes of the CertIssuer buff= er on input, + and the size of buffer returned CertSubject= on output. + + @retval TRUE The certificate issuer retrieved successfully. + @retval FALSE Invalid certificate, or the CertIssuerSize is too small = for the result. + The CertIssuerSize will be updated with the required siz= e. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetIssuerName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *CertIssuer, + IN OUT UINTN *CertIssuerSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the Signature Algorithm from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] Oid Signature Algorithm Object identifier b= uffer. + @param[in,out] OidSize Signature Algorithm Object identifier b= uffer size + + @retval TRUE The certificate Extension data retrieved successf= ully. + @retval FALSE If Cert is NULL. + If OidSize is NULL. + If Oid is not NULL and *OidSize is 0. + If Certificate is invalid. + @retval FALSE If no SignatureType. + @retval FALSE If the Oid is NULL. The required buffer= size + is returned in the OidSize. + @retval FALSE The operation is not supported. 
+**/ +BOOLEAN +EFIAPI +X509GetSignatureAlgorithm ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *Oid, OPTIONAL + IN OUT UINTN *OidSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve Extension data from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[in] Oid Object identifier buffer + @param[in] OidSize Object identifier buffer size + @param[out] ExtensionData Extension bytes. + @param[in, out] ExtensionDataSize Extension bytes size. + + @retval TRUE The certificate Extension data retrieve= d successfully. + @retval FALSE If Cert is NULL. + If ExtensionDataSize is NULL. + If ExtensionData is not NULL and *Exten= sionDataSize is 0. + If Certificate is invalid. + @retval FALSE If no Extension entry match Oid. + @retval FALSE If the ExtensionData is NULL. The requi= red buffer size + is returned in the ExtensionDataSize pa= rameter. + @retval FALSE The operation is not supported. +**/ +BOOLEAN +EFIAPI +X509GetExtensionData ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN CONST UINT8 *Oid, + IN UINTN OidSize, + OUT UINT8 *ExtensionData, + IN OUT UINTN *ExtensionDataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the Extended Key Usage from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] Usage Key Usage bytes. + @param[in, out] UsageSize Key Usage buffer sizs in bytes. + + @retval TRUE The Usage bytes retrieve successfully. + @retval FALSE If Cert is NULL. + If CertSize is NULL. + If Usage is not NULL and *UsageSize is = 0. + If Cert is invalid. + @retval FALSE If the Usage is NULL. The required buff= er size + is returned in the UsageSize parameter. + @retval FALSE The operation is not supported. 
+**/ +BOOLEAN +EFIAPI +X509GetExtendedKeyUsage ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *Usage, + IN OUT UINTN *UsageSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the Validity from one X.509 certificate + + If Cert is NULL, then return FALSE. + If CertIssuerSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[in] From notBefore Pointer to DateTime object. + @param[in,out] FromSize notBefore DateTime object size. + @param[in] To notAfter Pointer to DateTime object. + @param[in,out] ToSize notAfter DateTime object size. + + Note: X509CompareDateTime to compare DateTime oject + x509SetDateTime to get a DateTime object from a DateTimeStr + + @retval TRUE The certificate Validity retrieved successfully. + @retval FALSE Invalid certificate, or Validity retrieve failed. + @retval FALSE This interface is not supported. +**/ +BOOLEAN +EFIAPI +X509GetValidity ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN UINT8 *From, + IN OUT UINTN *FromSize, + IN UINT8 *To, + IN OUT UINTN *ToSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Format a DateTime object into DataTime Buffer + + If DateTimeStr is NULL, then return FALSE. + If DateTimeSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] DateTimeStr DateTime string like YYYYMMDDhhmmssZ + Ref: https://www.w3.org/TR/NOTE-datetime + Z stand for UTC time + @param[out] DateTime Pointer to a DateTime object. + @param[in,out] DateTimeSize DateTime object buffer size. + + @retval TRUE The DateTime object create successfully. + @retval FALSE If DateTimeStr is NULL. + If DateTimeSize is NULL. + If DateTime is not NULL and *DateTimeSi= ze is 0. + If Year Month Day Hour Minute Second co= mbination is invalid datetime. + @retval FALSE If the DateTime is NULL. 
The required b= uffer size + (including the final null) is returned = in the + DateTimeSize parameter. + @retval FALSE The operation is not supported. +**/ +BOOLEAN +EFIAPI +X509SetDateTime ( + IN CHAR8 *DateTimeStr, + OUT VOID *DateTime, + IN OUT UINTN *DateTimeSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Compare DateTime1 object and DateTime2 object. + + If DateTime1 is NULL, then return -2. + If DateTime2 is NULL, then return -2. + If DateTime1 =3D=3D DateTime2, then return 0 + If DateTime1 > DateTime2, then return 1 + If DateTime1 < DateTime2, then return -1 + + @param[in] DateTime1 Pointer to a DateTime Ojbect + @param[in] DateTime2 Pointer to a DateTime Object + + @retval 0 If DateTime1 =3D=3D DateTime2 + @retval 1 If DateTime1 > DateTime2 + @retval -1 If DateTime1 < DateTime2 +**/ +INT32 +EFIAPI +X509CompareDateTime ( + IN CONST VOID *DateTime1, + IN CONST VOID *DateTime2 + ) +{ + ASSERT (FALSE); + return -3; +} + +/** + Retrieve the Key Usage from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] Usage Key Usage (CRYPTO_X509_KU_*) + + @retval TRUE The certificate Key Usage retrieved successfully. + @retval FALSE Invalid certificate, or Usage is NULL + @retval FALSE This interface is not supported. +**/ +BOOLEAN +EFIAPI +X509GetKeyUsage ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINTN *Usage + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Verify one X509 certificate was issued by the trusted CA. + @param[in] RootCert Trusted Root Certificate buffer + + @param[in] RootCertLength Trusted Root Certificate buffer length + @param[in] CertChain One or more ASN.1 DER-encoded X.509 ce= rtificates + where the first certificate is signed = by the Root + Certificate or is the Root Cerificate = itself. and + subsequent cerificate is signed by the= preceding + cerificate. 
+ @param[in] CertChainLength Total length of the certificate chain,= in bytes. + + @retval TRUE All cerificates was issued by the first certificate in X= 509Certchain. + @retval FALSE Invalid certificate or the certificate was not issued by= the given + trusted CA. +**/ +BOOLEAN +EFIAPI +X509VerifyCertChain ( + IN CONST UINT8 *RootCert, + IN UINTN RootCertLength, + IN CONST UINT8 *CertChain, + IN UINTN CertChainLength + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Get one X509 certificate from CertChain. + + @param[in] CertChain One or more ASN.1 DER-encoded X.509 ce= rtificates + where the first certificate is signed = by the Root + Certificate or is the Root Cerificate = itself. and + subsequent cerificate is signed by the= preceding + cerificate. + @param[in] CertChainLength Total length of the certificate chain,= in bytes. + + @param[in] CertIndex Index of certificate. + + @param[out] Cert The certificate at the index of CertCh= ain. + @param[out] CertLength The length certificate at the index of= CertChain. + + @retval TRUE Success. + @retval FALSE Failed to get certificate from certificate chain. +**/ +BOOLEAN +EFIAPI +X509GetCertFromCertChain ( + IN CONST UINT8 *CertChain, + IN UINTN CertChainLength, + IN CONST INT32 CertIndex, + OUT CONST UINT8 **Cert, + OUT UINTN *CertLength + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the tag and length of the tag. + + @param Ptr The position in the ASN.1 data + @param End End of data + @param Length The variable that will receive the length + @param Tag The expected tag + + @retval TRUE Get tag successful + @retval FALSe Failed to get tag or tag not match +**/ +BOOLEAN +EFIAPI +Asn1GetTag ( + IN OUT UINT8 **Ptr, + IN UINT8 *End, + OUT UINTN *Length, + IN UINT32 Tag + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the basic constraints from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509= certificate. 
+ @param[in] CertSize size of the X509 certificate in= bytes. + @param[out] BasicConstraints basic constraints bytes. + @param[in, out] BasicConstraintsSize basic constraints buffer sizs i= n bytes. + + @retval TRUE The basic constraints retrieve successf= ully. + @retval FALSE If cert is NULL. + If cert_size is NULL. + If basic_constraints is not NULL and *b= asic_constraints_size is 0. + If cert is invalid. + @retval FALSE The required buffer size is small. + The return buffer size is basic_constra= ints_size parameter. + @retval FALSE If no Extension entry match oid. + @retval FALSE The operation is not supported. + **/ +BOOLEAN +EFIAPI +X509GetExtendedBasicConstraints ( + CONST UINT8 *Cert, + UINTN CertSize, + UINT8 *BasicConstraints, + UINTN *BasicConstraintsSize + ) +{ + ASSERT (FALSE); + return FALSE; +} diff --git a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c b/Crypto= Pkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c index 38819723c7..0068f00738 100644 --- a/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c +++ b/CryptoPkg/Library/BaseCryptLibNull/Pk/CryptX509Null.c 
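Review bot: The `X509CompareDateTime` stub returns `-3` on its unsupported path, a value the doc block directly above it never lists — the prose promises -2 for a NULL input and 0/1/-1 otherwise, and the `@retval` list does not mention -2 either. A caller that reads any negative result as "DateTime1 is earlier" (for example when checking a notAfter bound) would accept the unsupported sentinel as a valid ordering, so the contract should spell it out: add `@retval -2 If DateTime1 or DateTime2 is NULL.` and `@retval -3 The operation is not supported.`, with a sentence that callers must check for these before interpreting the sign. The same hunk carries copy-paste slips in the doc blocks: `X509GetValidity` says "If CertIssuerSize is NULL, then return FALSE." although it has no such parameter, `Asn1GetTag` lists `@retval FALSe`, and `X509GetExtendedBasicConstraints` is the only prototype here without `IN`/`OUT` qualifiers on its parameters. The BaseCryptLibNull/Pk/CryptX509Null.c hunk below duplicates every one of these verbatim.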
@@ -292,3 +292,432 @@ X509GetTBSCert ( ASSERT (FALSE); return FALSE; } + +/** + Retrieve the version from one X.509 certificate. + + If Cert is NULL, then return FALSE. + If CertSize is 0, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] Version Pointer to the retrieved version integer. + + @retval TRUE The certificate version retrieved successfully. + @retval FALSE If Cert is NULL or CertSize is Zero. + @retval FALSE The operation is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetVersion ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINTN *Version + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the serialNumber from one X.509 certificate. + + If Cert is NULL, then return FALSE. + If CertSize is 0, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] SerialNumber Pointer to the retrieved certificate Seria= lNumber bytes. + @param[in, out] SerialNumberSize The size in bytes of the SerialNumber = buffer on input, + and the size of buffer returned SerialNumbe= r on output. + + @retval TRUE The certificate serialNumber retrieved = successfully. + @retval FALSE If Cert is NULL or CertSize is Zero. + If SerialNumberSize is NULL. + If Certificate is invalid. + @retval FALSE If no SerialNumber exists. + @retval FALSE If the SerialNumber is NULL. The requir= ed buffer size + (including the final null) is returned = in the + SerialNumberSize parameter. + @retval FALSE The operation is not supported. 
+**/ +BOOLEAN +EFIAPI +X509GetSerialNumber ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *SerialNumber, OPTIONAL + IN OUT UINTN *SerialNumberSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the issuer bytes from one X.509 certificate. + + If Cert is NULL, then return FALSE. + If CertIssuerSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CertIssuer Pointer to the retrieved certificate subject= bytes. + @param[in, out] CertIssuerSize The size in bytes of the CertIssuer buff= er on input, + and the size of buffer returned CertSubject= on output. + + @retval TRUE The certificate issuer retrieved successfully. + @retval FALSE Invalid certificate, or the CertIssuerSize is too small = for the result. + The CertIssuerSize will be updated with the required siz= e. + @retval FALSE This interface is not supported. + +**/ +BOOLEAN +EFIAPI +X509GetIssuerName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *CertIssuer, + IN OUT UINTN *CertIssuerSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the Signature Algorithm from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] Oid Signature Algorithm Object identifier b= uffer. + @param[in,out] OidSize Signature Algorithm Object identifier b= uffer size + + @retval TRUE The certificate Extension data retrieved successf= ully. + @retval FALSE If Cert is NULL. + If OidSize is NULL. + If Oid is not NULL and *OidSize is 0. + If Certificate is invalid. + @retval FALSE If no SignatureType. + @retval FALSE If the Oid is NULL. The required buffer= size + is returned in the OidSize. + @retval FALSE The operation is not supported. 
+**/ +BOOLEAN +EFIAPI +X509GetSignatureAlgorithm ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *Oid, OPTIONAL + IN OUT UINTN *OidSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve Extension data from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[in] Oid Object identifier buffer + @param[in] OidSize Object identifier buffer size + @param[out] ExtensionData Extension bytes. + @param[in, out] ExtensionDataSize Extension bytes size. + + @retval TRUE The certificate Extension data retrieve= d successfully. + @retval FALSE If Cert is NULL. + If ExtensionDataSize is NULL. + If ExtensionData is not NULL and *Exten= sionDataSize is 0. + If Certificate is invalid. + @retval FALSE If no Extension entry match Oid. + @retval FALSE If the ExtensionData is NULL. The requi= red buffer size + is returned in the ExtensionDataSize pa= rameter. + @retval FALSE The operation is not supported. +**/ +BOOLEAN +EFIAPI +X509GetExtensionData ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN CONST UINT8 *Oid, + IN UINTN OidSize, + OUT UINT8 *ExtensionData, + IN OUT UINTN *ExtensionDataSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the Extended Key Usage from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] Usage Key Usage bytes. + @param[in, out] UsageSize Key Usage buffer sizs in bytes. + + @retval TRUE The Usage bytes retrieve successfully. + @retval FALSE If Cert is NULL. + If CertSize is NULL. + If Usage is not NULL and *UsageSize is = 0. + If Cert is invalid. + @retval FALSE If the Usage is NULL. The required buff= er size + is returned in the UsageSize parameter. + @retval FALSE The operation is not supported. 
+**/ +BOOLEAN +EFIAPI +X509GetExtendedKeyUsage ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINT8 *Usage, + IN OUT UINTN *UsageSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the Validity from one X.509 certificate + + If Cert is NULL, then return FALSE. + If CertIssuerSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] Cert Pointer to the DER-encoded X509 certificate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[in] From notBefore Pointer to DateTime object. + @param[in,out] FromSize notBefore DateTime object size. + @param[in] To notAfter Pointer to DateTime object. + @param[in,out] ToSize notAfter DateTime object size. + + Note: X509CompareDateTime to compare DateTime oject + x509SetDateTime to get a DateTime object from a DateTimeStr + + @retval TRUE The certificate Validity retrieved successfully. + @retval FALSE Invalid certificate, or Validity retrieve failed. + @retval FALSE This interface is not supported. +**/ +BOOLEAN +EFIAPI +X509GetValidity ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + IN UINT8 *From, + IN OUT UINTN *FromSize, + IN UINT8 *To, + IN OUT UINTN *ToSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Format a DateTime object into DataTime Buffer + + If DateTimeStr is NULL, then return FALSE. + If DateTimeSize is NULL, then return FALSE. + If this interface is not supported, then return FALSE. + + @param[in] DateTimeStr DateTime string like YYYYMMDDhhmmssZ + Ref: https://www.w3.org/TR/NOTE-datetime + Z stand for UTC time + @param[out] DateTime Pointer to a DateTime object. + @param[in,out] DateTimeSize DateTime object buffer size. + + @retval TRUE The DateTime object create successfully. + @retval FALSE If DateTimeStr is NULL. + If DateTimeSize is NULL. + If DateTime is not NULL and *DateTimeSi= ze is 0. + If Year Month Day Hour Minute Second co= mbination is invalid datetime. + @retval FALSE If the DateTime is NULL. 
The required b= uffer size + (including the final null) is returned = in the + DateTimeSize parameter. + @retval FALSE The operation is not supported. +**/ +BOOLEAN +EFIAPI +X509SetDateTime ( + IN CHAR8 *DateTimeStr, + OUT VOID *DateTime, + IN OUT UINTN *DateTimeSize + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Compare DateTime1 object and DateTime2 object. + + If DateTime1 is NULL, then return -2. + If DateTime2 is NULL, then return -2. + If DateTime1 =3D=3D DateTime2, then return 0 + If DateTime1 > DateTime2, then return 1 + If DateTime1 < DateTime2, then return -1 + + @param[in] DateTime1 Pointer to a DateTime Ojbect + @param[in] DateTime2 Pointer to a DateTime Object + + @retval 0 If DateTime1 =3D=3D DateTime2 + @retval 1 If DateTime1 > DateTime2 + @retval -1 If DateTime1 < DateTime2 +**/ +INT32 +EFIAPI +X509CompareDateTime ( + IN CONST VOID *DateTime1, + IN CONST VOID *DateTime2 + ) +{ + ASSERT (FALSE); + return -3; +} + +/** + Retrieve the Key Usage from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] Usage Key Usage (CRYPTO_X509_KU_*) + + @retval TRUE The certificate Key Usage retrieved successfully. + @retval FALSE Invalid certificate, or Usage is NULL + @retval FALSE This interface is not supported. +**/ +BOOLEAN +EFIAPI +X509GetKeyUsage ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT UINTN *Usage + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Verify one X509 certificate was issued by the trusted CA. + @param[in] RootCert Trusted Root Certificate buffer + + @param[in] RootCertLength Trusted Root Certificate buffer length + @param[in] CertChain One or more ASN.1 DER-encoded X.509 ce= rtificates + where the first certificate is signed = by the Root + Certificate or is the Root Cerificate = itself. and + subsequent cerificate is signed by the= preceding + cerificate. 
+ @param[in] CertChainLength Total length of the certificate chain,= in bytes. + + @retval TRUE All cerificates was issued by the first certificate in X= 509Certchain. + @retval FALSE Invalid certificate or the certificate was not issued by= the given + trusted CA. +**/ +BOOLEAN +EFIAPI +X509VerifyCertChain ( + IN CONST UINT8 *RootCert, + IN UINTN RootCertLength, + IN CONST UINT8 *CertChain, + IN UINTN CertChainLength + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Get one X509 certificate from CertChain. + + @param[in] CertChain One or more ASN.1 DER-encoded X.509 ce= rtificates + where the first certificate is signed = by the Root + Certificate or is the Root Cerificate = itself. and + subsequent cerificate is signed by the= preceding + cerificate. + @param[in] CertChainLength Total length of the certificate chain,= in bytes. + + @param[in] CertIndex Index of certificate. + + @param[out] Cert The certificate at the index of CertCh= ain. + @param[out] CertLength The length certificate at the index of= CertChain. + + @retval TRUE Success. + @retval FALSE Failed to get certificate from certificate chain. +**/ +BOOLEAN +EFIAPI +X509GetCertFromCertChain ( + IN CONST UINT8 *CertChain, + IN UINTN CertChainLength, + IN CONST INT32 CertIndex, + OUT CONST UINT8 **Cert, + OUT UINTN *CertLength + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the tag and length of the tag. + + @param Ptr The position in the ASN.1 data + @param End End of data + @param Length The variable that will receive the length + @param Tag The expected tag + + @retval TRUE Get tag successful + @retval FALSe Failed to get tag or tag not match +**/ +BOOLEAN +EFIAPI +Asn1GetTag ( + IN OUT UINT8 **Ptr, + IN UINT8 *End, + OUT UINTN *Length, + IN UINT32 Tag + ) +{ + ASSERT (FALSE); + return FALSE; +} + +/** + Retrieve the basic constraints from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509= certificate. 
+ @param[in] CertSize size of the X509 certificate in= bytes. + @param[out] BasicConstraints basic constraints bytes. + @param[in, out] BasicConstraintsSize basic constraints buffer sizs i= n bytes. + + @retval TRUE The basic constraints retrieve successf= ully. + @retval FALSE If cert is NULL. + If cert_size is NULL. + If basic_constraints is not NULL and *b= asic_constraints_size is 0. + If cert is invalid. + @retval FALSE The required buffer size is small. + The return buffer size is basic_constra= ints_size parameter. + @retval FALSE If no Extension entry match oid. + @retval FALSE The operation is not supported. + **/ +BOOLEAN +EFIAPI +X509GetExtendedBasicConstraints ( + CONST UINT8 *Cert, + UINTN CertSize, + UINT8 *BasicConstraints, + UINTN *BasicConstraintsSize + ) +{ + ASSERT (FALSE); + return FALSE; +} --=20 2.26.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#94284): https://edk2.groups.io/g/devel/message/94284 Mute This Topic: https://groups.io/mt/93903803/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-