VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/store-cert-add-basic.cpp@ 67979

Last change on this file since 67979 was 63451, checked in by vboxsync, 8 years ago

Runtime: warnings

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 34.3 KB
Line 
1/* $Id: store-cert-add-basic.cpp 63451 2016-08-15 00:39:40Z vboxsync $ */
2/** @file
3 * IPRT - Cryptographic (Certificate) Store, RTCrStoreCertAddFromDir.
4 */
5
6/*
7 * Copyright (C) 2006-2016 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#include "internal/iprt.h"
32#include <iprt/crypto/store.h>
33
34#include <iprt/assert.h>
35#include <iprt/crypto/pem.h>
36#include <iprt/dir.h>
37#include <iprt/err.h>
38#include <iprt/file.h>
39#include <iprt/mem.h>
40#include <iprt/path.h>
41#include <iprt/sha.h>
42#include <iprt/string.h>
43
44#include "x509-internal.h"
45
46
47/*********************************************************************************************************************************
48* Global Variables *
49*********************************************************************************************************************************/
50/** BEGIN CERTIFICATE / END CERTIFICATE. */
51static RTCRPEMMARKERWORD const g_aWords_Certificate[] =
52{
53 { RT_STR_TUPLE("CERTIFICATE") }
54};
55
56/** BEGIN TRUSTED CERTIFICATE / END TRUSTED CERTIFICATE. */
57static RTCRPEMMARKERWORD const g_aWords_TrustedCertificate[] =
58{
59 { RT_STR_TUPLE("TRUSTED") },
60 { RT_STR_TUPLE("CERTIFICATE") }
61};
62
63/** BEGIN X509 CERTIFICATE / END X509 CERTIFICATE. (old) */
64static RTCRPEMMARKERWORD const g_aWords_X509Certificate[] =
65{
66 { RT_STR_TUPLE("X509") },
67 { RT_STR_TUPLE("CERTIFICATE") }
68};
69
70/**
71 * X509 Certificate markers.
72 *
73 * @remark See crypto/pem/pem.h in OpenSSL for a matching list.
74 */
75static RTCRPEMMARKER const g_aX509CertificateMarkers[3] =
76{
77 { g_aWords_Certificate, RT_ELEMENTS(g_aWords_Certificate) },
78 { g_aWords_TrustedCertificate, RT_ELEMENTS(g_aWords_TrustedCertificate) },
79 { g_aWords_X509Certificate, RT_ELEMENTS(g_aWords_X509Certificate) }
80};
81
82
83
84#ifdef RT_STRICT
85/**
86 * Checks if we've found all the certificates already.
87 *
88 * @returns true if all found, false if not.
89 * @param afFound Indicator array.
90 * @param cWanted Number of wanted certificates.
91 */
92DECLINLINE(bool) rtCrStoreAllDone(bool const *afFound, size_t cWanted)
93{
94 while (cWanted-- > 0)
95 if (!afFound[cWanted])
96 return false;
97 return true;
98}
99#endif /* RT_STRICT */
100
101
102/**
103 * Checks if the given certificate specs matches the given wanted poster.
104 *
105 * @returns true if match, false if not.
106 * @param pWanted The certificate wanted poster.
107 * @param cbEncoded The candidate certificate encoded size.
108 * @param paSha1 The candidate certificate SHA-1 fingerprint.
109 * @param paSha512 The candidate certificate SHA-512 fingerprint.
110 * @param pCert The decoded candidate certificate, optional. If not
111 * given the result will be uncertain.
112 */
113DECLINLINE(bool) rtCrStoreIsCertEqualToWanted(PCRTCRCERTWANTED pWanted,
114 size_t cbEncoded,
115 uint8_t const pabSha1[RTSHA1_HASH_SIZE],
116 uint8_t const pabSha512[RTSHA512_HASH_SIZE],
117 PCRTCRX509CERTIFICATE pCert)
118{
119 if ( pWanted->cbEncoded != cbEncoded
120 && pWanted->cbEncoded != 0)
121 return false;
122
123 if ( pWanted->fSha1Fingerprint
124 && memcmp(pWanted->abSha1, pabSha1, RTSHA1_HASH_SIZE) != 0)
125 return false;
126
127 if ( pWanted->fSha512Fingerprint
128 && memcmp(pWanted->abSha512, pabSha512, RTSHA512_HASH_SIZE) != 0)
129 return false;
130
131 if ( pWanted->pszSubject
132 && pCert
133 && !RTCrX509Name_MatchWithString(&pCert->TbsCertificate.Subject, pWanted->pszSubject))
134 return false;
135
136 return true;
137}
138
139
140/**
141 * Checks if a certificate is wanted.
142 *
143 * @returns true if match, false if not.
144 * @param paWanted The certificate wanted posters.
145 * @param cWanted The number of wanted posters.
146 * @param apfFound Found initicators running paralell to @a paWanted.
147 * @param cbEncoded The candidate certificate encoded size.
148 * @param paSha1 The candidate certificate SHA-1 fingerprint.
149 * @param paSha512 The candidate certificate SHA-512 fingerprint.
150 * @param pCert The decoded candidate certificate, optional. If not
151 * given the result will be uncertain.
152 */
153DECLINLINE(bool) rtCrStoreIsCertWanted(PCRTCRCERTWANTED paWanted, size_t cWanted, bool const *pafFound, size_t cbEncoded,
154 uint8_t const pabSha1[RTSHA1_HASH_SIZE], uint8_t const pabSha512[RTSHA512_HASH_SIZE],
155 PCRTCRX509CERTIFICATE pCert)
156{
157 for (size_t iCert = 0; iCert < cWanted; iCert++)
158 if (!pafFound[iCert])
159 if (rtCrStoreIsCertEqualToWanted(&paWanted[iCert], cbEncoded, pabSha1, pabSha512, pCert))
160 return true;
161 return false;
162}
163
164
165/**
166 * Marks a certificate as found after it has been added to the store.
167 *
168 * May actually mark several certificates as found if there are duplicates or
169 * ambiguities in the wanted list.
170 *
171 * @returns true if all have been found, false if more to search for.
172 *
173 * @param apfFound Found initicators running paralell to @a paWanted.
174 * This is what this function updates.
175 * @param paWanted The certificate wanted posters.
176 * @param cWanted The number of wanted posters.
177 * @param cbEncoded The candidate certificate encoded size.
178 * @param paSha1 The candidate certificate SHA-1 fingerprint.
179 * @param paSha512 The candidate certificate SHA-512 fingerprint.
180 * @param pCert The decoded candidate certificate, optional. If not
181 * given the result will be uncertain.
182 */
183static bool rtCrStoreMarkCertFound(bool *pafFound, PCRTCRCERTWANTED paWanted, size_t cWanted, size_t cbEncoded,
184 uint8_t const pabSha1[RTSHA1_HASH_SIZE], uint8_t const pabSha512[RTSHA512_HASH_SIZE],
185 PCRTCRX509CERTIFICATE pCert)
186{
187 size_t cFound = 0;
188 for (size_t iCert = 0; iCert < cWanted; iCert++)
189 if (pafFound[iCert])
190 cFound++;
191 else if (rtCrStoreIsCertEqualToWanted(&paWanted[iCert], cbEncoded, pabSha1, pabSha512, pCert))
192 {
193 pafFound[iCert] = true;
194 cFound++;
195 }
196 return cFound == cWanted;
197}
198
199
200RTDECL(int) RTCrStoreCertAddFromStore(RTCRSTORE hStore, uint32_t fFlags, RTCRSTORE hStoreSrc)
201{
202 /*
203 * Validate input.
204 */
205 AssertReturn(!(fFlags & ~(RTCRCERTCTX_F_ADD_IF_NOT_FOUND | RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR)), VERR_INVALID_FLAGS);
206
207 /*
208 * Enumerate all the certificates in the source store, adding them to the destination.
209 */
210 RTCRSTORECERTSEARCH Search;
211 int rc = RTCrStoreCertFindAll(hStoreSrc, &Search);
212 if (RT_SUCCESS(rc))
213 {
214 PCRTCRCERTCTX pCertCtx;
215 while ((pCertCtx = RTCrStoreCertSearchNext(hStoreSrc, &Search)) != NULL)
216 {
217 int rc2 = RTCrStoreCertAddEncoded(hStore, pCertCtx->fFlags | (fFlags & RTCRCERTCTX_F_ADD_IF_NOT_FOUND),
218 pCertCtx->pabEncoded, pCertCtx->cbEncoded, NULL);
219 if (RT_FAILURE(rc2))
220 {
221 rc = rc2;
222 if (!(fFlags & RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR))
223 break;
224 }
225 RTCrCertCtxRelease(pCertCtx);
226 }
227
228 int rc2 = RTCrStoreCertSearchDestroy(hStoreSrc, &Search); AssertRC(rc2);
229 }
230 return rc;
231}
232RT_EXPORT_SYMBOL(RTCrStoreCertAddFromStore);
233
234
235RTDECL(int) RTCrStoreCertAddWantedFromStore(RTCRSTORE hStore, uint32_t fFlags, RTCRSTORE hSrcStore,
236 PCRTCRCERTWANTED paWanted, size_t cWanted, bool *pafFound)
237{
238 /*
239 * Validate input a little.
240 */
241 AssertReturn(!(fFlags & ~(RTCRCERTCTX_F_ADD_IF_NOT_FOUND | RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR)), VERR_INVALID_FLAGS);
242 fFlags |= RTCRCERTCTX_F_ADD_IF_NOT_FOUND; /* forced */
243
244 AssertReturn(cWanted, VERR_NOT_FOUND);
245 for (uint32_t i = 0; i < cWanted; i++)
246 {
247 AssertReturn(!paWanted[i].pszSubject || *paWanted[i].pszSubject, VERR_INVALID_PARAMETER);
248 AssertReturn( paWanted[i].pszSubject
249 || paWanted[i].fSha1Fingerprint
250 || paWanted[i].fSha512Fingerprint,
251 VERR_INVALID_PARAMETER);
252 }
253
254 /*
255 * Make sure we've got a result array.
256 */
257 bool *pafFoundFree = NULL;
258 if (!pafFound)
259 {
260 pafFound = pafFoundFree = (bool *)RTMemTmpAllocZ(sizeof(bool) * cWanted);
261 AssertReturn(pafFound, VERR_NO_TMP_MEMORY);
262 }
263
264 /*
265 * Enumerate the store entries.
266 */
267 RTCRSTORECERTSEARCH Search;
268 int rc = RTCrStoreCertFindAll(hSrcStore, &Search);
269 if (RT_SUCCESS(rc))
270 {
271 rc = VWRN_NOT_FOUND;
272 PCRTCRCERTCTX pCertCtx;
273 while ((pCertCtx = RTCrStoreCertSearchNext(hSrcStore, &Search)) != NULL)
274 {
275 if ( (pCertCtx->fFlags & RTCRCERTCTX_F_ENC_MASK) == RTCRCERTCTX_F_ENC_X509_DER
276 && pCertCtx->cbEncoded > 0
277 && pCertCtx->pCert)
278 {
279 /*
280 * If the certificate is wanted, try add it to the store.
281 */
282 uint8_t abSha1[RTSHA1_HASH_SIZE];
283 RTSha1(pCertCtx->pabEncoded, pCertCtx->cbEncoded, abSha1);
284 uint8_t abSha512[RTSHA512_HASH_SIZE];
285 RTSha512(pCertCtx->pabEncoded, pCertCtx->cbEncoded, abSha512);
286 if (rtCrStoreIsCertWanted(paWanted, cWanted, pafFound, pCertCtx->cbEncoded, abSha1, abSha512, pCertCtx->pCert))
287 {
288 int rc2 = RTCrStoreCertAddEncoded(hStore,
289 RTCRCERTCTX_F_ENC_X509_DER | (fFlags & RTCRCERTCTX_F_ADD_IF_NOT_FOUND),
290 pCertCtx->pabEncoded, pCertCtx->cbEncoded, NULL /*pErrInfo*/);
291 if (RT_SUCCESS(rc2))
292 {
293 /*
294 * Mark it as found, stop if we've found all.
295 */
296 if (rtCrStoreMarkCertFound(pafFound, paWanted, cWanted,
297 pCertCtx->cbEncoded, abSha1, abSha512, pCertCtx->pCert))
298 {
299 if (RT_SUCCESS(rc))
300 rc = VINF_SUCCESS;
301 RTCrCertCtxRelease(pCertCtx);
302 break;
303 }
304 }
305 else
306 {
307 /*
308 * Some error adding the certificate. Since it cannot be anything with
309 * the encoding, it must be something with the store or resources, so
310 * always return the error status.
311 */
312 rc = rc2;
313 if (!(fFlags & RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR))
314 {
315 RTCrCertCtxRelease(pCertCtx);
316 break;
317 }
318 }
319 }
320 }
321 RTCrCertCtxRelease(pCertCtx);
322 }
323 int rc2 = RTCrStoreCertSearchDestroy(hSrcStore, &Search);
324 AssertRC(rc2);
325 }
326
327 if (pafFoundFree)
328 RTMemTmpFree(pafFoundFree);
329 return rc;
330}
331RT_EXPORT_SYMBOL(RTCrStoreCertAddWantedFromStore);
332
333
334RTDECL(int) RTCrStoreCertCheckWanted(RTCRSTORE hStore, PCRTCRCERTWANTED paWanted, size_t cWanted, bool *pafFound)
335{
336 /*
337 * Validate input a little.
338 */
339 AssertReturn(cWanted, VERR_NOT_FOUND);
340 for (uint32_t i = 0; i < cWanted; i++)
341 {
342 AssertReturn(!paWanted[i].pszSubject || *paWanted[i].pszSubject, VERR_INVALID_PARAMETER);
343 AssertReturn( paWanted[i].pszSubject
344 || paWanted[i].fSha1Fingerprint
345 || paWanted[i].fSha512Fingerprint,
346 VERR_INVALID_PARAMETER);
347 }
348 AssertPtrReturn(pafFound, VERR_INVALID_POINTER);
349
350 /*
351 * Clear the found array.
352 */
353 for (uint32_t iCert = 0; iCert < cWanted; iCert++)
354 pafFound[iCert] = false;
355
356 /*
357 * Enumerate the store entries.
358 */
359 RTCRSTORECERTSEARCH Search;
360 int rc = RTCrStoreCertFindAll(hStore, &Search);
361 if (RT_SUCCESS(rc))
362 {
363 rc = VWRN_NOT_FOUND;
364 PCRTCRCERTCTX pCertCtx;
365 while ((pCertCtx = RTCrStoreCertSearchNext(hStore, &Search)) != NULL)
366 {
367 if ( (pCertCtx->fFlags & RTCRCERTCTX_F_ENC_MASK) == RTCRCERTCTX_F_ENC_X509_DER
368 && pCertCtx->cbEncoded > 0
369 && pCertCtx->pCert)
370 {
371 /*
372 * Hash it and check if it's wanted. Stop when we've found all.
373 */
374 uint8_t abSha1[RTSHA1_HASH_SIZE];
375 RTSha1(pCertCtx->pabEncoded, pCertCtx->cbEncoded, abSha1);
376 uint8_t abSha512[RTSHA512_HASH_SIZE];
377 RTSha512(pCertCtx->pabEncoded, pCertCtx->cbEncoded, abSha512);
378 if (rtCrStoreMarkCertFound(pafFound, paWanted, cWanted, pCertCtx->cbEncoded, abSha1, abSha512, pCertCtx->pCert))
379 {
380 rc = VINF_SUCCESS;
381 RTCrCertCtxRelease(pCertCtx);
382 break;
383 }
384 }
385 RTCrCertCtxRelease(pCertCtx);
386 }
387 int rc2 = RTCrStoreCertSearchDestroy(hStore, &Search);
388 AssertRC(rc2);
389 }
390
391 return rc;
392}
393RT_EXPORT_SYMBOL(RTCrStoreCertAddWantedFromStore);
394
395
396RTDECL(int) RTCrStoreCertAddFromFile(RTCRSTORE hStore, uint32_t fFlags, const char *pszFilename, PRTERRINFO pErrInfo)
397{
398 AssertReturn(!(fFlags & ~(RTCRCERTCTX_F_ADD_IF_NOT_FOUND | RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR)), VERR_INVALID_FLAGS);
399
400 size_t cbContent;
401 void *pvContent;
402 int rc = RTFileReadAllEx(pszFilename, 0, 64U*_1M, RTFILE_RDALL_O_DENY_WRITE, &pvContent, &cbContent);
403 if (RT_SUCCESS(rc))
404 {
405 /*
406 * Is it a java key store file?
407 */
408 if ( cbContent > 32
409 && ((uint32_t const *)pvContent)[0] == RT_H2BE_U32_C(UINT32_C(0xfeedfeed)) /* magic */
410 && ((uint32_t const *)pvContent)[1] == RT_H2BE_U32_C(UINT32_C(0x00000002)) /* version */ )
411 rc = RTCrStoreCertAddFromJavaKeyStoreInMem(hStore, fFlags, pvContent, cbContent, pszFilename, pErrInfo);
412 /*
413 * No assume PEM or DER encoded binary certificate.
414 */
415 else
416 {
417 PCRTCRPEMSECTION pSectionHead;
418 rc = RTCrPemParseContent(pvContent, cbContent,
419 (fFlags & RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR)
420 ? RTCRPEMREADFILE_F_CONTINUE_ON_ENCODING_ERROR : 0,
421 g_aX509CertificateMarkers, RT_ELEMENTS(g_aX509CertificateMarkers),
422 &pSectionHead, pErrInfo);
423 if (RT_SUCCESS(rc))
424 {
425 PCRTCRPEMSECTION pCurSec = pSectionHead;
426 while (pCurSec)
427 {
428 int rc2 = RTCrStoreCertAddEncoded(hStore,
429 RTCRCERTCTX_F_ENC_X509_DER | (fFlags & RTCRCERTCTX_F_ADD_IF_NOT_FOUND),
430 pCurSec->pbData, pCurSec->cbData,
431 !RTErrInfoIsSet(pErrInfo) ? pErrInfo : NULL);
432 if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
433 {
434 rc = rc2;
435 if (!(fFlags & RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR))
436 break;
437 }
438 pCurSec = pCurSec->pNext;
439 }
440
441 RTCrPemFreeSections(pSectionHead);
442 }
443 }
444 RTFileReadAllFree(pvContent, cbContent);
445 }
446 else
447 rc = RTErrInfoSetF(pErrInfo, rc, "RTFileReadAllEx failed with %Rrc on '%s'", rc, pszFilename);
448 return rc;
449}
450RT_EXPORT_SYMBOL(RTCrStoreCertAddFromFile);
451
452
453RTDECL(int) RTCrStoreCertAddWantedFromFile(RTCRSTORE hStore, uint32_t fFlags, const char *pszFilename,
454 PCRTCRCERTWANTED paWanted, size_t cWanted, bool *pafFound, PRTERRINFO pErrInfo)
455{
456 /*
457 * Validate input a little.
458 */
459 AssertReturn(!(fFlags & ~(RTCRCERTCTX_F_ADD_IF_NOT_FOUND | RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR)), VERR_INVALID_FLAGS);
460 fFlags |= RTCRCERTCTX_F_ADD_IF_NOT_FOUND; /* forced */
461
462 AssertReturn(cWanted, VERR_NOT_FOUND);
463 for (uint32_t i = 0; i < cWanted; i++)
464 {
465 AssertReturn(!paWanted[i].pszSubject || *paWanted[i].pszSubject, VERR_INVALID_PARAMETER);
466 AssertReturn( paWanted[i].pszSubject
467 || paWanted[i].fSha1Fingerprint
468 || paWanted[i].fSha512Fingerprint,
469 VERR_INVALID_PARAMETER);
470 }
471
472 /*
473 * Make sure we've got a result array.
474 */
475 bool *pafFoundFree = NULL;
476 if (!pafFound)
477 {
478 pafFound = pafFoundFree = (bool *)RTMemTmpAllocZ(sizeof(bool) * cWanted);
479 AssertReturn(pafFound, VERR_NO_TMP_MEMORY);
480 }
481
482 size_t cbContent;
483 void *pvContent;
484 int rc = RTFileReadAllEx(pszFilename, 0, 64U*_1M, RTFILE_RDALL_O_DENY_WRITE, &pvContent, &cbContent);
485 if (RT_SUCCESS(rc))
486 {
487 /*
488 * Is it a java key store file? If so, load it into a tmp store
489 * which we can search. Don't want to duplicate the JKS reader code.
490 */
491 if ( cbContent > 32
492 && ((uint32_t const *)pvContent)[0] == RT_H2BE_U32_C(UINT32_C(0xfeedfeed)) /* magic */
493 && ((uint32_t const *)pvContent)[1] == RT_H2BE_U32_C(UINT32_C(0x00000002)) /* version */ )
494 {
495 RTCRSTORE hTmpStore;
496 rc = RTCrStoreCreateInMem(&hTmpStore, 64);
497 if (RT_SUCCESS(rc))
498 {
499 rc = RTCrStoreCertAddFromJavaKeyStoreInMem(hStore, fFlags, pvContent, cbContent, pszFilename, pErrInfo);
500 if (RT_SUCCESS(rc))
501 rc = RTCrStoreCertAddWantedFromStore(hStore, fFlags, hTmpStore, paWanted, cWanted, pafFound);
502 RTCrStoreRelease(hTmpStore);
503 }
504 else
505 rc = RTErrInfoSet(pErrInfo, rc, "Error creating temporary crypto store");
506 }
507 /*
508 * No assume PEM or DER encoded binary certificate. Inspect them one by one.
509 */
510 else
511 {
512 PCRTCRPEMSECTION pSectionHead;
513 rc = RTCrPemParseContent(pvContent, cbContent,
514 (fFlags & RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR)
515 ? RTCRPEMREADFILE_F_CONTINUE_ON_ENCODING_ERROR : 0,
516 g_aX509CertificateMarkers, RT_ELEMENTS(g_aX509CertificateMarkers),
517 &pSectionHead, pErrInfo);
518 if (RT_SUCCESS(rc))
519 {
520 rc = VWRN_NOT_FOUND;
521 for (PCRTCRPEMSECTION pCurSec = pSectionHead; pCurSec; pCurSec = pCurSec->pNext)
522 {
523 if (!pCurSec->cbData)
524 continue;
525
526 /*
527 * See if this is a binary blob we might be interested in.
528 */
529 uint8_t abSha1[RTSHA1_HASH_SIZE];
530 RTSha1(pCurSec->pbData, pCurSec->cbData, abSha1);
531 uint8_t abSha512[RTSHA512_HASH_SIZE];
532 RTSha512(pCurSec->pbData, pCurSec->cbData, abSha512);
533 if (!rtCrStoreIsCertWanted(paWanted, cWanted, pafFound, pCurSec->cbData, abSha1, abSha512, NULL))
534 continue;
535
536 /*
537 * Decode the certificate so we can match the subject string.
538 */
539 RTASN1CURSORPRIMARY Cursor;
540 RTAsn1CursorInitPrimary(&Cursor, pCurSec->pbData, (uint32_t)pCurSec->cbData,
541 !RTErrInfoIsSet(pErrInfo) ? pErrInfo : NULL,
542 &g_RTAsn1DefaultAllocator, RTASN1CURSOR_FLAGS_DER, "InMem");
543 RTCRX509CERTIFICATE X509Cert;
544 int rc2 = RTCrX509Certificate_DecodeAsn1(&Cursor.Cursor, 0, &X509Cert, "Cert");
545 if (RT_SUCCESS(rc2))
546 {
547 rc2 = RTCrX509Certificate_CheckSanity(&X509Cert, 0, !RTErrInfoIsSet(pErrInfo) ? pErrInfo : NULL, "Cert");
548 if (RT_SUCCESS(rc2))
549 {
550 if (rtCrStoreIsCertWanted(paWanted, cWanted, pafFound, pCurSec->cbData, abSha1, abSha512, &X509Cert))
551 {
552 /*
553 * The certificate is wanted, now add it to the store.
554 */
555 rc2 = RTCrStoreCertAddEncoded(hStore,
556 RTCRCERTCTX_F_ENC_X509_DER
557 | (fFlags & RTCRCERTCTX_F_ADD_IF_NOT_FOUND),
558 pCurSec->pbData, pCurSec->cbData,
559 !RTErrInfoIsSet(pErrInfo) ? pErrInfo : NULL);
560 if (RT_SUCCESS(rc2))
561 {
562 /*
563 * Mark it as found, stop if we've found all.
564 */
565 if (rtCrStoreMarkCertFound(pafFound, paWanted, cWanted,
566 pCurSec->cbData, abSha1, abSha512, &X509Cert))
567 {
568 RTAsn1VtDelete(&X509Cert.SeqCore.Asn1Core);
569 rc = VINF_SUCCESS;
570 break;
571 }
572 }
573 }
574 }
575 else
576 Assert(!pErrInfo || RTErrInfoIsSet(pErrInfo));
577 RTAsn1VtDelete(&X509Cert.SeqCore.Asn1Core);
578 }
579 else if (!RTErrInfoIsSet(pErrInfo))
580 RTErrInfoSetF(pErrInfo, rc2, "RTCrX509Certificate_DecodeAsn1 failed");
581
582 /*
583 * Stop on error, if requested. Otherwise, let pErrInfo keep it.
584 */
585 if (RT_FAILURE(rc2) && !(fFlags & RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR))
586 {
587 rc = rc2;
588 break;
589 }
590 } /* For each PEM section. */
591
592 RTCrPemFreeSections(pSectionHead);
593 }
594 }
595 RTFileReadAllFree(pvContent, cbContent);
596 }
597 else
598 rc = RTErrInfoSetF(pErrInfo, rc, "RTFileReadAllEx failed with %Rrc on '%s'", rc, pszFilename);
599
600 if (pafFoundFree)
601 RTMemTmpFree(pafFoundFree);
602 return rc;
603}
604RT_EXPORT_SYMBOL(RTCrStoreCertAddWantedFromFile);
605
606
607/**
608 * Checks if the directory entry matches the specified suffixes.
609 *
610 * @returns true on match, false on mismatch.
611 * @param pDirEntry The directory to check.
612 * @param paSuffixes The array of suffixes to match against.
613 * @param cSuffixes The number of suffixes in the array.
614 */
615DECLINLINE(bool) rtCrStoreIsSuffixMatch(PCRTDIRENTRY pDirEntry, PCRTSTRTUPLE paSuffixes, size_t cSuffixes)
616{
617 if (cSuffixes == 0)
618 return true;
619
620 size_t const cchName = pDirEntry->cbName;
621 size_t i = cSuffixes;
622 while (i-- > 0)
623 if ( cchName > paSuffixes[i].cch
624 && memcmp(&pDirEntry->szName[cchName - paSuffixes[i].cch], paSuffixes[i].psz, paSuffixes[i].cch) == 0)
625 return true;
626
627 return false;
628}
629
630
631RTDECL(int) RTCrStoreCertAddFromDir(RTCRSTORE hStore, uint32_t fFlags, const char *pszDir,
632 PCRTSTRTUPLE paSuffixes, size_t cSuffixes, PRTERRINFO pErrInfo)
633{
634 /*
635 * Validate input.
636 */
637 AssertReturn(!(fFlags & ~(RTCRCERTCTX_F_ADD_IF_NOT_FOUND | RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR)), VERR_INVALID_FLAGS);
638 size_t i = cSuffixes;
639 while (i-- > 0)
640 {
641 Assert(paSuffixes[i].cch > 0);
642 Assert(strlen(paSuffixes[i].psz) == paSuffixes[i].cch);
643 }
644
645 /*
646 * Prepare for constructing path to the files in the directory, so that we
647 * can open them.
648 */
649 char szPath[RTPATH_MAX];
650 int rc = RTStrCopy(szPath, sizeof(szPath), pszDir);
651 if (RT_SUCCESS(rc))
652 {
653 size_t cchPath = RTPathEnsureTrailingSeparator(szPath, sizeof(szPath));
654 if (cchPath > 0)
655 {
656 size_t const cbMaxFilename = sizeof(szPath) - cchPath;
657
658 /*
659 * Enumerate the directory.
660 */
661 PRTDIR hDir;
662 rc = RTDirOpen(&hDir, pszDir);
663 if (RT_SUCCESS(rc))
664 {
665 for (;;)
666 {
667 /* Read the next entry. */
668 union
669 {
670 RTDIRENTRY DirEntry;
671 uint8_t abPadding[RTPATH_MAX + sizeof(RTDIRENTRY)];
672 } u;
673 size_t cbBuf = sizeof(u);
674 int rc2 = RTDirRead(hDir, &u.DirEntry, &cbBuf);
675 if (RT_SUCCESS(rc2))
676 {
677 if ( ( u.DirEntry.enmType == RTDIRENTRYTYPE_FILE
678 || u.DirEntry.enmType == RTDIRENTRYTYPE_SYMLINK
679 || ( u.DirEntry.enmType == RTDIRENTRYTYPE_UNKNOWN
680 && !RTDirEntryIsStdDotLink(&u.DirEntry)) )
681 && rtCrStoreIsSuffixMatch(&u.DirEntry, paSuffixes, cSuffixes) )
682 {
683 if (u.DirEntry.cbName < cbMaxFilename)
684 {
685 memcpy(&szPath[cchPath], u.DirEntry.szName, u.DirEntry.cbName + 1);
686 rc2 = RTDirQueryUnknownType(szPath, true /*fFollowSymlinks*/, &u.DirEntry.enmType);
687 if ( RT_SUCCESS(rc2)
688 && u.DirEntry.enmType == RTDIRENTRYTYPE_FILE)
689 {
690 /*
691 * Add it.
692 */
693 rc2 = RTCrStoreCertAddFromFile(hStore, fFlags, szPath, pErrInfo);
694 if (RT_FAILURE(rc2))
695 {
696 rc = rc2;
697 if (!(fFlags & RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR))
698 break;
699 }
700 }
701 }
702 else
703 {
704 rc = RTErrInfoAddF(pErrInfo, VERR_FILENAME_TOO_LONG,
705 " Too long filename (%u bytes)", u.DirEntry.cbName);
706 if (!(fFlags & RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR))
707 break;
708 }
709 }
710 }
711 else
712 {
713 if (rc2 != VERR_NO_MORE_FILES)
714 rc = RTErrInfoAddF(pErrInfo, rc2, " RTDirRead failed: %Rrc", rc2);
715 break;
716 }
717 }
718
719 RTDirClose(hDir);
720 }
721 else
722 rc = RTErrInfoAddF(pErrInfo, rc, " RTDirOpen('%s'): %Rrc", pszDir, rc);
723 }
724 else
725 rc = VERR_FILENAME_TOO_LONG;
726 }
727 return rc;
728}
729RT_EXPORT_SYMBOL(RTCrStoreCertAddFromDir);
730
731
732RTDECL(int) RTCrStoreCertAddWantedFromDir(RTCRSTORE hStore, uint32_t fFlags,
733 const char *pszDir, PCRTSTRTUPLE paSuffixes, size_t cSuffixes,
734 PCRTCRCERTWANTED paWanted, size_t cWanted, bool *pafFound, PRTERRINFO pErrInfo)
735{
736 /*
737 * Validate input a little.
738 */
739 AssertReturn(*pszDir, VERR_PATH_ZERO_LENGTH);
740 AssertReturn(!(fFlags & ~(RTCRCERTCTX_F_ADD_IF_NOT_FOUND | RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR)), VERR_INVALID_FLAGS);
741 fFlags |= RTCRCERTCTX_F_ADD_IF_NOT_FOUND; /* forced */
742
743 AssertReturn(cWanted, VERR_NOT_FOUND);
744 for (uint32_t i = 0; i < cWanted; i++)
745 {
746 AssertReturn(!paWanted[i].pszSubject || *paWanted[i].pszSubject, VERR_INVALID_PARAMETER);
747 AssertReturn( paWanted[i].pszSubject
748 || paWanted[i].fSha1Fingerprint
749 || paWanted[i].fSha512Fingerprint,
750 VERR_INVALID_PARAMETER);
751 }
752
753 /*
754 * Prepare for constructing path to the files in the directory, so that we
755 * can open them.
756 */
757 char szPath[RTPATH_MAX];
758 int rc = RTStrCopy(szPath, sizeof(szPath), pszDir);
759 if (RT_SUCCESS(rc))
760 {
761 size_t cchPath = RTPathEnsureTrailingSeparator(szPath, sizeof(szPath));
762 if (cchPath > 0)
763 {
764 size_t const cbMaxFilename = sizeof(szPath) - cchPath;
765
766 /*
767 * Enumerate the directory.
768 */
769 PRTDIR hDir;
770 rc = RTDirOpen(&hDir, pszDir);
771 if (RT_SUCCESS(rc))
772 {
773 rc = VWRN_NOT_FOUND;
774 for (;;)
775 {
776 /* Read the next entry. */
777 union
778 {
779 RTDIRENTRY DirEntry;
780 uint8_t abPadding[RTPATH_MAX + sizeof(RTDIRENTRY)];
781 } u;
782 size_t cbEntry = sizeof(u);
783 int rc2 = RTDirRead(hDir, &u.DirEntry, &cbEntry);
784 if (RT_SUCCESS(rc2))
785 {
786 if ( ( u.DirEntry.enmType == RTDIRENTRYTYPE_FILE
787 || u.DirEntry.enmType == RTDIRENTRYTYPE_SYMLINK
788 || ( u.DirEntry.enmType == RTDIRENTRYTYPE_UNKNOWN
789 && !RTDirEntryIsStdDotLink(&u.DirEntry)) )
790 && rtCrStoreIsSuffixMatch(&u.DirEntry, paSuffixes, cSuffixes) )
791 {
792 if (u.DirEntry.cbName < cbMaxFilename)
793 {
794 memcpy(&szPath[cchPath], u.DirEntry.szName, u.DirEntry.cbName);
795 szPath[cchPath + u.DirEntry.cbName] = '\0';
796 if (u.DirEntry.enmType != RTDIRENTRYTYPE_FILE)
797 RTDirQueryUnknownType(szPath, true /*fFollowSymlinks*/, &u.DirEntry.enmType);
798 if (u.DirEntry.enmType == RTDIRENTRYTYPE_FILE)
799 {
800 rc2 = RTCrStoreCertAddWantedFromFile(hStore, fFlags, szPath,
801 paWanted, cWanted, pafFound, pErrInfo);
802 if (rc2 == VINF_SUCCESS)
803 {
804 Assert(rtCrStoreAllDone(pafFound, cWanted));
805 if (RT_SUCCESS(rc))
806 rc = VINF_SUCCESS;
807 break;
808 }
809 if (RT_FAILURE(rc2) && !(fFlags & RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR))
810 {
811 rc = rc2;
812 break;
813 }
814 }
815 }
816 else
817 {
818 /*
819 * pErrInfo keeps the status code unless it's fatal.
820 */
821 RTErrInfoAddF(pErrInfo, VERR_FILENAME_TOO_LONG,
822 " Too long filename (%u bytes)", u.DirEntry.cbName);
823 if (!(fFlags & RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR))
824 {
825 rc = VERR_FILENAME_TOO_LONG;
826 break;
827 }
828 }
829 }
830 }
831 else
832 {
833 if (rc2 != VERR_NO_MORE_FILES)
834 {
835 RTErrInfoAddF(pErrInfo, rc2, "RTDirRead failed: %Rrc", rc2);
836 if (!(fFlags & RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR))
837 rc = rc2;
838 }
839 break;
840 }
841 }
842 RTDirClose(hDir);
843 }
844 }
845 else
846 rc = VERR_FILENAME_TOO_LONG;
847 }
848 return rc;
849}
850RT_EXPORT_SYMBOL(RTCrStoreCertAddWantedFromDir);
851
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette