From: "Qi Zhang" To: devel@edk2.groups.io Cc: Qi Zhang , Jiewen Yao , Jian J Wang , Xiaoyu Lu , Guomin Jiang Subject: [PATCH V2 3/4] CryptoPkg: add new X509 function to Crypto Service. Date: Mon, 10 Oct 2022 19:32:27 +0800 Message-Id: X-Mailer: git-send-email 2.26.2.windows.1 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D4082 Cc: Jiewen Yao Cc: Jian J Wang Cc: Xiaoyu Lu Cc: Guomin Jiang Signed-off-by: Qi Zhang --- CryptoPkg/Driver/Crypto.c | 432 +++++++++++++++++- .../Pcd/PcdCryptoServiceFamilyEnable.h | 34 +- .../BaseCryptLibOnProtocolPpi/CryptLib.c | 415 +++++++++++++++++ CryptoPkg/Private/Protocol/Crypto.h | 390 ++++++++++++++++ 4 files changed, 1260 insertions(+), 11 deletions(-) diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c index f1ff77855c..82ed28bdd8 100644 --- a/CryptoPkg/Driver/Crypto.c +++ b/CryptoPkg/Driver/Crypto.c 
@@ -3086,6 +3086,421 @@ CryptoServiceX509GetTBSCert ( return CALL_BASECRYPTLIB (X509.Services.GetTBSCert, X509GetTBSCert, (Cer= t, CertSize, TBSCert, TBSCertSize), FALSE);=0D }=0D =0D +/**=0D + Retrieve the version from one X.509 certificate.=0D +=0D + If Cert is NULL, then return FALSE.=0D + If CertSize is 0, then return FALSE.=0D + If this interface is not supported, then return FALSE.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certificate= .=0D + @param[in] CertSize Size of the X509 certificate in bytes.=0D + @param[out] Version Pointer to the retrieved version integer.=0D +=0D + @retval TRUE The certificate version retrieved successfully.=0D + @retval FALSE If Cert is NULL or CertSize is Zero.=0D + @retval FALSE The operation is not supported.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +CryptoServiceX509GetVersion (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINTN *Version=0D + )=0D +{=0D + return CALL_BASECRYPTLIB (X509.Services.GetVersion, X509GetVersion, (Cer= t, CertSize, Version), FALSE);=0D +}=0D +=0D +/**=0D + Retrieve the serialNumber from one X.509 certificate.=0D +=0D + If Cert is NULL, then return FALSE.=0D + If CertSize is 0, then return FALSE.=0D + If this interface is not supported, then return FALSE.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certificate= .=0D + @param[in] CertSize Size of the X509 certificate in bytes.=0D + @param[out] SerialNumber Pointer to the retrieved certificate Seria= lNumber bytes.=0D + @param[in, out] SerialNumberSize The size in bytes of the SerialNumber = buffer on input,=0D + and the size of buffer returned SerialNumbe= r on output.=0D +=0D + @retval TRUE The certificate serialNumber retrieved = successfully.=0D + @retval FALSE If Cert is NULL or CertSize is Zero.=0D + If SerialNumberSize is NULL.=0D + If Certificate is invalid.=0D + @retval FALSE If no SerialNumber exists.=0D + @retval FALSE If the SerialNumber is NULL. 
The requir= ed buffer size=0D + (including the final null) is returned = in the=0D + SerialNumberSize parameter.=0D + @retval FALSE The operation is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +CryptoServiceX509GetSerialNumber (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINT8 *SerialNumber, OPTIONAL=0D + IN OUT UINTN *SerialNumberSize=0D + )=0D +{=0D + return CALL_BASECRYPTLIB (X509.Services.GetSerialNumber, X509GetSerialNu= mber, (Cert, CertSize, SerialNumber, SerialNumberSize), FALSE);=0D +}=0D +=0D +/**=0D + Retrieve the issuer bytes from one X.509 certificate.=0D +=0D + If Cert is NULL, then return FALSE.=0D + If CertIssuerSize is NULL, then return FALSE.=0D + If this interface is not supported, then return FALSE.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certificate= .=0D + @param[in] CertSize Size of the X509 certificate in bytes.=0D + @param[out] CertIssuer Pointer to the retrieved certificate subject= bytes.=0D + @param[in, out] CertIssuerSize The size in bytes of the CertIssuer buff= er on input,=0D + and the size of buffer returned CertSubject= on output.=0D +=0D + @retval TRUE The certificate issuer retrieved successfully.=0D + @retval FALSE Invalid certificate, or the CertIssuerSize is too small = for the result.=0D + The CertIssuerSize will be updated with the required siz= e.=0D + @retval FALSE This interface is not supported.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +CryptoServiceX509GetIssuerName (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINT8 *CertIssuer,=0D + IN OUT UINTN *CertIssuerSize=0D + )=0D +{=0D + return CALL_BASECRYPTLIB (X509.Services.GetIssuerName, X509GetIssuerName= , (Cert, CertSize, CertIssuer, CertIssuerSize), FALSE);=0D +}=0D +=0D +/**=0D + Retrieve the Signature Algorithm from one X.509 certificate.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate.=0D + @param[in] CertSize Size of the X509 certificate in bytes.= =0D + @param[out] Oid Signature 
Algorithm Object identifier b= uffer.=0D + @param[in,out] OidSize Signature Algorithm Object identifier b= uffer size=0D +=0D + @retval TRUE The certificate Extension data retrieve= d successfully.=0D + @retval FALSE If Cert is NULL.=0D + If OidSize is NULL.=0D + If Oid is not NULL and *OidSize is 0.=0D + If Certificate is invalid.=0D + @retval FALSE If no SignatureType.=0D + @retval FALSE If the Oid is NULL. The required buffer= size=0D + is returned in the OidSize.=0D + @retval FALSE The operation is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +CryptoServiceX509GetSignatureAlgorithm (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINT8 *Oid, OPTIONAL=0D + IN OUT UINTN *OidSize=0D + )=0D +{=0D + return CALL_BASECRYPTLIB (X509.Services.GetSignatureAlgorithm, X509GetSi= gnatureAlgorithm, (Cert, CertSize, Oid, OidSize), FALSE);=0D +}=0D +=0D +/**=0D + Retrieve Extension data from one X.509 certificate.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate.=0D + @param[in] CertSize Size of the X509 certificate in bytes.= =0D + @param[in] Oid Object identifier buffer=0D + @param[in] OidSize Object identifier buffer size=0D + @param[out] ExtensionData Extension bytes.=0D + @param[in, out] ExtensionDataSize Extension bytes size.=0D +=0D + @retval TRUE The certificate Extension data retrieve= d successfully.=0D + @retval FALSE If Cert is NULL.=0D + If ExtensionDataSize is NULL.=0D + If ExtensionData is not NULL and *Exten= sionDataSize is 0.=0D + If Certificate is invalid.=0D + @retval FALSE If no Extension entry match Oid.=0D + @retval FALSE If the ExtensionData is NULL. 
The requi= red buffer size=0D + is returned in the ExtensionDataSize pa= rameter.=0D + @retval FALSE The operation is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +CryptoServiceX509GetExtensionData (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + IN CONST UINT8 *Oid,=0D + IN UINTN OidSize,=0D + OUT UINT8 *ExtensionData,=0D + IN OUT UINTN *ExtensionDataSize=0D + )=0D +{=0D + return CALL_BASECRYPTLIB (X509.Services.GetExtensionData, X509GetExtensi= onData, (Cert, CertSize, Oid, OidSize, ExtensionData, ExtensionDataSize), F= ALSE);=0D +}=0D +=0D +/**=0D + Retrieve the Extended Key Usage from one X.509 certificate.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate.=0D + @param[in] CertSize Size of the X509 certificate in bytes.= =0D + @param[out] Usage Key Usage bytes.=0D + @param[in, out] UsageSize Key Usage buffer sizs in bytes.=0D +=0D + @retval TRUE The Usage bytes retrieve successfully.= =0D + @retval FALSE If Cert is NULL.=0D + If CertSize is NULL.=0D + If Usage is not NULL and *UsageSize is = 0.=0D + If Cert is invalid.=0D + @retval FALSE If the Usage is NULL. 
The required buff= er size=0D + is returned in the UsageSize parameter.= =0D + @retval FALSE The operation is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +CryptoServiceX509GetExtendedKeyUsage (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINT8 *Usage,=0D + IN OUT UINTN *UsageSize=0D + )=0D +{=0D + return CALL_BASECRYPTLIB (X509.Services.GetExtendedKeyUsage, X509GetExte= ndedKeyUsage, (Cert, CertSize, Usage, UsageSize), FALSE);=0D +}=0D +=0D +/**=0D + Retrieve the Validity from one X.509 certificate=0D +=0D + If Cert is NULL, then return FALSE.=0D + If CertIssuerSize is NULL, then return FALSE.=0D + If this interface is not supported, then return FALSE.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certificate= .=0D + @param[in] CertSize Size of the X509 certificate in bytes.=0D + @param[in] From notBefore Pointer to DateTime object.=0D + @param[in,out] FromSize notBefore DateTime object size.=0D + @param[in] To notAfter Pointer to DateTime object.=0D + @param[in,out] ToSize notAfter DateTime object size.=0D +=0D + Note: X509CompareDateTime to compare DateTime oject=0D + x509SetDateTime to get a DateTime object from a DateTimeStr=0D +=0D + @retval TRUE The certificate Validity retrieved successfully.=0D + @retval FALSE Invalid certificate, or Validity retrieve failed.=0D + @retval FALSE This interface is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +CryptoServiceX509GetValidity (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + IN UINT8 *From,=0D + IN OUT UINTN *FromSize,=0D + IN UINT8 *To,=0D + IN OUT UINTN *ToSize=0D + )=0D +{=0D + return CALL_BASECRYPTLIB (X509.Services.GetValidity, X509GetValidity, (C= ert, CertSize, From, FromSize, To, ToSize), FALSE);=0D +}=0D +=0D +/**=0D + Format a DateTimeStr to DataTime object in DataTime Buffer=0D +=0D + If DateTimeStr is NULL, then return FALSE.=0D + If DateTimeSize is NULL, then return FALSE.=0D + If this interface is not supported, then return FALSE.=0D +=0D + @param[in] 
DateTimeStr DateTime string like YYYYMMDDhhmmssZ=0D + Ref: https://www.w3.org/TR/NOTE-datetim= e=0D + Z stand for UTC time=0D + @param[out] DateTime Pointer to a DateTime object.=0D + @param[in,out] DateTimeSize DateTime object buffer size.=0D +=0D + @retval TRUE The DateTime object create successfully= .=0D + @retval FALSE If DateTimeStr is NULL.=0D + If DateTimeSize is NULL.=0D + If DateTime is not NULL and *DateTimeSi= ze is 0.=0D + If Year Month Day Hour Minute Second co= mbination is invalid datetime.=0D + @retval FALSE If the DateTime is NULL. The required b= uffer size=0D + (including the final null) is returned = in the=0D + DateTimeSize parameter.=0D + @retval FALSE The operation is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +CryptoServiceX509FormatDateTime (=0D + IN CONST CHAR8 *DateTimeStr,=0D + OUT VOID *DateTime,=0D + IN OUT UINTN *DateTimeSize=0D + )=0D +{=0D + return CALL_BASECRYPTLIB (X509.Services.FormatDateTime, X509FormatDateTi= me, (DateTimeStr, DateTime, DateTimeSize), FALSE);=0D +}=0D +=0D +/**=0D + Compare DateTime1 object and DateTime2 object.=0D +=0D + If DateTime1 is NULL, then return -2.=0D + If DateTime2 is NULL, then return -2.=0D + If DateTime1 =3D=3D DateTime2, then return 0=0D + If DateTime1 > DateTime2, then return 1=0D + If DateTime1 < DateTime2, then return -1=0D +=0D + @param[in] DateTime1 Pointer to a DateTime Ojbect=0D + @param[in] DateTime2 Pointer to a DateTime Object=0D +=0D + @retval 0 If DateTime1 =3D=3D DateTime2=0D + @retval 1 If DateTime1 > DateTime2=0D + @retval -1 If DateTime1 < DateTime2=0D +**/=0D +INT32=0D +EFIAPI=0D +CryptoServiceX509CompareDateTime (=0D + IN CONST VOID *DateTime1,=0D + IN CONST VOID *DateTime2=0D + )=0D +{=0D + return CALL_BASECRYPTLIB (X509.Services.CompareDateTime, X509CompareDate= Time, (DateTime1, DateTime2), FALSE);=0D +}=0D +=0D +/**=0D + Retrieve the Key Usage from one X.509 certificate.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate.=0D + @param[in] CertSize 
Size of the X509 certificate in bytes.= =0D + @param[out] Usage Key Usage (CRYPTO_X509_KU_*)=0D +=0D + @retval TRUE The certificate Key Usage retrieved successfully.=0D + @retval FALSE Invalid certificate, or Usage is NULL=0D + @retval FALSE This interface is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +CryptoServiceX509GetKeyUsage (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINTN *Usage=0D + )=0D +{=0D + return CALL_BASECRYPTLIB (X509.Services.GetKeyUsage, X509GetKeyUsage, (C= ert, CertSize, Usage), FALSE);=0D +}=0D +=0D +/**=0D + Verify one X509 certificate was issued by the trusted CA.=0D + @param[in] RootCert Trusted Root Certificate buffer=0D +=0D + @param[in] RootCertLength Trusted Root Certificate buffer length= =0D + @param[in] CertChain One or more ASN.1 DER-encoded X.509 ce= rtificates=0D + where the first certificate is signed = by the Root=0D + Certificate or is the Root Cerificate = itself. and=0D + subsequent cerificate is signed by the= preceding=0D + cerificate.=0D + @param[in] CertChainLength Total length of the certificate chain,= in bytes.=0D +=0D + @retval TRUE All cerificates was issued by the first certificate in X= 509Certchain.=0D + @retval FALSE Invalid certificate or the certificate was not issued by= the given=0D + trusted CA.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +CryptoServiceX509VerifyCertChain (=0D + IN CONST UINT8 *RootCert,=0D + IN UINTN RootCertLength,=0D + IN CONST UINT8 *CertChain,=0D + IN UINTN CertChainLength=0D + )=0D +{=0D + return CALL_BASECRYPTLIB (X509.Services.VerifyCertChain, X509VerifyCertC= hain, (RootCert, RootCertLength, CertChain, CertChainLength), FALSE);=0D +}=0D +=0D +/**=0D + Get one X509 certificate from CertChain.=0D +=0D + @param[in] CertChain One or more ASN.1 DER-encoded X.509 ce= rtificates=0D + where the first certificate is signed = by the Root=0D + Certificate or is the Root Cerificate = itself. 
and=0D + subsequent cerificate is signed by the= preceding=0D + cerificate.=0D + @param[in] CertChainLength Total length of the certificate chain,= in bytes.=0D +=0D + @param[in] CertIndex Index of certificate.=0D +=0D + @param[out] Cert The certificate at the index of CertCh= ain.=0D + @param[out] CertLength The length certificate at the index of= CertChain.=0D +=0D + @retval TRUE Success.=0D + @retval FALSE Failed to get certificate from certificate chain.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +CryptoServiceX509GetCertFromCertChain (=0D + IN CONST UINT8 *CertChain,=0D + IN UINTN CertChainLength,=0D + IN CONST INT32 CertIndex,=0D + OUT CONST UINT8 **Cert,=0D + OUT UINTN *CertLength=0D + )=0D +{=0D + return CALL_BASECRYPTLIB (X509.Services.GetCertFromCertChain, X509GetCer= tFromCertChain, (CertChain, CertChainLength, CertIndex, Cert, CertLength), = FALSE);=0D +}=0D +=0D +/**=0D + Retrieve the tag and length of the tag.=0D +=0D + @param Ptr The position in the ASN.1 data=0D + @param End End of data=0D + @param Length The variable that will receive the length=0D + @param Tag The expected tag=0D +=0D + @retval TRUE Get tag successful=0D + @retval FALSe Failed to get tag or tag not match=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +CryptoServiceAsn1GetTag (=0D + IN OUT UINT8 **Ptr,=0D + IN CONST UINT8 *End,=0D + OUT UINTN *Length,=0D + IN UINT32 Tag=0D + )=0D +{=0D + return CALL_BASECRYPTLIB (X509.Services.Asn1GetTag, Asn1GetTag, (Ptr, En= d, Length, Tag), FALSE);=0D +}=0D +=0D +/**=0D + Retrieve the basic constraints from one X.509 certificate.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509= certificate.=0D + @param[in] CertSize size of the X509 certificate in= bytes.=0D + @param[out] BasicConstraints basic constraints bytes.=0D + @param[in, out] BasicConstraintsSize basic constraints buffer sizs i= n bytes.=0D +=0D + @retval TRUE The basic constraints retrieve successf= ully.=0D + @retval FALSE If cert is NULL.=0D + If cert_size is NULL.=0D + If basic_constraints is not 
NULL and *b= asic_constraints_size is 0.=0D + If cert is invalid.=0D + @retval FALSE The required buffer size is small.=0D + The return buffer size is basic_constra= ints_size parameter.=0D + @retval FALSE If no Extension entry match oid.=0D + @retval FALSE The operation is not supported.=0D + **/=0D +BOOLEAN=0D +EFIAPI=0D +CryptoServiceX509GetExtendedBasicConstraints (=0D + CONST UINT8 *Cert,=0D + UINTN CertSize,=0D + UINT8 *BasicConstraints,=0D + UINTN *BasicConstraintsSize=0D + )=0D +{=0D + return CALL_BASECRYPTLIB (X509.Services.GetExtendedBasicConstraints, X50= 9GetExtendedBasicConstraints, (Cert, CertSize, BasicConstraints, BasicConst= raintsSize), FALSE);=0D +}=0D +=0D /**=0D Derives a key from a password using a salt and iteration count, based on= PKCS#5 v2.0=0D password based encryption key derivation function PBKDF2, as specified i= n RFC 2898.=0D @@ -6416,5 +6831,20 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto =3D { CryptoServiceTlsSetSignatureAlgoList,=0D CryptoServiceTlsSetEcCurve,=0D /// TLS Get (continued)=0D - CryptoServiceTlsGetExportKey=0D + CryptoServiceTlsGetExportKey,=0D + /// X509 (Continued)=0D + CryptoServiceX509GetVersion,=0D + CryptoServiceX509GetSerialNumber,=0D + CryptoServiceX509GetIssuerName,=0D + CryptoServiceX509GetSignatureAlgorithm,=0D + CryptoServiceX509GetExtensionData,=0D + CryptoServiceX509GetExtendedKeyUsage,=0D + CryptoServiceX509GetValidity,=0D + CryptoServiceX509FormatDateTime,=0D + CryptoServiceX509CompareDateTime,=0D + CryptoServiceX509GetKeyUsage,=0D + CryptoServiceX509VerifyCertChain,=0D + CryptoServiceX509GetCertFromCertChain,=0D + CryptoServiceAsn1GetTag,=0D + CryptoServiceX509GetExtendedBasicConstraints=0D };=0D diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoP= kg/Include/Pcd/PcdCryptoServiceFamilyEnable.h index 4740589417..9d3651338b 100644 --- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h +++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h 
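Review bot: CryptoServiceX509CompareDateTime returns INT32 but its CALL_BASECRYPTLIB fallback is FALSE, which is 0 — the documented "DateTime1 == DateTime2" result — so a platform that has this service disabled reports any two dates as equal instead of failing; the doc block already reserves -2 for bad input, so use that: `return CALL_BASECRYPTLIB (X509.Services.CompareDateTime, X509CompareDateTime, (DateTime1, DateTime2), -2);` and add `@retval -2 If DateTime1 or DateTime2 is NULL, or the service is not supported.`. The CALL_CRYPTO_SERVICE wrapper for X509CompareDateTime in the CryptLib.c hunk has the same FALSE fallback. Several of the new doc blocks look copied from neighbours and disagree with their own signatures: CryptoServiceX509GetValidity says "If CertIssuerSize is NULL" and tags From/To as [in] although they receive the notBefore/notAfter bytes, CryptoServiceX509GetIssuerName describes its output as "certificate subject bytes"/CertSubject, and CryptoServiceX509GetExtendedBasicConstraints refers to cert_size/basic_constraints and is the only wrapper whose parameters carry no IN/OUT/CONST decorators. The same text recurs in the CryptLib.c and Crypto.h hunks.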
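Review bot: The fourteen entries appended to mEdkiiCrypto extend the EDKII_CRYPTO_PROTOCOL layout, and a BaseCryptLibOnProtocolPpi consumer built against the new Crypto.h will index past the end of the table published by an older driver unless it can tell the two apart; I do not see EDKII_CRYPTO_VERSION changed anywhere in the visible part of this patch (the Crypto.h hunk is cut off below), so if it is not bumped elsewhere in the series it should be, in the same commit that appends these members. Appending at the tail rather than next to the existing X509 entries is the right choice for binary compatibility, and a comment such as `/// X509 (Continued) - appended for protocol version <NEW_VERSION>; order is ABI, do not reorder` would make that intent explicit.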
@@ -187,16 +187,30 @@ typedef struct {
 } Sha512;=0D
 union {=0D
 struct {=0D
- UINT8 GetSubjectName : 1;=0D
- UINT8 GetCommonName : 1;=0D
- UINT8 GetOrganizationName : 1;=0D
- UINT8 VerifyCert : 1;=0D
- UINT8 ConstructCertificate : 1;=0D
- UINT8 ConstructCertificateStack : 1;=0D
- UINT8 ConstructCertificateStackV : 1;=0D
- UINT8 Free : 1;=0D
- UINT8 StackFree : 1;=0D
- UINT8 GetTBSCert : 1;=0D
+ UINT8 GetSubjectName : 1;=0D
+ UINT8 GetCommonName : 1;=0D
+ UINT8 GetOrganizationName : 1;=0D
+ UINT8 VerifyCert : 1;=0D
+ UINT8 ConstructCertificate : 1;=0D
+ UINT8 ConstructCertificateStack : 1;=0D
+ UINT8 ConstructCertificateStackV : 1;=0D
+ UINT8 Free : 1;=0D
+ UINT8 StackFree : 1;=0D
+ UINT8 GetTBSCert : 1;=0D
+ UINT8 GetVersion : 1;=0D
+ UINT8 GetSerialNumber : 1;=0D
+ UINT8 GetIssuerName : 1;=0D
+ UINT8 GetSignatureAlgorithm : 1;=0D
+ UINT8 GetExtensionData : 1;=0D
+ UINT8 GetExtendedKeyUsage : 1;=0D
+ UINT8 GetValidity : 1;=0D
+ UINT8 FormatDateTime : 1;=0D
+ UINT8 CompareDateTime : 1;=0D
+ UINT8 GetKeyUsage : 1;=0D
+ UINT8 VerifyCertChain : 1;=0D
+ UINT8 GetCertFromCertChain : 1;=0D
+ UINT8 Asn1GetTag : 1;=0D
+ UINT8 GetExtendedBasicConstraints : 1;=0D
 } Services;=0D
 UINT32 Family;=0D
 } X509;=0D
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/Crypt= oPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 52b934a545..6862adf061 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
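Review bot: The X509 Services struct now carries 24 one-bit UINT8 members overlaid by `UINT32 Family`, so, assuming the compiler packs them contiguously, eight bits remain before a flag falls outside what Family covers and the family-wide enable silently stops applying to it; nothing in the header records that limit. A comment on the union, e.g. `/// Services must fit within the 32 bits of Family (24 used)`, would let the next addition be checked at a glance. Asn1GetTag is a generic DER helper rather than an X.509 operation, so a one-line note that it is deliberately gated by the X509 family would also help readers of the PCD.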
@@ -2322,6 +2322,421 @@ X509GetTBSCert ( CALL_CRYPTO_SERVICE (X509GetTBSCert, (Cert, CertSize, TBSCert, TBSCertSi= ze), FALSE);=0D }=0D =0D +/**=0D + Retrieve the version from one X.509 certificate.=0D +=0D + If Cert is NULL, then return FALSE.=0D + If CertSize is 0, then return FALSE.=0D + If this interface is not supported, then return FALSE.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certificate= .=0D + @param[in] CertSize Size of the X509 certificate in bytes.=0D + @param[out] Version Pointer to the retrieved version integer.=0D +=0D + @retval TRUE The certificate version retrieved successfully.=0D + @retval FALSE If Cert is NULL or CertSize is Zero.=0D + @retval FALSE The operation is not supported.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +X509GetVersion (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINTN *Version=0D + )=0D +{=0D + CALL_CRYPTO_SERVICE (X509GetVersion, (Cert, CertSize, Version), FALSE);= =0D +}=0D +=0D +/**=0D + Retrieve the serialNumber from one X.509 certificate.=0D +=0D + If Cert is NULL, then return FALSE.=0D + If CertSize is 0, then return FALSE.=0D + If this interface is not supported, then return FALSE.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certificate= .=0D + @param[in] CertSize Size of the X509 certificate in bytes.=0D + @param[out] SerialNumber Pointer to the retrieved certificate Seria= lNumber bytes.=0D + @param[in, out] SerialNumberSize The size in bytes of the SerialNumber = buffer on input,=0D + and the size of buffer returned SerialNumbe= r on output.=0D +=0D + @retval TRUE The certificate serialNumber retrieved = successfully.=0D + @retval FALSE If Cert is NULL or CertSize is Zero.=0D + If SerialNumberSize is NULL.=0D + If Certificate is invalid.=0D + @retval FALSE If no SerialNumber exists.=0D + @retval FALSE If the SerialNumber is NULL. 
The requir= ed buffer size=0D + (including the final null) is returned = in the=0D + SerialNumberSize parameter.=0D + @retval FALSE The operation is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +X509GetSerialNumber (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINT8 *SerialNumber, OPTIONAL=0D + IN OUT UINTN *SerialNumberSize=0D + )=0D +{=0D + CALL_CRYPTO_SERVICE (X509GetSerialNumber, (Cert, CertSize, SerialNumber,= SerialNumberSize), FALSE);=0D +}=0D +=0D +/**=0D + Retrieve the issuer bytes from one X.509 certificate.=0D +=0D + If Cert is NULL, then return FALSE.=0D + If CertIssuerSize is NULL, then return FALSE.=0D + If this interface is not supported, then return FALSE.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certificate= .=0D + @param[in] CertSize Size of the X509 certificate in bytes.=0D + @param[out] CertIssuer Pointer to the retrieved certificate subject= bytes.=0D + @param[in, out] CertIssuerSize The size in bytes of the CertIssuer buff= er on input,=0D + and the size of buffer returned CertSubject= on output.=0D +=0D + @retval TRUE The certificate issuer retrieved successfully.=0D + @retval FALSE Invalid certificate, or the CertIssuerSize is too small = for the result.=0D + The CertIssuerSize will be updated with the required siz= e.=0D + @retval FALSE This interface is not supported.=0D +=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +X509GetIssuerName (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINT8 *CertIssuer,=0D + IN OUT UINTN *CertIssuerSize=0D + )=0D +{=0D + CALL_CRYPTO_SERVICE (X509GetIssuerName, (Cert, CertSize, CertIssuer, Cer= tIssuerSize), FALSE);=0D +}=0D +=0D +/**=0D + Retrieve the Signature Algorithm from one X.509 certificate.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate.=0D + @param[in] CertSize Size of the X509 certificate in bytes.= =0D + @param[out] Oid Signature Algorithm Object identifier b= uffer.=0D + @param[in,out] OidSize Signature Algorithm Object identifier 
b= uffer size=0D +=0D + @retval TRUE The certificate Extension data retrieved successf= ully.=0D + @retval FALSE If Cert is NULL.=0D + If OidSize is NULL.=0D + If Oid is not NULL and *OidSize is 0.=0D + If Certificate is invalid.=0D + @retval FALSE If no SignatureType.=0D + @retval FALSE If the Oid is NULL. The required buffer= size=0D + is returned in the OidSize.=0D + @retval FALSE The operation is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +X509GetSignatureAlgorithm (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINT8 *Oid, OPTIONAL=0D + IN OUT UINTN *OidSize=0D + )=0D +{=0D + CALL_CRYPTO_SERVICE (X509GetSignatureAlgorithm, (Cert, CertSize, Oid, Oi= dSize), FALSE);=0D +}=0D +=0D +/**=0D + Retrieve Extension data from one X.509 certificate.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate.=0D + @param[in] CertSize Size of the X509 certificate in bytes.= =0D + @param[in] Oid Object identifier buffer=0D + @param[in] OidSize Object identifier buffer size=0D + @param[out] ExtensionData Extension bytes.=0D + @param[in, out] ExtensionDataSize Extension bytes size.=0D +=0D + @retval TRUE The certificate Extension data retrieve= d successfully.=0D + @retval FALSE If Cert is NULL.=0D + If ExtensionDataSize is NULL.=0D + If ExtensionData is not NULL and *Exten= sionDataSize is 0.=0D + If Certificate is invalid.=0D + @retval FALSE If no Extension entry match Oid.=0D + @retval FALSE If the ExtensionData is NULL. 
The requi= red buffer size=0D + is returned in the ExtensionDataSize pa= rameter.=0D + @retval FALSE The operation is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +X509GetExtensionData (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + IN CONST UINT8 *Oid,=0D + IN UINTN OidSize,=0D + OUT UINT8 *ExtensionData,=0D + IN OUT UINTN *ExtensionDataSize=0D + )=0D +{=0D + CALL_CRYPTO_SERVICE (X509GetExtensionData, (Cert, CertSize, Oid, OidSize= , ExtensionData, ExtensionDataSize), FALSE);=0D +}=0D +=0D +/**=0D + Retrieve the Extended Key Usage from one X.509 certificate.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate.=0D + @param[in] CertSize Size of the X509 certificate in bytes.= =0D + @param[out] Usage Key Usage bytes.=0D + @param[in, out] UsageSize Key Usage buffer sizs in bytes.=0D +=0D + @retval TRUE The Usage bytes retrieve successfully.= =0D + @retval FALSE If Cert is NULL.=0D + If CertSize is NULL.=0D + If Usage is not NULL and *UsageSize is = 0.=0D + If Cert is invalid.=0D + @retval FALSE If the Usage is NULL. 
The required buff= er size=0D + is returned in the UsageSize parameter.= =0D + @retval FALSE The operation is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +X509GetExtendedKeyUsage (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINT8 *Usage,=0D + IN OUT UINTN *UsageSize=0D + )=0D +{=0D + CALL_CRYPTO_SERVICE (X509GetExtendedKeyUsage, (Cert, CertSize, Usage, Us= ageSize), FALSE);=0D +}=0D +=0D +/**=0D + Retrieve the Validity from one X.509 certificate=0D +=0D + If Cert is NULL, then return FALSE.=0D + If CertIssuerSize is NULL, then return FALSE.=0D + If this interface is not supported, then return FALSE.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certificate= .=0D + @param[in] CertSize Size of the X509 certificate in bytes.=0D + @param[in] From notBefore Pointer to DateTime object.=0D + @param[in,out] FromSize notBefore DateTime object size.=0D + @param[in] To notAfter Pointer to DateTime object.=0D + @param[in,out] ToSize notAfter DateTime object size.=0D +=0D + Note: X509CompareDateTime to compare DateTime oject=0D + x509SetDateTime to get a DateTime object from a DateTimeStr=0D +=0D + @retval TRUE The certificate Validity retrieved successfully.=0D + @retval FALSE Invalid certificate, or Validity retrieve failed.=0D + @retval FALSE This interface is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +X509GetValidity (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + IN UINT8 *From,=0D + IN OUT UINTN *FromSize,=0D + IN UINT8 *To,=0D + IN OUT UINTN *ToSize=0D + )=0D +{=0D + CALL_CRYPTO_SERVICE (X509GetValidity, (Cert, CertSize, From, FromSize, T= o, ToSize), FALSE);=0D +}=0D +=0D +/**=0D + Format a DateTimeStr to DataTime object in DataTime Buffer=0D +=0D + If DateTimeStr is NULL, then return FALSE.=0D + If DateTimeSize is NULL, then return FALSE.=0D + If this interface is not supported, then return FALSE.=0D +=0D + @param[in] DateTimeStr DateTime string like YYYYMMDDhhmmssZ=0D + Ref: https://www.w3.org/TR/NOTE-datetim= e=0D + 
Z stand for UTC time=0D + @param[out] DateTime Pointer to a DateTime object.=0D + @param[in,out] DateTimeSize DateTime object buffer size.=0D +=0D + @retval TRUE The DateTime object create successfully= .=0D + @retval FALSE If DateTimeStr is NULL.=0D + If DateTimeSize is NULL.=0D + If DateTime is not NULL and *DateTimeSi= ze is 0.=0D + If Year Month Day Hour Minute Second co= mbination is invalid datetime.=0D + @retval FALSE If the DateTime is NULL. The required b= uffer size=0D + (including the final null) is returned = in the=0D + DateTimeSize parameter.=0D + @retval FALSE The operation is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +X509FormatDateTime (=0D + IN CONST CHAR8 *DateTimeStr,=0D + OUT VOID *DateTime,=0D + IN OUT UINTN *DateTimeSize=0D + )=0D +{=0D + CALL_CRYPTO_SERVICE (X509FormatDateTime, (DateTimeStr, DateTime, DateTim= eSize), FALSE);=0D +}=0D +=0D +/**=0D + Compare DateTime1 object and DateTime2 object.=0D +=0D + If DateTime1 is NULL, then return -2.=0D + If DateTime2 is NULL, then return -2.=0D + If DateTime1 =3D=3D DateTime2, then return 0=0D + If DateTime1 > DateTime2, then return 1=0D + If DateTime1 < DateTime2, then return -1=0D +=0D + @param[in] DateTime1 Pointer to a DateTime Ojbect=0D + @param[in] DateTime2 Pointer to a DateTime Object=0D +=0D + @retval 0 If DateTime1 =3D=3D DateTime2=0D + @retval 1 If DateTime1 > DateTime2=0D + @retval -1 If DateTime1 < DateTime2=0D +**/=0D +INT32=0D +EFIAPI=0D +X509CompareDateTime (=0D + IN CONST VOID *DateTime1,=0D + IN CONST VOID *DateTime2=0D + )=0D +{=0D + CALL_CRYPTO_SERVICE (X509CompareDateTime, (DateTime1, DateTime2), FALSE)= ;=0D +}=0D +=0D +/**=0D + Retrieve the Key Usage from one X.509 certificate.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate.=0D + @param[in] CertSize Size of the X509 certificate in bytes.= =0D + @param[out] Usage Key Usage (CRYPTO_X509_KU_*)=0D +=0D + @retval TRUE The certificate Key Usage retrieved successfully.=0D + @retval FALSE Invalid 
certificate, or Usage is NULL=0D + @retval FALSE This interface is not supported.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +X509GetKeyUsage (=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINTN *Usage=0D + )=0D +{=0D + CALL_CRYPTO_SERVICE (X509GetKeyUsage, (Cert, CertSize, Usage), FALSE);=0D +}=0D +=0D +/**=0D + Verify one X509 certificate was issued by the trusted CA.=0D + @param[in] RootCert Trusted Root Certificate buffer=0D +=0D + @param[in] RootCertLength Trusted Root Certificate buffer length= =0D + @param[in] CertChain One or more ASN.1 DER-encoded X.509 ce= rtificates=0D + where the first certificate is signed = by the Root=0D + Certificate or is the Root Cerificate = itself. and=0D + subsequent cerificate is signed by the= preceding=0D + cerificate.=0D + @param[in] CertChainLength Total length of the certificate chain,= in bytes.=0D +=0D + @retval TRUE All cerificates was issued by the first certificate in X= 509Certchain.=0D + @retval FALSE Invalid certificate or the certificate was not issued by= the given=0D + trusted CA.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +X509VerifyCertChain (=0D + IN CONST UINT8 *RootCert,=0D + IN UINTN RootCertLength,=0D + IN CONST UINT8 *CertChain,=0D + IN UINTN CertChainLength=0D + )=0D +{=0D + CALL_CRYPTO_SERVICE (X509VerifyCertChain, (RootCert, RootCertLength, Cer= tChain, CertChainLength), FALSE);=0D +}=0D +=0D +/**=0D + Get one X509 certificate from CertChain.=0D +=0D + @param[in] CertChain One or more ASN.1 DER-encoded X.509 ce= rtificates=0D + where the first certificate is signed = by the Root=0D + Certificate or is the Root Cerificate = itself. 
and=0D + subsequent cerificate is signed by the= preceding=0D + cerificate.=0D + @param[in] CertChainLength Total length of the certificate chain,= in bytes.=0D +=0D + @param[in] CertIndex Index of certificate.=0D +=0D + @param[out] Cert The certificate at the index of CertCh= ain.=0D + @param[out] CertLength The length certificate at the index of= CertChain.=0D +=0D + @retval TRUE Success.=0D + @retval FALSE Failed to get certificate from certificate chain.=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +X509GetCertFromCertChain (=0D + IN CONST UINT8 *CertChain,=0D + IN UINTN CertChainLength,=0D + IN CONST INT32 CertIndex,=0D + OUT CONST UINT8 **Cert,=0D + OUT UINTN *CertLength=0D + )=0D +{=0D + CALL_CRYPTO_SERVICE (X509GetCertFromCertChain, (CertChain, CertChainLeng= th, CertIndex, Cert, CertLength), FALSE);=0D +}=0D +=0D +/**=0D + Retrieve the tag and length of the tag.=0D +=0D + @param Ptr The position in the ASN.1 data=0D + @param End End of data=0D + @param Length The variable that will receive the length=0D + @param Tag The expected tag=0D +=0D + @retval TRUE Get tag successful=0D + @retval FALSe Failed to get tag or tag not match=0D +**/=0D +BOOLEAN=0D +EFIAPI=0D +Asn1GetTag (=0D + IN OUT UINT8 **Ptr,=0D + IN CONST UINT8 *End,=0D + OUT UINTN *Length,=0D + IN UINT32 Tag=0D + )=0D +{=0D + CALL_CRYPTO_SERVICE (Asn1GetTag, (Ptr, End, Length, Tag), FALSE);=0D +}=0D +=0D +/**=0D + Retrieve the basic constraints from one X.509 certificate.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509= certificate.=0D + @param[in] CertSize size of the X509 certificate in= bytes.=0D + @param[out] BasicConstraints basic constraints bytes.=0D + @param[in, out] BasicConstraintsSize basic constraints buffer sizs i= n bytes.=0D +=0D + @retval TRUE The basic constraints retrieve successf= ully.=0D + @retval FALSE If cert is NULL.=0D + If cert_size is NULL.=0D + If basic_constraints is not NULL and *b= asic_constraints_size is 0.=0D + If cert is invalid.=0D + @retval FALSE The required 
buffer size is small.=0D + The return buffer size is basic_constra= ints_size parameter.=0D + @retval FALSE If no Extension entry match oid.=0D + @retval FALSE The operation is not supported.=0D + **/=0D +BOOLEAN=0D +EFIAPI=0D +X509GetExtendedBasicConstraints (=0D + CONST UINT8 *Cert,=0D + UINTN CertSize,=0D + UINT8 *BasicConstraints,=0D + UINTN *BasicConstraintsSize=0D + )=0D +{=0D + CALL_CRYPTO_SERVICE (X509GetExtendedBasicConstraints, (Cert, CertSize, B= asicConstraints, BasicConstraintsSize), FALSE);=0D +}=0D +=0D /**=0D Derives a key from a password using a salt and iteration count, based on= PKCS#5 v2.0=0D password based encryption key derivation function PBKDF2, as specified i= n RFC 2898.=0D diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protoc= ol/Crypto.h index 6293efa36b..7408e11ec6 100644 --- a/CryptoPkg/Private/Protocol/Crypto.h +++ b/CryptoPkg/Private/Protocol/Crypto.h 
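Review bot: X509GetCertFromCertChain takes `IN CONST INT32 CertIndex` but its doc block only says "Index of certificate", so a caller cannot tell whether a negative index is an error or has a meaning (the underlying BaseCryptLib implementation presumably defines one — confirm and document it), e.g. `@param[in] CertIndex Index of certificate; <state the negative-index convention here, or that negatives are rejected>`. Asn1GetTag is the only new wrapper whose parameters carry no [in]/[out] tags, and its doc block has `@retval FALSe`; aligning it with the surrounding style (`@param[in, out] Ptr`, `@retval FALSE`) is cheap. Both doc blocks are repeated verbatim in the Crypto.c and Crypto.h hunks.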
@@ -2351,6 +2351,381 @@ BOOLEAN OUT UINTN *TBSCertSize=0D );=0D =0D +/**=0D + Retrieve the version from one X.509 certificate.=0D +=0D + If Cert is NULL, then return FALSE.=0D + If CertSize is 0, then return FALSE.=0D + If this interface is not supported, then return FALSE.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certificate= .=0D + @param[in] CertSize Size of the X509 certificate in bytes.=0D + @param[out] Version Pointer to the retrieved version integer.=0D +=0D + @retval TRUE The certificate version retrieved successfully.=0D + @retval FALSE If Cert is NULL or CertSize is Zero.=0D + @retval FALSE The operation is not supported.=0D +=0D +**/=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *EDKII_CRYPTO_X509_GET_VERSION)(=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINTN *Version=0D + );=0D +=0D +/**=0D + Retrieve the serialNumber from one X.509 certificate.=0D +=0D + If Cert is NULL, then return FALSE.=0D + If CertSize is 0, then return FALSE.=0D + If this interface is not supported, then return FALSE.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certificate= .=0D + @param[in] CertSize Size of the X509 certificate in bytes.=0D + @param[out] SerialNumber Pointer to the retrieved certificate Seria= lNumber bytes.=0D + @param[in, out] SerialNumberSize The size in bytes of the SerialNumber = buffer on input,=0D + and the size of buffer returned SerialNumbe= r on output.=0D +=0D + @retval TRUE The certificate serialNumber retrieved = successfully.=0D + @retval FALSE If Cert is NULL or CertSize is Zero.=0D + If SerialNumberSize is NULL.=0D + If Certificate is invalid.=0D + @retval FALSE If no SerialNumber exists.=0D + @retval FALSE If the SerialNumber is NULL. 
The requir= ed buffer size=0D + (including the final null) is returned = in the=0D + SerialNumberSize parameter.=0D + @retval FALSE The operation is not supported.=0D +**/=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *EDKII_CRYPTO_X509_GET_SERIAL_NUMBER)(=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINT8 *SerialNumber, OPTIONAL=0D + IN OUT UINTN *SerialNumberSize=0D + );=0D +=0D +/**=0D + Retrieve the issuer bytes from one X.509 certificate.=0D +=0D + If Cert is NULL, then return FALSE.=0D + If CertIssuerSize is NULL, then return FALSE.=0D + If this interface is not supported, then return FALSE.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certificate= .=0D + @param[in] CertSize Size of the X509 certificate in bytes.=0D + @param[out] CertIssuer Pointer to the retrieved certificate subject= bytes.=0D + @param[in, out] CertIssuerSize The size in bytes of the CertIssuer buff= er on input,=0D + and the size of buffer returned CertSubject= on output.=0D +=0D + @retval TRUE The certificate issuer retrieved successfully.=0D + @retval FALSE Invalid certificate, or the CertIssuerSize is too small = for the result.=0D + The CertIssuerSize will be updated with the required siz= e.=0D + @retval FALSE This interface is not supported.=0D +=0D +**/=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *EDKII_CRYPTO_X509_GET_ISSUER_NAME)(=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINT8 *CertIssuer,=0D + IN OUT UINTN *CertIssuerSize=0D + );=0D +=0D +/**=0D + Retrieve the Signature Algorithm from one X.509 certificate.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate.=0D + @param[in] CertSize Size of the X509 certificate in bytes.= =0D + @param[out] Oid Signature Algorithm Object identifier b= uffer.=0D + @param[in,out] OidSize Signature Algorithm Object identifier b= uffer size=0D +=0D + @retval TRUE The certificate Extension data retrieved successf= ully.=0D + @retval FALSE If Cert is NULL.=0D + If OidSize is NULL.=0D + If Oid is not NULL 
and *OidSize is 0.=0D + If Certificate is invalid.=0D + @retval FALSE If no SignatureType.=0D + @retval FALSE If the Oid is NULL. The required buffer= size=0D + is returned in the OidSize.=0D + @retval FALSE The operation is not supported.=0D +**/=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *EDKII_CRYPTO_X509_GET_SIGNATURE_ALGORITHM)(=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINT8 *Oid, OPTIONAL=0D + IN OUT UINTN *OidSize=0D + );=0D +=0D +/**=0D + Retrieve Extension data from one X.509 certificate.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate.=0D + @param[in] CertSize Size of the X509 certificate in bytes.= =0D + @param[in] Oid Object identifier buffer=0D + @param[in] OidSize Object identifier buffer size=0D + @param[out] ExtensionData Extension bytes.=0D + @param[in, out] ExtensionDataSize Extension bytes size.=0D +=0D + @retval TRUE The certificate Extension data retrieve= d successfully.=0D + @retval FALSE If Cert is NULL.=0D + If ExtensionDataSize is NULL.=0D + If ExtensionData is not NULL and *Exten= sionDataSize is 0.=0D + If Certificate is invalid.=0D + @retval FALSE If no Extension entry match Oid.=0D + @retval FALSE If the ExtensionData is NULL. 
The requi= red buffer size=0D + is returned in the ExtensionDataSize pa= rameter.=0D + @retval FALSE The operation is not supported.=0D +**/=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *EDKII_CRYPTO_X509_GET_EXTENSION_DATA)(=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + IN CONST UINT8 *Oid,=0D + IN UINTN OidSize,=0D + OUT UINT8 *ExtensionData,=0D + IN OUT UINTN *ExtensionDataSize=0D + );=0D +=0D +/**=0D + Retrieve the Extended Key Usage from one X.509 certificate.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate.=0D + @param[in] CertSize Size of the X509 certificate in bytes.= =0D + @param[out] Usage Key Usage bytes.=0D + @param[in, out] UsageSize Key Usage buffer sizs in bytes.=0D +=0D + @retval TRUE The Usage bytes retrieve successfully.= =0D + @retval FALSE If Cert is NULL.=0D + If CertSize is NULL.=0D + If Usage is not NULL and *UsageSize is = 0.=0D + If Cert is invalid.=0D + @retval FALSE If the Usage is NULL. The required buff= er size=0D + is returned in the UsageSize parameter.= =0D + @retval FALSE The operation is not supported.=0D +**/=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *EDKII_CRYPTO_X509_GET_EXTENDED_KEY_USAGE)(=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINT8 *Usage,=0D + IN OUT UINTN *UsageSize=0D + );=0D +=0D +/**=0D + Retrieve the Validity from one X.509 certificate=0D +=0D + If Cert is NULL, then return FALSE.=0D + If CertIssuerSize is NULL, then return FALSE.=0D + If this interface is not supported, then return FALSE.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certificate= .=0D + @param[in] CertSize Size of the X509 certificate in bytes.=0D + @param[out] From notBefore Pointer to DateTime object.=0D + @param[in,out] FromSize notBefore DateTime object size.=0D + @param[out] To notAfter Pointer to DateTime object.=0D + @param[in,out] ToSize notAfter DateTime object size.=0D +=0D + Note: X509CompareDateTime to compare DateTime oject=0D + x509SetDateTime to get a DateTime object from a 
DateTimeStr=0D +=0D + @retval TRUE The certificate Validity retrieved successfully.=0D + @retval FALSE Invalid certificate, or Validity retrieve failed.=0D + @retval FALSE This interface is not supported.=0D +**/=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *EDKII_CRYPTO_X509_GET_VALIDITY)(=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + IN UINT8 *From,=0D + IN OUT UINTN *FromSize,=0D + IN UINT8 *To,=0D + IN OUT UINTN *ToSize=0D + );=0D +=0D +/**=0D + Format a DateTimeStr to DataTime object in DataTime Buffer=0D +=0D + If DateTimeStr is NULL, then return FALSE.=0D + If DateTimeSize is NULL, then return FALSE.=0D + If this interface is not supported, then return FALSE.=0D +=0D + @param[in] DateTimeStr DateTime string like YYYYMMDDhhmmssZ=0D + Ref: https://www.w3.org/TR/NOTE-datetim= e=0D + Z stand for UTC time=0D + @param[in,out] DateTime Pointer to a DateTime object.=0D + @param[in,out] DateTimeSize DateTime object buffer size.=0D +=0D + @retval TRUE The DateTime object create successfully= .=0D + @retval FALSE If DateTimeStr is NULL.=0D + If DateTimeSize is NULL.=0D + If DateTime is not NULL and *DateTimeSi= ze is 0.=0D + If Year Month Day Hour Minute Second co= mbination is invalid datetime.=0D + @retval FALSE If the DateTime is NULL. 
The required b= uffer size=0D + (including the final null) is returned = in the=0D + DateTimeSize parameter.=0D + @retval FALSE The operation is not supported.=0D +**/=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *EDKII_CRYPTO_X509_FORMAT_DATE_TIME)(=0D + IN CONST CHAR8 *DateTimeStr,=0D + OUT VOID *DateTime,=0D + IN OUT UINTN *DateTimeSize=0D + );=0D +=0D +/**=0D + Compare DateTime1 object and DateTime2 object.=0D +=0D + If DateTime1 is NULL, then return -2.=0D + If DateTime2 is NULL, then return -2.=0D + If DateTime1 =3D=3D DateTime2, then return 0=0D + If DateTime1 > DateTime2, then return 1=0D + If DateTime1 < DateTime2, then return -1=0D +=0D + @param[in] DateTime1 Pointer to a DateTime Ojbect=0D + @param[in] DateTime2 Pointer to a DateTime Object=0D +=0D + @retval 0 If DateTime1 =3D=3D DateTime2=0D + @retval 1 If DateTime1 > DateTime2=0D + @retval -1 If DateTime1 < DateTime2=0D +**/=0D +typedef=0D +INT32=0D +(EFIAPI *EDKII_CRYPTO_X509_COMPARE_DATE_TIME)(=0D + IN CONST VOID *DateTime1,=0D + IN CONST VOID *DateTime2=0D + );=0D +=0D +/**=0D + Retrieve the Key Usage from one X.509 certificate.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509 certifi= cate.=0D + @param[in] CertSize Size of the X509 certificate in bytes.= =0D + @param[out] Usage Key Usage (CRYPTO_X509_KU_*)=0D +=0D + @retval TRUE The certificate Key Usage retrieved successfully.=0D + @retval FALSE Invalid certificate, or Usage is NULL=0D + @retval FALSE This interface is not supported.=0D +**/=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *EDKII_CRYPTO_X509_GET_KEY_USAGE)(=0D + IN CONST UINT8 *Cert,=0D + IN UINTN CertSize,=0D + OUT UINTN *Usage=0D + );=0D +=0D +/**=0D + Verify one X509 certificate was issued by the trusted CA.=0D +=0D + @param[in] CertChain One or more ASN.1 DER-encoded X.509 ce= rtificates=0D + where the first certificate is signed = by the Root=0D + Certificate or is the Root Cerificate = itself. 
and=0D + subsequent cerificate is signed by the= preceding=0D + cerificate.=0D + @param[in] CertChainLength Total length of the certificate chain,= in bytes.=0D +=0D + @param[in] RootCert Trusted Root Certificate buffer=0D +=0D + @param[in] RootCertLength Trusted Root Certificate buffer length= =0D +=0D + @retval TRUE All cerificates was issued by the first certificate in X= 509Certchain.=0D + @retval FALSE Invalid certificate or the certificate was not issued by= the given=0D + trusted CA.=0D +**/=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *EDKII_CRYPTO_X509_VERIFY_CERT_CHAIN)(=0D + IN CONST UINT8 *RootCert,=0D + IN UINTN RootCertLength,=0D + IN CONST UINT8 *CertChain,=0D + IN UINTN CertChainLength=0D + );=0D +=0D +/**=0D + Get one X509 certificate from CertChain.=0D +=0D + @param[in] CertChain One or more ASN.1 DER-encoded X.509 ce= rtificates=0D + where the first certificate is signed = by the Root=0D + Certificate or is the Root Cerificate = itself. and=0D + subsequent cerificate is signed by the= preceding=0D + cerificate.=0D + @param[in] CertChainLength Total length of the certificate chain,= in bytes.=0D +=0D + @param[in] CertIndex Index of certificate.=0D +=0D + @param[out] Cert The certificate at the index of CertCh= ain.=0D + @param[out] CertLength The length certificate at the index of= CertChain.=0D +=0D + @retval TRUE Success.=0D + @retval FALSE Failed to get certificate from certificate chain.=0D +**/=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *EDKII_CRYPTO_X509_GET_CERT_FROM_CERT_CHAIN)(=0D + IN CONST UINT8 *CertChain,=0D + IN UINTN CertChainLength,=0D + IN CONST INT32 CertIndex,=0D + OUT CONST UINT8 **Cert,=0D + OUT UINTN *CertLength=0D + );=0D +=0D +/**=0D + Retrieve the tag and length of the tag.=0D +=0D + @param Ptr The position in the ASN.1 data=0D + @param End End of data=0D + @param Length The variable that will receive the length=0D + @param Tag The expected tag=0D +=0D + @retval TRUE Get tag successful=0D + @retval FALSe Failed to get tag or tag not 
match=0D +**/=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *EDKII_CRYPTO_ASN1_GET_TAG)(=0D + IN OUT UINT8 **Ptr,=0D + IN CONST UINT8 *End,=0D + OUT UINTN *Length,=0D + IN UINT32 Tag=0D + );=0D +=0D +/**=0D + Retrieve the basic constraints from one X.509 certificate.=0D +=0D + @param[in] Cert Pointer to the DER-encoded X509= certificate.=0D + @param[in] CertSize size of the X509 certificate in= bytes.=0D + @param[out] BasicConstraints basic constraints bytes.=0D + @param[in, out] BasicConstraintsSize basic constraints buffer sizs i= n bytes.=0D +=0D + @retval TRUE The basic constraints retrieve successf= ully.=0D + @retval FALSE If cert is NULL.=0D + If cert_size is NULL.=0D + If basic_constraints is not NULL and *b= asic_constraints_size is 0.=0D + If cert is invalid.=0D + @retval FALSE The required buffer size is small.=0D + The return buffer size is basic_constra= ints_size parameter.=0D + @retval FALSE If no Extension entry match oid.=0D + @retval FALSE The operation is not supported.=0D + **/=0D +typedef=0D +BOOLEAN=0D +(EFIAPI *EDKII_CRYPTO_X509_GET_EXTENDED_BASIC_CONSTRAINTS)(=0D + CONST UINT8 *Cert,=0D + UINTN CertSize,=0D + UINT8 *BasicConstraints,=0D + UINTN *BasicConstraintsSize=0D + );=0D +=0D // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0D // Symmetric Cryptography Primitive=0D // =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0D 
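Review bot: `EDKII_CRYPTO_X509_COMPARE_DATE_TIME` documents a -2 return for a NULL argument in its description but leaves it out of the @retval list, so a caller that treats any negative result as "DateTime1 is earlier" (the natural way to write a notAfter check) would accept a missing date as still valid; add `@retval -2 If DateTime1 or DateTime2 is NULL; not an ordering result, callers must test for it explicitly`. In the same hunk the `EDKII_CRYPTO_X509_VERIFY_CERT_CHAIN` comment says TRUE means the certificates were "issued by the first certificate in X509Certchain", which contradicts the typedef that takes `RootCert` as its first parameter; since this is the trust decision consumers will rely on, it should state that every certificate is verified back to the supplied RootCert and say whether validity period, the basicConstraints CA flag and key usage are enforced or left to the caller. `EDKII_CRYPTO_X509_GET_VALIDITY` declares `From`/`To` as `IN UINT8 *` while the comment marks them `[out]` and its "If CertIssuerSize is NULL" line is copied from another function, and `EDKII_CRYPTO_X509_GET_EXTENDED_BASIC_CONSTRAINTS` lacks the IN/OUT/CONST qualifiers every other typedef here carries and refers to `cert_size`/`basic_constraints_size`, names that do not exist in this interface. Finally, `EDKII_CRYPTO_ASN1_GET_TAG` hands callers a raw DER cursor; its comment should state that on success `*Ptr` is advanced past the tag and length bytes and that `*Length` never exceeds `End - *Ptr` (callers will index with it), and whether `*Ptr` is left unchanged on failure.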
@@ -5084,6 +5459,21 @@ struct _EDKII_CRYPTO_PROTOCOL { EDKII_CRYPTO_TLS_SET_EC_CURVE TlsSetEcCurve;=0D /// TLS Get (continued)=0D EDKII_CRYPTO_TLS_GET_EXPORT_KEY TlsGetExportKey;=0D + /// X509 (Continued)=0D + EDKII_CRYPTO_X509_GET_VERSION X509GetVersion;=0D + EDKII_CRYPTO_X509_GET_SERIAL_NUMBER X509GetSerialNumber;= =0D + EDKII_CRYPTO_X509_GET_ISSUER_NAME X509GetIssuerName;=0D + EDKII_CRYPTO_X509_GET_SIGNATURE_ALGORITHM X509GetSignatureAlgo= rithm;=0D + EDKII_CRYPTO_X509_GET_EXTENSION_DATA X509GetExtensionData= ;=0D + EDKII_CRYPTO_X509_GET_EXTENDED_KEY_USAGE X509GetExtendedKeyUs= age;=0D + EDKII_CRYPTO_X509_GET_VALIDITY X509GetValidity;=0D + EDKII_CRYPTO_X509_FORMAT_DATE_TIME X509FormatDateTime;= =0D + EDKII_CRYPTO_X509_COMPARE_DATE_TIME X509CompareDateTime;= =0D + EDKII_CRYPTO_X509_GET_KEY_USAGE X509GetKeyUsage;=0D + EDKII_CRYPTO_X509_VERIFY_CERT_CHAIN X509VerifyCertChain;= =0D + EDKII_CRYPTO_X509_GET_CERT_FROM_CERT_CHAIN X509GetCertFromCertC= hain;=0D + EDKII_CRYPTO_ASN1_GET_TAG Asn1GetTag;=0D + EDKII_CRYPTO_X509_GET_EXTENDED_BASIC_CONSTRAINTS X509GetExtendedBasic= Constraints;=0D };=0D =0D extern GUID gEdkiiCryptoProtocolGuid;=0D --=20 2.26.2.windows.1
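Review bot: The fourteen new members are appended to `_EDKII_CRYPTO_PROTOCOL` after `TlsGetExportKey`, which keeps existing slot offsets stable, but nothing in this hunk bumps the protocol's version constant. If that is not done elsewhere in the series, a BaseCryptLibOnProtocolPpi consumer built against this header but paired with an older Crypto driver would have the new `CALL_CRYPTO_SERVICE` wrappers read past the end of the producer's structure when they test the slot for NULL, and could call through whatever lies there. Bump `EDKII_CRYPTO_VERSION` in the same change and confirm the consumer's version check rejects an older producer before any of the new slots is dereferenced. A `/// X509 (Continued) - added in protocol version N` comment on the first new member would make the compatibility boundary visible to the next person who extends the struct.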