public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Wenxing Hou" <wenxing.hou@intel.com>
To: devel@edk2.groups.io
Cc: Wenxing Hou <wenxing.hou@intel.com>
Subject: [edk2-staging/OpenSSL11_EOL PATCH 6/7] Update X509 api based on MbedTlsLib for CryptoPkg
Date: Fri, 17 Mar 2023 17:00:52 +0800	[thread overview]
Message-ID: <20230317090053.1895-7-wenxing.hou@intel.com> (raw)
In-Reply-To: <20230317090053.1895-1-wenxing.hou@intel.com>

Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
---
 .../BaseCryptLibMbedTls/Pk/CryptX509.c        | 163 +++++++++++++++++-
 1 file changed, 161 insertions(+), 2 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c
index 6e4a898572..957703a3eb 100644
--- a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c
@@ -26,6 +26,9 @@ STATIC CONST UINT8 OID_organizationName[] = {
 STATIC CONST UINT8 OID_extKeyUsage[] = {
   0x55, 0x1D, 0x25
 };
+STATIC CONST UINT8 OID_BasicConstraints[] = {
+  0x55, 0x1D, 0x13
+};
 
 /**
   Construct a X509 object from DER-encoded certificate data.
@@ -857,9 +860,61 @@ X509GetTBSCert (
   OUT UINTN        *TBSCertSize
   )
 {
-  return FALSE;
-}
+  UINTN        Length;
+  UINTN        Ret;
+  UINT8        *Ptr;
+  CONST UINT8        *Temp;
+  CONST UINT8        *End;
+
+  //
+  // Check input parameters.
+  //
+  if ((Cert == NULL) || (TBSCert == NULL) ||
+      (TBSCertSize == NULL) || (CertSize > INT_MAX))
+  {
+    return FALSE;
+  }
+
+  //
+  // An X.509 Certificate is: (defined in RFC3280)
+  //   Certificate  ::=  SEQUENCE  {
+  //     tbsCertificate       TBSCertificate,
+  //     signatureAlgorithm   AlgorithmIdentifier,
+  //     signature            BIT STRING }
+  //
+  // and
+  //
+  //  TBSCertificate  ::=  SEQUENCE  {
+  //    version         [0]  Version DEFAULT v1,
+  //    ...
+  //    }
+  //
+  // So we can just ASN1-parse the x.509 DER-encoded data. If we strip
+  // the first SEQUENCE, the second SEQUENCE is the TBSCertificate.
+  //
+
+  Length = 0;
+
+  Ptr = (UINT8 *)Cert;
+  End = Cert + CertSize;
+
+  Ret = mbedtls_asn1_get_tag(&Ptr, End, &Length, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+  if (Ret != 0) {
+    return FALSE;
+  }
 
+  Temp = Ptr;
+  End = Ptr + Length;
+  Ret = mbedtls_asn1_get_tag(&Ptr, End, &Length, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
+  if (Ret != 0) {
+    return FALSE;
+  }
+
+  *TBSCert = (UINT8 *)Temp;
+  *TBSCertSize = Length + (Ptr - Temp);
+
+  return TRUE;
+}
 
