Thanks, Chao.
Cryptest just simply use the hard-coded test vectors for API usage
demonstration. So 64 is big enough for the given test X.509 data.
Best Regards & Thanks,
LONG, Qin
-----Original Message-----
From: Zhang, Chao B
Sent: Wednesday, September 20, 2017 2:57 PM
To: Long, Qin <qin.l...@intel.com>; Ye, Ting <ting...@intel.com>
Cc: edk2-devel@lists.01.org
Subject: RE: [PATCH] CryptoPkg: Add new API to retrieve commonName of X.509
certificate
Qin:
For cryptest, do we need to support 64 maximum CN name and NULL? That makes
buffer size 65 instead of 64.
Others are good to me.
-----Original Message-----
From: Long, Qin
Sent: Tuesday, September 19, 2017 11:39 AM
To: Ye, Ting <ting...@intel.com>; Zhang, Chao B <chao.b.zh...@intel.com>
Cc: edk2-devel@lists.01.org; Long, Qin <qin.l...@intel.com>
Subject: [PATCH] CryptoPkg: Add new API to retrieve commonName of X.509
certificate
Add one new API (X509GetCommonName()) to retrieve the subject commonName string
from one X.509 certificate.
Cc: Ting Ye <ting...@intel.com>
Cc: Chao Zhang <chao.b.zh...@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.l...@intel.com>
---
CryptoPkg/Application/Cryptest/RsaVerify2.c | 17 ++++
CryptoPkg/Include/Library/BaseCryptLib.h | 32 ++++++++
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 93 ++++++++++++++++++++++
CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c | 32 ++++++++
.../Pk/CryptX509Null.c | 34 +++++++-
5 files changed, 207 insertions(+), 1 deletion(-)
diff --git a/CryptoPkg/Application/Cryptest/RsaVerify2.c
b/CryptoPkg/Application/Cryptest/RsaVerify2.c
index 98b5aad900..f9b70d5794 100644
--- a/CryptoPkg/Application/Cryptest/RsaVerify2.c
+++ b/CryptoPkg/Application/Cryptest/RsaVerify2.c
@@ -211,6 +211,9 @@ ValidateCryptRsa2 (
UINTN SigSize;
UINT8 *Subject;
UINTN SubjectSize;
+ CHAR8 CommonName[64];
+ CHAR16 CommonNameUnicode[64];
+ UINTN CommonNameSize;
Print (L"\nUEFI-OpenSSL RSA Key Retrieving Testing: ");
@@ -286,6 +289,20 @@ ValidateCryptRsa2 (
Print (L"[Pass]");
}
+ //
+ // Get CommonName from X509 Certificate Subject // CommonNameSize =
+ 64; ZeroMem (CommonName, CommonNameSize); Status = X509GetCommonName
+ (TestCert, sizeof (TestCert), CommonName, &CommonNameSize); if
+ (!Status) {
+ Print (L"\n - Retrieving Common Name - [Fail]");
+ return EFI_ABORTED;
+ } else {
+ AsciiStrToUnicodeStrS (CommonName, CommonNameUnicode, CommonNameSize);
+ Print (L"\n - Retrieving Common Name = \"%s\" (Size = %d)",
+ CommonNameUnicode, CommonNameSize); }
+
//
// X509 Certificate Verification.
//
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
b/CryptoPkg/Include/Library/BaseCryptLib.h
index 9c5ffcd9cf..d861be6725 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -2171,6 +2171,38 @@ X509GetSubjectName (
IN OUT UINTN *SubjectSize
);
+/**
+ Retrieve the common name (CN) string from one X.509 certificate.
+
+ If Cert or CommonNameSize is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] CommonName Buffer to contain the retrieved certificate
common
+ name string. At most CommonNameSize bytes
will be
+ written and the string will be null
terminated. May be
+ NULL in order to determine the size buffer
needed.
+ @param[in,out] CommonNameSize The size in bytes of the CommonName buffer
on input,
+ and the size of buffer returned CommonName
on output.
+ if CommonName is NULL then the amount of
space needed
+ in buffer (including the final null) is
returned.
+
+ @retval TRUE The certificate CommonName retrieved successfully.
+ @retval FALSE Invalid certificate, or CommonNameSize is NULL,
+ or no CommonName entry exists.
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+X509GetCommonName (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT CHAR8 *CommonName,
+ IN OUT UINTN *CommonNameSize
+ );
+
/**
Verify one X509 certificate was issued by the trusted CA.
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
index 7d275977c5..e45c214bd1 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
@@ -297,6 +297,99 @@ _Exit:
return Status;
}
+/**
+ Retrieve the common name (CN) string from one X.509 certificate.
+
+ If Cert or CommonNameSize is NULL, then return FALSE.
+ If this interface is not supported, then return FALSE.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] CommonName Buffer to contain the retrieved certificate
common
+ name string. At most CommonNameSize bytes
will be
+ written and the string will be null
terminated. May be
+ NULL in order to determine the size buffer
needed.
+ @param[in,out] CommonNameSize The size in bytes of the CommonName buffer
on input,
+ and the size of buffer returned CommonName
on output.
+ if CommonName is NULL then the amount of
space needed
+ in buffer (including the final null) is
returned.
+
+ @retval TRUE The certificate CommonName retrieved successfully.
+ @retval FALSE Invalid certificate, or CommonNameSize is NULL,
+ or no CommonName entry exists.
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+X509GetCommonName (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT CHAR8 *CommonName,
+ IN OUT UINTN *CommonNameSize
+ )
+{
+ BOOLEAN Status;
+ X509 *X509Cert;
+ X509_NAME *X509Name;
+ INTN Length;
+
+ //
+ // Check input parameters.
+ //
+ if ((Cert == NULL) || (CommonNameSize == NULL)) {
+ return FALSE;
+ }
+
+ X509Cert = NULL;
+
+ //
+ // Read DER-encoded X509 Certificate and Construct X509 object.
+ //
+ Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **)
+ &X509Cert); if ((X509Cert == NULL) || (!Status)) {
+ //
+ // Invalid X.509 Certificate
+ //
+ goto _Exit;
+ }
+
+ Status = FALSE;
+
+ //
+ // Retrieve subject name from certificate object.
+ //
+ X509Name = X509_get_subject_name (X509Cert); if (X509Name == NULL) {
+ goto _Exit;
+ }
+
+ //
+ // Retrieve the CommonName information from X.509 Subject // Length
+ = (INTN) X509_NAME_get_text_by_NID (X509Name, NID_commonName,
+ CommonName, (int)(*CommonNameSize)); if (Length < 0) {
+ //
+ // No CommonName entry exists in X509_NAME object
+ //
+ *CommonNameSize = 0;
+ goto _Exit;
+ }
+
+ *CommonNameSize = (UINTN)(Length + 1); Status = TRUE;
+
+_Exit:
+ //
+ // Release Resources.
+ //
+ if (X509Cert != NULL) {
+ X509_free (X509Cert);
+ }
+
+ return Status;
+}
+
/**
Retrieve the RSA Public Key from one DER-encoded X509 certificate.
diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c
b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c
index 51aa0633a8..81587003f2 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c
@@ -127,6 +127,38 @@ X509GetSubjectName (
return FALSE;
}
+/**
+ Retrieve the common name (CN) string from one X.509 certificate.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] CommonName Buffer to contain the retrieved certificate
common
+ name string. At most CommonNameSize bytes
will be
+ written and the string will be null
terminated. May be
+ NULL in order to determine the size buffer
needed.
+ @param[in,out] CommonNameSize The size in bytes of the CommonName buffer
on input,
+ and the size of buffer returned CommonName
on output.
+ if CommonName is NULL then the amount of
space needed
+ in buffer (including the final null) is
returned.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+X509GetCommonName (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT CHAR8 *CommonName,
+ IN OUT UINTN *CommonNameSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
/**
Retrieve the RSA Public Key from one DER-encoded X509 certificate.
diff --git
a/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX509Null.c
b/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX509Null.c
index f5d9aa1076..81587003f2 100644
--- a/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX509Null.c
+++ b/CryptoPkg/Library/BaseCryptLibRuntimeCryptProtocol/Pk/CryptX509Nul
+++ l.c
@@ -127,6 +127,38 @@ X509GetSubjectName (
return FALSE;
}
+/**
+ Retrieve the common name (CN) string from one X.509 certificate.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] Cert Pointer to the DER-encoded X509 certificate.
+ @param[in] CertSize Size of the X509 certificate in bytes.
+ @param[out] CommonName Buffer to contain the retrieved certificate
common
+ name string. At most CommonNameSize bytes
will be
+ written and the string will be null
terminated. May be
+ NULL in order to determine the size buffer
needed.
+ @param[in,out] CommonNameSize The size in bytes of the CommonName buffer
on input,
+ and the size of buffer returned CommonName
on output.
+ if CommonName is NULL then the amount of
space needed
+ in buffer (including the final null) is
returned.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+X509GetCommonName (
+ IN CONST UINT8 *Cert,
+ IN UINTN CertSize,
+ OUT CHAR8 *CommonName,
+ IN OUT UINTN *CommonNameSize
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
+
/**
Retrieve the RSA Public Key from one DER-encoded X509 certificate.
@@ -203,4 +235,4 @@ X509GetTBSCert (
{
ASSERT (FALSE);
return FALSE;
-}
\ No newline at end of file
+}
--
2.14.1.windows.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
