From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.55.52.151; helo=mga17.intel.com; envelope-from=ting.ye@intel.com; receiver=edk2-devel@lists.01.org Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 4D7AA207E36C8 for ; Mon, 28 May 2018 21:35:05 -0700 (PDT) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 May 2018 21:35:04 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.49,455,1520924400"; d="scan'208";a="59896524" Received: from fmsmsx106.amr.corp.intel.com ([10.18.124.204]) by orsmga001.jf.intel.com with ESMTP; 28 May 2018 21:34:54 -0700 Received: from fmsmsx154.amr.corp.intel.com (10.18.116.70) by FMSMSX106.amr.corp.intel.com (10.18.124.204) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 28 May 2018 21:33:54 -0700 Received: from shsmsx104.ccr.corp.intel.com (10.239.4.70) by FMSMSX154.amr.corp.intel.com (10.18.116.70) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 28 May 2018 20:24:35 -0700 Received: from shsmsx103.ccr.corp.intel.com ([169.254.4.51]) by SHSMSX104.ccr.corp.intel.com ([169.254.5.87]) with mapi id 14.03.0319.002; Tue, 29 May 2018 11:16:55 +0800 From: "Ye, Ting" To: "Long, Qin" , "edk2-devel@lists.01.org" CC: "Michael.Turner@microsoft.com" Thread-Topic: [PATCH] CryptoPkg: Remove deprecated function usage in X509GetCommonName() Thread-Index: AQHT8zbcfVURlTFqO0CJK8JmGACRE6RGEIBQ Date: Tue, 29 May 2018 03:16:55 +0000 Message-ID: References: <20180524081116.5380-1-qin.long@intel.com> In-Reply-To: <20180524081116.5380-1-qin.long@intel.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [PATCH] CryptoPkg: Remove deprecated function usage in X509GetCommonName() X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 May 2018 04:35:05 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Reviewed-by: Ye Ting =20 -----Original Message----- From: Long, Qin=20 Sent: Thursday, May 24, 2018 4:11 PM To: edk2-devel@lists.01.org Cc: Ye, Ting ; Michael.Turner@microsoft.com Subject: [PATCH] CryptoPkg: Remove deprecated function usage in X509GetComm= onName() BZ#: https://bugzilla.tianocore.org/show_bug.cgi?id=3D923 X509_NAME_get_text_by_NID() used in X509GetCommonName() implementation is o= ne legacy function which have various limitations. The returned data may be= not usable when the target cert contains multicharacter string type like = a BMPString or a UTF8String. This patch replaced the legacy function usage with more general X509_NAME_get_index_by_NID() / X509_NAME_get_entry() APIs for X509 CommonNa= me retrieving. Tests: Validated the commonName retrieving with test certificates containing PrintableString or BMPString data. Cc: Ye Ting Cc: Michael Turner Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Long Qin --- CryptoPkg/Include/Library/BaseCryptLib.h | 4 +- CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 53 ++++++++++++++++++-= ---- CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c | 4 +- 3 files changed, 47 insertions(+), 14 deletions(-) diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/L= ibrary/BaseCryptLib.h index 027ea09feb..dc6aaf0635 100644 --- a/CryptoPkg/Include/Library/BaseCryptLib.h +++ b/CryptoPkg/Include/Library/BaseCryptLib.h @@ -4,7 +4,7 @@ primitives (Hash Serials, HMAC, RSA, Diffie-Hellman, etc) for UEFI secur= ity functionality enabling. =20 -Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availab= le under the terms and conditions of the BSD License which accompanies thi= s distribution. The full text of the license may be found at @@ -2177,7 +2= 177,7 @@ X509GetSubjectName ( @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. @param[in] CertSize Size of the X509 certificate in bytes. @param[out] CommonName Buffer to contain the retrieved certifi= cate common - name string. At most CommonNameSize byt= es will be + name string (UTF8). At most=20 + CommonNameSize bytes will be written and the string will be null ter= minated. May be NULL in order to determine the size buf= fer needed. @param[in,out] CommonNameSize The size in bytes of the CommonName buf= fer on input, diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Libr= ary/BaseCryptLib/Pk/CryptX509.c index 56e66308ae..c137df357f 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c @@ -1,7 +1,7 @@ /** @file X.509 Certificate Handler Wrapper Implementation over OpenSSL. =20 -Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availab= le under the terms and conditions of the BSD License which accompanies thi= s distribution. The full text of the license may be found at @@ -303,7 +30= 3,7 @@ _Exit: @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. @param[in] CertSize Size of the X509 certificate in bytes. @param[out] CommonName Buffer to contain the retrieved certifi= cate common - name string. At most CommonNameSize byt= es will be + name string (UTF8). At most=20 + CommonNameSize bytes will be written and the string will be null ter= minated. May be NULL in order to determine the size buf= fer needed. @param[in,out] CommonNameSize The size in bytes of the CommonName buf= fer on input, @@ -332,13 +332,18 @@ X509GetCommonName ( IN OUT UINTN *CommonNameSize ) { - RETURN_STATUS ReturnStatus; - BOOLEAN Status; - X509 *X509Cert; - X509_NAME *X509Name; - INTN Length; + RETURN_STATUS ReturnStatus; + BOOLEAN Status; + X509 *X509Cert; + X509_NAME *X509Name; + INT32 Index; + INTN Length; + X509_NAME_ENTRY *Entry; + ASN1_STRING *EntryData; + UINT8 *UTF8Name; =20 ReturnStatus =3D RETURN_INVALID_PARAMETER; + UTF8Name =3D NULL; =20 // // Check input parameters. @@ -378,8 +383,8 @@ X509GetCommonName ( // // Retrieve the CommonName information from X.509 Subject // - Length =3D (INTN) X509_NAME_get_text_by_NID (X509Name, NID_commonName, C= ommonName, (int)(*CommonNameSize)); - if (Length < 0) { + Index =3D X509_NAME_get_index_by_NID (X509Name, NID_commonName, -1); =20 + if (Index < 0) { // // No CommonName entry exists in X509_NAME object // @@ -388,10 +393,35 @@ X509GetCommonName ( goto _Exit; } =20 - *CommonNameSize =3D (UINTN)(Length + 1); + Entry =3D X509_NAME_get_entry (X509Name, Index); if (Entry =3D=3D NULL)= { + // + // Fail to retrieve name entry data + // + *CommonNameSize =3D 0; + ReturnStatus =3D RETURN_NOT_FOUND; + goto _Exit; + } + + EntryData =3D X509_NAME_ENTRY_get_data (Entry); + + Length =3D ASN1_STRING_to_UTF8 (&UTF8Name, EntryData); if (Length < 0)= =20 + { + // + // Fail to convert the commonName string + // + *CommonNameSize =3D 0; + ReturnStatus =3D RETURN_INVALID_PARAMETER; + goto _Exit; + } + if (CommonName =3D=3D NULL) { + *CommonNameSize =3D Length + 1; ReturnStatus =3D RETURN_BUFFER_TOO_SMALL; } else { + *CommonNameSize =3D MIN ((UINTN)Length, *CommonNameSize - 1) + 1; + CopyMem (CommonName, UTF8Name, *CommonNameSize - 1); + CommonName[*CommonNameSize - 1] =3D '\0'; ReturnStatus =3D RETURN_SUCCESS; } =20 @@ -402,6 +432,9 @@ _Exit: if (X509Cert !=3D NULL) { X509_free (X509Cert); } + if (UTF8Name !=3D NULL) { + OPENSSL_free (UTF8Name); + } =20 return ReturnStatus; } diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c b/CryptoPkg/= Library/BaseCryptLib/Pk/CryptX509Null.c index d00f38daa8..d86c784a7f 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c @@ -2,7 +2,7 @@ X.509 Certificate Handler Wrapper Implementation which does not provide real capabilities. =20 -Copyright (c) 2012 - 2014, Intel Corporation. All rights reserved.
+Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made availab= le under the terms and conditions of the BSD License which accompanies thi= s distribution. The full text of the license may be found at @@ -135,7 +13= 5,7 @@ X509GetSubjectName ( @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. @param[in] CertSize Size of the X509 certificate in bytes. @param[out] CommonName Buffer to contain the retrieved certifi= cate common - name string. At most CommonNameSize byt= es will be + name string (UTF8). At most=20 + CommonNameSize bytes will be written and the string will be null ter= minated. May be NULL in order to determine the size buf= fer needed. @param[in,out] CommonNameSize The size in bytes of the CommonName buf= fer on input, -- 2.16.1.windows.1