Sb wizard part2

ArmVirtPkg/ArmVirtCloudHv.dsc

@@ -57,6 +57,7 @@
 
   TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
   TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
+  DxeImageVerificationLib|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
 
 !include MdePkg/MdeLibs.dsc.inc
 
@@ -255,7 +256,7 @@
 !if $(SECURE_BOOT_ENABLE) == TRUE
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
     <LibraryClasses>
-      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationHandler.inf
   }
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
   OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf

ArmVirtPkg/ArmVirtQemu.dsc

@@ -95,6 +95,7 @@
 !endif
 
   ArmMonitorLib|ArmVirtPkg/Library/ArmVirtMonitorLib/ArmVirtMonitorLib.inf
+  DxeImageVerificationLib|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
 
 [LibraryClasses.AARCH64]
   ArmPlatformLib|ArmVirtPkg/Library/ArmPlatformLibQemu/ArmPlatformLibQemu.inf
@@ -389,7 +390,7 @@
 !if $(SECURE_BOOT_ENABLE) == TRUE
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
     <LibraryClasses>
-      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationHandler.inf
 !if $(TPM2_ENABLE) == TRUE
       NULL|SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.inf
 !endif

ArmVirtPkg/ArmVirtQemuKernel.dsc

@@ -85,6 +85,7 @@
   TpmPlatformHierarchyLib|SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf
 
   ArmMonitorLib|ArmVirtPkg/Library/ArmVirtMonitorLib/ArmVirtMonitorLib.inf
+  DxeImageVerificationLib|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
 
 [LibraryClasses.common.DXE_DRIVER]
   AcpiPlatformLib|OvmfPkg/Library/AcpiPlatformLib/DxeAcpiPlatformLib.inf
@@ -311,7 +312,7 @@
 !if $(SECURE_BOOT_ENABLE) == TRUE
   MdeModulePkg/Universal/SecurityStubDxe/SecurityStubDxe.inf {
     <LibraryClasses>
-      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
+      NULL|SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationHandler.inf
   }
   SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe.inf
   OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.inf

CryptoPkg/Include/Library/BaseCryptLib.h

@@ -1876,6 +1876,7 @@ X509GetCommonName (
   IN OUT  UINTN        *CommonNameSize
   );
 
+
 /**
   Retrieve the organization name (O) string from one X.509 certificate.
 
@@ -2675,6 +2676,41 @@ X509GetIssuerName (
   IN OUT  UINTN        *CertIssuerSize
   );
 
+/**
+  Retrieve the issuer common name (CN) string from one X.509 certificate.
+
+  @param[in]      Cert             Pointer to the DER-encoded X509 certificate.
+  @param[in]      CertSize         Size of the X509 certificate in bytes.
+  @param[out]     CommonName       Buffer to contain the retrieved certificate issuer common
+                                   name string. At most CommonNameSize bytes will be
+                                   written and the string will be null terminated. May be
+                                   NULL in order to determine the size buffer needed.
+  @param[in,out]  CommonNameSize   The size in bytes of the CommonName buffer on input,
+                                   and the size of buffer returned CommonName on output.
+                                   If CommonName is NULL then the amount of space needed
+                                   in buffer (including the final null) is returned.
+
+  @retval RETURN_SUCCESS           The certificate Issuer CommonName retrieved successfully.
+  @retval RETURN_INVALID_PARAMETER If Cert is NULL.
+                                   If CommonNameSize is NULL.
+                                   If CommonName is not NULL and *CommonNameSize is 0.
+                                   If Certificate is invalid.
+  @retval RETURN_NOT_FOUND         If no CommonName entry exists.
+  @retval RETURN_BUFFER_TOO_SMALL  If the CommonName is NULL. The required buffer size
+                                   (including the final null) is returned in the
+                                   CommonNameSize parameter.
+  @retval RETURN_UNSUPPORTED       The operation is not supported.
+
+**/
+RETURN_STATUS
+EFIAPI
+X509GetIssuerCommonName (
+  IN CONST UINT8  *Cert,
+  IN UINTN        CertSize,
+  OUT CHAR8       *CommonName OPTIONAL,
+  IN OUT UINTN    *CommonNameSize
+  );
+
 /**
   Retrieve the Signature Algorithm from one X.509 certificate.
 

CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c

@@ -1157,6 +1157,192 @@ X509GetIssuerName (
   return Status;
 }
 
+
+/**
+  Retrieve a string from one X.509 certificate issuer base on the Request_NID.
+
+  @param[in]      Cert             Pointer to the DER-encoded X509 certificate.
+  @param[in]      CertSize         Size of the X509 certificate in bytes.
+  @param[in]      Request_NID      NID of string to obtain
+  @param[out]     CommonName       Buffer to contain the retrieved certificate issuer common
+                                   name string (UTF8). At most CommonNameSize bytes will be
+                                   written and the string will be null terminated. May be
+                                   NULL in order to determine the size buffer needed.
+  @param[in,out]  CommonNameSize   The size in bytes of the CommonName buffer on input,
+                                   and the size of buffer returned CommonName on output.
+                                   If CommonName is NULL then the amount of space needed
+                                   in buffer (including the final null) is returned.
+
+  @retval RETURN_SUCCESS           The certificate issuer CommonName retrieved successfully.
+  @retval RETURN_INVALID_PARAMETER If Cert is NULL.
+                                   If CommonNameSize is NULL.
+                                   If CommonName is not NULL and *CommonNameSize is 0.
+                                   If Certificate is invalid.
+  @retval RETURN_NOT_FOUND         If no NID Name entry exists.
+  @retval RETURN_BUFFER_TOO_SMALL  If the CommonName is NULL. The required buffer size
+                                   (including the final null) is returned in the
+                                   CommonNameSize parameter.
+  @retval RETURN_UNSUPPORTED       The operation is not supported.
+
+**/
+STATIC
+RETURN_STATUS
+InternalX509GetIssuerNIDName (
+  IN      CONST UINT8  *Cert,
+  IN      UINTN        CertSize,
+  IN      INT32        Request_NID,
+  OUT     CHAR8        *CommonName   OPTIONAL,
+  IN OUT  UINTN        *CommonNameSize
+  )
+{
+  RETURN_STATUS    ReturnStatus;
+  BOOLEAN          Status;
+  X509             *X509Cert;
+  X509_NAME        *X509Name;
+  INT32            Index;
+  INTN             Length;
+  X509_NAME_ENTRY  *Entry;
+  ASN1_STRING      *EntryData;
+  UINT8            *UTF8Name;
+
+  ReturnStatus = RETURN_INVALID_PARAMETER;
+  UTF8Name     = NULL;
+
+  //
+  // Check input parameters.
+  //
+  if ((Cert == NULL) || (CertSize > INT_MAX) || (CommonNameSize == NULL)) {
+    return ReturnStatus;
+  }
+
+  if ((CommonName != NULL) && (*CommonNameSize == 0)) {
+    return ReturnStatus;
+  }
+
+  X509Cert = NULL;
+  //
+  // Read DER-encoded X509 Certificate and Construct X509 object.
+  //
+  Status = X509ConstructCertificate (Cert, CertSize, (UINT8 **)&X509Cert);
+  if ((X509Cert == NULL) || (!Status)) {
+    //
+    // Invalid X.509 Certificate
+    //
+    goto _Exit;
+  }
+
+  Status = FALSE;
+
+  //
+  // Retrieve issuer name from certificate object.
+  //
+  X509Name = X509_get_issuer_name (X509Cert);
+  if (X509Name == NULL) {
+    //
+    // Fail to retrieve subject name content
+    //
+    goto _Exit;
+  }
+
+  //
+  // Retrive the string from X.509 Subject base on the Request_NID
+  //
+  Index = X509_NAME_get_index_by_NID (X509Name, Request_NID, -1);
+  if (Index < 0) {
+    //
+    // No Request_NID name entry exists in X509_NAME object
+    //
+    *CommonNameSize = 0;
+    ReturnStatus    = RETURN_NOT_FOUND;
+    goto _Exit;
+  }
+
+  Entry = X509_NAME_get_entry (X509Name, Index);
+  if (Entry == NULL) {
+    //
+    // Fail to retrieve name entry data
+    //
+    *CommonNameSize = 0;
+    ReturnStatus    = RETURN_NOT_FOUND;
+    goto _Exit;
+  }
+
+  EntryData = X509_NAME_ENTRY_get_data (Entry);
+
+  Length = ASN1_STRING_to_UTF8 (&UTF8Name, EntryData);
+  if (Length < 0) {
+    //
+    // Fail to convert the Name string
+    //
+    *CommonNameSize = 0;
+    ReturnStatus    = RETURN_INVALID_PARAMETER;
+    goto _Exit;
+  }
+
+  if (CommonName == NULL) {
+    *CommonNameSize = Length + 1;
+    ReturnStatus    = RETURN_BUFFER_TOO_SMALL;
+  } else {
+    *CommonNameSize = MIN ((UINTN)Length, *CommonNameSize - 1) + 1;
+    CopyMem (CommonName, UTF8Name, *CommonNameSize - 1);
+    CommonName[*CommonNameSize - 1] = '\0';
+    ReturnStatus                    = RETURN_SUCCESS;
+  }
+
+_Exit:
+  //
+  // Release Resources.
+  //
+  if (X509Cert != NULL) {
+    X509_free (X509Cert);
+  }
+
+  if (UTF8Name != NULL) {
+    OPENSSL_free (UTF8Name);
+  }
+
+  return ReturnStatus;
+}
+
+/**
+  Retrieve the issuer common name (CN) string from one X.509 certificate.
+
+  @param[in]      Cert             Pointer to the DER-encoded X509 certificate.
+  @param[in]      CertSize         Size of the X509 certificate in bytes.
+  @param[out]     CommonName       Buffer to contain the retrieved certificate issuer common
+                                   name string. At most CommonNameSize bytes will be
+                                   written and the string will be null terminated. May be
+                                   NULL in order to determine the size buffer needed.
+  @param[in,out]  CommonNameSize   The size in bytes of the CommonName buffer on input,
+                                   and the size of buffer returned CommonName on output.
+                                   If CommonName is NULL then the amount of space needed
+                                   in buffer (including the final null) is returned.
+
+  @retval RETURN_SUCCESS           The certificate Issuer CommonName retrieved successfully.
+  @retval RETURN_INVALID_PARAMETER If Cert is NULL.
+                                   If CommonNameSize is NULL.
+                                   If CommonName is not NULL and *CommonNameSize is 0.
+                                   If Certificate is invalid.
+  @retval RETURN_NOT_FOUND         If no CommonName entry exists.
+  @retval RETURN_BUFFER_TOO_SMALL  If the CommonName is NULL. The required buffer size
+                                   (including the final null) is returned in the
+                                   CommonNameSize parameter.
+  @retval RETURN_UNSUPPORTED       The operation is not supported.
+
+**/
+RETURN_STATUS
+EFIAPI
+X509GetIssuerCommonName (
+  IN CONST UINT8  *Cert,
+  IN UINTN        CertSize,
+  OUT CHAR8       *CommonName OPTIONAL,
+  IN OUT UINTN    *CommonNameSize
+  )
+{
+  return InternalX509GetIssuerNIDName (Cert, CertSize, NID_commonName, CommonName, CommonNameSize);
+}
+
+
 /**
   Retrieve the Signature Algorithm from one X.509 certificate.