1 | /* $Id: x509-certpaths.cpp 96407 2022-08-22 17:43:14Z vboxsync $ */
|
---|
2 | /** @file
|
---|
3 | * IPRT - Crypto - X.509, Simple Certificate Path Builder & Validator.
|
---|
4 | */
|
---|
5 |
|
---|
6 | /*
|
---|
7 | * Copyright (C) 2006-2022 Oracle and/or its affiliates.
|
---|
8 | *
|
---|
9 | * This file is part of VirtualBox base platform packages, as
|
---|
10 | * available from https://www.virtualbox.org.
|
---|
11 | *
|
---|
12 | * This program is free software; you can redistribute it and/or
|
---|
13 | * modify it under the terms of the GNU General Public License
|
---|
14 | * as published by the Free Software Foundation, in version 3 of the
|
---|
15 | * License.
|
---|
16 | *
|
---|
17 | * This program is distributed in the hope that it will be useful, but
|
---|
18 | * WITHOUT ANY WARRANTY; without even the implied warranty of
|
---|
19 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
---|
20 | * General Public License for more details.
|
---|
21 | *
|
---|
22 | * You should have received a copy of the GNU General Public License
|
---|
23 | * along with this program; if not, see <https://www.gnu.org/licenses>.
|
---|
24 | *
|
---|
25 | * The contents of this file may alternatively be used under the terms
|
---|
26 | * of the Common Development and Distribution License Version 1.0
|
---|
27 | * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
|
---|
28 | * in the VirtualBox distribution, in which case the provisions of the
|
---|
29 | * CDDL are applicable instead of those of the GPL.
|
---|
30 | *
|
---|
31 | * You may elect to license modified versions of this file under the
|
---|
32 | * terms and conditions of either the GPL or the CDDL or both.
|
---|
33 | *
|
---|
34 | * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
|
---|
35 | */
|
---|
36 |
|
---|
37 |
|
---|
38 | /*********************************************************************************************************************************
|
---|
39 | * Header Files *
|
---|
40 | *********************************************************************************************************************************/
|
---|
41 | #define LOG_GROUP RTLOGGROUP_CRYPTO
|
---|
42 | #include "internal/iprt.h"
|
---|
43 | #include <iprt/crypto/x509.h>
|
---|
44 |
|
---|
45 | #include <iprt/asm.h>
|
---|
46 | #include <iprt/ctype.h>
|
---|
47 | #include <iprt/err.h>
|
---|
48 | #include <iprt/mem.h>
|
---|
49 | #include <iprt/string.h>
|
---|
50 | #include <iprt/list.h>
|
---|
51 | #include <iprt/log.h>
|
---|
52 | #include <iprt/time.h>
|
---|
53 | #include <iprt/crypto/applecodesign.h> /* critical extension OIDs */
|
---|
54 | #include <iprt/crypto/pkcs7.h> /* PCRTCRPKCS7SETOFCERTS */
|
---|
55 | #include <iprt/crypto/store.h>
|
---|
56 |
|
---|
57 | #include "x509-internal.h"
|
---|
58 |
|
---|
59 |
|
---|
60 | /*********************************************************************************************************************************
|
---|
61 | * Structures and Typedefs *
|
---|
62 | *********************************************************************************************************************************/
|
---|
63 | /**
|
---|
64 | * X.509 certificate path node.
|
---|
65 | */
|
---|
66 | typedef struct RTCRX509CERTPATHNODE
|
---|
67 | {
|
---|
68 | /** Sibling list entry. */
|
---|
69 | RTLISTNODE SiblingEntry;
|
---|
70 | /** List of children or leaf list entry. */
|
---|
71 | RTLISTANCHOR ChildListOrLeafEntry;
|
---|
72 | /** Pointer to the parent node. NULL for root. */
|
---|
73 | struct RTCRX509CERTPATHNODE *pParent;
|
---|
74 |
|
---|
75 | /** The distance between this node and the target. */
|
---|
76 | uint32_t uDepth : 8;
|
---|
77 | /** Indicates the source of this certificate. */
|
---|
78 | uint32_t uSrc : 3;
|
---|
79 | /** Set if this is a leaf node. */
|
---|
80 | uint32_t fLeaf : 1;
|
---|
81 | /** Makes sure it's a 32-bit bitfield. */
|
---|
82 | uint32_t uReserved : 20;
|
---|
83 |
|
---|
84 | /** Leaf only: The result of the last path vertification. */
|
---|
85 | int rcVerify;
|
---|
86 |
|
---|
87 | /** Pointer to the certificate. This can be NULL only for trust anchors. */
|
---|
88 | PCRTCRX509CERTIFICATE pCert;
|
---|
89 |
|
---|
90 | /** If the certificate or trust anchor was obtained from a store, this is the
|
---|
91 | * associated certificate context (referenced of course). This is used to
|
---|
92 | * access the trust anchor information, if present.
|
---|
93 | *
|
---|
94 | * (If this is NULL it's from a certificate array or some such given directly to
|
---|
95 | * the path building code. It's assumed the caller doesn't free these until the
|
---|
96 | * path validation/whatever is done with and the paths destroyed.) */
|
---|
97 | PCRTCRCERTCTX pCertCtx;
|
---|
98 | } RTCRX509CERTPATHNODE;
|
---|
99 | /** Pointer to a X.509 path node. */
|
---|
100 | typedef RTCRX509CERTPATHNODE *PRTCRX509CERTPATHNODE;
|
---|
101 |
|
---|
102 | /** @name RTCRX509CERTPATHNODE::uSrc values.
|
---|
103 | * The trusted and untrusted sources ordered in priority order, where higher
|
---|
104 | * number means high priority in case of duplicates.
|
---|
105 | * @{ */
|
---|
106 | #define RTCRX509CERTPATHNODE_SRC_NONE 0
|
---|
107 | #define RTCRX509CERTPATHNODE_SRC_TARGET 1
|
---|
108 | #define RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET 2
|
---|
109 | #define RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY 3
|
---|
110 | #define RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE 4
|
---|
111 | #define RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE 5
|
---|
112 | #define RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT 6
|
---|
113 | #define RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(uSrc) ((uSrc) >= RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE)
|
---|
114 | /** @} */
|
---|
115 |
|
---|
116 |
|
---|
117 | /**
|
---|
118 | * Policy tree node.
|
---|
119 | */
|
---|
120 | typedef struct RTCRX509CERTPATHSPOLICYNODE
|
---|
121 | {
|
---|
122 | /** Sibling list entry. */
|
---|
123 | RTLISTNODE SiblingEntry;
|
---|
124 | /** Tree depth list entry. */
|
---|
125 | RTLISTNODE DepthEntry;
|
---|
126 | /** List of children or leaf list entry. */
|
---|
127 | RTLISTANCHOR ChildList;
|
---|
128 | /** Pointer to the parent. */
|
---|
129 | struct RTCRX509CERTPATHSPOLICYNODE *pParent;
|
---|
130 |
|
---|
131 | /** The policy object ID. */
|
---|
132 | PCRTASN1OBJID pValidPolicy;
|
---|
133 |
|
---|
134 | /** Optional sequence of policy qualifiers. */
|
---|
135 | PCRTCRX509POLICYQUALIFIERINFOS pPolicyQualifiers;
|
---|
136 |
|
---|
137 | /** The first policy ID in the exepcted policy set. */
|
---|
138 | PCRTASN1OBJID pExpectedPolicyFirst;
|
---|
139 | /** Set if we've already mapped pExpectedPolicyFirst. */
|
---|
140 | bool fAlreadyMapped;
|
---|
141 | /** Number of additional items in the expected policy set. */
|
---|
142 | uint32_t cMoreExpectedPolicySet;
|
---|
143 | /** Additional items in the expected policy set. */
|
---|
144 | PCRTASN1OBJID *papMoreExpectedPolicySet;
|
---|
145 | } RTCRX509CERTPATHSPOLICYNODE;
|
---|
146 | /** Pointer to a policy tree node. */
|
---|
147 | typedef RTCRX509CERTPATHSPOLICYNODE *PRTCRX509CERTPATHSPOLICYNODE;
|
---|
148 |
|
---|
149 |
|
---|
150 | /**
|
---|
151 | * Path builder and validator instance.
|
---|
152 | *
|
---|
153 | * The path builder creates a tree of certificates by forward searching from the
|
---|
154 | * end-entity towards a trusted source. The leaf nodes are inserted into list
|
---|
155 | * ordered by the source of the leaf certificate and the path length (i.e. tree
|
---|
156 | * depth).
|
---|
157 | *
|
---|
158 | * The path validator works the tree from the leaf end and validates each
|
---|
159 | * potential path found by the builder. It is generally happy with one working
|
---|
160 | * path, but may be told to verify all of them.
|
---|
161 | */
|
---|
162 | typedef struct RTCRX509CERTPATHSINT
|
---|
163 | {
|
---|
164 | /** Magic number. */
|
---|
165 | uint32_t u32Magic;
|
---|
166 | /** Reference counter. */
|
---|
167 | uint32_t volatile cRefs;
|
---|
168 |
|
---|
169 | /** @name Input
|
---|
170 | * @{ */
|
---|
171 | /** The target certificate (end entity) to build a trusted path for. */
|
---|
172 | PCRTCRX509CERTIFICATE pTarget;
|
---|
173 |
|
---|
174 | /** Lone trusted certificate. */
|
---|
175 | PCRTCRX509CERTIFICATE pTrustedCert;
|
---|
176 | /** Store of trusted certificates. */
|
---|
177 | RTCRSTORE hTrustedStore;
|
---|
178 |
|
---|
179 | /** Store of untrusted certificates. */
|
---|
180 | RTCRSTORE hUntrustedStore;
|
---|
181 | /** Array of untrusted certificates, typically from the protocol. */
|
---|
182 | PCRTCRX509CERTIFICATE paUntrustedCerts;
|
---|
183 | /** Number of entries in paUntrusted. */
|
---|
184 | uint32_t cUntrustedCerts;
|
---|
185 | /** Set of untrusted PKCS \#7 / CMS certificatess. */
|
---|
186 | PCRTCRPKCS7SETOFCERTS pUntrustedCertsSet;
|
---|
187 |
|
---|
188 | /** UTC time we're going to validate the path at, requires
|
---|
189 | * RTCRX509CERTPATHSINT_F_VALID_TIME to be set. */
|
---|
190 | RTTIMESPEC ValidTime;
|
---|
191 | /** Number of policy OIDs in the user initial policy set, 0 means anyPolicy. */
|
---|
192 | uint32_t cInitialUserPolicySet;
|
---|
193 | /** The user initial policy set. As with all other user provided data, we
|
---|
194 | * assume it's immutable and remains valid for the usage period of the path
|
---|
195 | * builder & validator. */
|
---|
196 | PCRTASN1OBJID *papInitialUserPolicySet;
|
---|
197 | /** Number of certificates before the user wants an explicit policy result.
|
---|
198 | * Set to UINT32_MAX no explicit policy restriction required by the user. */
|
---|
199 | uint32_t cInitialExplicitPolicy;
|
---|
200 | /** Number of certificates before the user wants policy mapping to be
|
---|
201 | * inhibited. Set to UINT32_MAX if no initial policy mapping inhibition
|
---|
202 | * desired by the user. */
|
---|
203 | uint32_t cInitialPolicyMappingInhibit;
|
---|
204 | /** Number of certificates before the user wants the anyPolicy to be rejected.
|
---|
205 | * Set to UINT32_MAX no explicit policy restriction required by the user. */
|
---|
206 | uint32_t cInitialInhibitAnyPolicy;
|
---|
207 | /** Initial name restriction: Permitted subtrees. */
|
---|
208 | PCRTCRX509GENERALSUBTREES pInitialPermittedSubtrees;
|
---|
209 | /** Initial name restriction: Excluded subtrees. */
|
---|
210 | PCRTCRX509GENERALSUBTREES pInitialExcludedSubtrees;
|
---|
211 |
|
---|
212 | /** Flags RTCRX509CERTPATHSINT_F_XXX. */
|
---|
213 | uint32_t fFlags;
|
---|
214 | /** @} */
|
---|
215 |
|
---|
216 | /** Sticky status for remembering allocation errors and the like. */
|
---|
217 | int32_t rc;
|
---|
218 | /** Where to store extended error info (optional). */
|
---|
219 | PRTERRINFO pErrInfo;
|
---|
220 |
|
---|
221 | /** @name Path Builder Output
|
---|
222 | * @{ */
|
---|
223 | /** Pointer to the root of the tree. This will always be non-NULL after path
|
---|
224 | * building and thus can be reliably used to tell if path building has taken
|
---|
225 | * place or not. */
|
---|
226 | PRTCRX509CERTPATHNODE pRoot;
|
---|
227 | /** List of working leaf tree nodes. */
|
---|
228 | RTLISTANCHOR LeafList;
|
---|
229 | /** The number of paths (leafs). */
|
---|
230 | uint32_t cPaths;
|
---|
231 | /** @} */
|
---|
232 |
|
---|
233 | /** Path Validator State. */
|
---|
234 | struct
|
---|
235 | {
|
---|
236 | /** Number of nodes in the certificate path we're validating (aka 'n'). */
|
---|
237 | uint32_t cNodes;
|
---|
238 | /** The current node (0 being the trust anchor). */
|
---|
239 | uint32_t iNode;
|
---|
240 |
|
---|
241 | /** The root node of the valid policy tree. */
|
---|
242 | PRTCRX509CERTPATHSPOLICYNODE pValidPolicyTree;
|
---|
243 | /** An array of length cNodes + 1 which tracks all nodes at the given (index)
|
---|
244 | * tree depth via the RTCRX509CERTPATHSPOLICYNODE::DepthEntry member. */
|
---|
245 | PRTLISTANCHOR paValidPolicyDepthLists;
|
---|
246 |
|
---|
247 | /** Number of entries in paPermittedSubtrees (name constraints).
|
---|
248 | * If zero, no permitted name constrains currently in effect. */
|
---|
249 | uint32_t cPermittedSubtrees;
|
---|
250 | /** The allocated size of papExcludedSubtrees */
|
---|
251 | uint32_t cPermittedSubtreesAlloc;
|
---|
252 | /** Array of permitted subtrees we've collected so far (name constraints). */
|
---|
253 | PCRTCRX509GENERALSUBTREE *papPermittedSubtrees;
|
---|
254 | /** Set if we end up with an empty set after calculating a name constraints
|
---|
255 | * union. */
|
---|
256 | bool fNoPermittedSubtrees;
|
---|
257 |
|
---|
258 | /** Number of entries in paExcludedSubtrees (name constraints).
|
---|
259 | * If zero, no excluded name constrains currently in effect. */
|
---|
260 | uint32_t cExcludedSubtrees;
|
---|
261 | /** Array of excluded subtrees we've collected so far (name constraints). */
|
---|
262 | PCRTCRX509GENERALSUBTREES *papExcludedSubtrees;
|
---|
263 |
|
---|
264 | /** Number of non-self-issued certificates to be processed before a non-NULL
|
---|
265 | * paValidPolicyTree is required. */
|
---|
266 | uint32_t cExplicitPolicy;
|
---|
267 | /** Number of non-self-issued certificates to be processed we stop processing
|
---|
268 | * policy mapping extensions. */
|
---|
269 | uint32_t cInhibitPolicyMapping;
|
---|
270 | /** Number of non-self-issued certificates to be processed before a the
|
---|
271 | * anyPolicy is rejected. */
|
---|
272 | uint32_t cInhibitAnyPolicy;
|
---|
273 | /** Number of non-self-issued certificates we're allowed to process. */
|
---|
274 | uint32_t cMaxPathLength;
|
---|
275 |
|
---|
276 | /** The working issuer name. */
|
---|
277 | PCRTCRX509NAME pWorkingIssuer;
|
---|
278 | /** The working public key algorithm ID. */
|
---|
279 | PCRTASN1OBJID pWorkingPublicKeyAlgorithm;
|
---|
280 | /** The working public key algorithm parameters. */
|
---|
281 | PCRTASN1DYNTYPE pWorkingPublicKeyParameters;
|
---|
282 | /** A bit string containing the public key. */
|
---|
283 | PCRTASN1BITSTRING pWorkingPublicKey;
|
---|
284 | } v;
|
---|
285 |
|
---|
286 | /** An object identifier initialized to anyPolicy. */
|
---|
287 | RTASN1OBJID AnyPolicyObjId;
|
---|
288 |
|
---|
289 | /** Temporary scratch space. */
|
---|
290 | char szTmp[1024];
|
---|
291 | } RTCRX509CERTPATHSINT;
|
---|
292 | typedef RTCRX509CERTPATHSINT *PRTCRX509CERTPATHSINT;
|
---|
293 |
|
---|
294 | /** Magic value for RTCRX509CERTPATHSINT::u32Magic (Bruce Schneier). */
|
---|
295 | #define RTCRX509CERTPATHSINT_MAGIC UINT32_C(0x19630115)
|
---|
296 |
|
---|
297 | /** @name RTCRX509CERTPATHSINT_F_XXX - Certificate path build flags.
|
---|
298 | * @{ */
|
---|
299 | #define RTCRX509CERTPATHSINT_F_VALID_TIME RT_BIT_32(0)
|
---|
300 | #define RTCRX509CERTPATHSINT_F_ELIMINATE_UNTRUSTED_PATHS RT_BIT_32(1)
|
---|
301 | /** Whether checking the trust anchor signature (if self signed) and
|
---|
302 | * that it is valid at the verification time, also require it to be a CA if not
|
---|
303 | * leaf node. */
|
---|
304 | #define RTCRX509CERTPATHSINT_F_CHECK_TRUST_ANCHOR RT_BIT_32(2)
|
---|
305 | #define RTCRX509CERTPATHSINT_F_VALID_MASK UINT32_C(0x00000007)
|
---|
306 | /** @} */
|
---|
307 |
|
---|
308 |
|
---|
309 | /*********************************************************************************************************************************
|
---|
310 | * Internal Functions *
|
---|
311 | *********************************************************************************************************************************/
|
---|
312 | static void rtCrX509CertPathsDestroyTree(PRTCRX509CERTPATHSINT pThis);
|
---|
313 | static void rtCrX509CpvCleanup(PRTCRX509CERTPATHSINT pThis);
|
---|
314 |
|
---|
315 |
|
---|
316 | /** @name Path Builder and Validator Config APIs
|
---|
317 | * @{
|
---|
318 | */
|
---|
319 |
|
---|
320 | RTDECL(int) RTCrX509CertPathsCreate(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget)
|
---|
321 | {
|
---|
322 | AssertPtrReturn(phCertPaths, VERR_INVALID_POINTER);
|
---|
323 |
|
---|
324 | PRTCRX509CERTPATHSINT pThis = (PRTCRX509CERTPATHSINT)RTMemAllocZ(sizeof(*pThis));
|
---|
325 | if (pThis)
|
---|
326 | {
|
---|
327 | int rc = RTAsn1ObjId_InitFromString(&pThis->AnyPolicyObjId, RTCRX509_ID_CE_CP_ANY_POLICY_OID, &g_RTAsn1DefaultAllocator);
|
---|
328 | if (RT_SUCCESS(rc))
|
---|
329 | {
|
---|
330 | pThis->u32Magic = RTCRX509CERTPATHSINT_MAGIC;
|
---|
331 | pThis->cRefs = 1;
|
---|
332 | pThis->pTarget = pTarget;
|
---|
333 | pThis->hTrustedStore = NIL_RTCRSTORE;
|
---|
334 | pThis->hUntrustedStore = NIL_RTCRSTORE;
|
---|
335 | pThis->cInitialExplicitPolicy = UINT32_MAX;
|
---|
336 | pThis->cInitialPolicyMappingInhibit = UINT32_MAX;
|
---|
337 | pThis->cInitialInhibitAnyPolicy = UINT32_MAX;
|
---|
338 | pThis->rc = VINF_SUCCESS;
|
---|
339 | RTListInit(&pThis->LeafList);
|
---|
340 | *phCertPaths = pThis;
|
---|
341 | return VINF_SUCCESS;
|
---|
342 | }
|
---|
343 | return rc;
|
---|
344 | }
|
---|
345 | return VERR_NO_MEMORY;
|
---|
346 | }
|
---|
347 |
|
---|
348 |
|
---|
349 | RTDECL(uint32_t) RTCrX509CertPathsRetain(RTCRX509CERTPATHS hCertPaths)
|
---|
350 | {
|
---|
351 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
352 | AssertPtrReturn(pThis, UINT32_MAX);
|
---|
353 |
|
---|
354 | uint32_t cRefs = ASMAtomicIncU32(&pThis->cRefs);
|
---|
355 | Assert(cRefs > 0 && cRefs < 64);
|
---|
356 | return cRefs;
|
---|
357 | }
|
---|
358 |
|
---|
359 |
|
---|
360 | RTDECL(uint32_t) RTCrX509CertPathsRelease(RTCRX509CERTPATHS hCertPaths)
|
---|
361 | {
|
---|
362 | uint32_t cRefs;
|
---|
363 | if (hCertPaths != NIL_RTCRX509CERTPATHS)
|
---|
364 | {
|
---|
365 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
366 | AssertPtrReturn(pThis, UINT32_MAX);
|
---|
367 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, UINT32_MAX);
|
---|
368 |
|
---|
369 | cRefs = ASMAtomicDecU32(&pThis->cRefs);
|
---|
370 | Assert(cRefs < 64);
|
---|
371 | if (!cRefs)
|
---|
372 | {
|
---|
373 | /*
|
---|
374 | * No more references, destroy the whole thing.
|
---|
375 | */
|
---|
376 | ASMAtomicWriteU32(&pThis->u32Magic, ~RTCRX509CERTPATHSINT_MAGIC);
|
---|
377 |
|
---|
378 | /* config */
|
---|
379 | pThis->pTarget = NULL; /* Referencing user memory. */
|
---|
380 | pThis->pTrustedCert = NULL; /* Referencing user memory. */
|
---|
381 | RTCrStoreRelease(pThis->hTrustedStore);
|
---|
382 | pThis->hTrustedStore = NIL_RTCRSTORE;
|
---|
383 | RTCrStoreRelease(pThis->hUntrustedStore);
|
---|
384 | pThis->hUntrustedStore = NIL_RTCRSTORE;
|
---|
385 | pThis->paUntrustedCerts = NULL; /* Referencing user memory. */
|
---|
386 | pThis->pUntrustedCertsSet = NULL; /* Referencing user memory. */
|
---|
387 | pThis->papInitialUserPolicySet = NULL; /* Referencing user memory. */
|
---|
388 | pThis->pInitialPermittedSubtrees = NULL; /* Referencing user memory. */
|
---|
389 | pThis->pInitialExcludedSubtrees = NULL; /* Referencing user memory. */
|
---|
390 |
|
---|
391 | /* builder */
|
---|
392 | rtCrX509CertPathsDestroyTree(pThis);
|
---|
393 |
|
---|
394 | /* validator */
|
---|
395 | rtCrX509CpvCleanup(pThis);
|
---|
396 |
|
---|
397 | /* misc */
|
---|
398 | RTAsn1VtDelete(&pThis->AnyPolicyObjId.Asn1Core);
|
---|
399 |
|
---|
400 | /* Finally, the instance itself. */
|
---|
401 | RTMemFree(pThis);
|
---|
402 | }
|
---|
403 | }
|
---|
404 | else
|
---|
405 | cRefs = 0;
|
---|
406 | return cRefs;
|
---|
407 | }
|
---|
408 |
|
---|
409 |
|
---|
410 |
|
---|
411 | RTDECL(int) RTCrX509CertPathsSetTrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hTrustedStore)
|
---|
412 | {
|
---|
413 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
414 | AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
|
---|
415 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
|
---|
416 | AssertReturn(pThis->pRoot == NULL, VERR_WRONG_ORDER);
|
---|
417 |
|
---|
418 | if (pThis->hTrustedStore != NIL_RTCRSTORE)
|
---|
419 | {
|
---|
420 | RTCrStoreRelease(pThis->hTrustedStore);
|
---|
421 | pThis->hTrustedStore = NIL_RTCRSTORE;
|
---|
422 | }
|
---|
423 | if (hTrustedStore != NIL_RTCRSTORE)
|
---|
424 | {
|
---|
425 | AssertReturn(RTCrStoreRetain(hTrustedStore) != UINT32_MAX, VERR_INVALID_HANDLE);
|
---|
426 | pThis->hTrustedStore = hTrustedStore;
|
---|
427 | }
|
---|
428 | return VINF_SUCCESS;
|
---|
429 | }
|
---|
430 |
|
---|
431 |
|
---|
432 | RTDECL(int) RTCrX509CertPathsSetUntrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hUntrustedStore)
|
---|
433 | {
|
---|
434 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
435 | AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
|
---|
436 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
|
---|
437 | AssertReturn(pThis->pRoot == NULL, VERR_WRONG_ORDER);
|
---|
438 |
|
---|
439 | if (pThis->hUntrustedStore != NIL_RTCRSTORE)
|
---|
440 | {
|
---|
441 | RTCrStoreRelease(pThis->hUntrustedStore);
|
---|
442 | pThis->hUntrustedStore = NIL_RTCRSTORE;
|
---|
443 | }
|
---|
444 | if (hUntrustedStore != NIL_RTCRSTORE)
|
---|
445 | {
|
---|
446 | AssertReturn(RTCrStoreRetain(hUntrustedStore) != UINT32_MAX, VERR_INVALID_HANDLE);
|
---|
447 | pThis->hUntrustedStore = hUntrustedStore;
|
---|
448 | }
|
---|
449 | return VINF_SUCCESS;
|
---|
450 | }
|
---|
451 |
|
---|
452 |
|
---|
453 | RTDECL(int) RTCrX509CertPathsSetUntrustedArray(RTCRX509CERTPATHS hCertPaths, PCRTCRX509CERTIFICATE paCerts, uint32_t cCerts)
|
---|
454 | {
|
---|
455 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
456 | AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
|
---|
457 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
|
---|
458 |
|
---|
459 | pThis->paUntrustedCerts = paCerts;
|
---|
460 | pThis->cUntrustedCerts = cCerts;
|
---|
461 | return VINF_SUCCESS;
|
---|
462 | }
|
---|
463 |
|
---|
464 |
|
---|
465 | RTDECL(int) RTCrX509CertPathsSetUntrustedSet(RTCRX509CERTPATHS hCertPaths, PCRTCRPKCS7SETOFCERTS pSetOfCerts)
|
---|
466 | {
|
---|
467 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
468 | AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
|
---|
469 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
|
---|
470 |
|
---|
471 | pThis->pUntrustedCertsSet = pSetOfCerts;
|
---|
472 | return VINF_SUCCESS;
|
---|
473 | }
|
---|
474 |
|
---|
475 |
|
---|
476 | RTDECL(int) RTCrX509CertPathsSetValidTime(RTCRX509CERTPATHS hCertPaths, PCRTTIME pTime)
|
---|
477 | {
|
---|
478 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
479 | AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
|
---|
480 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
|
---|
481 |
|
---|
482 | /* Allow this after building paths, as it's only used during verification. */
|
---|
483 |
|
---|
484 | if (pTime)
|
---|
485 | {
|
---|
486 | if (RTTimeImplode(&pThis->ValidTime, pTime))
|
---|
487 | return VERR_INVALID_PARAMETER;
|
---|
488 | pThis->fFlags |= RTCRX509CERTPATHSINT_F_VALID_TIME;
|
---|
489 | }
|
---|
490 | else
|
---|
491 | pThis->fFlags &= ~RTCRX509CERTPATHSINT_F_VALID_TIME;
|
---|
492 | return VINF_SUCCESS;
|
---|
493 | }
|
---|
494 |
|
---|
495 |
|
---|
496 | RTDECL(int) RTCrX509CertPathsSetValidTimeSpec(RTCRX509CERTPATHS hCertPaths, PCRTTIMESPEC pTimeSpec)
|
---|
497 | {
|
---|
498 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
499 | AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
|
---|
500 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
|
---|
501 |
|
---|
502 | /* Allow this after building paths, as it's only used during verification. */
|
---|
503 |
|
---|
504 | if (pTimeSpec)
|
---|
505 | {
|
---|
506 | pThis->ValidTime = *pTimeSpec;
|
---|
507 | pThis->fFlags |= RTCRX509CERTPATHSINT_F_VALID_TIME;
|
---|
508 | }
|
---|
509 | else
|
---|
510 | pThis->fFlags &= ~RTCRX509CERTPATHSINT_F_VALID_TIME;
|
---|
511 | return VINF_SUCCESS;
|
---|
512 | }
|
---|
513 |
|
---|
514 |
|
---|
515 | RTDECL(int) RTCrX509CertPathsSetTrustAnchorChecks(RTCRX509CERTPATHS hCertPaths, bool fEnable)
|
---|
516 | {
|
---|
517 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
518 | AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
|
---|
519 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
|
---|
520 |
|
---|
521 | if (fEnable)
|
---|
522 | pThis->fFlags |= RTCRX509CERTPATHSINT_F_CHECK_TRUST_ANCHOR;
|
---|
523 | else
|
---|
524 | pThis->fFlags &= ~RTCRX509CERTPATHSINT_F_CHECK_TRUST_ANCHOR;
|
---|
525 | return VINF_SUCCESS;
|
---|
526 | }
|
---|
527 |
|
---|
528 |
|
---|
529 | RTDECL(int) RTCrX509CertPathsCreateEx(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget, RTCRSTORE hTrustedStore,
|
---|
530 | RTCRSTORE hUntrustedStore, PCRTCRX509CERTIFICATE paUntrustedCerts, uint32_t cUntrustedCerts,
|
---|
531 | PCRTTIMESPEC pValidTime)
|
---|
532 | {
|
---|
533 | int rc = RTCrX509CertPathsCreate(phCertPaths, pTarget);
|
---|
534 | if (RT_SUCCESS(rc))
|
---|
535 | {
|
---|
536 | PRTCRX509CERTPATHSINT pThis = *phCertPaths;
|
---|
537 |
|
---|
538 | rc = RTCrX509CertPathsSetTrustedStore(pThis, hTrustedStore);
|
---|
539 | if (RT_SUCCESS(rc))
|
---|
540 | {
|
---|
541 | rc = RTCrX509CertPathsSetUntrustedStore(pThis, hUntrustedStore);
|
---|
542 | if (RT_SUCCESS(rc))
|
---|
543 | {
|
---|
544 | rc = RTCrX509CertPathsSetUntrustedArray(pThis, paUntrustedCerts, cUntrustedCerts);
|
---|
545 | if (RT_SUCCESS(rc))
|
---|
546 | {
|
---|
547 | rc = RTCrX509CertPathsSetValidTimeSpec(pThis, pValidTime);
|
---|
548 | if (RT_SUCCESS(rc))
|
---|
549 | {
|
---|
550 | return VINF_SUCCESS;
|
---|
551 | }
|
---|
552 | }
|
---|
553 | RTCrStoreRelease(pThis->hUntrustedStore);
|
---|
554 | }
|
---|
555 | RTCrStoreRelease(pThis->hTrustedStore);
|
---|
556 | }
|
---|
557 | RTMemFree(pThis);
|
---|
558 | *phCertPaths = NIL_RTCRX509CERTPATHS;
|
---|
559 | }
|
---|
560 | return rc;
|
---|
561 | }
|
---|
562 |
|
---|
563 | /** @} */
|
---|
564 |
|
---|
565 |
|
---|
566 |
|
---|
567 | /** @name Path Builder and Validator Common Utility Functions.
|
---|
568 | * @{
|
---|
569 | */
|
---|
570 |
|
---|
571 | /**
|
---|
572 | * Checks if the certificate is self-issued.
|
---|
573 | *
|
---|
574 | * @returns true / false.
|
---|
575 | * @param pNode The path node to check..
|
---|
576 | */
|
---|
577 | static bool rtCrX509CertPathsIsSelfIssued(PRTCRX509CERTPATHNODE pNode)
|
---|
578 | {
|
---|
579 | return pNode->pCert
|
---|
580 | && RTCrX509Name_MatchByRfc5280(&pNode->pCert->TbsCertificate.Subject, &pNode->pCert->TbsCertificate.Issuer);
|
---|
581 | }
|
---|
582 |
|
---|
583 | /**
|
---|
584 | * Helper for checking whether a certificate is in the trusted store or not.
|
---|
585 | */
|
---|
586 | static bool rtCrX509CertPathsIsCertInStore(PRTCRX509CERTPATHNODE pNode, RTCRSTORE hStore)
|
---|
587 | {
|
---|
588 | bool fRc = false;
|
---|
589 | PCRTCRCERTCTX pCertCtx = RTCrStoreCertByIssuerAndSerialNo(hStore, &pNode->pCert->TbsCertificate.Issuer,
|
---|
590 | &pNode->pCert->TbsCertificate.SerialNumber);
|
---|
591 | if (pCertCtx)
|
---|
592 | {
|
---|
593 | if (pCertCtx->pCert)
|
---|
594 | fRc = RTCrX509Certificate_Compare(pCertCtx->pCert, pNode->pCert) == 0;
|
---|
595 | RTCrCertCtxRelease(pCertCtx);
|
---|
596 | }
|
---|
597 | return fRc;
|
---|
598 | }
|
---|
599 |
|
---|
600 | /** @} */
|
---|
601 |
|
---|
602 |
|
---|
603 |
|
---|
604 | /** @name Path Builder Functions.
|
---|
605 | * @{
|
---|
606 | */
|
---|
607 |
|
---|
608 | static PRTCRX509CERTPATHNODE rtCrX509CertPathsNewNode(PRTCRX509CERTPATHSINT pThis)
|
---|
609 | {
|
---|
610 | PRTCRX509CERTPATHNODE pNode = (PRTCRX509CERTPATHNODE)RTMemAllocZ(sizeof(*pNode));
|
---|
611 | if (RT_LIKELY(pNode))
|
---|
612 | {
|
---|
613 | RTListInit(&pNode->SiblingEntry);
|
---|
614 | RTListInit(&pNode->ChildListOrLeafEntry);
|
---|
615 | pNode->rcVerify = VERR_CR_X509_NOT_VERIFIED;
|
---|
616 |
|
---|
617 | return pNode;
|
---|
618 | }
|
---|
619 |
|
---|
620 | pThis->rc = RTErrInfoSet(pThis->pErrInfo, VERR_NO_MEMORY, "No memory for path node");
|
---|
621 | return NULL;
|
---|
622 | }
|
---|
623 |
|
---|
624 |
|
---|
625 | static void rtCrX509CertPathsDestroyNode(PRTCRX509CERTPATHNODE pNode)
|
---|
626 | {
|
---|
627 | if (pNode->pCertCtx)
|
---|
628 | {
|
---|
629 | RTCrCertCtxRelease(pNode->pCertCtx);
|
---|
630 | pNode->pCertCtx = NULL;
|
---|
631 | }
|
---|
632 | RT_ZERO(*pNode);
|
---|
633 | RTMemFree(pNode);
|
---|
634 | }
|
---|
635 |
|
---|
636 |
|
---|
637 | static void rtCrX509CertPathsAddIssuer(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pParent,
|
---|
638 | PCRTCRX509CERTIFICATE pCert, PCRTCRCERTCTX pCertCtx, uint8_t uSrc)
|
---|
639 | {
|
---|
640 | /*
|
---|
641 | * Check if we've seen this certificate already in the current path or
|
---|
642 | * among the already gathered issuers.
|
---|
643 | */
|
---|
644 | if (pCert)
|
---|
645 | {
|
---|
646 | /* No duplicate certificates in the path. */
|
---|
647 | PRTCRX509CERTPATHNODE pTmpNode = pParent;
|
---|
648 | while (pTmpNode)
|
---|
649 | {
|
---|
650 | Assert(pTmpNode->pCert);
|
---|
651 | if ( pTmpNode->pCert == pCert
|
---|
652 | || RTCrX509Certificate_Compare(pTmpNode->pCert, pCert) == 0)
|
---|
653 | {
|
---|
654 | /* If target and the source it trusted, upgrade the source so we can successfully verify single node 'paths'. */
|
---|
655 | if ( RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(uSrc)
|
---|
656 | && pTmpNode == pParent
|
---|
657 | && pTmpNode->uSrc == RTCRX509CERTPATHNODE_SRC_TARGET)
|
---|
658 | {
|
---|
659 | AssertReturnVoid(!pTmpNode->pParent);
|
---|
660 | pTmpNode->uSrc = uSrc;
|
---|
661 | }
|
---|
662 | return;
|
---|
663 | }
|
---|
664 | pTmpNode = pTmpNode->pParent;
|
---|
665 | }
|
---|
666 |
|
---|
667 | /* No duplicate tree branches. */
|
---|
668 | RTListForEach(&pParent->ChildListOrLeafEntry, pTmpNode, RTCRX509CERTPATHNODE, SiblingEntry)
|
---|
669 | {
|
---|
670 | if (RTCrX509Certificate_Compare(pTmpNode->pCert, pCert) == 0)
|
---|
671 | return;
|
---|
672 | }
|
---|
673 | }
|
---|
674 | else
|
---|
675 | Assert(pCertCtx);
|
---|
676 |
|
---|
677 | /*
|
---|
678 | * Reference the context core before making the allocation.
|
---|
679 | */
|
---|
680 | if (pCertCtx)
|
---|
681 | AssertReturnVoidStmt(RTCrCertCtxRetain(pCertCtx) != UINT32_MAX,
|
---|
682 | pThis->rc = RTErrInfoSetF(pThis->pErrInfo, VERR_CR_X509_CPB_BAD_CERT_CTX,
|
---|
683 | "Bad pCertCtx=%p", pCertCtx));
|
---|
684 |
|
---|
685 | /*
|
---|
686 | * We haven't see it, append it as a child.
|
---|
687 | */
|
---|
688 | PRTCRX509CERTPATHNODE pNew = rtCrX509CertPathsNewNode(pThis);
|
---|
689 | if (pNew)
|
---|
690 | {
|
---|
691 | pNew->pParent = pParent;
|
---|
692 | pNew->pCert = pCert;
|
---|
693 | pNew->pCertCtx = pCertCtx;
|
---|
694 | pNew->uSrc = uSrc;
|
---|
695 | pNew->uDepth = pParent->uDepth + 1;
|
---|
696 | RTListAppend(&pParent->ChildListOrLeafEntry, &pNew->SiblingEntry);
|
---|
697 | Log2Func(("pNew=%p uSrc=%u uDepth=%u\n", pNew, uSrc, pNew->uDepth));
|
---|
698 | }
|
---|
699 | else
|
---|
700 | RTCrCertCtxRelease(pCertCtx);
|
---|
701 | }
|
---|
702 |
|
---|
703 |
|
---|
704 | static void rtCrX509CertPathsGetIssuersFromStore(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode,
|
---|
705 | PCRTCRX509NAME pIssuer, RTCRSTORE hStore, uint8_t uSrc)
|
---|
706 | {
|
---|
707 | RTCRSTORECERTSEARCH Search;
|
---|
708 | int rc = RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280(hStore, pIssuer, &Search);
|
---|
709 | if (RT_SUCCESS(rc))
|
---|
710 | {
|
---|
711 | PCRTCRCERTCTX pCertCtx;
|
---|
712 | while ((pCertCtx = RTCrStoreCertSearchNext(hStore, &Search)) != NULL)
|
---|
713 | {
|
---|
714 | if ( pCertCtx->pCert
|
---|
715 | || ( RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(uSrc)
|
---|
716 | && pCertCtx->pTaInfo) )
|
---|
717 | rtCrX509CertPathsAddIssuer(pThis, pNode, pCertCtx->pCert, pCertCtx, uSrc);
|
---|
718 | RTCrCertCtxRelease(pCertCtx);
|
---|
719 | }
|
---|
720 | RTCrStoreCertSearchDestroy(hStore, &Search);
|
---|
721 | }
|
---|
722 | }
|
---|
723 |
|
---|
724 |
|
---|
725 | static void rtCrX509CertPathsGetIssuers(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
|
---|
726 | {
|
---|
727 | Assert(RTListIsEmpty(&pNode->ChildListOrLeafEntry));
|
---|
728 | Assert(!pNode->fLeaf);
|
---|
729 | Assert(pNode->pCert);
|
---|
730 |
|
---|
731 | /*
|
---|
732 | * Don't recurse infintely.
|
---|
733 | */
|
---|
734 | if (RT_UNLIKELY(pNode->uDepth >= 50))
|
---|
735 | return;
|
---|
736 |
|
---|
737 | PCRTCRX509NAME const pIssuer = &pNode->pCert->TbsCertificate.Issuer;
|
---|
738 | #if defined(LOG_ENABLED) && defined(IN_RING3)
|
---|
739 | if (LogIs2Enabled())
|
---|
740 | {
|
---|
741 | char szIssuer[128] = {0};
|
---|
742 | RTCrX509Name_FormatAsString(pIssuer, szIssuer, sizeof(szIssuer), NULL);
|
---|
743 | char szSubject[128] = {0};
|
---|
744 | RTCrX509Name_FormatAsString(&pNode->pCert->TbsCertificate.Subject, szSubject, sizeof(szSubject), NULL);
|
---|
745 | Log2Func(("pNode=%p uSrc=%u uDepth=%u Issuer='%s' (Subject='%s')\n", pNode, pNode->uSrc, pNode->uDepth, szIssuer, szSubject));
|
---|
746 | }
|
---|
747 | #endif
|
---|
748 |
|
---|
749 | /*
|
---|
750 | * Trusted certificate.
|
---|
751 | */
|
---|
752 | if ( pThis->pTrustedCert
|
---|
753 | && RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(pThis->pTrustedCert, pIssuer))
|
---|
754 | rtCrX509CertPathsAddIssuer(pThis, pNode, pThis->pTrustedCert, NULL, RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT);
|
---|
755 |
|
---|
756 | /*
|
---|
757 | * Trusted certificate store.
|
---|
758 | */
|
---|
759 | if (pThis->hTrustedStore != NIL_RTCRSTORE)
|
---|
760 | rtCrX509CertPathsGetIssuersFromStore(pThis, pNode, pIssuer, pThis->hTrustedStore,
|
---|
761 | RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE);
|
---|
762 |
|
---|
763 | /*
|
---|
764 | * Untrusted store.
|
---|
765 | */
|
---|
766 | if (pThis->hUntrustedStore != NIL_RTCRSTORE)
|
---|
767 | rtCrX509CertPathsGetIssuersFromStore(pThis, pNode, pIssuer, pThis->hTrustedStore,
|
---|
768 | RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE);
|
---|
769 |
|
---|
770 | /*
|
---|
771 | * Untrusted array.
|
---|
772 | */
|
---|
773 | if (pThis->paUntrustedCerts)
|
---|
774 | for (uint32_t i = 0; i < pThis->cUntrustedCerts; i++)
|
---|
775 | if (RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(&pThis->paUntrustedCerts[i], pIssuer))
|
---|
776 | rtCrX509CertPathsAddIssuer(pThis, pNode, &pThis->paUntrustedCerts[i], NULL,
|
---|
777 | RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY);
|
---|
778 |
|
---|
779 | /** @todo Rainy day: Should abstract the untrusted array and set so we don't get
|
---|
780 | * unnecessary PKCS7/CMS header dependencies. */
|
---|
781 |
|
---|
782 | /*
|
---|
783 | * Untrusted set.
|
---|
784 | */
|
---|
785 | if (pThis->pUntrustedCertsSet)
|
---|
786 | {
|
---|
787 | uint32_t const cCerts = pThis->pUntrustedCertsSet->cItems;
|
---|
788 | PRTCRPKCS7CERT const *papCerts = pThis->pUntrustedCertsSet->papItems;
|
---|
789 | for (uint32_t i = 0; i < cCerts; i++)
|
---|
790 | {
|
---|
791 | PCRTCRPKCS7CERT pCert = papCerts[i];
|
---|
792 | if ( pCert->enmChoice == RTCRPKCS7CERTCHOICE_X509
|
---|
793 | && RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(pCert->u.pX509Cert, pIssuer))
|
---|
794 | rtCrX509CertPathsAddIssuer(pThis, pNode, pCert->u.pX509Cert, NULL, RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET);
|
---|
795 | }
|
---|
796 | }
|
---|
797 | }
|
---|
798 |
|
---|
799 |
|
---|
800 | static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetNextRightUp(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
|
---|
801 | {
|
---|
802 | for (;;)
|
---|
803 | {
|
---|
804 | /* The root node has no siblings. */
|
---|
805 | PRTCRX509CERTPATHNODE pParent = pNode->pParent;
|
---|
806 | if (!pNode->pParent)
|
---|
807 | return NULL;
|
---|
808 |
|
---|
809 | /* Try go to the right. */
|
---|
810 | PRTCRX509CERTPATHNODE pNext = RTListGetNext(&pParent->ChildListOrLeafEntry, pNode, RTCRX509CERTPATHNODE, SiblingEntry);
|
---|
811 | if (pNext)
|
---|
812 | return pNext;
|
---|
813 |
|
---|
814 | /* Up. */
|
---|
815 | pNode = pParent;
|
---|
816 | }
|
---|
817 |
|
---|
818 | RT_NOREF_PV(pThis);
|
---|
819 | }
|
---|
820 |
|
---|
821 |
|
---|
822 | static PRTCRX509CERTPATHNODE rtCrX509CertPathsEliminatePath(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
|
---|
823 | {
|
---|
824 | for (;;)
|
---|
825 | {
|
---|
826 | Assert(RTListIsEmpty(&pNode->ChildListOrLeafEntry));
|
---|
827 |
|
---|
828 | /* Don't remove the root node. */
|
---|
829 | PRTCRX509CERTPATHNODE pParent = pNode->pParent;
|
---|
830 | if (!pParent)
|
---|
831 | return NULL;
|
---|
832 |
|
---|
833 | /* Before removing and deleting the node check if there is sibling
|
---|
834 | right to it that we should continue processing from. */
|
---|
835 | PRTCRX509CERTPATHNODE pNext = RTListGetNext(&pParent->ChildListOrLeafEntry, pNode, RTCRX509CERTPATHNODE, SiblingEntry);
|
---|
836 | RTListNodeRemove(&pNode->SiblingEntry);
|
---|
837 | rtCrX509CertPathsDestroyNode(pNode);
|
---|
838 |
|
---|
839 | if (pNext)
|
---|
840 | return pNext;
|
---|
841 |
|
---|
842 | /* If the parent node cannot be removed, do a normal get-next-rigth-up
|
---|
843 | to find the continuation point for the tree loop. */
|
---|
844 | if (!RTListIsEmpty(&pParent->ChildListOrLeafEntry))
|
---|
845 | return rtCrX509CertPathsGetNextRightUp(pThis, pParent);
|
---|
846 |
|
---|
847 | pNode = pParent;
|
---|
848 | }
|
---|
849 | }
|
---|
850 |
|
---|
851 |
|
---|
852 | /**
|
---|
853 | * Destroys the whole path tree.
|
---|
854 | *
|
---|
855 | * @param pThis The path builder and verifier instance.
|
---|
856 | */
|
---|
857 | static void rtCrX509CertPathsDestroyTree(PRTCRX509CERTPATHSINT pThis)
|
---|
858 | {
|
---|
859 | PRTCRX509CERTPATHNODE pNode, pNextLeaf;
|
---|
860 | RTListForEachSafe(&pThis->LeafList, pNode, pNextLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
|
---|
861 | {
|
---|
862 | RTListNodeRemove(&pNode->ChildListOrLeafEntry);
|
---|
863 | RTListInit(&pNode->ChildListOrLeafEntry);
|
---|
864 |
|
---|
865 | for (;;)
|
---|
866 | {
|
---|
867 | PRTCRX509CERTPATHNODE pParent = pNode->pParent;
|
---|
868 |
|
---|
869 | RTListNodeRemove(&pNode->SiblingEntry);
|
---|
870 | rtCrX509CertPathsDestroyNode(pNode);
|
---|
871 |
|
---|
872 | if (!pParent)
|
---|
873 | {
|
---|
874 | pThis->pRoot = NULL;
|
---|
875 | break;
|
---|
876 | }
|
---|
877 |
|
---|
878 | if (!RTListIsEmpty(&pParent->ChildListOrLeafEntry))
|
---|
879 | break;
|
---|
880 |
|
---|
881 | pNode = pParent;
|
---|
882 | }
|
---|
883 | }
|
---|
884 | Assert(!pThis->pRoot);
|
---|
885 | }
|
---|
886 |
|
---|
887 |
|
---|
888 | /**
|
---|
889 | * Adds a leaf node.
|
---|
890 | *
|
---|
891 | * This should normally be a trusted certificate, but the caller can also
|
---|
892 | * request the incomplete paths, in which case this will be an untrusted
|
---|
893 | * certificate.
|
---|
894 | *
|
---|
895 | * @returns Pointer to the next node in the tree to process.
|
---|
896 | * @param pThis The path builder instance.
|
---|
897 | * @param pNode The leaf node.
|
---|
898 | */
|
---|
899 | static PRTCRX509CERTPATHNODE rtCrX509CertPathsAddLeaf(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
|
---|
900 | {
|
---|
901 | pNode->fLeaf = true;
|
---|
902 |
|
---|
903 | /*
|
---|
904 | * Priority insert by source and depth.
|
---|
905 | */
|
---|
906 | PRTCRX509CERTPATHNODE pCurLeaf;
|
---|
907 | RTListForEach(&pThis->LeafList, pCurLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
|
---|
908 | {
|
---|
909 | if ( pNode->uSrc > pCurLeaf->uSrc
|
---|
910 | || ( pNode->uSrc == pCurLeaf->uSrc
|
---|
911 | && pNode->uDepth < pCurLeaf->uDepth) )
|
---|
912 | {
|
---|
913 | RTListNodeInsertBefore(&pCurLeaf->ChildListOrLeafEntry, &pNode->ChildListOrLeafEntry);
|
---|
914 | pThis->cPaths++;
|
---|
915 | return rtCrX509CertPathsGetNextRightUp(pThis, pNode);
|
---|
916 | }
|
---|
917 | }
|
---|
918 |
|
---|
919 | RTListAppend(&pThis->LeafList, &pNode->ChildListOrLeafEntry);
|
---|
920 | pThis->cPaths++;
|
---|
921 | return rtCrX509CertPathsGetNextRightUp(pThis, pNode);
|
---|
922 | }
|
---|
923 |
|
---|
924 |
|
---|
925 |
|
---|
926 | RTDECL(int) RTCrX509CertPathsBuild(RTCRX509CERTPATHS hCertPaths, PRTERRINFO pErrInfo)
|
---|
927 | {
|
---|
928 | /*
|
---|
929 | * Validate the input.
|
---|
930 | */
|
---|
931 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
932 | AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
|
---|
933 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
|
---|
934 | AssertReturn(!(pThis->fFlags & ~RTCRX509CERTPATHSINT_F_VALID_MASK), VERR_INVALID_PARAMETER);
|
---|
935 | AssertReturn( (pThis->paUntrustedCerts == NULL && pThis->cUntrustedCerts == 0)
|
---|
936 | || (pThis->paUntrustedCerts != NULL && pThis->cUntrustedCerts > 0),
|
---|
937 | VERR_INVALID_PARAMETER);
|
---|
938 | AssertReturn(RTListIsEmpty(&pThis->LeafList), VERR_INVALID_PARAMETER);
|
---|
939 | AssertReturn(pThis->pRoot == NULL, VERR_INVALID_PARAMETER);
|
---|
940 | AssertReturn(pThis->rc == VINF_SUCCESS, pThis->rc);
|
---|
941 | AssertPtrReturn(pThis->pTarget, VERR_INVALID_PARAMETER);
|
---|
942 | Assert(RT_SUCCESS(RTCrX509Certificate_CheckSanity(pThis->pTarget, 0, NULL, NULL)));
|
---|
943 |
|
---|
944 | /*
|
---|
945 | * Set up the target.
|
---|
946 | */
|
---|
947 | PRTCRX509CERTPATHNODE pCur;
|
---|
948 | pThis->pRoot = pCur = rtCrX509CertPathsNewNode(pThis);
|
---|
949 | if (pThis->pRoot)
|
---|
950 | {
|
---|
951 | pCur->pCert = pThis->pTarget;
|
---|
952 | pCur->uDepth = 0;
|
---|
953 | pCur->uSrc = RTCRX509CERTPATHNODE_SRC_TARGET;
|
---|
954 |
|
---|
955 | /* Check if the target is trusted and do the upgrade (this is outside the RFC,
|
---|
956 | but this simplifies the path validator usage a lot (less work for the caller)). */
|
---|
957 | if ( pThis->pTrustedCert
|
---|
958 | && RTCrX509Certificate_Compare(pThis->pTrustedCert, pCur->pCert) == 0)
|
---|
959 | pCur->uSrc = RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT;
|
---|
960 | else if ( pThis->hTrustedStore != NIL_RTCRSTORE
|
---|
961 | && rtCrX509CertPathsIsCertInStore(pCur, pThis->hTrustedStore))
|
---|
962 | pCur->uSrc = RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE;
|
---|
963 |
|
---|
964 | pThis->pErrInfo = pErrInfo;
|
---|
965 |
|
---|
966 | /*
|
---|
967 | * The tree construction loop.
|
---|
968 | * Walks down, up, and right as the tree is constructed.
|
---|
969 | */
|
---|
970 | do
|
---|
971 | {
|
---|
972 | /*
|
---|
973 | * Check for the two leaf cases first.
|
---|
974 | */
|
---|
975 | if (RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCur->uSrc))
|
---|
976 | pCur = rtCrX509CertPathsAddLeaf(pThis, pCur);
|
---|
977 | #if 0 /* This isn't right.*/
|
---|
978 | else if (rtCrX509CertPathsIsSelfIssued(pCur))
|
---|
979 | {
|
---|
980 | if (pThis->fFlags & RTCRX509CERTPATHSINT_F_ELIMINATE_UNTRUSTED_PATHS)
|
---|
981 | pCur = rtCrX509CertPathsEliminatePath(pThis, pCur);
|
---|
982 | else
|
---|
983 | pCur = rtCrX509CertPathsAddLeaf(pThis, pCur);
|
---|
984 | }
|
---|
985 | #endif
|
---|
986 | /*
|
---|
987 | * Not a leaf, find all potential issuers and decend into these.
|
---|
988 | */
|
---|
989 | else
|
---|
990 | {
|
---|
991 | rtCrX509CertPathsGetIssuers(pThis, pCur);
|
---|
992 | if (RT_FAILURE(pThis->rc))
|
---|
993 | break;
|
---|
994 |
|
---|
995 | if (!RTListIsEmpty(&pCur->ChildListOrLeafEntry))
|
---|
996 | pCur = RTListGetFirst(&pCur->ChildListOrLeafEntry, RTCRX509CERTPATHNODE, SiblingEntry);
|
---|
997 | else if (pThis->fFlags & RTCRX509CERTPATHSINT_F_ELIMINATE_UNTRUSTED_PATHS)
|
---|
998 | pCur = rtCrX509CertPathsEliminatePath(pThis, pCur);
|
---|
999 | else
|
---|
1000 | pCur = rtCrX509CertPathsAddLeaf(pThis, pCur);
|
---|
1001 | }
|
---|
1002 | if (pCur)
|
---|
1003 | Log2(("RTCrX509CertPathsBuild: pCur=%p fLeaf=%d pParent=%p pNext=%p pPrev=%p\n",
|
---|
1004 | pCur, pCur->fLeaf, pCur->pParent,
|
---|
1005 | pCur->pParent ? RTListGetNext(&pCur->pParent->ChildListOrLeafEntry, pCur, RTCRX509CERTPATHNODE, SiblingEntry) : NULL,
|
---|
1006 | pCur->pParent ? RTListGetPrev(&pCur->pParent->ChildListOrLeafEntry, pCur, RTCRX509CERTPATHNODE, SiblingEntry) : NULL));
|
---|
1007 | } while (pCur);
|
---|
1008 |
|
---|
1009 | pThis->pErrInfo = NULL;
|
---|
1010 | if (RT_SUCCESS(pThis->rc))
|
---|
1011 | return VINF_SUCCESS;
|
---|
1012 | }
|
---|
1013 | else
|
---|
1014 | Assert(RT_FAILURE_NP(pThis->rc));
|
---|
1015 | return pThis->rc;
|
---|
1016 | }
|
---|
1017 |
|
---|
1018 |
|
---|
1019 | /**
|
---|
1020 | * Looks up path by leaf/path index.
|
---|
1021 | *
|
---|
1022 | * @returns Pointer to the leaf node of the path.
|
---|
1023 | * @param pThis The path builder & validator instance.
|
---|
1024 | * @param iPath The oridnal of the path to get.
|
---|
1025 | */
|
---|
1026 | static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetLeafByIndex(PRTCRX509CERTPATHSINT pThis, uint32_t iPath)
|
---|
1027 | {
|
---|
1028 | Assert(iPath < pThis->cPaths);
|
---|
1029 |
|
---|
1030 | uint32_t iCurPath = 0;
|
---|
1031 | PRTCRX509CERTPATHNODE pCurLeaf;
|
---|
1032 | RTListForEach(&pThis->LeafList, pCurLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
|
---|
1033 | {
|
---|
1034 | if (iCurPath == iPath)
|
---|
1035 | return pCurLeaf;
|
---|
1036 | iCurPath++;
|
---|
1037 | }
|
---|
1038 |
|
---|
1039 | AssertFailedReturn(NULL);
|
---|
1040 | }
|
---|
1041 |
|
---|
1042 |
|
---|
1043 | static void rtDumpPrintf(PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser, const char *pszFormat, ...)
|
---|
1044 | {
|
---|
1045 | va_list va;
|
---|
1046 | va_start(va, pszFormat);
|
---|
1047 | pfnPrintfV(pvUser, pszFormat, va);
|
---|
1048 | va_end(va);
|
---|
1049 | }
|
---|
1050 |
|
---|
1051 |
|
---|
1052 | static void rtDumpIndent(PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser, uint32_t cchSpaces, const char *pszFormat, ...)
|
---|
1053 | {
|
---|
1054 | static const char s_szSpaces[] = " ";
|
---|
1055 | while (cchSpaces > 0)
|
---|
1056 | {
|
---|
1057 | uint32_t cchBurst = RT_MIN(sizeof(s_szSpaces) - 1, cchSpaces);
|
---|
1058 | rtDumpPrintf(pfnPrintfV, pvUser, &s_szSpaces[sizeof(s_szSpaces) - cchBurst - 1]);
|
---|
1059 | cchSpaces -= cchBurst;
|
---|
1060 | }
|
---|
1061 |
|
---|
1062 | va_list va;
|
---|
1063 | va_start(va, pszFormat);
|
---|
1064 | pfnPrintfV(pvUser, pszFormat, va);
|
---|
1065 | va_end(va);
|
---|
1066 | }
|
---|
1067 |
|
---|
1068 | /** @name X.500 attribute types
|
---|
1069 | * See RFC-4519 among others.
|
---|
1070 | * @{ */
|
---|
1071 | #define RTCRX500_ID_AT_OBJECT_CLASS_OID "2.5.4.0"
|
---|
1072 | #define RTCRX500_ID_AT_ALIASED_ENTRY_NAME_OID "2.5.4.1"
|
---|
1073 | #define RTCRX500_ID_AT_KNOWLDGEINFORMATION_OID "2.5.4.2"
|
---|
1074 | #define RTCRX500_ID_AT_COMMON_NAME_OID "2.5.4.3"
|
---|
1075 | #define RTCRX500_ID_AT_SURNAME_OID "2.5.4.4"
|
---|
1076 | #define RTCRX500_ID_AT_SERIAL_NUMBER_OID "2.5.4.5"
|
---|
1077 | #define RTCRX500_ID_AT_COUNTRY_NAME_OID "2.5.4.6"
|
---|
1078 | #define RTCRX500_ID_AT_LOCALITY_NAME_OID "2.5.4.7"
|
---|
1079 | #define RTCRX500_ID_AT_STATE_OR_PROVINCE_NAME_OID "2.5.4.8"
|
---|
1080 | #define RTCRX500_ID_AT_STREET_ADDRESS_OID "2.5.4.9"
|
---|
1081 | #define RTCRX500_ID_AT_ORGANIZATION_NAME_OID "2.5.4.10"
|
---|
1082 | #define RTCRX500_ID_AT_ORGANIZATION_UNIT_NAME_OID "2.5.4.11"
|
---|
1083 | #define RTCRX500_ID_AT_TITLE_OID "2.5.4.12"
|
---|
1084 | #define RTCRX500_ID_AT_DESCRIPTION_OID "2.5.4.13"
|
---|
1085 | #define RTCRX500_ID_AT_SEARCH_GUIDE_OID "2.5.4.14"
|
---|
1086 | #define RTCRX500_ID_AT_BUSINESS_CATEGORY_OID "2.5.4.15"
|
---|
1087 | #define RTCRX500_ID_AT_POSTAL_ADDRESS_OID "2.5.4.16"
|
---|
1088 | #define RTCRX500_ID_AT_POSTAL_CODE_OID "2.5.4.17"
|
---|
1089 | #define RTCRX500_ID_AT_POST_OFFICE_BOX_OID "2.5.4.18"
|
---|
1090 | #define RTCRX500_ID_AT_PHYSICAL_DELIVERY_OFFICE_NAME_OID "2.5.4.19"
|
---|
1091 | #define RTCRX500_ID_AT_TELEPHONE_NUMBER_OID "2.5.4.20"
|
---|
1092 | #define RTCRX500_ID_AT_TELEX_NUMBER_OID "2.5.4.21"
|
---|
1093 | #define RTCRX500_ID_AT_TELETEX_TERMINAL_IDENTIFIER_OID "2.5.4.22"
|
---|
1094 | #define RTCRX500_ID_AT_FACIMILE_TELEPHONE_NUMBER_OID "2.5.4.23"
|
---|
1095 | #define RTCRX500_ID_AT_X121_ADDRESS_OID "2.5.4.24"
|
---|
1096 | #define RTCRX500_ID_AT_INTERNATIONAL_ISDN_NUMBER_OID "2.5.4.25"
|
---|
1097 | #define RTCRX500_ID_AT_REGISTERED_ADDRESS_OID "2.5.4.26"
|
---|
1098 | #define RTCRX500_ID_AT_DESTINATION_INDICATOR_OID "2.5.4.27"
|
---|
1099 | #define RTCRX500_ID_AT_PREFERRED_DELIVERY_METHOD_OID "2.5.4.28"
|
---|
1100 | #define RTCRX500_ID_AT_PRESENTATION_ADDRESS_OID "2.5.4.29"
|
---|
1101 | #define RTCRX500_ID_AT_SUPPORTED_APPLICATION_CONTEXT_OID "2.5.4.30"
|
---|
1102 | #define RTCRX500_ID_AT_MEMBER_OID "2.5.4.31"
|
---|
1103 | #define RTCRX500_ID_AT_OWNER_OID "2.5.4.32"
|
---|
1104 | #define RTCRX500_ID_AT_ROLE_OCCUPANT_OID "2.5.4.33"
|
---|
1105 | #define RTCRX500_ID_AT_SEE_ALSO_OID "2.5.4.34"
|
---|
1106 | #define RTCRX500_ID_AT_USER_PASSWORD_OID "2.5.4.35"
|
---|
1107 | #define RTCRX500_ID_AT_USER_CERTIFICATE_OID "2.5.4.36"
|
---|
1108 | #define RTCRX500_ID_AT_CA_CERTIFICATE_OID "2.5.4.37"
|
---|
1109 | #define RTCRX500_ID_AT_AUTHORITY_REVOCATION_LIST_OID "2.5.4.38"
|
---|
1110 | #define RTCRX500_ID_AT_CERTIFICATE_REVOCATION_LIST_OID "2.5.4.39"
|
---|
1111 | #define RTCRX500_ID_AT_CROSS_CERTIFICATE_PAIR_OID "2.5.4.40"
|
---|
1112 | #define RTCRX500_ID_AT_NAME_OID "2.5.4.41"
|
---|
1113 | #define RTCRX500_ID_AT_GIVEN_NAME_OID "2.5.4.42"
|
---|
1114 | #define RTCRX500_ID_AT_INITIALS_OID "2.5.4.43"
|
---|
1115 | #define RTCRX500_ID_AT_GENERATION_QUALIFIER_OID "2.5.4.44"
|
---|
1116 | #define RTCRX500_ID_AT_UNIQUE_IDENTIFIER_OID "2.5.4.45"
|
---|
1117 | #define RTCRX500_ID_AT_DN_QUALIFIER_OID "2.5.4.46"
|
---|
1118 | #define RTCRX500_ID_AT_ENHANCHED_SEARCH_GUIDE_OID "2.5.4.47"
|
---|
1119 | #define RTCRX500_ID_AT_PROTOCOL_INFORMATION_OID "2.5.4.48"
|
---|
1120 | #define RTCRX500_ID_AT_DISTINGUISHED_NAME_OID "2.5.4.49"
|
---|
1121 | #define RTCRX500_ID_AT_UNIQUE_MEMBER_OID "2.5.4.50"
|
---|
1122 | #define RTCRX500_ID_AT_HOUSE_IDENTIFIER_OID "2.5.4.51"
|
---|
1123 | #define RTCRX500_ID_AT_SUPPORTED_ALGORITHMS_OID "2.5.4.52"
|
---|
1124 | #define RTCRX500_ID_AT_DELTA_REVOCATION_LIST_OID "2.5.4.53"
|
---|
1125 | #define RTCRX500_ID_AT_ATTRIBUTE_CERTIFICATE_OID "2.5.4.58"
|
---|
1126 | #define RTCRX500_ID_AT_PSEUDONYM_OID "2.5.4.65"
|
---|
1127 | /** @} */
|
---|
1128 |
|
---|
1129 |
|
---|
1130 | static void rtCrX509NameDump(PCRTCRX509NAME pName, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
|
---|
1131 | {
|
---|
1132 | for (uint32_t i = 0; i < pName->cItems; i++)
|
---|
1133 | {
|
---|
1134 | PCRTCRX509RELATIVEDISTINGUISHEDNAME const pRdn = pName->papItems[i];
|
---|
1135 | for (uint32_t j = 0; j < pRdn->cItems; j++)
|
---|
1136 | {
|
---|
1137 | PRTCRX509ATTRIBUTETYPEANDVALUE pAttrib = pRdn->papItems[j];
|
---|
1138 |
|
---|
1139 | const char *pszType = RTCrX509Name_GetShortRdn(&pAttrib->Type);
|
---|
1140 | if (!pszType)
|
---|
1141 | pszType = pAttrib->Type.szObjId;
|
---|
1142 | rtDumpPrintf(pfnPrintfV, pvUser, "/%s=", pszType);
|
---|
1143 | if (pAttrib->Value.enmType == RTASN1TYPE_STRING)
|
---|
1144 | {
|
---|
1145 | if (pAttrib->Value.u.String.pszUtf8)
|
---|
1146 | rtDumpPrintf(pfnPrintfV, pvUser, "%s", pAttrib->Value.u.String.pszUtf8);
|
---|
1147 | else
|
---|
1148 | {
|
---|
1149 | const char *pch = pAttrib->Value.u.String.Asn1Core.uData.pch;
|
---|
1150 | uint32_t cch = pAttrib->Value.u.String.Asn1Core.cb;
|
---|
1151 | int rc = RTStrValidateEncodingEx(pch, cch, 0);
|
---|
1152 | if (RT_SUCCESS(rc) && cch)
|
---|
1153 | rtDumpPrintf(pfnPrintfV, pvUser, "%.*s", (size_t)cch, pch);
|
---|
1154 | else
|
---|
1155 | while (cch > 0)
|
---|
1156 | {
|
---|
1157 | if (RT_C_IS_PRINT(*pch))
|
---|
1158 | rtDumpPrintf(pfnPrintfV, pvUser, "%c", *pch);
|
---|
1159 | else
|
---|
1160 | rtDumpPrintf(pfnPrintfV, pvUser, "\\x%02x", *pch);
|
---|
1161 | cch--;
|
---|
1162 | pch++;
|
---|
1163 | }
|
---|
1164 | }
|
---|
1165 | }
|
---|
1166 | else
|
---|
1167 | rtDumpPrintf(pfnPrintfV, pvUser, "<not-string: uTag=%#x>", pAttrib->Value.u.Core.uTag);
|
---|
1168 | }
|
---|
1169 | }
|
---|
1170 | }
|
---|
1171 |
|
---|
1172 |
|
---|
1173 | static const char *rtCrX509CertPathsNodeGetSourceName(PRTCRX509CERTPATHNODE pNode)
|
---|
1174 | {
|
---|
1175 | switch (pNode->uSrc)
|
---|
1176 | {
|
---|
1177 | case RTCRX509CERTPATHNODE_SRC_TARGET: return "target";
|
---|
1178 | case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET: return "untrusted_set";
|
---|
1179 | case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY: return "untrusted_array";
|
---|
1180 | case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE: return "untrusted_store";
|
---|
1181 | case RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE: return "trusted_store";
|
---|
1182 | case RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT: return "trusted_cert";
|
---|
1183 | default: return "invalid";
|
---|
1184 | }
|
---|
1185 | }
|
---|
1186 |
|
---|
1187 |
|
---|
1188 | static void rtCrX509CertPathsDumpOneWorker(PRTCRX509CERTPATHSINT pThis, uint32_t iPath, PRTCRX509CERTPATHNODE pCurLeaf,
|
---|
1189 | uint32_t uVerbosity, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
|
---|
1190 | {
|
---|
1191 | RT_NOREF_PV(pThis);
|
---|
1192 | rtDumpPrintf(pfnPrintfV, pvUser, "Path #%u: %s, %u deep, rcVerify=%Rrc\n",
|
---|
1193 | iPath, RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCurLeaf->uSrc) ? "trusted" : "untrusted", pCurLeaf->uDepth,
|
---|
1194 | pCurLeaf->rcVerify);
|
---|
1195 |
|
---|
1196 | for (uint32_t iIndent = 2; pCurLeaf; iIndent += 2, pCurLeaf = pCurLeaf->pParent)
|
---|
1197 | {
|
---|
1198 | if (pCurLeaf->pCert)
|
---|
1199 | {
|
---|
1200 | rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Issuer : ");
|
---|
1201 | rtCrX509NameDump(&pCurLeaf->pCert->TbsCertificate.Issuer, pfnPrintfV, pvUser);
|
---|
1202 | rtDumpPrintf(pfnPrintfV, pvUser, "\n");
|
---|
1203 |
|
---|
1204 | rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Subject: ");
|
---|
1205 | rtCrX509NameDump(&pCurLeaf->pCert->TbsCertificate.Subject, pfnPrintfV, pvUser);
|
---|
1206 | rtDumpPrintf(pfnPrintfV, pvUser, "\n");
|
---|
1207 |
|
---|
1208 | if (uVerbosity >= 4)
|
---|
1209 | RTAsn1Dump(&pCurLeaf->pCert->SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
|
---|
1210 | else if (uVerbosity >= 3)
|
---|
1211 | RTAsn1Dump(&pCurLeaf->pCert->TbsCertificate.T3.Extensions.SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
|
---|
1212 |
|
---|
1213 | rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Valid : %s thru %s\n",
|
---|
1214 | RTTimeToString(&pCurLeaf->pCert->TbsCertificate.Validity.NotBefore.Time,
|
---|
1215 | pThis->szTmp, sizeof(pThis->szTmp) / 2),
|
---|
1216 | RTTimeToString(&pCurLeaf->pCert->TbsCertificate.Validity.NotAfter.Time,
|
---|
1217 | &pThis->szTmp[sizeof(pThis->szTmp) / 2], sizeof(pThis->szTmp) / 2) );
|
---|
1218 | }
|
---|
1219 | else
|
---|
1220 | {
|
---|
1221 | Assert(pCurLeaf->pCertCtx); Assert(pCurLeaf->pCertCtx->pTaInfo);
|
---|
1222 | rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Subject: ");
|
---|
1223 | rtCrX509NameDump(&pCurLeaf->pCertCtx->pTaInfo->CertPath.TaName, pfnPrintfV, pvUser);
|
---|
1224 |
|
---|
1225 | if (uVerbosity >= 4)
|
---|
1226 | RTAsn1Dump(&pCurLeaf->pCertCtx->pTaInfo->SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
|
---|
1227 | }
|
---|
1228 |
|
---|
1229 | const char *pszSrc = rtCrX509CertPathsNodeGetSourceName(pCurLeaf);
|
---|
1230 | rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Source : %s\n", pszSrc);
|
---|
1231 | }
|
---|
1232 | }
|
---|
1233 |
|
---|
1234 |
|
---|
1235 | RTDECL(int) RTCrX509CertPathsDumpOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t uVerbosity,
|
---|
1236 | PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
|
---|
1237 | {
|
---|
1238 | /*
|
---|
1239 | * Validate the input.
|
---|
1240 | */
|
---|
1241 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
1242 | AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
|
---|
1243 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
|
---|
1244 | AssertPtrReturn(pfnPrintfV, VERR_INVALID_POINTER);
|
---|
1245 | int rc;
|
---|
1246 | if (iPath < pThis->cPaths)
|
---|
1247 | {
|
---|
1248 | PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
|
---|
1249 | if (pLeaf)
|
---|
1250 | {
|
---|
1251 | rtCrX509CertPathsDumpOneWorker(pThis, iPath, pLeaf, uVerbosity, pfnPrintfV, pvUser);
|
---|
1252 | rc = VINF_SUCCESS;
|
---|
1253 | }
|
---|
1254 | else
|
---|
1255 | rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR;
|
---|
1256 | }
|
---|
1257 | else
|
---|
1258 | rc = VERR_NOT_FOUND;
|
---|
1259 | return rc;
|
---|
1260 | }
|
---|
1261 |
|
---|
1262 |
|
---|
1263 | RTDECL(int) RTCrX509CertPathsDumpAll(RTCRX509CERTPATHS hCertPaths, uint32_t uVerbosity, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
|
---|
1264 | {
|
---|
1265 | /*
|
---|
1266 | * Validate the input.
|
---|
1267 | */
|
---|
1268 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
1269 | AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
|
---|
1270 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
|
---|
1271 | AssertPtrReturn(pfnPrintfV, VERR_INVALID_POINTER);
|
---|
1272 |
|
---|
1273 | /*
|
---|
1274 | * Dump all the paths.
|
---|
1275 | */
|
---|
1276 | rtDumpPrintf(pfnPrintfV, pvUser, "%u paths, rc=%Rrc\n", pThis->cPaths, pThis->rc);
|
---|
1277 | uint32_t iPath = 0;
|
---|
1278 | PRTCRX509CERTPATHNODE pCurLeaf, pNextLeaf;
|
---|
1279 | RTListForEachSafe(&pThis->LeafList, pCurLeaf, pNextLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
|
---|
1280 | {
|
---|
1281 | rtCrX509CertPathsDumpOneWorker(pThis, iPath, pCurLeaf, uVerbosity, pfnPrintfV, pvUser);
|
---|
1282 | iPath++;
|
---|
1283 | }
|
---|
1284 |
|
---|
1285 | return VINF_SUCCESS;
|
---|
1286 | }
|
---|
1287 |
|
---|
1288 |
|
---|
1289 | /** @} */
|
---|
1290 |
|
---|
1291 |
|
---|
1292 | /** @name Path Validator Functions.
|
---|
1293 | * @{
|
---|
1294 | */
|
---|
1295 |
|
---|
1296 |
|
---|
1297 | static void *rtCrX509CpvAllocZ(PRTCRX509CERTPATHSINT pThis, size_t cb, const char *pszWhat)
|
---|
1298 | {
|
---|
1299 | void *pv = RTMemAllocZ(cb);
|
---|
1300 | if (!pv)
|
---|
1301 | pThis->rc = RTErrInfoSetF(pThis->pErrInfo, VERR_NO_MEMORY, "Failed to allocate %zu bytes for %s", cb, pszWhat);
|
---|
1302 | return pv;
|
---|
1303 | }
|
---|
1304 |
|
---|
1305 |
|
---|
1306 | DECL_NO_INLINE(static, bool) rtCrX509CpvFailed(PRTCRX509CERTPATHSINT pThis, int rc, const char *pszFormat, ...)
|
---|
1307 | {
|
---|
1308 | va_list va;
|
---|
1309 | va_start(va, pszFormat);
|
---|
1310 | pThis->rc = RTErrInfoSetV(pThis->pErrInfo, rc, pszFormat, va);
|
---|
1311 | va_end(va);
|
---|
1312 | return false;
|
---|
1313 | }
|
---|
1314 |
|
---|
1315 |
|
---|
1316 | /**
|
---|
1317 | * Adds a sequence of excluded sub-trees.
|
---|
1318 | *
|
---|
1319 | * Don't waste time optimizing the output if this is supposed to be a union.
|
---|
1320 | * Unless the path is very long, it's a lot more work to optimize and the result
|
---|
1321 | * will be the same anyway.
|
---|
1322 | *
|
---|
1323 | * @returns success indicator.
|
---|
1324 | * @param pThis The validator instance.
|
---|
1325 | * @param pSubtrees The sequence of sub-trees to add.
|
---|
1326 | */
|
---|
1327 | static bool rtCrX509CpvAddExcludedSubtrees(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREES pSubtrees)
|
---|
1328 | {
|
---|
1329 | if (((pThis->v.cExcludedSubtrees + 1) & 0xf) == 0)
|
---|
1330 | {
|
---|
1331 | void *pvNew = RTMemRealloc(pThis->v.papExcludedSubtrees,
|
---|
1332 | (pThis->v.cExcludedSubtrees + 16) * sizeof(pThis->v.papExcludedSubtrees[0]));
|
---|
1333 | if (RT_UNLIKELY(!pvNew))
|
---|
1334 | return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Error growing subtrees pointer array to %u elements",
|
---|
1335 | pThis->v.cExcludedSubtrees + 16);
|
---|
1336 | pThis->v.papExcludedSubtrees = (PCRTCRX509GENERALSUBTREES *)pvNew;
|
---|
1337 | }
|
---|
1338 | pThis->v.papExcludedSubtrees[pThis->v.cExcludedSubtrees] = pSubtrees;
|
---|
1339 | pThis->v.cExcludedSubtrees++;
|
---|
1340 | return true;
|
---|
1341 | }
|
---|
1342 |
|
---|
1343 |
|
---|
1344 | /**
|
---|
1345 | * Checks if a sub-tree is according to RFC-5280.
|
---|
1346 | *
|
---|
1347 | * @returns Success indiciator.
|
---|
1348 | * @param pThis The validator instance.
|
---|
1349 | * @param pSubtree The subtree to check.
|
---|
1350 | */
|
---|
1351 | static bool rtCrX509CpvCheckSubtreeValidity(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREE pSubtree)
|
---|
1352 | {
|
---|
1353 | if ( pSubtree->Base.enmChoice <= RTCRX509GENERALNAMECHOICE_INVALID
|
---|
1354 | || pSubtree->Base.enmChoice >= RTCRX509GENERALNAMECHOICE_END)
|
---|
1355 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNEXP_GENERAL_SUBTREE_CHOICE,
|
---|
1356 | "Unexpected GeneralSubtree choice %#x", pSubtree->Base.enmChoice);
|
---|
1357 |
|
---|
1358 | if (RTAsn1Integer_UnsignedCompareWithU32(&pSubtree->Minimum, 0) != 0)
|
---|
1359 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNEXP_GENERAL_SUBTREE_MIN,
|
---|
1360 | "Unexpected GeneralSubtree Minimum value: %#llx",
|
---|
1361 | pSubtree->Minimum.uValue);
|
---|
1362 |
|
---|
1363 | if (RTAsn1Integer_IsPresent(&pSubtree->Maximum))
|
---|
1364 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNEXP_GENERAL_SUBTREE_MAX,
|
---|
1365 | "Unexpected GeneralSubtree Maximum value: %#llx",
|
---|
1366 | pSubtree->Maximum.uValue);
|
---|
1367 |
|
---|
1368 | return true;
|
---|
1369 | }
|
---|
1370 |
|
---|
1371 |
|
---|
1372 | /**
|
---|
1373 | * Grows the array of permitted sub-trees.
|
---|
1374 | *
|
---|
1375 | * @returns success indiciator.
|
---|
1376 | * @param pThis The validator instance.
|
---|
1377 | * @param cAdding The number of subtrees we should grow by
|
---|
1378 | * (relative to the current number of valid
|
---|
1379 | * entries).
|
---|
1380 | */
|
---|
1381 | static bool rtCrX509CpvGrowPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, uint32_t cAdding)
|
---|
1382 | {
|
---|
1383 | uint32_t cNew = RT_ALIGN_32(pThis->v.cPermittedSubtrees + cAdding, 16);
|
---|
1384 | if (cNew > pThis->v.cPermittedSubtreesAlloc)
|
---|
1385 | {
|
---|
1386 | if (cNew >= _4K)
|
---|
1387 | return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Too many permitted subtrees: %u (cur %u)",
|
---|
1388 | cNew, pThis->v.cPermittedSubtrees);
|
---|
1389 | void *pvNew = RTMemRealloc(pThis->v.papPermittedSubtrees, cNew * sizeof(pThis->v.papPermittedSubtrees[0]));
|
---|
1390 | if (RT_UNLIKELY(!pvNew))
|
---|
1391 | return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Error growing subtrees pointer array from %u to %u elements",
|
---|
1392 | pThis->v.cPermittedSubtreesAlloc, cNew);
|
---|
1393 | pThis->v.papPermittedSubtrees = (PCRTCRX509GENERALSUBTREE *)pvNew;
|
---|
1394 | }
|
---|
1395 | return true;
|
---|
1396 | }
|
---|
1397 |
|
---|
1398 |
|
---|
1399 | /**
|
---|
1400 | * Adds a sequence of permitted sub-trees.
|
---|
1401 | *
|
---|
1402 | * We store reference to each individual sub-tree because we must support
|
---|
1403 | * intersection calculation.
|
---|
1404 | *
|
---|
1405 | * @returns success indiciator.
|
---|
1406 | * @param pThis The validator instance.
|
---|
1407 | * @param cSubtrees The number of sub-trees to add.
|
---|
1408 | * @param papSubtrees Array of sub-trees to add.
|
---|
1409 | */
|
---|
1410 | static bool rtCrX509CpvAddPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, uint32_t cSubtrees,
|
---|
1411 | PRTCRX509GENERALSUBTREE const *papSubtrees)
|
---|
1412 | {
|
---|
1413 | /*
|
---|
1414 | * If the array is empty, assume no permitted names.
|
---|
1415 | */
|
---|
1416 | if (!cSubtrees)
|
---|
1417 | {
|
---|
1418 | pThis->v.fNoPermittedSubtrees = true;
|
---|
1419 | return true;
|
---|
1420 | }
|
---|
1421 |
|
---|
1422 | /*
|
---|
1423 | * Grow the array if necessary.
|
---|
1424 | */
|
---|
1425 | if (!rtCrX509CpvGrowPermittedSubtrees(pThis, cSubtrees))
|
---|
1426 | return false;
|
---|
1427 |
|
---|
1428 | /*
|
---|
1429 | * Append each subtree to the array.
|
---|
1430 | */
|
---|
1431 | uint32_t iDst = pThis->v.cPermittedSubtrees;
|
---|
1432 | for (uint32_t iSrc = 0; iSrc < cSubtrees; iSrc++)
|
---|
1433 | {
|
---|
1434 | if (!rtCrX509CpvCheckSubtreeValidity(pThis, papSubtrees[iSrc]))
|
---|
1435 | return false;
|
---|
1436 | pThis->v.papPermittedSubtrees[iDst] = papSubtrees[iSrc];
|
---|
1437 | iDst++;
|
---|
1438 | }
|
---|
1439 | pThis->v.cPermittedSubtrees = iDst;
|
---|
1440 |
|
---|
1441 | return true;
|
---|
1442 | }
|
---|
1443 |
|
---|
1444 |
|
---|
1445 | /**
|
---|
1446 | * Adds a one permitted sub-tree.
|
---|
1447 | *
|
---|
1448 | * We store reference to each individual sub-tree because we must support
|
---|
1449 | * intersection calculation.
|
---|
1450 | *
|
---|
1451 | * @returns success indiciator.
|
---|
1452 | * @param pThis The validator instance.
|
---|
1453 | * @param pSubtree Array of sub-trees to add.
|
---|
1454 | */
|
---|
1455 | static bool rtCrX509CpvAddPermittedSubtree(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREE pSubtree)
|
---|
1456 | {
|
---|
1457 | return rtCrX509CpvAddPermittedSubtrees(pThis, 1, (PRTCRX509GENERALSUBTREE const *)&pSubtree);
|
---|
1458 | }
|
---|
1459 |
|
---|
1460 |
|
---|
1461 | /**
|
---|
1462 | * Calculates the intersection between @a pSubtrees and the current permitted
|
---|
1463 | * sub-trees.
|
---|
1464 | *
|
---|
1465 | * @returns Success indicator.
|
---|
1466 | * @param pThis The validator instance.
|
---|
1467 | * @param pSubtrees The sub-tree sequence to intersect with.
|
---|
1468 | */
|
---|
1469 | static bool rtCrX509CpvIntersectionPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREES pSubtrees)
|
---|
1470 | {
|
---|
1471 | /*
|
---|
1472 | * Deal with special cases first.
|
---|
1473 | */
|
---|
1474 | if (pThis->v.fNoPermittedSubtrees)
|
---|
1475 | {
|
---|
1476 | Assert(pThis->v.cPermittedSubtrees == 0);
|
---|
1477 | return true;
|
---|
1478 | }
|
---|
1479 |
|
---|
1480 | uint32_t cRight = pSubtrees->cItems;
|
---|
1481 | PRTCRX509GENERALSUBTREE const *papRight = pSubtrees->papItems;
|
---|
1482 | if (cRight == 0)
|
---|
1483 | {
|
---|
1484 | pThis->v.cPermittedSubtrees = 0;
|
---|
1485 | pThis->v.fNoPermittedSubtrees = true;
|
---|
1486 | return true;
|
---|
1487 | }
|
---|
1488 |
|
---|
1489 | uint32_t cLeft = pThis->v.cPermittedSubtrees;
|
---|
1490 | PCRTCRX509GENERALSUBTREE *papLeft = pThis->v.papPermittedSubtrees;
|
---|
1491 | if (!cLeft) /* first name constraint, no initial constraint */
|
---|
1492 | return rtCrX509CpvAddPermittedSubtrees(pThis, cRight, papRight);
|
---|
1493 |
|
---|
1494 | /*
|
---|
1495 | * Create a new array with the intersection, freeing the old (left) array
|
---|
1496 | * once we're done.
|
---|
1497 | */
|
---|
1498 | bool afRightTags[RTCRX509GENERALNAMECHOICE_END] = { 0, 0, 0, 0, 0, 0, 0, 0, 0 };
|
---|
1499 |
|
---|
1500 | pThis->v.cPermittedSubtrees = 0;
|
---|
1501 | pThis->v.cPermittedSubtreesAlloc = 0;
|
---|
1502 | pThis->v.papPermittedSubtrees = NULL;
|
---|
1503 |
|
---|
1504 | for (uint32_t iRight = 0; iRight < cRight; iRight++)
|
---|
1505 | {
|
---|
1506 | if (!rtCrX509CpvCheckSubtreeValidity(pThis, papRight[iRight]))
|
---|
1507 | return false;
|
---|
1508 |
|
---|
1509 | RTCRX509GENERALNAMECHOICE const enmRightChoice = papRight[iRight]->Base.enmChoice;
|
---|
1510 | afRightTags[enmRightChoice] = true;
|
---|
1511 |
|
---|
1512 | bool fHaveRight = false;
|
---|
1513 | for (uint32_t iLeft = 0; iLeft < cLeft; iLeft++)
|
---|
1514 | if (papLeft[iLeft]->Base.enmChoice == enmRightChoice)
|
---|
1515 | {
|
---|
1516 | if (RTCrX509GeneralSubtree_Compare(papLeft[iLeft], papRight[iRight]) == 0)
|
---|
1517 | {
|
---|
1518 | if (!fHaveRight)
|
---|
1519 | {
|
---|
1520 | fHaveRight = true;
|
---|
1521 | rtCrX509CpvAddPermittedSubtree(pThis, papLeft[iLeft]);
|
---|
1522 | }
|
---|
1523 | }
|
---|
1524 | else if (RTCrX509GeneralSubtree_ConstraintMatch(papLeft[iLeft], papRight[iRight]))
|
---|
1525 | {
|
---|
1526 | if (!fHaveRight)
|
---|
1527 | {
|
---|
1528 | fHaveRight = true;
|
---|
1529 | rtCrX509CpvAddPermittedSubtree(pThis, papRight[iRight]);
|
---|
1530 | }
|
---|
1531 | }
|
---|
1532 | else if (RTCrX509GeneralSubtree_ConstraintMatch(papRight[iRight], papLeft[iLeft]))
|
---|
1533 | rtCrX509CpvAddPermittedSubtree(pThis, papLeft[iLeft]);
|
---|
1534 | }
|
---|
1535 | }
|
---|
1536 |
|
---|
1537 | /*
|
---|
1538 | * Add missing types not specified in the right set.
|
---|
1539 | */
|
---|
1540 | for (uint32_t iLeft = 0; iLeft < cLeft; iLeft++)
|
---|
1541 | if (!afRightTags[papLeft[iLeft]->Base.enmChoice])
|
---|
1542 | rtCrX509CpvAddPermittedSubtree(pThis, papLeft[iLeft]);
|
---|
1543 |
|
---|
1544 | /*
|
---|
1545 | * If we ended up with an empty set, no names are permitted any more.
|
---|
1546 | */
|
---|
1547 | if (pThis->v.cPermittedSubtrees == 0)
|
---|
1548 | pThis->v.fNoPermittedSubtrees = true;
|
---|
1549 |
|
---|
1550 | RTMemFree(papLeft);
|
---|
1551 | return RT_SUCCESS(pThis->rc);
|
---|
1552 | }
|
---|
1553 |
|
---|
1554 |
|
---|
1555 | /**
|
---|
1556 | * Check if the given X.509 name is permitted by current name constraints.
|
---|
1557 | *
|
---|
1558 | * @returns true is permitteded, false if not (caller set error info).
|
---|
1559 | * @param pThis The validator instance.
|
---|
1560 | * @param pName The name to match.
|
---|
1561 | */
|
---|
1562 | static bool rtCrX509CpvIsNamePermitted(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAME pName)
|
---|
1563 | {
|
---|
1564 | uint32_t i = pThis->v.cPermittedSubtrees;
|
---|
1565 | if (i == 0)
|
---|
1566 | return !pThis->v.fNoPermittedSubtrees;
|
---|
1567 |
|
---|
1568 | while (i-- > 0)
|
---|
1569 | {
|
---|
1570 | PCRTCRX509GENERALSUBTREE pConstraint = pThis->v.papPermittedSubtrees[i];
|
---|
1571 | if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(&pConstraint->Base)
|
---|
1572 | && RTCrX509Name_ConstraintMatch(&pConstraint->Base.u.pT4->DirectoryName, pName))
|
---|
1573 | return true;
|
---|
1574 | }
|
---|
1575 | return false;
|
---|
1576 | }
|
---|
1577 |
|
---|
1578 |
|
---|
1579 | /**
|
---|
1580 | * Check if the given X.509 general name is permitted by current name
|
---|
1581 | * constraints.
|
---|
1582 | *
|
---|
1583 | * @returns true is permitteded, false if not (caller sets error info).
|
---|
1584 | * @param pThis The validator instance.
|
---|
1585 | * @param pGeneralName The name to match.
|
---|
1586 | */
|
---|
1587 | static bool rtCrX509CpvIsGeneralNamePermitted(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALNAME pGeneralName)
|
---|
1588 | {
|
---|
1589 | uint32_t i = pThis->v.cPermittedSubtrees;
|
---|
1590 | if (i == 0)
|
---|
1591 | return !pThis->v.fNoPermittedSubtrees;
|
---|
1592 |
|
---|
1593 | while (i-- > 0)
|
---|
1594 | if (RTCrX509GeneralName_ConstraintMatch(&pThis->v.papPermittedSubtrees[i]->Base, pGeneralName))
|
---|
1595 | return true;
|
---|
1596 | return false;
|
---|
1597 | }
|
---|
1598 |
|
---|
1599 |
|
---|
1600 | /**
|
---|
1601 | * Check if the given X.509 name is excluded by current name constraints.
|
---|
1602 | *
|
---|
1603 | * @returns true if excluded (caller sets error info), false if not explicitly
|
---|
1604 | * excluded.
|
---|
1605 | * @param pThis The validator instance.
|
---|
1606 | * @param pName The name to match.
|
---|
1607 | */
|
---|
1608 | static bool rtCrX509CpvIsNameExcluded(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAME pName)
|
---|
1609 | {
|
---|
1610 | uint32_t i = pThis->v.cExcludedSubtrees;
|
---|
1611 | while (i-- > 0)
|
---|
1612 | {
|
---|
1613 | PCRTCRX509GENERALSUBTREES pSubTrees = pThis->v.papExcludedSubtrees[i];
|
---|
1614 | uint32_t j = pSubTrees->cItems;
|
---|
1615 | while (j-- > 0)
|
---|
1616 | {
|
---|
1617 | PCRTCRX509GENERALSUBTREE const pSubTree = pSubTrees->papItems[j];
|
---|
1618 | if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(&pSubTree->Base)
|
---|
1619 | && RTCrX509Name_ConstraintMatch(&pSubTree->Base.u.pT4->DirectoryName, pName))
|
---|
1620 | return true;
|
---|
1621 | }
|
---|
1622 | }
|
---|
1623 | return false;
|
---|
1624 | }
|
---|
1625 |
|
---|
1626 |
|
---|
1627 | /**
|
---|
1628 | * Check if the given X.509 general name is excluded by current name
|
---|
1629 | * constraints.
|
---|
1630 | *
|
---|
1631 | * @returns true if excluded (caller sets error info), false if not explicitly
|
---|
1632 | * excluded.
|
---|
1633 | * @param pThis The validator instance.
|
---|
1634 | * @param pGeneralName The name to match.
|
---|
1635 | */
|
---|
1636 | static bool rtCrX509CpvIsGeneralNameExcluded(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALNAME pGeneralName)
|
---|
1637 | {
|
---|
1638 | uint32_t i = pThis->v.cExcludedSubtrees;
|
---|
1639 | while (i-- > 0)
|
---|
1640 | {
|
---|
1641 | PCRTCRX509GENERALSUBTREES pSubTrees = pThis->v.papExcludedSubtrees[i];
|
---|
1642 | uint32_t j = pSubTrees->cItems;
|
---|
1643 | while (j-- > 0)
|
---|
1644 | if (RTCrX509GeneralName_ConstraintMatch(&pSubTrees->papItems[j]->Base, pGeneralName))
|
---|
1645 | return true;
|
---|
1646 | }
|
---|
1647 | return false;
|
---|
1648 | }
|
---|
1649 |
|
---|
1650 |
|
---|
1651 | /**
|
---|
1652 | * Creates a new node and inserts it.
|
---|
1653 | *
|
---|
1654 | * @param pThis The path builder & validator instance.
|
---|
1655 | * @param pParent The parent node. NULL for the root node.
|
---|
1656 | * @param iDepth The tree depth to insert at.
|
---|
1657 | * @param pValidPolicy The valid policy of the new node.
|
---|
1658 | * @param pQualifiers The qualifiers of the new node.
|
---|
1659 | * @param pExpectedPolicy The (first) expected polcy of the new node.
|
---|
1660 | */
|
---|
1661 | static bool rtCrX509CpvPolicyTreeInsertNew(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pParent, uint32_t iDepth,
|
---|
1662 | PCRTASN1OBJID pValidPolicy, PCRTCRX509POLICYQUALIFIERINFOS pQualifiers,
|
---|
1663 | PCRTASN1OBJID pExpectedPolicy)
|
---|
1664 | {
|
---|
1665 | Assert(iDepth <= pThis->v.cNodes);
|
---|
1666 |
|
---|
1667 | PRTCRX509CERTPATHSPOLICYNODE pNode;
|
---|
1668 | pNode = (PRTCRX509CERTPATHSPOLICYNODE)rtCrX509CpvAllocZ(pThis, sizeof(*pNode), "policy tree node");
|
---|
1669 | if (pNode)
|
---|
1670 | {
|
---|
1671 | pNode->pParent = pParent;
|
---|
1672 | if (pParent)
|
---|
1673 | RTListAppend(&pParent->ChildList, &pNode->SiblingEntry);
|
---|
1674 | else
|
---|
1675 | {
|
---|
1676 | Assert(pThis->v.pValidPolicyTree == NULL);
|
---|
1677 | pThis->v.pValidPolicyTree = pNode;
|
---|
1678 | RTListInit(&pNode->SiblingEntry);
|
---|
1679 | }
|
---|
1680 | RTListInit(&pNode->ChildList);
|
---|
1681 | RTListAppend(&pThis->v.paValidPolicyDepthLists[iDepth], &pNode->DepthEntry);
|
---|
1682 |
|
---|
1683 | pNode->pValidPolicy = pValidPolicy;
|
---|
1684 | pNode->pPolicyQualifiers = pQualifiers;
|
---|
1685 | pNode->pExpectedPolicyFirst = pExpectedPolicy;
|
---|
1686 | pNode->cMoreExpectedPolicySet = 0;
|
---|
1687 | pNode->papMoreExpectedPolicySet = NULL;
|
---|
1688 | return true;
|
---|
1689 | }
|
---|
1690 | return false;
|
---|
1691 | }
|
---|
1692 |
|
---|
1693 |
|
---|
1694 | /**
|
---|
1695 | * Unlinks and frees a node in the valid policy tree.
|
---|
1696 | *
|
---|
1697 | * @param pThis The path builder & validator instance.
|
---|
1698 | * @param pNode The node to destroy.
|
---|
1699 | */
|
---|
1700 | static void rtCrX509CpvPolicyTreeDestroyNode(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pNode)
|
---|
1701 | {
|
---|
1702 | Assert(RTListIsEmpty(&pNode->ChildList));
|
---|
1703 | if (pNode->pParent)
|
---|
1704 | RTListNodeRemove(&pNode->SiblingEntry);
|
---|
1705 | else
|
---|
1706 | pThis->v.pValidPolicyTree = NULL;
|
---|
1707 | RTListNodeRemove(&pNode->DepthEntry);
|
---|
1708 | pNode->pParent = NULL;
|
---|
1709 |
|
---|
1710 | if (pNode->papMoreExpectedPolicySet)
|
---|
1711 | {
|
---|
1712 | RTMemFree(pNode->papMoreExpectedPolicySet);
|
---|
1713 | pNode->papMoreExpectedPolicySet = NULL;
|
---|
1714 | }
|
---|
1715 | RTMemFree(pNode);
|
---|
1716 | }
|
---|
1717 |
|
---|
1718 |
|
---|
1719 | /**
|
---|
1720 | * Unlinks and frees a sub-tree in the valid policy tree.
|
---|
1721 | *
|
---|
1722 | * @param pThis The path builder & validator instance.
|
---|
1723 | * @param pNode The node that is the root of the subtree.
|
---|
1724 | */
|
---|
1725 | static void rtCrX509CpvPolicyTreeDestroySubtree(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pNode)
|
---|
1726 | {
|
---|
1727 | if (!RTListIsEmpty(&pNode->ChildList))
|
---|
1728 | {
|
---|
1729 | PRTCRX509CERTPATHSPOLICYNODE pCur = pNode;
|
---|
1730 | do
|
---|
1731 | {
|
---|
1732 | Assert(!RTListIsEmpty(&pCur->ChildList));
|
---|
1733 |
|
---|
1734 | /* Decend until we find a leaf. */
|
---|
1735 | do
|
---|
1736 | pCur = RTListGetFirst(&pCur->ChildList, RTCRX509CERTPATHSPOLICYNODE, SiblingEntry);
|
---|
1737 | while (!RTListIsEmpty(&pCur->ChildList));
|
---|
1738 |
|
---|
1739 | /* Remove it and all leafy siblings. */
|
---|
1740 | PRTCRX509CERTPATHSPOLICYNODE pParent = pCur->pParent;
|
---|
1741 | do
|
---|
1742 | {
|
---|
1743 | Assert(pCur != pNode);
|
---|
1744 | rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
|
---|
1745 | pCur = RTListGetFirst(&pParent->ChildList, RTCRX509CERTPATHSPOLICYNODE, SiblingEntry);
|
---|
1746 | if (!pCur)
|
---|
1747 | {
|
---|
1748 | pCur = pParent;
|
---|
1749 | pParent = pParent->pParent;
|
---|
1750 | }
|
---|
1751 | } while (RTListIsEmpty(&pCur->ChildList) && pCur != pNode);
|
---|
1752 | } while (pCur != pNode);
|
---|
1753 | }
|
---|
1754 |
|
---|
1755 | rtCrX509CpvPolicyTreeDestroyNode(pThis, pNode);
|
---|
1756 | }
|
---|
1757 |
|
---|
1758 |
|
---|
1759 |
|
---|
1760 | /**
|
---|
1761 | * Destroys the entire policy tree.
|
---|
1762 | *
|
---|
1763 | * @param pThis The path builder & validator instance.
|
---|
1764 | */
|
---|
1765 | static void rtCrX509CpvPolicyTreeDestroy(PRTCRX509CERTPATHSINT pThis)
|
---|
1766 | {
|
---|
1767 | uint32_t i = pThis->v.cNodes + 1;
|
---|
1768 | while (i-- > 0)
|
---|
1769 | {
|
---|
1770 | PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
|
---|
1771 | RTListForEachSafe(&pThis->v.paValidPolicyDepthLists[i], pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
|
---|
1772 | {
|
---|
1773 | rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
|
---|
1774 | }
|
---|
1775 | }
|
---|
1776 | }
|
---|
1777 |
|
---|
1778 |
|
---|
1779 | /**
|
---|
1780 | * Removes all leaf nodes at level @a iDepth and above.
|
---|
1781 | *
|
---|
1782 | * @param pThis The path builder & validator instance.
|
---|
1783 | * @param iDepth The depth to start pruning at.
|
---|
1784 | */
|
---|
1785 | static void rtCrX509CpvPolicyTreePrune(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth)
|
---|
1786 | {
|
---|
1787 | do
|
---|
1788 | {
|
---|
1789 | PRTLISTANCHOR pList = &pThis->v.paValidPolicyDepthLists[iDepth];
|
---|
1790 | PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
|
---|
1791 | RTListForEachSafe(pList, pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
|
---|
1792 | {
|
---|
1793 | if (RTListIsEmpty(&pCur->ChildList))
|
---|
1794 | rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
|
---|
1795 | }
|
---|
1796 |
|
---|
1797 | } while (iDepth-- > 0);
|
---|
1798 | }
|
---|
1799 |
|
---|
1800 |
|
---|
1801 | /**
|
---|
1802 | * Checks if @a pPolicy is the valid policy of a child of @a pNode.
|
---|
1803 | *
|
---|
1804 | * @returns true if in child node, false if not.
|
---|
1805 | * @param pNode The node which children to check.
|
---|
1806 | * @param pPolicy The valid policy to look for among the children.
|
---|
1807 | */
|
---|
1808 | static bool rtCrX509CpvPolicyTreeIsChild(PRTCRX509CERTPATHSPOLICYNODE pNode, PCRTASN1OBJID pPolicy)
|
---|
1809 | {
|
---|
1810 | PRTCRX509CERTPATHSPOLICYNODE pChild;
|
---|
1811 | RTListForEach(&pNode->ChildList, pChild, RTCRX509CERTPATHSPOLICYNODE, SiblingEntry)
|
---|
1812 | {
|
---|
1813 | if (RTAsn1ObjId_Compare(pChild->pValidPolicy, pPolicy) == 0)
|
---|
1814 | return true;
|
---|
1815 | }
|
---|
1816 | return true;
|
---|
1817 | }
|
---|
1818 |
|
---|
1819 |
|
---|
1820 | /**
|
---|
1821 | * Prunes the valid policy tree according to the specified user policy set.
|
---|
1822 | *
|
---|
1823 | * @returns Pointer to the policy object from @a papPolicies if found, NULL if
|
---|
1824 | * no match.
|
---|
1825 | * @param pObjId The object ID to locate at match in the set.
|
---|
1826 | * @param cPolicies The number of policies in @a papPolicies.
|
---|
1827 | * @param papPolicies The policy set to search.
|
---|
1828 | */
|
---|
1829 | static PCRTASN1OBJID rtCrX509CpvFindObjIdInPolicySet(PCRTASN1OBJID pObjId, uint32_t cPolicies, PCRTASN1OBJID *papPolicies)
|
---|
1830 | {
|
---|
1831 | uint32_t i = cPolicies;
|
---|
1832 | while (i-- > 0)
|
---|
1833 | if (RTAsn1ObjId_Compare(pObjId, papPolicies[i]) == 0)
|
---|
1834 | return papPolicies[i];
|
---|
1835 | return NULL;
|
---|
1836 | }
|
---|
1837 |
|
---|
1838 |
|
---|
1839 | /**
|
---|
1840 | * Prunes the valid policy tree according to the specified user policy set.
|
---|
1841 | *
|
---|
1842 | * @returns success indicator (allocates memory)
|
---|
1843 | * @param pThis The path builder & validator instance.
|
---|
1844 | * @param cPolicies The number of policies in @a papPolicies.
|
---|
1845 | * @param papPolicies The user initial policies.
|
---|
1846 | */
|
---|
1847 | static bool rtCrX509CpvPolicyTreeIntersect(PRTCRX509CERTPATHSINT pThis, uint32_t cPolicies, PCRTASN1OBJID *papPolicies)
|
---|
1848 | {
|
---|
1849 | /*
|
---|
1850 | * 4.1.6.g.i - NULL tree remains NULL.
|
---|
1851 | */
|
---|
1852 | if (!pThis->v.pValidPolicyTree)
|
---|
1853 | return true;
|
---|
1854 |
|
---|
1855 | /*
|
---|
1856 | * 4.1.6.g.ii - If the user set includes anyPolicy, the whole tree is the
|
---|
1857 | * result of the intersection.
|
---|
1858 | */
|
---|
1859 | uint32_t i = cPolicies;
|
---|
1860 | while (i-- > 0)
|
---|
1861 | if (RTAsn1ObjId_CompareWithString(papPolicies[i], RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
|
---|
1862 | return true;
|
---|
1863 |
|
---|
1864 | /*
|
---|
1865 | * 4.1.6.g.iii - Complicated.
|
---|
1866 | */
|
---|
1867 | PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
|
---|
1868 | PRTLISTANCHOR pList;
|
---|
1869 |
|
---|
1870 | /* 1 & 2: Delete nodes which parent has valid policy == anyPolicy and which
|
---|
1871 | valid policy is neither anyPolicy nor a member of papszPolicies.
|
---|
1872 | While doing so, construct a set of unused user policies that
|
---|
1873 | we'll replace anyPolicy nodes with in step 3. */
|
---|
1874 | uint32_t cPoliciesLeft = 0;
|
---|
1875 | PCRTASN1OBJID *papPoliciesLeft = NULL;
|
---|
1876 | if (cPolicies)
|
---|
1877 | {
|
---|
1878 | papPoliciesLeft = (PCRTASN1OBJID *)rtCrX509CpvAllocZ(pThis, cPolicies * sizeof(papPoliciesLeft[0]), "papPoliciesLeft");
|
---|
1879 | if (!papPoliciesLeft)
|
---|
1880 | return false;
|
---|
1881 | for (i = 0; i < cPolicies; i++)
|
---|
1882 | papPoliciesLeft[i] = papPolicies[i];
|
---|
1883 | }
|
---|
1884 |
|
---|
1885 | for (uint32_t iDepth = 1; iDepth <= pThis->v.cNodes; iDepth++)
|
---|
1886 | {
|
---|
1887 | pList = &pThis->v.paValidPolicyDepthLists[iDepth];
|
---|
1888 | RTListForEachSafe(pList, pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
|
---|
1889 | {
|
---|
1890 | Assert(pCur->pParent);
|
---|
1891 | if ( RTAsn1ObjId_CompareWithString(pCur->pParent->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0
|
---|
1892 | && RTAsn1ObjId_CompareWithString(pCur->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) != 0)
|
---|
1893 | {
|
---|
1894 | PCRTASN1OBJID pFound = rtCrX509CpvFindObjIdInPolicySet(pCur->pValidPolicy, cPolicies, papPolicies);
|
---|
1895 | if (!pFound)
|
---|
1896 | rtCrX509CpvPolicyTreeDestroySubtree(pThis, pCur);
|
---|
1897 | else
|
---|
1898 | for (i = 0; i < cPoliciesLeft; i++)
|
---|
1899 | if (papPoliciesLeft[i] == pFound)
|
---|
1900 | {
|
---|
1901 | cPoliciesLeft--;
|
---|
1902 | if (i < cPoliciesLeft)
|
---|
1903 | papPoliciesLeft[i] = papPoliciesLeft[cPoliciesLeft];
|
---|
1904 | papPoliciesLeft[cPoliciesLeft] = NULL;
|
---|
1905 | break;
|
---|
1906 | }
|
---|
1907 | }
|
---|
1908 | }
|
---|
1909 | }
|
---|
1910 |
|
---|
1911 | /*
|
---|
1912 | * 4.1.5.g.iii.3 - Replace anyPolicy nodes on the final tree depth with
|
---|
1913 | * the policies in papPoliciesLeft.
|
---|
1914 | */
|
---|
1915 | pList = &pThis->v.paValidPolicyDepthLists[pThis->v.cNodes];
|
---|
1916 | RTListForEachSafe(pList, pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
|
---|
1917 | {
|
---|
1918 | if (RTAsn1ObjId_CompareWithString(pCur->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
|
---|
1919 | {
|
---|
1920 | for (i = 0; i < cPoliciesLeft; i++)
|
---|
1921 | rtCrX509CpvPolicyTreeInsertNew(pThis, pCur->pParent, pThis->v.cNodes - 1,
|
---|
1922 | papPoliciesLeft[i], pCur->pPolicyQualifiers, papPoliciesLeft[i]);
|
---|
1923 | rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
|
---|
1924 | }
|
---|
1925 | }
|
---|
1926 |
|
---|
1927 | RTMemFree(papPoliciesLeft);
|
---|
1928 |
|
---|
1929 | /*
|
---|
1930 | * 4.1.5.g.iii.4 - Prune the tree
|
---|
1931 | */
|
---|
1932 | rtCrX509CpvPolicyTreePrune(pThis, pThis->v.cNodes - 1);
|
---|
1933 |
|
---|
1934 | return RT_SUCCESS(pThis->rc);
|
---|
1935 | }
|
---|
1936 |
|
---|
1937 |
|
---|
1938 |
|
---|
1939 | /**
|
---|
1940 | * Frees the path validator state.
|
---|
1941 | *
|
---|
1942 | * @param pThis The path builder & validator instance.
|
---|
1943 | */
|
---|
1944 | static void rtCrX509CpvCleanup(PRTCRX509CERTPATHSINT pThis)
|
---|
1945 | {
|
---|
1946 | /*
|
---|
1947 | * Destroy the policy tree and all its nodes. We do this from the bottom
|
---|
1948 | * up via the depth lists, saving annoying tree traversal.
|
---|
1949 | */
|
---|
1950 | if (pThis->v.paValidPolicyDepthLists)
|
---|
1951 | {
|
---|
1952 | rtCrX509CpvPolicyTreeDestroy(pThis);
|
---|
1953 |
|
---|
1954 | RTMemFree(pThis->v.paValidPolicyDepthLists);
|
---|
1955 | pThis->v.paValidPolicyDepthLists = NULL;
|
---|
1956 | }
|
---|
1957 |
|
---|
1958 | Assert(pThis->v.pValidPolicyTree == NULL);
|
---|
1959 | pThis->v.pValidPolicyTree = NULL;
|
---|
1960 |
|
---|
1961 | /*
|
---|
1962 | * Destroy the name constraint arrays.
|
---|
1963 | */
|
---|
1964 | if (pThis->v.papPermittedSubtrees)
|
---|
1965 | {
|
---|
1966 | RTMemFree(pThis->v.papPermittedSubtrees);
|
---|
1967 | pThis->v.papPermittedSubtrees = NULL;
|
---|
1968 | }
|
---|
1969 | pThis->v.cPermittedSubtrees = 0;
|
---|
1970 | pThis->v.cPermittedSubtreesAlloc = 0;
|
---|
1971 | pThis->v.fNoPermittedSubtrees = false;
|
---|
1972 |
|
---|
1973 | if (pThis->v.papExcludedSubtrees)
|
---|
1974 | {
|
---|
1975 | RTMemFree(pThis->v.papExcludedSubtrees);
|
---|
1976 | pThis->v.papExcludedSubtrees = NULL;
|
---|
1977 | }
|
---|
1978 | pThis->v.cExcludedSubtrees = 0;
|
---|
1979 |
|
---|
1980 | /*
|
---|
1981 | * Clear other pointers.
|
---|
1982 | */
|
---|
1983 | pThis->v.pWorkingIssuer = NULL;
|
---|
1984 | pThis->v.pWorkingPublicKey = NULL;
|
---|
1985 | pThis->v.pWorkingPublicKeyAlgorithm = NULL;
|
---|
1986 | pThis->v.pWorkingPublicKeyParameters = NULL;
|
---|
1987 | }
|
---|
1988 |
|
---|
1989 |
|
---|
1990 | /**
|
---|
1991 | * Initializes the state.
|
---|
1992 | *
|
---|
1993 | * Caller must check pThis->rc.
|
---|
1994 | *
|
---|
1995 | * @param pThis The path builder & validator instance.
|
---|
1996 | * @param pTrustAnchor The trust anchor node for the path that we're about
|
---|
1997 | * to validate.
|
---|
1998 | */
|
---|
1999 | static void rtCrX509CpvInit(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pTrustAnchor)
|
---|
2000 | {
|
---|
2001 | rtCrX509CpvCleanup(pThis);
|
---|
2002 |
|
---|
2003 | /*
|
---|
2004 | * The node count does not include the trust anchor.
|
---|
2005 | */
|
---|
2006 | pThis->v.cNodes = pTrustAnchor->uDepth;
|
---|
2007 |
|
---|
2008 | /*
|
---|
2009 | * Valid policy tree starts with an anyPolicy node.
|
---|
2010 | */
|
---|
2011 | uint32_t i = pThis->v.cNodes + 1;
|
---|
2012 | pThis->v.paValidPolicyDepthLists = (PRTLISTANCHOR)rtCrX509CpvAllocZ(pThis, i * sizeof(RTLISTANCHOR),
|
---|
2013 | "paValidPolicyDepthLists");
|
---|
2014 | if (RT_UNLIKELY(!pThis->v.paValidPolicyDepthLists))
|
---|
2015 | return;
|
---|
2016 | while (i-- > 0)
|
---|
2017 | RTListInit(&pThis->v.paValidPolicyDepthLists[i]);
|
---|
2018 |
|
---|
2019 | if (!rtCrX509CpvPolicyTreeInsertNew(pThis, NULL, 0 /* iDepth*/, &pThis->AnyPolicyObjId, NULL, &pThis->AnyPolicyObjId))
|
---|
2020 | return;
|
---|
2021 | Assert(!RTListIsEmpty(&pThis->v.paValidPolicyDepthLists[0])); Assert(pThis->v.pValidPolicyTree);
|
---|
2022 |
|
---|
2023 | /*
|
---|
2024 | * Name constrains.
|
---|
2025 | */
|
---|
2026 | if (pThis->pInitialPermittedSubtrees)
|
---|
2027 | rtCrX509CpvAddPermittedSubtrees(pThis, pThis->pInitialPermittedSubtrees->cItems,
|
---|
2028 | pThis->pInitialPermittedSubtrees->papItems);
|
---|
2029 | if (pThis->pInitialExcludedSubtrees)
|
---|
2030 | rtCrX509CpvAddExcludedSubtrees(pThis, pThis->pInitialExcludedSubtrees);
|
---|
2031 |
|
---|
2032 | /*
|
---|
2033 | * Counters.
|
---|
2034 | */
|
---|
2035 | pThis->v.cExplicitPolicy = pThis->cInitialExplicitPolicy;
|
---|
2036 | pThis->v.cInhibitPolicyMapping = pThis->cInitialPolicyMappingInhibit;
|
---|
2037 | pThis->v.cInhibitAnyPolicy = pThis->cInitialInhibitAnyPolicy;
|
---|
2038 | pThis->v.cMaxPathLength = pThis->v.cNodes;
|
---|
2039 |
|
---|
2040 | /*
|
---|
2041 | * Certificate info from the trust anchor.
|
---|
2042 | */
|
---|
2043 | if (pTrustAnchor->pCert)
|
---|
2044 | {
|
---|
2045 | PCRTCRX509TBSCERTIFICATE const pTbsCert = &pTrustAnchor->pCert->TbsCertificate;
|
---|
2046 | pThis->v.pWorkingIssuer = &pTbsCert->Subject;
|
---|
2047 | pThis->v.pWorkingPublicKey = &pTbsCert->SubjectPublicKeyInfo.SubjectPublicKey;
|
---|
2048 | pThis->v.pWorkingPublicKeyAlgorithm = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm;
|
---|
2049 | pThis->v.pWorkingPublicKeyParameters = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters;
|
---|
2050 | }
|
---|
2051 | else
|
---|
2052 | {
|
---|
2053 | Assert(pTrustAnchor->pCertCtx); Assert(pTrustAnchor->pCertCtx->pTaInfo);
|
---|
2054 |
|
---|
2055 | PCRTCRTAFTRUSTANCHORINFO const pTaInfo = pTrustAnchor->pCertCtx->pTaInfo;
|
---|
2056 | pThis->v.pWorkingIssuer = &pTaInfo->CertPath.TaName;
|
---|
2057 | pThis->v.pWorkingPublicKey = &pTaInfo->PubKey.SubjectPublicKey;
|
---|
2058 | pThis->v.pWorkingPublicKeyAlgorithm = &pTaInfo->PubKey.Algorithm.Algorithm;
|
---|
2059 | pThis->v.pWorkingPublicKeyParameters = &pTaInfo->PubKey.Algorithm.Parameters;
|
---|
2060 | }
|
---|
2061 | if ( !RTASN1CORE_IS_PRESENT(&pThis->v.pWorkingPublicKeyParameters->u.Core)
|
---|
2062 | || pThis->v.pWorkingPublicKeyParameters->enmType == RTASN1TYPE_NULL)
|
---|
2063 | pThis->v.pWorkingPublicKeyParameters = NULL;
|
---|
2064 | }
|
---|
2065 |
|
---|
2066 |
|
---|
2067 | /**
|
---|
2068 | * This does basic trust anchor checks (similar to 6.1.3.a) before starting on
|
---|
2069 | * the RFC-5280 algorithm.
|
---|
2070 | */
|
---|
2071 | static bool rtCrX509CpvMaybeCheckTrustAnchor(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pTrustAnchor)
|
---|
2072 | {
|
---|
2073 | /*
|
---|
2074 | * This is optional (not part of RFC-5280) and we need a full certificate
|
---|
2075 | * structure to do it.
|
---|
2076 | */
|
---|
2077 | if (!(pThis->fFlags & RTCRX509CERTPATHSINT_F_CHECK_TRUST_ANCHOR))
|
---|
2078 | return true;
|
---|
2079 |
|
---|
2080 | PCRTCRX509CERTIFICATE const pCert = pTrustAnchor->pCert;
|
---|
2081 | if (!pCert)
|
---|
2082 | return true;
|
---|
2083 |
|
---|
2084 | /*
|
---|
2085 | * Verify the certificate signature if self-signed.
|
---|
2086 | */
|
---|
2087 | if (RTCrX509Certificate_IsSelfSigned(pCert))
|
---|
2088 | {
|
---|
2089 | int rc = RTCrX509Certificate_VerifySignature(pCert, pThis->v.pWorkingPublicKeyAlgorithm,
|
---|
2090 | pThis->v.pWorkingPublicKeyParameters, pThis->v.pWorkingPublicKey,
|
---|
2091 | pThis->pErrInfo);
|
---|
2092 | if (RT_FAILURE(rc))
|
---|
2093 | {
|
---|
2094 | pThis->rc = rc;
|
---|
2095 | return false;
|
---|
2096 | }
|
---|
2097 | }
|
---|
2098 |
|
---|
2099 | /*
|
---|
2100 | * Verify that the certificate is valid at the specified time.
|
---|
2101 | */
|
---|
2102 | AssertCompile(sizeof(pThis->szTmp) >= 36 * 3);
|
---|
2103 | if ( (pThis->fFlags & RTCRX509CERTPATHSINT_F_VALID_TIME)
|
---|
2104 | && !RTCrX509Validity_IsValidAtTimeSpec(&pCert->TbsCertificate.Validity, &pThis->ValidTime))
|
---|
2105 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_VALID_AT_TIME,
|
---|
2106 | "Certificate is not valid (ValidTime=%s Validity=[%s...%s])",
|
---|
2107 | RTTimeSpecToString(&pThis->ValidTime, &pThis->szTmp[0], 36),
|
---|
2108 | RTTimeToString(&pCert->TbsCertificate.Validity.NotBefore.Time, &pThis->szTmp[36], 36),
|
---|
2109 | RTTimeToString(&pCert->TbsCertificate.Validity.NotAfter.Time, &pThis->szTmp[2*36], 36) );
|
---|
2110 |
|
---|
2111 | /*
|
---|
2112 | * Verified that the certficiate is not revoked.
|
---|
2113 | */
|
---|
2114 | /** @todo rainy day. */
|
---|
2115 |
|
---|
2116 | /*
|
---|
2117 | * If non-leaf certificate CA must be set, if basic constraints are present.
|
---|
2118 | */
|
---|
2119 | if (pTrustAnchor->pParent)
|
---|
2120 | {
|
---|
2121 | if (RTAsn1Integer_UnsignedCompareWithU32(&pTrustAnchor->pCert->TbsCertificate.T0.Version, RTCRX509TBSCERTIFICATE_V3) != 0)
|
---|
2122 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_V3_CERT,
|
---|
2123 | "Only version 3 TA certificates are supported (Version=%llu)",
|
---|
2124 | pTrustAnchor->pCert->TbsCertificate.T0.Version.uValue);
|
---|
2125 | PCRTCRX509BASICCONSTRAINTS pBasicConstraints = pTrustAnchor->pCert->TbsCertificate.T3.pBasicConstraints;
|
---|
2126 | if (pBasicConstraints && !pBasicConstraints->CA.fValue)
|
---|
2127 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_CA_CERT,
|
---|
2128 | "Trust anchor certificate is not marked as a CA");
|
---|
2129 | }
|
---|
2130 |
|
---|
2131 | return true;
|
---|
2132 | }
|
---|
2133 |
|
---|
2134 |
|
---|
2135 | /**
|
---|
2136 | * Step 6.1.3.a.
|
---|
2137 | */
|
---|
2138 | static bool rtCrX509CpvCheckBasicCertInfo(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
|
---|
2139 | {
|
---|
2140 | /*
|
---|
2141 | * 6.1.3.a.1 - Verify the certificate signature.
|
---|
2142 | */
|
---|
2143 | int rc = RTCrX509Certificate_VerifySignature(pNode->pCert, pThis->v.pWorkingPublicKeyAlgorithm,
|
---|
2144 | pThis->v.pWorkingPublicKeyParameters, pThis->v.pWorkingPublicKey,
|
---|
2145 | pThis->pErrInfo);
|
---|
2146 | if (RT_FAILURE(rc))
|
---|
2147 | {
|
---|
2148 | pThis->rc = rc;
|
---|
2149 | return false;
|
---|
2150 | }
|
---|
2151 |
|
---|
2152 | /*
|
---|
2153 | * 6.1.3.a.2 - Verify that the certificate is valid at the specified time.
|
---|
2154 | */
|
---|
2155 | AssertCompile(sizeof(pThis->szTmp) >= 36 * 3);
|
---|
2156 | if ( (pThis->fFlags & RTCRX509CERTPATHSINT_F_VALID_TIME)
|
---|
2157 | && !RTCrX509Validity_IsValidAtTimeSpec(&pNode->pCert->TbsCertificate.Validity, &pThis->ValidTime))
|
---|
2158 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_VALID_AT_TIME,
|
---|
2159 | "Certificate is not valid (ValidTime=%s Validity=[%s...%s])",
|
---|
2160 | RTTimeSpecToString(&pThis->ValidTime, &pThis->szTmp[0], 36),
|
---|
2161 | RTTimeToString(&pNode->pCert->TbsCertificate.Validity.NotBefore.Time, &pThis->szTmp[36], 36),
|
---|
2162 | RTTimeToString(&pNode->pCert->TbsCertificate.Validity.NotAfter.Time, &pThis->szTmp[2*36], 36) );
|
---|
2163 |
|
---|
2164 | /*
|
---|
2165 | * 6.1.3.a.3 - Verified that the certficiate is not revoked.
|
---|
2166 | */
|
---|
2167 | /** @todo rainy day. */
|
---|
2168 |
|
---|
2169 | /*
|
---|
2170 | * 6.1.3.a.4 - Check the issuer name.
|
---|
2171 | */
|
---|
2172 | if (!RTCrX509Name_MatchByRfc5280(&pNode->pCert->TbsCertificate.Issuer, pThis->v.pWorkingIssuer))
|
---|
2173 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_ISSUER_MISMATCH, "Issuer mismatch");
|
---|
2174 |
|
---|
2175 | return true;
|
---|
2176 | }
|
---|
2177 |
|
---|
2178 |
|
---|
2179 | /**
|
---|
2180 | * Step 6.1.3.b-c.
|
---|
2181 | */
|
---|
2182 | static bool rtCrX509CpvCheckNameConstraints(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
|
---|
2183 | {
|
---|
2184 | if (pThis->v.fNoPermittedSubtrees)
|
---|
2185 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NO_PERMITTED_NAMES, "No permitted subtrees");
|
---|
2186 |
|
---|
2187 | if ( pNode->pCert->TbsCertificate.Subject.cItems > 0
|
---|
2188 | && ( !rtCrX509CpvIsNamePermitted(pThis, &pNode->pCert->TbsCertificate.Subject)
|
---|
2189 | || rtCrX509CpvIsNameExcluded(pThis, &pNode->pCert->TbsCertificate.Subject)) )
|
---|
2190 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NAME_NOT_PERMITTED,
|
---|
2191 | "Subject name is not permitted by current name constraints");
|
---|
2192 |
|
---|
2193 | PCRTCRX509GENERALNAMES pAltSubjectName = pNode->pCert->TbsCertificate.T3.pAltSubjectName;
|
---|
2194 | if (pAltSubjectName)
|
---|
2195 | {
|
---|
2196 | uint32_t i = pAltSubjectName->cItems;
|
---|
2197 | while (i-- > 0)
|
---|
2198 | if ( !rtCrX509CpvIsGeneralNamePermitted(pThis, pAltSubjectName->papItems[i])
|
---|
2199 | || rtCrX509CpvIsGeneralNameExcluded(pThis, pAltSubjectName->papItems[i]))
|
---|
2200 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_ALT_NAME_NOT_PERMITTED,
|
---|
2201 | "Alternative name #%u is is not permitted by current name constraints", i);
|
---|
2202 | }
|
---|
2203 |
|
---|
2204 | return true;
|
---|
2205 | }
|
---|
2206 |
|
---|
2207 |
|
---|
2208 | /**
|
---|
2209 | * Step 6.1.3.d-f.
|
---|
2210 | */
|
---|
2211 | static bool rtCrX509CpvWorkValidPolicyTree(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth, PRTCRX509CERTPATHNODE pNode,
|
---|
2212 | bool fSelfIssued)
|
---|
2213 | {
|
---|
2214 | PCRTCRX509CERTIFICATEPOLICIES pPolicies = pNode->pCert->TbsCertificate.T3.pCertificatePolicies;
|
---|
2215 | if (pPolicies)
|
---|
2216 | {
|
---|
2217 | /*
|
---|
2218 | * 6.1.3.d.1 - Work the certiciate policies into the tree.
|
---|
2219 | */
|
---|
2220 | PRTCRX509CERTPATHSPOLICYNODE pCur;
|
---|
2221 | PRTLISTANCHOR pListAbove = &pThis->v.paValidPolicyDepthLists[iDepth - 1];
|
---|
2222 | uint32_t iAnyPolicy = UINT32_MAX;
|
---|
2223 | uint32_t i = pPolicies->cItems;
|
---|
2224 | while (i-- > 0)
|
---|
2225 | {
|
---|
2226 | PCRTCRX509POLICYQUALIFIERINFOS const pQualifiers = &pPolicies->papItems[i]->PolicyQualifiers;
|
---|
2227 | PCRTASN1OBJID const pIdP = &pPolicies->papItems[i]->PolicyIdentifier;
|
---|
2228 | if (RTAsn1ObjId_CompareWithString(pIdP, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
|
---|
2229 | {
|
---|
2230 | iAnyPolicy++;
|
---|
2231 | continue;
|
---|
2232 | }
|
---|
2233 |
|
---|
2234 | /*
|
---|
2235 | * 6.1.3.d.1.i - Create children for matching policies.
|
---|
2236 | */
|
---|
2237 | uint32_t cMatches = 0;
|
---|
2238 | RTListForEach(pListAbove, pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
|
---|
2239 | {
|
---|
2240 | bool fMatch = RTAsn1ObjId_Compare(pCur->pExpectedPolicyFirst, pIdP) == 0;
|
---|
2241 | if (!fMatch && pCur->cMoreExpectedPolicySet)
|
---|
2242 | for (uint32_t j = 0; !fMatch && j < pCur->cMoreExpectedPolicySet; j++)
|
---|
2243 | fMatch = RTAsn1ObjId_Compare(pCur->papMoreExpectedPolicySet[j], pIdP) == 0;
|
---|
2244 | if (fMatch)
|
---|
2245 | {
|
---|
2246 | if (!rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pIdP, pQualifiers, pIdP))
|
---|
2247 | return false;
|
---|
2248 | cMatches++;
|
---|
2249 | }
|
---|
2250 | }
|
---|
2251 |
|
---|
2252 | /*
|
---|
2253 | * 6.1.3.d.1.ii - If no matches above do the same for anyPolicy
|
---|
2254 | * nodes, only match with valid policy this time.
|
---|
2255 | */
|
---|
2256 | if (cMatches == 0)
|
---|
2257 | {
|
---|
2258 | RTListForEach(pListAbove, pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
|
---|
2259 | {
|
---|
2260 | if (RTAsn1ObjId_CompareWithString(pCur->pExpectedPolicyFirst, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
|
---|
2261 | {
|
---|
2262 | if (!rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pIdP, pQualifiers, pIdP))
|
---|
2263 | return false;
|
---|
2264 | }
|
---|
2265 | }
|
---|
2266 | }
|
---|
2267 | }
|
---|
2268 |
|
---|
2269 | /*
|
---|
2270 | * 6.1.3.d.2 - If anyPolicy present, make sure all expected policies
|
---|
2271 | * are propagated to the current depth.
|
---|
2272 | */
|
---|
2273 | if ( iAnyPolicy < pPolicies->cItems
|
---|
2274 | && ( pThis->v.cInhibitAnyPolicy > 0
|
---|
2275 | || (pNode->pParent && fSelfIssued) ) )
|
---|
2276 | {
|
---|
2277 | PCRTCRX509POLICYQUALIFIERINFOS pApQ = &pPolicies->papItems[iAnyPolicy]->PolicyQualifiers;
|
---|
2278 | RTListForEach(pListAbove, pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
|
---|
2279 | {
|
---|
2280 | if (!rtCrX509CpvPolicyTreeIsChild(pCur, pCur->pExpectedPolicyFirst))
|
---|
2281 | rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pCur->pExpectedPolicyFirst, pApQ,
|
---|
2282 | pCur->pExpectedPolicyFirst);
|
---|
2283 | for (uint32_t j = 0; j < pCur->cMoreExpectedPolicySet; j++)
|
---|
2284 | if (!rtCrX509CpvPolicyTreeIsChild(pCur, pCur->papMoreExpectedPolicySet[j]))
|
---|
2285 | rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pCur->papMoreExpectedPolicySet[j], pApQ,
|
---|
2286 | pCur->papMoreExpectedPolicySet[j]);
|
---|
2287 | }
|
---|
2288 | }
|
---|
2289 | /*
|
---|
2290 | * 6.1.3.d.3 - Prune the tree.
|
---|
2291 | */
|
---|
2292 | else
|
---|
2293 | rtCrX509CpvPolicyTreePrune(pThis, iDepth - 1);
|
---|
2294 | }
|
---|
2295 | else
|
---|
2296 | {
|
---|
2297 | /*
|
---|
2298 | * 6.1.3.e - No policy extension present, set tree to NULL.
|
---|
2299 | */
|
---|
2300 | rtCrX509CpvPolicyTreeDestroy(pThis);
|
---|
2301 | }
|
---|
2302 |
|
---|
2303 | /*
|
---|
2304 | * 6.1.3.f - NULL tree check.
|
---|
2305 | */
|
---|
2306 | if ( pThis->v.pValidPolicyTree == NULL
|
---|
2307 | && pThis->v.cExplicitPolicy == 0)
|
---|
2308 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NO_VALID_POLICY,
|
---|
2309 | "An explicit policy is called for but the valid policy tree is NULL.");
|
---|
2310 | return RT_SUCCESS(pThis->rc);
|
---|
2311 | }
|
---|
2312 |
|
---|
2313 |
|
---|
2314 | /**
|
---|
2315 | * Step 6.1.4.a-b.
|
---|
2316 | */
|
---|
2317 | static bool rtCrX509CpvSoakUpPolicyMappings(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth,
|
---|
2318 | PCRTCRX509POLICYMAPPINGS pPolicyMappings)
|
---|
2319 | {
|
---|
2320 | /*
|
---|
2321 | * 6.1.4.a - The anyPolicy is not allowed in policy mappings as it would
|
---|
2322 | * allow an evil intermediate certificate to expand the policy
|
---|
2323 | * scope of a certiciate chain without regard to upstream.
|
---|
2324 | */
|
---|
2325 | uint32_t i = pPolicyMappings->cItems;
|
---|
2326 | while (i-- > 0)
|
---|
2327 | {
|
---|
2328 | PCRTCRX509POLICYMAPPING const pOne = pPolicyMappings->papItems[i];
|
---|
2329 | if (RTAsn1ObjId_CompareWithString(&pOne->IssuerDomainPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
|
---|
2330 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_INVALID_POLICY_MAPPING,
|
---|
2331 | "Invalid policy mapping %#u: IssuerDomainPolicy is anyPolicy.", i);
|
---|
2332 |
|
---|
2333 | if (RTAsn1ObjId_CompareWithString(&pOne->SubjectDomainPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
|
---|
2334 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_INVALID_POLICY_MAPPING,
|
---|
2335 | "Invalid policy mapping %#u: SubjectDomainPolicy is anyPolicy.", i);
|
---|
2336 | }
|
---|
2337 |
|
---|
2338 | PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
|
---|
2339 | if (pThis->v.cInhibitPolicyMapping > 0)
|
---|
2340 | {
|
---|
2341 | /*
|
---|
2342 | * 6.1.4.b.1 - Do the policy mapping.
|
---|
2343 | */
|
---|
2344 | i = pPolicyMappings->cItems;
|
---|
2345 | while (i-- > 0)
|
---|
2346 | {
|
---|
2347 | PCRTCRX509POLICYMAPPING const pOne = pPolicyMappings->papItems[i];
|
---|
2348 |
|
---|
2349 | uint32_t cFound = 0;
|
---|
2350 | RTListForEach(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
|
---|
2351 | {
|
---|
2352 | if (RTAsn1ObjId_Compare(pCur->pValidPolicy, &pOne->IssuerDomainPolicy))
|
---|
2353 | {
|
---|
2354 | if (!pCur->fAlreadyMapped)
|
---|
2355 | {
|
---|
2356 | pCur->fAlreadyMapped = true;
|
---|
2357 | pCur->pExpectedPolicyFirst = &pOne->SubjectDomainPolicy;
|
---|
2358 | }
|
---|
2359 | else
|
---|
2360 | {
|
---|
2361 | uint32_t iExpected = pCur->cMoreExpectedPolicySet;
|
---|
2362 | void *pvNew = RTMemRealloc(pCur->papMoreExpectedPolicySet,
|
---|
2363 | sizeof(pCur->papMoreExpectedPolicySet[0]) * (iExpected + 1));
|
---|
2364 | if (!pvNew)
|
---|
2365 | return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY,
|
---|
2366 | "Error growing papMoreExpectedPolicySet array (cur %u, depth %u)",
|
---|
2367 | pCur->cMoreExpectedPolicySet, iDepth);
|
---|
2368 | pCur->papMoreExpectedPolicySet = (PCRTASN1OBJID *)pvNew;
|
---|
2369 | pCur->papMoreExpectedPolicySet[iExpected] = &pOne->SubjectDomainPolicy;
|
---|
2370 | pCur->cMoreExpectedPolicySet = iExpected + 1;
|
---|
2371 | }
|
---|
2372 | cFound++;
|
---|
2373 | }
|
---|
2374 | }
|
---|
2375 |
|
---|
2376 | /*
|
---|
2377 | * If no mapping took place, look for an anyPolicy node.
|
---|
2378 | */
|
---|
2379 | if (!cFound)
|
---|
2380 | {
|
---|
2381 | RTListForEach(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
|
---|
2382 | {
|
---|
2383 | if (RTAsn1ObjId_CompareWithString(pCur->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
|
---|
2384 | {
|
---|
2385 | if (!rtCrX509CpvPolicyTreeInsertNew(pThis, pCur->pParent, iDepth,
|
---|
2386 | &pOne->IssuerDomainPolicy,
|
---|
2387 | pCur->pPolicyQualifiers,
|
---|
2388 | &pOne->SubjectDomainPolicy))
|
---|
2389 | return false;
|
---|
2390 | break;
|
---|
2391 | }
|
---|
2392 | }
|
---|
2393 | }
|
---|
2394 | }
|
---|
2395 | }
|
---|
2396 | else
|
---|
2397 | {
|
---|
2398 | /*
|
---|
2399 | * 6.1.4.b.2 - Remove matching policies from the tree if mapping is
|
---|
2400 | * inhibited and prune the tree.
|
---|
2401 | */
|
---|
2402 | uint32_t cRemoved = 0;
|
---|
2403 | i = pPolicyMappings->cItems;
|
---|
2404 | while (i-- > 0)
|
---|
2405 | {
|
---|
2406 | PCRTCRX509POLICYMAPPING const pOne = pPolicyMappings->papItems[i];
|
---|
2407 | RTListForEachSafe(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
|
---|
2408 | {
|
---|
2409 | if (RTAsn1ObjId_Compare(pCur->pValidPolicy, &pOne->IssuerDomainPolicy))
|
---|
2410 | {
|
---|
2411 | rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
|
---|
2412 | cRemoved++;
|
---|
2413 | }
|
---|
2414 | }
|
---|
2415 | }
|
---|
2416 | if (cRemoved)
|
---|
2417 | rtCrX509CpvPolicyTreePrune(pThis, iDepth - 1);
|
---|
2418 | }
|
---|
2419 |
|
---|
2420 | return true;
|
---|
2421 | }
|
---|
2422 |
|
---|
2423 |
|
---|
2424 | /**
|
---|
2425 | * Step 6.1.4.d-f & 6.1.5.c-e.
|
---|
2426 | */
|
---|
2427 | static void rtCrX509CpvSetWorkingPublicKeyInfo(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
|
---|
2428 | {
|
---|
2429 | PCRTCRX509TBSCERTIFICATE const pTbsCert = &pNode->pCert->TbsCertificate;
|
---|
2430 |
|
---|
2431 | /*
|
---|
2432 | * 6.1.4.d - The public key.
|
---|
2433 | */
|
---|
2434 | pThis->v.pWorkingPublicKey = &pTbsCert->SubjectPublicKeyInfo.SubjectPublicKey;
|
---|
2435 |
|
---|
2436 | /*
|
---|
2437 | * 6.1.4.e - The public key parameters. Use new ones if present, keep old
|
---|
2438 | * if the algorithm remains the same.
|
---|
2439 | */
|
---|
2440 | if ( RTASN1CORE_IS_PRESENT(&pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters.u.Core)
|
---|
2441 | && pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters.enmType != RTASN1TYPE_NULL)
|
---|
2442 | pThis->v.pWorkingPublicKeyParameters = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters;
|
---|
2443 | else if ( pThis->v.pWorkingPublicKeyParameters
|
---|
2444 | && RTAsn1ObjId_Compare(pThis->v.pWorkingPublicKeyAlgorithm, &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm) != 0)
|
---|
2445 | pThis->v.pWorkingPublicKeyParameters = NULL;
|
---|
2446 |
|
---|
2447 | /*
|
---|
2448 | * 6.1.4.f - The public algorithm.
|
---|
2449 | */
|
---|
2450 | pThis->v.pWorkingPublicKeyAlgorithm = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm;
|
---|
2451 | }
|
---|
2452 |
|
---|
2453 |
|
---|
2454 | /**
|
---|
2455 | * Step 6.1.4.g.
|
---|
2456 | */
|
---|
2457 | static bool rtCrX509CpvSoakUpNameConstraints(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAMECONSTRAINTS pNameConstraints)
|
---|
2458 | {
|
---|
2459 | if (pNameConstraints->T0.PermittedSubtrees.cItems > 0)
|
---|
2460 | if (!rtCrX509CpvIntersectionPermittedSubtrees(pThis, &pNameConstraints->T0.PermittedSubtrees))
|
---|
2461 | return false;
|
---|
2462 |
|
---|
2463 | if (pNameConstraints->T1.ExcludedSubtrees.cItems > 0)
|
---|
2464 | if (!rtCrX509CpvAddExcludedSubtrees(pThis, &pNameConstraints->T1.ExcludedSubtrees))
|
---|
2465 | return false;
|
---|
2466 |
|
---|
2467 | return true;
|
---|
2468 | }
|
---|
2469 |
|
---|
2470 |
|
---|
2471 | /**
|
---|
2472 | * Step 6.1.4.i.
|
---|
2473 | */
|
---|
2474 | static bool rtCrX509CpvSoakUpPolicyConstraints(PRTCRX509CERTPATHSINT pThis, PCRTCRX509POLICYCONSTRAINTS pPolicyConstraints)
|
---|
2475 | {
|
---|
2476 | if (RTAsn1Integer_IsPresent(&pPolicyConstraints->RequireExplicitPolicy))
|
---|
2477 | {
|
---|
2478 | if (RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->RequireExplicitPolicy, pThis->v.cExplicitPolicy) < 0)
|
---|
2479 | pThis->v.cExplicitPolicy = pPolicyConstraints->RequireExplicitPolicy.uValue.s.Lo;
|
---|
2480 | }
|
---|
2481 |
|
---|
2482 | if (RTAsn1Integer_IsPresent(&pPolicyConstraints->InhibitPolicyMapping))
|
---|
2483 | {
|
---|
2484 | if (RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->InhibitPolicyMapping, pThis->v.cInhibitPolicyMapping) < 0)
|
---|
2485 | pThis->v.cInhibitPolicyMapping = pPolicyConstraints->InhibitPolicyMapping.uValue.s.Lo;
|
---|
2486 | }
|
---|
2487 | return true;
|
---|
2488 | }
|
---|
2489 |
|
---|
2490 |
|
---|
2491 | /**
|
---|
2492 | * Step 6.1.4.j.
|
---|
2493 | */
|
---|
2494 | static bool rtCrX509CpvSoakUpInhibitAnyPolicy(PRTCRX509CERTPATHSINT pThis, PCRTASN1INTEGER pInhibitAnyPolicy)
|
---|
2495 | {
|
---|
2496 | if (RTAsn1Integer_UnsignedCompareWithU32(pInhibitAnyPolicy, pThis->v.cInhibitAnyPolicy) < 0)
|
---|
2497 | pThis->v.cInhibitAnyPolicy = pInhibitAnyPolicy->uValue.s.Lo;
|
---|
2498 | return true;
|
---|
2499 | }
|
---|
2500 |
|
---|
2501 |
|
---|
2502 | /**
|
---|
2503 | * Steps 6.1.4.k, 6.1.4.l, 6.1.4.m, and 6.1.4.n.
|
---|
2504 | */
|
---|
2505 | static bool rtCrX509CpvCheckAndSoakUpBasicConstraintsAndKeyUsage(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode,
|
---|
2506 | bool fSelfIssued)
|
---|
2507 | {
|
---|
2508 | /* 6.1.4.k - If basic constraints present, CA must be set. */
|
---|
2509 | if (RTAsn1Integer_UnsignedCompareWithU32(&pNode->pCert->TbsCertificate.T0.Version, RTCRX509TBSCERTIFICATE_V3) != 0)
|
---|
2510 | {
|
---|
2511 | /* Note! Add flags if support for older certificates is needed later. */
|
---|
2512 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_V3_CERT,
|
---|
2513 | "Only version 3 certificates are supported (Version=%llu)",
|
---|
2514 | pNode->pCert->TbsCertificate.T0.Version.uValue);
|
---|
2515 | }
|
---|
2516 | PCRTCRX509BASICCONSTRAINTS pBasicConstraints = pNode->pCert->TbsCertificate.T3.pBasicConstraints;
|
---|
2517 | if (pBasicConstraints)
|
---|
2518 | {
|
---|
2519 | if (!pBasicConstraints->CA.fValue)
|
---|
2520 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_CA_CERT,
|
---|
2521 | "Intermediate certificate (#%u) is not marked as a CA", pThis->v.iNode);
|
---|
2522 | }
|
---|
2523 |
|
---|
2524 | /* 6.1.4.l - Work cMaxPathLength. */
|
---|
2525 | if (!fSelfIssued)
|
---|
2526 | {
|
---|
2527 | if (pThis->v.cMaxPathLength > 0)
|
---|
2528 | pThis->v.cMaxPathLength--;
|
---|
2529 | else
|
---|
2530 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_MAX_PATH_LENGTH,
|
---|
2531 | "Hit max path length at node #%u", pThis->v.iNode);
|
---|
2532 | }
|
---|
2533 |
|
---|
2534 | /* 6.1.4.m - Update cMaxPathLength if basic constrain field is present and smaller. */
|
---|
2535 | if (pBasicConstraints)
|
---|
2536 | {
|
---|
2537 | if (RTAsn1Integer_IsPresent(&pBasicConstraints->PathLenConstraint))
|
---|
2538 | if (RTAsn1Integer_UnsignedCompareWithU32(&pBasicConstraints->PathLenConstraint, pThis->v.cMaxPathLength) < 0)
|
---|
2539 | pThis->v.cMaxPathLength = pBasicConstraints->PathLenConstraint.uValue.s.Lo;
|
---|
2540 | }
|
---|
2541 |
|
---|
2542 | /* 6.1.4.n - Require keyCertSign in key usage if the extension is present. */
|
---|
2543 | PCRTCRX509TBSCERTIFICATE const pTbsCert = &pNode->pCert->TbsCertificate;
|
---|
2544 | if ( (pTbsCert->T3.fFlags & RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE)
|
---|
2545 | && !(pTbsCert->T3.fKeyUsage & RTCRX509CERT_KEY_USAGE_F_KEY_CERT_SIGN))
|
---|
2546 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_MISSING_KEY_CERT_SIGN,
|
---|
2547 | "Node #%u does not have KeyCertSign set (keyUsage=%#x)",
|
---|
2548 | pThis->v.iNode, pTbsCert->T3.fKeyUsage);
|
---|
2549 |
|
---|
2550 | return true;
|
---|
2551 | }
|
---|
2552 |
|
---|
2553 |
|
---|
2554 | /**
|
---|
2555 | * Step 6.1.4.o - check out critical extensions.
|
---|
2556 | */
|
---|
2557 | static bool rtCrX509CpvCheckCriticalExtensions(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
|
---|
2558 | {
|
---|
2559 | uint32_t cLeft = pNode->pCert->TbsCertificate.T3.Extensions.cItems;
|
---|
2560 | PRTCRX509EXTENSION const *ppCur = pNode->pCert->TbsCertificate.T3.Extensions.papItems;
|
---|
2561 | while (cLeft-- > 0)
|
---|
2562 | {
|
---|
2563 | PCRTCRX509EXTENSION const pCur = *ppCur;
|
---|
2564 | if (pCur->Critical.fValue)
|
---|
2565 | {
|
---|
2566 | if ( RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_KEY_USAGE_OID) != 0
|
---|
2567 | && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID) != 0
|
---|
2568 | && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_ISSUER_ALT_NAME_OID) != 0
|
---|
2569 | && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID) != 0
|
---|
2570 | && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_NAME_CONSTRAINTS_OID) != 0
|
---|
2571 | && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID) != 0
|
---|
2572 | && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_POLICY_MAPPINGS_OID) != 0
|
---|
2573 | && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID) != 0
|
---|
2574 | && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_EXT_KEY_USAGE_OID) != 0
|
---|
2575 | && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID) != 0
|
---|
2576 | && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_APPLICATION_OID) != 0
|
---|
2577 | && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_INSTALLER_OID) != 0
|
---|
2578 | && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_KEXT_OID) != 0
|
---|
2579 | && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_IPHONE_SW_DEV_OID) != 0
|
---|
2580 | && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_MAC_SW_DEV_OID) != 0
|
---|
2581 | )
|
---|
2582 | {
|
---|
2583 | /* @bugref{10130}: An IntelGraphicsPE2021 cert issued by iKG_AZSKGFDCS has a critical subjectKeyIdentifier
|
---|
2584 | which we quietly ignore here. RFC-5280 conforming CAs should not mark this as critical.
|
---|
2585 | On an end entity this extension can have relevance to path construction. */
|
---|
2586 | if ( pNode->uSrc == RTCRX509CERTPATHNODE_SRC_TARGET
|
---|
2587 | && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID) == 0)
|
---|
2588 | LogFunc(("Ignoring non-standard subjectKeyIdentifier on target certificate.\n"));
|
---|
2589 | else
|
---|
2590 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNKNOWN_CRITICAL_EXTENSION,
|
---|
2591 | "Node #%u has an unknown critical extension: %s",
|
---|
2592 | pThis->v.iNode, pCur->ExtnId.szObjId);
|
---|
2593 | }
|
---|
2594 | }
|
---|
2595 |
|
---|
2596 | ppCur++;
|
---|
2597 | }
|
---|
2598 |
|
---|
2599 | return true;
|
---|
2600 | }
|
---|
2601 |
|
---|
2602 |
|
---|
2603 | /**
|
---|
2604 | * Step 6.1.5 - The wrapping up.
|
---|
2605 | */
|
---|
2606 | static bool rtCrX509CpvWrapUp(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
|
---|
2607 | {
|
---|
2608 | Assert(!pNode->pParent); Assert(pThis->pTarget == pNode->pCert);
|
---|
2609 |
|
---|
2610 | /*
|
---|
2611 | * 6.1.5.a - Decrement explicit policy.
|
---|
2612 | */
|
---|
2613 | if (pThis->v.cExplicitPolicy > 0)
|
---|
2614 | pThis->v.cExplicitPolicy--;
|
---|
2615 |
|
---|
2616 | /*
|
---|
2617 | * 6.1.5.b - Policy constraints and explicit policy.
|
---|
2618 | */
|
---|
2619 | PCRTCRX509POLICYCONSTRAINTS pPolicyConstraints = pNode->pCert->TbsCertificate.T3.pPolicyConstraints;
|
---|
2620 | if ( pPolicyConstraints
|
---|
2621 | && RTAsn1Integer_IsPresent(&pPolicyConstraints->RequireExplicitPolicy)
|
---|
2622 | && RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->RequireExplicitPolicy, 0) == 0)
|
---|
2623 | pThis->v.cExplicitPolicy = 0;
|
---|
2624 |
|
---|
2625 | /*
|
---|
2626 | * 6.1.5.c-e - Update working public key info.
|
---|
2627 | */
|
---|
2628 | rtCrX509CpvSetWorkingPublicKeyInfo(pThis, pNode);
|
---|
2629 |
|
---|
2630 | /*
|
---|
2631 | * 6.1.5.f - Critical extensions.
|
---|
2632 | */
|
---|
2633 | if (!rtCrX509CpvCheckCriticalExtensions(pThis, pNode))
|
---|
2634 | return false;
|
---|
2635 |
|
---|
2636 | /*
|
---|
2637 | * 6.1.5.g - Calculate the intersection between the user initial policy set
|
---|
2638 | * and the valid policy tree.
|
---|
2639 | */
|
---|
2640 | rtCrX509CpvPolicyTreeIntersect(pThis, pThis->cInitialUserPolicySet, pThis->papInitialUserPolicySet);
|
---|
2641 |
|
---|
2642 | if ( pThis->v.cExplicitPolicy == 0
|
---|
2643 | && pThis->v.pValidPolicyTree == NULL)
|
---|
2644 | return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NO_VALID_POLICY, "No valid policy (wrap-up).");
|
---|
2645 |
|
---|
2646 | return true;
|
---|
2647 | }
|
---|
2648 |
|
---|
2649 |
|
---|
2650 | /**
|
---|
2651 | * Worker that validates one path.
|
---|
2652 | *
|
---|
2653 | * This implements the algorithm in RFC-5280, section 6.1, with exception of
|
---|
2654 | * the CRL checks in 6.1.3.a.3.
|
---|
2655 | *
|
---|
2656 | * @returns success indicator.
|
---|
2657 | * @param pThis The path builder & validator instance.
|
---|
2658 | * @param pTrustAnchor The trust anchor node.
|
---|
2659 | */
|
---|
2660 | static bool rtCrX509CpvOneWorker(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pTrustAnchor)
|
---|
2661 | {
|
---|
2662 | /*
|
---|
2663 | * Init.
|
---|
2664 | */
|
---|
2665 | rtCrX509CpvInit(pThis, pTrustAnchor);
|
---|
2666 | if (RT_SUCCESS(pThis->rc))
|
---|
2667 | {
|
---|
2668 | /*
|
---|
2669 | * Maybe do some trust anchor checks.
|
---|
2670 | */
|
---|
2671 | if (!rtCrX509CpvMaybeCheckTrustAnchor(pThis, pTrustAnchor))
|
---|
2672 | {
|
---|
2673 | AssertStmt(RT_FAILURE_NP(pThis->rc), pThis->rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR);
|
---|
2674 | return false;
|
---|
2675 | }
|
---|
2676 |
|
---|
2677 | /*
|
---|
2678 | * Special case, target certificate is trusted.
|
---|
2679 | */
|
---|
2680 | if (!pTrustAnchor->pParent)
|
---|
2681 | return true; /* rtCrX509CpvWrapUp should not be needed here. */
|
---|
2682 |
|
---|
2683 | /*
|
---|
2684 | * Normal processing.
|
---|
2685 | */
|
---|
2686 | PRTCRX509CERTPATHNODE pNode = pTrustAnchor->pParent;
|
---|
2687 | uint32_t iNode = pThis->v.iNode = 1; /* We count to cNode (inclusive). Same a validation tree depth. */
|
---|
2688 | while (pNode && RT_SUCCESS(pThis->rc))
|
---|
2689 | {
|
---|
2690 | /*
|
---|
2691 | * Basic certificate processing.
|
---|
2692 | */
|
---|
2693 | if (!rtCrX509CpvCheckBasicCertInfo(pThis, pNode)) /* Step 6.1.3.a */
|
---|
2694 | break;
|
---|
2695 |
|
---|
2696 | bool const fSelfIssued = rtCrX509CertPathsIsSelfIssued(pNode);
|
---|
2697 | if (!fSelfIssued || !pNode->pParent) /* Step 6.1.3.b-c */
|
---|
2698 | if (!rtCrX509CpvCheckNameConstraints(pThis, pNode))
|
---|
2699 | break;
|
---|
2700 |
|
---|
2701 | if (!rtCrX509CpvWorkValidPolicyTree(pThis, iNode, pNode, fSelfIssued)) /* Step 6.1.3.d-f */
|
---|
2702 | break;
|
---|
2703 |
|
---|
2704 | /*
|
---|
2705 | * If it's the last certificate in the path, do wrap-ups.
|
---|
2706 | */
|
---|
2707 | if (!pNode->pParent) /* Step 6.1.5 */
|
---|
2708 | {
|
---|
2709 | Assert(iNode == pThis->v.cNodes);
|
---|
2710 | if (!rtCrX509CpvWrapUp(pThis, pNode))
|
---|
2711 | break;
|
---|
2712 | AssertRCBreak(pThis->rc);
|
---|
2713 | return true;
|
---|
2714 | }
|
---|
2715 |
|
---|
2716 | /*
|
---|
2717 | * Preparations for the next certificate.
|
---|
2718 | */
|
---|
2719 | PCRTCRX509TBSCERTIFICATE const pTbsCert = &pNode->pCert->TbsCertificate;
|
---|
2720 | if ( pTbsCert->T3.pPolicyMappings
|
---|
2721 | && !rtCrX509CpvSoakUpPolicyMappings(pThis, iNode, pTbsCert->T3.pPolicyMappings)) /* Step 6.1.4.a-b */
|
---|
2722 | break;
|
---|
2723 |
|
---|
2724 | pThis->v.pWorkingIssuer = &pTbsCert->Subject; /* Step 6.1.4.c */
|
---|
2725 |
|
---|
2726 | rtCrX509CpvSetWorkingPublicKeyInfo(pThis, pNode); /* Step 6.1.4.d-f */
|
---|
2727 |
|
---|
2728 | if ( pTbsCert->T3.pNameConstraints /* Step 6.1.4.g */
|
---|
2729 | && !rtCrX509CpvSoakUpNameConstraints(pThis, pTbsCert->T3.pNameConstraints))
|
---|
2730 | break;
|
---|
2731 |
|
---|
2732 | if (!fSelfIssued) /* Step 6.1.4.h */
|
---|
2733 | {
|
---|
2734 | if (pThis->v.cExplicitPolicy > 0)
|
---|
2735 | pThis->v.cExplicitPolicy--;
|
---|
2736 | if (pThis->v.cInhibitPolicyMapping > 0)
|
---|
2737 | pThis->v.cInhibitPolicyMapping--;
|
---|
2738 | if (pThis->v.cInhibitAnyPolicy > 0)
|
---|
2739 | pThis->v.cInhibitAnyPolicy--;
|
---|
2740 | }
|
---|
2741 |
|
---|
2742 | if ( pTbsCert->T3.pPolicyConstraints /* Step 6.1.4.j */
|
---|
2743 | && !rtCrX509CpvSoakUpPolicyConstraints(pThis, pTbsCert->T3.pPolicyConstraints))
|
---|
2744 | break;
|
---|
2745 |
|
---|
2746 | if ( pTbsCert->T3.pInhibitAnyPolicy /* Step 6.1.4.j */
|
---|
2747 | && !rtCrX509CpvSoakUpInhibitAnyPolicy(pThis, pTbsCert->T3.pInhibitAnyPolicy))
|
---|
2748 | break;
|
---|
2749 |
|
---|
2750 | if (!rtCrX509CpvCheckAndSoakUpBasicConstraintsAndKeyUsage(pThis, pNode, fSelfIssued)) /* Step 6.1.4.k-n */
|
---|
2751 | break;
|
---|
2752 |
|
---|
2753 | if (!rtCrX509CpvCheckCriticalExtensions(pThis, pNode)) /* Step 6.1.4.o */
|
---|
2754 | break;
|
---|
2755 |
|
---|
2756 | /*
|
---|
2757 | * Advance to the next certificate.
|
---|
2758 | */
|
---|
2759 | pNode = pNode->pParent;
|
---|
2760 | pThis->v.iNode = ++iNode;
|
---|
2761 | }
|
---|
2762 | AssertStmt(RT_FAILURE_NP(pThis->rc), pThis->rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR);
|
---|
2763 | }
|
---|
2764 | return false;
|
---|
2765 | }
|
---|
2766 |
|
---|
2767 |
|
---|
2768 | RTDECL(int) RTCrX509CertPathsValidateOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, PRTERRINFO pErrInfo)
|
---|
2769 | {
|
---|
2770 | /*
|
---|
2771 | * Validate the input.
|
---|
2772 | */
|
---|
2773 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
2774 | AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
|
---|
2775 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
|
---|
2776 | AssertReturn(!(pThis->fFlags & ~RTCRX509CERTPATHSINT_F_VALID_MASK), VERR_INVALID_PARAMETER);
|
---|
2777 | AssertPtrReturn(pThis->pTarget, VERR_INVALID_PARAMETER);
|
---|
2778 | AssertPtrReturn(pThis->pRoot, VERR_INVALID_PARAMETER);
|
---|
2779 | AssertReturn(pThis->rc == VINF_SUCCESS, VERR_INVALID_PARAMETER);
|
---|
2780 |
|
---|
2781 | /*
|
---|
2782 | * Locate the path and validate it.
|
---|
2783 | */
|
---|
2784 | int rc;
|
---|
2785 | if (iPath < pThis->cPaths)
|
---|
2786 | {
|
---|
2787 | PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
|
---|
2788 | if (pLeaf)
|
---|
2789 | {
|
---|
2790 | if (RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pLeaf->uSrc))
|
---|
2791 | {
|
---|
2792 | pThis->pErrInfo = pErrInfo;
|
---|
2793 | rtCrX509CpvOneWorker(pThis, pLeaf);
|
---|
2794 | pThis->pErrInfo = NULL;
|
---|
2795 | rc = pThis->rc;
|
---|
2796 | pThis->rc = VINF_SUCCESS;
|
---|
2797 | }
|
---|
2798 | else
|
---|
2799 | rc = RTErrInfoSetF(pErrInfo, VERR_CR_X509_NO_TRUST_ANCHOR, "Path #%u is does not have a trust anchor: uSrc=%s",
|
---|
2800 | iPath, rtCrX509CertPathsNodeGetSourceName(pLeaf));
|
---|
2801 | pLeaf->rcVerify = rc;
|
---|
2802 | }
|
---|
2803 | else
|
---|
2804 | rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR;
|
---|
2805 | }
|
---|
2806 | else
|
---|
2807 | rc = VERR_NOT_FOUND;
|
---|
2808 | return rc;
|
---|
2809 | }
|
---|
2810 |
|
---|
2811 |
|
---|
2812 | RTDECL(int) RTCrX509CertPathsValidateAll(RTCRX509CERTPATHS hCertPaths, uint32_t *pcValidPaths, PRTERRINFO pErrInfo)
|
---|
2813 | {
|
---|
2814 | /*
|
---|
2815 | * Validate the input.
|
---|
2816 | */
|
---|
2817 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
2818 | AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
|
---|
2819 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
|
---|
2820 | AssertReturn(!(pThis->fFlags & ~RTCRX509CERTPATHSINT_F_VALID_MASK), VERR_INVALID_PARAMETER);
|
---|
2821 | AssertPtrReturn(pThis->pTarget, VERR_INVALID_PARAMETER);
|
---|
2822 | AssertPtrReturn(pThis->pRoot, VERR_INVALID_PARAMETER);
|
---|
2823 | AssertReturn(pThis->rc == VINF_SUCCESS, VERR_INVALID_PARAMETER);
|
---|
2824 | AssertPtrNullReturn(pcValidPaths, VERR_INVALID_POINTER);
|
---|
2825 |
|
---|
2826 | /*
|
---|
2827 | * Validate the paths.
|
---|
2828 | */
|
---|
2829 | pThis->pErrInfo = pErrInfo;
|
---|
2830 |
|
---|
2831 | int rcLastFailure = VINF_SUCCESS;
|
---|
2832 | uint32_t cValidPaths = 0;
|
---|
2833 | PRTCRX509CERTPATHNODE pCurLeaf;
|
---|
2834 | RTListForEach(&pThis->LeafList, pCurLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
|
---|
2835 | {
|
---|
2836 | if (RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCurLeaf->uSrc))
|
---|
2837 | {
|
---|
2838 | rtCrX509CpvOneWorker(hCertPaths, pCurLeaf);
|
---|
2839 | if (RT_SUCCESS(pThis->rc))
|
---|
2840 | cValidPaths++;
|
---|
2841 | else
|
---|
2842 | rcLastFailure = pThis->rc;
|
---|
2843 | pCurLeaf->rcVerify = pThis->rc;
|
---|
2844 | pThis->rc = VINF_SUCCESS;
|
---|
2845 | }
|
---|
2846 | else
|
---|
2847 | pCurLeaf->rcVerify = VERR_CR_X509_NO_TRUST_ANCHOR;
|
---|
2848 | }
|
---|
2849 |
|
---|
2850 | pThis->pErrInfo = NULL;
|
---|
2851 |
|
---|
2852 | if (pcValidPaths)
|
---|
2853 | *pcValidPaths = cValidPaths;
|
---|
2854 | if (cValidPaths > 0)
|
---|
2855 | return VINF_SUCCESS;
|
---|
2856 | if (RT_SUCCESS_NP(rcLastFailure))
|
---|
2857 | return RTErrInfoSetF(pErrInfo, VERR_CR_X509_CPV_NO_TRUSTED_PATHS,
|
---|
2858 | "None of the %u path(s) have a trust anchor.", pThis->cPaths);
|
---|
2859 | return rcLastFailure;
|
---|
2860 | }
|
---|
2861 |
|
---|
2862 |
|
---|
2863 | RTDECL(uint32_t) RTCrX509CertPathsGetPathCount(RTCRX509CERTPATHS hCertPaths)
|
---|
2864 | {
|
---|
2865 | /*
|
---|
2866 | * Validate the input.
|
---|
2867 | */
|
---|
2868 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
2869 | AssertPtrReturn(pThis, UINT32_MAX);
|
---|
2870 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, UINT32_MAX);
|
---|
2871 | AssertPtrReturn(pThis->pRoot, UINT32_MAX);
|
---|
2872 |
|
---|
2873 | /*
|
---|
2874 | * Return data.
|
---|
2875 | */
|
---|
2876 | return pThis->cPaths;
|
---|
2877 | }
|
---|
2878 |
|
---|
2879 |
|
---|
2880 | RTDECL(int) RTCrX509CertPathsQueryPathInfo(RTCRX509CERTPATHS hCertPaths, uint32_t iPath,
|
---|
2881 | bool *pfTrusted, uint32_t *pcNodes, PCRTCRX509NAME *ppSubject,
|
---|
2882 | PCRTCRX509SUBJECTPUBLICKEYINFO *ppPublicKeyInfo,
|
---|
2883 | PCRTCRX509CERTIFICATE *ppCert, PCRTCRCERTCTX *ppCertCtx,
|
---|
2884 | int *prcVerify)
|
---|
2885 | {
|
---|
2886 | /*
|
---|
2887 | * Validate the input.
|
---|
2888 | */
|
---|
2889 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
2890 | AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
|
---|
2891 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
|
---|
2892 | AssertPtrReturn(pThis->pRoot, VERR_WRONG_ORDER);
|
---|
2893 | AssertReturn(iPath < pThis->cPaths, VERR_NOT_FOUND);
|
---|
2894 |
|
---|
2895 | /*
|
---|
2896 | * Get the data.
|
---|
2897 | */
|
---|
2898 | PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
|
---|
2899 | AssertReturn(pLeaf, VERR_CR_X509_INTERNAL_ERROR);
|
---|
2900 |
|
---|
2901 | if (pfTrusted)
|
---|
2902 | *pfTrusted = RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pLeaf->uSrc);
|
---|
2903 |
|
---|
2904 | if (pcNodes)
|
---|
2905 | *pcNodes = pLeaf->uDepth + 1; /* Includes both trust anchor and target. */
|
---|
2906 |
|
---|
2907 | if (ppSubject)
|
---|
2908 | *ppSubject = pLeaf->pCert ? &pLeaf->pCert->TbsCertificate.Subject : &pLeaf->pCertCtx->pTaInfo->CertPath.TaName;
|
---|
2909 |
|
---|
2910 | if (ppPublicKeyInfo)
|
---|
2911 | *ppPublicKeyInfo = pLeaf->pCert ? &pLeaf->pCert->TbsCertificate.SubjectPublicKeyInfo : &pLeaf->pCertCtx->pTaInfo->PubKey;
|
---|
2912 |
|
---|
2913 | if (ppCert)
|
---|
2914 | *ppCert = pLeaf->pCert;
|
---|
2915 |
|
---|
2916 | if (ppCertCtx)
|
---|
2917 | {
|
---|
2918 | if (pLeaf->pCertCtx)
|
---|
2919 | {
|
---|
2920 | uint32_t cRefs = RTCrCertCtxRetain(pLeaf->pCertCtx);
|
---|
2921 | AssertReturn(cRefs != UINT32_MAX, VERR_CR_X509_INTERNAL_ERROR);
|
---|
2922 | }
|
---|
2923 | *ppCertCtx = pLeaf->pCertCtx;
|
---|
2924 | }
|
---|
2925 |
|
---|
2926 | if (prcVerify)
|
---|
2927 | *prcVerify = pLeaf->rcVerify;
|
---|
2928 |
|
---|
2929 | return VINF_SUCCESS;
|
---|
2930 | }
|
---|
2931 |
|
---|
2932 |
|
---|
2933 | RTDECL(uint32_t) RTCrX509CertPathsGetPathLength(RTCRX509CERTPATHS hCertPaths, uint32_t iPath)
|
---|
2934 | {
|
---|
2935 | /*
|
---|
2936 | * Validate the input.
|
---|
2937 | */
|
---|
2938 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
2939 | AssertPtrReturn(pThis, UINT32_MAX);
|
---|
2940 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, UINT32_MAX);
|
---|
2941 | AssertPtrReturn(pThis->pRoot, UINT32_MAX);
|
---|
2942 | AssertReturn(iPath < pThis->cPaths, UINT32_MAX);
|
---|
2943 |
|
---|
2944 | /*
|
---|
2945 | * Get the data.
|
---|
2946 | */
|
---|
2947 | PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
|
---|
2948 | AssertReturn(pLeaf, UINT32_MAX);
|
---|
2949 | return pLeaf->uDepth + 1;
|
---|
2950 | }
|
---|
2951 |
|
---|
2952 |
|
---|
2953 | RTDECL(int) RTCrX509CertPathsGetPathVerifyResult(RTCRX509CERTPATHS hCertPaths, uint32_t iPath)
|
---|
2954 | {
|
---|
2955 | /*
|
---|
2956 | * Validate the input.
|
---|
2957 | */
|
---|
2958 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
2959 | AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
|
---|
2960 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
|
---|
2961 | AssertPtrReturn(pThis->pRoot, VERR_WRONG_ORDER);
|
---|
2962 | AssertReturn(iPath < pThis->cPaths, VERR_NOT_FOUND);
|
---|
2963 |
|
---|
2964 | /*
|
---|
2965 | * Get the data.
|
---|
2966 | */
|
---|
2967 | PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
|
---|
2968 | AssertReturn(pLeaf, VERR_CR_X509_INTERNAL_ERROR);
|
---|
2969 |
|
---|
2970 | return pLeaf->rcVerify;
|
---|
2971 | }
|
---|
2972 |
|
---|
2973 |
|
---|
2974 | static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetPathNodeByIndexes(PRTCRX509CERTPATHSINT pThis, uint32_t iPath, uint32_t iNode)
|
---|
2975 | {
|
---|
2976 | PRTCRX509CERTPATHNODE pNode = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
|
---|
2977 | Assert(pNode);
|
---|
2978 | if (pNode)
|
---|
2979 | {
|
---|
2980 | if (iNode <= pNode->uDepth)
|
---|
2981 | {
|
---|
2982 | uint32_t uCertDepth = pNode->uDepth - iNode;
|
---|
2983 | while (pNode->uDepth > uCertDepth)
|
---|
2984 | pNode = pNode->pParent;
|
---|
2985 | Assert(pNode);
|
---|
2986 | Assert(pNode && pNode->uDepth == uCertDepth);
|
---|
2987 | return pNode;
|
---|
2988 | }
|
---|
2989 | }
|
---|
2990 |
|
---|
2991 | return NULL;
|
---|
2992 | }
|
---|
2993 |
|
---|
2994 |
|
---|
2995 | RTDECL(PCRTCRX509CERTIFICATE) RTCrX509CertPathsGetPathNodeCert(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t iNode)
|
---|
2996 | {
|
---|
2997 | /*
|
---|
2998 | * Validate the input.
|
---|
2999 | */
|
---|
3000 | PRTCRX509CERTPATHSINT pThis = hCertPaths;
|
---|
3001 | AssertPtrReturn(pThis, NULL);
|
---|
3002 | AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, NULL);
|
---|
3003 | AssertPtrReturn(pThis->pRoot, NULL);
|
---|
3004 | AssertReturn(iPath < pThis->cPaths, NULL);
|
---|
3005 |
|
---|
3006 | /*
|
---|
3007 | * Get the data.
|
---|
3008 | */
|
---|
3009 | PRTCRX509CERTPATHNODE pNode = rtCrX509CertPathsGetPathNodeByIndexes(pThis, iPath, iNode);
|
---|
3010 | if (pNode)
|
---|
3011 | return pNode->pCert;
|
---|
3012 | return NULL;
|
---|
3013 | }
|
---|
3014 |
|
---|
3015 |
|
---|
3016 | /** @} */
|
---|
3017 |
|
---|