 /**
   Retrieve the version from one X.509 certificate.
@@ -1666,3 +1721,107 @@ X509CompareDateTime (
     return 1;
   }
 }
+
+/**
+  Retrieve the basic constraints from one X.509 certificate.
+
+  @param[in]      Cert                     Pointer to the DER-encoded X509 certificate.
+  @param[in]      CertSize                 size of the X509 certificate in bytes.
+  @param[out]     BasicConstraints         basic constraints bytes.
+  @param[in, out] BasicConstraintsSize     basic constraints buffer sizs in bytes.
+
+  @retval TRUE                     The basic constraints retrieve successfully.
+  @retval FALSE                    If cert is NULL.
+                                   If cert_size is NULL.
+                                   If basic_constraints is not NULL and *basic_constraints_size is 0.
+                                   If cert is invalid.
+  @retval FALSE                    The required buffer size is small.
+                                   The return buffer size is basic_constraints_size parameter.
+  @retval FALSE                    If no Extension entry match oid.
+  @retval FALSE                    The operation is not supported.
+ **/
+BOOLEAN
+EFIAPI
+X509GetExtendedBasicConstraints(
+  CONST UINT8  *Cert,
+  UINTN        CertSize,
+  UINT8        *BasicConstraints,
+  UINTN        *BasicConstraintsSize
+  )
+{
+  BOOLEAN  Status;
+
+  if ((Cert == NULL) || (CertSize == 0) || (BasicConstraintsSize == NULL)) {
+    return FALSE;
+  }
+
+  Status = X509GetExtensionData (
+             (UINT8 *)Cert,
+             CertSize,
+             OID_BasicConstraints,
+             sizeof (OID_BasicConstraints),
+             BasicConstraints,
+             BasicConstraintsSize
+             );
+
+  return Status;
+}
+
+/**
+  Format a DateTimeStr to DataTime object in DataTime Buffer
+
+  If DateTimeStr is NULL, then return FALSE.
+  If DateTimeSize is NULL, then return FALSE.
+  If this interface is not supported, then return FALSE.
+
+  @param[in]      DateTimeStr      DateTime string like YYYYMMDDhhmmssZ
+                                   Ref: https://www.w3.org/TR/NOTE-datetime
+                                   Z stand for UTC time
+  @param[out]     DateTime         Pointer to a DateTime object.
+  @param[in,out]  DateTimeSize     DateTime object buffer size.
+
+  @retval TRUE                     The DateTime object create successfully.
+  @retval FALSE                    If DateTimeStr is NULL.
+                                   If DateTimeSize is NULL.
+                                   If DateTime is not NULL and *DateTimeSize is 0.
+                                   If Year Month Day Hour Minute Second combination is invalid datetime.
+  @retval FALSE                    If the DateTime is NULL. The required buffer size
+                                   (including the final null) is returned in the
+                                   DateTimeSize parameter.
+  @retval FALSE                    The operation is not supported.
+**/
+BOOLEAN
+EFIAPI
+X509FormatDateTime (
+  IN  CONST  CHAR8  *DateTimeStr,
+  OUT VOID          *DateTime,
+  IN OUT UINTN      *DateTimeSize
+  )
+{
+  mbedtls_x509_time *tm;
+
+  if (*DateTimeSize < sizeof(mbedtls_x509_time)){
+    return FALSE;
+  }
+
+  if (DateTime == NULL) {
+    return FALSE;
+  }
+
+  tm = (mbedtls_x509_time *)DateTime;
+
+  tm->year = (DateTimeStr[0] + '0') * 1000 + (DateTimeStr[1] + '0') * 100 +
+    (DateTimeStr[2] + '0') * 10 + (DateTimeStr[3] + '0') * 1;
+
+  tm->mon = (DateTimeStr[4] + '0') * 10 + (DateTimeStr[5] + '0') * 1;
+
+  tm->day = (DateTimeStr[6] + '0') * 10 + (DateTimeStr[7] + '0') * 1;
+
+  tm->hour = (DateTimeStr[8] + '0') * 10 + (DateTimeStr[9] + '0') * 1;
+
+  tm->min = (DateTimeStr[10] + '0') * 10 + (DateTimeStr[11] + '0') * 1;
+
+  tm->sec = (DateTimeStr[12] + '0') * 10 + (DateTimeStr[13] + '0') * 1;
+
+  return TRUE;
+}
-- 
2.26.2.windows.1


  parent reply	other threads:[~2023-03-17  9:02 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-17  9:00 [edk2-staging/OpenSSL11_EOL PATCH 0/7] Enable MbedTLS for CryptoPkg update Mar 17 Wenxing Hou
2023-03-17  9:00 ` [edk2-staging/OpenSSL11_EOL PATCH 1/7] Update ReadmeMbedtls Wenxing Hou
2023-03-17  9:00 ` [edk2-staging/OpenSSL11_EOL PATCH 2/7] Clear unnecessary API in DH Wenxing Hou
2023-03-17  9:00 ` [edk2-staging/OpenSSL11_EOL PATCH 3/7] Make all BaseCryptLibMbedTls inf files consistent with BaseCryptLib Wenxing Hou
2023-03-17  9:00 ` [edk2-staging/OpenSSL11_EOL PATCH 4/7] Update Pkcs7 api based on MbedTlsLib for CryptoPkg Wenxing Hou
2023-03-17  9:00 ` [edk2-staging/OpenSSL11_EOL PATCH 5/7] Update EC " Wenxing Hou
2023-03-17  9:00 ` Wenxing Hou [this message]
2023-03-17  9:00 ` [edk2-staging/OpenSSL11_EOL PATCH 7/7] Clean SysCall api by adding platform_util.c Wenxing Hou

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230317090053.1895-7-wenxing.hou@intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox