From nobody Fri May 3 22:24:12 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) smtp.mailfrom=edk2-devel-bounces@lists.01.org; dmarc=fail(p=none dis=none) header.from=intel.com Return-Path: Received: from ml01.01.org (ml01.01.org [198.145.21.10]) by mx.zohomail.com with SMTPS id 15271497282271012.5104900301884; Thu, 24 May 2018 01:15:28 -0700 (PDT) Received: from [127.0.0.1] (localhost [IPv6:::1]) by ml01.01.org (Postfix) with ESMTP id 234982083796D; Thu, 24 May 2018 01:11:45 -0700 (PDT) Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 34A07207E5412 for ; Thu, 24 May 2018 01:11:43 -0700 (PDT) Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 May 2018 01:11:43 -0700 Received: from shwdepsi940.ccr.corp.intel.com ([10.239.9.147]) by fmsmga007.fm.intel.com with ESMTP; 24 May 2018 01:11:42 -0700 X-Original-To: edk2-devel@lists.01.org Received-SPF: none (zoho.com: 198.145.21.10 is neither permitted nor denied by domain of lists.01.org) client-ip=198.145.21.10; envelope-from=edk2-devel-bounces@lists.01.org; helo=ml01.01.org; Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=134.134.136.20; helo=mga02.intel.com; envelope-from=qin.long@intel.com; receiver=edk2-devel@lists.01.org X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.49,436,1520924400"; d="scan'208";a="41814974" From: Long Qin To: edk2-devel@lists.01.org Date: Thu, 24 May 2018 16:11:16 +0800 Message-Id: <20180524081116.5380-1-qin.long@intel.com> X-Mailer: git-send-email 2.16.1.windows.1 Subject: [edk2] [PATCH] CryptoPkg: Remove deprecated function usage in X509GetCommonName() X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: ting.ye@intel.com, Michael.Turner@microsoft.com MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Errors-To: edk2-devel-bounces@lists.01.org Sender: "edk2-devel" X-ZohoMail: RSF_4 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" BZ#: https://bugzilla.tianocore.org/show_bug.cgi?id=3D923 X509_NAME_get_text_by_NID() used in X509GetCommonName() implementation is one legacy function which have various limitations. The returned data may be not usable when the target cert contains multicharacter string type like a BMPString or a UTF8String. This patch replaced the legacy function usage with more general X509_NAME_get_index_by_NID() / X509_NAME_get_entry() APIs for X509 CommonName retrieving. Tests: Validated the commonName retrieving with test certificates containing PrintableString or BMPString data. Cc: Ye Ting Cc: Michael Turner Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Long Qin Reviewed-by: Ye Ting =20 --- CryptoPkg/Include/Library/BaseCryptLib.h | 4 +- CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c | 53 ++++++++++++++++++-= ---- CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c | 4 +- 3 files changed, 47 insertions(+), 14 deletions(-) diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/L= ibrary/BaseCryptLib.h index 027ea09feb..dc6aaf0635 100644 --- a/CryptoPkg/Include/Library/BaseCryptLib.h +++ b/CryptoPkg/Include/Library/BaseCryptLib.h @@ -4,7 +4,7 @@ primitives (Hash Serials, HMAC, RSA, Diffie-Hellman, etc) for UEFI secur= ity functionality enabling. =20 -Copyright (c) 2009 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at @@ -2177,7 +2177,7 @@ X509GetSubjectName ( @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. @param[in] CertSize Size of the X509 certificate in bytes. @param[out] CommonName Buffer to contain the retrieved certifi= cate common - name string. At most CommonNameSize byt= es will be + name string (UTF8). At most CommonNameS= ize bytes will be written and the string will be null ter= minated. May be NULL in order to determine the size buf= fer needed. @param[in,out] CommonNameSize The size in bytes of the CommonName buf= fer on input, diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c b/CryptoPkg/Libr= ary/BaseCryptLib/Pk/CryptX509.c index 56e66308ae..c137df357f 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c @@ -1,7 +1,7 @@ /** @file X.509 Certificate Handler Wrapper Implementation over OpenSSL. =20 -Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.
+Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at @@ -303,7 +303,7 @@ _Exit: @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. @param[in] CertSize Size of the X509 certificate in bytes. @param[out] CommonName Buffer to contain the retrieved certifi= cate common - name string. At most CommonNameSize byt= es will be + name string (UTF8). At most CommonNameS= ize bytes will be written and the string will be null ter= minated. May be NULL in order to determine the size buf= fer needed. @param[in,out] CommonNameSize The size in bytes of the CommonName buf= fer on input, @@ -332,13 +332,18 @@ X509GetCommonName ( IN OUT UINTN *CommonNameSize ) { - RETURN_STATUS ReturnStatus; - BOOLEAN Status; - X509 *X509Cert; - X509_NAME *X509Name; - INTN Length; + RETURN_STATUS ReturnStatus; + BOOLEAN Status; + X509 *X509Cert; + X509_NAME *X509Name; + INT32 Index; + INTN Length; + X509_NAME_ENTRY *Entry; + ASN1_STRING *EntryData; + UINT8 *UTF8Name; =20 ReturnStatus =3D RETURN_INVALID_PARAMETER; + UTF8Name =3D NULL; =20 // // Check input parameters. @@ -378,8 +383,8 @@ X509GetCommonName ( // // Retrieve the CommonName information from X.509 Subject // - Length =3D (INTN) X509_NAME_get_text_by_NID (X509Name, NID_commonName, C= ommonName, (int)(*CommonNameSize)); - if (Length < 0) { + Index =3D X509_NAME_get_index_by_NID (X509Name, NID_commonName, -1); + if (Index < 0) { // // No CommonName entry exists in X509_NAME object // @@ -388,10 +393,35 @@ X509GetCommonName ( goto _Exit; } =20 - *CommonNameSize =3D (UINTN)(Length + 1); + Entry =3D X509_NAME_get_entry (X509Name, Index); + if (Entry =3D=3D NULL) { + // + // Fail to retrieve name entry data + // + *CommonNameSize =3D 0; + ReturnStatus =3D RETURN_NOT_FOUND; + goto _Exit; + } + + EntryData =3D X509_NAME_ENTRY_get_data (Entry); + + Length =3D ASN1_STRING_to_UTF8 (&UTF8Name, EntryData); + if (Length < 0) { + // + // Fail to convert the commonName string + // + *CommonNameSize =3D 0; + ReturnStatus =3D RETURN_INVALID_PARAMETER; + goto _Exit; + } + if (CommonName =3D=3D NULL) { + *CommonNameSize =3D Length + 1; ReturnStatus =3D RETURN_BUFFER_TOO_SMALL; } else { + *CommonNameSize =3D MIN ((UINTN)Length, *CommonNameSize - 1) + 1; + CopyMem (CommonName, UTF8Name, *CommonNameSize - 1); + CommonName[*CommonNameSize - 1] =3D '\0'; ReturnStatus =3D RETURN_SUCCESS; } =20 @@ -402,6 +432,9 @@ _Exit: if (X509Cert !=3D NULL) { X509_free (X509Cert); } + if (UTF8Name !=3D NULL) { + OPENSSL_free (UTF8Name); + } =20 return ReturnStatus; } diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c b/CryptoPkg/= Library/BaseCryptLib/Pk/CryptX509Null.c index d00f38daa8..d86c784a7f 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptX509Null.c @@ -2,7 +2,7 @@ X.509 Certificate Handler Wrapper Implementation which does not provide real capabilities. =20 -Copyright (c) 2012 - 2014, Intel Corporation. All rights reserved.
+Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD = License which accompanies this distribution. The full text of the license may be = found at @@ -135,7 +135,7 @@ X509GetSubjectName ( @param[in] Cert Pointer to the DER-encoded X509 certifi= cate. @param[in] CertSize Size of the X509 certificate in bytes. @param[out] CommonName Buffer to contain the retrieved certifi= cate common - name string. At most CommonNameSize byt= es will be + name string (UTF8). At most CommonNameS= ize bytes will be written and the string will be null ter= minated. May be NULL in order to determine the size buf= fer needed. @param[in,out] CommonNameSize The size in bytes of the CommonName buf= fer on input, --=20 2.16.1.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel