From: Qin Long <qin.long@intel.com>
To: lersek@redhat.com, ting.ye@intel.com, chao.b.zhang@intel.com
Cc: edk2-devel@lists.01.org
Subject: [PATCH v2] CryptoPkg: Add new API to retrieve commonName of X.509 certificate
Date: Thu, 21 Sep 2017 00:05:15 +0800 [thread overview]
Message-ID: <20170920160515.6792-1-qin.long@intel.com> (raw)
v2: Update function interface to return RETURN_STATUS to represent
different error cases.
Add one new API (X509GetCommonName()) to retrieve the subject commonName
string from one X.509 certificate.
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ting Ye <ting.ye@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
---
CryptoPkg/Application/Cryptest/RsaVerify2.c | 32 +++++--
CryptoPkg/Include/Library/BaseCryptLib.h | 34 +++++++
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 106 +++++++++++++++++++++
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c | 32 +++++++
.../Pk/CryptX509Null.c | 34 ++++++-
5 files changed, 230 insertions(+), 8 deletions(-)
diff --git a/CryptoPkg/Application/Cryptest/RsaVerify2.c b/CryptoPkg/Application/Cryptest/RsaVerify2.c
index 98b5aad900..9db43d6eef 100644
--- a/CryptoPkg/Application/Cryptest/RsaVerify2.c
+++ b/CryptoPkg/Application/Cryptest/RsaVerify2.c
@@ -204,13 +204,17 @@ ValidateCryptRsa2 (
VOID
)
{
- BOOLEAN Status;
- VOID *RsaPrivKey;
- VOID *RsaPubKey;
- UINT8 *Signature;
- UINTN SigSize;
- UINT8 *Subject;
- UINTN SubjectSize;
+ BOOLEAN Status;
+ VOID *RsaPrivKey;
+ VOID *RsaPubKey;
+ UINT8 *Signature;
+ UINTN SigSize;
+ UINT8 *Subject;
+ UINTN SubjectSize;
+ RETURN_STATUS ReturnStatus;
+ CHAR8 CommonName[64];
+ CHAR16 CommonNameUnicode[64];
+ UINTN CommonNameSize;
Print (L"\nUEFI-OpenSSL RSA Key Retrieving Testing: ");
@@ -286,6 +290,20 @@ ValidateCryptRsa2 (
Print (L"[Pass]");
}
+ //
+ // Get CommonName from X509 Certificate Subject
+ //
+ CommonNameSize = 64;
+ ZeroMem (CommonName, CommonNameSize);
+ ReturnStatus = X509GetCommonName (TestCert, sizeof (TestCert), CommonName, &CommonNameSize);
+ if (RETURN_ERROR (ReturnStatus)) {
+ Print (L"\n - Retrieving Common Name - [Fail]");
+ return EFI_ABORTED;
+ } else {
+ AsciiStrToUnicodeStrS (CommonName, CommonNameUnicode, CommonNameSize);
+ Print (L"\n - Retrieving Common Name = \"%s\" (Size = %d)", CommonNameUnicode, CommonNameSize);
+ }
+
//
// X509 Certificate Verification.
//
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 9c5ffcd9cf..48e9531758 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -2171,6 +2171,40 @@ X509GetSubjectName (
IN OUT UINTN *SubjectSize
);
+/**
+ Retrieve the common name (CN) string from one X.509 certificate.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] CommonName Buffer to contain the retrieved certificate common
+ name string. At most CommonNameSize bytes will be
+ written and the string will be null terminated. May be
+ NULL in order to determine the size buffer needed.
+ @param[in,out] CommonNameSize The size in bytes of the CommonName buffer on input,
+ and the size of buffer returned CommonName on output.
+ If CommonName is NULL then the amount of space needed
+ in buffer (including the final null) is returned.
+
+ @retval RETURN_SUCCESS The certificate CommonName retrieved successfully.
+ @retval RETURN_INVALID_PARAMETER If Cert is NULL.
+ If CommonNameSize is NULL.
+ If Certificate is invalid.
+ @retval RETURN_NOT_FOUND If no CommonName entry exists.
+ @retval RETURN_BUFFER_TOO_SMALL If the CommonName is NULL. The required buffer size
+ (including the final null) is returned in the
+ CommonNameSize parameter.
+ @retval RETURN_UNSUPPORTED The operation is not supported.
+
+**/
+RETURN_STATUS
+EFIAPI
+X509GetCommonName (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT CHAR8 *CommonName,
+ IN OUT UINTN *CommonNameSize
+ );
+
/**
Verify one X509 certificate was issued by the trusted CA.
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 7d275977c5..c3cf97b262 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -297,6 +297,112 @@ _Exit:
return Status;
}
+/**
+ Retrieve the common name (CN) string from one X.509 certificate.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] CommonName Buffer to contain the retrieved certificate common
+ name string. At most CommonNameSize bytes will be
+ written and the string will be null terminated. May be
+ NULL in order to determine the size buffer needed.
+ @param[in,out] CommonNameSize The size in bytes of the CommonName buffer on input,
+ and the size of buffer returned CommonName on output.
+ If CommonName is NULL then the amount of space needed
+ in buffer (including the final null) is returned.
+
+ @retval RETURN_SUCCESS The certificate CommonName retrieved successfully.
+ @retval RETURN_INVALID_PARAMETER If Cert is NULL.
+ If CommonNameSize is NULL.
+ If Certificate is invalid.
+ @retval RETURN_NOT_FOUND If no CommonName entry exists.
+ @retval RETURN_BUFFER_TOO_SMALL If the CommonName is NULL. The required buffer size
+ (including the final null) is returned in the
+ CommonNameSize parameter.
+ @retval RETURN_UNSUPPORTED The operation is not supported.
+
+**/
+RETURN_STATUS
+EFIAPI
+X509GetCommonName (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT CHAR8 *CommonName,
+ IN OUT UINTN *CommonNameSize
+ )
+{
+ RETURN_STATUS ReturnStatus;
+ BOOLEAN Status;
+ X509 *X509Cert;
+ X509_NAME *X509Name;
+ INTN Length;
+
+ ReturnStatus = RETURN_INVALID_PARAMETER;
+
+ //
+ // Check input parameters.
+ //
+ if ((Cert == NULL) || (CommonNameSize == NULL)) {
+ return ReturnStatus;
+ }
+
+ X509Cert = NULL;
+ //
+ // Read DER-encoded X509 Certificate and Construct X509 object.
+ //
+ Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert);
+ if ((X509Cert == NULL) || (!Status)) {
+ //
+ // Invalid X.509 Certificate
+ //
+ goto _Exit;
+ }
+
+ Status = FALSE;
+
+ //
+ // Retrieve subject name from certificate object.
+ //
+ X509Name = X509_get_subject_name (X509Cert);
+ if (X509Name == NULL) {
+ //
+ // Fail to retrieve subject name content
+ //
+ ReturnStatus = RETURN_INVALID_PARAMETER;
+ goto _Exit;
+ }
+
+ //
+ // Retrieve the CommonName information from X.509 Subject
+ //
+ Length = (INTN) X509_NAME_get_text_by_NID (X509Name, NID_commonName, CommonName, (int)(*CommonNameSize));
+ if (Length < 0) {
+ //
+ // No CommonName entry exists in X509_NAME object
+ //
+ *CommonNameSize = 0;
+ ReturnStatus = RETURN_NOT_FOUND;
+ goto _Exit;
+ }
+
+ *CommonNameSize = (UINTN)(Length + 1);
+ if (CommonName == NULL) {
+ ReturnStatus = RETURN_BUFFER_TOO_SMALL;
+ } else {
+ ReturnStatus = RETURN_SUCCESS;
+ }
+
+_Exit:
+ //
+ // Release Resources.
+ //
+ if (X509Cert != NULL) {
+ X509_free (X509Cert);
+ }
+
+ return ReturnStatus;
+}
+
/**
Retrieve the RSA Public Key from one DER-encoded X509 certificate.
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c
index 51aa0633a8..25879d3578 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c
@@ -127,6 +127,38 @@ X509GetSubjectName (
return FALSE;
}
+/**
+ Retrieve the common name (CN) string from one X.509 certificate.
+
+ Return RETURN_UNSUPPORTED to indicate this interface is not supported.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] CommonName Buffer to contain the retrieved certificate common
+ name string. At most CommonNameSize bytes will be
+ written and the string will be null terminated. May be
+ NULL in order to determine the size buffer needed.
+ @param[in,out] CommonNameSize The size in bytes of the CommonName buffer on input,
+ and the size of buffer returned CommonName on output.
+ If CommonName is NULL then the amount of space needed
+ in buffer (including the final null) is returned.
+
+ @retval RETURN_UNSUPPORTED The operation is not supported.
+
+**/
+RETURN_STATUS
+EFIAPI
+X509GetCommonName (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT CHAR8 *CommonName,
+ IN OUT UINTN *CommonNameSize
+ )
+{
+ ASSERT (FALSE);
+ return RETURN_UNSUPPORTED;
+}
+
/**
Retrieve the RSA Public Key from one DER-encoded X509 certificate.
diff --git a/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX509Null.c b/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX509Null.c
index f5d9aa1076..25879d3578 100644
--- a/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX509Null.c
+++ b/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX509Null.c
@@ -127,6 +127,38 @@ X509GetSubjectName (
return FALSE;
}
+/**
+ Retrieve the common name (CN) string from one X.509 certificate.
+
+ Return RETURN_UNSUPPORTED to indicate this interface is not supported.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] CommonName Buffer to contain the retrieved certificate common
+ name string. At most CommonNameSize bytes will be
+ written and the string will be null terminated. May be
+ NULL in order to determine the size buffer needed.
+ @param[in,out] CommonNameSize The size in bytes of the CommonName buffer on input,
+ and the size of buffer returned CommonName on output.
+ If CommonName is NULL then the amount of space needed
+ in buffer (including the final null) is returned.
+
+ @retval RETURN_UNSUPPORTED The operation is not supported.
+
+**/
+RETURN_STATUS
+EFIAPI
+X509GetCommonName (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT CHAR8 *CommonName,
+ IN OUT UINTN *CommonNameSize
+ )
+{
+ ASSERT (FALSE);
+ return RETURN_UNSUPPORTED;
+}
+
/**
Retrieve the RSA Public Key from one DER-encoded X509 certificate.
@@ -203,4 +235,4 @@ X509GetTBSCert (
{
ASSERT (FALSE);
return FALSE;
-}
\ No newline at end of file
+}
--
2.14.1.windows.1
next reply other threads:[~2017-09-20 16:02 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-20 16:05 Qin Long [this message]
2017-09-20 16:38 ` [PATCH v2] CryptoPkg: Add new API to retrieve commonName of X.509 certificate Laszlo Ersek
2017-09-20 17:04 ` Long, Qin
2017-09-20 17:12 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170920160515.6792-1-qin.long@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox