x509-certpaths.cpp

Last change on this file was 106061, checked in by vboxsync, 2 months ago
Copyright year updates by scm.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 112.8 KB

Line
1	/* $Id: x509-certpaths.cpp 106061 2024-09-16 14:03:52Z vboxsync $ */
2	/** @file
3	* IPRT - Crypto - X.509, Simple Certificate Path Builder & Validator.
4	*/
5
6	/*
7	* Copyright (C) 2006-2024 Oracle and/or its affiliates.
8	*
9	* This file is part of VirtualBox base platform packages, as
10	* available from https://www.virtualbox.org.
11	*
12	* This program is free software; you can redistribute it and/or
13	* modify it under the terms of the GNU General Public License
14	* as published by the Free Software Foundation, in version 3 of the
15	* License.
16	*
17	* This program is distributed in the hope that it will be useful, but
18	* WITHOUT ANY WARRANTY; without even the implied warranty of
19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20	* General Public License for more details.
21	*
22	* You should have received a copy of the GNU General Public License
23	* along with this program; if not, see <https://www.gnu.org/licenses>.
24	*
25	* The contents of this file may alternatively be used under the terms
26	* of the Common Development and Distribution License Version 1.0
27	* (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
28	* in the VirtualBox distribution, in which case the provisions of the
29	* CDDL are applicable instead of those of the GPL.
30	*
31	* You may elect to license modified versions of this file under the
32	* terms and conditions of either the GPL or the CDDL or both.
33	*
34	* SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
35	*/
36
37
38	/*********************************************************************************************************************************
39	* Header Files *
40	*********************************************************************************************************************************/
41	#define LOG_GROUP RTLOGGROUP_CRYPTO
42	#include "internal/iprt.h"
43	#include <iprt/crypto/x509.h>
44
45	#include <iprt/asm.h>
46	#include <iprt/ctype.h>
47	#include <iprt/err.h>
48	#include <iprt/mem.h>
49	#include <iprt/string.h>
50	#include <iprt/list.h>
51	#include <iprt/log.h>
52	#include <iprt/time.h>
53	#include <iprt/crypto/applecodesign.h> /* critical extension OIDs */
54	#include <iprt/crypto/pkcs7.h> /* PCRTCRPKCS7SETOFCERTS */
55	#include <iprt/crypto/store.h>
56
57	#include "x509-internal.h"
58
59
60	/*********************************************************************************************************************************
61	* Structures and Typedefs *
62	*********************************************************************************************************************************/
63	/**
64	* X.509 certificate path node.
65	*/
66	typedef struct RTCRX509CERTPATHNODE
67	{
68	/** Sibling list entry. */
69	RTLISTNODE SiblingEntry;
70	/** List of children or leaf list entry. */
71	RTLISTANCHOR ChildListOrLeafEntry;
72	/** Pointer to the parent node. NULL for root. */
73	struct RTCRX509CERTPATHNODE *pParent;
74
75	/** The distance between this node and the target. */
76	uint32_t uDepth : 8;
77	/** Indicates the source of this certificate. */
78	uint32_t uSrc : 3;
79	/** Set if this is a leaf node. */
80	uint32_t fLeaf : 1;
81	/** Makes sure it's a 32-bit bitfield. */
82	uint32_t uReserved : 20;
83
84	/** Leaf only: The result of the last path vertification. */
85	int rcVerify;
86
87	/** Pointer to the certificate. This can be NULL only for trust anchors. */
88	PCRTCRX509CERTIFICATE pCert;
89
90	/** If the certificate or trust anchor was obtained from a store, this is the
91	* associated certificate context (referenced of course). This is used to
92	* access the trust anchor information, if present.
93	*
94	* (If this is NULL it's from a certificate array or some such given directly to
95	* the path building code. It's assumed the caller doesn't free these until the
96	* path validation/whatever is done with and the paths destroyed.) */
97	PCRTCRCERTCTX pCertCtx;
98	} RTCRX509CERTPATHNODE;
99	/** Pointer to a X.509 path node. */
100	typedef RTCRX509CERTPATHNODE *PRTCRX509CERTPATHNODE;
101
102	/** @name RTCRX509CERTPATHNODE::uSrc values.
103	* The trusted and untrusted sources ordered in priority order, where higher
104	* number means high priority in case of duplicates.
105	* @{ */
106	#define RTCRX509CERTPATHNODE_SRC_NONE 0
107	#define RTCRX509CERTPATHNODE_SRC_TARGET 1
108	#define RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET 2
109	#define RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY 3
110	#define RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE 4
111	#define RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE 5
112	#define RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT 6
113	#define RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(uSrc) ((uSrc) >= RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE)
114	/** @} */
115
116
117	/**
118	* Policy tree node.
119	*/
120	typedef struct RTCRX509CERTPATHSPOLICYNODE
121	{
122	/** Sibling list entry. */
123	RTLISTNODE SiblingEntry;
124	/** Tree depth list entry. */
125	RTLISTNODE DepthEntry;
126	/** List of children or leaf list entry. */
127	RTLISTANCHOR ChildList;
128	/** Pointer to the parent. */
129	struct RTCRX509CERTPATHSPOLICYNODE *pParent;
130
131	/** The policy object ID. */
132	PCRTASN1OBJID pValidPolicy;
133
134	/** Optional sequence of policy qualifiers. */
135	PCRTCRX509POLICYQUALIFIERINFOS pPolicyQualifiers;
136
137	/** The first policy ID in the exepcted policy set. */
138	PCRTASN1OBJID pExpectedPolicyFirst;
139	/** Set if we've already mapped pExpectedPolicyFirst. */
140	bool fAlreadyMapped;
141	/** Number of additional items in the expected policy set. */
142	uint32_t cMoreExpectedPolicySet;
143	/** Additional items in the expected policy set. */
144	PCRTASN1OBJID *papMoreExpectedPolicySet;
145	} RTCRX509CERTPATHSPOLICYNODE;
146	/** Pointer to a policy tree node. */
147	typedef RTCRX509CERTPATHSPOLICYNODE *PRTCRX509CERTPATHSPOLICYNODE;
148
149
150	/**
151	* Path builder and validator instance.
152	*
153	* The path builder creates a tree of certificates by forward searching from the
154	* end-entity towards a trusted source. The leaf nodes are inserted into list
155	* ordered by the source of the leaf certificate and the path length (i.e. tree
156	* depth).
157	*
158	* The path validator works the tree from the leaf end and validates each
159	* potential path found by the builder. It is generally happy with one working
160	* path, but may be told to verify all of them.
161	*/
162	typedef struct RTCRX509CERTPATHSINT
163	{
164	/** Magic number. */
165	uint32_t u32Magic;
166	/** Reference counter. */
167	uint32_t volatile cRefs;
168
169	/** @name Input
170	* @{ */
171	/** The target certificate (end entity) to build a trusted path for. */
172	PCRTCRX509CERTIFICATE pTarget;
173
174	/** Lone trusted certificate. */
175	PCRTCRX509CERTIFICATE pTrustedCert;
176	/** Store of trusted certificates. */
177	RTCRSTORE hTrustedStore;
178
179	/** Store of untrusted certificates. */
180	RTCRSTORE hUntrustedStore;
181	/** Array of untrusted certificates, typically from the protocol. */
182	PCRTCRX509CERTIFICATE paUntrustedCerts;
183	/** Number of entries in paUntrusted. */
184	uint32_t cUntrustedCerts;
185	/** Set of untrusted PKCS \#7 / CMS certificatess. */
186	PCRTCRPKCS7SETOFCERTS pUntrustedCertsSet;
187
188	/** UTC time we're going to validate the path at, requires
189	* RTCRX509CERTPATHSINT_F_VALID_TIME to be set. */
190	RTTIMESPEC ValidTime;
191	/** Number of policy OIDs in the user initial policy set, 0 means anyPolicy. */
192	uint32_t cInitialUserPolicySet;
193	/** The user initial policy set. As with all other user provided data, we
194	* assume it's immutable and remains valid for the usage period of the path
195	* builder & validator. */
196	PCRTASN1OBJID *papInitialUserPolicySet;
197	/** Number of certificates before the user wants an explicit policy result.
198	* Set to UINT32_MAX no explicit policy restriction required by the user. */
199	uint32_t cInitialExplicitPolicy;
200	/** Number of certificates before the user wants policy mapping to be
201	* inhibited. Set to UINT32_MAX if no initial policy mapping inhibition
202	* desired by the user. */
203	uint32_t cInitialPolicyMappingInhibit;
204	/** Number of certificates before the user wants the anyPolicy to be rejected.
205	* Set to UINT32_MAX no explicit policy restriction required by the user. */
206	uint32_t cInitialInhibitAnyPolicy;
207	/** Initial name restriction: Permitted subtrees. */
208	PCRTCRX509GENERALSUBTREES pInitialPermittedSubtrees;
209	/** Initial name restriction: Excluded subtrees. */
210	PCRTCRX509GENERALSUBTREES pInitialExcludedSubtrees;
211
212	/** Flags RTCRX509CERTPATHSINT_F_XXX. */
213	uint32_t fFlags;
214	/** @} */
215
216	/** Sticky status for remembering allocation errors and the like. */
217	int32_t rc;
218	/** Where to store extended error info (optional). */
219	PRTERRINFO pErrInfo;
220
221	/** @name Path Builder Output
222	* @{ */
223	/** Pointer to the root of the tree. This will always be non-NULL after path
224	* building and thus can be reliably used to tell if path building has taken
225	* place or not. */
226	PRTCRX509CERTPATHNODE pRoot;
227	/** List of working leaf tree nodes. */
228	RTLISTANCHOR LeafList;
229	/** The number of paths (leafs). */
230	uint32_t cPaths;
231	/** @} */
232
233	/** Path Validator State. */
234	struct
235	{
236	/** Number of nodes in the certificate path we're validating (aka 'n'). */
237	uint32_t cNodes;
238	/** The current node (0 being the trust anchor). */
239	uint32_t iNode;
240
241	/** The root node of the valid policy tree. */
242	PRTCRX509CERTPATHSPOLICYNODE pValidPolicyTree;
243	/** An array of length cNodes + 1 which tracks all nodes at the given (index)
244	* tree depth via the RTCRX509CERTPATHSPOLICYNODE::DepthEntry member. */
245	PRTLISTANCHOR paValidPolicyDepthLists;
246
247	/** Number of entries in paPermittedSubtrees (name constraints).
248	* If zero, no permitted name constrains currently in effect. */
249	uint32_t cPermittedSubtrees;
250	/** The allocated size of papExcludedSubtrees */
251	uint32_t cPermittedSubtreesAlloc;
252	/** Array of permitted subtrees we've collected so far (name constraints). */
253	PCRTCRX509GENERALSUBTREE *papPermittedSubtrees;
254	/** Set if we end up with an empty set after calculating a name constraints
255	* union. */
256	bool fNoPermittedSubtrees;
257
258	/** Number of entries in paExcludedSubtrees (name constraints).
259	* If zero, no excluded name constrains currently in effect. */
260	uint32_t cExcludedSubtrees;
261	/** Array of excluded subtrees we've collected so far (name constraints). */
262	PCRTCRX509GENERALSUBTREES *papExcludedSubtrees;
263
264	/** Number of non-self-issued certificates to be processed before a non-NULL
265	* paValidPolicyTree is required. */
266	uint32_t cExplicitPolicy;
267	/** Number of non-self-issued certificates to be processed we stop processing
268	* policy mapping extensions. */
269	uint32_t cInhibitPolicyMapping;
270	/** Number of non-self-issued certificates to be processed before a the
271	* anyPolicy is rejected. */
272	uint32_t cInhibitAnyPolicy;
273	/** Number of non-self-issued certificates we're allowed to process. */
274	uint32_t cMaxPathLength;
275
276	/** The working issuer name. */
277	PCRTCRX509NAME pWorkingIssuer;
278	/** The working public key algorithm ID. */
279	PCRTASN1OBJID pWorkingPublicKeyAlgorithm;
280	/** The working public key algorithm parameters. */
281	PCRTASN1DYNTYPE pWorkingPublicKeyParameters;
282	/** A bit string containing the public key. */
283	PCRTASN1BITSTRING pWorkingPublicKey;
284	} v;
285
286	/** An object identifier initialized to anyPolicy. */
287	RTASN1OBJID AnyPolicyObjId;
288
289	/** Temporary scratch space. */
290	char szTmp[1024];
291	} RTCRX509CERTPATHSINT;
292	typedef RTCRX509CERTPATHSINT *PRTCRX509CERTPATHSINT;
293
294	/** Magic value for RTCRX509CERTPATHSINT::u32Magic (Bruce Schneier). */
295	#define RTCRX509CERTPATHSINT_MAGIC UINT32_C(0x19630115)
296
297	/** @name RTCRX509CERTPATHSINT_F_XXX - Certificate path build flags.
298	* @{ */
299	#define RTCRX509CERTPATHSINT_F_VALID_TIME RT_BIT_32(0)
300	#define RTCRX509CERTPATHSINT_F_ELIMINATE_UNTRUSTED_PATHS RT_BIT_32(1)
301	/** Whether checking the trust anchor signature (if self signed) and
302	* that it is valid at the verification time, also require it to be a CA if not
303	* leaf node. */
304	#define RTCRX509CERTPATHSINT_F_CHECK_TRUST_ANCHOR RT_BIT_32(2)
305	#define RTCRX509CERTPATHSINT_F_VALID_MASK UINT32_C(0x00000007)
306	/** @} */
307
308
309	/*********************************************************************************************************************************
310	* Internal Functions *
311	*********************************************************************************************************************************/
312	static void rtCrX509CertPathsDestroyTree(PRTCRX509CERTPATHSINT pThis);
313	static void rtCrX509CpvCleanup(PRTCRX509CERTPATHSINT pThis);
314
315
316	/** @name Path Builder and Validator Config APIs
317	* @{
318	*/
319
320	RTDECL(int) RTCrX509CertPathsCreate(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget)
321	{
322	AssertPtrReturn(phCertPaths, VERR_INVALID_POINTER);
323
324	PRTCRX509CERTPATHSINT pThis = (PRTCRX509CERTPATHSINT)RTMemAllocZ(sizeof(*pThis));
325	if (pThis)
326	{
327	int rc = RTAsn1ObjId_InitFromString(&pThis->AnyPolicyObjId, RTCRX509_ID_CE_CP_ANY_POLICY_OID, &g_RTAsn1DefaultAllocator);
328	if (RT_SUCCESS(rc))
329	{
330	pThis->u32Magic = RTCRX509CERTPATHSINT_MAGIC;
331	pThis->cRefs = 1;
332	pThis->pTarget = pTarget;
333	pThis->hTrustedStore = NIL_RTCRSTORE;
334	pThis->hUntrustedStore = NIL_RTCRSTORE;
335	pThis->cInitialExplicitPolicy = UINT32_MAX;
336	pThis->cInitialPolicyMappingInhibit = UINT32_MAX;
337	pThis->cInitialInhibitAnyPolicy = UINT32_MAX;
338	pThis->rc = VINF_SUCCESS;
339	RTListInit(&pThis->LeafList);
340	*phCertPaths = pThis;
341	return VINF_SUCCESS;
342	}
343	return rc;
344	}
345	return VERR_NO_MEMORY;
346	}
347
348
349	RTDECL(uint32_t) RTCrX509CertPathsRetain(RTCRX509CERTPATHS hCertPaths)
350	{
351	PRTCRX509CERTPATHSINT pThis = hCertPaths;
352	AssertPtrReturn(pThis, UINT32_MAX);
353
354	uint32_t cRefs = ASMAtomicIncU32(&pThis->cRefs);
355	Assert(cRefs > 0 && cRefs < 64);
356	return cRefs;
357	}
358
359
360	RTDECL(uint32_t) RTCrX509CertPathsRelease(RTCRX509CERTPATHS hCertPaths)
361	{
362	uint32_t cRefs;
363	if (hCertPaths != NIL_RTCRX509CERTPATHS)
364	{
365	PRTCRX509CERTPATHSINT pThis = hCertPaths;
366	AssertPtrReturn(pThis, UINT32_MAX);
367	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, UINT32_MAX);
368
369	cRefs = ASMAtomicDecU32(&pThis->cRefs);
370	Assert(cRefs < 64);
371	if (!cRefs)
372	{
373	/*
374	* No more references, destroy the whole thing.
375	*/
376	ASMAtomicWriteU32(&pThis->u32Magic, ~RTCRX509CERTPATHSINT_MAGIC);
377
378	/* config */
379	pThis->pTarget = NULL; /* Referencing user memory. */
380	pThis->pTrustedCert = NULL; /* Referencing user memory. */
381	RTCrStoreRelease(pThis->hTrustedStore);
382	pThis->hTrustedStore = NIL_RTCRSTORE;
383	RTCrStoreRelease(pThis->hUntrustedStore);
384	pThis->hUntrustedStore = NIL_RTCRSTORE;
385	pThis->paUntrustedCerts = NULL; /* Referencing user memory. */
386	pThis->pUntrustedCertsSet = NULL; /* Referencing user memory. */
387	pThis->papInitialUserPolicySet = NULL; /* Referencing user memory. */
388	pThis->pInitialPermittedSubtrees = NULL; /* Referencing user memory. */
389	pThis->pInitialExcludedSubtrees = NULL; /* Referencing user memory. */
390
391	/* builder */
392	rtCrX509CertPathsDestroyTree(pThis);
393
394	/* validator */
395	rtCrX509CpvCleanup(pThis);
396
397	/* misc */
398	RTAsn1VtDelete(&pThis->AnyPolicyObjId.Asn1Core);
399
400	/* Finally, the instance itself. */
401	RTMemFree(pThis);
402	}
403	}
404	else
405	cRefs = 0;
406	return cRefs;
407	}
408
409
410
411	RTDECL(int) RTCrX509CertPathsSetTrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hTrustedStore)
412	{
413	PRTCRX509CERTPATHSINT pThis = hCertPaths;
414	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
415	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
416	AssertReturn(pThis->pRoot == NULL, VERR_WRONG_ORDER);
417
418	if (pThis->hTrustedStore != NIL_RTCRSTORE)
419	{
420	RTCrStoreRelease(pThis->hTrustedStore);
421	pThis->hTrustedStore = NIL_RTCRSTORE;
422	}
423	if (hTrustedStore != NIL_RTCRSTORE)
424	{
425	AssertReturn(RTCrStoreRetain(hTrustedStore) != UINT32_MAX, VERR_INVALID_HANDLE);
426	pThis->hTrustedStore = hTrustedStore;
427	}
428	return VINF_SUCCESS;
429	}
430
431
432	RTDECL(int) RTCrX509CertPathsSetUntrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hUntrustedStore)
433	{
434	PRTCRX509CERTPATHSINT pThis = hCertPaths;
435	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
436	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
437	AssertReturn(pThis->pRoot == NULL, VERR_WRONG_ORDER);
438
439	if (pThis->hUntrustedStore != NIL_RTCRSTORE)
440	{
441	RTCrStoreRelease(pThis->hUntrustedStore);
442	pThis->hUntrustedStore = NIL_RTCRSTORE;
443	}
444	if (hUntrustedStore != NIL_RTCRSTORE)
445	{
446	AssertReturn(RTCrStoreRetain(hUntrustedStore) != UINT32_MAX, VERR_INVALID_HANDLE);
447	pThis->hUntrustedStore = hUntrustedStore;
448	}
449	return VINF_SUCCESS;
450	}
451
452
453	RTDECL(int) RTCrX509CertPathsSetUntrustedArray(RTCRX509CERTPATHS hCertPaths, PCRTCRX509CERTIFICATE paCerts, uint32_t cCerts)
454	{
455	PRTCRX509CERTPATHSINT pThis = hCertPaths;
456	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
457	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
458
459	pThis->paUntrustedCerts = paCerts;
460	pThis->cUntrustedCerts = cCerts;
461	return VINF_SUCCESS;
462	}
463
464
465	RTDECL(int) RTCrX509CertPathsSetUntrustedSet(RTCRX509CERTPATHS hCertPaths, PCRTCRPKCS7SETOFCERTS pSetOfCerts)
466	{
467	PRTCRX509CERTPATHSINT pThis = hCertPaths;
468	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
469	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
470
471	pThis->pUntrustedCertsSet = pSetOfCerts;
472	return VINF_SUCCESS;
473	}
474
475
476	RTDECL(int) RTCrX509CertPathsSetValidTime(RTCRX509CERTPATHS hCertPaths, PCRTTIME pTime)
477	{
478	PRTCRX509CERTPATHSINT pThis = hCertPaths;
479	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
480	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
481
482	/* Allow this after building paths, as it's only used during verification. */
483
484	if (pTime)
485	{
486	if (RTTimeImplode(&pThis->ValidTime, pTime))
487	return VERR_INVALID_PARAMETER;
488	pThis->fFlags \|= RTCRX509CERTPATHSINT_F_VALID_TIME;
489	}
490	else
491	pThis->fFlags &= ~RTCRX509CERTPATHSINT_F_VALID_TIME;
492	return VINF_SUCCESS;
493	}
494
495
496	RTDECL(int) RTCrX509CertPathsSetValidTimeSpec(RTCRX509CERTPATHS hCertPaths, PCRTTIMESPEC pTimeSpec)
497	{
498	PRTCRX509CERTPATHSINT pThis = hCertPaths;
499	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
500	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
501
502	/* Allow this after building paths, as it's only used during verification. */
503
504	if (pTimeSpec)
505	{
506	pThis->ValidTime = *pTimeSpec;
507	pThis->fFlags \|= RTCRX509CERTPATHSINT_F_VALID_TIME;
508	}
509	else
510	pThis->fFlags &= ~RTCRX509CERTPATHSINT_F_VALID_TIME;
511	return VINF_SUCCESS;
512	}
513
514
515	RTDECL(int) RTCrX509CertPathsSetTrustAnchorChecks(RTCRX509CERTPATHS hCertPaths, bool fEnable)
516	{
517	PRTCRX509CERTPATHSINT pThis = hCertPaths;
518	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
519	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
520
521	if (fEnable)
522	pThis->fFlags \|= RTCRX509CERTPATHSINT_F_CHECK_TRUST_ANCHOR;
523	else
524	pThis->fFlags &= ~RTCRX509CERTPATHSINT_F_CHECK_TRUST_ANCHOR;
525	return VINF_SUCCESS;
526	}
527
528
529	RTDECL(int) RTCrX509CertPathsCreateEx(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget, RTCRSTORE hTrustedStore,
530	RTCRSTORE hUntrustedStore, PCRTCRX509CERTIFICATE paUntrustedCerts, uint32_t cUntrustedCerts,
531	PCRTTIMESPEC pValidTime)
532	{
533	int rc = RTCrX509CertPathsCreate(phCertPaths, pTarget);
534	if (RT_SUCCESS(rc))
535	{
536	PRTCRX509CERTPATHSINT pThis = *phCertPaths;
537
538	rc = RTCrX509CertPathsSetTrustedStore(pThis, hTrustedStore);
539	if (RT_SUCCESS(rc))
540	{
541	rc = RTCrX509CertPathsSetUntrustedStore(pThis, hUntrustedStore);
542	if (RT_SUCCESS(rc))
543	{
544	rc = RTCrX509CertPathsSetUntrustedArray(pThis, paUntrustedCerts, cUntrustedCerts);
545	if (RT_SUCCESS(rc))
546	{
547	rc = RTCrX509CertPathsSetValidTimeSpec(pThis, pValidTime);
548	if (RT_SUCCESS(rc))
549	{
550	return VINF_SUCCESS;
551	}
552	}
553	RTCrStoreRelease(pThis->hUntrustedStore);
554	}
555	RTCrStoreRelease(pThis->hTrustedStore);
556	}
557	RTMemFree(pThis);
558	*phCertPaths = NIL_RTCRX509CERTPATHS;
559	}
560	return rc;
561	}
562
563	/** @} */
564
565
566
567	/** @name Path Builder and Validator Common Utility Functions.
568	* @{
569	*/
570
571	/**
572	* Checks if the certificate is self-issued.
573	*
574	* @returns true / false.
575	* @param pNode The path node to check..
576	*/
577	static bool rtCrX509CertPathsIsSelfIssued(PRTCRX509CERTPATHNODE pNode)
578	{
579	return pNode->pCert
580	&& RTCrX509Name_MatchByRfc5280(&pNode->pCert->TbsCertificate.Subject, &pNode->pCert->TbsCertificate.Issuer);
581	}
582
583	/**
584	* Helper for checking whether a certificate is in the trusted store or not.
585	*/
586	static bool rtCrX509CertPathsIsCertInStore(PRTCRX509CERTPATHNODE pNode, RTCRSTORE hStore)
587	{
588	bool fRc = false;
589	PCRTCRCERTCTX pCertCtx = RTCrStoreCertByIssuerAndSerialNo(hStore, &pNode->pCert->TbsCertificate.Issuer,
590	&pNode->pCert->TbsCertificate.SerialNumber);
591	if (pCertCtx)
592	{
593	if (pCertCtx->pCert)
594	fRc = RTCrX509Certificate_Compare(pCertCtx->pCert, pNode->pCert) == 0;
595	RTCrCertCtxRelease(pCertCtx);
596	}
597	return fRc;
598	}
599
600	/** @} */
601
602
603
604	/** @name Path Builder Functions.
605	* @{
606	*/
607
608	static PRTCRX509CERTPATHNODE rtCrX509CertPathsNewNode(PRTCRX509CERTPATHSINT pThis)
609	{
610	PRTCRX509CERTPATHNODE pNode = (PRTCRX509CERTPATHNODE)RTMemAllocZ(sizeof(*pNode));
611	if (RT_LIKELY(pNode))
612	{
613	RTListInit(&pNode->SiblingEntry);
614	RTListInit(&pNode->ChildListOrLeafEntry);
615	pNode->rcVerify = VERR_CR_X509_NOT_VERIFIED;
616
617	return pNode;
618	}
619
620	pThis->rc = RTErrInfoSet(pThis->pErrInfo, VERR_NO_MEMORY, "No memory for path node");
621	return NULL;
622	}
623
624
625	static void rtCrX509CertPathsDestroyNode(PRTCRX509CERTPATHNODE pNode)
626	{
627	if (pNode->pCertCtx)
628	{
629	RTCrCertCtxRelease(pNode->pCertCtx);
630	pNode->pCertCtx = NULL;
631	}
632	RT_ZERO(*pNode);
633	RTMemFree(pNode);
634	}
635
636
637	static void rtCrX509CertPathsAddIssuer(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pParent,
638	PCRTCRX509CERTIFICATE pCert, PCRTCRCERTCTX pCertCtx, uint8_t uSrc)
639	{
640	/*
641	* Check if we've seen this certificate already in the current path or
642	* among the already gathered issuers.
643	*/
644	if (pCert)
645	{
646	/* No duplicate certificates in the path. */
647	PRTCRX509CERTPATHNODE pTmpNode = pParent;
648	while (pTmpNode)
649	{
650	Assert(pTmpNode->pCert);
651	if ( pTmpNode->pCert == pCert
652	\|\| RTCrX509Certificate_Compare(pTmpNode->pCert, pCert) == 0)
653	{
654	/* If target and the source it trusted, upgrade the source so we can successfully verify single node 'paths'. */
655	if ( RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(uSrc)
656	&& pTmpNode == pParent
657	&& pTmpNode->uSrc == RTCRX509CERTPATHNODE_SRC_TARGET)
658	{
659	AssertReturnVoid(!pTmpNode->pParent);
660	pTmpNode->uSrc = uSrc;
661	}
662	return;
663	}
664	pTmpNode = pTmpNode->pParent;
665	}
666
667	/* No duplicate tree branches. */
668	RTListForEach(&pParent->ChildListOrLeafEntry, pTmpNode, RTCRX509CERTPATHNODE, SiblingEntry)
669	{
670	if (RTCrX509Certificate_Compare(pTmpNode->pCert, pCert) == 0)
671	return;
672	}
673	}
674	else
675	Assert(pCertCtx);
676
677	/*
678	* Reference the context core before making the allocation.
679	*/
680	if (pCertCtx)
681	AssertReturnVoidStmt(RTCrCertCtxRetain(pCertCtx) != UINT32_MAX,
682	pThis->rc = RTErrInfoSetF(pThis->pErrInfo, VERR_CR_X509_CPB_BAD_CERT_CTX,
683	"Bad pCertCtx=%p", pCertCtx));
684
685	/*
686	* We haven't see it, append it as a child.
687	*/
688	PRTCRX509CERTPATHNODE pNew = rtCrX509CertPathsNewNode(pThis);
689	if (pNew)
690	{
691	pNew->pParent = pParent;
692	pNew->pCert = pCert;
693	pNew->pCertCtx = pCertCtx;
694	pNew->uSrc = uSrc;
695	pNew->uDepth = pParent->uDepth + 1;
696	RTListAppend(&pParent->ChildListOrLeafEntry, &pNew->SiblingEntry);
697	Log2Func(("pNew=%p uSrc=%u uDepth=%u\n", pNew, uSrc, pNew->uDepth));
698	}
699	else
700	RTCrCertCtxRelease(pCertCtx);
701	}
702
703
704	static void rtCrX509CertPathsGetIssuersFromStore(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode,
705	PCRTCRX509NAME pIssuer, RTCRSTORE hStore, uint8_t uSrc)
706	{
707	RTCRSTORECERTSEARCH Search;
708	int rc = RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280(hStore, pIssuer, &Search);
709	if (RT_SUCCESS(rc))
710	{
711	PCRTCRCERTCTX pCertCtx;
712	while ((pCertCtx = RTCrStoreCertSearchNext(hStore, &Search)) != NULL)
713	{
714	if ( pCertCtx->pCert
715	\|\| ( RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(uSrc)
716	&& pCertCtx->pTaInfo) )
717	rtCrX509CertPathsAddIssuer(pThis, pNode, pCertCtx->pCert, pCertCtx, uSrc);
718	RTCrCertCtxRelease(pCertCtx);
719	}
720	RTCrStoreCertSearchDestroy(hStore, &Search);
721	}
722	}
723
724
725	static void rtCrX509CertPathsGetIssuers(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
726	{
727	Assert(RTListIsEmpty(&pNode->ChildListOrLeafEntry));
728	Assert(!pNode->fLeaf);
729	Assert(pNode->pCert);
730
731	/*
732	* Don't recurse infintely.
733	*/
734	if (RT_UNLIKELY(pNode->uDepth >= 50))
735	return;
736
737	PCRTCRX509NAME const pIssuer = &pNode->pCert->TbsCertificate.Issuer;
738	#if defined(LOG_ENABLED) && defined(IN_RING3)
739	if (LogIs2Enabled())
740	{
741	char szIssuer[128] = {0};
742	RTCrX509Name_FormatAsString(pIssuer, szIssuer, sizeof(szIssuer), NULL);
743	char szSubject[128] = {0};
744	RTCrX509Name_FormatAsString(&pNode->pCert->TbsCertificate.Subject, szSubject, sizeof(szSubject), NULL);
745	Log2Func(("pNode=%p uSrc=%u uDepth=%u Issuer='%s' (Subject='%s')\n", pNode, pNode->uSrc, pNode->uDepth, szIssuer, szSubject));
746	}
747	#endif
748
749	/*
750	* Trusted certificate.
751	*/
752	if ( pThis->pTrustedCert
753	&& RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(pThis->pTrustedCert, pIssuer))
754	rtCrX509CertPathsAddIssuer(pThis, pNode, pThis->pTrustedCert, NULL, RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT);
755
756	/*
757	* Trusted certificate store.
758	*/
759	if (pThis->hTrustedStore != NIL_RTCRSTORE)
760	rtCrX509CertPathsGetIssuersFromStore(pThis, pNode, pIssuer, pThis->hTrustedStore,
761	RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE);
762
763	/*
764	* Untrusted store.
765	*/
766	if (pThis->hUntrustedStore != NIL_RTCRSTORE)
767	rtCrX509CertPathsGetIssuersFromStore(pThis, pNode, pIssuer, pThis->hUntrustedStore,
768	RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE);
769
770	/*
771	* Untrusted array.
772	*/
773	if (pThis->paUntrustedCerts)
774	for (uint32_t i = 0; i < pThis->cUntrustedCerts; i++)
775	if (RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(&pThis->paUntrustedCerts[i], pIssuer))
776	rtCrX509CertPathsAddIssuer(pThis, pNode, &pThis->paUntrustedCerts[i], NULL,
777	RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY);
778
779	/** @todo Rainy day: Should abstract the untrusted array and set so we don't get
780	* unnecessary PKCS7/CMS header dependencies. */
781
782	/*
783	* Untrusted set.
