VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/store.cpp@ 57444

Last change on this file since 57444 was 57358, checked in by vboxsync, 9 years ago

*: scm cleanup run.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 14.2 KB
Line 
1/* $Id: store.cpp 57358 2015-08-14 15:16:38Z vboxsync $ */
2/** @file
3 * IPRT - Cryptographic (Certificate) Store.
4 */
5
6/*
7 * Copyright (C) 2006-2015 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#include "internal/iprt.h"
32#include <iprt/crypto/store.h>
33
34#include <iprt/asm.h>
35#include <iprt/err.h>
36#include <iprt/mem.h>
37#include <iprt/string.h>
38
39#include <iprt/crypto/x509.h>
40
41#ifdef IPRT_WITH_OPENSSL
42# include <openssl/x509.h>
43#endif
44
45#include "store-internal.h"
46
47
48/*********************************************************************************************************************************
49* Structures and Typedefs *
50*********************************************************************************************************************************/
51/**
52 * Internal representation of a (certificate,++) store.
53 */
54typedef struct RTCRSTOREINT
55{
56 /** Magic number (RTCRSTOREINT_MAGIC). */
57 uint32_t u32Magic;
58 /** Reference counter. */
59 uint32_t volatile cRefs;
60 /** Pointer to the store provider. */
61 PCRTCRSTOREPROVIDER pProvider;
62 /** Provider specific data. */
63 void *pvProvider;
64} RTCRSTOREINT;
65/** Pointer to the internal representation of a store. */
66typedef RTCRSTOREINT *PRTCRSTOREINT;
67
68/** Magic value for RTCRSTOREINT::u32Magic (Alfred Dillwyn "Dilly" Knox). */
69#define RTCRSTOREINT_MAGIC UINT32_C(0x18840723)
70/** Dead magic value for RTCRSTOREINT::u32Magic. */
71#define RTCRSTOREINT_MAGIC_DEAD UINT32_C(0x19430227)
72
73
74
75/**
76 * Internal method a store provider uses to create a store handle.
77 *
78 * @returns IPRT status code
79 * @param pProvider Pointer to the store provider callback table.
80 * @param pvProvider Pointer to the provider specific instance data.
81 * @param phStore Where to return the store handle.
82 */
83DECLHIDDEN(int) rtCrStoreCreate(PCRTCRSTOREPROVIDER pProvider, void *pvProvider, PRTCRSTORE phStore)
84{
85 PRTCRSTOREINT pThis = (PRTCRSTOREINT)RTMemAlloc(sizeof(*pThis));
86 if (pThis)
87 {
88 pThis->pvProvider = pvProvider;
89 pThis->pProvider = pProvider;
90 pThis->cRefs = 1;
91 pThis->u32Magic = RTCRSTOREINT_MAGIC;
92 *phStore = pThis;
93 return VINF_SUCCESS;
94 }
95 return VERR_NO_MEMORY;
96}
97
98
99
100RTDECL(uint32_t) RTCrStoreRetain(RTCRSTORE hStore)
101{
102 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
103 AssertPtrReturn(pThis, UINT32_MAX);
104 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, UINT32_MAX);
105
106 uint32_t cRet = ASMAtomicIncU32(&pThis->cRefs);
107 Assert(cRet < 8192);
108 return cRet;
109}
110
111
112RTDECL(uint32_t) RTCrStoreRelease(RTCRSTORE hStore)
113{
114 if (hStore == NIL_RTCRSTORE)
115 return 0;
116
117 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
118 AssertPtrReturn(pThis, UINT32_MAX);
119 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, UINT32_MAX);
120
121 uint32_t cStore = ASMAtomicDecU32(&pThis->cRefs);
122 if (!cStore)
123 {
124 ASMAtomicWriteU32(&pThis->u32Magic, RTCRSTOREINT_MAGIC_DEAD);
125 pThis->pProvider->pfnDestroyStore(pThis->pvProvider);
126 RTMemFree(pThis);
127 }
128 return cStore;
129}
130
131
132RTDECL(PCRTCRCERTCTX) RTCrStoreCertByIssuerAndSerialNo(RTCRSTORE hStore, PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNo)
133{
134 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
135 AssertPtrReturn(pThis, NULL);
136 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, NULL);
137 AssertPtrReturn(pIssuer, NULL);
138
139 int rc;
140 RTCRSTORECERTSEARCH Search;
141 if (pThis->pProvider->pfnCertFindByIssuerAndSerialNo)
142 rc = pThis->pProvider->pfnCertFindByIssuerAndSerialNo(pThis->pvProvider, pIssuer, pSerialNo, &Search);
143 else
144 rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, &Search);
145
146 PCRTCRCERTCTX pCertCtx = NULL;
147 if (RT_SUCCESS(rc))
148 {
149 for (;;)
150 {
151 pCertCtx = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, &Search);
152 if (!pCertCtx)
153 break;
154
155 if ( pCertCtx->pCert
156 && RTCrX509Certificate_MatchIssuerAndSerialNumber(pCertCtx->pCert, pIssuer, pSerialNo))
157 break;
158 RTCrCertCtxRelease(pCertCtx);
159 }
160
161 pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, &Search);
162 }
163 else
164 AssertMsg(rc == VERR_NOT_FOUND, ("%Rrc\n", rc));
165 return pCertCtx;
166}
167
168
169RTDECL(int) RTCrStoreCertAddEncoded(RTCRSTORE hStore, uint32_t fFlags, void const *pvSrc, size_t cbSrc, PRTERRINFO pErrInfo)
170{
171 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
172 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
173 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
174 AssertPtrReturn(pvSrc, VERR_INVALID_POINTER);
175 AssertReturn(cbSrc > 16 && cbSrc < _1M, VERR_OUT_OF_RANGE);
176 AssertMsgReturn( fFlags == RTCRCERTCTX_F_ENC_X509_DER
177 || fFlags == RTCRCERTCTX_F_ENC_TAF_DER
178 , ("Only X.509 and TAF DER supported: %#x\n", fFlags), VERR_INVALID_FLAGS);
179
180 int rc;
181 if (pThis->pProvider->pfnCertAddEncoded)
182 rc = pThis->pProvider->pfnCertAddEncoded(pThis->pvProvider, fFlags, (uint8_t const *)pvSrc, (uint32_t)cbSrc, pErrInfo);
183 else
184 rc = VERR_WRITE_PROTECT;
185
186 return rc;
187}
188
189
190
191/*
192 * Searching.
193 * Searching.
194 * Searching.
195 */
196
197RTDECL(int) RTCrStoreCertFindAll(RTCRSTORE hStore, PRTCRSTORECERTSEARCH pSearch)
198{
199 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
200 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
201 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
202 AssertPtrReturn(pSearch, VERR_INVALID_POINTER);
203
204 return pThis->pProvider->pfnCertFindAll(pThis->pvProvider, pSearch);
205}
206
207
208/** Indicator for RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280 searches
209 * implemented by this front-end code. */
210#define RTCRSTORECERTSEARCH_BY_SUBECT_OR_ALT_SUBJECT_BY_RFC5280 UINT32_C(0x5be9145d)
211
212RTDECL(int) RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280(RTCRSTORE hStore, PCRTCRX509NAME pSubject,
213 PRTCRSTORECERTSEARCH pSearch)
214{
215 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
216 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
217 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
218 AssertPtrReturn(pSearch, VERR_INVALID_POINTER);
219
220 int rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, pSearch);
221 if (RT_SUCCESS(rc))
222 {
223 pSearch->auOpaque[2] = RTCRSTORECERTSEARCH_BY_SUBECT_OR_ALT_SUBJECT_BY_RFC5280;
224 pSearch->auOpaque[3] = (uintptr_t)pSubject;
225 }
226 return rc;
227}
228
229
230RTDECL(PCRTCRCERTCTX) RTCrStoreCertSearchNext(RTCRSTORE hStore, PRTCRSTORECERTSEARCH pSearch)
231{
232 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
233 AssertPtrReturn(pThis, NULL);
234 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, NULL);
235 AssertPtrReturn(pSearch, NULL);
236
237 PCRTCRCERTCTX pRet;
238 switch (pSearch->auOpaque[2])
239 {
240 default:
241 pRet = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, pSearch);
242 break;
243
244 case RTCRSTORECERTSEARCH_BY_SUBECT_OR_ALT_SUBJECT_BY_RFC5280:
245 {
246 PCRTCRX509NAME pSubject = (PCRTCRX509NAME)pSearch->auOpaque[3];
247 AssertPtrReturn(pSubject, NULL);
248
249 for (;;)
250 {
251 pRet = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, pSearch);
252 if (!pRet)
253 break;
254 if (pRet->pCert)
255 {
256 if (RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(pRet->pCert, pSubject))
257 break;
258 }
259 else if (pRet->pTaInfo)
260 {
261 if ( RTCrTafCertPathControls_IsPresent(&pRet->pTaInfo->CertPath)
262 && RTCrX509Name_MatchByRfc5280(&pRet->pTaInfo->CertPath.TaName, pSubject))
263 break;
264 }
265 RTCrCertCtxRelease(pRet);
266 }
267 break;
268 }
269 }
270 return pRet;
271}
272
273
274RTDECL(int) RTCrStoreCertSearchDestroy(RTCRSTORE hStore, PRTCRSTORECERTSEARCH pSearch)
275{
276 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
277 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
278 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
279 if (pSearch)
280 {
281 AssertPtrReturn(pSearch, VERR_INVALID_POINTER);
282 pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, pSearch);
283 }
284 return VINF_SUCCESS;
285}
286
287
288
289#ifdef IPRT_WITH_OPENSSL
290/*
291 * OpenSSL helper.
292 * OpenSSL helper.
293 * OpenSSL helper.
294 */
295
296RTDECL(int) RTCrStoreConvertToOpenSslCertStore(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStore)
297{
298 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
299 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
300 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
301
302 /*
303 * Use the pfnCertFindAll method to add all certificates to the store we're returning.
304 */
305 int rc;
306 X509_STORE *pOsslStore = X509_STORE_new();
307 if (pOsslStore)
308 {
309 RTCRSTORECERTSEARCH Search;
310 rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, &Search);
311 if (RT_SUCCESS(rc))
312 {
313 do
314 {
315 PCRTCRCERTCTX pCertCtx = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, &Search);
316 if (!pCertCtx)
317 break;
318
319 if (pCertCtx->fFlags & RTCRCERTCTX_F_ENC_X509_DER)
320 {
321 X509 *pOsslCert = NULL;
322 const unsigned char *pabEncoded = (const unsigned char *)pCertCtx->pabEncoded;
323 if (d2i_X509(&pOsslCert, &pabEncoded, pCertCtx->cbEncoded) == pOsslCert)
324 {
325 if (!X509_STORE_add_cert(pOsslStore, pOsslCert))
326 rc = VERR_NO_MEMORY;
327 X509_free(pOsslCert);
328 }
329 }
330
331 RTCrCertCtxRelease(pCertCtx);
332 } while (RT_SUCCESS(rc));
333
334 pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, &Search);
335 if (RT_SUCCESS(rc))
336 {
337 *ppvOpenSslStore = pOsslStore;
338 return VINF_SUCCESS;
339 }
340 }
341 X509_STORE_free(pOsslStore);
342 }
343 else
344 rc = VERR_NO_MEMORY;
345 return rc;
346}
347
348
349RTDECL(int) RTCrStoreConvertToOpenSslCertStack(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStack)
350{
351 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
352 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
353 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
354
355 /*
356 * Use the pfnCertFindAll method to add all certificates to the store we're returning.
357 */
358 int rc;
359 STACK_OF(X509) *pOsslStack = sk_X509_new_null();
360 if (pOsslStack)
361 {
362 RTCRSTORECERTSEARCH Search;
363 rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, &Search);
364 if (RT_SUCCESS(rc))
365 {
366 do
367 {
368 PCRTCRCERTCTX pCertCtx = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, &Search);
369 if (!pCertCtx)
370 break;
371
372 if (pCertCtx->fFlags & RTCRCERTCTX_F_ENC_X509_DER)
373 {
374 X509 *pOsslCert = NULL;
375 const unsigned char *pabEncoded = (const unsigned char *)pCertCtx->pabEncoded;
376 if (d2i_X509(&pOsslCert, &pabEncoded, pCertCtx->cbEncoded) == pOsslCert)
377 {
378 if (!sk_X509_push(pOsslStack, pOsslCert))
379 {
380 rc = VERR_NO_MEMORY;
381 X509_free(pOsslCert);
382 }
383 }
384 }
385
386 RTCrCertCtxRelease(pCertCtx);
387 } while (RT_SUCCESS(rc));
388
389 pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, &Search);
390 if (RT_SUCCESS(rc))
391 {
392 *ppvOpenSslStack = pOsslStack;
393 return VINF_SUCCESS;
394 }
395 }
396 sk_X509_pop_free(pOsslStack, X509_free);
397 }
398 else
399 rc = VERR_NO_MEMORY;
400 return rc;
401}
402
403#endif /* IPRT_WITH_OPENSSL */
404
405
406/*
407 * Certificate context.
408 * Certificate context.
409 * Certificate context.
410 */
411
412
413RTDECL(uint32_t) RTCrCertCtxRetain(PCRTCRCERTCTX pCertCtx)
414{
415 AssertPtrReturn(pCertCtx, UINT32_MAX);
416 PRTCRCERTCTXINT pThis = RT_FROM_MEMBER(pCertCtx, RTCRCERTCTXINT, Public);
417 AssertReturn(pThis->u32Magic == RTCRCERTCTXINT_MAGIC, UINT32_MAX);
418 uint32_t cRet = ASMAtomicIncU32(&pThis->cRefs);
419 Assert(cRet < 64);
420 return cRet;
421}
422
423
424RTDECL(uint32_t) RTCrCertCtxRelease(PCRTCRCERTCTX pCertCtx)
425{
426 if (!pCertCtx)
427 return 0;
428
429 AssertPtrReturn(pCertCtx, UINT32_MAX);
430 PRTCRCERTCTXINT pThis = RT_FROM_MEMBER(pCertCtx, RTCRCERTCTXINT, Public);
431 AssertReturn(pThis->u32Magic == RTCRCERTCTXINT_MAGIC, UINT32_MAX);
432 uint32_t cRet = ASMAtomicDecU32(&pThis->cRefs);
433 if (!cRet)
434 {
435 ASMAtomicWriteU32(&pThis->u32Magic, RTCRCERTCTXINT_MAGIC_DEAD);
436 pThis->pfnDtor(pThis);
437 }
438 return cRet;
439}
440
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette