From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id C5AA621D046CB for ; Wed, 20 Sep 2017 20:47:12 -0700 (PDT) Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Sep 2017 20:50:18 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.42,423,1500966000"; d="scan'208";a="151666687" Received: from fmsmsx107.amr.corp.intel.com ([10.18.124.205]) by orsmga005.jf.intel.com with ESMTP; 20 Sep 2017 20:50:17 -0700 Received: from fmsmsx121.amr.corp.intel.com (10.18.125.36) by fmsmsx107.amr.corp.intel.com (10.18.124.205) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 20 Sep 2017 20:50:17 -0700 Received: from shsmsx101.ccr.corp.intel.com (10.239.4.153) by fmsmsx121.amr.corp.intel.com (10.18.125.36) with Microsoft SMTP Server (TLS) id 14.3.319.2; Wed, 20 Sep 2017 20:50:14 -0700 Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.213]) by SHSMSX101.ccr.corp.intel.com ([169.254.1.159]) with mapi id 14.03.0319.002; Thu, 21 Sep 2017 11:50:12 +0800 From: "Ye, Ting" To: "Long, Qin" , "lersek@redhat.com" , "Zhang, Chao B" CC: "edk2-devel@lists.01.org" Thread-Topic: [PATCH v3] CryptoPkg: Add new API to retrieve commonName of X.509 certificate Thread-Index: AQHTMoQYmhwO4qs6wUWFNUPFTLbCNKK+s2Eg Date: Thu, 21 Sep 2017 03:50:11 +0000 Message-ID: References: <20170921024803.13452-1-qin.long@intel.com> In-Reply-To: <20170921024803.13452-1-qin.long@intel.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH v3] CryptoPkg: Add new API to retrieve commonName of X.509 certificate X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Sep 2017 03:47:13 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi Qin, I think we might add OPTIONAL attribute to CommonName, as NULL is an valid = input for this API. In function description, I think we need update below statement to "if *** = and *CommonNameSize is 0." "If CommonName is not NULL and CommonNameSize is 0." Others are good to me. Reviewed-by: Ye Ting Best Regards, Ting -----Original Message----- From: Long, Qin=20 Sent: Thursday, September 21, 2017 10:48 AM To: lersek@redhat.com; Ye, Ting ; Zhang, Chao B Cc: edk2-devel@lists.01.org Subject: [PATCH v3] CryptoPkg: Add new API to retrieve commonName of X.509 = certificate v3: Add extra CommonNameSize check since OpenSSL didn't check this input parameter. (One openssl issue was filed to address this risk: https://github.com/openssl/openssl/issues/4392) v2: Update function interface to return RETURN_STATUS to represent different error cases. Add one new API (X509GetCommonName()) to retrieve the subject commonName st= ring from one X.509 certificate. Cc: Laszlo Ersek Cc: Ting Ye Cc: Chao Zhang Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long --- CryptoPkg/Application/Cryptest/RsaVerify2.c | 32 ++++-- CryptoPkg/Include/Library/BaseCryptLib.h | 35 +++++++ CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 109 +++++++++++++++++= ++++ CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c | 32 ++++++ .../Pk/CryptX509Null.c | 34 ++++++- 5 files changed, 234 insertions(+), 8 deletions(-) diff --git a/CryptoPkg/Application/Cryptest/RsaVerify2.c b/CryptoPkg/Applic= ation/Cryptest/RsaVerify2.c index 98b5aad900..9db43d6eef 100644 --- a/CryptoPkg/Application/Cryptest/RsaVerify2.c +++ b/CryptoPkg/Application/Cryptest/RsaVerify2.c @@ -204,13 +204,17 @@ ValidateCryptRsa2 ( VOID ) { - BOOLEAN Status; - VOID *RsaPrivKey; - VOID *RsaPubKey; - UINT8 *Signature; - UINTN SigSize; - UINT8 *Subject; - UINTN SubjectSize; + BOOLEAN Status; + VOID *RsaPrivKey; + VOID *RsaPubKey; + UINT8 *Signature; + UINTN SigSize; + UINT8 *Subject; + UINTN SubjectSize; + RETURN_STATUS ReturnStatus; + CHAR8 CommonName[64]; + CHAR16 CommonNameUnicode[64]; + UINTN CommonNameSize; =20 Print (L"\nUEFI-OpenSSL RSA Key Retrieving Testing: "); =20 @@ -286,6 +290,20 @@ ValidateCryptRsa2 ( Print (L"[Pass]"); } =20 + // + // Get CommonName from X509 Certificate Subject // CommonNameSize =3D= =20 + 64; ZeroMem (CommonName, CommonNameSize); ReturnStatus =3D=20 + X509GetCommonName (TestCert, sizeof (TestCert), CommonName,=20 + &CommonNameSize); if (RETURN_ERROR (ReturnStatus)) { + Print (L"\n - Retrieving Common Name - [Fail]"); + return EFI_ABORTED; + } else { + AsciiStrToUnicodeStrS (CommonName, CommonNameUnicode, CommonNameSize); + Print (L"\n - Retrieving Common Name =3D \"%s\" (Size =3D %d)",=20 + CommonNameUnicode, CommonNameSize); } + // // X509 Certificate Verification. // diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/L= ibrary/BaseCryptLib.h index 9c5ffcd9cf..2366a0218d 100644 --- a/CryptoPkg/Include/Library/BaseCryptLib.h +++ b/CryptoPkg/Include/Library/BaseCryptLib.h @@ -2171,6 +2171,41 @@ X509GetSubjectName ( IN OUT UINTN *SubjectSize ); =20 +/** + Retrieve the common name (CN) string from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CommonName Buffer to contain the retrieved certifi= cate common + name string. At most CommonNameSize byt= es will be + written and the string will be null ter= minated. May be + NULL in order to determine the size buf= fer needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buf= fer on input, + and the size of buffer returned CommonN= ame on output. + If CommonName is NULL then the amount o= f space needed + in buffer (including the final null) is= returned. + + @retval RETURN_SUCCESS The certificate CommonName retrieved su= ccessfully. + @retval RETURN_INVALID_PARAMETER If Cert is NULL. + If CommonNameSize is NULL. + If CommonName is not NULL and CommonNam= eSize is 0. + If Certificate is invalid. + @retval RETURN_NOT_FOUND If no CommonName entry exists. + @retval RETURN_BUFFER_TOO_SMALL If the CommonName is NULL. The required= buffer size + (including the final null) is returned = in the=20 + CommonNameSize parameter. + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +X509GetCommonName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *CommonName, + IN OUT UINTN *CommonNameSize + ); + /** Verify one X509 certificate was issued by the trusted CA. =20 diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Libr= ary/BaseCryptLib/Pk/CryptX509.c index 7d275977c5..bcd5ff49fd 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c @@ -297,6 +297,115 @@ _Exit: return Status; } =20 +/** + Retrieve the common name (CN) string from one X.509 certificate. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CommonName Buffer to contain the retrieved certifi= cate common + name string. At most CommonNameSize byt= es will be + written and the string will be null ter= minated. May be + NULL in order to determine the size buf= fer needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buf= fer on input, + and the size of buffer returned CommonN= ame on output. + If CommonName is NULL then the amount o= f space needed + in buffer (including the final null) is= returned. + + @retval RETURN_SUCCESS The certificate CommonName retrieved su= ccessfully. + @retval RETURN_INVALID_PARAMETER If Cert is NULL. + If CommonNameSize is NULL. + If CommonName is not NULL and CommonNam= eSize is 0. + If Certificate is invalid. + @retval RETURN_NOT_FOUND If no CommonName entry exists. + @retval RETURN_BUFFER_TOO_SMALL If the CommonName is NULL. The required= buffer size + (including the final null) is returned = in the=20 + CommonNameSize parameter. + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +X509GetCommonName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *CommonName, + IN OUT UINTN *CommonNameSize + ) +{ + RETURN_STATUS ReturnStatus; + BOOLEAN Status; + X509 *X509Cert; + X509_NAME *X509Name; + INTN Length; + + ReturnStatus =3D RETURN_INVALID_PARAMETER; + + // + // Check input parameters. + // + if ((Cert =3D=3D NULL) || (CertSize > INT_MAX) || (CommonNameSize =3D=3D= NULL)) { + return ReturnStatus; + } + if ((CommonName !