From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 5D27921ECCB07 for ; Wed, 20 Sep 2017 05:06:04 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id A7E6EA0C12; Wed, 20 Sep 2017 12:09:09 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com A7E6EA0C12 Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=lersek@redhat.com Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-23.rdu2.redhat.com [10.10.120.23]) by smtp.corp.redhat.com (Postfix) with ESMTP id 76AB75D97A; Wed, 20 Sep 2017 12:09:08 +0000 (UTC) To: Long Qin , ting.ye@intel.com, chao.b.zhang@intel.com Cc: edk2-devel@lists.01.org References: <20170919033840.3012-1-qin.long@intel.com> From: Laszlo Ersek Message-ID: <179d82f6-df16-ffbf-f813-f2a2cc39f0df@redhat.com> Date: Wed, 20 Sep 2017 14:09:07 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <20170919033840.3012-1-qin.long@intel.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Wed, 20 Sep 2017 12:09:09 +0000 (UTC) Subject: Re: [PATCH] CryptoPkg: Add new API to retrieve commonName of X.509 certificate X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Sep 2017 12:06:04 -0000 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Hello Qin, On 09/19/17 05:38, Long Qin wrote: > Add one new API (X509GetCommonName()) to retrieve the subject commonName > string from one X.509 certificate. > > Cc: Ting Ye > Cc: Chao Zhang > Contributed-under: TianoCore Contribution Agreement 1.0 > Signed-off-by: Qin Long > --- > CryptoPkg/Application/Cryptest/RsaVerify2.c | 17 ++++ > CryptoPkg/Include/Library/BaseCryptLib.h | 32 ++++++++ > CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 93 ++++++++++++++++++++++ > CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c | 32 ++++++++ > .../Pk/CryptX509Null.c | 34 +++++++- > 5 files changed, 207 insertions(+), 1 deletion(-) > diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h > index 9c5ffcd9cf..d861be6725 100644 > --- a/CryptoPkg/Include/Library/BaseCryptLib.h > +++ b/CryptoPkg/Include/Library/BaseCryptLib.h > @@ -2171,6 +2171,38 @@ X509GetSubjectName ( > IN OUT UINTN *SubjectSize > ); > > +/** > + Retrieve the common name (CN) string from one X.509 certificate. > + > + If Cert or CommonNameSize is NULL, then return FALSE. > + If this interface is not supported, then return FALSE. > + > + @param[in] Cert Pointer to the DER-encoded X509 certificate. > + @param[in] CertSize Size of the X509 certificate in bytes. > + @param[out] CommonName Buffer to contain the retrieved certificate common > + name string. At most CommonNameSize bytes will be > + written and the string will be null terminated. May be > + NULL in order to determine the size buffer needed. > + @param[in,out] CommonNameSize The size in bytes of the CommonName buffer on input, > + and the size of buffer returned CommonName on output. > + if CommonName is NULL then the amount of space needed > + in buffer (including the final null) is returned. > + > + @retval TRUE The certificate CommonName retrieved successfully. > + @retval FALSE Invalid certificate, or CommonNameSize is NULL, > + or no CommonName entry exists. > + @retval FALSE This interface is not supported. > + > +**/ > +BOOLEAN > +EFIAPI > +X509GetCommonName ( > + IN CONST UINT8 *Cert, > + IN UINTN CertSize, > + OUT CHAR8 *CommonName, > + IN OUT UINTN *CommonNameSize > + ); > + > /** > Verify one X509 certificate was issued by the trusted CA. > I hope my questions / suggestions aren't unwelcome (or misguided) -- have you considered returning RETURN_STATUS from this function? Currently FALSE is returned for several error cases, but we have good RETURN_xxx macros for telling them apart: - RETURN_BUFFER_TOO_SMALL: "The buffer was not large enough to hold the requested data. The required buffer size is returned in the appropriate parameter when this error occurs." - RETURN_UNSUPPORTED: "The operation is not supported." - RETURN_NOT_FOUND: "The item was not found." -- this can be used for "no CommonName entry exists". - RETURN_INVALID_PARAMETER: "The parameter was incorrect." -- this can be used for "CommonNameSize is NULL", and likely for "Invalid certificate" as well. If you don't want to update the interface, I'm OK with that of course; I just figured I'd raise the question. Thanks! Laszlo