CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c

   1 /** @file
   2   X.509 Certificate Handler Wrapper Implementation over OpenSSL.
   3
   4 Copyright (c) 2010 - 2011, Intel Corporation. All rights reserved.<BR>
   5 This program and the accompanying materials
   6 are licensed and made available under the terms and conditions of the BSD License
   7 which accompanies this distribution.  The full text of the license may be found at
   8 http://opensource.org/licenses/bsd-license.php
   9
  10 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
  11 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
  12
  13 **/
  14
  15 #include "InternalCryptLib.h"
  16 #include <openssl/x509.h>
  17
  18
  19 /**
  20   Construct a X509 object from DER-encoded certificate data.
  21
  22   If Cert is NULL, then ASSERT().
  23   If SingleX509Cert is NULL, then ASSERT().
  24
  25   @param[in]  Cert            Pointer to the DER-encoded certificate data.
  26   @param[in]  CertSize        The size of certificate data in bytes.
  27   @param[out] SingleX509Cert  The generated X509 object.
  28
  29   @retval     TRUE            The X509 object generation succeeded.
  30   @retval     FALSE           The operation failed.
  31
  32 **/
  33 BOOLEAN
  34 EFIAPI
  35 X509ConstructCertificate (
  36   IN   CONST UINT8  *Cert,
  37   IN   UINTN        CertSize,
  38   OUT  UINT8        **SingleX509Cert
  39   )
  40 {
  41   BIO      *CertBio;
  42   X509     *X509Cert;
  43   BOOLEAN  Status;
  44
  45   //
  46   // ASSERT if Cert is NULL or SingleX509Cert is NULL.
  47   //
  48   ASSERT (Cert           != NULL);
  49   ASSERT (SingleX509Cert != NULL);
  50   ASSERT (CertSize       <= INT_MAX);
  51
  52   Status = FALSE;
  53
  54   //
  55   // Read DER-encoded X509 Certificate and Construct X509 object.
  56   //
  57   CertBio = BIO_new (BIO_s_mem ());
  58   BIO_write (CertBio, Cert, (int) CertSize);
  59   if (CertBio == NULL) {
  60     goto _Exit;
  61   }
  62   X509Cert = d2i_X509_bio (CertBio, NULL);
  63   if (X509Cert == NULL) {
  64     goto _Exit;
  65   }
  66
  67   *SingleX509Cert = (UINT8 *) X509Cert;
  68   Status = TRUE;
  69
  70 _Exit:
  71   //
  72   // Release Resources.
  73   //
  74   BIO_free (CertBio);
  75
  76   return Status;
  77 }
  78
  79 /**
  80   Construct a X509 stack object from a list of DER-encoded certificate data.
  81
  82   If X509Stack is NULL, then ASSERT().
  83
  84   @param[in, out]  X509Stack  On input, pointer to an existing X509 stack object.
  85                               On output, pointer to the X509 stack object with new
  86                               inserted X509 certificate.
  87   @param           ...        A list of DER-encoded single certificate data followed
  88                               by certificate size. A NULL terminates the list. The
  89                               pairs are the arguments to X509ConstructCertificate().
  90
  91   @retval     TRUE            The X509 stack construction succeeded.
  92   @retval     FALSE           The construction operation failed.
  93
  94 **/
  95 BOOLEAN
  96 EFIAPI
  97 X509ConstructCertificateStack (
  98   IN OUT  UINT8  **X509Stack,
  99   ...
 100   )
 101 {
 102   UINT8           *Cert;
 103   UINTN           CertSize;
 104   X509            *X509Cert;
 105   STACK_OF(X509)  *CertStack;
 106   BOOLEAN         Status;
 107   VA_LIST         Args;
 108   UINTN           Index;
 109
 110   //
 111   // ASSERT if input X509Stack is NULL.
 112   //
 113   ASSERT (X509Stack != NULL);
 114
 115   Status = FALSE;
 116
 117   //
 118   // Initialize X509 stack object.
 119   //
 120   CertStack = (STACK_OF(X509) *) (*X509Stack);
 121   if (CertStack == NULL) {
 122     CertStack = sk_X509_new_null ();
 123     if (CertStack == NULL) {
 124       return Status;
 125     }
 126   }
 127
 128   VA_START (Args, X509Stack);
 129
 130   for (Index = 0; ; Index++) {
 131     //
 132     // If Cert is NULL, then it is the end of the list.
 133     //
 134     Cert = VA_ARG (Args, UINT8 *);
 135     if (Cert == NULL) {
 136       break;
 137     }
 138
 139     CertSize = VA_ARG (Args, UINTN);
 140
 141     //
 142     // Construct X509 Object from the given DER-encoded certificate data.
 143     //
 144     Status = X509ConstructCertificate (
 145                (CONST UINT8 *) Cert,
 146                CertSize,
 147                (UINT8 **) &X509Cert
 148                );
 149     if (!Status) {
 150       X509_free (X509Cert);
 151       break;
 152     }
 153
 154     //
 155     // Insert the new X509 object into X509 stack object.
 156     //
 157     sk_X509_push (CertStack, X509Cert);
 158   }
 159
 160   VA_END (Args);
 161
 162   if (!Status) {
 163     sk_X509_pop_free (CertStack, X509_free);
 164   } else {
 165     *X509Stack = (UINT8 *) CertStack;
 166   }
 167
 168   return Status;
 169 }
 170
 171 /**
 172   Release the specified X509 object.
 173
 174   If X509Cert is NULL, then ASSERT().
 175
 176   @param[in]  X509Cert  Pointer to the X509 object to be released.
 177
 178 **/
 179 VOID
 180 EFIAPI
 181 X509Free (
 182   IN  VOID  *X509Cert
 183   )
 184 {
 185   ASSERT (X509Cert != NULL);
 186
 187   //
 188   // Free OpenSSL X509 object.
 189   //
 190   X509_free ((X509 *) X509Cert);
 191 }
 192
 193 /**
 194   Release the specified X509 stack object.
 195
 196   If X509Stack is NULL, then ASSERT().
 197
 198   @param[in]  X509Stack  Pointer to the X509 stack object to be released.
 199
 200 **/
 201 VOID
 202 EFIAPI
 203 X509StackFree (
 204   IN  VOID  *X509Stack
 205   )
 206 {
 207   ASSERT (X509Stack != NULL);
 208
 209   //
 210   // Free OpenSSL X509 stack object.
 211   //
 212   sk_X509_pop_free ((STACK_OF(X509) *) X509Stack, X509_free);
 213 }
 214
 215 /**
 216   Retrieve the subject bytes from one X.509 certificate.
 217
 218   @param[in]      Cert         Pointer to the DER-encoded X509 certificate.
 219   @param[in]      CertSize     Size of the X509 certificate in bytes.
 220   @param[out]     CertSubject  Pointer to the retrieved certificate subject bytes.
 221   @param[in, out] SubjectSize  The size in bytes of the CertSubject buffer on input,
 222                                and the size of buffer returned CertSubject on output.
 223
 224   If Cert is NULL, then ASSERT().
 225   If SubjectSize is NULL, then ASSERT().
 226
 227   @retval  TRUE   The certificate subject retrieved successfully.
 228   @retval  FALSE  Invalid certificate, or the SubjectSize is too small for the result.
 229                   The SubjectSize will be updated with the required size.
 230
 231 **/
 232 BOOLEAN
 233 EFIAPI
 234 X509GetSubjectName (
 235   IN      CONST UINT8  *Cert,
 236   IN      UINTN        CertSize,
 237   OUT     UINT8        *CertSubject,
 238   IN OUT  UINTN        *SubjectSize
 239   )
 240 {
 241   BOOLEAN    Status;
 242   X509       *X509Cert;
 243   X509_NAME  *X509Name;
 244
 245   //
 246   // ASSERT if Cert is NULL or SubjectSize is NULL.
 247   //
 248   ASSERT (Cert        != NULL);
 249   ASSERT (SubjectSize != NULL);
 250
 251   Status   = FALSE;
 252   X509Cert = NULL;
 253
 254   //
 255   // Read DER-encoded X509 Certificate and Construct X509 object.
 256   //
 257   Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert);
 258   if ((X509Cert == NULL) || (!Status)) {
 259     goto _Exit;
 260   }
 261
 262   //
 263   // Retrieve subject name from certificate object.
 264   //
 265   X509Name = X509_get_subject_name (X509Cert);
 266   if (*SubjectSize < (UINTN) X509Name->bytes->length) {
 267     *SubjectSize = (UINTN) X509Name->bytes->length;
 268     goto _Exit;
 269   }
 270   *SubjectSize = (UINTN) X509Name->bytes->length;
 271   if (CertSubject != NULL) {
 272     CopyMem (CertSubject, (UINT8 *)X509Name->bytes->data, *SubjectSize);
 273     Status = TRUE;
 274   }
 275
 276 _Exit:
 277   //
 278   // Release Resources.
 279   //
 280   X509_free (X509Cert);
 281
 282   return Status;
 283 }
 284
 285 /**
 286   Retrieve the RSA Public Key from one DER-encoded X509 certificate.
 287
 288   @param[in]  Cert         Pointer to the DER-encoded X509 certificate.
 289   @param[in]  CertSize     Size of the X509 certificate in bytes.
 290   @param[out] RsaContext   Pointer to new-generated RSA context which contain the retrieved
 291                            RSA public key component. Use RsaFree() function to free the
 292                            resource.
 293
 294   If Cert is NULL, then ASSERT().
 295   If RsaContext is NULL, then ASSERT().
 296
 297   @retval  TRUE   RSA Public Key was retrieved successfully.
 298   @retval  FALSE  Fail to retrieve RSA public key from X509 certificate.
 299
 300 **/
 301 BOOLEAN
 302 EFIAPI
 303 RsaGetPublicKeyFromX509 (
 304   IN   CONST UINT8  *Cert,
 305   IN   UINTN        CertSize,
 306   OUT  VOID         **RsaContext
 307   )
 308 {
 309   BOOLEAN   Status;
 310   EVP_PKEY  *Pkey;
 311   X509      *X509Cert;
 312
 313   //
 314   // ASSERT if Cert is NULL or RsaContext is NULL.
 315   //
 316   ASSERT (Cert       != NULL);
 317   ASSERT (RsaContext != NULL);
 318
 319   Status   = FALSE;
 320   Pkey     = NULL;
 321   X509Cert = NULL;
 322
 323   //
 324   // Read DER-encoded X509 Certificate and Construct X509 object.
 325   //
 326   Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert);
 327   if ((X509Cert == NULL) || (!Status)) {
 328     goto _Exit;
 329   }
 330
 331   //
 332   // Retrieve and check EVP_PKEY data from X509 Certificate.
 333   //
 334   Pkey = X509_get_pubkey (X509Cert);
 335   if ((Pkey == NULL) || (Pkey->type != EVP_PKEY_RSA)) {
 336     goto _Exit;
 337   }
 338
 339   //
 340   // Duplicate RSA Context from the retrieved EVP_PKEY.
 341   //
 342   if ((*RsaContext = RSAPublicKey_dup (Pkey->pkey.rsa)) != NULL) {
 343     Status = TRUE;
 344   }
 345
 346 _Exit:
 347   //
 348   // Release Resources.
 349   //
 350   X509_free (X509Cert);
 351   EVP_PKEY_free (Pkey);
 352
 353   return Status;
 354 }
 355
 356 /**
 357   Verify one X509 certificate was issued by the trusted CA.
 358
 359   @param[in]      Cert         Pointer to the DER-encoded X509 certificate to be verified.
 360   @param[in]      CertSize     Size of the X509 certificate in bytes.
 361   @param[in]      CACert       Pointer to the DER-encoded trusted CA certificate.
 362   @param[in]      CACertSize   Size of the CA Certificate in bytes.
 363
 364   If Cert is NULL, then ASSERT().
 365   If CACert is NULL, then ASSERT().
 366
 367   @retval  TRUE   The certificate was issued by the trusted CA.
 368   @retval  FALSE  Invalid certificate or the certificate was not issued by the given
 369                   trusted CA.
 370
 371 **/
 372 BOOLEAN
 373 EFIAPI
 374 X509VerifyCert (
 375   IN  CONST UINT8  *Cert,
 376   IN  UINTN        CertSize,
 377   IN  CONST UINT8  *CACert,
 378   IN  UINTN        CACertSize
 379   )
 380 {
 381   BOOLEAN         Status;
 382   X509            *X509Cert;
 383   X509            *X509CACert;
 384   X509_STORE      *CertStore;
 385   X509_STORE_CTX  CertCtx;
 386
 387   //
 388   // ASSERT if Cert is NULL or CACert is NULL.
 389   //
 390   ASSERT (Cert   != NULL);
 391   ASSERT (CACert != NULL);
 392
 393   Status     = FALSE;
 394   X509Cert   = NULL;
 395   X509CACert = NULL;
 396   CertStore  = NULL;
 397
 398   //
 399   // Register & Initialize necessary digest algorithms for certificate verification.
 400   //
 401   EVP_add_digest (EVP_md5());
 402   EVP_add_digest (EVP_sha1());
 403   EVP_add_digest (EVP_sha256());
 404
 405   //
 406   // Read DER-encoded certificate to be verified and Construct X509 object.
 407   //
 408   Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **) &X509Cert);
 409   if ((X509Cert == NULL) || (!Status)) {
 410     goto _Exit;
 411   }
 412
 413   //
 414   // Read DER-encoded root certificate and Construct X509 object.
 415   //
 416   Status = X509ConstructCertificate (CACert, CACertSize, (UINT8 **) &X509CACert);
 417   if ((X509CACert == NULL) || (!Status)) {
 418     goto _Exit;
 419   }
 420
 421   //
 422   // Set up X509 Store for trusted certificate.
 423   //
 424   CertStore = X509_STORE_new ();
 425   if (CertStore == NULL) {
 426     goto _Exit;
 427   }
 428   if (!(X509_STORE_add_cert (CertStore, X509CACert))) {
 429     goto _Exit;
 430   }
 431
 432   //
 433   // Set up X509_STORE_CTX for the subsequent verification operation.
 434   //
 435   if (!X509_STORE_CTX_init (&CertCtx, CertStore, X509Cert, NULL)) {
 436     goto _Exit;
 437   }
 438
 439   //
 440   // X509 Certificate Verification.
 441   //
 442   Status = (BOOLEAN) X509_verify_cert (&CertCtx);
 443   X509_STORE_CTX_cleanup (&CertCtx);
 444
 445 _Exit:
 446   //
 447   // Release Resources.
 448   //
 449   X509_free (X509Cert);
 450   X509_free (X509CACert);
 451   X509_STORE_free (CertStore);
 452
 453   return Status;
 454 }