=3D NULL) && (*CommonNameSize =3D=3D 0)) { + return ReturnStatus; + } + + X509Cert =3D NULL; + // + // Read DER-encoded X509 Certificate and Construct X509 object. + // + Status =3D X509ConstructCertificate (Cert, CertSize, (UINT8 **)=20 + &X509Cert); if ((X509Cert =3D=3D NULL) || (!Status)) { + // + // Invalid X.509 Certificate + // + goto _Exit; + } + + Status =3D FALSE; + + // + // Retrieve subject name from certificate object. + // + X509Name =3D X509_get_subject_name (X509Cert); if (X509Name =3D=3D NULL= ) { + // + // Fail to retrieve subject name content + // + goto _Exit; + } + + // + // Retrieve the CommonName information from X.509 Subject // Length=20 + =3D (INTN) X509_NAME_get_text_by_NID (X509Name, NID_commonName,=20 + CommonName, (int)(*CommonNameSize)); if (Length < 0) { + // + // No CommonName entry exists in X509_NAME object + // + *CommonNameSize =3D 0; + ReturnStatus =3D RETURN_NOT_FOUND; + goto _Exit; + } + + *CommonNameSize =3D (UINTN)(Length + 1); if (CommonName =3D=3D NULL) { + ReturnStatus =3D RETURN_BUFFER_TOO_SMALL; } else { + ReturnStatus =3D RETURN_SUCCESS; + } + +_Exit: + // + // Release Resources. + // + if (X509Cert !=3D NULL) { + X509_free (X509Cert); + } + + return ReturnStatus; +} + /** Retrieve the RSA Public Key from one DER-encoded X509 certificate. =20 diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c b/CryptoPkg/= Library/BaseCryptLib/Pk/CryptX509Null.c index 51aa0633a8..25879d3578 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c @@ -127,6 +127,38 @@ X509GetSubjectName ( return FALSE; } =20 +/** + Retrieve the common name (CN) string from one X.509 certificate. + + Return RETURN_UNSUPPORTED to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CommonName Buffer to contain the retrieved certifi= cate common + name string. At most CommonNameSize byt= es will be + written and the string will be null ter= minated. May be + NULL in order to determine the size buf= fer needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buf= fer on input, + and the size of buffer returned CommonN= ame on output. + If CommonName is NULL then the amount o= f space needed + in buffer (including the final null) is= returned. + + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +X509GetCommonName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *CommonName, + IN OUT UINTN *CommonNameSize + ) +{ + ASSERT (FALSE); + return RETURN_UNSUPPORTED; +} + /** Retrieve the RSA Public Key from one DER-encoded X509 certificate. =20 diff --git a/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX50= 9Null.c b/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX509Nu= ll.c index f5d9aa1076..25879d3578 100644 --- a/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX509Null.c +++ b/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX509Nul +++ l.c @@ -127,6 +127,38 @@ X509GetSubjectName ( return FALSE; } =20 +/** + Retrieve the common name (CN) string from one X.509 certificate. + + Return RETURN_UNSUPPORTED to indicate this interface is not supported. + + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. + @param[in] CertSize Size of the X509 certificate in bytes. + @param[out] CommonName Buffer to contain the retrieved certifi= cate common + name string. At most CommonNameSize byt= es will be + written and the string will be null ter= minated. May be + NULL in order to determine the size buf= fer needed. + @param[in,out] CommonNameSize The size in bytes of the CommonName buf= fer on input, + and the size of buffer returned CommonN= ame on output. + If CommonName is NULL then the amount o= f space needed + in buffer (including the final null) is= returned. + + @retval RETURN_UNSUPPORTED The operation is not supported. + +**/ +RETURN_STATUS +EFIAPI +X509GetCommonName ( + IN CONST UINT8 *Cert, + IN UINTN CertSize, + OUT CHAR8 *CommonName, + IN OUT UINTN *CommonNameSize + ) +{ + ASSERT (FALSE); + return RETURN_UNSUPPORTED; +} + /** Retrieve the RSA Public Key from one DER-encoded X509 certificate. =20 @@ -203,4 +235,4 @@ X509GetTBSCert ( { ASSERT (FALSE); return FALSE; -} \ No newline at end of file +} -- 2.14.1.windows.1