From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga12.intel.com (mga12.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web10.14911.1679043720870874677 for ; Fri, 17 Mar 2023 02:02:11 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=TXHTZDWO; spf=pass (domain: intel.com, ip: 192.55.52.136, mailfrom: wenxing.hou@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1679043730; x=1710579730; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=fDaeXpEiR13p0z8UIkjZeVV5XFwRnjMMgv6EypGIImU=; b=TXHTZDWOQFForthEvZeNSLrjw1rNWoZAeYWy7OBujrR66vibb79yKZhC INnUtl92aBwhGH9l75BlQ2h0Ui5BhaZCpQxJBGGd441Y2D5dIgxIvGWRs AwVheKgRa0XKCv6Gt5M0iW4J3S0sO36waqw7rZ9lM/9qSDFxr3WfXatDf VAOkB7+59l6REe6MveEhQd0Yy3hE1JyJ4EwhxKvt8a6NEW+AQLth//gOt xwlNzl09xBhfp5hN+tPb4lkxkdctHH0O4TjYaxkHY7YuqpNZJcDEUsDBa zglWeeVgmBAkkoF1irSGLcVsHW3bPg4r5IOuapVhKH68/BIaGGXS8I89o w==; X-IronPort-AV: E=McAfee;i="6600,9927,10651"; a="317871169" X-IronPort-AV: E=Sophos;i="5.98,268,1673942400"; d="scan'208";a="317871169" Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Mar 2023 02:02:10 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10651"; a="926066887" X-IronPort-AV: E=Sophos;i="5.98,268,1673942400"; d="scan'208";a="926066887" Received: from shwdejointd777.ccr.corp.intel.com ([10.239.157.39]) by fmsmga006.fm.intel.com with ESMTP; 17 Mar 2023 02:02:09 -0700 
From: "Wenxing Hou" To: devel@edk2.groups.io Cc: Wenxing Hou Subject: [edk2-staging/OpenSSL11_EOL PATCH 6/7] Update X509 api based on MbedTlsLib for CryptoPkg Date: Fri, 17 Mar 2023 17:00:52 +0800 Message-Id: <20230317090053.1895-7-wenxing.hou@intel.com> X-Mailer: git-send-email 2.26.2.windows.1 In-Reply-To: <20230317090053.1895-1-wenxing.hou@intel.com> References: <20230317090053.1895-1-wenxing.hou@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Signed-off-by: Wenxing Hou
---
 .../BaseCryptLibMbedTls/Pk/CryptX509.c | 163 +++++++++++++++++-
 1 file changed, 161 insertions(+), 2 deletions(-)
diff --git a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c b/CryptoP= kg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c
index 6e4a898572..957703a3eb 100644
--- a/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509.c
@@ -26,6 +26,9 @@ STATIC CONST UINT8 OID_organizationName[] =3D {
 STATIC CONST UINT8 OID_extKeyUsage[] =3D {=0D
 0x55, 0x1D, 0x25=0D
 };=0D
+STATIC CONST UINT8 OID_BasicConstraints[] =3D {=0D
+ 0x55, 0x1D, 0x13=0D
+};=0D
 =0D
 /**=0D
 Construct a X509 object from DER-encoded certificate data.=0D
@@ -857,9 +860,61 @@ X509GetTBSCert (
 OUT UINTN *TBSCertSize=0D
 )=0D
 {=0D
- return FALSE;=0D
-}=0D
+ UINTN Length;=0D
+ UINTN Ret;=0D
+ UINT8 *Ptr;=0D
+ CONST UINT8 *Temp;=0D
+ CONST UINT8 *End;=0D
+=0D
+ //=0D
+ // Check input parameters.=0D
+ //=0D
+ if ((Cert =3D=3D NULL) || (TBSCert =3D=3D NULL) ||=0D
+ (TBSCertSize =3D=3D NULL) || (CertSize > INT_MAX))=0D
+ {=0D
+ return FALSE;=0D
+ }=0D
+=0D
+ //=0D
+ // An X.509 Certificate is: (defined in RFC3280)=0D
+ // Certificate ::=3D SEQUENCE {=0D
+ // tbsCertificate TBSCertificate,=0D
+ // signatureAlgorithm AlgorithmIdentifier,=0D
+ // signature BIT STRING }=0D
+ //=0D
+ // and=0D
+ //=0D
+ // TBSCertificate ::=3D SEQUENCE {=0D
+ // version [0] Version DEFAULT v1,=0D
+ // ...=0D
+ // }=0D
+ //=0D
+ // So we can just ASN1-parse the x.509 DER-encoded data. If we strip=0D
+ // the first SEQUENCE, the second SEQUENCE is the TBSCertificate.=0D
+ //=0D
+=0D
+ Length =3D 0;=0D
+=0D
+ Ptr =3D (UINT8 *)Cert;=0D
+ End =3D Cert + CertSize;=0D
+=0D
+ Ret =3D mbedtls_asn1_get_tag(&Ptr, End, &Length, MBEDTLS_ASN1_CONSTRUCTE= D | MBEDTLS_ASN1_SEQUENCE);=0D
+ if (Ret !=3D 0) {=0D
+ return FALSE;=0D
+ }=0D
 =0D
+ Temp =3D Ptr;=0D
+ End =3D Ptr + Length;=0D
+ Ret =3D mbedtls_asn1_get_tag(&Ptr, End, &Length, MBEDTLS_ASN1_CONSTRUCTE= D | MBEDTLS_ASN1_SEQUENCE);=0D
+ if (Ret !=3D 0) {=0D
+ return FALSE;=0D
+ }=0D
+=0D
+ *TBSCert =3D (UINT8 *)Temp;=0D
+ *TBSCertSize =3D Length + (Ptr - Temp);=0D
+=0D
+ return TRUE;=0D
+}=0D
 =0D
 /**=0D
 Retrieve the version from one X.509 certificate.=0D
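Review bot: `Ret` is declared `UINTN` but receives the `int` result of `mbedtls_asn1_get_tag`, whose failure values are negative error codes; the two `Ret != 0` tests still catch failure only because the value wraps to a large unsigned number, so the declaration should be the signed type, `INT32 Ret;`. The ASN.1 comment cites RFC3280, which RFC 5280 obsoleted; the structure described is the same, so `// An X.509 Certificate is: (defined in RFC 5280)` would be the accurate reference. The parse itself looks sound: the second tag read is bounded by `End = Ptr + Length`, so the inner SEQUENCE cannot run past the outer one, and `*TBSCertSize` correctly includes the inner tag and length header. X509GetTBSCert's signature and doc comment start outside the hunk.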
@@ -1666,3 +1721,107 @@ X509CompareDateTime (
 return 1;=0D
 }=0D
 }=0D
+=0D
+/**=0D
+ Retrieve the basic constraints from one X.509 certificate.=0D
+=0D
+ @param[in] Cert Pointer to the DER-encoded X509= certificate.=0D
+ @param[in] CertSize size of the X509 certificate in= bytes.=0D
+ @param[out] BasicConstraints basic constraints bytes.=0D
+ @param[in, out] BasicConstraintsSize basic constraints buffer sizs i= n bytes.=0D
+=0D
+ @retval TRUE The basic constraints retrieve successf= ully.=0D
+ @retval FALSE If cert is NULL.=0D
+ If cert_size is NULL.=0D
+ If basic_constraints is not NULL and *b= asic_constraints_size is 0.=0D
+ If cert is invalid.=0D
+ @retval FALSE The required buffer size is small.=0D
+ The return buffer size is basic_constra= ints_size parameter.=0D
+ @retval FALSE If no Extension entry match oid.=0D
+ @retval FALSE The operation is not supported.=0D
+ **/=0D
+BOOLEAN=0D
+EFIAPI=0D
+X509GetExtendedBasicConstraints(=0D
+ CONST UINT8 *Cert,=0D
+ UINTN CertSize,=0D
+ UINT8 *BasicConstraints,=0D
+ UINTN *BasicConstraintsSize=0D
+ )=0D
+{=0D
+ BOOLEAN Status;=0D
+=0D
+ if ((Cert =3D=3D NULL) || (CertSize =3D=3D 0) || (BasicConstraintsSize = =3D=3D NULL)) {=0D
+ return FALSE;=0D
+ }=0D
+=0D
+ Status =3D X509GetExtensionData (=0D
+ (UINT8 *)Cert,=0D
+ CertSize,=0D
+ OID_BasicConstraints,=0D
+ sizeof (OID_BasicConstraints),=0D
+ BasicConstraints,=0D
+ BasicConstraintsSize=0D
+ );=0D
+=0D
+ return Status;=0D
+}=0D
+=0D
+/**=0D
+ Format a DateTimeStr to DataTime object in DataTime Buffer=0D
+=0D
+ If DateTimeStr is NULL, then return FALSE.=0D
+ If DateTimeSize is NULL, then return FALSE.=0D
+ If this interface is not supported, then return FALSE.=0D
+=0D
+ @param[in] DateTimeStr DateTime string like YYYYMMDDhhmmssZ=0D
+ Ref: https://www.w3.org/TR/NOTE-datetim= e=0D
+ Z stand for UTC time=0D
+ @param[out] DateTime Pointer to a DateTime object.=0D
+ @param[in,out] DateTimeSize DateTime object buffer size.=0D
+=0D
+ @retval TRUE The DateTime object create 
successfully= .=0D
+ @retval FALSE If DateTimeStr is NULL.=0D
+ If DateTimeSize is NULL.=0D
+ If DateTime is not NULL and *DateTimeSi= ze is 0.=0D
+ If Year Month Day Hour Minute Second co= mbination is invalid datetime.=0D
+ @retval FALSE If the DateTime is NULL. The required b= uffer size=0D
+ (including the final null) is returned = in the=0D
+ DateTimeSize parameter.=0D
+ @retval FALSE The operation is not supported.=0D
+**/=0D
+BOOLEAN=0D
+EFIAPI=0D
+X509FormatDateTime (=0D
+ IN CONST CHAR8 *DateTimeStr,=0D
+ OUT VOID *DateTime,=0D
+ IN OUT UINTN *DateTimeSize=0D
+ )=0D
+{=0D
+ mbedtls_x509_time *tm;=0D
+=0D
+ if (*DateTimeSize < sizeof(mbedtls_x509_time)){=0D
+ return FALSE;=0D
+ }=0D
+=0D
+ if (DateTime =3D=3D NULL) {=0D
+ return FALSE;=0D
+ }=0D
+=0D
+ tm =3D (mbedtls_x509_time *)DateTime;=0D
+=0D
+ tm->year =3D (DateTimeStr[0] + '0') * 1000 + (DateTimeStr[1] + '0') * 10= 0 +=0D
+ (DateTimeStr[2] + '0') * 10 + (DateTimeStr[3] + '0') * 1;=0D
+=0D
+ tm->mon =3D (DateTimeStr[4] + '0') * 10 + (DateTimeStr[5] + '0') * 1;=0D
+=0D
+ tm->day =3D (DateTimeStr[6] + '0') * 10 + (DateTimeStr[7] + '0') * 1;=0D
+=0D
+ tm->hour =3D (DateTimeStr[8] + '0') * 10 + (DateTimeStr[9] + '0') * 1;=0D
+=0D
+ tm->min =3D (DateTimeStr[10] + '0') * 10 + (DateTimeStr[11] + '0') * 1;= =0D
+=0D
+ tm->sec =3D (DateTimeStr[12] + '0') * 10 + (DateTimeStr[13] + '0') * 1;= =0D
+=0D
+ return TRUE;=0D
+}=0D
--=20
2.26.2.windows.1
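Review bot: The digit conversion in `X509FormatDateTime` is inverted: every field is built from `(DateTimeStr[N] + '0')`, which adds 48 to an ASCII digit instead of subtracting it, so a well-formed `YYYYMMDDhhmmssZ` string produces a year in the tens of thousands and month, day and time fields far outside their ranges; each term must read `(DateTimeStr[N] - '0')`. The doc comment promises FALSE for a NULL `DateTimeStr` or `DateTimeSize` and for an invalid date, but the body dereferences `*DateTimeSize` before any NULL check, never tests `DateTimeStr`, and reads up to `DateTimeStr[13]` without confirming the string is that long or that those characters are digits, so a short or malformed string is over-read or silently turned into garbage fields. The `DateTime == NULL` path, documented as reporting the required size through `DateTimeSize`, is not implemented either. In `X509GetExtendedBasicConstraints` earlier in the same hunk, the prototype lacks the `IN`/`OUT` decorators the file's other APIs carry, and the `BasicConstraintsSize` text has a typo; `basic constraints buffer size in bytes` is what was meant. The rewritten prologue and conversion are below; the per-field range checks that the doc comment's "invalid datetime" clause implies (month 1..12 and so on) are still to be added.
```c
// … unchanged: X509FormatDateTime signature …
{
  mbedtls_x509_time  *tm;
  UINTN              Index;

  if ((DateTimeStr == NULL) || (DateTimeSize == NULL)) {
    return FALSE;
  }

  //
  // No buffer, or a buffer too small: report the size the caller needs.
  //
  if ((DateTime == NULL) || (*DateTimeSize < sizeof (mbedtls_x509_time))) {
    *DateTimeSize = sizeof (mbedtls_x509_time);
    return FALSE;
  }

  //
  // The fields below read DateTimeStr[0..13]; reject anything there that is
  // not an ASCII digit. A NUL terminator fails the digit test, so a string
  // shorter than 14 characters is rejected before it is over-read.
  //
  for (Index = 0; Index < 14; Index++) {
    if ((DateTimeStr[Index] < '0') || (DateTimeStr[Index] > '9')) {
      return FALSE;
    }
  }

  tm = (mbedtls_x509_time *)DateTime;

  tm->year = (DateTimeStr[0] - '0') * 1000 + (DateTimeStr[1] - '0') * 100 +
             (DateTimeStr[2] - '0') * 10 + (DateTimeStr[3] - '0');
  tm->mon  = (DateTimeStr[4] - '0') * 10 + (DateTimeStr[5] - '0');
  // … unchanged in shape: day, hour, min, sec — each with '-' in place of '+' …

  return TRUE;
}
```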