VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/x509-certpaths.cpp@ 82968

Last change on this file since 82968 was 82968, checked in by vboxsync, 5 years ago

Copyright year updates by scm.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 106.7 KB
Line 
1/* $Id: x509-certpaths.cpp 82968 2020-02-04 10:35:17Z vboxsync $ */
2/** @file
3 * IPRT - Crypto - X.509, Simple Certificate Path Builder & Validator.
4 */
5
6/*
7 * Copyright (C) 2006-2020 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#define LOG_GROUP RTLOGGROUP_CRYPTO
32#include "internal/iprt.h"
33#include <iprt/crypto/x509.h>
34
35#include <iprt/asm.h>
36#include <iprt/ctype.h>
37#include <iprt/err.h>
38#include <iprt/mem.h>
39#include <iprt/string.h>
40#include <iprt/list.h>
41#include <iprt/log.h>
42#include <iprt/time.h>
43#include <iprt/crypto/applecodesign.h> /* critical extension OIDs */
44#include <iprt/crypto/pkcs7.h> /* PCRTCRPKCS7SETOFCERTS */
45#include <iprt/crypto/store.h>
46
47#include "x509-internal.h"
48
49
50/*********************************************************************************************************************************
51* Structures and Typedefs *
52*********************************************************************************************************************************/
53/**
54 * X.509 certificate path node.
55 */
56typedef struct RTCRX509CERTPATHNODE
57{
58 /** Sibling list entry. */
59 RTLISTNODE SiblingEntry;
60 /** List of children or leaf list entry. */
61 RTLISTANCHOR ChildListOrLeafEntry;
62 /** Pointer to the parent node. NULL for root. */
63 struct RTCRX509CERTPATHNODE *pParent;
64
65 /** The distance between this node and the target. */
66 uint32_t uDepth : 8;
67 /** Indicates the source of this certificate. */
68 uint32_t uSrc : 3;
69 /** Set if this is a leaf node. */
70 uint32_t fLeaf : 1;
71 /** Makes sure it's a 32-bit bitfield. */
72 uint32_t uReserved : 20;
73
74 /** Leaf only: The result of the last path vertification. */
75 int rcVerify;
76
77 /** Pointer to the certificate. This can be NULL only for trust anchors. */
78 PCRTCRX509CERTIFICATE pCert;
79
80 /** If the certificate or trust anchor was obtained from a store, this is the
81 * associated certificate context (referenced of course). This is used to
82 * access the trust anchor information, if present.
83 *
84 * (If this is NULL it's from a certificate array or some such given directly to
85 * the path building code. It's assumed the caller doesn't free these until the
86 * path validation/whatever is done with and the paths destroyed.) */
87 PCRTCRCERTCTX pCertCtx;
88} RTCRX509CERTPATHNODE;
89/** Pointer to a X.509 path node. */
90typedef RTCRX509CERTPATHNODE *PRTCRX509CERTPATHNODE;
91
92/** @name RTCRX509CERTPATHNODE::uSrc values.
93 * The trusted and untrusted sources ordered in priority order, where higher
94 * number means high priority in case of duplicates.
95 * @{ */
96#define RTCRX509CERTPATHNODE_SRC_NONE 0
97#define RTCRX509CERTPATHNODE_SRC_TARGET 1
98#define RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET 2
99#define RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY 3
100#define RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE 4
101#define RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE 5
102#define RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT 6
103#define RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(uSrc) ((uSrc) >= RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE)
104/** @} */
105
106
107/**
108 * Policy tree node.
109 */
110typedef struct RTCRX509CERTPATHSPOLICYNODE
111{
112 /** Sibling list entry. */
113 RTLISTNODE SiblingEntry;
114 /** Tree depth list entry. */
115 RTLISTNODE DepthEntry;
116 /** List of children or leaf list entry. */
117 RTLISTANCHOR ChildList;
118 /** Pointer to the parent. */
119 struct RTCRX509CERTPATHSPOLICYNODE *pParent;
120
121 /** The policy object ID. */
122 PCRTASN1OBJID pValidPolicy;
123
124 /** Optional sequence of policy qualifiers. */
125 PCRTCRX509POLICYQUALIFIERINFOS pPolicyQualifiers;
126
127 /** The first policy ID in the exepcted policy set. */
128 PCRTASN1OBJID pExpectedPolicyFirst;
129 /** Set if we've already mapped pExpectedPolicyFirst. */
130 bool fAlreadyMapped;
131 /** Number of additional items in the expected policy set. */
132 uint32_t cMoreExpectedPolicySet;
133 /** Additional items in the expected policy set. */
134 PCRTASN1OBJID *papMoreExpectedPolicySet;
135} RTCRX509CERTPATHSPOLICYNODE;
136/** Pointer to a policy tree node. */
137typedef RTCRX509CERTPATHSPOLICYNODE *PRTCRX509CERTPATHSPOLICYNODE;
138
139
140/**
141 * Path builder and validator instance.
142 *
143 * The path builder creates a tree of certificates by forward searching from the
144 * end-entity towards a trusted source. The leaf nodes are inserted into list
145 * ordered by the source of the leaf certificate and the path length (i.e. tree
146 * depth).
147 *
148 * The path validator works the tree from the leaf end and validates each
149 * potential path found by the builder. It is generally happy with one working
150 * path, but may be told to verify all of them.
151 */
152typedef struct RTCRX509CERTPATHSINT
153{
154 /** Magic number. */
155 uint32_t u32Magic;
156 /** Reference counter. */
157 uint32_t volatile cRefs;
158
159 /** @name Input
160 * @{ */
161 /** The target certificate (end entity) to build a trusted path for. */
162 PCRTCRX509CERTIFICATE pTarget;
163
164 /** Lone trusted certificate. */
165 PCRTCRX509CERTIFICATE pTrustedCert;
166 /** Store of trusted certificates. */
167 RTCRSTORE hTrustedStore;
168
169 /** Store of untrusted certificates. */
170 RTCRSTORE hUntrustedStore;
171 /** Array of untrusted certificates, typically from the protocol. */
172 PCRTCRX509CERTIFICATE paUntrustedCerts;
173 /** Number of entries in paUntrusted. */
174 uint32_t cUntrustedCerts;
175 /** Set of untrusted PKCS \#7 / CMS certificatess. */
176 PCRTCRPKCS7SETOFCERTS pUntrustedCertsSet;
177
178 /** UTC time we're going to validate the path at, requires
179 * RTCRX509CERTPATHSINT_F_VALID_TIME to be set. */
180 RTTIMESPEC ValidTime;
181 /** Number of policy OIDs in the user initial policy set, 0 means anyPolicy. */
182 uint32_t cInitialUserPolicySet;
183 /** The user initial policy set. As with all other user provided data, we
184 * assume it's immutable and remains valid for the usage period of the path
185 * builder & validator. */
186 PCRTASN1OBJID *papInitialUserPolicySet;
187 /** Number of certificates before the user wants an explicit policy result.
188 * Set to UINT32_MAX no explicit policy restriction required by the user. */
189 uint32_t cInitialExplicitPolicy;
190 /** Number of certificates before the user wants policy mapping to be
191 * inhibited. Set to UINT32_MAX if no initial policy mapping inhibition
192 * desired by the user. */
193 uint32_t cInitialPolicyMappingInhibit;
194 /** Number of certificates before the user wants the anyPolicy to be rejected.
195 * Set to UINT32_MAX no explicit policy restriction required by the user. */
196 uint32_t cInitialInhibitAnyPolicy;
197 /** Initial name restriction: Permitted subtrees. */
198 PCRTCRX509GENERALSUBTREES pInitialPermittedSubtrees;
199 /** Initial name restriction: Excluded subtrees. */
200 PCRTCRX509GENERALSUBTREES pInitialExcludedSubtrees;
201
202 /** Flags RTCRX509CERTPATHSINT_F_XXX. */
203 uint32_t fFlags;
204 /** @} */
205
206 /** Sticky status for remembering allocation errors and the like. */
207 int32_t rc;
208 /** Where to store extended error info (optional). */
209 PRTERRINFO pErrInfo;
210
211 /** @name Path Builder Output
212 * @{ */
213 /** Pointer to the root of the tree. This will always be non-NULL after path
214 * building and thus can be reliably used to tell if path building has taken
215 * place or not. */
216 PRTCRX509CERTPATHNODE pRoot;
217 /** List of working leaf tree nodes. */
218 RTLISTANCHOR LeafList;
219 /** The number of paths (leafs). */
220 uint32_t cPaths;
221 /** @} */
222
223 /** Path Validator State. */
224 struct
225 {
226 /** Number of nodes in the certificate path we're validating (aka 'n'). */
227 uint32_t cNodes;
228 /** The current node (0 being the trust anchor). */
229 uint32_t iNode;
230
231 /** The root node of the valid policy tree. */
232 PRTCRX509CERTPATHSPOLICYNODE pValidPolicyTree;
233 /** An array of length cNodes + 1 which tracks all nodes at the given (index)
234 * tree depth via the RTCRX509CERTPATHSPOLICYNODE::DepthEntry member. */
235 PRTLISTANCHOR paValidPolicyDepthLists;
236
237 /** Number of entries in paPermittedSubtrees (name constraints).
238 * If zero, no permitted name constrains currently in effect. */
239 uint32_t cPermittedSubtrees;
240 /** The allocated size of papExcludedSubtrees */
241 uint32_t cPermittedSubtreesAlloc;
242 /** Array of permitted subtrees we've collected so far (name constraints). */
243 PCRTCRX509GENERALSUBTREE *papPermittedSubtrees;
244 /** Set if we end up with an empty set after calculating a name constraints
245 * union. */
246 bool fNoPermittedSubtrees;
247
248 /** Number of entries in paExcludedSubtrees (name constraints).
249 * If zero, no excluded name constrains currently in effect. */
250 uint32_t cExcludedSubtrees;
251 /** Array of excluded subtrees we've collected so far (name constraints). */
252 PCRTCRX509GENERALSUBTREES *papExcludedSubtrees;
253
254 /** Number of non-self-issued certificates to be processed before a non-NULL
255 * paValidPolicyTree is required. */
256 uint32_t cExplicitPolicy;
257 /** Number of non-self-issued certificates to be processed we stop processing
258 * policy mapping extensions. */
259 uint32_t cInhibitPolicyMapping;
260 /** Number of non-self-issued certificates to be processed before a the
261 * anyPolicy is rejected. */
262 uint32_t cInhibitAnyPolicy;
263 /** Number of non-self-issued certificates we're allowed to process. */
264 uint32_t cMaxPathLength;
265
266 /** The working issuer name. */
267 PCRTCRX509NAME pWorkingIssuer;
268 /** The working public key algorithm ID. */
269 PCRTASN1OBJID pWorkingPublicKeyAlgorithm;
270 /** The working public key algorithm parameters. */
271 PCRTASN1DYNTYPE pWorkingPublicKeyParameters;
272 /** A bit string containing the public key. */
273 PCRTASN1BITSTRING pWorkingPublicKey;
274 } v;
275
276 /** An object identifier initialized to anyPolicy. */
277 RTASN1OBJID AnyPolicyObjId;
278
279 /** Temporary scratch space. */
280 char szTmp[1024];
281} RTCRX509CERTPATHSINT;
282typedef RTCRX509CERTPATHSINT *PRTCRX509CERTPATHSINT;
283
284/** Magic value for RTCRX509CERTPATHSINT::u32Magic (Bruce Schneier). */
285#define RTCRX509CERTPATHSINT_MAGIC UINT32_C(0x19630115)
286
287/** @name RTCRX509CERTPATHSINT_F_XXX - Certificate path build flags.
288 * @{ */
289#define RTCRX509CERTPATHSINT_F_VALID_TIME RT_BIT_32(0)
290#define RTCRX509CERTPATHSINT_F_ELIMINATE_UNTRUSTED_PATHS RT_BIT_32(1)
291#define RTCRX509CERTPATHSINT_F_VALID_MASK UINT32_C(0x00000003)
292/** @} */
293
294
295/*********************************************************************************************************************************
296* Internal Functions *
297*********************************************************************************************************************************/
298static void rtCrX509CertPathsDestroyTree(PRTCRX509CERTPATHSINT pThis);
299static void rtCrX509CpvCleanup(PRTCRX509CERTPATHSINT pThis);
300
301
302/** @name Path Builder and Validator Config APIs
303 * @{
304 */
305
306RTDECL(int) RTCrX509CertPathsCreate(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget)
307{
308 AssertPtrReturn(phCertPaths, VERR_INVALID_POINTER);
309
310 PRTCRX509CERTPATHSINT pThis = (PRTCRX509CERTPATHSINT)RTMemAllocZ(sizeof(*pThis));
311 if (pThis)
312 {
313 int rc = RTAsn1ObjId_InitFromString(&pThis->AnyPolicyObjId, RTCRX509_ID_CE_CP_ANY_POLICY_OID, &g_RTAsn1DefaultAllocator);
314 if (RT_SUCCESS(rc))
315 {
316 pThis->u32Magic = RTCRX509CERTPATHSINT_MAGIC;
317 pThis->cRefs = 1;
318 pThis->pTarget = pTarget;
319 pThis->hTrustedStore = NIL_RTCRSTORE;
320 pThis->hUntrustedStore = NIL_RTCRSTORE;
321 pThis->cInitialExplicitPolicy = UINT32_MAX;
322 pThis->cInitialPolicyMappingInhibit = UINT32_MAX;
323 pThis->cInitialInhibitAnyPolicy = UINT32_MAX;
324 pThis->rc = VINF_SUCCESS;
325 RTListInit(&pThis->LeafList);
326 *phCertPaths = pThis;
327 return VINF_SUCCESS;
328 }
329 return rc;
330 }
331 return VERR_NO_MEMORY;
332}
333
334
335RTDECL(uint32_t) RTCrX509CertPathsRetain(RTCRX509CERTPATHS hCertPaths)
336{
337 PRTCRX509CERTPATHSINT pThis = hCertPaths;
338 AssertPtrReturn(pThis, UINT32_MAX);
339
340 uint32_t cRefs = ASMAtomicIncU32(&pThis->cRefs);
341 Assert(cRefs > 0 && cRefs < 64);
342 return cRefs;
343}
344
345
346RTDECL(uint32_t) RTCrX509CertPathsRelease(RTCRX509CERTPATHS hCertPaths)
347{
348 uint32_t cRefs;
349 if (hCertPaths != NIL_RTCRX509CERTPATHS)
350 {
351 PRTCRX509CERTPATHSINT pThis = hCertPaths;
352 AssertPtrReturn(pThis, UINT32_MAX);
353 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, UINT32_MAX);
354
355 cRefs = ASMAtomicDecU32(&pThis->cRefs);
356 Assert(cRefs < 64);
357 if (!cRefs)
358 {
359 /*
360 * No more references, destroy the whole thing.
361 */
362 ASMAtomicWriteU32(&pThis->u32Magic, ~RTCRX509CERTPATHSINT_MAGIC);
363
364 /* config */
365 pThis->pTarget = NULL; /* Referencing user memory. */
366 pThis->pTrustedCert = NULL; /* Referencing user memory. */
367 RTCrStoreRelease(pThis->hTrustedStore);
368 pThis->hTrustedStore = NIL_RTCRSTORE;
369 RTCrStoreRelease(pThis->hUntrustedStore);
370 pThis->hUntrustedStore = NIL_RTCRSTORE;
371 pThis->paUntrustedCerts = NULL; /* Referencing user memory. */
372 pThis->pUntrustedCertsSet = NULL; /* Referencing user memory. */
373 pThis->papInitialUserPolicySet = NULL; /* Referencing user memory. */
374 pThis->pInitialPermittedSubtrees = NULL; /* Referencing user memory. */
375 pThis->pInitialExcludedSubtrees = NULL; /* Referencing user memory. */
376
377 /* builder */
378 rtCrX509CertPathsDestroyTree(pThis);
379
380 /* validator */
381 rtCrX509CpvCleanup(pThis);
382
383 /* misc */
384 RTAsn1VtDelete(&pThis->AnyPolicyObjId.Asn1Core);
385
386 /* Finally, the instance itself. */
387 RTMemFree(pThis);
388 }
389 }
390 else
391 cRefs = 0;
392 return cRefs;
393}
394
395
396
397RTDECL(int) RTCrX509CertPathsSetTrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hTrustedStore)
398{
399 PRTCRX509CERTPATHSINT pThis = hCertPaths;
400 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
401 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
402 AssertReturn(pThis->pRoot == NULL, VERR_WRONG_ORDER);
403
404 if (pThis->hTrustedStore != NIL_RTCRSTORE)
405 {
406 RTCrStoreRelease(pThis->hTrustedStore);
407 pThis->hTrustedStore = NIL_RTCRSTORE;
408 }
409 if (hTrustedStore != NIL_RTCRSTORE)
410 {
411 AssertReturn(RTCrStoreRetain(hTrustedStore) != UINT32_MAX, VERR_INVALID_HANDLE);
412 pThis->hTrustedStore = hTrustedStore;
413 }
414 return VINF_SUCCESS;
415}
416
417
418RTDECL(int) RTCrX509CertPathsSetUntrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hUntrustedStore)
419{
420 PRTCRX509CERTPATHSINT pThis = hCertPaths;
421 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
422 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
423 AssertReturn(pThis->pRoot == NULL, VERR_WRONG_ORDER);
424
425 if (pThis->hUntrustedStore != NIL_RTCRSTORE)
426 {
427 RTCrStoreRelease(pThis->hUntrustedStore);
428 pThis->hUntrustedStore = NIL_RTCRSTORE;
429 }
430 if (hUntrustedStore != NIL_RTCRSTORE)
431 {
432 AssertReturn(RTCrStoreRetain(hUntrustedStore) != UINT32_MAX, VERR_INVALID_HANDLE);
433 pThis->hUntrustedStore = hUntrustedStore;
434 }
435 return VINF_SUCCESS;
436}
437
438
439RTDECL(int) RTCrX509CertPathsSetUntrustedArray(RTCRX509CERTPATHS hCertPaths, PCRTCRX509CERTIFICATE paCerts, uint32_t cCerts)
440{
441 PRTCRX509CERTPATHSINT pThis = hCertPaths;
442 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
443 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
444
445 pThis->paUntrustedCerts = paCerts;
446 pThis->cUntrustedCerts = cCerts;
447 return VINF_SUCCESS;
448}
449
450
451RTDECL(int) RTCrX509CertPathsSetUntrustedSet(RTCRX509CERTPATHS hCertPaths, PCRTCRPKCS7SETOFCERTS pSetOfCerts)
452{
453 PRTCRX509CERTPATHSINT pThis = hCertPaths;
454 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
455 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
456
457 pThis->pUntrustedCertsSet = pSetOfCerts;
458 return VINF_SUCCESS;
459}
460
461
462RTDECL(int) RTCrX509CertPathsSetValidTime(RTCRX509CERTPATHS hCertPaths, PCRTTIME pTime)
463{
464 PRTCRX509CERTPATHSINT pThis = hCertPaths;
465 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
466 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
467
468 /* Allow this after building paths, as it's only used during verification. */
469
470 if (pTime)
471 {
472 if (RTTimeImplode(&pThis->ValidTime, pTime))
473 return VERR_INVALID_PARAMETER;
474 pThis->fFlags |= RTCRX509CERTPATHSINT_F_VALID_TIME;
475 }
476 else
477 pThis->fFlags &= ~RTCRX509CERTPATHSINT_F_VALID_TIME;
478 return VINF_SUCCESS;
479}
480
481
482RTDECL(int) RTCrX509CertPathsSetValidTimeSpec(RTCRX509CERTPATHS hCertPaths, PCRTTIMESPEC pTimeSpec)
483{
484 PRTCRX509CERTPATHSINT pThis = hCertPaths;
485 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
486 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
487
488 /* Allow this after building paths, as it's only used during verification. */
489
490 if (pTimeSpec)
491 {
492 pThis->ValidTime = *pTimeSpec;
493 pThis->fFlags |= RTCRX509CERTPATHSINT_F_VALID_TIME;
494 }
495 else
496 pThis->fFlags &= ~RTCRX509CERTPATHSINT_F_VALID_TIME;
497 return VINF_SUCCESS;
498}
499
500
501RTDECL(int) RTCrX509CertPathsCreateEx(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget, RTCRSTORE hTrustedStore,
502 RTCRSTORE hUntrustedStore, PCRTCRX509CERTIFICATE paUntrustedCerts, uint32_t cUntrustedCerts,
503 PCRTTIMESPEC pValidTime)
504{
505 int rc = RTCrX509CertPathsCreate(phCertPaths, pTarget);
506 if (RT_SUCCESS(rc))
507 {
508 PRTCRX509CERTPATHSINT pThis = *phCertPaths;
509
510 rc = RTCrX509CertPathsSetTrustedStore(pThis, hTrustedStore);
511 if (RT_SUCCESS(rc))
512 {
513 rc = RTCrX509CertPathsSetUntrustedStore(pThis, hUntrustedStore);
514 if (RT_SUCCESS(rc))
515 {
516 rc = RTCrX509CertPathsSetUntrustedArray(pThis, paUntrustedCerts, cUntrustedCerts);
517 if (RT_SUCCESS(rc))
518 {
519 rc = RTCrX509CertPathsSetValidTimeSpec(pThis, pValidTime);
520 if (RT_SUCCESS(rc))
521 {
522 return VINF_SUCCESS;
523 }
524 }
525 RTCrStoreRelease(pThis->hUntrustedStore);
526 }
527 RTCrStoreRelease(pThis->hTrustedStore);
528 }
529 RTMemFree(pThis);
530 *phCertPaths = NIL_RTCRX509CERTPATHS;
531 }
532 return rc;
533}
534
535/** @} */
536
537
538
539/** @name Path Builder and Validator Common Utility Functions.
540 * @{
541 */
542
543/**
544 * Checks if the certificate is self-issued.
545 *
546 * @returns true / false.
547 * @param pNode The path node to check..
548 */
549static bool rtCrX509CertPathsIsSelfIssued(PRTCRX509CERTPATHNODE pNode)
550{
551 return pNode->pCert
552 && RTCrX509Name_MatchByRfc5280(&pNode->pCert->TbsCertificate.Subject, &pNode->pCert->TbsCertificate.Issuer);
553}
554
555/** @} */
556
557
558
559/** @name Path Builder Functions.
560 * @{
561 */
562
563/**
564 *
565 * @returns
566 * @param pThis .
567 */
568static PRTCRX509CERTPATHNODE rtCrX509CertPathsNewNode(PRTCRX509CERTPATHSINT pThis)
569{
570 PRTCRX509CERTPATHNODE pNode = (PRTCRX509CERTPATHNODE)RTMemAllocZ(sizeof(*pNode));
571 if (RT_LIKELY(pNode))
572 {
573 RTListInit(&pNode->SiblingEntry);
574 RTListInit(&pNode->ChildListOrLeafEntry);
575 pNode->rcVerify = VERR_CR_X509_NOT_VERIFIED;
576
577 return pNode;
578 }
579
580 pThis->rc = RTErrInfoSet(pThis->pErrInfo, VERR_NO_MEMORY, "No memory for path node");
581 return NULL;
582}
583
584
585static void rtCrX509CertPathsDestroyNode(PRTCRX509CERTPATHNODE pNode)
586{
587 if (pNode->pCertCtx)
588 {
589 RTCrCertCtxRelease(pNode->pCertCtx);
590 pNode->pCertCtx = NULL;
591 }
592 RT_ZERO(*pNode);
593 RTMemFree(pNode);
594}
595
596
597static void rtCrX509CertPathsAddIssuer(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pParent,
598 PCRTCRX509CERTIFICATE pCert, PCRTCRCERTCTX pCertCtx, uint8_t uSrc)
599{
600 /*
601 * Check if we've seen this certificate already in the current path or
602 * among the already gathered issuers.
603 */
604 if (pCert)
605 {
606 /* No duplicate certificates in the path. */
607 PRTCRX509CERTPATHNODE pTmpNode = pParent;
608 while (pTmpNode)
609 {
610 Assert(pTmpNode->pCert);
611 if ( pTmpNode->pCert == pCert
612 || RTCrX509Certificate_Compare(pTmpNode->pCert, pCert) == 0)
613 return;
614 pTmpNode = pTmpNode->pParent;
615 }
616
617 /* No duplicate tree branches. */
618 RTListForEach(&pParent->ChildListOrLeafEntry, pTmpNode, RTCRX509CERTPATHNODE, SiblingEntry)
619 {
620 if (RTCrX509Certificate_Compare(pTmpNode->pCert, pCert) == 0)
621 return;
622 }
623 }
624 else
625 Assert(pCertCtx);
626
627 /*
628 * Reference the context core before making the allocation.
629 */
630 if (pCertCtx)
631 AssertReturnVoidStmt(RTCrCertCtxRetain(pCertCtx) != UINT32_MAX,
632 pThis->rc = RTErrInfoSetF(pThis->pErrInfo, VERR_CR_X509_CPB_BAD_CERT_CTX,
633 "Bad pCertCtx=%p", pCertCtx));
634
635 /*
636 * We haven't see it, append it as a child.
637 */
638 PRTCRX509CERTPATHNODE pNew = rtCrX509CertPathsNewNode(pThis);
639 if (pNew)
640 {
641 pNew->pParent = pParent;
642 pNew->pCert = pCert;
643 pNew->pCertCtx = pCertCtx;
644 pNew->uSrc = uSrc;
645 pNew->uDepth = pParent->uDepth + 1;
646 RTListAppend(&pParent->ChildListOrLeafEntry, &pNew->SiblingEntry);
647 }
648 else
649 RTCrCertCtxRelease(pCertCtx);
650}
651
652
653static void rtCrX509CertPathsGetIssuersFromStore(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode,
654 PCRTCRX509NAME pIssuer, RTCRSTORE hStore, uint8_t uSrc)
655{
656 RTCRSTORECERTSEARCH Search;
657 int rc = RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280(hStore, pIssuer, &Search);
658 if (RT_SUCCESS(rc))
659 {
660 PCRTCRCERTCTX pCertCtx;
661 while ((pCertCtx = RTCrStoreCertSearchNext(hStore, &Search)) != NULL)
662 {
663 if ( pCertCtx->pCert
664 || ( RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(uSrc)
665 && pCertCtx->pTaInfo) )
666 rtCrX509CertPathsAddIssuer(pThis, pNode, pCertCtx->pCert, pCertCtx, uSrc);
667 RTCrCertCtxRelease(pCertCtx);
668 }
669 RTCrStoreCertSearchDestroy(hStore, &Search);
670 }
671}
672
673
674static void rtCrX509CertPathsGetIssuers(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
675{
676 Assert(RTListIsEmpty(&pNode->ChildListOrLeafEntry));
677 Assert(!pNode->fLeaf);
678 Assert(pNode->pCert);
679
680 /*
681 * Don't recurse infintely.
682 */
683 if (RT_UNLIKELY(pNode->uDepth >= 50))
684 return;
685
686 PCRTCRX509NAME const pIssuer = &pNode->pCert->TbsCertificate.Issuer;
687
688 /*
689 * Trusted certificate.
690 */
691 if ( pThis->pTrustedCert
692 && RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(pThis->pTrustedCert, pIssuer))
693 rtCrX509CertPathsAddIssuer(pThis, pNode, pThis->pTrustedCert, NULL, RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT);
694
695 /*
696 * Trusted certificate store.
697 */
698 if (pThis->hTrustedStore != NIL_RTCRSTORE)
699 rtCrX509CertPathsGetIssuersFromStore(pThis, pNode, pIssuer, pThis->hTrustedStore,
700 RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE);
701
702 /*
703 * Untrusted store.
704 */
705 if (pThis->hUntrustedStore != NIL_RTCRSTORE)
706 rtCrX509CertPathsGetIssuersFromStore(pThis, pNode, pIssuer, pThis->hTrustedStore,
707 RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE);
708
709 /*
710 * Untrusted array.
711 */
712 if (pThis->paUntrustedCerts)
713 for (uint32_t i = 0; i < pThis->cUntrustedCerts; i++)
714 if (RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(&pThis->paUntrustedCerts[i], pIssuer))
715 rtCrX509CertPathsAddIssuer(pThis, pNode, &pThis->paUntrustedCerts[i], NULL,
716 RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY);
717
718 /** @todo Rainy day: Should abstract the untrusted array and set so we don't get
719 * unnecessary PKCS7/CMS header dependencies. */
720
721 /*
722 * Untrusted set.
723 */
724 if (pThis->pUntrustedCertsSet)
725 {
726 uint32_t const cCerts = pThis->pUntrustedCertsSet->cItems;
727 PRTCRPKCS7CERT const *papCerts = pThis->pUntrustedCertsSet->papItems;
728 for (uint32_t i = 0; i < cCerts; i++)
729 {
730 PCRTCRPKCS7CERT pCert = papCerts[i];
731 if ( pCert->enmChoice == RTCRPKCS7CERTCHOICE_X509
732 && RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(pCert->u.pX509Cert, pIssuer))
733 rtCrX509CertPathsAddIssuer(pThis, pNode, pCert->u.pX509Cert, NULL, RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET);
734 }
735 }
736}
737
738
739static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetNextRightUp(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
740{
741 for (;;)
742 {
743 /* The root node has no siblings. */
744 PRTCRX509CERTPATHNODE pParent = pNode->pParent;
745 if (!pNode->pParent)
746 return NULL;
747
748 /* Try go to the right. */
749 PRTCRX509CERTPATHNODE pNext = RTListGetNext(&pParent->ChildListOrLeafEntry, pNode, RTCRX509CERTPATHNODE, SiblingEntry);
750 if (pNext)
751 return pNext;
752
753 /* Up. */
754 pNode = pParent;
755 }
756
757 RT_NOREF_PV(pThis);
758}
759
760
761static PRTCRX509CERTPATHNODE rtCrX509CertPathsEliminatePath(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
762{
763 for (;;)
764 {
765 Assert(RTListIsEmpty(&pNode->ChildListOrLeafEntry));
766
767 /* Don't remove the root node. */
768 PRTCRX509CERTPATHNODE pParent = pNode->pParent;
769 if (!pParent)
770 return NULL;
771
772 /* Before removing and deleting the node check if there is sibling
773 right to it that we should continue processing from. */
774 PRTCRX509CERTPATHNODE pNext = RTListGetNext(&pParent->ChildListOrLeafEntry, pNode, RTCRX509CERTPATHNODE, SiblingEntry);
775 RTListNodeRemove(&pNode->SiblingEntry);
776 rtCrX509CertPathsDestroyNode(pNode);
777
778 if (pNext)
779 return pNext;
780
781 /* If the parent node cannot be removed, do a normal get-next-rigth-up
782 to find the continuation point for the tree loop. */
783 if (!RTListIsEmpty(&pParent->ChildListOrLeafEntry))
784 return rtCrX509CertPathsGetNextRightUp(pThis, pParent);
785
786 pNode = pParent;
787 }
788}
789
790
791/**
792 * Destroys the whole path tree.
793 *
794 * @param pThis The path builder and verifier instance.
795 */
796static void rtCrX509CertPathsDestroyTree(PRTCRX509CERTPATHSINT pThis)
797{
798 PRTCRX509CERTPATHNODE pNode, pNextLeaf;
799 RTListForEachSafe(&pThis->LeafList, pNode, pNextLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
800 {
801 RTListNodeRemove(&pNode->ChildListOrLeafEntry);
802 RTListInit(&pNode->ChildListOrLeafEntry);
803
804 for (;;)
805 {
806 PRTCRX509CERTPATHNODE pParent = pNode->pParent;
807
808 RTListNodeRemove(&pNode->SiblingEntry);
809 rtCrX509CertPathsDestroyNode(pNode);
810
811 if (!pParent)
812 {
813 pThis->pRoot = NULL;
814 break;
815 }
816
817 if (!RTListIsEmpty(&pParent->ChildListOrLeafEntry))
818 break;
819
820 pNode = pParent;
821 }
822 }
823 Assert(!pThis->pRoot);
824}
825
826
827/**
828 * Adds a leaf node.
829 *
830 * This should normally be a trusted certificate, but the caller can also
831 * request the incomplete paths, in which case this will be an untrusted
832 * certificate.
833 *
834 * @returns Pointer to the next node in the tree to process.
835 * @param pThis The path builder instance.
836 * @param pNode The leaf node.
837 */
838static PRTCRX509CERTPATHNODE rtCrX509CertPathsAddLeaf(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
839{
840 pNode->fLeaf = true;
841
842 /*
843 * Priority insert by source and depth.
844 */
845 PRTCRX509CERTPATHNODE pCurLeaf;
846 RTListForEach(&pThis->LeafList, pCurLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
847 {
848 if ( pNode->uSrc > pCurLeaf->uSrc
849 || ( pNode->uSrc == pCurLeaf->uSrc
850 && pNode->uDepth < pCurLeaf->uDepth) )
851 {
852 RTListNodeInsertBefore(&pCurLeaf->ChildListOrLeafEntry, &pNode->ChildListOrLeafEntry);
853 pThis->cPaths++;
854 return rtCrX509CertPathsGetNextRightUp(pThis, pNode);
855 }
856 }
857
858 RTListAppend(&pThis->LeafList, &pNode->ChildListOrLeafEntry);
859 pThis->cPaths++;
860 return rtCrX509CertPathsGetNextRightUp(pThis, pNode);
861}
862
863
864
865RTDECL(int) RTCrX509CertPathsBuild(RTCRX509CERTPATHS hCertPaths, PRTERRINFO pErrInfo)
866{
867 /*
868 * Validate the input.
869 */
870 PRTCRX509CERTPATHSINT pThis = hCertPaths;
871 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
872 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
873 AssertReturn(!(pThis->fFlags & ~RTCRX509CERTPATHSINT_F_VALID_MASK), VERR_INVALID_PARAMETER);
874 AssertReturn( (pThis->paUntrustedCerts == NULL && pThis->cUntrustedCerts == 0)
875 || (pThis->paUntrustedCerts != NULL && pThis->cUntrustedCerts > 0),
876 VERR_INVALID_PARAMETER);
877 AssertReturn(RTListIsEmpty(&pThis->LeafList), VERR_INVALID_PARAMETER);
878 AssertReturn(pThis->pRoot == NULL, VERR_INVALID_PARAMETER);
879 AssertReturn(pThis->rc == VINF_SUCCESS, pThis->rc);
880 AssertPtrReturn(pThis->pTarget, VERR_INVALID_PARAMETER);
881 Assert(RT_SUCCESS(RTCrX509Certificate_CheckSanity(pThis->pTarget, 0, NULL, NULL)));
882
883 /*
884 * Set up the target.
885 */
886 PRTCRX509CERTPATHNODE pCur;
887 pThis->pRoot = pCur = rtCrX509CertPathsNewNode(pThis);
888 if (pThis->pRoot)
889 {
890 pCur->pCert = pThis->pTarget;
891 pCur->uDepth = 0;
892 pCur->uSrc = RTCRX509CERTPATHNODE_SRC_TARGET;
893
894 pThis->pErrInfo = pErrInfo;
895
896 /*
897 * The tree construction loop.
898 * Walks down, up, and right as the tree is constructed.
899 */
900 do
901 {
902 /*
903 * Check for the two leaf cases first.
904 */
905 if (RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCur->uSrc))
906 pCur = rtCrX509CertPathsAddLeaf(pThis, pCur);
907#if 0 /* This isn't right.*/
908 else if (rtCrX509CertPathsIsSelfIssued(pCur))
909 {
910 if (pThis->fFlags & RTCRX509CERTPATHSINT_F_ELIMINATE_UNTRUSTED_PATHS)
911 pCur = rtCrX509CertPathsEliminatePath(pThis, pCur);
912 else
913 pCur = rtCrX509CertPathsAddLeaf(pThis, pCur);
914 }
915#endif
916 /*
917 * Not a leaf, find all potential issuers and decend into these.
918 */
919 else
920 {
921 rtCrX509CertPathsGetIssuers(pThis, pCur);
922 if (RT_FAILURE(pThis->rc))
923 break;
924
925 if (!RTListIsEmpty(&pCur->ChildListOrLeafEntry))
926 pCur = RTListGetFirst(&pCur->ChildListOrLeafEntry, RTCRX509CERTPATHNODE, SiblingEntry);
927 else if (pThis->fFlags & RTCRX509CERTPATHSINT_F_ELIMINATE_UNTRUSTED_PATHS)
928 pCur = rtCrX509CertPathsEliminatePath(pThis, pCur);
929 else
930 pCur = rtCrX509CertPathsAddLeaf(pThis, pCur);
931 }
932 if (pCur)
933 Log2(("RTCrX509CertPathsBuild: pCur=%p fLeaf=%d pParent=%p pNext=%p pPrev=%p\n",
934 pCur, pCur->fLeaf, pCur->pParent,
935 pCur->pParent ? RTListGetNext(&pCur->pParent->ChildListOrLeafEntry, pCur, RTCRX509CERTPATHNODE, SiblingEntry) : NULL,
936 pCur->pParent ? RTListGetPrev(&pCur->pParent->ChildListOrLeafEntry, pCur, RTCRX509CERTPATHNODE, SiblingEntry) : NULL));
937 } while (pCur);
938
939 pThis->pErrInfo = NULL;
940 if (RT_SUCCESS(pThis->rc))
941 return VINF_SUCCESS;
942 }
943 else
944 Assert(RT_FAILURE_NP(pThis->rc));
945 return pThis->rc;
946}
947
948
949/**
950 * Looks up path by leaf/path index.
951 *
952 * @returns Pointer to the leaf node of the path.
953 * @param pThis The path builder & validator instance.
954 * @param iPath The oridnal of the path to get.
955 */
956static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetLeafByIndex(PRTCRX509CERTPATHSINT pThis, uint32_t iPath)
957{
958 Assert(iPath < pThis->cPaths);
959
960 uint32_t iCurPath = 0;
961 PRTCRX509CERTPATHNODE pCurLeaf;
962 RTListForEach(&pThis->LeafList, pCurLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
963 {
964 if (iCurPath == iPath)
965 return pCurLeaf;
966 iCurPath++;
967 }
968
969 AssertFailedReturn(NULL);
970}
971
972
973static void rtDumpPrintf(PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser, const char *pszFormat, ...)
974{
975 va_list va;
976 va_start(va, pszFormat);
977 pfnPrintfV(pvUser, pszFormat, va);
978 va_end(va);
979}
980
981
982static void rtDumpIndent(PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser, uint32_t cchSpaces, const char *pszFormat, ...)
983{
984 static const char s_szSpaces[] = " ";
985 while (cchSpaces > 0)
986 {
987 uint32_t cchBurst = RT_MIN(sizeof(s_szSpaces) - 1, cchSpaces);
988 rtDumpPrintf(pfnPrintfV, pvUser, &s_szSpaces[sizeof(s_szSpaces) - cchBurst - 1]);
989 cchSpaces -= cchBurst;
990 }
991
992 va_list va;
993 va_start(va, pszFormat);
994 pfnPrintfV(pvUser, pszFormat, va);
995 va_end(va);
996}
997
998/** @name X.500 attribute types
999 * See RFC-4519 among others.
1000 * @{ */
1001#define RTCRX500_ID_AT_OBJECT_CLASS_OID "2.5.4.0"
1002#define RTCRX500_ID_AT_ALIASED_ENTRY_NAME_OID "2.5.4.1"
1003#define RTCRX500_ID_AT_KNOWLDGEINFORMATION_OID "2.5.4.2"
1004#define RTCRX500_ID_AT_COMMON_NAME_OID "2.5.4.3"
1005#define RTCRX500_ID_AT_SURNAME_OID "2.5.4.4"
1006#define RTCRX500_ID_AT_SERIAL_NUMBER_OID "2.5.4.5"
1007#define RTCRX500_ID_AT_COUNTRY_NAME_OID "2.5.4.6"
1008#define RTCRX500_ID_AT_LOCALITY_NAME_OID "2.5.4.7"
1009#define RTCRX500_ID_AT_STATE_OR_PROVINCE_NAME_OID "2.5.4.8"
1010#define RTCRX500_ID_AT_STREET_ADDRESS_OID "2.5.4.9"
1011#define RTCRX500_ID_AT_ORGANIZATION_NAME_OID "2.5.4.10"
1012#define RTCRX500_ID_AT_ORGANIZATION_UNIT_NAME_OID "2.5.4.11"
1013#define RTCRX500_ID_AT_TITLE_OID "2.5.4.12"
1014#define RTCRX500_ID_AT_DESCRIPTION_OID "2.5.4.13"
1015#define RTCRX500_ID_AT_SEARCH_GUIDE_OID "2.5.4.14"
1016#define RTCRX500_ID_AT_BUSINESS_CATEGORY_OID "2.5.4.15"
1017#define RTCRX500_ID_AT_POSTAL_ADDRESS_OID "2.5.4.16"
1018#define RTCRX500_ID_AT_POSTAL_CODE_OID "2.5.4.17"
1019#define RTCRX500_ID_AT_POST_OFFICE_BOX_OID "2.5.4.18"
1020#define RTCRX500_ID_AT_PHYSICAL_DELIVERY_OFFICE_NAME_OID "2.5.4.19"
1021#define RTCRX500_ID_AT_TELEPHONE_NUMBER_OID "2.5.4.20"
1022#define RTCRX500_ID_AT_TELEX_NUMBER_OID "2.5.4.21"
1023#define RTCRX500_ID_AT_TELETEX_TERMINAL_IDENTIFIER_OID "2.5.4.22"
1024#define RTCRX500_ID_AT_FACIMILE_TELEPHONE_NUMBER_OID "2.5.4.23"
1025#define RTCRX500_ID_AT_X121_ADDRESS_OID "2.5.4.24"
1026#define RTCRX500_ID_AT_INTERNATIONAL_ISDN_NUMBER_OID "2.5.4.25"
1027#define RTCRX500_ID_AT_REGISTERED_ADDRESS_OID "2.5.4.26"
1028#define RTCRX500_ID_AT_DESTINATION_INDICATOR_OID "2.5.4.27"
1029#define RTCRX500_ID_AT_PREFERRED_DELIVERY_METHOD_OID "2.5.4.28"
1030#define RTCRX500_ID_AT_PRESENTATION_ADDRESS_OID "2.5.4.29"
1031#define RTCRX500_ID_AT_SUPPORTED_APPLICATION_CONTEXT_OID "2.5.4.30"
1032#define RTCRX500_ID_AT_MEMBER_OID "2.5.4.31"
1033#define RTCRX500_ID_AT_OWNER_OID "2.5.4.32"
1034#define RTCRX500_ID_AT_ROLE_OCCUPANT_OID "2.5.4.33"
1035#define RTCRX500_ID_AT_SEE_ALSO_OID "2.5.4.34"
1036#define RTCRX500_ID_AT_USER_PASSWORD_OID "2.5.4.35"
1037#define RTCRX500_ID_AT_USER_CERTIFICATE_OID "2.5.4.36"
1038#define RTCRX500_ID_AT_CA_CERTIFICATE_OID "2.5.4.37"
1039#define RTCRX500_ID_AT_AUTHORITY_REVOCATION_LIST_OID "2.5.4.38"
1040#define RTCRX500_ID_AT_CERTIFICATE_REVOCATION_LIST_OID "2.5.4.39"
1041#define RTCRX500_ID_AT_CROSS_CERTIFICATE_PAIR_OID "2.5.4.40"
1042#define RTCRX500_ID_AT_NAME_OID "2.5.4.41"
1043#define RTCRX500_ID_AT_GIVEN_NAME_OID "2.5.4.42"
1044#define RTCRX500_ID_AT_INITIALS_OID "2.5.4.43"
1045#define RTCRX500_ID_AT_GENERATION_QUALIFIER_OID "2.5.4.44"
1046#define RTCRX500_ID_AT_UNIQUE_IDENTIFIER_OID "2.5.4.45"
1047#define RTCRX500_ID_AT_DN_QUALIFIER_OID "2.5.4.46"
1048#define RTCRX500_ID_AT_ENHANCHED_SEARCH_GUIDE_OID "2.5.4.47"
1049#define RTCRX500_ID_AT_PROTOCOL_INFORMATION_OID "2.5.4.48"
1050#define RTCRX500_ID_AT_DISTINGUISHED_NAME_OID "2.5.4.49"
1051#define RTCRX500_ID_AT_UNIQUE_MEMBER_OID "2.5.4.50"
1052#define RTCRX500_ID_AT_HOUSE_IDENTIFIER_OID "2.5.4.51"
1053#define RTCRX500_ID_AT_SUPPORTED_ALGORITHMS_OID "2.5.4.52"
1054#define RTCRX500_ID_AT_DELTA_REVOCATION_LIST_OID "2.5.4.53"
1055#define RTCRX500_ID_AT_ATTRIBUTE_CERTIFICATE_OID "2.5.4.58"
1056#define RTCRX500_ID_AT_PSEUDONYM_OID "2.5.4.65"
1057/** @} */
1058
1059
1060static void rtCrX509NameDump(PCRTCRX509NAME pName, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1061{
1062 for (uint32_t i = 0; i < pName->cItems; i++)
1063 {
1064 PCRTCRX509RELATIVEDISTINGUISHEDNAME const pRdn = pName->papItems[i];
1065 for (uint32_t j = 0; j < pRdn->cItems; j++)
1066 {
1067 PRTCRX509ATTRIBUTETYPEANDVALUE pAttrib = pRdn->papItems[j];
1068
1069 const char *pszType = pAttrib->Type.szObjId;
1070 if ( !strncmp(pAttrib->Type.szObjId, "2.5.4.", 6)
1071 && (pAttrib->Type.szObjId[8] == '\0' || pAttrib->Type.szObjId[9] == '\0'))
1072 {
1073 switch (RTStrToUInt8(&pAttrib->Type.szObjId[6]))
1074 {
1075 case 3: pszType = "cn"; break;
1076 case 4: pszType = "sn"; break;
1077 case 5: pszType = "serialNumber"; break;
1078 case 6: pszType = "c"; break;
1079 case 7: pszType = "l"; break;
1080 case 8: pszType = "st"; break;
1081 case 9: pszType = "street"; break;
1082 case 10: pszType = "o"; break;
1083 case 11: pszType = "ou"; break;
1084 case 13: pszType = "description"; break;
1085 case 15: pszType = "businessCategory"; break;
1086 case 16: pszType = "postalAddress"; break;
1087 case 17: pszType = "postalCode"; break;
1088 case 18: pszType = "postOfficeBox"; break;
1089 case 20: pszType = "telephoneNumber"; break;
1090 case 26: pszType = "registeredAddress"; break;
1091 case 31: pszType = "member"; break;
1092 case 41: pszType = "name"; break;
1093 case 42: pszType = "givenName"; break;
1094 case 43: pszType = "initials"; break;
1095 case 45: pszType = "x500UniqueIdentifier"; break;
1096 case 50: pszType = "uniqueMember"; break;
1097 }
1098 }
1099 rtDumpPrintf(pfnPrintfV, pvUser, "/%s=", pszType);
1100 if (pAttrib->Value.enmType == RTASN1TYPE_STRING)
1101 {
1102 if (pAttrib->Value.u.String.pszUtf8)
1103 rtDumpPrintf(pfnPrintfV, pvUser, "%s", pAttrib->Value.u.String.pszUtf8);
1104 else
1105 {
1106 const char *pch = pAttrib->Value.u.String.Asn1Core.uData.pch;
1107 uint32_t cch = pAttrib->Value.u.String.Asn1Core.cb;
1108 int rc = RTStrValidateEncodingEx(pch, cch, 0);
1109 if (RT_SUCCESS(rc) && cch)
1110 rtDumpPrintf(pfnPrintfV, pvUser, "%.*s", (size_t)cch, pch);
1111 else
1112 while (cch > 0)
1113 {
1114 if (RT_C_IS_PRINT(*pch))
1115 rtDumpPrintf(pfnPrintfV, pvUser, "%c", *pch);
1116 else
1117 rtDumpPrintf(pfnPrintfV, pvUser, "\\x%02x", *pch);
1118 cch--;
1119 pch++;
1120 }
1121 }
1122 }
1123 else
1124 rtDumpPrintf(pfnPrintfV, pvUser, "<not-string: uTag=%#x>", pAttrib->Value.u.Core.uTag);
1125 }
1126 }
1127}
1128
1129
1130static const char *rtCrX509CertPathsNodeGetSourceName(PRTCRX509CERTPATHNODE pNode)
1131{
1132 switch (pNode->uSrc)
1133 {
1134 case RTCRX509CERTPATHNODE_SRC_TARGET: return "target";
1135 case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET: return "untrusted_set";
1136 case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY: return "untrusted_array";
1137 case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE: return "untrusted_store";
1138 case RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE: return "trusted_store";
1139 case RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT: return "trusted_cert";
1140 default: return "invalid";
1141 }
1142}
1143
1144
1145static void rtCrX509CertPathsDumpOneWorker(PRTCRX509CERTPATHSINT pThis, uint32_t iPath, PRTCRX509CERTPATHNODE pCurLeaf,
1146 uint32_t uVerbosity, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1147{
1148 RT_NOREF_PV(pThis);
1149 rtDumpPrintf(pfnPrintfV, pvUser, "Path #%u: %s, %u deep, rcVerify=%Rrc\n",
1150 iPath, RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCurLeaf->uSrc) ? "trusted" : "untrusted", pCurLeaf->uDepth,
1151 pCurLeaf->rcVerify);
1152
1153 for (uint32_t iIndent = 2; pCurLeaf; iIndent += 2, pCurLeaf = pCurLeaf->pParent)
1154 {
1155 if (pCurLeaf->pCert)
1156 {
1157 rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Issuer : ");
1158 rtCrX509NameDump(&pCurLeaf->pCert->TbsCertificate.Issuer, pfnPrintfV, pvUser);
1159 rtDumpPrintf(pfnPrintfV, pvUser, "\n");
1160
1161 rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Subject: ");
1162 rtCrX509NameDump(&pCurLeaf->pCert->TbsCertificate.Subject, pfnPrintfV, pvUser);
1163 rtDumpPrintf(pfnPrintfV, pvUser, "\n");
1164
1165 if (uVerbosity >= 4)
1166 RTAsn1Dump(&pCurLeaf->pCert->SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
1167 else if (uVerbosity >= 3)
1168 RTAsn1Dump(&pCurLeaf->pCert->TbsCertificate.T3.Extensions.SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
1169 }
1170 else
1171 {
1172 Assert(pCurLeaf->pCertCtx); Assert(pCurLeaf->pCertCtx->pTaInfo);
1173 rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Subject: ");
1174 rtCrX509NameDump(&pCurLeaf->pCertCtx->pTaInfo->CertPath.TaName, pfnPrintfV, pvUser);
1175
1176 if (uVerbosity >= 4)
1177 RTAsn1Dump(&pCurLeaf->pCertCtx->pTaInfo->SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
1178 }
1179
1180 const char *pszSrc = rtCrX509CertPathsNodeGetSourceName(pCurLeaf);
1181 rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Source : %s\n", pszSrc);
1182 }
1183}
1184
1185
1186RTDECL(int) RTCrX509CertPathsDumpOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t uVerbosity,
1187 PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1188{
1189 /*
1190 * Validate the input.
1191 */
1192 PRTCRX509CERTPATHSINT pThis = hCertPaths;
1193 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
1194 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
1195 AssertPtrReturn(pfnPrintfV, VERR_INVALID_POINTER);
1196 int rc;
1197 if (iPath < pThis->cPaths)
1198 {
1199 PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
1200 if (pLeaf)
1201 {
1202 rtCrX509CertPathsDumpOneWorker(pThis, iPath, pLeaf, uVerbosity, pfnPrintfV, pvUser);
1203 rc = VINF_SUCCESS;
1204 }
1205 else
1206 rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR;
1207 }
1208 else
1209 rc = VERR_NOT_FOUND;
1210 return rc;
1211}
1212
1213
1214RTDECL(int) RTCrX509CertPathsDumpAll(RTCRX509CERTPATHS hCertPaths, uint32_t uVerbosity, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1215{
1216 /*
1217 * Validate the input.
1218 */
1219 PRTCRX509CERTPATHSINT pThis = hCertPaths;
1220 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
1221 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
1222 AssertPtrReturn(pfnPrintfV, VERR_INVALID_POINTER);
1223
1224 /*
1225 * Dump all the paths.
1226 */
1227 rtDumpPrintf(pfnPrintfV, pvUser, "%u paths, rc=%Rrc\n", pThis->cPaths, pThis->rc);
1228 uint32_t iPath = 0;
1229 PRTCRX509CERTPATHNODE pCurLeaf, pNextLeaf;
1230 RTListForEachSafe(&pThis->LeafList, pCurLeaf, pNextLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
1231 {
1232 rtCrX509CertPathsDumpOneWorker(pThis, iPath, pCurLeaf, uVerbosity, pfnPrintfV, pvUser);
1233 iPath++;
1234 }
1235
1236 return VINF_SUCCESS;
1237}
1238
1239
1240/** @} */
1241
1242
1243/** @name Path Validator Functions.
1244 * @{
1245 */
1246
1247
1248static void *rtCrX509CpvAllocZ(PRTCRX509CERTPATHSINT pThis, size_t cb, const char *pszWhat)
1249{
1250 void *pv = RTMemAllocZ(cb);
1251 if (!pv)
1252 pThis->rc = RTErrInfoSetF(pThis->pErrInfo, VERR_NO_MEMORY, "Failed to allocate %zu bytes for %s", cb, pszWhat);
1253 return pv;
1254}
1255
1256
1257DECL_NO_INLINE(static, bool) rtCrX509CpvFailed(PRTCRX509CERTPATHSINT pThis, int rc, const char *pszFormat, ...)
1258{
1259 va_list va;
1260 va_start(va, pszFormat);
1261 pThis->rc = RTErrInfoSetV(pThis->pErrInfo, rc, pszFormat, va);
1262 va_end(va);
1263 return false;
1264}
1265
1266
1267/**
1268 * Adds a sequence of excluded sub-trees.
1269 *
1270 * Don't waste time optimizing the output if this is supposed to be a union.
1271 * Unless the path is very long, it's a lot more work to optimize and the result
1272 * will be the same anyway.
1273 *
1274 * @returns success indicator.
1275 * @param pThis The validator instance.
1276 * @param pSubtrees The sequence of sub-trees to add.
1277 */
1278static bool rtCrX509CpvAddExcludedSubtrees(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREES pSubtrees)
1279{
1280 if (((pThis->v.cExcludedSubtrees + 1) & 0xf) == 0)
1281 {
1282 void *pvNew = RTMemRealloc(pThis->v.papExcludedSubtrees,
1283 (pThis->v.cExcludedSubtrees + 16) * sizeof(pThis->v.papExcludedSubtrees[0]));
1284 if (RT_UNLIKELY(!pvNew))
1285 return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Error growing subtrees pointer array to %u elements",
1286 pThis->v.cExcludedSubtrees + 16);
1287 pThis->v.papExcludedSubtrees = (PCRTCRX509GENERALSUBTREES *)pvNew;
1288 }
1289 pThis->v.papExcludedSubtrees[pThis->v.cExcludedSubtrees] = pSubtrees;
1290 pThis->v.cExcludedSubtrees++;
1291 return true;
1292}
1293
1294
1295/**
1296 * Checks if a sub-tree is according to RFC-5280.
1297 *
1298 * @returns Success indiciator.
1299 * @param pThis The validator instance.
1300 * @param pSubtree The subtree to check.
1301 */
1302static bool rtCrX509CpvCheckSubtreeValidity(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREE pSubtree)
1303{
1304 if ( pSubtree->Base.enmChoice <= RTCRX509GENERALNAMECHOICE_INVALID
1305 || pSubtree->Base.enmChoice >= RTCRX509GENERALNAMECHOICE_END)
1306 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNEXP_GENERAL_SUBTREE_CHOICE,
1307 "Unexpected GeneralSubtree choice %#x", pSubtree->Base.enmChoice);
1308
1309 if (RTAsn1Integer_UnsignedCompareWithU32(&pSubtree->Minimum, 0) != 0)
1310 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNEXP_GENERAL_SUBTREE_MIN,
1311 "Unexpected GeneralSubtree Minimum value: %#llx",
1312 pSubtree->Minimum.uValue);
1313
1314 if (RTAsn1Integer_IsPresent(&pSubtree->Maximum))
1315 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNEXP_GENERAL_SUBTREE_MAX,
1316 "Unexpected GeneralSubtree Maximum value: %#llx",
1317 pSubtree->Maximum.uValue);
1318
1319 return true;
1320}
1321
1322
1323/**
1324 * Grows the array of permitted sub-trees.
1325 *
1326 * @returns success indiciator.
1327 * @param pThis The validator instance.
1328 * @param cAdding The number of subtrees we should grow by
1329 * (relative to the current number of valid
1330 * entries).
1331 */
1332static bool rtCrX509CpvGrowPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, uint32_t cAdding)
1333{
1334 uint32_t cNew = RT_ALIGN_32(pThis->v.cPermittedSubtrees + cAdding, 16);
1335 if (cNew > pThis->v.cPermittedSubtreesAlloc)
1336 {
1337 if (cNew >= _4K)
1338 return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Too many permitted subtrees: %u (cur %u)",
1339 cNew, pThis->v.cPermittedSubtrees);
1340 void *pvNew = RTMemRealloc(pThis->v.papPermittedSubtrees, cNew * sizeof(pThis->v.papPermittedSubtrees[0]));
1341 if (RT_UNLIKELY(!pvNew))
1342 return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Error growing subtrees pointer array from %u to %u elements",
1343 pThis->v.cPermittedSubtreesAlloc, cNew);
1344 pThis->v.papPermittedSubtrees = (PCRTCRX509GENERALSUBTREE *)pvNew;
1345 }
1346 return true;
1347}
1348
1349
1350/**
1351 * Adds a sequence of permitted sub-trees.
1352 *
1353 * We store reference to each individual sub-tree because we must support
1354 * intersection calculation.
1355 *
1356 * @returns success indiciator.
1357 * @param pThis The validator instance.
1358 * @param cSubtrees The number of sub-trees to add.
1359 * @param papSubtrees Array of sub-trees to add.
1360 */
1361static bool rtCrX509CpvAddPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, uint32_t cSubtrees,
1362 PRTCRX509GENERALSUBTREE const *papSubtrees)
1363{
1364 /*
1365 * If the array is empty, assume no permitted names.
1366 */
1367 if (!cSubtrees)
1368 {
1369 pThis->v.fNoPermittedSubtrees = true;
1370 return true;
1371 }
1372
1373 /*
1374 * Grow the array if necessary.
1375 */
1376 if (!rtCrX509CpvGrowPermittedSubtrees(pThis, cSubtrees))
1377 return false;
1378
1379 /*
1380 * Append each subtree to the array.
1381 */
1382 uint32_t iDst = pThis->v.cPermittedSubtrees;
1383 for (uint32_t iSrc = 0; iSrc < cSubtrees; iSrc++)
1384 {
1385 if (!rtCrX509CpvCheckSubtreeValidity(pThis, papSubtrees[iSrc]))
1386 return false;
1387 pThis->v.papPermittedSubtrees[iDst] = papSubtrees[iSrc];
1388 iDst++;
1389 }
1390 pThis->v.cPermittedSubtrees = iDst;
1391
1392 return true;
1393}
1394
1395
1396/**
1397 * Adds a one permitted sub-tree.
1398 *
1399 * We store reference to each individual sub-tree because we must support
1400 * intersection calculation.
1401 *
1402 * @returns success indiciator.
1403 * @param pThis The validator instance.
1404 * @param pSubtree Array of sub-trees to add.
1405 */
1406static bool rtCrX509CpvAddPermittedSubtree(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREE pSubtree)
1407{
1408 return rtCrX509CpvAddPermittedSubtrees(pThis, 1, (PRTCRX509GENERALSUBTREE const *)&pSubtree);
1409}
1410
1411
1412/**
1413 * Calculates the intersection between @a pSubtrees and the current permitted
1414 * sub-trees.
1415 *
1416 * @returns Success indicator.
1417 * @param pThis The validator instance.
1418 * @param pSubtrees The sub-tree sequence to intersect with.
1419 */
1420static bool rtCrX509CpvIntersectionPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREES pSubtrees)
1421{
1422 /*
1423 * Deal with special cases first.
1424 */
1425 if (pThis->v.fNoPermittedSubtrees)
1426 {
1427 Assert(pThis->v.cPermittedSubtrees == 0);
1428 return true;
1429 }
1430
1431 uint32_t cRight = pSubtrees->cItems;
1432 PRTCRX509GENERALSUBTREE const *papRight = pSubtrees->papItems;
1433 if (cRight == 0)
1434 {
1435 pThis->v.cPermittedSubtrees = 0;
1436 pThis->v.fNoPermittedSubtrees = true;
1437 return true;
1438 }
1439
1440 uint32_t cLeft = pThis->v.cPermittedSubtrees;
1441 PCRTCRX509GENERALSUBTREE *papLeft = pThis->v.papPermittedSubtrees;
1442 if (!cLeft) /* first name constraint, no initial constraint */
1443 return rtCrX509CpvAddPermittedSubtrees(pThis, cRight, papRight);
1444
1445 /*
1446 * Create a new array with the intersection, freeing the old (left) array
1447 * once we're done.
1448 */
1449 bool afRightTags[RTCRX509GENERALNAMECHOICE_END] = { 0, 0, 0, 0, 0, 0, 0, 0, 0 };
1450
1451 pThis->v.cPermittedSubtrees = 0;
1452 pThis->v.cPermittedSubtreesAlloc = 0;
1453 pThis->v.papPermittedSubtrees = NULL;
1454
1455 for (uint32_t iRight = 0; iRight < cRight; iRight++)
1456 {
1457 if (!rtCrX509CpvCheckSubtreeValidity(pThis, papRight[iRight]))
1458 return false;
1459
1460 RTCRX509GENERALNAMECHOICE const enmRightChoice = papRight[iRight]->Base.enmChoice;
1461 afRightTags[enmRightChoice] = true;
1462
1463 bool fHaveRight = false;
1464 for (uint32_t iLeft = 0; iLeft < cLeft; iLeft++)
1465 if (papLeft[iLeft]->Base.enmChoice == enmRightChoice)
1466 {
1467 if (RTCrX509GeneralSubtree_Compare(papLeft[iLeft], papRight[iRight]) == 0)
1468 {
1469 if (!fHaveRight)
1470 {
1471 fHaveRight = true;
1472 rtCrX509CpvAddPermittedSubtree(pThis, papLeft[iLeft]);
1473 }
1474 }
1475 else if (RTCrX509GeneralSubtree_ConstraintMatch(papLeft[iLeft], papRight[iRight]))
1476 {
1477 if (!fHaveRight)
1478 {
1479 fHaveRight = true;
1480 rtCrX509CpvAddPermittedSubtree(pThis, papRight[iRight]);
1481 }
1482 }
1483 else if (RTCrX509GeneralSubtree_ConstraintMatch(papRight[iRight], papLeft[iLeft]))
1484 rtCrX509CpvAddPermittedSubtree(pThis, papLeft[iLeft]);
1485 }
1486 }
1487
1488 /*
1489 * Add missing types not specified in the right set.
1490 */
1491 for (uint32_t iLeft = 0; iLeft < cLeft; iLeft++)
1492 if (!afRightTags[papLeft[iLeft]->Base.enmChoice])
1493 rtCrX509CpvAddPermittedSubtree(pThis, papLeft[iLeft]);
1494
1495 /*
1496 * If we ended up with an empty set, no names are permitted any more.
1497 */
1498 if (pThis->v.cPermittedSubtrees == 0)
1499 pThis->v.fNoPermittedSubtrees = true;
1500
1501 RTMemFree(papLeft);
1502 return RT_SUCCESS(pThis->rc);
1503}
1504
1505
1506/**
1507 * Check if the given X.509 name is permitted by current name constraints.
1508 *
1509 * @returns true is permitteded, false if not (caller set error info).
1510 * @param pThis The validator instance.
1511 * @param pName The name to match.
1512 */
1513static bool rtCrX509CpvIsNamePermitted(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAME pName)
1514{
1515 uint32_t i = pThis->v.cPermittedSubtrees;
1516 if (i == 0)
1517 return !pThis->v.fNoPermittedSubtrees;
1518
1519 while (i-- > 0)
1520 {
1521 PCRTCRX509GENERALSUBTREE pConstraint = pThis->v.papPermittedSubtrees[i];
1522 if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(&pConstraint->Base)
1523 && RTCrX509Name_ConstraintMatch(&pConstraint->Base.u.pT4->DirectoryName, pName))
1524 return true;
1525 }
1526 return false;
1527}
1528
1529
1530/**
1531 * Check if the given X.509 general name is permitted by current name
1532 * constraints.
1533 *
1534 * @returns true is permitteded, false if not (caller sets error info).
1535 * @param pThis The validator instance.
1536 * @param pGeneralName The name to match.
1537 */
1538static bool rtCrX509CpvIsGeneralNamePermitted(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALNAME pGeneralName)
1539{
1540 uint32_t i = pThis->v.cPermittedSubtrees;
1541 if (i == 0)
1542 return !pThis->v.fNoPermittedSubtrees;
1543
1544 while (i-- > 0)
1545 if (RTCrX509GeneralName_ConstraintMatch(&pThis->v.papPermittedSubtrees[i]->Base, pGeneralName))
1546 return true;
1547 return false;
1548}
1549
1550
1551/**
1552 * Check if the given X.509 name is excluded by current name constraints.
1553 *
1554 * @returns true if excluded (caller sets error info), false if not explicitly
1555 * excluded.
1556 * @param pThis The validator instance.
1557 * @param pName The name to match.
1558 */
1559static bool rtCrX509CpvIsNameExcluded(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAME pName)
1560{
1561 uint32_t i = pThis->v.cExcludedSubtrees;
1562 while (i-- > 0)
1563 {
1564 PCRTCRX509GENERALSUBTREES pSubTrees = pThis->v.papExcludedSubtrees[i];
1565 uint32_t j = pSubTrees->cItems;
1566 while (j-- > 0)
1567 {
1568 PCRTCRX509GENERALSUBTREE const pSubTree = pSubTrees->papItems[j];
1569 if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(&pSubTree->Base)
1570 && RTCrX509Name_ConstraintMatch(&pSubTree->Base.u.pT4->DirectoryName, pName))
1571 return true;
1572 }
1573 }
1574 return false;
1575}
1576
1577
1578/**
1579 * Check if the given X.509 general name is excluded by current name
1580 * constraints.
1581 *
1582 * @returns true if excluded (caller sets error info), false if not explicitly
1583 * excluded.
1584 * @param pThis The validator instance.
1585 * @param pGeneralName The name to match.
1586 */
1587static bool rtCrX509CpvIsGeneralNameExcluded(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALNAME pGeneralName)
1588{
1589 uint32_t i = pThis->v.cExcludedSubtrees;
1590 while (i-- > 0)
1591 {
1592 PCRTCRX509GENERALSUBTREES pSubTrees = pThis->v.papExcludedSubtrees[i];
1593 uint32_t j = pSubTrees->cItems;
1594 while (j-- > 0)
1595 if (RTCrX509GeneralName_ConstraintMatch(&pSubTrees->papItems[j]->Base, pGeneralName))
1596 return true;
1597 }
1598 return false;
1599}
1600
1601
1602/**
1603 * Creates a new node and inserts it.
1604 *
1605 * @param pThis The path builder & validator instance.
1606 * @param pParent The parent node. NULL for the root node.
1607 * @param iDepth The tree depth to insert at.
1608 * @param pValidPolicy The valid policy of the new node.
1609 * @param pQualifiers The qualifiers of the new node.
1610 * @param pExpectedPolicy The (first) expected polcy of the new node.
1611 */
1612static bool rtCrX509CpvPolicyTreeInsertNew(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pParent, uint32_t iDepth,
1613 PCRTASN1OBJID pValidPolicy, PCRTCRX509POLICYQUALIFIERINFOS pQualifiers,
1614 PCRTASN1OBJID pExpectedPolicy)
1615{
1616 Assert(iDepth <= pThis->v.cNodes);
1617
1618 PRTCRX509CERTPATHSPOLICYNODE pNode;
1619 pNode = (PRTCRX509CERTPATHSPOLICYNODE)rtCrX509CpvAllocZ(pThis, sizeof(*pNode), "policy tree node");
1620 if (pNode)
1621 {
1622 pNode->pParent = pParent;
1623 if (pParent)
1624 RTListAppend(&pParent->ChildList, &pNode->SiblingEntry);
1625 else
1626 {
1627 Assert(pThis->v.pValidPolicyTree == NULL);
1628 pThis->v.pValidPolicyTree = pNode;
1629 RTListInit(&pNode->SiblingEntry);
1630 }
1631 RTListInit(&pNode->ChildList);
1632 RTListAppend(&pThis->v.paValidPolicyDepthLists[iDepth], &pNode->DepthEntry);
1633
1634 pNode->pValidPolicy = pValidPolicy;
1635 pNode->pPolicyQualifiers = pQualifiers;
1636 pNode->pExpectedPolicyFirst = pExpectedPolicy;
1637 pNode->cMoreExpectedPolicySet = 0;
1638 pNode->papMoreExpectedPolicySet = NULL;
1639 return true;
1640 }
1641 return false;
1642}
1643
1644
1645/**
1646 * Unlinks and frees a node in the valid policy tree.
1647 *
1648 * @param pThis The path builder & validator instance.
1649 * @param pNode The node to destroy.
1650 */
1651static void rtCrX509CpvPolicyTreeDestroyNode(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pNode)
1652{
1653 Assert(RTListIsEmpty(&pNode->ChildList));
1654 if (pNode->pParent)
1655 RTListNodeRemove(&pNode->SiblingEntry);
1656 else
1657 pThis->v.pValidPolicyTree = NULL;
1658 RTListNodeRemove(&pNode->DepthEntry);
1659 pNode->pParent = NULL;
1660
1661 if (pNode->papMoreExpectedPolicySet)
1662 {
1663 RTMemFree(pNode->papMoreExpectedPolicySet);
1664 pNode->papMoreExpectedPolicySet = NULL;
1665 }
1666 RTMemFree(pNode);
1667}
1668
1669
1670/**
1671 * Unlinks and frees a sub-tree in the valid policy tree.
1672 *
1673 * @param pThis The path builder & validator instance.
1674 * @param pNode The node that is the root of the subtree.
1675 */
1676static void rtCrX509CpvPolicyTreeDestroySubtree(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pNode)
1677{
1678 if (!RTListIsEmpty(&pNode->ChildList))
1679 {
1680 PRTCRX509CERTPATHSPOLICYNODE pCur = pNode;
1681 do
1682 {
1683 Assert(!RTListIsEmpty(&pCur->ChildList));
1684
1685 /* Decend until we find a leaf. */
1686 do
1687 pCur = RTListGetFirst(&pCur->ChildList, RTCRX509CERTPATHSPOLICYNODE, SiblingEntry);
1688 while (!RTListIsEmpty(&pCur->ChildList));
1689
1690 /* Remove it and all leafy siblings. */
1691 PRTCRX509CERTPATHSPOLICYNODE pParent = pCur->pParent;
1692 do
1693 {
1694 Assert(pCur != pNode);
1695 rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1696 pCur = RTListGetFirst(&pParent->ChildList, RTCRX509CERTPATHSPOLICYNODE, SiblingEntry);
1697 if (!pCur)
1698 {
1699 pCur = pParent;
1700 pParent = pParent->pParent;
1701 }
1702 } while (RTListIsEmpty(&pCur->ChildList) && pCur != pNode);
1703 } while (pCur != pNode);
1704 }
1705
1706 rtCrX509CpvPolicyTreeDestroyNode(pThis, pNode);
1707}
1708
1709
1710
1711/**
1712 * Destroys the entire policy tree.
1713 *
1714 * @param pThis The path builder & validator instance.
1715 */
1716static void rtCrX509CpvPolicyTreeDestroy(PRTCRX509CERTPATHSINT pThis)
1717{
1718 uint32_t i = pThis->v.cNodes + 1;
1719 while (i-- > 0)
1720 {
1721 PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
1722 RTListForEachSafe(&pThis->v.paValidPolicyDepthLists[i], pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1723 {
1724 rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1725 }
1726 }
1727}
1728
1729
1730/**
1731 * Removes all leaf nodes at level @a iDepth and above.
1732 *
1733 * @param pThis The path builder & validator instance.
1734 * @param iDepth The depth to start pruning at.
1735 */
1736static void rtCrX509CpvPolicyTreePrune(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth)
1737{
1738 do
1739 {
1740 PRTLISTANCHOR pList = &pThis->v.paValidPolicyDepthLists[iDepth];
1741 PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
1742 RTListForEachSafe(pList, pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1743 {
1744 if (RTListIsEmpty(&pCur->ChildList))
1745 rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1746 }
1747
1748 } while (iDepth-- > 0);
1749}
1750
1751
1752/**
1753 * Checks if @a pPolicy is the valid policy of a child of @a pNode.
1754 *
1755 * @returns true if in child node, false if not.
1756 * @param pNode The node which children to check.
1757 * @param pPolicy The valid policy to look for among the children.
1758 */
1759static bool rtCrX509CpvPolicyTreeIsChild(PRTCRX509CERTPATHSPOLICYNODE pNode, PCRTASN1OBJID pPolicy)
1760{
1761 PRTCRX509CERTPATHSPOLICYNODE pChild;
1762 RTListForEach(&pNode->ChildList, pChild, RTCRX509CERTPATHSPOLICYNODE, SiblingEntry)
1763 {
1764 if (RTAsn1ObjId_Compare(pChild->pValidPolicy, pPolicy) == 0)
1765 return true;
1766 }
1767 return true;
1768}
1769
1770
1771/**
1772 * Prunes the valid policy tree according to the specified user policy set.
1773 *
1774 * @returns Pointer to the policy object from @a papPolicies if found, NULL if
1775 * no match.
1776 * @param pObjId The object ID to locate at match in the set.
1777 * @param cPolicies The number of policies in @a papPolicies.
1778 * @param papPolicies The policy set to search.
1779 */
1780static PCRTASN1OBJID rtCrX509CpvFindObjIdInPolicySet(PCRTASN1OBJID pObjId, uint32_t cPolicies, PCRTASN1OBJID *papPolicies)
1781{
1782 uint32_t i = cPolicies;
1783 while (i-- > 0)
1784 if (RTAsn1ObjId_Compare(pObjId, papPolicies[i]) == 0)
1785 return papPolicies[i];
1786 return NULL;
1787}
1788
1789
1790/**
1791 * Prunes the valid policy tree according to the specified user policy set.
1792 *
1793 * @returns success indicator (allocates memory)
1794 * @param pThis The path builder & validator instance.
1795 * @param cPolicies The number of policies in @a papPolicies.
1796 * @param papPolicies The user initial policies.
1797 */
1798static bool rtCrX509CpvPolicyTreeIntersect(PRTCRX509CERTPATHSINT pThis, uint32_t cPolicies, PCRTASN1OBJID *papPolicies)
1799{
1800 /*
1801 * 4.1.6.g.i - NULL tree remains NULL.
1802 */
1803 if (!pThis->v.pValidPolicyTree)
1804 return true;
1805
1806 /*
1807 * 4.1.6.g.ii - If the user set includes anyPolicy, the whole tree is the
1808 * result of the intersection.
1809 */
1810 uint32_t i = cPolicies;
1811 while (i-- > 0)
1812 if (RTAsn1ObjId_CompareWithString(papPolicies[i], RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
1813 return true;
1814
1815 /*
1816 * 4.1.6.g.iii - Complicated.
1817 */
1818 PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
1819 PRTLISTANCHOR pList;
1820
1821 /* 1 & 2: Delete nodes which parent has valid policy == anyPolicy and which
1822 valid policy is neither anyPolicy nor a member of papszPolicies.
1823 While doing so, construct a set of unused user policies that
1824 we'll replace anyPolicy nodes with in step 3. */
1825 uint32_t cPoliciesLeft = 0;
1826 PCRTASN1OBJID *papPoliciesLeft = NULL;
1827 if (cPolicies)
1828 {
1829 papPoliciesLeft = (PCRTASN1OBJID *)rtCrX509CpvAllocZ(pThis, cPolicies * sizeof(papPoliciesLeft[0]), "papPoliciesLeft");
1830 if (!papPoliciesLeft)
1831 return false;
1832 for (i = 0; i < cPolicies; i++)
1833 papPoliciesLeft[i] = papPolicies[i];
1834 }
1835
1836 for (uint32_t iDepth = 1; iDepth <= pThis->v.cNodes; iDepth++)
1837 {
1838 pList = &pThis->v.paValidPolicyDepthLists[iDepth];
1839 RTListForEachSafe(pList, pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1840 {
1841 Assert(pCur->pParent);
1842 if ( RTAsn1ObjId_CompareWithString(pCur->pParent->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0
1843 && RTAsn1ObjId_CompareWithString(pCur->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) != 0)
1844 {
1845 PCRTASN1OBJID pFound = rtCrX509CpvFindObjIdInPolicySet(pCur->pValidPolicy, cPolicies, papPolicies);
1846 if (!pFound)
1847 rtCrX509CpvPolicyTreeDestroySubtree(pThis, pCur);
1848 else
1849 for (i = 0; i < cPoliciesLeft; i++)
1850 if (papPoliciesLeft[i] == pFound)
1851 {
1852 cPoliciesLeft--;
1853 if (i < cPoliciesLeft)
1854 papPoliciesLeft[i] = papPoliciesLeft[cPoliciesLeft];
1855 papPoliciesLeft[cPoliciesLeft] = NULL;
1856 break;
1857 }
1858 }
1859 }
1860 }
1861
1862 /*
1863 * 4.1.5.g.iii.3 - Replace anyPolicy nodes on the final tree depth with
1864 * the policies in papPoliciesLeft.
1865 */
1866 pList = &pThis->v.paValidPolicyDepthLists[pThis->v.cNodes];
1867 RTListForEachSafe(pList, pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1868 {
1869 if (RTAsn1ObjId_CompareWithString(pCur->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
1870 {
1871 for (i = 0; i < cPoliciesLeft; i++)
1872 rtCrX509CpvPolicyTreeInsertNew(pThis, pCur->pParent, pThis->v.cNodes - 1,
1873 papPoliciesLeft[i], pCur->pPolicyQualifiers, papPoliciesLeft[i]);
1874 rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1875 }
1876 }
1877
1878 RTMemFree(papPoliciesLeft);
1879
1880 /*
1881 * 4.1.5.g.iii.4 - Prune the tree
1882 */
1883 rtCrX509CpvPolicyTreePrune(pThis, pThis->v.cNodes - 1);
1884
1885 return RT_SUCCESS(pThis->rc);
1886}
1887
1888
1889
1890/**
1891 * Frees the path validator state.
1892 *
1893 * @param pThis The path builder & validator instance.
1894 */
1895static void rtCrX509CpvCleanup(PRTCRX509CERTPATHSINT pThis)
1896{
1897 /*
1898 * Destroy the policy tree and all its nodes. We do this from the bottom
1899 * up via the depth lists, saving annoying tree traversal.
1900 */
1901 if (pThis->v.paValidPolicyDepthLists)
1902 {
1903 rtCrX509CpvPolicyTreeDestroy(pThis);
1904
1905 RTMemFree(pThis->v.paValidPolicyDepthLists);
1906 pThis->v.paValidPolicyDepthLists = NULL;
1907 }
1908
1909 Assert(pThis->v.pValidPolicyTree == NULL);
1910 pThis->v.pValidPolicyTree = NULL;
1911
1912 /*
1913 * Destroy the name constraint arrays.
1914 */
1915 if (pThis->v.papPermittedSubtrees)
1916 {
1917 RTMemFree(pThis->v.papPermittedSubtrees);
1918 pThis->v.papPermittedSubtrees = NULL;
1919 }
1920 pThis->v.cPermittedSubtrees = 0;
1921 pThis->v.cPermittedSubtreesAlloc = 0;
1922 pThis->v.fNoPermittedSubtrees = false;
1923
1924 if (pThis->v.papExcludedSubtrees)
1925 {
1926 RTMemFree(pThis->v.papExcludedSubtrees);
1927 pThis->v.papExcludedSubtrees = NULL;
1928 }
1929 pThis->v.cExcludedSubtrees = 0;
1930
1931 /*
1932 * Clear other pointers.
1933 */
1934 pThis->v.pWorkingIssuer = NULL;
1935 pThis->v.pWorkingPublicKey = NULL;
1936 pThis->v.pWorkingPublicKeyAlgorithm = NULL;
1937 pThis->v.pWorkingPublicKeyParameters = NULL;
1938}
1939
1940
1941
1942/**
1943 * Initializes the state.
1944 *
1945 * Caller must check pThis->rc.
1946 *
1947 * @param pThis The path builder & validator instance.
1948 * @param pTrustAnchor The trust anchor node for the path that we're about
1949 * to validate.
1950 */
1951static void rtCrX509CpvInit(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pTrustAnchor)
1952{
1953 rtCrX509CpvCleanup(pThis);
1954
1955 /*
1956 * The node count does not include the trust anchor.
1957 */
1958 pThis->v.cNodes = pTrustAnchor->uDepth;
1959
1960 /*
1961 * Valid policy tree starts with an anyPolicy node.
1962 */
1963 uint32_t i = pThis->v.cNodes + 1;
1964 pThis->v.paValidPolicyDepthLists = (PRTLISTANCHOR)rtCrX509CpvAllocZ(pThis, i * sizeof(RTLISTANCHOR),
1965 "paValidPolicyDepthLists");
1966 if (RT_UNLIKELY(!pThis->v.paValidPolicyDepthLists))
1967 return;
1968 while (i-- > 0)
1969 RTListInit(&pThis->v.paValidPolicyDepthLists[i]);
1970
1971 if (!rtCrX509CpvPolicyTreeInsertNew(pThis, NULL, 0 /* iDepth*/, &pThis->AnyPolicyObjId, NULL, &pThis->AnyPolicyObjId))
1972 return;
1973 Assert(!RTListIsEmpty(&pThis->v.paValidPolicyDepthLists[0])); Assert(pThis->v.pValidPolicyTree);
1974
1975 /*
1976 * Name constrains.
1977 */
1978 if (pThis->pInitialPermittedSubtrees)
1979 rtCrX509CpvAddPermittedSubtrees(pThis, pThis->pInitialPermittedSubtrees->cItems,
1980 pThis->pInitialPermittedSubtrees->papItems);
1981 if (pThis->pInitialExcludedSubtrees)
1982 rtCrX509CpvAddExcludedSubtrees(pThis, pThis->pInitialExcludedSubtrees);
1983
1984 /*
1985 * Counters.
1986 */
1987 pThis->v.cExplicitPolicy = pThis->cInitialExplicitPolicy;
1988 pThis->v.cInhibitPolicyMapping = pThis->cInitialPolicyMappingInhibit;
1989 pThis->v.cInhibitAnyPolicy = pThis->cInitialInhibitAnyPolicy;
1990 pThis->v.cMaxPathLength = pThis->v.cNodes;
1991
1992 /*
1993 * Certificate info from the trust anchor.
1994 */
1995 if (pTrustAnchor->pCert)
1996 {
1997 PCRTCRX509TBSCERTIFICATE const pTbsCert = &pTrustAnchor->pCert->TbsCertificate;
1998 pThis->v.pWorkingIssuer = &pTbsCert->Subject;
1999 pThis->v.pWorkingPublicKey = &pTbsCert->SubjectPublicKeyInfo.SubjectPublicKey;
2000 pThis->v.pWorkingPublicKeyAlgorithm = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm;
2001 pThis->v.pWorkingPublicKeyParameters = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters;
2002 }
2003 else
2004 {
2005 Assert(pTrustAnchor->pCertCtx); Assert(pTrustAnchor->pCertCtx->pTaInfo);
2006
2007 PCRTCRTAFTRUSTANCHORINFO const pTaInfo = pTrustAnchor->pCertCtx->pTaInfo;
2008 pThis->v.pWorkingIssuer = &pTaInfo->CertPath.TaName;
2009 pThis->v.pWorkingPublicKey = &pTaInfo->PubKey.SubjectPublicKey;
2010 pThis->v.pWorkingPublicKeyAlgorithm = &pTaInfo->PubKey.Algorithm.Algorithm;
2011 pThis->v.pWorkingPublicKeyParameters = &pTaInfo->PubKey.Algorithm.Parameters;
2012 }
2013 if ( !RTASN1CORE_IS_PRESENT(&pThis->v.pWorkingPublicKeyParameters->u.Core)
2014 || pThis->v.pWorkingPublicKeyParameters->enmType == RTASN1TYPE_NULL)
2015 pThis->v.pWorkingPublicKeyParameters = NULL;
2016}
2017
2018
2019/**
2020 * Step 6.1.3.a.
2021 */
2022static bool rtCrX509CpvCheckBasicCertInfo(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2023{
2024 /*
2025 * 6.1.3.a.1 - Verify the certificate signature.
2026 */
2027 int rc = RTCrX509Certificate_VerifySignature(pNode->pCert, pThis->v.pWorkingPublicKeyAlgorithm,
2028 pThis->v.pWorkingPublicKeyParameters, pThis->v.pWorkingPublicKey,
2029 pThis->pErrInfo);
2030 if (RT_FAILURE(rc))
2031 {
2032 pThis->rc = rc;
2033 return false;
2034 }
2035
2036 /*
2037 * 6.1.3.a.2 - Verify that the certificate is valid at the specified time.
2038 */
2039 AssertCompile(sizeof(pThis->szTmp) >= 36 * 3);
2040 if ( (pThis->fFlags & RTCRX509CERTPATHSINT_F_VALID_TIME)
2041 && !RTCrX509Validity_IsValidAtTimeSpec(&pNode->pCert->TbsCertificate.Validity, &pThis->ValidTime))
2042 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_VALID_AT_TIME,
2043 "Certificate is not valid (ValidTime=%s Validity=[%s...%s])",
2044 RTTimeSpecToString(&pThis->ValidTime, &pThis->szTmp[0], 36),
2045 RTTimeToString(&pNode->pCert->TbsCertificate.Validity.NotBefore.Time, &pThis->szTmp[36], 36),
2046 RTTimeToString(&pNode->pCert->TbsCertificate.Validity.NotAfter.Time, &pThis->szTmp[2*36], 36) );
2047
2048 /*
2049 * 6.1.3.a.3 - Verified that the certficiate is not revoked.
2050 */
2051 /** @todo rainy day. */
2052
2053 /*
2054 * 6.1.3.a.4 - Check the issuer name.
2055 */
2056 if (!RTCrX509Name_MatchByRfc5280(&pNode->pCert->TbsCertificate.Issuer, pThis->v.pWorkingIssuer))
2057 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_ISSUER_MISMATCH, "Issuer mismatch");
2058
2059 return true;
2060}
2061
2062
2063/**
2064 * Step 6.1.3.b-c.
2065 */
2066static bool rtCrX509CpvCheckNameConstraints(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2067{
2068 if (pThis->v.fNoPermittedSubtrees)
2069 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NO_PERMITTED_NAMES, "No permitted subtrees");
2070
2071 if ( pNode->pCert->TbsCertificate.Subject.cItems > 0
2072 && ( !rtCrX509CpvIsNamePermitted(pThis, &pNode->pCert->TbsCertificate.Subject)
2073 || rtCrX509CpvIsNameExcluded(pThis, &pNode->pCert->TbsCertificate.Subject)) )
2074 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NAME_NOT_PERMITTED,
2075 "Subject name is not permitted by current name constraints");
2076
2077 PCRTCRX509GENERALNAMES pAltSubjectName = pNode->pCert->TbsCertificate.T3.pAltSubjectName;
2078 if (pAltSubjectName)
2079 {
2080 uint32_t i = pAltSubjectName->cItems;
2081 while (i-- > 0)
2082 if ( !rtCrX509CpvIsGeneralNamePermitted(pThis, pAltSubjectName->papItems[i])
2083 || rtCrX509CpvIsGeneralNameExcluded(pThis, pAltSubjectName->papItems[i]))
2084 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_ALT_NAME_NOT_PERMITTED,
2085 "Alternative name #%u is is not permitted by current name constraints", i);
2086 }
2087
2088 return true;
2089}
2090
2091
2092/**
2093 * Step 6.1.3.d-f.
2094 */
2095static bool rtCrX509CpvWorkValidPolicyTree(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth, PRTCRX509CERTPATHNODE pNode,
2096 bool fSelfIssued)
2097{
2098 PCRTCRX509CERTIFICATEPOLICIES pPolicies = pNode->pCert->TbsCertificate.T3.pCertificatePolicies;
2099 if (pPolicies)
2100 {
2101 /*
2102 * 6.1.3.d.1 - Work the certiciate policies into the tree.
2103 */
2104 PRTCRX509CERTPATHSPOLICYNODE pCur;
2105 PRTLISTANCHOR pListAbove = &pThis->v.paValidPolicyDepthLists[iDepth - 1];
2106 uint32_t iAnyPolicy = UINT32_MAX;
2107 uint32_t i = pPolicies->cItems;
2108 while (i-- > 0)
2109 {
2110 PCRTCRX509POLICYQUALIFIERINFOS const pQualifiers = &pPolicies->papItems[i]->PolicyQualifiers;
2111 PCRTASN1OBJID const pIdP = &pPolicies->papItems[i]->PolicyIdentifier;
2112 if (RTAsn1ObjId_CompareWithString(pIdP, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2113 {
2114 iAnyPolicy++;
2115 continue;
2116 }
2117
2118 /*
2119 * 6.1.3.d.1.i - Create children for matching policies.
2120 */
2121 uint32_t cMatches = 0;
2122 RTListForEach(pListAbove, pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2123 {
2124 bool fMatch = RTAsn1ObjId_Compare(pCur->pExpectedPolicyFirst, pIdP) == 0;
2125 if (!fMatch && pCur->cMoreExpectedPolicySet)
2126 for (uint32_t j = 0; !fMatch && j < pCur->cMoreExpectedPolicySet; j++)
2127 fMatch = RTAsn1ObjId_Compare(pCur->papMoreExpectedPolicySet[j], pIdP) == 0;
2128 if (fMatch)
2129 {
2130 if (!rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pIdP, pQualifiers, pIdP))
2131 return false;
2132 cMatches++;
2133 }
2134 }
2135
2136 /*
2137 * 6.1.3.d.1.ii - If no matches above do the same for anyPolicy
2138 * nodes, only match with valid policy this time.
2139 */
2140 if (cMatches == 0)
2141 {
2142 RTListForEach(pListAbove, pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2143 {
2144 if (RTAsn1ObjId_CompareWithString(pCur->pExpectedPolicyFirst, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2145 {
2146 if (!rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pIdP, pQualifiers, pIdP))
2147 return false;
2148 }
2149 }
2150 }
2151 }
2152
2153 /*
2154 * 6.1.3.d.2 - If anyPolicy present, make sure all expected policies
2155 * are propagated to the current depth.
2156 */
2157 if ( iAnyPolicy < pPolicies->cItems
2158 && ( pThis->v.cInhibitAnyPolicy > 0
2159 || (pNode->pParent && fSelfIssued) ) )
2160 {
2161 PCRTCRX509POLICYQUALIFIERINFOS pApQ = &pPolicies->papItems[iAnyPolicy]->PolicyQualifiers;
2162 RTListForEach(pListAbove, pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2163 {
2164 if (!rtCrX509CpvPolicyTreeIsChild(pCur, pCur->pExpectedPolicyFirst))
2165 rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pCur->pExpectedPolicyFirst, pApQ,
2166 pCur->pExpectedPolicyFirst);
2167 for (uint32_t j = 0; j < pCur->cMoreExpectedPolicySet; j++)
2168 if (!rtCrX509CpvPolicyTreeIsChild(pCur, pCur->papMoreExpectedPolicySet[j]))
2169 rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pCur->papMoreExpectedPolicySet[j], pApQ,
2170 pCur->papMoreExpectedPolicySet[j]);
2171 }
2172 }
2173 /*
2174 * 6.1.3.d.3 - Prune the tree.
2175 */
2176 else
2177 rtCrX509CpvPolicyTreePrune(pThis, iDepth - 1);
2178 }
2179 else
2180 {
2181 /*
2182 * 6.1.3.e - No policy extension present, set tree to NULL.
2183 */
2184 rtCrX509CpvPolicyTreeDestroy(pThis);
2185 }
2186
2187 /*
2188 * 6.1.3.f - NULL tree check.
2189 */
2190 if ( pThis->v.pValidPolicyTree == NULL
2191 && pThis->v.cExplicitPolicy == 0)
2192 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NO_VALID_POLICY,
2193 "An explicit policy is called for but the valid policy tree is NULL.");
2194 return RT_SUCCESS(pThis->rc);
2195}
2196
2197
2198/**
2199 * Step 6.1.4.a-b.
2200 */
2201static bool rtCrX509CpvSoakUpPolicyMappings(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth,
2202 PCRTCRX509POLICYMAPPINGS pPolicyMappings)
2203{
2204 /*
2205 * 6.1.4.a - The anyPolicy is not allowed in policy mappings as it would
2206 * allow an evil intermediate certificate to expand the policy
2207 * scope of a certiciate chain without regard to upstream.
2208 */
2209 uint32_t i = pPolicyMappings->cItems;
2210 while (i-- > 0)
2211 {
2212 PCRTCRX509POLICYMAPPING const pOne = pPolicyMappings->papItems[i];
2213 if (RTAsn1ObjId_CompareWithString(&pOne->IssuerDomainPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2214 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_INVALID_POLICY_MAPPING,
2215 "Invalid policy mapping %#u: IssuerDomainPolicy is anyPolicy.", i);
2216
2217 if (RTAsn1ObjId_CompareWithString(&pOne->SubjectDomainPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2218 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_INVALID_POLICY_MAPPING,
2219 "Invalid policy mapping %#u: SubjectDomainPolicy is anyPolicy.", i);
2220 }
2221
2222 PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
2223 if (pThis->v.cInhibitPolicyMapping > 0)
2224 {
2225 /*
2226 * 6.1.4.b.1 - Do the policy mapping.
2227 */
2228 i = pPolicyMappings->cItems;
2229 while (i-- > 0)
2230 {
2231 PCRTCRX509POLICYMAPPING const pOne = pPolicyMappings->papItems[i];
2232
2233 uint32_t cFound = 0;
2234 RTListForEach(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2235 {
2236 if (RTAsn1ObjId_Compare(pCur->pValidPolicy, &pOne->IssuerDomainPolicy))
2237 {
2238 if (!pCur->fAlreadyMapped)
2239 {
2240 pCur->fAlreadyMapped = true;
2241 pCur->pExpectedPolicyFirst = &pOne->SubjectDomainPolicy;
2242 }
2243 else
2244 {
2245 uint32_t iExpected = pCur->cMoreExpectedPolicySet;
2246 void *pvNew = RTMemRealloc(pCur->papMoreExpectedPolicySet,
2247 sizeof(pCur->papMoreExpectedPolicySet[0]) * (iExpected + 1));
2248 if (!pvNew)
2249 return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY,
2250 "Error growing papMoreExpectedPolicySet array (cur %u, depth %u)",
2251 pCur->cMoreExpectedPolicySet, iDepth);
2252 pCur->papMoreExpectedPolicySet = (PCRTASN1OBJID *)pvNew;
2253 pCur->papMoreExpectedPolicySet[iExpected] = &pOne->SubjectDomainPolicy;
2254 pCur->cMoreExpectedPolicySet = iExpected + 1;
2255 }
2256 cFound++;
2257 }
2258 }
2259
2260 /*
2261 * If no mapping took place, look for an anyPolicy node.
2262 */
2263 if (!cFound)
2264 {
2265 RTListForEach(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2266 {
2267 if (RTAsn1ObjId_CompareWithString(pCur->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2268 {
2269 if (!rtCrX509CpvPolicyTreeInsertNew(pThis, pCur->pParent, iDepth,
2270 &pOne->IssuerDomainPolicy,
2271 pCur->pPolicyQualifiers,
2272 &pOne->SubjectDomainPolicy))
2273 return false;
2274 break;
2275 }
2276 }
2277 }
2278 }
2279 }
2280 else
2281 {
2282 /*
2283 * 6.1.4.b.2 - Remove matching policies from the tree if mapping is
2284 * inhibited and prune the tree.
2285 */
2286 uint32_t cRemoved = 0;
2287 i = pPolicyMappings->cItems;
2288 while (i-- > 0)
2289 {
2290 PCRTCRX509POLICYMAPPING const pOne = pPolicyMappings->papItems[i];
2291 RTListForEachSafe(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2292 {
2293 if (RTAsn1ObjId_Compare(pCur->pValidPolicy, &pOne->IssuerDomainPolicy))
2294 {
2295 rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
2296 cRemoved++;
2297 }
2298 }
2299 }
2300 if (cRemoved)
2301 rtCrX509CpvPolicyTreePrune(pThis, iDepth - 1);
2302 }
2303
2304 return true;
2305}
2306
2307
2308/**
2309 * Step 6.1.4.d-f & 6.1.5.c-e.
2310 */
2311static void rtCrX509CpvSetWorkingPublicKeyInfo(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2312{
2313 PCRTCRX509TBSCERTIFICATE const pTbsCert = &pNode->pCert->TbsCertificate;
2314
2315 /*
2316 * 6.1.4.d - The public key.
2317 */
2318 pThis->v.pWorkingPublicKey = &pTbsCert->SubjectPublicKeyInfo.SubjectPublicKey;
2319
2320 /*
2321 * 6.1.4.e - The public key parameters. Use new ones if present, keep old
2322 * if the algorithm remains the same.
2323 */
2324 if ( RTASN1CORE_IS_PRESENT(&pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters.u.Core)
2325 && pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters.enmType != RTASN1TYPE_NULL)
2326 pThis->v.pWorkingPublicKeyParameters = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters;
2327 else if ( pThis->v.pWorkingPublicKeyParameters
2328 && RTAsn1ObjId_Compare(pThis->v.pWorkingPublicKeyAlgorithm, &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm) != 0)
2329 pThis->v.pWorkingPublicKeyParameters = NULL;
2330
2331 /*
2332 * 6.1.4.f - The public algorithm.
2333 */
2334 pThis->v.pWorkingPublicKeyAlgorithm = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm;
2335}
2336
2337
2338/**
2339 * Step 6.1.4.g.
2340 */
2341static bool rtCrX509CpvSoakUpNameConstraints(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAMECONSTRAINTS pNameConstraints)
2342{
2343 if (pNameConstraints->T0.PermittedSubtrees.cItems > 0)
2344 if (!rtCrX509CpvIntersectionPermittedSubtrees(pThis, &pNameConstraints->T0.PermittedSubtrees))
2345 return false;
2346
2347 if (pNameConstraints->T1.ExcludedSubtrees.cItems > 0)
2348 if (!rtCrX509CpvAddExcludedSubtrees(pThis, &pNameConstraints->T1.ExcludedSubtrees))
2349 return false;
2350
2351 return true;
2352}
2353
2354
2355/**
2356 * Step 6.1.4.i.
2357 */
2358static bool rtCrX509CpvSoakUpPolicyConstraints(PRTCRX509CERTPATHSINT pThis, PCRTCRX509POLICYCONSTRAINTS pPolicyConstraints)
2359{
2360 if (RTAsn1Integer_IsPresent(&pPolicyConstraints->RequireExplicitPolicy))
2361 {
2362 if (RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->RequireExplicitPolicy, pThis->v.cExplicitPolicy) < 0)
2363 pThis->v.cExplicitPolicy = pPolicyConstraints->RequireExplicitPolicy.uValue.s.Lo;
2364 }
2365
2366 if (RTAsn1Integer_IsPresent(&pPolicyConstraints->InhibitPolicyMapping))
2367 {
2368 if (RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->InhibitPolicyMapping, pThis->v.cInhibitPolicyMapping) < 0)
2369 pThis->v.cInhibitPolicyMapping = pPolicyConstraints->InhibitPolicyMapping.uValue.s.Lo;
2370 }
2371 return true;
2372}
2373
2374
2375/**
2376 * Step 6.1.4.j.
2377 */
2378static bool rtCrX509CpvSoakUpInhibitAnyPolicy(PRTCRX509CERTPATHSINT pThis, PCRTASN1INTEGER pInhibitAnyPolicy)
2379{
2380 if (RTAsn1Integer_UnsignedCompareWithU32(pInhibitAnyPolicy, pThis->v.cInhibitAnyPolicy) < 0)
2381 pThis->v.cInhibitAnyPolicy = pInhibitAnyPolicy->uValue.s.Lo;
2382 return true;
2383}
2384
2385
2386/**
2387 * Steps 6.1.4.k, 6.1.4.l, 6.1.4.m, and 6.1.4.n.
2388 */
2389static bool rtCrX509CpvCheckAndSoakUpBasicConstraintsAndKeyUsage(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode,
2390 bool fSelfIssued)
2391{
2392 /* 6.1.4.k - If basic constraints present, CA must be set. */
2393 if (RTAsn1Integer_UnsignedCompareWithU32(&pNode->pCert->TbsCertificate.T0.Version, RTCRX509TBSCERTIFICATE_V3) != 0)
2394 {
2395 /* Note! Add flags if support for older certificates is needed later. */
2396 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_V3_CERT,
2397 "Only version 3 certificates are supported (Version=%llu)",
2398 pNode->pCert->TbsCertificate.T0.Version.uValue);
2399 }
2400 PCRTCRX509BASICCONSTRAINTS pBasicConstraints = pNode->pCert->TbsCertificate.T3.pBasicConstraints;
2401 if (pBasicConstraints)
2402 {
2403 if (!pBasicConstraints->CA.fValue)
2404 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_CA_CERT,
2405 "Intermediate certificate (#%u) is not marked as a CA", pThis->v.iNode);
2406 }
2407
2408 /* 6.1.4.l - Work cMaxPathLength. */
2409 if (!fSelfIssued)
2410 {
2411 if (pThis->v.cMaxPathLength > 0)
2412 pThis->v.cMaxPathLength--;
2413 else
2414 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_MAX_PATH_LENGTH,
2415 "Hit max path length at node #%u", pThis->v.iNode);
2416 }
2417
2418 /* 6.1.4.m - Update cMaxPathLength if basic constrain field is present and smaller. */
2419 if (pBasicConstraints)
2420 {
2421 if (RTAsn1Integer_IsPresent(&pBasicConstraints->PathLenConstraint))
2422 if (RTAsn1Integer_UnsignedCompareWithU32(&pBasicConstraints->PathLenConstraint, pThis->v.cMaxPathLength) < 0)
2423 pThis->v.cMaxPathLength = pBasicConstraints->PathLenConstraint.uValue.s.Lo;
2424 }
2425
2426 /* 6.1.4.n - Require keyCertSign in key usage if the extension is present. */
2427 PCRTCRX509TBSCERTIFICATE const pTbsCert = &pNode->pCert->TbsCertificate;
2428 if ( (pTbsCert->T3.fFlags & RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE)
2429 && !(pTbsCert->T3.fKeyUsage & RTCRX509CERT_KEY_USAGE_F_KEY_CERT_SIGN))
2430 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_MISSING_KEY_CERT_SIGN,
2431 "Node #%u does not have KeyCertSign set (keyUsage=%#x)",
2432 pThis->v.iNode, pTbsCert->T3.fKeyUsage);
2433
2434 return true;
2435}
2436
2437
2438/**
2439 * Step 6.1.4.o - check out critical extensions.
2440 */
2441static bool rtCrX509CpvCheckCriticalExtensions(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2442{
2443 uint32_t cLeft = pNode->pCert->TbsCertificate.T3.Extensions.cItems;
2444 PRTCRX509EXTENSION const *ppCur = pNode->pCert->TbsCertificate.T3.Extensions.papItems;
2445 while (cLeft-- > 0)
2446 {
2447 PCRTCRX509EXTENSION const pCur = *ppCur;
2448 if (pCur->Critical.fValue)
2449 {
2450 if ( RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_KEY_USAGE_OID) != 0
2451 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID) != 0
2452 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_ISSUER_ALT_NAME_OID) != 0
2453 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID) != 0
2454 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_NAME_CONSTRAINTS_OID) != 0
2455 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID) != 0
2456 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_POLICY_MAPPINGS_OID) != 0
2457 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID) != 0
2458 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_EXT_KEY_USAGE_OID) != 0
2459 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID) != 0
2460 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_APPLICATION_OID) != 0
2461 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_INSTALLER_OID) != 0
2462 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_KEXT_OID) != 0
2463 )
2464 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNKNOWN_CRITICAL_EXTENSION,
2465 "Node #%u has an unknown critical extension: %s", pThis->v.iNode, pCur->ExtnId.szObjId);
2466 }
2467
2468 ppCur++;
2469 }
2470
2471 return true;
2472}
2473
2474
2475/**
2476 * Step 6.1.5 - The wrapping up.
2477 */
2478static bool rtCrX509CpvWrapUp(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2479{
2480 Assert(!pNode->pParent); Assert(pThis->pTarget == pNode->pCert);
2481
2482 /*
2483 * 6.1.5.a - Decrement explicit policy.
2484 */
2485 if (pThis->v.cExplicitPolicy > 0)
2486 pThis->v.cExplicitPolicy--;
2487
2488 /*
2489 * 6.1.5.b - Policy constraints and explicit policy.
2490 */
2491 PCRTCRX509POLICYCONSTRAINTS pPolicyConstraints = pNode->pCert->TbsCertificate.T3.pPolicyConstraints;
2492 if ( pPolicyConstraints
2493 && RTAsn1Integer_IsPresent(&pPolicyConstraints->RequireExplicitPolicy)
2494 && RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->RequireExplicitPolicy, 0) == 0)
2495 pThis->v.cExplicitPolicy = 0;
2496
2497 /*
2498 * 6.1.5.c-e - Update working public key info.
2499 */
2500 rtCrX509CpvSetWorkingPublicKeyInfo(pThis, pNode);
2501
2502 /*
2503 * 6.1.5.f - Critical extensions.
2504 */
2505 if (!rtCrX509CpvCheckCriticalExtensions(pThis, pNode))
2506 return false;
2507
2508 /*
2509 * 6.1.5.g - Calculate the intersection between the user initial policy set
2510 * and the valid policy tree.
2511 */
2512 rtCrX509CpvPolicyTreeIntersect(pThis, pThis->cInitialUserPolicySet, pThis->papInitialUserPolicySet);
2513
2514 if ( pThis->v.cExplicitPolicy == 0
2515 && pThis->v.pValidPolicyTree == NULL)
2516 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NO_VALID_POLICY, "No valid policy (wrap-up).");
2517
2518 return true;
2519}
2520
2521
2522/**
2523 * Worker that validates one path.
2524 *
2525 * This implements the algorithm in RFC-5280, section 6.1, with exception of
2526 * the CRL checks in 6.1.3.a.3.
2527 *
2528 * @returns success indicator.
2529 * @param pThis The path builder & validator instance.
2530 * @param pTrustAnchor The trust anchor node.
2531 */
2532static bool rtCrX509CpvOneWorker(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pTrustAnchor)
2533{
2534 /*
2535 * Special case, target certificate is trusted.
2536 */
2537 if (!pTrustAnchor->pParent)
2538 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CERTPATHS_INTERNAL_ERROR, "Target certificate is trusted.");
2539
2540 /*
2541 * Normal processing.
2542 */
2543 rtCrX509CpvInit(pThis, pTrustAnchor);
2544 if (RT_SUCCESS(pThis->rc))
2545 {
2546 PRTCRX509CERTPATHNODE pNode = pTrustAnchor->pParent;
2547 uint32_t iNode = pThis->v.iNode = 1; /* We count to cNode (inclusive). Same a validation tree depth. */
2548 while (pNode && RT_SUCCESS(pThis->rc))
2549 {
2550 /*
2551 * Basic certificate processing.
2552 */
2553 if (!rtCrX509CpvCheckBasicCertInfo(pThis, pNode)) /* Step 6.1.3.a */
2554 break;
2555
2556 bool const fSelfIssued = rtCrX509CertPathsIsSelfIssued(pNode);
2557 if (!fSelfIssued || !pNode->pParent) /* Step 6.1.3.b-c */
2558 if (!rtCrX509CpvCheckNameConstraints(pThis, pNode))
2559 break;
2560
2561 if (!rtCrX509CpvWorkValidPolicyTree(pThis, iNode, pNode, fSelfIssued)) /* Step 6.1.3.d-f */
2562 break;
2563
2564 /*
2565 * If it's the last certificate in the path, do wrap-ups.
2566 */
2567 if (!pNode->pParent) /* Step 6.1.5 */
2568 {
2569 Assert(iNode == pThis->v.cNodes);
2570 if (!rtCrX509CpvWrapUp(pThis, pNode))
2571 break;
2572 AssertRCBreak(pThis->rc);
2573 return true;
2574 }
2575
2576 /*
2577 * Preparations for the next certificate.
2578 */
2579 PCRTCRX509TBSCERTIFICATE const pTbsCert = &pNode->pCert->TbsCertificate;
2580 if ( pTbsCert->T3.pPolicyMappings
2581 && !rtCrX509CpvSoakUpPolicyMappings(pThis, iNode, pTbsCert->T3.pPolicyMappings)) /* Step 6.1.4.a-b */
2582 break;
2583
2584 pThis->v.pWorkingIssuer = &pTbsCert->Subject; /* Step 6.1.4.c */
2585
2586 rtCrX509CpvSetWorkingPublicKeyInfo(pThis, pNode); /* Step 6.1.4.d-f */
2587
2588 if ( pTbsCert->T3.pNameConstraints /* Step 6.1.4.g */
2589 && !rtCrX509CpvSoakUpNameConstraints(pThis, pTbsCert->T3.pNameConstraints))
2590 break;
2591
2592 if (!fSelfIssued) /* Step 6.1.4.h */
2593 {
2594 if (pThis->v.cExplicitPolicy > 0)
2595 pThis->v.cExplicitPolicy--;
2596 if (pThis->v.cInhibitPolicyMapping > 0)
2597 pThis->v.cInhibitPolicyMapping--;
2598 if (pThis->v.cInhibitAnyPolicy > 0)
2599 pThis->v.cInhibitAnyPolicy--;
2600 }
2601
2602 if ( pTbsCert->T3.pPolicyConstraints /* Step 6.1.4.j */
2603 && !rtCrX509CpvSoakUpPolicyConstraints(pThis, pTbsCert->T3.pPolicyConstraints))
2604 break;
2605
2606 if ( pTbsCert->T3.pInhibitAnyPolicy /* Step 6.1.4.j */
2607 && !rtCrX509CpvSoakUpInhibitAnyPolicy(pThis, pTbsCert->T3.pInhibitAnyPolicy))
2608 break;
2609
2610 if (!rtCrX509CpvCheckAndSoakUpBasicConstraintsAndKeyUsage(pThis, pNode, fSelfIssued)) /* Step 6.1.4.k-n */
2611 break;
2612
2613 if (!rtCrX509CpvCheckCriticalExtensions(pThis, pNode)) /* Step 6.1.4.o */
2614 break;
2615
2616 /*
2617 * Advance to the next certificate.
2618 */
2619 pNode = pNode->pParent;
2620 pThis->v.iNode = ++iNode;
2621 }
2622 AssertStmt(RT_FAILURE_NP(pThis->rc), pThis->rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR);
2623 }
2624 return false;
2625}
2626
2627
2628RTDECL(int) RTCrX509CertPathsValidateOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, PRTERRINFO pErrInfo)
2629{
2630 /*
2631 * Validate the input.
2632 */
2633 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2634 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2635 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2636 AssertReturn(!(pThis->fFlags & ~RTCRX509CERTPATHSINT_F_VALID_MASK), VERR_INVALID_PARAMETER);
2637 AssertPtrReturn(pThis->pTarget, VERR_INVALID_PARAMETER);
2638 AssertPtrReturn(pThis->pRoot, VERR_INVALID_PARAMETER);
2639 AssertReturn(pThis->rc == VINF_SUCCESS, VERR_INVALID_PARAMETER);
2640
2641 /*
2642 * Locate the path and validate it.
2643 */
2644 int rc;
2645 if (iPath < pThis->cPaths)
2646 {
2647 PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2648 if (pLeaf)
2649 {
2650 if (RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pLeaf->uSrc))
2651 {
2652 pThis->pErrInfo = pErrInfo;
2653 rtCrX509CpvOneWorker(pThis, pLeaf);
2654 pThis->pErrInfo = NULL;
2655 rc = pThis->rc;
2656 pThis->rc = VINF_SUCCESS;
2657 }
2658 else
2659 rc = RTErrInfoSetF(pErrInfo, VERR_CR_X509_NO_TRUST_ANCHOR, "Path #%u is does not have a trust anchor: uSrc=%s",
2660 iPath, rtCrX509CertPathsNodeGetSourceName(pLeaf));
2661 pLeaf->rcVerify = rc;
2662 }
2663 else
2664 rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR;
2665 }
2666 else
2667 rc = VERR_NOT_FOUND;
2668 return rc;
2669}
2670
2671
2672RTDECL(int) RTCrX509CertPathsValidateAll(RTCRX509CERTPATHS hCertPaths, uint32_t *pcValidPaths, PRTERRINFO pErrInfo)
2673{
2674 /*
2675 * Validate the input.
2676 */
2677 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2678 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2679 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2680 AssertReturn(!(pThis->fFlags & ~RTCRX509CERTPATHSINT_F_VALID_MASK), VERR_INVALID_PARAMETER);
2681 AssertPtrReturn(pThis->pTarget, VERR_INVALID_PARAMETER);
2682 AssertPtrReturn(pThis->pRoot, VERR_INVALID_PARAMETER);
2683 AssertReturn(pThis->rc == VINF_SUCCESS, VERR_INVALID_PARAMETER);
2684 AssertPtrNullReturn(pcValidPaths, VERR_INVALID_POINTER);
2685
2686 /*
2687 * Validate the paths.
2688 */
2689 pThis->pErrInfo = pErrInfo;
2690
2691 int rcLastFailure = VINF_SUCCESS;
2692 uint32_t cValidPaths = 0;
2693 PRTCRX509CERTPATHNODE pCurLeaf;
2694 RTListForEach(&pThis->LeafList, pCurLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
2695 {
2696 if (RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCurLeaf->uSrc))
2697 {
2698 rtCrX509CpvOneWorker(hCertPaths, pCurLeaf);
2699 if (RT_SUCCESS(pThis->rc))
2700 cValidPaths++;
2701 else
2702 rcLastFailure = pThis->rc;
2703 pCurLeaf->rcVerify = pThis->rc;
2704 pThis->rc = VINF_SUCCESS;
2705 }
2706 else
2707 pCurLeaf->rcVerify = VERR_CR_X509_NO_TRUST_ANCHOR;
2708 }
2709
2710 pThis->pErrInfo = NULL;
2711
2712 if (pcValidPaths)
2713 *pcValidPaths = cValidPaths;
2714 if (cValidPaths > 0)
2715 return VINF_SUCCESS;
2716 if (RT_SUCCESS_NP(rcLastFailure))
2717 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_CPV_NO_TRUSTED_PATHS,
2718 "None of the %u path(s) have a trust anchor.", pThis->cPaths);
2719 return rcLastFailure;
2720}
2721
2722
2723RTDECL(uint32_t) RTCrX509CertPathsGetPathCount(RTCRX509CERTPATHS hCertPaths)
2724{
2725 /*
2726 * Validate the input.
2727 */
2728 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2729 AssertPtrReturn(pThis, UINT32_MAX);
2730 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, UINT32_MAX);
2731 AssertPtrReturn(pThis->pRoot, UINT32_MAX);
2732
2733 /*
2734 * Return data.
2735 */
2736 return pThis->cPaths;
2737}
2738
2739
2740RTDECL(int) RTCrX509CertPathsQueryPathInfo(RTCRX509CERTPATHS hCertPaths, uint32_t iPath,
2741 bool *pfTrusted, uint32_t *pcNodes, PCRTCRX509NAME *ppSubject,
2742 PCRTCRX509SUBJECTPUBLICKEYINFO *ppPublicKeyInfo,
2743 PCRTCRX509CERTIFICATE *ppCert, PCRTCRCERTCTX *ppCertCtx,
2744 int *prcVerify)
2745{
2746 /*
2747 * Validate the input.
2748 */
2749 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2750 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2751 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2752 AssertPtrReturn(pThis->pRoot, VERR_WRONG_ORDER);
2753 AssertReturn(iPath < pThis->cPaths, VERR_NOT_FOUND);
2754
2755 /*
2756 * Get the data.
2757 */
2758 PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2759 AssertReturn(pLeaf, VERR_CR_X509_INTERNAL_ERROR);
2760
2761 if (pfTrusted)
2762 *pfTrusted = RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pLeaf->uSrc);
2763
2764 if (pcNodes)
2765 *pcNodes = pLeaf->uDepth + 1; /* Includes both trust anchor and target. */
2766
2767 if (ppSubject)
2768 *ppSubject = pLeaf->pCert ? &pLeaf->pCert->TbsCertificate.Subject : &pLeaf->pCertCtx->pTaInfo->CertPath.TaName;
2769
2770 if (ppPublicKeyInfo)
2771 *ppPublicKeyInfo = pLeaf->pCert ? &pLeaf->pCert->TbsCertificate.SubjectPublicKeyInfo : &pLeaf->pCertCtx->pTaInfo->PubKey;
2772
2773 if (ppCert)
2774 *ppCert = pLeaf->pCert;
2775
2776 if (ppCertCtx)
2777 {
2778 if (pLeaf->pCertCtx)
2779 {
2780 uint32_t cRefs = RTCrCertCtxRetain(pLeaf->pCertCtx);
2781 AssertReturn(cRefs != UINT32_MAX, VERR_CR_X509_INTERNAL_ERROR);
2782 }
2783 *ppCertCtx = pLeaf->pCertCtx;
2784 }
2785
2786 if (prcVerify)
2787 *prcVerify = pLeaf->rcVerify;
2788
2789 return VINF_SUCCESS;
2790}
2791
2792
2793RTDECL(uint32_t) RTCrX509CertPathsGetPathLength(RTCRX509CERTPATHS hCertPaths, uint32_t iPath)
2794{
2795 /*
2796 * Validate the input.
2797 */
2798 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2799 AssertPtrReturn(pThis, UINT32_MAX);
2800 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, UINT32_MAX);
2801 AssertPtrReturn(pThis->pRoot, UINT32_MAX);
2802 AssertReturn(iPath < pThis->cPaths, UINT32_MAX);
2803
2804 /*
2805 * Get the data.
2806 */
2807 PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2808 AssertReturn(pLeaf, UINT32_MAX);
2809 return pLeaf->uDepth + 1;
2810}
2811
2812
2813RTDECL(int) RTCrX509CertPathsGetPathVerifyResult(RTCRX509CERTPATHS hCertPaths, uint32_t iPath)
2814{
2815 /*
2816 * Validate the input.
2817 */
2818 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2819 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2820 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2821 AssertPtrReturn(pThis->pRoot, VERR_WRONG_ORDER);
2822 AssertReturn(iPath < pThis->cPaths, VERR_NOT_FOUND);
2823
2824 /*
2825 * Get the data.
2826 */
2827 PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2828 AssertReturn(pLeaf, VERR_CR_X509_INTERNAL_ERROR);
2829
2830 return pLeaf->rcVerify;
2831}
2832
2833
2834static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetPathNodeByIndexes(PRTCRX509CERTPATHSINT pThis, uint32_t iPath, uint32_t iNode)
2835{
2836 PRTCRX509CERTPATHNODE pNode = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2837 Assert(pNode);
2838 if (pNode)
2839 {
2840 if (iNode <= pNode->uDepth)
2841 {
2842 uint32_t uCertDepth = pNode->uDepth - iNode;
2843 while (pNode->uDepth > uCertDepth)
2844 pNode = pNode->pParent;
2845 Assert(pNode);
2846 Assert(pNode && pNode->uDepth == uCertDepth);
2847 return pNode;
2848 }
2849 }
2850
2851 return NULL;
2852}
2853
2854
2855RTDECL(PCRTCRX509CERTIFICATE) RTCrX509CertPathsGetPathNodeCert(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t iNode)
2856{
2857 /*
2858 * Validate the input.
2859 */
2860 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2861 AssertPtrReturn(pThis, NULL);
2862 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, NULL);
2863 AssertPtrReturn(pThis->pRoot, NULL);
2864 AssertReturn(iPath < pThis->cPaths, NULL);
2865
2866 /*
2867 * Get the data.
2868 */
2869 PRTCRX509CERTPATHNODE pNode = rtCrX509CertPathsGetPathNodeByIndexes(pThis, iPath, iNode);
2870 if (pNode)
2871 return pNode->pCert;
2872 return NULL;
2873}
2874
2875
2876/** @} */
2877
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette