]> git.proxmox.com Git - mirror_edk2.git/blame - CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c
projects / mirror_edk2.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
CrptoPkg/BaseCryptLib: Fix type mismatch when calling OpenSSL function
[mirror_edk2.git] / CryptoPkg / Library / BaseCryptLib / Pk / CryptX509.c
CommitLineData
4a567c96 1/** @file\r
2 X.509 Certificate Handler Wrapper Implementation over OpenSSL.\r
3\r
f56b11d2 4Copyright (c) 2010 - 2017, Intel Corporation. All rights reserved.<BR>\r
4a567c96 5This program and the accompanying materials\r
6are licensed and made available under the terms and conditions of the BSD License\r
7which accompanies this distribution. The full text of the license may be found at\r
8http://opensource.org/licenses/bsd-license.php\r
9\r
10THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
11WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
12\r
13**/\r
14\r
15#include "InternalCryptLib.h"\r
16#include <openssl/x509.h>\r
1cae0c83 17#include <openssl/rsa.h>\r
b7d320f8 18\r
19/**\r
20 Construct a X509 object from DER-encoded certificate data.\r
21\r
16d2c32c 22 If Cert is NULL, then return FALSE.\r
23 If SingleX509Cert is NULL, then return FALSE.\r
b7d320f8 24\r
25 @param[in] Cert Pointer to the DER-encoded certificate data.\r
26 @param[in] CertSize The size of certificate data in bytes.\r
27 @param[out] SingleX509Cert The generated X509 object.\r
28\r
29 @retval TRUE The X509 object generation succeeded.\r
30 @retval FALSE The operation failed.\r
31\r
32**/\r
33BOOLEAN\r
34EFIAPI\r
35X509ConstructCertificate (\r
36 IN CONST UINT8 *Cert,\r
37 IN UINTN CertSize,\r
38 OUT UINT8 **SingleX509Cert\r
39 )\r
40{\r
1463ce18
QL		 41 X509 *X509Cert;\r
42 CONST UINT8 *Temp;\r
b7d320f8 43\r
44 //\r
16d2c32c 45 // Check input parameters.\r
b7d320f8 46 //\r
16d2c32c 47 if (Cert == NULL || SingleX509Cert == NULL || CertSize > INT_MAX) {\r
48 return FALSE;\r
49 }\r
da9e7418 50\r
b7d320f8 51 //\r
52 // Read DER-encoded X509 Certificate and Construct X509 object.\r
53 //\r
1463ce18
QL		 54 Temp = Cert;\r
55 X509Cert = d2i_X509 (NULL, &Temp, (long) CertSize);\r
b7d320f8 56 if (X509Cert == NULL) {\r
02ee8d3b 57 return FALSE;\r
b7d320f8 58 }\r
59\r
60 *SingleX509Cert = (UINT8 *) X509Cert;\r
b7d320f8 61\r
02ee8d3b 62 return TRUE;\r
b7d320f8 63}\r
64\r
65/**\r
66 Construct a X509 stack object from a list of DER-encoded certificate data.\r
67\r
16d2c32c 68 If X509Stack is NULL, then return FALSE.\r
b7d320f8 69\r
952bd229 70 @param[in, out] X509Stack On input, pointer to an existing or NULL X509 stack object.\r
b7d320f8 71 On output, pointer to the X509 stack object with new\r
72 inserted X509 certificate.\r
73 @param ... A list of DER-encoded single certificate data followed\r
74 by certificate size. A NULL terminates the list. The\r
75 pairs are the arguments to X509ConstructCertificate().\r
f56b11d2 76\r
b7d320f8 77 @retval TRUE The X509 stack construction succeeded.\r
78 @retval FALSE The construction operation failed.\r
79\r
80**/\r
81BOOLEAN\r
82EFIAPI\r
83X509ConstructCertificateStack (\r
84 IN OUT UINT8 **X509Stack,\r
f56b11d2 85 ...\r
b7d320f8 86 )\r
87{\r
88 UINT8 *Cert;\r
89 UINTN CertSize;\r
90 X509 *X509Cert;\r
91 STACK_OF(X509) *CertStack;\r
92 BOOLEAN Status;\r
93 VA_LIST Args;\r
94 UINTN Index;\r
95\r
96 //\r
16d2c32c 97 // Check input parameters.\r
b7d320f8 98 //\r
16d2c32c 99 if (X509Stack == NULL) {\r
100 return FALSE;\r
101 }\r
b7d320f8 102\r
103 Status = FALSE;\r
104\r
105 //\r
106 // Initialize X509 stack object.\r
107 //\r
108 CertStack = (STACK_OF(X509) *) (*X509Stack);\r
109 if (CertStack == NULL) {\r
110 CertStack = sk_X509_new_null ();\r
111 if (CertStack == NULL) {\r
112 return Status;\r
113 }\r
114 }\r
115\r
116 VA_START (Args, X509Stack);\r
117\r
118 for (Index = 0; ; Index++) {\r
119 //\r
120 // If Cert is NULL, then it is the end of the list.\r
121 //\r
122 Cert = VA_ARG (Args, UINT8 *);\r
123 if (Cert == NULL) {\r
124 break;\r
125 }\r
126\r
127 CertSize = VA_ARG (Args, UINTN);\r
1463ce18
QL		 128 if (CertSize == 0) {\r
129 break;\r
130 }\r
b7d320f8 131\r
132 //\r
133 // Construct X509 Object from the given DER-encoded certificate data.\r
134 //\r
952bd229 135 X509Cert = NULL;\r
b7d320f8 136 Status = X509ConstructCertificate (\r
137 (CONST UINT8 *) Cert,\r
138 CertSize,\r
139 (UINT8 **) &X509Cert\r
140 );\r
141 if (!Status) {\r
1463ce18
QL		 142 if (X509Cert != NULL) {\r
143 X509_free (X509Cert);\r
144 }\r
b7d320f8 145 break;\r
146 }\r
147\r
148 //\r
149 // Insert the new X509 object into X509 stack object.\r
150 //\r
151 sk_X509_push (CertStack, X509Cert);\r
152 }\r
153\r
154 VA_END (Args);\r
155\r
156 if (!Status) {\r
157 sk_X509_pop_free (CertStack, X509_free);\r
158 } else {\r
159 *X509Stack = (UINT8 *) CertStack;\r
160 }\r
161\r
162 return Status;\r
163}\r
164\r
165/**\r
166 Release the specified X509 object.\r
167\r
16d2c32c 168 If X509Cert is NULL, then return FALSE.\r
b7d320f8 169\r
170 @param[in] X509Cert Pointer to the X509 object to be released.\r
171\r
172**/\r
173VOID\r
174EFIAPI\r
175X509Free (\r
176 IN VOID *X509Cert\r
177 )\r
f56b11d2 178{\r
16d2c32c 179 //\r
180 // Check input parameters.\r
181 //\r
182 if (X509Cert == NULL) {\r
183 return;\r
184 }\r
f56b11d2 185\r
b7d320f8 186 //\r
187 // Free OpenSSL X509 object.\r
188 //\r
189 X509_free ((X509 *) X509Cert);\r
190}\r
191\r
192/**\r
193 Release the specified X509 stack object.\r
194\r
16d2c32c 195 If X509Stack is NULL, then return FALSE.\r
b7d320f8 196\r
197 @param[in] X509Stack Pointer to the X509 stack object to be released.\r
198\r
199**/\r
200VOID\r
201EFIAPI\r
202X509StackFree (\r
203 IN VOID *X509Stack\r
204 )\r
205{\r
16d2c32c 206 //\r
207 // Check input parameters.\r
208 //\r
209 if (X509Stack == NULL) {\r
210 return;\r
211 }\r
f56b11d2 212\r
b7d320f8 213 //\r
214 // Free OpenSSL X509 stack object.\r
215 //\r
216 sk_X509_pop_free ((STACK_OF(X509) *) X509Stack, X509_free);\r
217}\r
218\r
4a567c96 219/**\r
220 Retrieve the subject bytes from one X.509 certificate.\r
221\r
222 @param[in] Cert Pointer to the DER-encoded X509 certificate.\r
223 @param[in] CertSize Size of the X509 certificate in bytes.\r
224 @param[out] CertSubject Pointer to the retrieved certificate subject bytes.\r
225 @param[in, out] SubjectSize The size in bytes of the CertSubject buffer on input,\r
226 and the size of buffer returned CertSubject on output.\r
227\r
16d2c32c 228 If Cert is NULL, then return FALSE.\r
229 If SubjectSize is NULL, then return FALSE.\r
4a567c96 230\r
231 @retval TRUE The certificate subject retrieved successfully.\r
232 @retval FALSE Invalid certificate, or the SubjectSize is too small for the result.\r
233 The SubjectSize will be updated with the required size.\r
234\r
235**/\r
236BOOLEAN\r
237EFIAPI\r
238X509GetSubjectName (\r
239 IN CONST UINT8 *Cert,\r
240 IN UINTN CertSize,\r
241 OUT UINT8 *CertSubject,\r
242 IN OUT UINTN *SubjectSize\r
243 )\r
244{\r
245 BOOLEAN Status;\r
4a567c96 246 X509 *X509Cert;\r
247 X509_NAME *X509Name;\r
eeb8928a 248 UINTN X509NameSize;\r
4a567c96 249\r
250 //\r
16d2c32c 251 // Check input parameters.\r
4a567c96 252 //\r
16d2c32c 253 if (Cert == NULL || SubjectSize == NULL) {\r
254 return FALSE;\r
255 }\r
4a567c96 256\r
4a567c96 257 X509Cert = NULL;\r
258\r
259 //\r
260 // Read DER-encoded X509 Certificate and Construct X509 object.\r
261 //\r
b7d320f8 262 Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert);\r
263 if ((X509Cert == NULL) || (!Status)) {\r
dda39f3a 264 Status = FALSE;\r
4a567c96 265 goto _Exit;\r
266 }\r
267\r
dda39f3a 268 Status = FALSE;\r
269\r
4a567c96 270 //\r
271 // Retrieve subject name from certificate object.\r
272 //\r
273 X509Name = X509_get_subject_name (X509Cert);\r
dda39f3a 274 if (X509Name == NULL) {\r
275 goto _Exit;\r
276 }\r
277\r
eeb8928a
DW		 278 X509NameSize = i2d_X509_NAME(X509Name, NULL);\r
279 if (*SubjectSize < X509NameSize) {\r
280 *SubjectSize = X509NameSize;\r
4a567c96 281 goto _Exit;\r
282 }\r
eeb8928a 283 *SubjectSize = X509NameSize;\r
4a567c96 284 if (CertSubject != NULL) {\r
eeb8928a 285 i2d_X509_NAME(X509Name, &CertSubject);\r
4a567c96 286 Status = TRUE;\r
287 }\r
288\r
289_Exit:\r
290 //\r
291 // Release Resources.\r
292 //\r
dda39f3a 293 if (X509Cert != NULL) {\r
294 X509_free (X509Cert);\r
295 }\r
4a567c96 296\r
297 return Status;\r
298}\r
5b7c2245
QL		 299\r
300/**\r
301 Retrieve the common name (CN) string from one X.509 certificate.\r
302\r
303 @param[in] Cert Pointer to the DER-encoded X509 certificate.\r
304 @param[in] CertSize Size of the X509 certificate in bytes.\r
305 @param[out] CommonName Buffer to contain the retrieved certificate common\r
306 name string. At most CommonNameSize bytes will be\r
307 written and the string will be null terminated. May be\r
308 NULL in order to determine the size buffer needed.\r
309 @param[in,out] CommonNameSize The size in bytes of the CommonName buffer on input,\r
310 and the size of buffer returned CommonName on output.\r
311 If CommonName is NULL then the amount of space needed\r
312 in buffer (including the final null) is returned.\r
313\r
314 @retval RETURN_SUCCESS The certificate CommonName retrieved successfully.\r
315 @retval RETURN_INVALID_PARAMETER If Cert is NULL.\r
316 If CommonNameSize is NULL.\r
317 If CommonName is not NULL and *CommonNameSize is 0.\r
318 If Certificate is invalid.\r
319 @retval RETURN_NOT_FOUND If no CommonName entry exists.\r
320 @retval RETURN_BUFFER_TOO_SMALL If the CommonName is NULL. The required buffer size\r
321 (including the final null) is returned in the \r
322 CommonNameSize parameter.\r
323 @retval RETURN_UNSUPPORTED The operation is not supported.\r
324\r
325**/\r
326RETURN_STATUS\r
327EFIAPI\r
328X509GetCommonName (\r
329 IN CONST UINT8 *Cert,\r
330 IN UINTN CertSize,\r
331 OUT CHAR8 *CommonName, OPTIONAL\r
332 IN OUT UINTN *CommonNameSize\r
333 )\r
334{\r
335 RETURN_STATUS ReturnStatus;\r
336 BOOLEAN Status;\r
337 X509 *X509Cert;\r
338 X509_NAME *X509Name;\r
339 INTN Length;\r
340\r
341 ReturnStatus = RETURN_INVALID_PARAMETER;\r
342\r
343 //\r
344 // Check input parameters.\r
345 //\r
346 if ((Cert == NULL) || (CertSize > INT_MAX) || (CommonNameSize == NULL)) {\r
347 return ReturnStatus;\r
348 }\r
349 if ((CommonName != NULL) && (*CommonNameSize == 0)) {\r
350 return ReturnStatus;\r
351 }\r
352\r
353 X509Cert = NULL;\r
354 //\r
355 // Read DER-encoded X509 Certificate and Construct X509 object.\r
356 //\r
357 Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert);\r
358 if ((X509Cert == NULL) || (!Status)) {\r
359 //\r
360 // Invalid X.509 Certificate\r
361 //\r
362 goto _Exit;\r
363 }\r
364\r
365 Status = FALSE;\r
366\r
367 //\r
368 // Retrieve subject name from certificate object.\r
369 //\r
370 X509Name = X509_get_subject_name (X509Cert);\r
371 if (X509Name == NULL) {\r
372 //\r
373 // Fail to retrieve subject name content\r
374 //\r
375 goto _Exit;\r
376 }\r
377\r
378 //\r
379 // Retrieve the CommonName information from X.509 Subject\r
380 //\r
381 Length = (INTN) X509_NAME_get_text_by_NID (X509Name, NID_commonName, CommonName, (int)(*CommonNameSize));\r
382 if (Length < 0) {\r
383 //\r
384 // No CommonName entry exists in X509_NAME object\r
385 //\r
386 *CommonNameSize = 0;\r
387 ReturnStatus = RETURN_NOT_FOUND;\r
388 goto _Exit;\r
389 }\r
390\r
391 *CommonNameSize = (UINTN)(Length + 1);\r
392 if (CommonName == NULL) {\r
393 ReturnStatus = RETURN_BUFFER_TOO_SMALL;\r
394 } else {\r
395 ReturnStatus = RETURN_SUCCESS;\r
396 }\r
397\r
398_Exit:\r
399 //\r
400 // Release Resources.\r
401 //\r
402 if (X509Cert != NULL) {\r
403 X509_free (X509Cert);\r
404 }\r
405\r
406 return ReturnStatus;\r
407}\r
4a567c96 408\r
409/**\r
410 Retrieve the RSA Public Key from one DER-encoded X509 certificate.\r
411\r
412 @param[in] Cert Pointer to the DER-encoded X509 certificate.\r
413 @param[in] CertSize Size of the X509 certificate in bytes.\r
414 @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved\r
415 RSA public key component. Use RsaFree() function to free the\r
416 resource.\r
417\r
16d2c32c 418 If Cert is NULL, then return FALSE.\r
419 If RsaContext is NULL, then return FALSE.\r
4a567c96 420\r
421 @retval TRUE RSA Public Key was retrieved successfully.\r
422 @retval FALSE Fail to retrieve RSA public key from X509 certificate.\r
423\r
424**/\r
425BOOLEAN\r
426EFIAPI\r
427RsaGetPublicKeyFromX509 (\r
428 IN CONST UINT8 *Cert,\r
429 IN UINTN CertSize,\r
430 OUT VOID **RsaContext\r
431 )\r
432{\r
433 BOOLEAN Status;\r
434 EVP_PKEY *Pkey;\r
4a567c96 435 X509 *X509Cert;\r
f56b11d2 436\r
4a567c96 437 //\r
16d2c32c 438 // Check input parameters.\r
4a567c96 439 //\r
16d2c32c 440 if (Cert == NULL || RsaContext == NULL) {\r
441 return FALSE;\r
442 }\r
4a567c96 443\r
4a567c96 444 Pkey = NULL;\r
4a567c96 445 X509Cert = NULL;\r
446\r
447 //\r
448 // Read DER-encoded X509 Certificate and Construct X509 object.\r
449 //\r
b7d320f8 450 Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert);\r
451 if ((X509Cert == NULL) || (!Status)) {\r
dda39f3a 452 Status = FALSE;\r
4a567c96 453 goto _Exit;\r
454 }\r
455\r
dda39f3a 456 Status = FALSE;\r
457\r
4a567c96 458 //\r
459 // Retrieve and check EVP_PKEY data from X509 Certificate.\r
460 //\r
461 Pkey = X509_get_pubkey (X509Cert);\r
f56b11d2 462 if ((Pkey == NULL) || (EVP_PKEY_id (Pkey) != EVP_PKEY_RSA)) {\r
4a567c96 463 goto _Exit;\r
464 }\r
465\r
466 //\r
467 // Duplicate RSA Context from the retrieved EVP_PKEY.\r
468 //\r
f56b11d2 469 if ((*RsaContext = RSAPublicKey_dup (EVP_PKEY_get0_RSA (Pkey))) != NULL) {\r
4a567c96 470 Status = TRUE;\r
471 }\r
472\r
473_Exit:\r
474 //\r
475 // Release Resources.\r
476 //\r
dda39f3a 477 if (X509Cert != NULL) {\r
478 X509_free (X509Cert);\r
479 }\r
480\r
481 if (Pkey != NULL) {\r
482 EVP_PKEY_free (Pkey);\r
f56b11d2 483 }\r
4a567c96 484\r
485 return Status;\r
486}\r
487\r
488/**\r
489 Verify one X509 certificate was issued by the trusted CA.\r
490\r
491 @param[in] Cert Pointer to the DER-encoded X509 certificate to be verified.\r
492 @param[in] CertSize Size of the X509 certificate in bytes.\r
493 @param[in] CACert Pointer to the DER-encoded trusted CA certificate.\r
494 @param[in] CACertSize Size of the CA Certificate in bytes.\r
495\r
16d2c32c 496 If Cert is NULL, then return FALSE.\r
497 If CACert is NULL, then return FALSE.\r
4a567c96 498\r
499 @retval TRUE The certificate was issued by the trusted CA.\r
500 @retval FALSE Invalid certificate or the certificate was not issued by the given\r
501 trusted CA.\r
502\r
503**/\r
504BOOLEAN\r
505EFIAPI\r
506X509VerifyCert (\r
507 IN CONST UINT8 *Cert,\r
508 IN UINTN CertSize,\r
509 IN CONST UINT8 *CACert,\r
510 IN UINTN CACertSize\r
511 )\r
512{\r
513 BOOLEAN Status;\r
4a567c96 514 X509 *X509Cert;\r
515 X509 *X509CACert;\r
516 X509_STORE *CertStore;\r
f56b11d2
QL		 517 X509_STORE_CTX *CertCtx;\r
518\r
4a567c96 519 //\r
16d2c32c 520 // Check input parameters.\r
4a567c96 521 //\r
16d2c32c 522 if (Cert == NULL || CACert == NULL) {\r
523 return FALSE;\r
524 }\r
4a567c96 525\r
526 Status = FALSE;\r
4a567c96 527 X509Cert = NULL;\r
528 X509CACert = NULL;\r
529 CertStore = NULL;\r
f56b11d2 530 CertCtx = NULL;\r
4a567c96 531\r
532 //\r
533 // Register & Initialize necessary digest algorithms for certificate verification.\r
534 //\r
dda39f3a 535 if (EVP_add_digest (EVP_md5 ()) == 0) {\r
536 goto _Exit;\r
537 }\r
538 if (EVP_add_digest (EVP_sha1 ()) == 0) {\r
539 goto _Exit;\r
540 }\r
541 if (EVP_add_digest (EVP_sha256 ()) == 0) {\r
542 goto _Exit;\r
543 }\r
4a567c96 544\r
545 //\r
546 // Read DER-encoded certificate to be verified and Construct X509 object.\r
547 //\r
b7d320f8 548 Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert);\r
549 if ((X509Cert == NULL) || (!Status)) {\r
dda39f3a 550 Status = FALSE;\r
4a567c96 551 goto _Exit;\r
552 }\r
553\r
554 //\r
555 // Read DER-encoded root certificate and Construct X509 object.\r
556 //\r
b7d320f8 557 Status = X509ConstructCertificate (CACert, CACertSize, (UINT8 **) &X509CACert);\r
558 if ((X509CACert == NULL) || (!Status)) {\r
dda39f3a 559 Status = FALSE;\r
4a567c96 560 goto _Exit;\r
561 }\r
562\r
dda39f3a 563 Status = FALSE;\r
564\r
4a567c96 565 //\r
566 // Set up X509 Store for trusted certificate.\r
567 //\r
568 CertStore = X509_STORE_new ();\r
569 if (CertStore == NULL) {\r
570 goto _Exit;\r
571 }\r
572 if (!(X509_STORE_add_cert (CertStore, X509CACert))) {\r
573 goto _Exit;\r
574 }\r
575\r
68547181
DW		 576 //\r
577 // Allow partial certificate chains, terminated by a non-self-signed but\r
de0408be 578 // still trusted intermediate certificate. Also disable time checks.\r
68547181 579 //\r
de0408be
DW		 580 X509_STORE_set_flags (CertStore,\r
581 X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME);\r
68547181 582\r
4a567c96 583 //\r
584 // Set up X509_STORE_CTX for the subsequent verification operation.\r
585 //\r
f56b11d2
QL		 586 CertCtx = X509_STORE_CTX_new ();\r
587 if (CertCtx == NULL) {\r
588 goto _Exit;\r
589 }\r
590 if (!X509_STORE_CTX_init (CertCtx, CertStore, X509Cert, NULL)) {\r
4a567c96 591 goto _Exit;\r
592 }\r
593\r
594 //\r
595 // X509 Certificate Verification.\r
596 //\r
f56b11d2
QL		 597 Status = (BOOLEAN) X509_verify_cert (CertCtx);\r
598 X509_STORE_CTX_cleanup (CertCtx);\r
4a567c96 599\r
600_Exit:\r
601 //\r
602 // Release Resources.\r
603 //\r
dda39f3a 604 if (X509Cert != NULL) {\r
605 X509_free (X509Cert);\r
606 }\r
607\r
608 if (X509CACert != NULL) {\r
609 X509_free (X509CACert);\r
610 }\r
4a567c96 611\r
dda39f3a 612 if (CertStore != NULL) {\r
613 X509_STORE_free (CertStore);\r
614 }\r
f56b11d2
QL		 615\r
616 X509_STORE_CTX_free (CertCtx);\r
617\r
4a567c96 618 return Status;\r
619}\r
12d95665
LQ		 620\r
621/**\r
622 Retrieve the TBSCertificate from one given X.509 certificate.\r
623\r
624 @param[in] Cert Pointer to the given DER-encoded X509 certificate.\r
625 @param[in] CertSize Size of the X509 certificate in bytes.\r
626 @param[out] TBSCert DER-Encoded To-Be-Signed certificate.\r
627 @param[out] TBSCertSize Size of the TBS certificate in bytes.\r
628\r
629 If Cert is NULL, then return FALSE.\r
630 If TBSCert is NULL, then return FALSE.\r
631 If TBSCertSize is NULL, then return FALSE.\r
632\r
633 @retval TRUE The TBSCertificate was retrieved successfully.\r
634 @retval FALSE Invalid X.509 certificate.\r
635\r
636**/\r
637BOOLEAN\r
638EFIAPI\r
639X509GetTBSCert (\r
640 IN CONST UINT8 *Cert,\r
641 IN UINTN CertSize,\r
642 OUT UINT8 **TBSCert,\r
643 OUT UINTN *TBSCertSize\r
644 )\r
645{\r
646 CONST UINT8 *Temp;\r
2067d9f8
ZC		 647 UINT32 Asn1Tag;\r
648 UINT32 ObjClass;\r
12d95665
LQ		 649 UINTN Length;\r
650\r
651 //\r
652 // Check input parameters.\r
653 //\r
1463ce18
QL		 654 if ((Cert == NULL) || (TBSCert == NULL) ||\r
655 (TBSCertSize == NULL) || (CertSize > INT_MAX)) {\r
12d95665
LQ		 656 return FALSE;\r
657 }\r
658\r
659 //\r
660 // An X.509 Certificate is: (defined in RFC3280)\r
661 // Certificate ::= SEQUENCE {\r
662 // tbsCertificate TBSCertificate,\r
663 // signatureAlgorithm AlgorithmIdentifier,\r
664 // signature BIT STRING }\r
665 //\r
666 // and\r
667 //\r
668 // TBSCertificate ::= SEQUENCE {\r
669 // version [0] Version DEFAULT v1,\r
670 // ...\r
671 // }\r
672 //\r
673 // So we can just ASN1-parse the x.509 DER-encoded data. If we strip\r
674 // the first SEQUENCE, the second SEQUENCE is the TBSCertificate.\r
675 //\r
2067d9f8
ZC		 676 Temp = Cert;\r
677 Length = 0;\r
12d95665
LQ		 678 ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int *)&ObjClass, (long)CertSize);\r
679\r
680 if (Asn1Tag != V_ASN1_SEQUENCE) {\r
681 return FALSE;\r
682 }\r
683\r
684 *TBSCert = (UINT8 *)Temp;\r
685\r
686 ASN1_get_object (&Temp, (long *)&Length, (int *)&Asn1Tag, (int *)&ObjClass, (long)Length);\r
687 //\r
688 // Verify the parsed TBSCertificate is one correct SEQUENCE data.\r
689 //\r
690 if (Asn1Tag != V_ASN1_SEQUENCE) {\r
691 return FALSE;\r
692 }\r
693\r
694 *TBSCertSize = Length + (Temp - *TBSCert);\r
f56b11d2 695\r
12d95665
LQ		 696 return TRUE;\r
697}\r
EFI Development Kit II mirror for PVE