784	*/
785	if (pThis->pUntrustedCertsSet)
786	{
787	uint32_t const cCerts = pThis->pUntrustedCertsSet->cItems;
788	PRTCRPKCS7CERT const *papCerts = pThis->pUntrustedCertsSet->papItems;
789	for (uint32_t i = 0; i < cCerts; i++)
790	{
791	PCRTCRPKCS7CERT pCert = papCerts[i];
792	if ( pCert->enmChoice == RTCRPKCS7CERTCHOICE_X509
793	&& RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(pCert->u.pX509Cert, pIssuer))
794	rtCrX509CertPathsAddIssuer(pThis, pNode, pCert->u.pX509Cert, NULL, RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET);
795	}
796	}
797	}
798
799
800	static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetNextRightUp(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
801	{
802	for (;;)
803	{
804	/* The root node has no siblings. */
805	PRTCRX509CERTPATHNODE pParent = pNode->pParent;
806	if (!pNode->pParent)
807	return NULL;
808
809	/* Try go to the right. */
810	PRTCRX509CERTPATHNODE pNext = RTListGetNext(&pParent->ChildListOrLeafEntry, pNode, RTCRX509CERTPATHNODE, SiblingEntry);
811	if (pNext)
812	return pNext;
813
814	/* Up. */
815	pNode = pParent;
816	}
817
818	RT_NOREF_PV(pThis);
819	}
820
821
822	static PRTCRX509CERTPATHNODE rtCrX509CertPathsEliminatePath(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
823	{
824	for (;;)
825	{
826	Assert(RTListIsEmpty(&pNode->ChildListOrLeafEntry));
827
828	/* Don't remove the root node. */
829	PRTCRX509CERTPATHNODE pParent = pNode->pParent;
830	if (!pParent)
831	return NULL;
832
833	/* Before removing and deleting the node check if there is sibling
834	right to it that we should continue processing from. */
835	PRTCRX509CERTPATHNODE pNext = RTListGetNext(&pParent->ChildListOrLeafEntry, pNode, RTCRX509CERTPATHNODE, SiblingEntry);
836	RTListNodeRemove(&pNode->SiblingEntry);
837	rtCrX509CertPathsDestroyNode(pNode);
838
839	if (pNext)
840	return pNext;
841
842	/* If the parent node cannot be removed, do a normal get-next-rigth-up
843	to find the continuation point for the tree loop. */
844	if (!RTListIsEmpty(&pParent->ChildListOrLeafEntry))
845	return rtCrX509CertPathsGetNextRightUp(pThis, pParent);
846
847	pNode = pParent;
848	}
849	}
850
851
852	/**
853	* Destroys the whole path tree.
854	*
855	* @param pThis The path builder and verifier instance.
856	*/
857	static void rtCrX509CertPathsDestroyTree(PRTCRX509CERTPATHSINT pThis)
858	{
859	PRTCRX509CERTPATHNODE pNode, pNextLeaf;
860	RTListForEachSafe(&pThis->LeafList, pNode, pNextLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
861	{
862	RTListNodeRemove(&pNode->ChildListOrLeafEntry);
863	RTListInit(&pNode->ChildListOrLeafEntry);
864
865	for (;;)
866	{
867	PRTCRX509CERTPATHNODE pParent = pNode->pParent;
868
869	RTListNodeRemove(&pNode->SiblingEntry);
870	rtCrX509CertPathsDestroyNode(pNode);
871
872	if (!pParent)
873	{
874	pThis->pRoot = NULL;
875	break;
876	}
877
878	if (!RTListIsEmpty(&pParent->ChildListOrLeafEntry))
879	break;
880
881	pNode = pParent;
882	}
883	}
884	Assert(!pThis->pRoot);
885	}
886
887
888	/**
889	* Adds a leaf node.
890	*
891	* This should normally be a trusted certificate, but the caller can also
892	* request the incomplete paths, in which case this will be an untrusted
893	* certificate.
894	*
895	* @returns Pointer to the next node in the tree to process.
896	* @param pThis The path builder instance.
897	* @param pNode The leaf node.
898	*/
899	static PRTCRX509CERTPATHNODE rtCrX509CertPathsAddLeaf(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
900	{
901	pNode->fLeaf = true;
902
903	/*
904	* Priority insert by source and depth.
905	*/
906	PRTCRX509CERTPATHNODE pCurLeaf;
907	RTListForEach(&pThis->LeafList, pCurLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
908	{
909	if ( pNode->uSrc > pCurLeaf->uSrc
910	\|\| ( pNode->uSrc == pCurLeaf->uSrc
911	&& pNode->uDepth < pCurLeaf->uDepth) )
912	{
913	RTListNodeInsertBefore(&pCurLeaf->ChildListOrLeafEntry, &pNode->ChildListOrLeafEntry);
914	pThis->cPaths++;
915	return rtCrX509CertPathsGetNextRightUp(pThis, pNode);
916	}
917	}
918
919	RTListAppend(&pThis->LeafList, &pNode->ChildListOrLeafEntry);
920	pThis->cPaths++;
921	return rtCrX509CertPathsGetNextRightUp(pThis, pNode);
922	}
923
924
925
926	RTDECL(int) RTCrX509CertPathsBuild(RTCRX509CERTPATHS hCertPaths, PRTERRINFO pErrInfo)
927	{
928	/*
929	* Validate the input.
930	*/
931	PRTCRX509CERTPATHSINT pThis = hCertPaths;
932	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
933	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
934	AssertReturn(!(pThis->fFlags & ~RTCRX509CERTPATHSINT_F_VALID_MASK), VERR_INVALID_PARAMETER);
935	AssertReturn( (pThis->paUntrustedCerts == NULL && pThis->cUntrustedCerts == 0)
936	\|\| (pThis->paUntrustedCerts != NULL && pThis->cUntrustedCerts > 0),
937	VERR_INVALID_PARAMETER);
938	AssertReturn(RTListIsEmpty(&pThis->LeafList), VERR_INVALID_PARAMETER);
939	AssertReturn(pThis->pRoot == NULL, VERR_INVALID_PARAMETER);
940	AssertReturn(pThis->rc == VINF_SUCCESS, pThis->rc);
941	AssertPtrReturn(pThis->pTarget, VERR_INVALID_PARAMETER);
942	Assert(RT_SUCCESS(RTCrX509Certificate_CheckSanity(pThis->pTarget, 0, NULL, NULL)));
943
944	/*
945	* Set up the target.
946	*/
947	PRTCRX509CERTPATHNODE pCur;
948	pThis->pRoot = pCur = rtCrX509CertPathsNewNode(pThis);
949	if (pThis->pRoot)
950	{
951	pCur->pCert = pThis->pTarget;
952	pCur->uDepth = 0;
953	pCur->uSrc = RTCRX509CERTPATHNODE_SRC_TARGET;
954
955	/* Check if the target is trusted and do the upgrade (this is outside the RFC,
956	but this simplifies the path validator usage a lot (less work for the caller)). */
957	if ( pThis->pTrustedCert
958	&& RTCrX509Certificate_Compare(pThis->pTrustedCert, pCur->pCert) == 0)
959	pCur->uSrc = RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT;
960	else if ( pThis->hTrustedStore != NIL_RTCRSTORE
961	&& rtCrX509CertPathsIsCertInStore(pCur, pThis->hTrustedStore))
962	pCur->uSrc = RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE;
963
964	pThis->pErrInfo = pErrInfo;
965
966	/*
967	* The tree construction loop.
968	* Walks down, up, and right as the tree is constructed.
969	*/
970	do
971	{
972	/*
973	* Check for the two leaf cases first.
974	*/
975	if (RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCur->uSrc))
976	pCur = rtCrX509CertPathsAddLeaf(pThis, pCur);
977	#if 0 /* This isn't right.*/
978	else if (rtCrX509CertPathsIsSelfIssued(pCur))
979	{
980	if (pThis->fFlags & RTCRX509CERTPATHSINT_F_ELIMINATE_UNTRUSTED_PATHS)
981	pCur = rtCrX509CertPathsEliminatePath(pThis, pCur);
982	else
983	pCur = rtCrX509CertPathsAddLeaf(pThis, pCur);
984	}
985	#endif
986	/*
987	* Not a leaf, find all potential issuers and decend into these.
988	*/
989	else
990	{
991	rtCrX509CertPathsGetIssuers(pThis, pCur);
992	if (RT_FAILURE(pThis->rc))
993	break;
994
995	if (!RTListIsEmpty(&pCur->ChildListOrLeafEntry))
996	pCur = RTListGetFirst(&pCur->ChildListOrLeafEntry, RTCRX509CERTPATHNODE, SiblingEntry);
997	else if (pThis->fFlags & RTCRX509CERTPATHSINT_F_ELIMINATE_UNTRUSTED_PATHS)
998	pCur = rtCrX509CertPathsEliminatePath(pThis, pCur);
999	else
1000	pCur = rtCrX509CertPathsAddLeaf(pThis, pCur);
1001	}
1002	if (pCur)
1003	Log2(("RTCrX509CertPathsBuild: pCur=%p fLeaf=%d pParent=%p pNext=%p pPrev=%p\n",
1004	pCur, pCur->fLeaf, pCur->pParent,
1005	pCur->pParent ? RTListGetNext(&pCur->pParent->ChildListOrLeafEntry, pCur, RTCRX509CERTPATHNODE, SiblingEntry) : NULL,
1006	pCur->pParent ? RTListGetPrev(&pCur->pParent->ChildListOrLeafEntry, pCur, RTCRX509CERTPATHNODE, SiblingEntry) : NULL));
1007	} while (pCur);
1008
1009	pThis->pErrInfo = NULL;
1010	if (RT_SUCCESS(pThis->rc))
1011	return VINF_SUCCESS;
1012	}
1013	else
1014	Assert(RT_FAILURE_NP(pThis->rc));
1015	return pThis->rc;
1016	}
1017
1018
1019	/**
1020	* Looks up path by leaf/path index.
1021	*
1022	* @returns Pointer to the leaf node of the path.
1023	* @param pThis The path builder & validator instance.
1024	* @param iPath The oridnal of the path to get.
1025	*/
1026	static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetLeafByIndex(PRTCRX509CERTPATHSINT pThis, uint32_t iPath)
1027	{
1028	Assert(iPath < pThis->cPaths);
1029
1030	uint32_t iCurPath = 0;
1031	PRTCRX509CERTPATHNODE pCurLeaf;
1032	RTListForEach(&pThis->LeafList, pCurLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
1033	{
1034	if (iCurPath == iPath)
1035	return pCurLeaf;
1036	iCurPath++;
1037	}
1038
1039	AssertFailedReturn(NULL);
1040	}
1041
1042
1043	static void rtDumpPrintf(PFNRTDUMPPRINTFV pfnPrintfV, void pvUser, const char pszFormat, ...)
1044	{
1045	va_list va;
1046	va_start(va, pszFormat);
1047	pfnPrintfV(pvUser, pszFormat, va);
1048	va_end(va);
1049	}
1050
1051
1052	static void rtDumpIndent(PFNRTDUMPPRINTFV pfnPrintfV, void pvUser, uint32_t cchSpaces, const char pszFormat, ...)
1053	{
1054	static const char s_szSpaces[] = " ";
1055	while (cchSpaces > 0)
1056	{
1057	uint32_t cchBurst = RT_MIN(sizeof(s_szSpaces) - 1, cchSpaces);
1058	rtDumpPrintf(pfnPrintfV, pvUser, &s_szSpaces[sizeof(s_szSpaces) - cchBurst - 1]);
1059	cchSpaces -= cchBurst;
1060	}
1061
1062	va_list va;
1063	va_start(va, pszFormat);
1064	pfnPrintfV(pvUser, pszFormat, va);
1065	va_end(va);
1066	}
1067
1068	/** @name X.500 attribute types
1069	* See RFC-4519 among others.
1070	* @{ */
1071	#define RTCRX500_ID_AT_OBJECT_CLASS_OID "2.5.4.0"
1072	#define RTCRX500_ID_AT_ALIASED_ENTRY_NAME_OID "2.5.4.1"
1073	#define RTCRX500_ID_AT_KNOWLDGEINFORMATION_OID "2.5.4.2"
1074	#define RTCRX500_ID_AT_COMMON_NAME_OID "2.5.4.3"
1075	#define RTCRX500_ID_AT_SURNAME_OID "2.5.4.4"
1076	#define RTCRX500_ID_AT_SERIAL_NUMBER_OID "2.5.4.5"
1077	#define RTCRX500_ID_AT_COUNTRY_NAME_OID "2.5.4.6"
1078	#define RTCRX500_ID_AT_LOCALITY_NAME_OID "2.5.4.7"
1079	#define RTCRX500_ID_AT_STATE_OR_PROVINCE_NAME_OID "2.5.4.8"
1080	#define RTCRX500_ID_AT_STREET_ADDRESS_OID "2.5.4.9"
1081	#define RTCRX500_ID_AT_ORGANIZATION_NAME_OID "2.5.4.10"
1082	#define RTCRX500_ID_AT_ORGANIZATION_UNIT_NAME_OID "2.5.4.11"
1083	#define RTCRX500_ID_AT_TITLE_OID "2.5.4.12"
1084	#define RTCRX500_ID_AT_DESCRIPTION_OID "2.5.4.13"
1085	#define RTCRX500_ID_AT_SEARCH_GUIDE_OID "2.5.4.14"
1086	#define RTCRX500_ID_AT_BUSINESS_CATEGORY_OID "2.5.4.15"
1087	#define RTCRX500_ID_AT_POSTAL_ADDRESS_OID "2.5.4.16"
1088	#define RTCRX500_ID_AT_POSTAL_CODE_OID "2.5.4.17"
1089	#define RTCRX500_ID_AT_POST_OFFICE_BOX_OID "2.5.4.18"
1090	#define RTCRX500_ID_AT_PHYSICAL_DELIVERY_OFFICE_NAME_OID "2.5.4.19"
1091	#define RTCRX500_ID_AT_TELEPHONE_NUMBER_OID "2.5.4.20"
1092	#define RTCRX500_ID_AT_TELEX_NUMBER_OID "2.5.4.21"
1093	#define RTCRX500_ID_AT_TELETEX_TERMINAL_IDENTIFIER_OID "2.5.4.22"
1094	#define RTCRX500_ID_AT_FACIMILE_TELEPHONE_NUMBER_OID "2.5.4.23"
1095	#define RTCRX500_ID_AT_X121_ADDRESS_OID "2.5.4.24"
1096	#define RTCRX500_ID_AT_INTERNATIONAL_ISDN_NUMBER_OID "2.5.4.25"
1097	#define RTCRX500_ID_AT_REGISTERED_ADDRESS_OID "2.5.4.26"
1098	#define RTCRX500_ID_AT_DESTINATION_INDICATOR_OID "2.5.4.27"
1099	#define RTCRX500_ID_AT_PREFERRED_DELIVERY_METHOD_OID "2.5.4.28"
1100	#define RTCRX500_ID_AT_PRESENTATION_ADDRESS_OID "2.5.4.29"
1101	#define RTCRX500_ID_AT_SUPPORTED_APPLICATION_CONTEXT_OID "2.5.4.30"
1102	#define RTCRX500_ID_AT_MEMBER_OID "2.5.4.31"
1103	#define RTCRX500_ID_AT_OWNER_OID "2.5.4.32"
1104	#define RTCRX500_ID_AT_ROLE_OCCUPANT_OID "2.5.4.33"
1105	#define RTCRX500_ID_AT_SEE_ALSO_OID "2.5.4.34"
1106	#define RTCRX500_ID_AT_USER_PASSWORD_OID "2.5.4.35"
1107	#define RTCRX500_ID_AT_USER_CERTIFICATE_OID "2.5.4.36"
1108	#define RTCRX500_ID_AT_CA_CERTIFICATE_OID "2.5.4.37"
1109	#define RTCRX500_ID_AT_AUTHORITY_REVOCATION_LIST_OID "2.5.4.38"
1110	#define RTCRX500_ID_AT_CERTIFICATE_REVOCATION_LIST_OID "2.5.4.39"
1111	#define RTCRX500_ID_AT_CROSS_CERTIFICATE_PAIR_OID "2.5.4.40"
1112	#define RTCRX500_ID_AT_NAME_OID "2.5.4.41"
1113	#define RTCRX500_ID_AT_GIVEN_NAME_OID "2.5.4.42"
1114	#define RTCRX500_ID_AT_INITIALS_OID "2.5.4.43"
1115	#define RTCRX500_ID_AT_GENERATION_QUALIFIER_OID "2.5.4.44"
1116	#define RTCRX500_ID_AT_UNIQUE_IDENTIFIER_OID "2.5.4.45"
1117	#define RTCRX500_ID_AT_DN_QUALIFIER_OID "2.5.4.46"
1118	#define RTCRX500_ID_AT_ENHANCHED_SEARCH_GUIDE_OID "2.5.4.47"
1119	#define RTCRX500_ID_AT_PROTOCOL_INFORMATION_OID "2.5.4.48"
1120	#define RTCRX500_ID_AT_DISTINGUISHED_NAME_OID "2.5.4.49"
1121	#define RTCRX500_ID_AT_UNIQUE_MEMBER_OID "2.5.4.50"
1122	#define RTCRX500_ID_AT_HOUSE_IDENTIFIER_OID "2.5.4.51"
1123	#define RTCRX500_ID_AT_SUPPORTED_ALGORITHMS_OID "2.5.4.52"
1124	#define RTCRX500_ID_AT_DELTA_REVOCATION_LIST_OID "2.5.4.53"
1125	#define RTCRX500_ID_AT_ATTRIBUTE_CERTIFICATE_OID "2.5.4.58"
1126	#define RTCRX500_ID_AT_PSEUDONYM_OID "2.5.4.65"
1127	/** @} */
1128
1129
1130	static void rtCrX509NameDump(PCRTCRX509NAME pName, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1131	{
1132	for (uint32_t i = 0; i < pName->cItems; i++)
1133	{
1134	PCRTCRX509RELATIVEDISTINGUISHEDNAME const pRdn = pName->papItems[i];
1135	for (uint32_t j = 0; j < pRdn->cItems; j++)
1136	{
1137	PRTCRX509ATTRIBUTETYPEANDVALUE pAttrib = pRdn->papItems[j];
1138
1139	const char *pszType = RTCrX509Name_GetShortRdn(&pAttrib->Type);
1140	if (!pszType)
1141	pszType = pAttrib->Type.szObjId;
1142	rtDumpPrintf(pfnPrintfV, pvUser, "/%s=", pszType);
1143	if (pAttrib->Value.enmType == RTASN1TYPE_STRING)
1144	{
1145	if (pAttrib->Value.u.String.pszUtf8)
1146	rtDumpPrintf(pfnPrintfV, pvUser, "%s", pAttrib->Value.u.String.pszUtf8);
1147	else
1148	{
1149	const char *pch = pAttrib->Value.u.String.Asn1Core.uData.pch;
1150	uint32_t cch = pAttrib->Value.u.String.Asn1Core.cb;
1151	int rc = RTStrValidateEncodingEx(pch, cch, 0);
1152	if (RT_SUCCESS(rc) && cch)
1153	rtDumpPrintf(pfnPrintfV, pvUser, "%.*s", (size_t)cch, pch);
1154	else
1155	while (cch > 0)
1156	{
1157	if (RT_C_IS_PRINT(*pch))
1158	rtDumpPrintf(pfnPrintfV, pvUser, "%c", *pch);
1159	else
1160	rtDumpPrintf(pfnPrintfV, pvUser, "\\x%02x", *pch);
1161	cch--;
1162	pch++;
1163	}
1164	}
1165	}
1166	else
1167	rtDumpPrintf(pfnPrintfV, pvUser, "<not-string: uTag=%#x>", pAttrib->Value.u.Core.uTag);
1168	}
1169	}
1170	}
1171
1172
1173	static const char *rtCrX509CertPathsNodeGetSourceName(PRTCRX509CERTPATHNODE pNode)
1174	{
1175	switch (pNode->uSrc)
1176	{
1177	case RTCRX509CERTPATHNODE_SRC_TARGET: return "target";
1178	case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET: return "untrusted_set";
1179	case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY: return "untrusted_array";
1180	case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE: return "untrusted_store";
1181	case RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE: return "trusted_store";
1182	case RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT: return "trusted_cert";
1183	default: return "invalid";
1184	}
1185	}
1186
1187
1188	static void rtCrX509CertPathsDumpOneWorker(PRTCRX509CERTPATHSINT pThis, uint32_t iPath, PRTCRX509CERTPATHNODE pCurLeaf,
1189	uint32_t uVerbosity, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1190	{
1191	RT_NOREF_PV(pThis);
1192	rtDumpPrintf(pfnPrintfV, pvUser, "Path #%u: %s, %u deep, rcVerify=%Rrc\n",
1193	iPath, RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCurLeaf->uSrc) ? "trusted" : "untrusted", pCurLeaf->uDepth,
1194	pCurLeaf->rcVerify);
1195
1196	for (uint32_t iIndent = 2; pCurLeaf; iIndent += 2, pCurLeaf = pCurLeaf->pParent)
1197	{
1198	if (pCurLeaf->pCert)
1199	{
1200	rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Issuer : ");
1201	rtCrX509NameDump(&pCurLeaf->pCert->TbsCertificate.Issuer, pfnPrintfV, pvUser);
1202	rtDumpPrintf(pfnPrintfV, pvUser, "\n");
1203
1204	rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Subject: ");
1205	rtCrX509NameDump(&pCurLeaf->pCert->TbsCertificate.Subject, pfnPrintfV, pvUser);
1206	rtDumpPrintf(pfnPrintfV, pvUser, "\n");
1207
1208	if (uVerbosity >= 4)
1209	RTAsn1Dump(&pCurLeaf->pCert->SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
1210	else if (uVerbosity >= 3)
1211	RTAsn1Dump(&pCurLeaf->pCert->TbsCertificate.T3.Extensions.SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
1212
1213	rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Valid : %s thru %s\n",
1214	RTTimeToString(&pCurLeaf->pCert->TbsCertificate.Validity.NotBefore.Time,
1215	pThis->szTmp, sizeof(pThis->szTmp) / 2),
1216	RTTimeToString(&pCurLeaf->pCert->TbsCertificate.Validity.NotAfter.Time,
1217	&pThis->szTmp[sizeof(pThis->szTmp) / 2], sizeof(pThis->szTmp) / 2) );
1218	}
1219	else
1220	{
1221	Assert(pCurLeaf->pCertCtx); Assert(pCurLeaf->pCertCtx->pTaInfo);
1222	rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Subject: ");
1223	rtCrX509NameDump(&pCurLeaf->pCertCtx->pTaInfo->CertPath.TaName, pfnPrintfV, pvUser);
1224
1225	if (uVerbosity >= 4)
1226	RTAsn1Dump(&pCurLeaf->pCertCtx->pTaInfo->SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
1227	}
1228
1229	const char *pszSrc = rtCrX509CertPathsNodeGetSourceName(pCurLeaf);
1230	rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Source : %s\n", pszSrc);
1231	}
1232	}
1233
1234
1235	RTDECL(int) RTCrX509CertPathsDumpOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t uVerbosity,
1236	PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1237	{
1238	/*
1239	* Validate the input.
1240	*/
1241	PRTCRX509CERTPATHSINT pThis = hCertPaths;
1242	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
1243	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
1244	AssertPtrReturn(pfnPrintfV, VERR_INVALID_POINTER);
1245	int rc;
1246	if (iPath < pThis->cPaths)
1247	{
1248	PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
1249	if (pLeaf)
1250	{
1251	rtCrX509CertPathsDumpOneWorker(pThis, iPath, pLeaf, uVerbosity, pfnPrintfV, pvUser);
1252	rc = VINF_SUCCESS;
1253	}
1254	else
1255	rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR;
1256	}
1257	else
1258	rc = VERR_NOT_FOUND;
1259	return rc;
1260	}
1261
1262
1263	RTDECL(int) RTCrX509CertPathsDumpAll(RTCRX509CERTPATHS hCertPaths, uint32_t uVerbosity, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1264	{
1265	/*
1266	* Validate the input.
1267	*/
1268	PRTCRX509CERTPATHSINT pThis = hCertPaths;
1269	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
1270	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
1271	AssertPtrReturn(pfnPrintfV, VERR_INVALID_POINTER);
1272
1273	/*
1274	* Dump all the paths.
1275	*/
1276	rtDumpPrintf(pfnPrintfV, pvUser, "%u paths, rc=%Rrc\n", pThis->cPaths, pThis->rc);
1277	uint32_t iPath = 0;
1278	PRTCRX509CERTPATHNODE pCurLeaf, pNextLeaf;
1279	RTListForEachSafe(&pThis->LeafList, pCurLeaf, pNextLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
1280	{
1281	rtCrX509CertPathsDumpOneWorker(pThis, iPath, pCurLeaf, uVerbosity, pfnPrintfV, pvUser);
1282	iPath++;
1283	}
1284
1285	return VINF_SUCCESS;
1286	}
1287
1288
1289	/** @} */
1290
1291
1292	/** @name Path Validator Functions.
1293	* @{
1294	*/
1295
1296
1297	static void rtCrX509CpvAllocZ(PRTCRX509CERTPATHSINT pThis, size_t cb, const char pszWhat)
1298	{
1299	void *pv = RTMemAllocZ(cb);
1300	if (!pv)
1301	pThis->rc = RTErrInfoSetF(pThis->pErrInfo, VERR_NO_MEMORY, "Failed to allocate %zu bytes for %s", cb, pszWhat);
1302	return pv;
1303	}
1304
1305
1306	DECL_NO_INLINE(static, bool) rtCrX509CpvFailed(PRTCRX509CERTPATHSINT pThis, int rc, const char *pszFormat, ...)
1307	{
1308	va_list va;
1309	va_start(va, pszFormat);
1310	pThis->rc = RTErrInfoSetV(pThis->pErrInfo, rc, pszFormat, va);
1311	va_end(va);
1312	return false;
1313	}
1314
1315
1316	/**
1317	* Adds a sequence of excluded sub-trees.
1318	*
1319	* Don't waste time optimizing the output if this is supposed to be a union.
1320	* Unless the path is very long, it's a lot more work to optimize and the result
1321	* will be the same anyway.
1322	*
1323	* @returns success indicator.
1324	* @param pThis The validator instance.
1325	* @param pSubtrees The sequence of sub-trees to add.
1326	*/
1327	static bool rtCrX509CpvAddExcludedSubtrees(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREES pSubtrees)
1328	{
1329	if (((pThis->v.cExcludedSubtrees + 1) & 0xf) == 0)
1330	{
1331	void *pvNew = RTMemRealloc(pThis->v.papExcludedSubtrees,
1332	(pThis->v.cExcludedSubtrees + 16) * sizeof(pThis->v.papExcludedSubtrees[0]));
1333	if (RT_UNLIKELY(!pvNew))
1334	return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Error growing subtrees pointer array to %u elements",
1335	pThis->v.cExcludedSubtrees + 16);
1336	pThis->v.papExcludedSubtrees = (PCRTCRX509GENERALSUBTREES *)pvNew;
1337	}
1338	pThis->v.papExcludedSubtrees[pThis->v.cExcludedSubtrees] = pSubtrees;
1339	pThis->v.cExcludedSubtrees++;
1340	return true;
1341	}
1342
1343
1344	/**
1345	* Checks if a sub-tree is according to RFC-5280.
1346	*
1347	* @returns Success indiciator.
1348	* @param pThis The validator instance.
1349	* @param pSubtree The subtree to check.
1350	*/
1351	static bool rtCrX509CpvCheckSubtreeValidity(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREE pSubtree)
1352	{
1353	if ( pSubtree->Base.enmChoice <= RTCRX509GENERALNAMECHOICE_INVALID
1354	\|\| pSubtree->Base.enmChoice >= RTCRX509GENERALNAMECHOICE_END)
1355	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNEXP_GENERAL_SUBTREE_CHOICE,
1356	"Unexpected GeneralSubtree choice %#x", pSubtree->Base.enmChoice);
1357
1358	if (RTAsn1Integer_UnsignedCompareWithU32(&pSubtree->Minimum, 0) != 0)
1359	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNEXP_GENERAL_SUBTREE_MIN,
1360	"Unexpected GeneralSubtree Minimum value: %#llx",
1361	pSubtree->Minimum.uValue);
1362
1363	if (RTAsn1Integer_IsPresent(&pSubtree->Maximum))
1364	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNEXP_GENERAL_SUBTREE_MAX,
1365	"Unexpected GeneralSubtree Maximum value: %#llx",
1366	pSubtree->Maximum.uValue);
1367
1368	return true;
1369	}
1370
1371
1372	/**
1373	* Grows the array of permitted sub-trees.
1374	*
1375	* @returns success indiciator.
1376	* @param pThis The validator instance.
1377	* @param cAdding The number of subtrees we should grow by
1378	* (relative to the current number of valid
1379	* entries).
1380	*/
1381	static bool rtCrX509CpvGrowPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, uint32_t cAdding)
1382	{
1383	uint32_t cNew = RT_ALIGN_32(pThis->v.cPermittedSubtrees + cAdding, 16);
1384	if (cNew > pThis->v.cPermittedSubtreesAlloc)
1385	{
1386	if (cNew >= _4K)
1387	return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Too many permitted subtrees: %u (cur %u)",
1388	cNew, pThis->v.cPermittedSubtrees);
1389	void pvNew = RTMemRealloc(pThis->v.papPermittedSubtrees, cNew sizeof(pThis->v.papPermittedSubtrees[0]));
1390	if (RT_UNLIKELY(!pvNew))
1391	return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Error growing subtrees pointer array from %u to %u elements",
1392	pThis->v.cPermittedSubtreesAlloc, cNew);
1393	pThis->v.papPermittedSubtrees = (PCRTCRX509GENERALSUBTREE *)pvNew;
1394	}
1395	return true;
1396	}
1397
1398
1399	/**
1400	* Adds a sequence of permitted sub-trees.
1401	*
1402	* We store reference to each individual sub-tree because we must support
1403	* intersection calculation.
1404	*
1405	* @returns success indiciator.
1406	* @param pThis The validator instance.
1407	* @param cSubtrees The number of sub-trees to add.
1408	* @param papSubtrees Array of sub-trees to add.
1409	*/
1410	static bool rtCrX509CpvAddPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, uint32_t cSubtrees,
1411	PRTCRX509GENERALSUBTREE const *papSubtrees)
1412	{
1413	/*
1414	* If the array is empty, assume no permitted names.
1415	*/
1416	if (!cSubtrees)
1417	{
1418	pThis->v.fNoPermittedSubtrees = true;
1419	return true;
1420	}
1421
1422	/*
1423	* Grow the array if necessary.
1424	*/
1425	if (!rtCrX509CpvGrowPermittedSubtrees(pThis, cSubtrees))
1426	return false;
1427
1428	/*
1429	* Append each subtree to the array.
1430	*/
1431	uint32_t iDst = pThis->v.cPermittedSubtrees;
1432	for (uint32_t iSrc = 0; iSrc < cSubtrees; iSrc++)
1433	{
1434	if (!rtCrX509CpvCheckSubtreeValidity(pThis, papSubtrees[iSrc]))
1435	return false;
1436	pThis->v.papPermittedSubtrees[iDst] = papSubtrees[iSrc];
1437	iDst++;
1438	}
1439	pThis->v.cPermittedSubtrees = iDst;
1440
1441	return true;
1442	}
1443
1444
1445	/**
1446	* Adds a one permitted sub-tree.
1447	*
1448	* We store reference to each individual sub-tree because we must support
1449	* intersection calculation.
1450	*
1451	* @returns success indiciator.
1452	* @param pThis The validator instance.
1453	* @param pSubtree Array of sub-trees to add.
1454	*/
1455	static bool rtCrX509CpvAddPermittedSubtree(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREE pSubtree)
1456	{
1457	return rtCrX509CpvAddPermittedSubtrees(pThis, 1, (PRTCRX509GENERALSUBTREE const *)&pSubtree);
1458	}
1459
1460
1461	/**
1462	* Calculates the intersection between @a pSubtrees and the current permitted
1463	* sub-trees.
1464	*
1465	* @returns Success indicator.
1466	* @param pThis The validator instance.
1467	* @param pSubtrees The sub-tree sequence to intersect with.
1468	*/
1469	static bool rtCrX509CpvIntersectionPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREES pSubtrees)
1470	{
1471	/*
1472	* Deal with special cases first.
1473	*/
1474	if (pThis->v.fNoPermittedSubtrees)
1475	{
1476	Assert(pThis->v.cPermittedSubtrees == 0);
1477	return true;
1478	}
1479
1480	uint32_t cRight = pSubtrees->cItems;
1481	PRTCRX509GENERALSUBTREE const *papRight = pSubtrees->papItems;
1482	if (cRight == 0)
1483	{
1484	pThis->v.cPermittedSubtrees = 0;
1485	pThis->v.fNoPermittedSubtrees = true;
1486	return true;
1487	}
1488
1489	uint32_t cLeft = pThis->v.cPermittedSubtrees;
1490	PCRTCRX509GENERALSUBTREE *papLeft = pThis->v.papPermittedSubtrees;
1491	if (!cLeft) /* first name constraint, no initial constraint */
1492	return rtCrX509CpvAddPermittedSubtrees(pThis, cRight, papRight);
1493
1494	/*
1495	* Create a new array with the intersection, freeing the old (left) array
1496	* once we're done.
1497	*/
1498	bool afRightTags[RTCRX509GENERALNAMECHOICE_END] = { 0, 0, 0, 0, 0, 0, 0, 0, 0 };
1499
1500	pThis->v.cPermittedSubtrees = 0;
1501	pThis->v.cPermittedSubtreesAlloc = 0;
1502	pThis->v.papPermittedSubtrees = NULL;
1503
1504	for (uint32_t iRight = 0; iRight < cRight; iRight++)
1505	{
1506	if (!rtCrX509CpvCheckSubtreeValidity(pThis, papRight[iRight]))
1507	return false;
1508
1509	RTCRX509GENERALNAMECHOICE const enmRightChoice = papRight[iRight]->Base.enmChoice;
1510	afRightTags[enmRightChoice] = true;
1511
1512	bool fHaveRight = false;
1513	for (uint32_t iLeft = 0; iLeft < cLeft; iLeft++)
1514	if (papLeft[iLeft]->Base.enmChoice == enmRightChoice)
1515	{
1516	if (RTCrX509GeneralSubtree_Compare(papLeft[iLeft], papRight[iRight]) == 0)
1517	{
1518	if (!fHaveRight)
1519	{
1520	fHaveRight = true;
1521	rtCrX509CpvAddPermittedSubtree(pThis, papLeft[iLeft]);
1522	}
1523	}
1524	else if (RTCrX509GeneralSubtree_ConstraintMatch(papLeft[iLeft], papRight[iRight]))
1525	{
1526	if (!fHaveRight)
1527	{
1528	fHaveRight = true;
1529	rtCrX509CpvAddPermittedSubtree(pThis, papRight[iRight]);
1530	}
1531	}
1532	else if (RTCrX509GeneralSubtree_ConstraintMatch(papRight[iRight], papLeft[iLeft]))
1533	rtCrX509CpvAddPermittedSubtree(pThis, papLeft[iLeft]);
1534	}
1535	}
1536
1537	/*
1538	* Add missing types not specified in the right set.
1539	*/
1540	for (uint32_t iLeft = 0; iLeft < cLeft; iLeft++)
1541	if (!afRightTags[papLeft[iLeft]->Base.enmChoice])
1542	rtCrX509CpvAddPermittedSubtree(pThis, papLeft[iLeft]);
1543
1544	/*
1545	* If we ended up with an empty set, no names are permitted any more.
1546	*/
1547	if (pThis->v.cPermittedSubtrees == 0)
1548	pThis->v.fNoPermittedSubtrees = true;
1549
1550	RTMemFree(papLeft);
1551	return RT_SUCCESS(pThis->rc);
1552	}
1553
1554
1555	/**
1556	* Check if the given X.509 name is permitted by current name constraints.
1557	*
1558	* @returns true is permitteded, false if not (caller set error info).
1559	* @param pThis The validator instance.
1560	* @param pName The name to match.
1561	*/
1562	static bool rtCrX509CpvIsNamePermitted(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAME pName)
1563	{
1564	uint32_t i = pThis->v.cPermittedSubtrees;
1565	if (i == 0)
1566	return !pThis->v.fNoPermittedSubtrees;
1567
1568	while (i-- > 0)
1569	{
1570	PCRTCRX509GENERALSUBTREE pConstraint = pThis->v.papPermittedSubtrees[i];
1571	if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(&pConstraint->Base)
1572	&& RTCrX509Name_ConstraintMatch(&pConstraint->Base.u.pT4->DirectoryName, pName))
1573	return true;
1574	}
1575	return false;
1576	}
1577
1578
1579	/**
1580	* Check if the given X.509 general name is permitted by current name
1581	* constraints.
1582	*
1583	* @returns true is permitteded, false if not (caller sets error info).
1584	* @param pThis The validator instance.
1585	* @param pGeneralName The name to match.
1586	*/
1587	static bool rtCrX509CpvIsGeneralNamePermitted(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALNAME pGeneralName)
1588	{
1589	uint32_t i = pThis->v.cPermittedSubtrees;
1590	if (i == 0)
1591	return !pThis->v.fNoPermittedSubtrees;
1592
1593	while (i-- > 0)
1594	if (RTCrX509GeneralName_ConstraintMatch(&pThis->v.papPermittedSubtrees[i]->Base, pGeneralName))
1595	return true;
1596	return false;
1597	}
1598
1599
1600	/**
1601	* Check if the given X.509 name is excluded by current name constraints.
1602	*
1603	* @returns true if excluded (caller sets error info), false if not explicitly
1604	* excluded.
1605	* @param pThis The validator instance.
1606	* @param pName The name to match.
1607	*/
1608	static bool rtCrX509CpvIsNameExcluded(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAME pName)
1609	{
1610	uint32_t i = pThis->v.cExcludedSubtrees;
1611	while (i-- > 0)
1612	{
1613	PCRTCRX509GENERALSUBTREES pSubTrees = pThis->v.papExcludedSubtrees[i];
1614	uint32_t j = pSubTrees->cItems;
1615	while (j-- > 0)
1616	{
1617	PCRTCRX509GENERALSUBTREE const pSubTree = pSubTrees->papItems[j];
1618	if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(&pSubTree->Base)
1619	&& RTCrX509Name_ConstraintMatch(&pSubTree->Base.u.pT4->DirectoryName, pName))
1620	return true;
1621	}
1622	}
1623	return false;
1624	}
1625
1626
1627	/**
1628	* Check if the given X.509 general name is excluded by current name
1629	* constraints.
1630	*
1631	* @returns true if excluded (caller sets error info), false if not explicitly
1632	* excluded.
1633	* @param pThis The validator instance.
1634	* @param pGeneralName The name to match.
1635	*/
1636	static bool rtCrX509CpvIsGeneralNameExcluded(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALNAME pGeneralName)
1637	{
1638	uint32_t i = pThis->v.cExcludedSubtrees;
1639	while (i-- > 0)
1640	{
1641	PCRTCRX509GENERALSUBTREES pSubTrees = pThis->v.papExcludedSubtrees[i];
1642	uint32_t j = pSubTrees->cItems;
1643	while (j-- > 0)
1644	if (RTCrX509GeneralName_ConstraintMatch(&pSubTrees->papItems[j]->Base, pGeneralName))
1645	return true;
1646	}
1647	return false;
1648	}
1649
1650
1651	/**
1652	* Creates a new node and inserts it.
1653	*
1654	* @param pThis The path builder & validator instance.
1655	* @param pParent The parent node. NULL for the root node.
1656	* @param iDepth The tree depth to insert at.
1657	* @param pValidPolicy The valid policy of the new node.
1658	* @param pQualifiers The qualifiers of the new node.
1659	* @param pExpectedPolicy The (first) expected polcy of the new node.
1660	*/
1661	static bool rtCrX509CpvPolicyTreeInsertNew(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pParent, uint32_t iDepth,
1662	PCRTASN1OBJID pValidPolicy, PCRTCRX509POLICYQUALIFIERINFOS pQualifiers,
1663	PCRTASN1OBJID pExpectedPolicy)
1664	{
1665	Assert(iDepth <= pThis->v.cNodes);
1666
1667	PRTCRX509CERTPATHSPOLICYNODE pNode;
1668	pNode = (PRTCRX509CERTPATHSPOLICYNODE)rtCrX509CpvAllocZ(pThis, sizeof(*pNode), "policy tree node");
1669	if (pNode)
1670	{
1671	pNode->pParent = pParent;
1672	if (pParent)
1673	RTListAppend(&pParent->ChildList, &pNode->SiblingEntry);
1674	else
1675	{
1676	Assert(pThis->v.pValidPolicyTree == NULL);
1677	pThis->v.pValidPolicyTree = pNode;
1678	RTListInit(&pNode->SiblingEntry);
1679	}
1680	RTListInit(&pNode->ChildList);
1681	RTListAppend(&pThis->v.paValidPolicyDepthLists[iDepth], &pNode->DepthEntry);
1682
1683	pNode->pValidPolicy = pValidPolicy;
1684	pNode->pPolicyQualifiers = pQualifiers;
1685	pNode->pExpectedPolicyFirst = pExpectedPolicy;
1686	pNode->cMoreExpectedPolicySet = 0;
1687	pNode->papMoreExpectedPolicySet = NULL;
1688	return true;
1689	}
1690	return false;
1691	}
1692
1693
1694	/**
1695	* Unlinks and frees a node in the valid policy tree.
1696	*
1697	* @param pThis The path builder & validator instance.
1698	* @param pNode The node to destroy.
1699	*/
1700	static void rtCrX509CpvPolicyTreeDestroyNode(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pNode)
1701	{
1702	Assert(RTListIsEmpty(&pNode->ChildList));
1703	if (pNode->pParent)
1704	RTListNodeRemove(&pNode->SiblingEntry);
1705	else
1706	pThis->v.pValidPolicyTree = NULL;
1707	RTListNodeRemove(&pNode->DepthEntry);
1708	pNode->pParent = NULL;
1709
1710	if (pNode->papMoreExpectedPolicySet)
1711	{
1712	RTMemFree(pNode->papMoreExpectedPolicySet);
1713	pNode->papMoreExpectedPolicySet = NULL;
1714	}
1715	RTMemFree(pNode);
1716	}
1717
1718
1719	/**
1720	* Unlinks and frees a sub-tree in the valid policy tree.
1721	*
1722	* @param pThis The path builder & validator instance.
1723	* @param pNode The node that is the root of the subtree.
1724	*/
1725	static void rtCrX509CpvPolicyTreeDestroySubtree(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pNode)
1726	{
1727	if (!RTListIsEmpty(&pNode->ChildList))
1728	{
1729	PRTCRX509CERTPATHSPOLICYNODE pCur = pNode;
1730	do
1731	{
1732	Assert(!RTListIsEmpty(&pCur->ChildList));
1733
1734	/* Decend until we find a leaf. */
1735	do
1736	pCur = RTListGetFirst(&pCur->ChildList, RTCRX509CERTPATHSPOLICYNODE, SiblingEntry);
1737	while (!RTListIsEmpty(&pCur->ChildList));
1738
1739	/* Remove it and all leafy siblings. */
1740	PRTCRX509CERTPATHSPOLICYNODE pParent = pCur->pParent;
1741	do
1742	{
1743	Assert(pCur != pNode);
1744	rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1745	pCur = RTListGetFirst(&pParent->ChildList, RTCRX509CERTPATHSPOLICYNODE, SiblingEntry);
1746	if (!pCur)
1747	{
1748	pCur = pParent;
1749	pParent = pParent->pParent;
1750	}
1751	} while (RTListIsEmpty(&pCur->ChildList) && pCur != pNode);
1752	} while (pCur != pNode);
1753	}
1754
1755	rtCrX509CpvPolicyTreeDestroyNode(pThis, pNode);
1756	}
1757
1758
1759
1760	/**
1761	* Destroys the entire policy tree.
1762	*
1763	* @param pThis The path builder & validator instance.
1764	*/
1765	static void rtCrX509CpvPolicyTreeDestroy(PRTCRX509CERTPATHSINT pThis)
1766	{
1767	uint32_t i = pThis->v.cNodes + 1;
1768	while (i-- > 0)
1769	{
1770	PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
1771	RTListForEachSafe(&pThis->v.paValidPolicyDepthLists[i], pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1772	{
1773	rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1774	}
1775	}
1776	}
1777
1778
1779	/**
1780	* Removes all leaf nodes at level @a iDepth and above.
1781	*
1782	* @param pThis The path builder & validator instance.
1783	* @param iDepth The depth to start pruning at.
1784	*/
1785	static void rtCrX509CpvPolicyTreePrune(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth)
1786	{
1787	do
1788	{
1789	PRTLISTANCHOR pList = &pThis->v.paValidPolicyDepthLists[iDepth];
1790	PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
1791	RTListForEachSafe(pList, pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1792	{
1793	if (RTListIsEmpty(&pCur->ChildList))
1794	rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1795	}
1796
1797	} while (iDepth-- > 0);
1798	}
1799
1800
1801	/**
1802	* Checks if @a pPolicy is the valid policy of a child of @a pNode.
1803	*
1804	* @returns true if in child node, false if not.
1805	* @param pNode The node which children to check.
1806	* @param pPolicy The valid policy to look for among the children.
1807	*/
1808	static bool rtCrX509CpvPolicyTreeIsChild(PRTCRX509CERTPATHSPOLICYNODE pNode, PCRTASN1OBJID pPolicy)
1809	{
1810	PRTCRX509CERTPATHSPOLICYNODE pChild;
1811	RTListForEach(&pNode->ChildList, pChild, RTCRX509CERTPATHSPOLICYNODE, SiblingEntry)
1812	{
1813	if (RTAsn1ObjId_Compare(pChild->pValidPolicy, pPolicy) == 0)
1814	return true;
1815	}
1816	return true;
1817	}
1818
1819
1820	/**
1821	* Prunes the valid policy tree according to the specified user policy set.
1822	*
1823	* @returns Pointer to the policy object from @a papPolicies if found, NULL if
1824	* no match.
1825	* @param pObjId The object ID to locate at match in the set.
1826	* @param cPolicies The number of policies in @a papPolicies.
1827	* @param papPolicies The policy set to search.
1828	*/
1829	static PCRTASN1OBJID rtCrX509CpvFindObjIdInPolicySet(PCRTASN1OBJID pObjId, uint32_t cPolicies, PCRTASN1OBJID *papPolicies)
1830	{
1831	uint32_t i = cPolicies;
1832	while (i-- > 0)
1833	if (RTAsn1ObjId_Compare(pObjId, papPolicies[i]) == 0)
1834	return papPolicies[i];
1835	return NULL;
1836	}
1837
1838
1839	/**
1840	* Prunes the valid policy tree according to the specified user policy set.
1841	*
1842	* @returns success indicator (allocates memory)
1843	* @param pThis The path builder & validator instance.
1844	* @param cPolicies The number of policies in @a papPolicies.
1845	* @param papPolicies The user initial policies.
1846	*/
1847	static bool rtCrX509CpvPolicyTreeIntersect(PRTCRX509CERTPATHSINT pThis, uint32_t cPolicies, PCRTASN1OBJID *papPolicies)
1848	{
1849	/*
1850	* 4.1.6.g.i - NULL tree remains NULL.
1851	*/
1852	if (!pThis->v.pValidPolicyTree)
1853	return true;
1854
1855	/*
1856	* 4.1.6.g.ii - If the user set includes anyPolicy, the whole tree is the
1857	* result of the intersection.
1858	*/
1859	uint32_t i = cPolicies;
1860	while (i-- > 0)
1861	if (RTAsn1ObjId_CompareWithString(papPolicies[i], RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
1862	return true;
1863
1864	/*
1865	* 4.1.6.g.iii - Complicated.
1866	*/
1867	PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
1868	PRTLISTANCHOR pList;
1869
1870	/* 1 & 2: Delete nodes which parent has valid policy == anyPolicy and which
1871	valid policy is neither anyPolicy nor a member of papszPolicies.
1872	While doing so, construct a set of unused user policies that
1873	we'll replace anyPolicy nodes with in step 3. */
1874	uint32_t cPoliciesLeft = 0;
1875	PCRTASN1OBJID *papPoliciesLeft = NULL;
1876	if (cPolicies)
1877	{
1878	papPoliciesLeft = (PCRTASN1OBJID )rtCrX509CpvAllocZ(pThis, cPolicies sizeof(papPoliciesLeft[0]), "papPoliciesLeft");
1879	if (!papPoliciesLeft)
1880	return false;
1881	for (i = 0; i < cPolicies; i++)
1882	papPoliciesLeft[i] = papPolicies[i];
1883	}
1884
1885	for (uint32_t iDepth = 1; iDepth <= pThis->v.cNodes; iDepth++)
1886	{
1887	pList = &pThis->v.paValidPolicyDepthLists[iDepth];
1888	RTListForEachSafe(pList, pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1889	{
1890	Assert(pCur->pParent);
1891	if ( RTAsn1ObjId_CompareWithString(pCur->pParent->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0
1892	&& RTAsn1ObjId_CompareWithString(pCur->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) != 0)
1893	{
1894	PCRTASN1OBJID pFound = rtCrX509CpvFindObjIdInPolicySet(pCur->pValidPolicy, cPolicies, papPolicies);
1895	if (!pFound)
1896	rtCrX509CpvPolicyTreeDestroySubtree(pThis, pCur);
1897	else
1898	for (i = 0; i < cPoliciesLeft; i++)
1899	if (papPoliciesLeft[i] == pFound)
1900	{
1901	cPoliciesLeft--;
1902	if (i < cPoliciesLeft)
1903	papPoliciesLeft[i] = papPoliciesLeft[cPoliciesLeft];
1904	papPoliciesLeft[cPoliciesLeft] = NULL;
1905	break;
1906	}
1907	}
1908	}
1909	}
1910
1911	/*
1912	* 4.1.5.g.iii.3 - Replace anyPolicy nodes on the final tree depth with
1913	* the policies in papPoliciesLeft.
1914	*/
1915	pList = &pThis->v.paValidPolicyDepthLists[pThis->v.cNodes];
1916	RTListForEachSafe(pList, pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1917	{
1918	if (RTAsn1ObjId_CompareWithString(pCur->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
1919	{
1920	for (i = 0; i < cPoliciesLeft; i++)
1921	rtCrX509CpvPolicyTreeInsertNew(pThis, pCur->pParent, pThis->v.cNodes - 1,
1922	papPoliciesLeft[i], pCur->pPolicyQualifiers, papPoliciesLeft[i]);
1923	rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1924	}
1925	}
1926
1927	RTMemFree(papPoliciesLeft);
1928
1929	/*
1930	* 4.1.5.g.iii.4 - Prune the tree
1931	*/
1932	rtCrX509CpvPolicyTreePrune(pThis, pThis->v.cNodes - 1);
1933
1934	return RT_SUCCESS(pThis->rc);
1935	}
1936
1937
1938
1939	/**
1940	* Frees the path validator state.
1941	*
1942	* @param pThis The path builder & validator instance.
1943	*/
1944	static void rtCrX509CpvCleanup(PRTCRX509CERTPATHSINT pThis)
1945	{
1946	/*
1947	* Destroy the policy tree and all its nodes. We do this from the bottom
1948	* up via the depth lists, saving annoying tree traversal.
1949	*/
1950	if (pThis->v.paValidPolicyDepthLists)
1951	{
1952	rtCrX509CpvPolicyTreeDestroy(pThis);
1953
1954	RTMemFree(pThis->v.paValidPolicyDepthLists);
1955	pThis->v.paValidPolicyDepthLists = NULL;
1956	}
1957
1958	Assert(pThis->v.pValidPolicyTree == NULL);
1959	pThis->v.pValidPolicyTree = NULL;
1960
1961	/*
1962	* Destroy the name constraint arrays.
1963	*/
1964	if (pThis->v.papPermittedSubtrees)
1965	{
1966	RTMemFree(pThis->v.papPermittedSubtrees);
1967	pThis->v.papPermittedSubtrees = NULL;
1968	}
1969	pThis->v.cPermittedSubtrees = 0;
1970	pThis->v.cPermittedSubtreesAlloc = 0;
1971	pThis->v.fNoPermittedSubtrees = false;
1972
1973	if (pThis->v.papExcludedSubtrees)
1974	{
1975	RTMemFree(pThis->v.papExcludedSubtrees);
1976	pThis->v.papExcludedSubtrees = NULL;
1977	}
1978	pThis->v.cExcludedSubtrees = 0;
1979
1980	/*
1981	* Clear other pointers.
1982	*/
1983	pThis->v.pWorkingIssuer = NULL;
1984	pThis->v.pWorkingPublicKey = NULL;
1985	pThis->v.pWorkingPublicKeyAlgorithm = NULL;
1986	pThis->v.pWorkingPublicKeyParameters = NULL;
1987	}
1988
1989
1990	/**
1991	* Initializes the state.
1992	*
1993	* Caller must check pThis->rc.
1994	*
1995	* @param pThis The path builder & validator instance.
1996	* @param pTrustAnchor The trust anchor node for the path that we're about
1997	* to validate.
1998	*/
1999	static void rtCrX509CpvInit(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pTrustAnchor)
2000	{
2001	rtCrX509CpvCleanup(pThis);
2002
2003	/*
2004	* The node count does not include the trust anchor.
2005	*/
2006	pThis->v.cNodes = pTrustAnchor->uDepth;
2007
2008	/*
2009	* Valid policy tree starts with an anyPolicy node.
2010	*/
2011	uint32_t i = pThis->v.cNodes + 1;
2012	pThis->v.paValidPolicyDepthLists = (PRTLISTANCHOR)rtCrX509CpvAllocZ(pThis, i * sizeof(RTLISTANCHOR),
2013	"paValidPolicyDepthLists");
2014	if (RT_UNLIKELY(!pThis->v.paValidPolicyDepthLists))
2015	return;
2016	while (i-- > 0)
2017	RTListInit(&pThis->v.paValidPolicyDepthLists[i]);
2018
2019	if (!rtCrX509CpvPolicyTreeInsertNew(pThis, NULL, 0 /* iDepth*/, &pThis->AnyPolicyObjId, NULL, &pThis->AnyPolicyObjId))
2020	return;
2021	Assert(!RTListIsEmpty(&pThis->v.paValidPolicyDepthLists[0])); Assert(pThis->v.pValidPolicyTree);
2022
2023	/*
2024	* Name constrains.
2025	*/
2026	if (pThis->pInitialPermittedSubtrees)
2027	rtCrX509CpvAddPermittedSubtrees(pThis, pThis->pInitialPermittedSubtrees->cItems,
2028	pThis->pInitialPermittedSubtrees->papItems);
2029	if (pThis->pInitialExcludedSubtrees)
2030	rtCrX509CpvAddExcludedSubtrees(pThis, pThis->pInitialExcludedSubtrees);
2031
2032	/*
2033	* Counters.
2034	*/
2035	pThis->v.cExplicitPolicy = pThis->cInitialExplicitPolicy;
2036	pThis->v.cInhibitPolicyMapping = pThis->cInitialPolicyMappingInhibit;
2037	pThis->v.cInhibitAnyPolicy = pThis->cInitialInhibitAnyPolicy;
2038	pThis->v.cMaxPathLength = pThis->v.cNodes;
2039
2040	/*
2041	* Certificate info from the trust anchor.
2042	*/
2043	if (pTrustAnchor->pCert)
2044	{
2045	PCRTCRX509TBSCERTIFICATE const pTbsCert = &pTrustAnchor->pCert->TbsCertificate;
2046	pThis->v.pWorkingIssuer = &pTbsCert->Subject;
2047	pThis->v.pWorkingPublicKey = &pTbsCert->SubjectPublicKeyInfo.SubjectPublicKey;
2048	pThis->v.pWorkingPublicKeyAlgorithm = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm;
2049	pThis->v.pWorkingPublicKeyParameters = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters;
2050	}
2051	else
2052	{
2053	Assert(pTrustAnchor->pCertCtx); Assert(pTrustAnchor->pCertCtx->pTaInfo);
2054
2055	PCRTCRTAFTRUSTANCHORINFO const pTaInfo = pTrustAnchor->pCertCtx->pTaInfo;
2056	pThis->v.pWorkingIssuer = &pTaInfo->CertPath.TaName;
2057	pThis->v.pWorkingPublicKey = &pTaInfo->PubKey.SubjectPublicKey;
2058	pThis->v.pWorkingPublicKeyAlgorithm = &pTaInfo->PubKey.Algorithm.Algorithm;
2059	pThis->v.pWorkingPublicKeyParameters = &pTaInfo->PubKey.Algorithm.Parameters;
2060	}
2061	if ( !RTASN1CORE_IS_PRESENT(&pThis->v.pWorkingPublicKeyParameters->u.Core)
2062	\|\| pThis->v.pWorkingPublicKeyParameters->enmType == RTASN1TYPE_NULL)
2063	pThis->v.pWorkingPublicKeyParameters = NULL;
2064	}
2065
2066
2067	/**
2068	* This does basic trust anchor checks (similar to 6.1.3.a) before starting on
2069	* the RFC-5280 algorithm.
2070	*/
2071	static bool rtCrX509CpvMaybeCheckTrustAnchor(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pTrustAnchor)
2072	{
2073	/*
2074	* This is optional (not part of RFC-5280) and we need a full certificate
2075	* structure to do it.
2076	*/
2077	if (!(pThis->fFlags & RTCRX509CERTPATHSINT_F_CHECK_TRUST_ANCHOR))
2078	return true;
2079
2080	PCRTCRX509CERTIFICATE const pCert = pTrustAnchor->pCert;
2081	if (!pCert)
2082	return true;
2083
2084	/*
2085	* Verify the certificate signature if self-signed.
2086	*/
2087	if (RTCrX509Certificate_IsSelfSigned(pCert))
2088	{
2089	int rc = RTCrX509Certificate_VerifySignature(pCert, pThis->v.pWorkingPublicKeyAlgorithm,
2090	pThis->v.pWorkingPublicKeyParameters, pThis->v.pWorkingPublicKey,
2091	pThis->pErrInfo);
2092	if (RT_FAILURE(rc))
2093	{
2094	pThis->rc = rc;
2095	return false;
2096	}
2097	}
2098
2099	/*
2100	* Verify that the certificate is valid at the specified time.
2101	*/
2102	AssertCompile(sizeof(pThis->szTmp) >= 36 * 3);
2103	if ( (pThis->fFlags & RTCRX509CERTPATHSINT_F_VALID_TIME)
2104	&& !RTCrX509Validity_IsValidAtTimeSpec(&pCert->TbsCertificate.Validity, &pThis->ValidTime))
2105	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_VALID_AT_TIME,
2106	"Certificate is not valid (ValidTime=%s Validity=[%s...%s])",
2107	RTTimeSpecToString(&pThis->ValidTime, &pThis->szTmp[0], 36),
2108	RTTimeToString(&pCert->TbsCertificate.Validity.NotBefore.Time, &pThis->szTmp[36], 36),
2109	RTTimeToString(&pCert->TbsCertificate.Validity.NotAfter.Time, &pThis->szTmp[2*36], 36) );
2110
2111	/*
2112	* Verified that the certficiate is not revoked.
2113	*/
2114	/** @todo rainy day. */
2115
2116	/*
2117	* If non-leaf certificate CA must be set, if basic constraints are present.
2118	*/
2119	if (pTrustAnchor->pParent)
2120	{
2121	if (RTAsn1Integer_UnsignedCompareWithU32(&pTrustAnchor->pCert->TbsCertificate.T0.Version, RTCRX509TBSCERTIFICATE_V3) != 0)
2122	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_V3_CERT,
2123	"Only version 3 TA certificates are supported (Version=%llu)",
2124	pTrustAnchor->pCert->TbsCertificate.T0.Version.uValue);
2125	PCRTCRX509BASICCONSTRAINTS pBasicConstraints = pTrustAnchor->pCert->TbsCertificate.T3.pBasicConstraints;
2126	if (pBasicConstraints && !pBasicConstraints->CA.fValue)
2127	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_CA_CERT,
2128	"Trust anchor certificate is not marked as a CA");
2129	}
2130
2131	return true;
2132	}
2133
2134
2135	/**
2136	* Step 6.1.3.a.
2137	*/
2138	static bool rtCrX509CpvCheckBasicCertInfo(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2139	{
2140	/*
2141	* 6.1.3.a.1 - Verify the certificate signature.
2142	*/
2143	int rc = RTCrX509Certificate_VerifySignature(pNode->pCert, pThis->v.pWorkingPublicKeyAlgorithm,
2144	pThis->v.pWorkingPublicKeyParameters, pThis->v.pWorkingPublicKey,
2145	pThis->pErrInfo);
2146	if (RT_FAILURE(rc))
2147	{
2148	pThis->rc = rc;
2149	return false;
2150	}
2151
2152	/*
2153	* 6.1.3.a.2 - Verify that the certificate is valid at the specified time.
2154	*/
2155	AssertCompile(sizeof(pThis->szTmp) >= 36 * 3);
2156	if ( (pThis->fFlags & RTCRX509CERTPATHSINT_F_VALID_TIME)
2157	&& !RTCrX509Validity_IsValidAtTimeSpec(&pNode->pCert->TbsCertificate.Validity, &pThis->ValidTime))
2158	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_VALID_AT_TIME,
2159	"Certificate is not valid (ValidTime=%s Validity=[%s...%s])",
2160	RTTimeSpecToString(&pThis->ValidTime, &pThis->szTmp[0], 36),
2161	RTTimeToString(&pNode->pCert->TbsCertificate.Validity.NotBefore.Time, &pThis->szTmp[36], 36),
2162	RTTimeToString(&pNode->pCert->TbsCertificate.Validity.NotAfter.Time, &pThis->szTmp[2*36], 36) );
2163
2164	/*
2165	* 6.1.3.a.3 - Verified that the certficiate is not revoked.
2166	*/
2167	/** @todo rainy day. */
2168
2169	/*
2170	* 6.1.3.a.4 - Check the issuer name.
2171	*/
2172	if (!RTCrX509Name_MatchByRfc5280(&pNode->pCert->TbsCertificate.Issuer, pThis->v.pWorkingIssuer))
2173	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_ISSUER_MISMATCH, "Issuer mismatch");
2174
2175	return true;
2176	}
2177
2178
2179	/**
2180	* Step 6.1.3.b-c.
2181	*/
2182	static bool rtCrX509CpvCheckNameConstraints(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2183	{
2184	if (pThis->v.fNoPermittedSubtrees)
2185	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NO_PERMITTED_NAMES, "No permitted subtrees");
2186
2187	if ( pNode->pCert->TbsCertificate.Subject.cItems > 0
2188	&& ( !rtCrX509CpvIsNamePermitted(pThis, &pNode->pCert->TbsCertificate.Subject)
2189	\|\| rtCrX509CpvIsNameExcluded(pThis, &pNode->pCert->TbsCertificate.Subject)) )
2190	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NAME_NOT_PERMITTED,
2191	"Subject name is not permitted by current name constraints");
2192
2193	PCRTCRX509GENERALNAMES pAltSubjectName = pNode->pCert->TbsCertificate.T3.pAltSubjectName;
2194	if (pAltSubjectName)
2195	{
2196	uint32_t i = pAltSubjectName->cItems;
2197	while (i-- > 0)
2198	if ( !rtCrX509CpvIsGeneralNamePermitted(pThis, pAltSubjectName->papItems[i])
2199	\|\| rtCrX509CpvIsGeneralNameExcluded(pThis, pAltSubjectName->papItems[i]))
2200	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_ALT_NAME_NOT_PERMITTED,
2201	"Alternative name #%u is is not permitted by current name constraints", i);
2202	}
2203
2204	return true;
2205	}
2206
2207
2208	/**
2209	* Step 6.1.3.d-f.
2210	*/
2211	static bool rtCrX509CpvWorkValidPolicyTree(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth, PRTCRX509CERTPATHNODE pNode,
2212	bool fSelfIssued)
2213	{
2214	PCRTCRX509CERTIFICATEPOLICIES pPolicies = pNode->pCert->TbsCertificate.T3.pCertificatePolicies;
2215	if (pPolicies)
2216	{
2217	/*
2218	* 6.1.3.d.1 - Work the certiciate policies into the tree.
2219	*/
2220	PRTCRX509CERTPATHSPOLICYNODE pCur;
2221	PRTLISTANCHOR pListAbove = &pThis->v.paValidPolicyDepthLists[iDepth - 1];
2222	uint32_t iAnyPolicy = UINT32_MAX;
2223	uint32_t i = pPolicies->cItems;
2224	while (i-- > 0)
2225	{
2226	PCRTCRX509POLICYQUALIFIERINFOS const pQualifiers = &pPolicies->papItems[i]->PolicyQualifiers;
2227	PCRTASN1OBJID const pIdP = &pPolicies->papItems[i]->PolicyIdentifier;
2228	if (RTAsn1ObjId_CompareWithString(pIdP, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2229	{
2230	iAnyPolicy++;
2231	continue;
2232	}
2233
2234	/*
2235	* 6.1.3.d.1.i - Create children for matching policies.
2236	*/
2237	uint32_t cMatches = 0;
2238	RTListForEach(pListAbove, pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2239	{
2240	bool fMatch = RTAsn1ObjId_Compare(pCur->pExpectedPolicyFirst, pIdP) == 0;
2241	if (!fMatch && pCur->cMoreExpectedPolicySet)
2242	for (uint32_t j = 0; !fMatch && j < pCur->cMoreExpectedPolicySet; j++)
2243	fMatch = RTAsn1ObjId_Compare(pCur->papMoreExpectedPolicySet[j], pIdP) == 0;
2244	if (fMatch)
2245	{
2246	if (!rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pIdP, pQualifiers, pIdP))
2247	return false;
2248	cMatches++;
2249	}
2250	}
2251
2252	/*
2253	* 6.1.3.d.1.ii - If no matches above do the same for anyPolicy
2254	* nodes, only match with valid policy this time.
2255	*/
2256	if (cMatches == 0)
2257	{
2258	RTListForEach(pListAbove, pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2259	{
2260	if (RTAsn1ObjId_CompareWithString(pCur->pExpectedPolicyFirst, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2261	{
2262	if (!rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pIdP, pQualifiers, pIdP))
2263	return false;
2264	}
2265	}
2266	}
2267	}
2268
2269	/*
2270	* 6.1.3.d.2 - If anyPolicy present, make sure all expected policies
2271	* are propagated to the current depth.
2272	*/
2273	if ( iAnyPolicy < pPolicies->cItems
2274	&& ( pThis->v.cInhibitAnyPolicy > 0
2275	\|\| (pNode->pParent && fSelfIssued) ) )
2276	{
2277	PCRTCRX509POLICYQUALIFIERINFOS pApQ = &pPolicies->papItems[iAnyPolicy]->PolicyQualifiers;
2278	RTListForEach(pListAbove, pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2279	{
2280	if (!rtCrX509CpvPolicyTreeIsChild(pCur, pCur->pExpectedPolicyFirst))
2281	rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pCur->pExpectedPolicyFirst, pApQ,
2282	pCur->pExpectedPolicyFirst);
2283	for (uint32_t j = 0; j < pCur->cMoreExpectedPolicySet; j++)
2284	if (!rtCrX509CpvPolicyTreeIsChild(pCur, pCur->papMoreExpectedPolicySet[j]))
2285	rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pCur->papMoreExpectedPolicySet[j], pApQ,
2286	pCur->papMoreExpectedPolicySet[j]);
2287	}
2288	}
2289	/*
2290	* 6.1.3.d.3 - Prune the tree.
2291	*/
2292	else
2293	rtCrX509CpvPolicyTreePrune(pThis, iDepth - 1);
2294	}
2295	else
2296	{
2297	/*
2298	* 6.1.3.e - No policy extension present, set tree to NULL.
2299	*/
2300	rtCrX509CpvPolicyTreeDestroy(pThis);
2301	}
2302
2303	/*
2304	* 6.1.3.f - NULL tree check.
2305	*/
2306	if ( pThis->v.pValidPolicyTree == NULL
2307	&& pThis->v.cExplicitPolicy == 0)
2308	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NO_VALID_POLICY,
2309	"An explicit policy is called for but the valid policy tree is NULL.");
2310	return RT_SUCCESS(pThis->rc);
2311	}
2312
2313
2314	/**
2315	* Step 6.1.4.a-b.
2316	*/
2317	static bool rtCrX509CpvSoakUpPolicyMappings(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth,
2318	PCRTCRX509POLICYMAPPINGS pPolicyMappings)
2319	{
2320	/*
2321	* 6.1.4.a - The anyPolicy is not allowed in policy mappings as it would
2322	* allow an evil intermediate certificate to expand the policy
2323	* scope of a certiciate chain without regard to upstream.
2324	*/
2325	uint32_t i = pPolicyMappings->cItems;
2326	while (i-- > 0)
2327	{
2328	PCRTCRX509POLICYMAPPING const pOne = pPolicyMappings->papItems[i];
2329	if (RTAsn1ObjId_CompareWithString(&pOne->IssuerDomainPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2330	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_INVALID_POLICY_MAPPING,
2331	"Invalid policy mapping %#u: IssuerDomainPolicy is anyPolicy.", i);
2332
2333	if (RTAsn1ObjId_CompareWithString(&pOne->SubjectDomainPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2334	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_INVALID_POLICY_MAPPING,
2335	"Invalid policy mapping %#u: SubjectDomainPolicy is anyPolicy.", i);
2336	}
2337
2338	PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
2339	if (pThis->v.cInhibitPolicyMapping > 0)
2340	{
2341	/*
2342	* 6.1.4.b.1 - Do the policy mapping.
2343	*/
2344	i = pPolicyMappings->cItems;
2345	while (i-- > 0)
2346	{
2347	PCRTCRX509POLICYMAPPING const pOne = pPolicyMappings->papItems[i];
2348
2349	uint32_t cFound = 0;
2350	RTListForEach(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2351	{
2352	if (RTAsn1ObjId_Compare(pCur->pValidPolicy, &pOne->IssuerDomainPolicy))
2353	{
2354	if (!pCur->fAlreadyMapped)
2355	{
2356	pCur->fAlreadyMapped = true;
2357	pCur->pExpectedPolicyFirst = &pOne->SubjectDomainPolicy;
2358	}
2359	else
2360	{
2361	uint32_t iExpected = pCur->cMoreExpectedPolicySet;
2362	void *pvNew = RTMemRealloc(pCur->papMoreExpectedPolicySet,
2363	sizeof(pCur->papMoreExpectedPolicySet[0]) * (iExpected + 1));
2364	if (!pvNew)
2365	return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY,
2366	"Error growing papMoreExpectedPolicySet array (cur %u, depth %u)",
2367	pCur->cMoreExpectedPolicySet, iDepth);
2368	pCur->papMoreExpectedPolicySet = (PCRTASN1OBJID *)pvNew;
2369	pCur->papMoreExpectedPolicySet[iExpected] = &pOne->SubjectDomainPolicy;
2370	pCur->cMoreExpectedPolicySet = iExpected + 1;
2371	}
2372	cFound++;
2373	}
2374	}
2375
2376	/*
2377	* If no mapping took place, look for an anyPolicy node.
2378	*/
2379	if (!cFound)
2380	{
2381	RTListForEach(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2382	{
2383	if (RTAsn1ObjId_CompareWithString(pCur->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2384	{
2385	if (!rtCrX509CpvPolicyTreeInsertNew(pThis, pCur->pParent, iDepth,
2386	&pOne->IssuerDomainPolicy,
2387	pCur->pPolicyQualifiers,
2388	&pOne->SubjectDomainPolicy))
2389	return false;
2390	break;
2391	}
2392	}
2393	}
2394	}
2395	}
2396	else
2397	{
2398	/*
2399	* 6.1.4.b.2 - Remove matching policies from the tree if mapping is
2400	* inhibited and prune the tree.
2401	*/
2402	uint32_t cRemoved = 0;
2403	i = pPolicyMappings->cItems;
2404	while (i-- > 0)
2405	{
2406	PCRTCRX509POLICYMAPPING const pOne = pPolicyMappings->papItems[i];
2407	RTListForEachSafe(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2408	{
2409	if (RTAsn1ObjId_Compare(pCur->pValidPolicy, &pOne->IssuerDomainPolicy))
2410	{
2411	rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
2412	cRemoved++;
2413	}
2414	}
2415	}
2416	if (cRemoved)
2417	rtCrX509CpvPolicyTreePrune(pThis, iDepth - 1);
2418	}
2419
2420	return true;
2421	}
2422
2423
2424	/**
2425	* Step 6.1.4.d-f & 6.1.5.c-e.
2426	*/
2427	static void rtCrX509CpvSetWorkingPublicKeyInfo(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2428	{
2429	PCRTCRX509TBSCERTIFICATE const pTbsCert = &pNode->pCert->TbsCertificate;
2430
2431	/*
2432	* 6.1.4.d - The public key.
2433	*/
2434	pThis->v.pWorkingPublicKey = &pTbsCert->SubjectPublicKeyInfo.SubjectPublicKey;
2435
2436	/*
2437	* 6.1.4.e - The public key parameters. Use new ones if present, keep old
2438	* if the algorithm remains the same.
2439	*/
2440	if ( RTASN1CORE_IS_PRESENT(&pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters.u.Core)
2441	&& pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters.enmType != RTASN1TYPE_NULL)
2442	pThis->v.pWorkingPublicKeyParameters = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters;
2443	else if ( pThis->v.pWorkingPublicKeyParameters
2444	&& RTAsn1ObjId_Compare(pThis->v.pWorkingPublicKeyAlgorithm, &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm) != 0)
2445	pThis->v.pWorkingPublicKeyParameters = NULL;
2446
2447	/*
2448	* 6.1.4.f - The public algorithm.
2449	*/
2450	pThis->v.pWorkingPublicKeyAlgorithm = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm;
2451	}
2452
2453
2454	/**
2455	* Step 6.1.4.g.
2456	*/
2457	static bool rtCrX509CpvSoakUpNameConstraints(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAMECONSTRAINTS pNameConstraints)
2458	{
2459	if (pNameConstraints->T0.PermittedSubtrees.cItems > 0)
2460	if (!rtCrX509CpvIntersectionPermittedSubtrees(pThis, &pNameConstraints->T0.PermittedSubtrees))
2461	return false;
2462
2463	if (pNameConstraints->T1.ExcludedSubtrees.cItems > 0)
2464	if (!rtCrX509CpvAddExcludedSubtrees(pThis, &pNameConstraints->T1.ExcludedSubtrees))
2465	return false;
2466
2467	return true;
2468	}
2469
2470
2471	/**
2472	* Step 6.1.4.i.
2473	*/
2474	static bool rtCrX509CpvSoakUpPolicyConstraints(PRTCRX509CERTPATHSINT pThis, PCRTCRX509POLICYCONSTRAINTS pPolicyConstraints)
2475	{
2476	if (RTAsn1Integer_IsPresent(&pPolicyConstraints->RequireExplicitPolicy))
2477	{
2478	if (RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->RequireExplicitPolicy, pThis->v.cExplicitPolicy) < 0)
2479	pThis->v.cExplicitPolicy = pPolicyConstraints->RequireExplicitPolicy.uValue.s.Lo;
2480	}
2481
2482	if (RTAsn1Integer_IsPresent(&pPolicyConstraints->InhibitPolicyMapping))
2483	{
2484	if (RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->InhibitPolicyMapping, pThis->v.cInhibitPolicyMapping) < 0)
2485	pThis->v.cInhibitPolicyMapping = pPolicyConstraints->InhibitPolicyMapping.uValue.s.Lo;
2486	}
2487	return true;
2488	}
2489
2490
2491	/**
2492	* Step 6.1.4.j.
2493	*/
2494	static bool rtCrX509CpvSoakUpInhibitAnyPolicy(PRTCRX509CERTPATHSINT pThis, PCRTASN1INTEGER pInhibitAnyPolicy)
2495	{
2496	if (RTAsn1Integer_UnsignedCompareWithU32(pInhibitAnyPolicy, pThis->v.cInhibitAnyPolicy) < 0)
2497	pThis->v.cInhibitAnyPolicy = pInhibitAnyPolicy->uValue.s.Lo;
2498	return true;
2499	}
2500
2501
2502	/**
2503	* Steps 6.1.4.k, 6.1.4.l, 6.1.4.m, and 6.1.4.n.
2504	*/
2505	static bool rtCrX509CpvCheckAndSoakUpBasicConstraintsAndKeyUsage(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode,
2506	bool fSelfIssued)
2507	{
2508	/* 6.1.4.k - If basic constraints present, CA must be set. */
2509	if (RTAsn1Integer_UnsignedCompareWithU32(&pNode->pCert->TbsCertificate.T0.Version, RTCRX509TBSCERTIFICATE_V3) != 0)
2510	{
2511	/* Note! Add flags if support for older certificates is needed later. */
2512	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_V3_CERT,
2513	"Only version 3 certificates are supported (Version=%llu)",
2514	pNode->pCert->TbsCertificate.T0.Version.uValue);
2515	}
2516	PCRTCRX509BASICCONSTRAINTS pBasicConstraints = pNode->pCert->TbsCertificate.T3.pBasicConstraints;
2517	if (pBasicConstraints)
2518	{
2519	if (!pBasicConstraints->CA.fValue)
2520	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_CA_CERT,
2521	"Intermediate certificate (#%u) is not marked as a CA", pThis->v.iNode);
2522	}
2523
2524	/* 6.1.4.l - Work cMaxPathLength. */
2525	if (!fSelfIssued)
2526	{
2527	if (pThis->v.cMaxPathLength > 0)
2528	pThis->v.cMaxPathLength--;
2529	else
2530	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_MAX_PATH_LENGTH,
2531	"Hit max path length at node #%u", pThis->v.iNode);
2532	}
2533
2534	/* 6.1.4.m - Update cMaxPathLength if basic constrain field is present and smaller. */
2535	if (pBasicConstraints)
2536	{
2537	if (RTAsn1Integer_IsPresent(&pBasicConstraints->PathLenConstraint))
2538	if (RTAsn1Integer_UnsignedCompareWithU32(&pBasicConstraints->PathLenConstraint, pThis->v.cMaxPathLength) < 0)
2539	pThis->v.cMaxPathLength = pBasicConstraints->PathLenConstraint.uValue.s.Lo;
2540	}
2541
2542	/* 6.1.4.n - Require keyCertSign in key usage if the extension is present. */
2543	PCRTCRX509TBSCERTIFICATE const pTbsCert = &pNode->pCert->TbsCertificate;
2544	if ( (pTbsCert->T3.fFlags & RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE)
2545	&& !(pTbsCert->T3.fKeyUsage & RTCRX509CERT_KEY_USAGE_F_KEY_CERT_SIGN))
2546	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_MISSING_KEY_CERT_SIGN,
2547	"Node #%u does not have KeyCertSign set (keyUsage=%#x)",
2548	pThis->v.iNode, pTbsCert->T3.fKeyUsage);
2549
2550	return true;
2551	}
2552
2553
2554	/**
2555	* Step 6.1.4.o - check out critical extensions.
2556	*/
2557	static bool rtCrX509CpvCheckCriticalExtensions(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2558	{
2559	uint32_t cLeft = pNode->pCert->TbsCertificate.T3.Extensions.cItems;
2560	PRTCRX509EXTENSION const *ppCur = pNode->pCert->TbsCertificate.T3.Extensions.papItems;
2561	while (cLeft-- > 0)
2562	{
2563	PCRTCRX509EXTENSION const pCur = *ppCur;
2564	if (pCur->Critical.fValue)
2565	{
2566	if ( RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_KEY_USAGE_OID) != 0
2567	&& RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID) != 0
2568	&& RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_ISSUER_ALT_NAME_OID) != 0
2569	&& RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID) != 0
2570	&& RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_NAME_CONSTRAINTS_OID) != 0
2571	&& RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID) != 0
2572	&& RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_POLICY_MAPPINGS_OID) != 0
2573	&& RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID) != 0
2574	&& RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_EXT_KEY_USAGE_OID) != 0
2575	&& RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID) != 0
2576	&& RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_APPLICATION_OID) != 0
2577	&& RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_INSTALLER_OID) != 0
2578	&& RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_KEXT_OID) != 0
2579	&& RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_IPHONE_SW_DEV_OID) != 0
2580	&& RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_MAC_SW_DEV_OID) != 0
2581	)
2582	{
2583	/* @bugref{10130}: An IntelGraphicsPE2021 cert issued by iKG_AZSKGFDCS has a critical subjectKeyIdentifier
2584	which we quietly ignore here. RFC-5280 conforming CAs should not mark this as critical.
2585	On an end entity this extension can have relevance to path construction. */
2586	if ( pNode->uSrc == RTCRX509CERTPATHNODE_SRC_TARGET
2587	&& RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID) == 0)
2588	LogFunc(("Ignoring non-standard subjectKeyIdentifier on target certificate.\n"));
2589	else
2590	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNKNOWN_CRITICAL_EXTENSION,
2591	"Node #%u has an unknown critical extension: %s",
2592	pThis->v.iNode, pCur->ExtnId.szObjId);
2593	}
2594	}
2595
2596	ppCur++;
2597	}
2598
2599	return true;
2600	}
2601
2602
2603	/**
2604	* Step 6.1.5 - The wrapping up.
2605	*/
2606	static bool rtCrX509CpvWrapUp(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2607	{
2608	Assert(!pNode->pParent); Assert(pThis->pTarget == pNode->pCert);
2609
2610	/*
2611	* 6.1.5.a - Decrement explicit policy.
2612	*/
2613	if (pThis->v.cExplicitPolicy > 0)
2614	pThis->v.cExplicitPolicy--;
2615
2616	/*
2617	* 6.1.5.b - Policy constraints and explicit policy.
2618	*/
2619	PCRTCRX509POLICYCONSTRAINTS pPolicyConstraints = pNode->pCert->TbsCertificate.T3.pPolicyConstraints;
2620	if ( pPolicyConstraints
2621	&& RTAsn1Integer_IsPresent(&pPolicyConstraints->RequireExplicitPolicy)
2622	&& RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->RequireExplicitPolicy, 0) == 0)
2623	pThis->v.cExplicitPolicy = 0;
2624
2625	/*
2626	* 6.1.5.c-e - Update working public key info.
2627	*/
2628	rtCrX509CpvSetWorkingPublicKeyInfo(pThis, pNode);
2629
2630	/*
2631	* 6.1.5.f - Critical extensions.
2632	*/
2633	if (!rtCrX509CpvCheckCriticalExtensions(pThis, pNode))
2634	return false;
2635
2636	/*
2637	* 6.1.5.g - Calculate the intersection between the user initial policy set
2638	* and the valid policy tree.
2639	*/
2640	rtCrX509CpvPolicyTreeIntersect(pThis, pThis->cInitialUserPolicySet, pThis->papInitialUserPolicySet);
2641
2642	if ( pThis->v.cExplicitPolicy == 0
2643	&& pThis->v.pValidPolicyTree == NULL)
2644	return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NO_VALID_POLICY, "No valid policy (wrap-up).");
2645
2646	return true;
2647	}
2648
2649
2650	/**
2651	* Worker that validates one path.
2652	*
2653	* This implements the algorithm in RFC-5280, section 6.1, with exception of
2654	* the CRL checks in 6.1.3.a.3.
2655	*
2656	* @returns success indicator.
2657	* @param pThis The path builder & validator instance.
2658	* @param pTrustAnchor The trust anchor node.
2659	*/
2660	static bool rtCrX509CpvOneWorker(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pTrustAnchor)
2661	{
2662	/*
2663	* Init.
2664	*/
2665	rtCrX509CpvInit(pThis, pTrustAnchor);
2666	if (RT_SUCCESS(pThis->rc))
2667	{
2668	/*
2669	* Maybe do some trust anchor checks.
2670	*/
2671	if (!rtCrX509CpvMaybeCheckTrustAnchor(pThis, pTrustAnchor))
2672	{
2673	AssertStmt(RT_FAILURE_NP(pThis->rc), pThis->rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR);
2674	return false;
2675	}
2676
2677	/*
2678	* Special case, target certificate is trusted.
2679	*/
2680	if (!pTrustAnchor->pParent)
2681	return true; /* rtCrX509CpvWrapUp should not be needed here. */
2682
2683	/*
2684	* Normal processing.
2685	*/
2686	PRTCRX509CERTPATHNODE pNode = pTrustAnchor->pParent;
2687	uint32_t iNode = pThis->v.iNode = 1; /* We count to cNode (inclusive). Same a validation tree depth. */
2688	while (pNode && RT_SUCCESS(pThis->rc))
2689	{
2690	/*
2691	* Basic certificate processing.
2692	*/
2693	if (!rtCrX509CpvCheckBasicCertInfo(pThis, pNode)) /* Step 6.1.3.a */
2694	break;
2695
2696	bool const fSelfIssued = rtCrX509CertPathsIsSelfIssued(pNode);
2697	if (!fSelfIssued \|\| !pNode->pParent) /* Step 6.1.3.b-c */
2698	if (!rtCrX509CpvCheckNameConstraints(pThis, pNode))
2699	break;
2700
2701	if (!rtCrX509CpvWorkValidPolicyTree(pThis, iNode, pNode, fSelfIssued)) /* Step 6.1.3.d-f */
2702	break;
2703
2704	/*
2705	* If it's the last certificate in the path, do wrap-ups.
2706	*/
2707	if (!pNode->pParent) /* Step 6.1.5 */
2708	{
2709	Assert(iNode == pThis->v.cNodes);
2710	if (!rtCrX509CpvWrapUp(pThis, pNode))
2711	break;
2712	AssertRCBreak(pThis->rc);
2713	return true;
2714	}
2715
2716	/*
2717	* Preparations for the next certificate.
2718	*/
2719	PCRTCRX509TBSCERTIFICATE const pTbsCert = &pNode->pCert->TbsCertificate;
2720	if ( pTbsCert->T3.pPolicyMappings
2721	&& !rtCrX509CpvSoakUpPolicyMappings(pThis, iNode, pTbsCert->T3.pPolicyMappings)) /* Step 6.1.4.a-b */
2722	break;
2723
2724	pThis->v.pWorkingIssuer = &pTbsCert->Subject; /* Step 6.1.4.c */
2725
2726	rtCrX509CpvSetWorkingPublicKeyInfo(pThis, pNode); /* Step 6.1.4.d-f */
2727
2728	if ( pTbsCert->T3.pNameConstraints /* Step 6.1.4.g */
2729	&& !rtCrX509CpvSoakUpNameConstraints(pThis, pTbsCert->T3.pNameConstraints))
2730	break;
2731
2732	if (!fSelfIssued) /* Step 6.1.4.h */
2733	{
2734	if (pThis->v.cExplicitPolicy > 0)
2735	pThis->v.cExplicitPolicy--;
2736	if (pThis->v.cInhibitPolicyMapping > 0)
2737	pThis->v.cInhibitPolicyMapping--;
2738	if (pThis->v.cInhibitAnyPolicy > 0)
2739	pThis->v.cInhibitAnyPolicy--;
2740	}
2741
2742	if ( pTbsCert->T3.pPolicyConstraints /* Step 6.1.4.j */
2743	&& !rtCrX509CpvSoakUpPolicyConstraints(pThis, pTbsCert->T3.pPolicyConstraints))
2744	break;
2745
2746	if ( pTbsCert->T3.pInhibitAnyPolicy /* Step 6.1.4.j */
2747	&& !rtCrX509CpvSoakUpInhibitAnyPolicy(pThis, pTbsCert->T3.pInhibitAnyPolicy))
2748	break;
2749
2750	if (!rtCrX509CpvCheckAndSoakUpBasicConstraintsAndKeyUsage(pThis, pNode, fSelfIssued)) /* Step 6.1.4.k-n */
2751	break;
2752
2753	if (!rtCrX509CpvCheckCriticalExtensions(pThis, pNode)) /* Step 6.1.4.o */
2754	break;
2755
2756	/*
2757	* Advance to the next certificate.
2758	*/
2759	pNode = pNode->pParent;
2760	pThis->v.iNode = ++iNode;
2761	}
2762	AssertStmt(RT_FAILURE_NP(pThis->rc), pThis->rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR);
2763	}
2764	return false;
2765	}
2766
2767
2768	RTDECL(int) RTCrX509CertPathsValidateOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, PRTERRINFO pErrInfo)
2769	{
2770	/*
2771	* Validate the input.
2772	*/
2773	PRTCRX509CERTPATHSINT pThis = hCertPaths;
2774	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2775	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2776	AssertReturn(!(pThis->fFlags & ~RTCRX509CERTPATHSINT_F_VALID_MASK), VERR_INVALID_PARAMETER);
2777	AssertPtrReturn(pThis->pTarget, VERR_INVALID_PARAMETER);
2778	AssertPtrReturn(pThis->pRoot, VERR_INVALID_PARAMETER);
2779	AssertReturn(pThis->rc == VINF_SUCCESS, VERR_INVALID_PARAMETER);
2780
2781	/*
2782	* Locate the path and validate it.
2783	*/
2784	int rc;
2785	if (iPath < pThis->cPaths)
2786	{
2787	PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2788	if (pLeaf)
2789	{
2790	if (RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pLeaf->uSrc))
2791	{
2792	pThis->pErrInfo = pErrInfo;
2793	rtCrX509CpvOneWorker(pThis, pLeaf);
2794	pThis->pErrInfo = NULL;
2795	rc = pThis->rc;
2796	pThis->rc = VINF_SUCCESS;
2797	}
2798	else
2799	rc = RTErrInfoSetF(pErrInfo, VERR_CR_X509_NO_TRUST_ANCHOR, "Path #%u is does not have a trust anchor: uSrc=%s",
2800	iPath, rtCrX509CertPathsNodeGetSourceName(pLeaf));
2801	pLeaf->rcVerify = rc;
2802	}
2803	else
2804	rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR;
2805	}
2806	else
2807	rc = VERR_NOT_FOUND;
2808	return rc;
2809	}
2810
2811
2812	RTDECL(int) RTCrX509CertPathsValidateAll(RTCRX509CERTPATHS hCertPaths, uint32_t *pcValidPaths, PRTERRINFO pErrInfo)
2813	{
2814	/*
2815	* Validate the input.
2816	*/
2817	PRTCRX509CERTPATHSINT pThis = hCertPaths;
2818	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2819	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2820	AssertReturn(!(pThis->fFlags & ~RTCRX509CERTPATHSINT_F_VALID_MASK), VERR_INVALID_PARAMETER);
2821	AssertPtrReturn(pThis->pTarget, VERR_INVALID_PARAMETER);
2822	AssertPtrReturn(pThis->pRoot, VERR_INVALID_PARAMETER);
2823	AssertReturn(pThis->rc == VINF_SUCCESS, VERR_INVALID_PARAMETER);
2824	AssertPtrNullReturn(pcValidPaths, VERR_INVALID_POINTER);
2825
2826	/*
2827	* Validate the paths.
2828	*/
2829	pThis->pErrInfo = pErrInfo;
2830
2831	int rcLastFailure = VINF_SUCCESS;
2832	uint32_t cValidPaths = 0;
2833	PRTCRX509CERTPATHNODE pCurLeaf;
2834	RTListForEach(&pThis->LeafList, pCurLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
2835	{
2836	if (RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCurLeaf->uSrc))
2837	{
2838	rtCrX509CpvOneWorker(hCertPaths, pCurLeaf);
2839	if (RT_SUCCESS(pThis->rc))
2840	cValidPaths++;
2841	else
2842	rcLastFailure = pThis->rc;
2843	pCurLeaf->rcVerify = pThis->rc;
2844	pThis->rc = VINF_SUCCESS;
2845	}
2846	else
2847	pCurLeaf->rcVerify = VERR_CR_X509_NO_TRUST_ANCHOR;
2848	}
2849
2850	pThis->pErrInfo = NULL;
2851
2852	if (pcValidPaths)
2853	*pcValidPaths = cValidPaths;
2854	if (cValidPaths > 0)
2855	return VINF_SUCCESS;
2856	if (RT_SUCCESS_NP(rcLastFailure))
2857	return RTErrInfoSetF(pErrInfo, VERR_CR_X509_CPV_NO_TRUSTED_PATHS,
2858	"None of the %u path(s) have a trust anchor.", pThis->cPaths);
2859	return rcLastFailure;
2860	}
2861
2862
2863	RTDECL(uint32_t) RTCrX509CertPathsGetPathCount(RTCRX509CERTPATHS hCertPaths)
2864	{
2865	/*
2866	* Validate the input.
2867	*/
2868	PRTCRX509CERTPATHSINT pThis = hCertPaths;
2869	AssertPtrReturn(pThis, UINT32_MAX);
2870	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, UINT32_MAX);
2871	AssertPtrReturn(pThis->pRoot, UINT32_MAX);
2872
2873	/*
2874	* Return data.
2875	*/
2876	return pThis->cPaths;
2877	}
2878
2879
2880	RTDECL(int) RTCrX509CertPathsQueryPathInfo(RTCRX509CERTPATHS hCertPaths, uint32_t iPath,
2881	bool pfTrusted, uint32_t pcNodes, PCRTCRX509NAME *ppSubject,
2882	PCRTCRX509SUBJECTPUBLICKEYINFO *ppPublicKeyInfo,
2883	PCRTCRX509CERTIFICATE ppCert, PCRTCRCERTCTX ppCertCtx,
2884	int *prcVerify)
2885	{
2886	/*
2887	* Validate the input.
2888	*/
2889	PRTCRX509CERTPATHSINT pThis = hCertPaths;
2890	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2891	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2892	AssertPtrReturn(pThis->pRoot, VERR_WRONG_ORDER);
2893	AssertReturn(iPath < pThis->cPaths, VERR_NOT_FOUND);
2894
2895	/*
2896	* Get the data.
2897	*/
2898	PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2899	AssertReturn(pLeaf, VERR_CR_X509_INTERNAL_ERROR);
2900
2901	if (pfTrusted)
2902	*pfTrusted = RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pLeaf->uSrc);
2903
2904	if (pcNodes)
2905	pcNodes = pLeaf->uDepth + 1; / Includes both trust anchor and target. */
2906
2907	if (ppSubject)
2908	*ppSubject = pLeaf->pCert ? &pLeaf->pCert->TbsCertificate.Subject : &pLeaf->pCertCtx->pTaInfo->CertPath.TaName;
2909
2910	if (ppPublicKeyInfo)
2911	*ppPublicKeyInfo = pLeaf->pCert ? &pLeaf->pCert->TbsCertificate.SubjectPublicKeyInfo : &pLeaf->pCertCtx->pTaInfo->PubKey;
2912
2913	if (ppCert)
2914	*ppCert = pLeaf->pCert;
2915
2916	if (ppCertCtx)
2917	{
2918	if (pLeaf->pCertCtx)
2919	{
2920	uint32_t cRefs = RTCrCertCtxRetain(pLeaf->pCertCtx);
2921	AssertReturn(cRefs != UINT32_MAX, VERR_CR_X509_INTERNAL_ERROR);
2922	}
2923	*ppCertCtx = pLeaf->pCertCtx;
2924	}
2925
2926	if (prcVerify)
2927	*prcVerify = pLeaf->rcVerify;
2928
2929	return VINF_SUCCESS;
2930	}
2931
2932
2933	RTDECL(uint32_t) RTCrX509CertPathsGetPathLength(RTCRX509CERTPATHS hCertPaths, uint32_t iPath)
2934	{
2935	/*
2936	* Validate the input.
2937	*/
2938	PRTCRX509CERTPATHSINT pThis = hCertPaths;
2939	AssertPtrReturn(pThis, UINT32_MAX);
2940	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, UINT32_MAX);
2941	AssertPtrReturn(pThis->pRoot, UINT32_MAX);
2942	AssertReturn(iPath < pThis->cPaths, UINT32_MAX);
2943
2944	/*
2945	* Get the data.
2946	*/
2947	PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2948	AssertReturn(pLeaf, UINT32_MAX);
2949	return pLeaf->uDepth + 1;
2950	}
2951
2952
2953	RTDECL(int) RTCrX509CertPathsGetPathVerifyResult(RTCRX509CERTPATHS hCertPaths, uint32_t iPath)
2954	{
2955	/*
2956	* Validate the input.
2957	*/
2958	PRTCRX509CERTPATHSINT pThis = hCertPaths;
2959	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2960	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2961	AssertPtrReturn(pThis->pRoot, VERR_WRONG_ORDER);
2962	AssertReturn(iPath < pThis->cPaths, VERR_NOT_FOUND);
2963
2964	/*
2965	* Get the data.
2966	*/
2967	PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2968	AssertReturn(pLeaf, VERR_CR_X509_INTERNAL_ERROR);
2969
2970	return pLeaf->rcVerify;
2971	}
2972
2973
2974	static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetPathNodeByIndexes(PRTCRX509CERTPATHSINT pThis, uint32_t iPath, uint32_t iNode)
2975	{
2976	PRTCRX509CERTPATHNODE pNode = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2977	Assert(pNode);
2978	if (pNode)
2979	{
2980	if (iNode <= pNode->uDepth)
2981	{
2982	uint32_t uCertDepth = pNode->uDepth - iNode;
2983	while (pNode->uDepth > uCertDepth)
2984	pNode = pNode->pParent;
2985	Assert(pNode);
2986	Assert(pNode && pNode->uDepth == uCertDepth);
2987	return pNode;
2988	}
2989	}
2990
2991	return NULL;
2992	}
2993
2994
2995	RTDECL(PCRTCRX509CERTIFICATE) RTCrX509CertPathsGetPathNodeCert(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t iNode)
2996	{
2997	/*
2998	* Validate the input.
2999	*/
3000	PRTCRX509CERTPATHSINT pThis = hCertPaths;
3001	AssertPtrReturn(pThis, NULL);
3002	AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, NULL);
3003	AssertPtrReturn(pThis->pRoot, NULL);
3004	AssertReturn(iPath < pThis->cPaths, NULL);
3005
3006	/*
3007	* Get the data.
3008	*/
3009	PRTCRX509CERTPATHNODE pNode = rtCrX509CertPathsGetPathNodeByIndexes(pThis, iPath, iNode);
3010	if (pNode)
3011	return pNode->pCert;
3012	return NULL;
3013	}
3014
3015
3016	/** @} */
3017

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/Runtime/common/crypto/x509-certpaths.cpp

Download in other formats: