VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/iprt-openssl.cpp@ 105589

Last change on this file since 105589 was 104745, checked in by vboxsync, 6 months ago

IPRT,Main: Reworked the newly introduced RTCrX509Certificate_Generate function. It's now called RTCrX509Certificate_GenerateSelfSignedRsa and takes a few more parameters. We still can't read the output it creates. Added a create-self-signed-rsa-cert command to RTSignTool for easy testing. bugref:10310

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 9.3 KB
Line 
1/* $Id: iprt-openssl.cpp 104745 2024-05-21 12:52:09Z vboxsync $ */
2/** @file
3 * IPRT - Crypto - OpenSSL Helpers.
4 */
5
6/*
7 * Copyright (C) 2006-2023 Oracle and/or its affiliates.
8 *
9 * This file is part of VirtualBox base platform packages, as
10 * available from https://www.virtualbox.org.
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation, in version 3 of the
15 * License.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 * General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, see <https://www.gnu.org/licenses>.
24 *
25 * The contents of this file may alternatively be used under the terms
26 * of the Common Development and Distribution License Version 1.0
27 * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
28 * in the VirtualBox distribution, in which case the provisions of the
29 * CDDL are applicable instead of those of the GPL.
30 *
31 * You may elect to license modified versions of this file under the
32 * terms and conditions of either the GPL or the CDDL or both.
33 *
34 * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
35 */
36
37
38/*********************************************************************************************************************************
39* Header Files *
40*********************************************************************************************************************************/
41#include "internal/iprt.h"
42
43#ifdef IPRT_WITH_OPENSSL /* Whole file. */
44# include <iprt/err.h>
45# include <iprt/file.h>
46# include <iprt/string.h>
47# include <iprt/mem.h>
48# include <iprt/asn1.h>
49# include <iprt/crypto/digest.h>
50# include <iprt/crypto/pkcs7.h>
51# include <iprt/crypto/spc.h>
52
53# include "internal/iprt-openssl.h"
54# include "internal/openssl-pre.h"
55# include <openssl/x509.h>
56# include <openssl/err.h>
57# include "internal/openssl-post.h"
58
59
60DECLHIDDEN(void) rtCrOpenSslInit(void)
61{
62 static bool s_fOssInitalized;
63 if (!s_fOssInitalized)
64 {
65 OpenSSL_add_all_algorithms();
66 ERR_load_ERR_strings();
67 ERR_load_crypto_strings();
68
69 /* Add some OIDs we might possibly want to use. */
70 static struct { const char *pszOid, *pszDesc; } const s_aOids[] =
71 {
72 { RTCRSPC_PE_IMAGE_HASHES_V1_OID, "Ms-SpcPeImagePageHashesV1" },
73 { RTCRSPC_PE_IMAGE_HASHES_V2_OID, "Ms-SpcPeImagePageHashesV2" },
74 { RTCRSPC_STMT_TYPE_INDIVIDUAL_CODE_SIGNING, "Ms-SpcIndividualCodeSigning" },
75 { RTCRSPCPEIMAGEDATA_OID, "Ms-SpcPeImageData" },
76 { RTCRSPCINDIRECTDATACONTENT_OID, "Ms-SpcIndirectDataContext" },
77 { RTCR_PKCS9_ID_MS_TIMESTAMP, "Ms-CounterSign" },
78 { RTCR_PKCS9_ID_MS_NESTED_SIGNATURE, "Ms-SpcNestedSignature" },
79 { RTCR_PKCS9_ID_MS_STATEMENT_TYPE, "Ms-SpcStatementType" },
80 { RTCR_PKCS9_ID_MS_SP_OPUS_INFO, "Ms-SpcOpusInfo" },
81 { "1.3.6.1.4.1.311.3.2.1", "Ms-SpcTimeStampRequest" }, /** @todo define */
82 { "1.3.6.1.4.1.311.10.1", "Ms-CertTrustList" }, /** @todo define */
83 };
84 for (unsigned i = 0; i < RT_ELEMENTS(s_aOids); i++)
85 OBJ_create(s_aOids[i].pszOid, s_aOids[i].pszDesc, s_aOids[i].pszDesc);
86
87 s_fOssInitalized = true;
88 }
89}
90
91
92DECLHIDDEN(int) rtCrOpenSslErrInfoCallback(const char *pach, size_t cch, void *pvUser)
93{
94 PRTERRINFO pErrInfo = (PRTERRINFO)pvUser;
95 size_t cchAlready = pErrInfo->fFlags & RTERRINFO_FLAGS_SET ? strlen(pErrInfo->pszMsg) : 0;
96 if (cchAlready + 1 < pErrInfo->cbMsg)
97 RTStrCopyEx(pErrInfo->pszMsg + cchAlready, pErrInfo->cbMsg - cchAlready, pach, cch);
98 return -1;
99}
100
101
102DECLHIDDEN(int) rtCrOpenSslConvertX509Cert(void **ppvOsslCert, PCRTCRX509CERTIFICATE pCert, PRTERRINFO pErrInfo)
103{
104 const unsigned char *pabEncoded;
105 uint32_t cbEncoded;
106 void *pvFree;
107 int rc = RTAsn1EncodeQueryRawBits(RTCrX509Certificate_GetAsn1Core(pCert),
108 (const uint8_t **)&pabEncoded, &cbEncoded, &pvFree, pErrInfo);
109 if (RT_SUCCESS(rc))
110 {
111 X509 *pOsslCert = NULL;
112 X509 *pOsslCertRet = d2i_X509(&pOsslCert, &pabEncoded, cbEncoded);
113 RTMemTmpFree(pvFree);
114 if (pOsslCert != NULL && pOsslCertRet == pOsslCert)
115 {
116 *ppvOsslCert = pOsslCert;
117 return VINF_SUCCESS;
118 }
119 rc = RTErrInfoSet(pErrInfo, VERR_CR_X509_OSSL_D2I_FAILED, "d2i_X509");
120
121 }
122 *ppvOsslCert = NULL;
123 return rc;
124}
125
126
127DECLHIDDEN(void) rtCrOpenSslFreeConvertedX509Cert(void *pvOsslCert)
128{
129 X509_free((X509 *)pvOsslCert);
130}
131
132
133DECLHIDDEN(int) rtCrOpenSslAddX509CertToStack(void *pvOsslStack, PCRTCRX509CERTIFICATE pCert, PRTERRINFO pErrInfo)
134{
135 X509 *pOsslCert = NULL;
136 int rc = rtCrOpenSslConvertX509Cert((void **)&pOsslCert, pCert, pErrInfo);
137 if (RT_SUCCESS(rc))
138 {
139 if (sk_X509_push((STACK_OF(X509) *)pvOsslStack, pOsslCert))
140 rc = VINF_SUCCESS;
141 else
142 {
143 rtCrOpenSslFreeConvertedX509Cert(pOsslCert);
144 rc = RTErrInfoSet(pErrInfo, VERR_NO_MEMORY, "sk_X509_push");
145 }
146 }
147 return rc;
148}
149
150
151DECLHIDDEN(const void /*EVP_MD*/ *) rtCrOpenSslConvertDigestType(RTDIGESTTYPE enmDigestType, PRTERRINFO pErrInfo)
152{
153 const char *pszAlgoObjId = RTCrDigestTypeToAlgorithmOid(enmDigestType);
154 AssertReturnStmt(pszAlgoObjId, RTErrInfoSetF(pErrInfo, VERR_INVALID_PARAMETER, "Invalid type: %d", enmDigestType), NULL);
155
156 int iAlgoNid = OBJ_txt2nid(pszAlgoObjId);
157 AssertReturnStmt(iAlgoNid != NID_undef,
158 RTErrInfoSetF(pErrInfo, VERR_CR_DIGEST_OSSL_DIGEST_INIT_ERROR,
159 "OpenSSL does not know: %s (%s)", pszAlgoObjId, RTCrDigestTypeToName(enmDigestType)),
160 NULL);
161
162 const char *pszAlgoSn = OBJ_nid2sn(iAlgoNid);
163 const EVP_MD *pEvpMdType = EVP_get_digestbyname(pszAlgoSn);
164 AssertReturnStmt(pEvpMdType,
165 RTErrInfoSetF(pErrInfo, VERR_CR_DIGEST_OSSL_DIGEST_INIT_ERROR, "OpenSSL/EVP does not know: %d (%s; %s; %s)",
166 iAlgoNid, pszAlgoSn, pszAlgoSn, RTCrDigestTypeToName(enmDigestType)),
167 NULL);
168
169 return pEvpMdType;
170}
171
172
173DECLHIDDEN(int) rtCrOpenSslConvertPkcs7Attribute(void **ppvOsslAttrib, PCRTCRPKCS7ATTRIBUTE pAttrib, PRTERRINFO pErrInfo)
174{
175 const unsigned char *pabEncoded = NULL;
176 uint32_t cbEncoded = 0;
177 void *pvFree = NULL;
178 int rc = RTAsn1EncodeQueryRawBits(RTCrPkcs7Attribute_GetAsn1Core(pAttrib),
179 (const uint8_t **)&pabEncoded, &cbEncoded, &pvFree, pErrInfo);
180 if (RT_SUCCESS(rc))
181 {
182 X509_ATTRIBUTE *pOsslAttrib = NULL;
183 X509_ATTRIBUTE *pOsslAttribRet = d2i_X509_ATTRIBUTE(&pOsslAttrib, &pabEncoded, cbEncoded);
184 RTMemTmpFree(pvFree);
185 if (pOsslAttrib != NULL && pOsslAttribRet == pOsslAttrib)
186 {
187 *ppvOsslAttrib = pOsslAttrib;
188 return VINF_SUCCESS;
189 }
190 rc = RTErrInfoSet(pErrInfo, VERR_CR_X509_OSSL_D2I_FAILED, "d2i_X509_ATTRIBUTE");
191 }
192 *ppvOsslAttrib = NULL;
193 return rc;
194}
195
196
197DECLHIDDEN(void) rtCrOpenSslFreeConvertedPkcs7Attribute(void *pvOsslAttrib)
198{
199 X509_ATTRIBUTE_free((X509_ATTRIBUTE *)pvOsslAttrib);
200}
201
202
203/**
204 * Writes the content of the @a pvMemBio to the new file @a pszFilename.
205 *
206 * @returns IPRT status code.
207 * @param pvMemBio The memory BIO to write out.
208 * @param pszFilename The destination file. This will be created.
209 * The function will fail if this already exists.
210 * @param pErrInfo Where to provide additional error details. Optional.
211 */
212DECLHIDDEN(int) rtCrOpenSslWriteMemBioToNewFile(void *pvMemBio, const char *pszFilename, PRTERRINFO pErrInfo)
213{
214 int rc;
215
216 /* Get the BIO buffer pointer first. */
217 BUF_MEM *pBioBuf = NULL;
218 long rcOssl = BIO_get_mem_ptr((BIO *)pvMemBio, &pBioBuf);
219 if (rcOssl > 0)
220 {
221 AssertPtr(pBioBuf);
222 RTFILE hFile = NIL_RTFILE;
223 rc = RTFileOpen(&hFile, pszFilename,
224 RTFILE_O_WRITE | RTFILE_O_DENY_ALL | RTFILE_O_CREATE | (0600 << RTFILE_O_CREATE_MODE_SHIFT));
225 if (RT_SUCCESS(rc))
226 {
227 rc = RTFileWrite(hFile, pBioBuf->data, pBioBuf->length, NULL);
228 if (RT_SUCCESS(rc))
229 {
230 rc = RTFileClose(hFile);
231 AssertRCStmt(rc, rc = RTErrInfoSetF(pErrInfo, rc, "RTFileClose failed on '%s'", pszFilename));
232 }
233 else
234 {
235 rc = RTErrInfoSetF(pErrInfo, rc, "RTFileWrite(,,%#zx,) failed on '%s'", pBioBuf->length, pszFilename);
236 RTFileClose(hFile);
237 }
238 if (RT_FAILURE(rc))
239 RTFileDelete(pszFilename);
240 }
241 else
242 rc = RTErrInfoSetF(pErrInfo, rc, "RTFileOpen failed on '%s'", pszFilename);
243 }
244 else
245 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "BIO_get_mem_ptr");
246 return rc;
247}
248
249
250#endif /* IPRT_WITH_OPENSSL */
251
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette