1 | /* $Id: x509-core.cpp 96407 2022-08-22 17:43:14Z vboxsync $ */
|
---|
2 | /** @file
|
---|
3 | * IPRT - Crypto - X.509, Core APIs.
|
---|
4 | */
|
---|
5 |
|
---|
6 | /*
|
---|
7 | * Copyright (C) 2006-2022 Oracle and/or its affiliates.
|
---|
8 | *
|
---|
9 | * This file is part of VirtualBox base platform packages, as
|
---|
10 | * available from https://www.virtualbox.org.
|
---|
11 | *
|
---|
12 | * This program is free software; you can redistribute it and/or
|
---|
13 | * modify it under the terms of the GNU General Public License
|
---|
14 | * as published by the Free Software Foundation, in version 3 of the
|
---|
15 | * License.
|
---|
16 | *
|
---|
17 | * This program is distributed in the hope that it will be useful, but
|
---|
18 | * WITHOUT ANY WARRANTY; without even the implied warranty of
|
---|
19 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
---|
20 | * General Public License for more details.
|
---|
21 | *
|
---|
22 | * You should have received a copy of the GNU General Public License
|
---|
23 | * along with this program; if not, see <https://www.gnu.org/licenses>.
|
---|
24 | *
|
---|
25 | * The contents of this file may alternatively be used under the terms
|
---|
26 | * of the Common Development and Distribution License Version 1.0
|
---|
27 | * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
|
---|
28 | * in the VirtualBox distribution, in which case the provisions of the
|
---|
29 | * CDDL are applicable instead of those of the GPL.
|
---|
30 | *
|
---|
31 | * You may elect to license modified versions of this file under the
|
---|
32 | * terms and conditions of either the GPL or the CDDL or both.
|
---|
33 | *
|
---|
34 | * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
|
---|
35 | */
|
---|
36 |
|
---|
37 |
|
---|
38 | /*********************************************************************************************************************************
|
---|
39 | * Header Files *
|
---|
40 | *********************************************************************************************************************************/
|
---|
41 | #include "internal/iprt.h"
|
---|
42 | #include <iprt/crypto/x509.h>
|
---|
43 |
|
---|
44 | #include <iprt/err.h>
|
---|
45 | #include <iprt/string.h>
|
---|
46 | #include <iprt/uni.h>
|
---|
47 |
|
---|
48 | #include "x509-internal.h"
|
---|
49 |
|
---|
50 |
|
---|
51 | /*
|
---|
52 | * Generate the code.
|
---|
53 | */
|
---|
54 | #include <iprt/asn1-generator-core.h>
|
---|
55 |
|
---|
56 |
|
---|
57 | /*
|
---|
58 | * X.509 Validity.
|
---|
59 | */
|
---|
60 |
|
---|
61 | RTDECL(bool) RTCrX509Validity_IsValidAtTimeSpec(PCRTCRX509VALIDITY pThis, PCRTTIMESPEC pTimeSpec)
|
---|
62 | {
|
---|
63 | if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotBefore, pTimeSpec) > 0)
|
---|
64 | return false;
|
---|
65 | if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotAfter, pTimeSpec) < 0)
|
---|
66 | return false;
|
---|
67 | return true;
|
---|
68 | }
|
---|
69 |
|
---|
70 |
|
---|
71 | /*
|
---|
72 | * One X.509 Algorithm Identifier.
|
---|
73 | */
|
---|
74 |
|
---|
75 | RTDECL(RTDIGESTTYPE) RTCrX509AlgorithmIdentifier_QueryDigestType(PCRTCRX509ALGORITHMIDENTIFIER pThis)
|
---|
76 | {
|
---|
77 | AssertPtrReturn(pThis, RTDIGESTTYPE_INVALID);
|
---|
78 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
|
---|
79 | return RTDIGESTTYPE_MD5;
|
---|
80 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
|
---|
81 | return RTDIGESTTYPE_SHA1;
|
---|
82 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
|
---|
83 | return RTDIGESTTYPE_SHA256;
|
---|
84 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
|
---|
85 | return RTDIGESTTYPE_SHA512;
|
---|
86 |
|
---|
87 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
|
---|
88 | return RTDIGESTTYPE_SHA384;
|
---|
89 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
|
---|
90 | return RTDIGESTTYPE_SHA224;
|
---|
91 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
|
---|
92 | return RTDIGESTTYPE_SHA512T224;
|
---|
93 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
|
---|
94 | return RTDIGESTTYPE_SHA512T256;
|
---|
95 |
|
---|
96 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224))
|
---|
97 | return RTDIGESTTYPE_SHA3_224;
|
---|
98 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256))
|
---|
99 | return RTDIGESTTYPE_SHA3_256;
|
---|
100 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384))
|
---|
101 | return RTDIGESTTYPE_SHA3_384;
|
---|
102 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512))
|
---|
103 | return RTDIGESTTYPE_SHA3_512;
|
---|
104 | return RTDIGESTTYPE_INVALID;
|
---|
105 | }
|
---|
106 |
|
---|
107 |
|
---|
108 | RTDECL(uint32_t) RTCrX509AlgorithmIdentifier_QueryDigestSize(PCRTCRX509ALGORITHMIDENTIFIER pThis)
|
---|
109 | {
|
---|
110 | AssertPtrReturn(pThis, UINT32_MAX);
|
---|
111 |
|
---|
112 | /* common */
|
---|
113 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
|
---|
114 | return 128 / 8;
|
---|
115 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
|
---|
116 | return 160 / 8;
|
---|
117 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
|
---|
118 | return 256 / 8;
|
---|
119 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
|
---|
120 | return 512 / 8;
|
---|
121 |
|
---|
122 | /* Less common. */
|
---|
123 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD2))
|
---|
124 | return 128 / 8;
|
---|
125 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD4))
|
---|
126 | return 128 / 8;
|
---|
127 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
|
---|
128 | return 384 / 8;
|
---|
129 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
|
---|
130 | return 224 / 8;
|
---|
131 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
|
---|
132 | return 224 / 8;
|
---|
133 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
|
---|
134 | return 256 / 8;
|
---|
135 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224))
|
---|
136 | return 224 / 8;
|
---|
137 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256))
|
---|
138 | return 256 / 8;
|
---|
139 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384))
|
---|
140 | return 384 / 8;
|
---|
141 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512))
|
---|
142 | return 512 / 8;
|
---|
143 | if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
|
---|
144 | return 512 / 8;
|
---|
145 |
|
---|
146 | return UINT32_MAX;
|
---|
147 | }
|
---|
148 |
|
---|
149 |
|
---|
150 | RTDECL(int) RTCrX509AlgorithmIdentifier_CompareWithString(PCRTCRX509ALGORITHMIDENTIFIER pThis, const char *pszObjId)
|
---|
151 | {
|
---|
152 | return strcmp(pThis->Algorithm.szObjId, pszObjId);
|
---|
153 | }
|
---|
154 |
|
---|
155 |
|
---|
156 | RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(const char *pszDigestOid,
|
---|
157 | const char *pszEncryptedDigestOid)
|
---|
158 | {
|
---|
159 | /* common */
|
---|
160 | if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5))
|
---|
161 | {
|
---|
162 | if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA))
|
---|
163 | return 0;
|
---|
164 | }
|
---|
165 | else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
|
---|
166 | {
|
---|
167 | if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA))
|
---|
168 | return 0;
|
---|
169 | }
|
---|
170 | else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
|
---|
171 | {
|
---|
172 | if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA))
|
---|
173 | return 0;
|
---|
174 | }
|
---|
175 | else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
|
---|
176 | {
|
---|
177 | if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA))
|
---|
178 | return 0;
|
---|
179 | }
|
---|
180 | /* Less common. */
|
---|
181 | else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2))
|
---|
182 | {
|
---|
183 | if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA))
|
---|
184 | return 0;
|
---|
185 | }
|
---|
186 | else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4))
|
---|
187 | {
|
---|
188 | if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA))
|
---|
189 | return 0;
|
---|
190 | }
|
---|
191 | else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
|
---|
192 | {
|
---|
193 | if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA))
|
---|
194 | return 0;
|
---|
195 | }
|
---|
196 | else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
|
---|
197 | {
|
---|
198 | if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA))
|
---|
199 | return 0;
|
---|
200 | }
|
---|
201 | else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
|
---|
202 | {
|
---|
203 | if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA))
|
---|
204 | return 0;
|
---|
205 | }
|
---|
206 | else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
|
---|
207 | {
|
---|
208 | if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA))
|
---|
209 | return 0;
|
---|
210 | }
|
---|
211 | else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224))
|
---|
212 | {
|
---|
213 | if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA))
|
---|
214 | return 0;
|
---|
215 | }
|
---|
216 | else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256))
|
---|
217 | {
|
---|
218 | if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA))
|
---|
219 | return 0;
|
---|
220 | }
|
---|
221 | else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384))
|
---|
222 | {
|
---|
223 | if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA))
|
---|
224 | return 0;
|
---|
225 | }
|
---|
226 | else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512))
|
---|
227 | {
|
---|
228 | if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA))
|
---|
229 | return 0;
|
---|
230 | }
|
---|
231 | else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
|
---|
232 | {
|
---|
233 | /* ?? */
|
---|
234 | }
|
---|
235 | else
|
---|
236 | return -1;
|
---|
237 | return 1;
|
---|
238 | }
|
---|
239 |
|
---|
240 | RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestAndEncryptedDigest(PCRTCRX509ALGORITHMIDENTIFIER pDigest,
|
---|
241 | PCRTCRX509ALGORITHMIDENTIFIER pEncryptedDigest)
|
---|
242 | {
|
---|
243 | return RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(pDigest->Algorithm.szObjId,
|
---|
244 | pEncryptedDigest->Algorithm.szObjId);
|
---|
245 | }
|
---|
246 |
|
---|
247 |
|
---|
248 | RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(const char *pszEncryptionOid,
|
---|
249 | const char *pszDigestOid)
|
---|
250 | {
|
---|
251 | /* RSA: */
|
---|
252 | if (!strcmp(pszEncryptionOid, RTCRX509ALGORITHMIDENTIFIERID_RSA))
|
---|
253 | {
|
---|
254 | if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5)
|
---|
255 | || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA))
|
---|
256 | return RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA;
|
---|
257 | if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1)
|
---|
258 | || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA))
|
---|
259 | return RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA;
|
---|
260 | if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256)
|
---|
261 | || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA))
|
---|
262 | return RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA;
|
---|
263 | if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512)
|
---|
264 | || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA))
|
---|
265 | return RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA;
|
---|
266 | if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2)
|
---|
267 | || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA))
|
---|
268 | return RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA;
|
---|
269 | if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4)
|
---|
270 | || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA))
|
---|
271 | return RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA;
|
---|
272 | if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384)
|
---|
273 | || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA))
|
---|
274 | return RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA;
|
---|
275 | if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224)
|
---|
276 | || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA))
|
---|
277 | return RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA;
|
---|
278 | if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224)
|
---|
279 | || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA))
|
---|
280 | return RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA;
|
---|
281 | if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256)
|
---|
282 | || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA))
|
---|
283 | return RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA;
|
---|
284 | if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224)
|
---|
285 | || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA))
|
---|
286 | return RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA;
|
---|
287 | if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256)
|
---|
288 | || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA))
|
---|
289 | return RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA;
|
---|
290 | if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384)
|
---|
291 | || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA))
|
---|
292 | return RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA;
|
---|
293 | if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512)
|
---|
294 | || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA))
|
---|
295 | return RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA;
|
---|
296 |
|
---|
297 | /* if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
|
---|
298 | return ???; */
|
---|
299 | }
|
---|
300 | else if (RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(pszDigestOid, pszEncryptionOid) == 0)
|
---|
301 | return pszEncryptionOid;
|
---|
302 |
|
---|
303 | AssertMsgFailed(("enc=%s hash=%s\n", pszEncryptionOid, pszDigestOid));
|
---|
304 | return NULL;
|
---|
305 | }
|
---|
306 |
|
---|
307 |
|
---|
308 | RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionAndDigest(PCRTCRX509ALGORITHMIDENTIFIER pEncryption,
|
---|
309 | PCRTCRX509ALGORITHMIDENTIFIER pDigest)
|
---|
310 | {
|
---|
311 | return RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(pEncryption->Algorithm.szObjId,
|
---|
312 | pDigest->Algorithm.szObjId);
|
---|
313 | }
|
---|
314 |
|
---|
315 |
|
---|
316 | /*
|
---|
317 | * Set of X.509 Algorithm Identifiers.
|
---|
318 | */
|
---|
319 |
|
---|
320 |
|
---|
321 | /*
|
---|
322 | * One X.509 AttributeTypeAndValue.
|
---|
323 | */
|
---|
324 |
|
---|
325 |
|
---|
326 | /*
|
---|
327 | * Set of X.509 AttributeTypeAndValues / X.509 RelativeDistinguishedName.
|
---|
328 | */
|
---|
329 |
|
---|
330 | /**
|
---|
331 | * Slow code path of rtCrX509CanNameIsNothing.
|
---|
332 | *
|
---|
333 | * @returns true if @uc maps to nothing, false if not.
|
---|
334 | * @param uc The unicode code point.
|
---|
335 | */
|
---|
336 | static bool rtCrX509CanNameIsNothingSlow(RTUNICP uc)
|
---|
337 | {
|
---|
338 | switch (uc)
|
---|
339 | {
|
---|
340 | /* 2.2 Map - Paragraph 1: */
|
---|
341 | case 0x00ad:
|
---|
342 | case 0x1806:
|
---|
343 | case 0x034f:
|
---|
344 | case 0x180b: case 0x180c: case 0x180d:
|
---|
345 |
|
---|
346 | case 0xfe00: case 0xfe01: case 0xfe02: case 0xfe03:
|
---|
347 | case 0xfe04: case 0xfe05: case 0xfe06: case 0xfe07:
|
---|
348 | case 0xfe08: case 0xfe09: case 0xfe0a: case 0xfe0b:
|
---|
349 | case 0xfe0c: case 0xfe0d: case 0xfe0e: case 0xfe0f:
|
---|
350 |
|
---|
351 | case 0xfffc:
|
---|
352 |
|
---|
353 | /* 2.2 Map - Paragraph 3 (control code/function): */
|
---|
354 | case 0x0000: case 0x0001: case 0x0002: case 0x0003:
|
---|
355 | case 0x0004: case 0x0005: case 0x0006: case 0x0007:
|
---|
356 | case 0x0008:
|
---|
357 |
|
---|
358 | case 0x000e: case 0x000f:
|
---|
359 | case 0x0010: case 0x0011: case 0x0012: case 0x0013:
|
---|
360 | case 0x0014: case 0x0015: case 0x0016: case 0x0017:
|
---|
361 | case 0x0018: case 0x0019: case 0x001a: case 0x001b:
|
---|
362 | case 0x001c: case 0x001d: case 0x001e: case 0x001f:
|
---|
363 |
|
---|
364 | case 0x007f:
|
---|
365 | case 0x0080: case 0x0081: case 0x0082: case 0x0083:
|
---|
366 | case 0x0084: /*case 0x0085:*/ case 0x0086: case 0x0087:
|
---|
367 | case 0x0088: case 0x0089: case 0x008a: case 0x008b:
|
---|
368 | case 0x008c: case 0x008d: case 0x008e: case 0x008f:
|
---|
369 | case 0x0090: case 0x0091: case 0x0092: case 0x0093:
|
---|
370 | case 0x0094: case 0x0095: case 0x0096: case 0x0097:
|
---|
371 | case 0x0098: case 0x0099: case 0x009a: case 0x009b:
|
---|
372 | case 0x009c: case 0x009d: case 0x009e: case 0x009f:
|
---|
373 |
|
---|
374 | case 0x06dd:
|
---|
375 | case 0x070f:
|
---|
376 | case 0x180e:
|
---|
377 | case 0x200c: case 0x200d: case 0x200e: case 0x200f:
|
---|
378 | case 0x202a: case 0x202b: case 0x202c: case 0x202d: case 0x202e:
|
---|
379 | case 0x2060: case 0x2061: case 0x2062: case 0x2063:
|
---|
380 | case 0x206a: case 0x206b: case 0x206c: case 0x206d: case 0x206e: case 0x206f:
|
---|
381 | case 0xfeff:
|
---|
382 | case 0xfff9: case 0xfffa: case 0xfffb:
|
---|
383 | case 0x1d173: case 0x1d174: case 0x1d175: case 0x1d176: case 0x1d177: case 0x1d178: case 0x1d179: case 0x1d17a:
|
---|
384 | case 0xe0001:
|
---|
385 | case 0xe0020: case 0xe0021: case 0xe0022: case 0xe0023:
|
---|
386 | case 0xe0024: case 0xe0025: case 0xe0026: case 0xe0027:
|
---|
387 | case 0xe0028: case 0xe0029: case 0xe002a: case 0xe002b:
|
---|
388 | case 0xe002c: case 0xe002d: case 0xe002e: case 0xe002f:
|
---|
389 | case 0xe0030: case 0xe0031: case 0xe0032: case 0xe0033:
|
---|
390 | case 0xe0034: case 0xe0035: case 0xe0036: case 0xe0037:
|
---|
391 | case 0xe0038: case 0xe0039: case 0xe003a: case 0xe003b:
|
---|
392 | case 0xe003c: case 0xe003d: case 0xe003e: case 0xe003f:
|
---|
393 | case 0xe0040: case 0xe0041: case 0xe0042: case 0xe0043:
|
---|
394 | case 0xe0044: case 0xe0045: case 0xe0046: case 0xe0047:
|
---|
395 | case 0xe0048: case 0xe0049: case 0xe004a: case 0xe004b:
|
---|
396 | case 0xe004c: case 0xe004d: case 0xe004e: case 0xe004f:
|
---|
397 | case 0xe0050: case 0xe0051: case 0xe0052: case 0xe0053:
|
---|
398 | case 0xe0054: case 0xe0055: case 0xe0056: case 0xe0057:
|
---|
399 | case 0xe0058: case 0xe0059: case 0xe005a: case 0xe005b:
|
---|
400 | case 0xe005c: case 0xe005d: case 0xe005e: case 0xe005f:
|
---|
401 | case 0xe0060: case 0xe0061: case 0xe0062: case 0xe0063:
|
---|
402 | case 0xe0064: case 0xe0065: case 0xe0066: case 0xe0067:
|
---|
403 | case 0xe0068: case 0xe0069: case 0xe006a: case 0xe006b:
|
---|
404 | case 0xe006c: case 0xe006d: case 0xe006e: case 0xe006f:
|
---|
405 | case 0xe0070: case 0xe0071: case 0xe0072: case 0xe0073:
|
---|
406 | case 0xe0074: case 0xe0075: case 0xe0076: case 0xe0077:
|
---|
407 | case 0xe0078: case 0xe0079: case 0xe007a: case 0xe007b:
|
---|
408 | case 0xe007c: case 0xe007d: case 0xe007e: case 0xe007f:
|
---|
409 |
|
---|
410 | /* 2.2 Map - Paragraph 4. */
|
---|
411 | case 0x200b:
|
---|
412 | return true;
|
---|
413 | }
|
---|
414 | return false;
|
---|
415 | }
|
---|
416 |
|
---|
417 |
|
---|
418 | /**
|
---|
419 | * Checks if @a uc maps to nothing according to mapping rules of RFC-5280 and
|
---|
420 | * RFC-4518.
|
---|
421 | *
|
---|
422 | * @returns true if @uc maps to nothing, false if not.
|
---|
423 | * @param uc The unicode code point.
|
---|
424 | */
|
---|
425 | DECLINLINE(bool) rtCrX509CanNameIsNothing(RTUNICP uc)
|
---|
426 | {
|
---|
427 | if (uc > 0x001f && uc < 0x00ad)
|
---|
428 | return false;
|
---|
429 | return rtCrX509CanNameIsNothingSlow(uc);
|
---|
430 | }
|
---|
431 |
|
---|
432 |
|
---|
433 | /**
|
---|
434 | * Slow code path of rtCrX509CanNameIsSpace.
|
---|
435 | *
|
---|
436 | * @returns true if space, false if not.
|
---|
437 | * @param uc The unicode code point.
|
---|
438 | */
|
---|
439 | static bool rtCrX509CanNameIsSpaceSlow(RTUNICP uc)
|
---|
440 | {
|
---|
441 | switch (uc)
|
---|
442 | {
|
---|
443 | /* 2.2 Map - Paragraph 2. */
|
---|
444 | case 0x09:
|
---|
445 | case 0x0a:
|
---|
446 | case 0x0b:
|
---|
447 | case 0x0c:
|
---|
448 | case 0x0d:
|
---|
449 | case 0x20:
|
---|
450 | case 0x0085:
|
---|
451 | case 0x00a0:
|
---|
452 | case 0x1680:
|
---|
453 | case 0x2000: case 0x2001: case 0x2002: case 0x2003:
|
---|
454 | case 0x2004: case 0x2005: case 0x2006: case 0x2007:
|
---|
455 | case 0x2008: case 0x2009: case 0x200a:
|
---|
456 | case 0x2028: case 0x2029:
|
---|
457 | case 0x202f:
|
---|
458 | case 0x205f:
|
---|
459 | case 0x3000:
|
---|
460 | return true;
|
---|
461 | }
|
---|
462 | return false;
|
---|
463 | }
|
---|
464 |
|
---|
465 |
|
---|
466 | /**
|
---|
467 | * Checks if @a uc is a space character according to the mapping rules of
|
---|
468 | * RFC-5280 and RFC-4518.
|
---|
469 | *
|
---|
470 | * @returns true if space, false if not.
|
---|
471 | * @param uc The unicode code point.
|
---|
472 | */
|
---|
473 | DECLINLINE(bool) rtCrX509CanNameIsSpace(RTUNICP uc)
|
---|
474 | {
|
---|
475 | if (uc < 0x0085)
|
---|
476 | {
|
---|
477 | if (uc > 0x0020)
|
---|
478 | return false;
|
---|
479 | if (uc == 0x0020) /* space */
|
---|
480 | return true;
|
---|
481 | }
|
---|
482 | return rtCrX509CanNameIsSpaceSlow(uc);
|
---|
483 | }
|
---|
484 |
|
---|
485 |
|
---|
486 | static const char *rtCrX509CanNameStripLeft(const char *psz, size_t *pcch)
|
---|
487 | {
|
---|
488 | /*
|
---|
489 | * Return space when we've encountered the first non-space-non-nothing code point.
|
---|
490 | */
|
---|
491 | const char * const pszStart = psz;
|
---|
492 | const char *pszPrev;
|
---|
493 | for (;;)
|
---|
494 | {
|
---|
495 | pszPrev = psz;
|
---|
496 | RTUNICP uc;
|
---|
497 | int rc = RTStrGetCpEx(&psz, &uc);
|
---|
498 | AssertRCBreak(rc);
|
---|
499 | if (!uc)
|
---|
500 | {
|
---|
501 | if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
|
---|
502 | break;
|
---|
503 | /* NUL inside the string, maps to nothing => ignore it. */
|
---|
504 | }
|
---|
505 | else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
|
---|
506 | break;
|
---|
507 | }
|
---|
508 | *pcch -= (size_t)(pszPrev - pszStart);
|
---|
509 | return pszPrev;
|
---|
510 | }
|
---|
511 |
|
---|
512 |
|
---|
513 | static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowSpace(const char **ppsz, size_t *pcch)
|
---|
514 | {
|
---|
515 | /*
|
---|
516 | * Return space when we've encountered the first non-space-non-nothing code point.
|
---|
517 | */
|
---|
518 | RTUNICP uc;
|
---|
519 | const char *psz = *ppsz;
|
---|
520 | const char * const pszStart = psz;
|
---|
521 | const char *pszPrev;
|
---|
522 | for (;;)
|
---|
523 | {
|
---|
524 | pszPrev = psz;
|
---|
525 | int rc = RTStrGetCpEx(&psz, &uc);
|
---|
526 | AssertRCBreakStmt(rc, uc = 0x20);
|
---|
527 | if (!uc)
|
---|
528 | {
|
---|
529 | if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
|
---|
530 | {
|
---|
531 | uc = 0; /* End of string: Ignore trailing spaces. */
|
---|
532 | break;
|
---|
533 | }
|
---|
534 | /* NUL inside the string, maps to nothing => ignore it. */
|
---|
535 | }
|
---|
536 | else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
|
---|
537 | {
|
---|
538 | uc = 0x20; /* Return space before current char. */
|
---|
539 | break;
|
---|
540 | }
|
---|
541 | }
|
---|
542 |
|
---|
543 | *ppsz = pszPrev;
|
---|
544 | *pcch -= (size_t)(pszPrev - pszStart);
|
---|
545 | return uc;
|
---|
546 | }
|
---|
547 |
|
---|
548 |
|
---|
549 | DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpIgnoreNul(const char **ppsz, size_t *pcch)
|
---|
550 | {
|
---|
551 | while (*pcch > 0)
|
---|
552 | {
|
---|
553 | const char *psz = *ppsz;
|
---|
554 | RTUNICP uc = (RTUNICP)*psz;
|
---|
555 | if (uc < 0x80)
|
---|
556 | {
|
---|
557 | *pcch -= 1;
|
---|
558 | *ppsz = psz + 1;
|
---|
559 | }
|
---|
560 | else
|
---|
561 | {
|
---|
562 | int rc = RTStrGetCpEx(ppsz, &uc);
|
---|
563 | AssertRCReturn(rc, uc);
|
---|
564 | size_t cchCp = (size_t)(*ppsz - psz);
|
---|
565 | AssertReturn(cchCp <= *pcch, 0);
|
---|
566 | *pcch -= cchCp;
|
---|
567 | }
|
---|
568 | if (uc != 0)
|
---|
569 | return uc;
|
---|
570 | }
|
---|
571 | return 0;
|
---|
572 | }
|
---|
573 |
|
---|
574 |
|
---|
575 | static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowNothing(const char **ppsz, size_t *pcch)
|
---|
576 | {
|
---|
577 | /*
|
---|
578 | * Return first code point which doesn't map to nothing. If we encounter
|
---|
579 | * a space, we defer to the mapping-after-space routine above.
|
---|
580 | */
|
---|
581 | for (;;)
|
---|
582 | {
|
---|
583 | RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
|
---|
584 | if (rtCrX509CanNameIsSpace(uc))
|
---|
585 | return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
|
---|
586 | if (!rtCrX509CanNameIsNothing(uc) || uc == 0)
|
---|
587 | return uc;
|
---|
588 | }
|
---|
589 | }
|
---|
590 |
|
---|
591 |
|
---|
592 | DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpWithMapping(const char **ppsz, size_t *pcch)
|
---|
593 | {
|
---|
594 | RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
|
---|
595 | if (uc)
|
---|
596 | {
|
---|
597 | if (!rtCrX509CanNameIsSpace(uc))
|
---|
598 | {
|
---|
599 | if (!rtCrX509CanNameIsNothing(uc))
|
---|
600 | return uc;
|
---|
601 | return rtCrX509CanNameGetNextCpWithMappingSlowNothing(ppsz, pcch);
|
---|
602 | }
|
---|
603 | return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
|
---|
604 | }
|
---|
605 | return uc;
|
---|
606 | }
|
---|
607 |
|
---|
608 |
|
---|
609 | RTDECL(bool) RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(PCRTCRX509ATTRIBUTETYPEANDVALUE pLeft,
|
---|
610 | PCRTCRX509ATTRIBUTETYPEANDVALUE pRight)
|
---|
611 | {
|
---|
612 | if (RTAsn1ObjId_Compare(&pLeft->Type, &pRight->Type) == 0)
|
---|
613 | {
|
---|
614 | /*
|
---|
615 | * Try for perfect match in case we get luck.
|
---|
616 | */
|
---|
617 | #ifdef DEBUG_bird /* Want to test the complicated code path first */
|
---|
618 | if (pLeft->Value.enmType != RTASN1TYPE_STRING || pRight->Value.enmType != RTASN1TYPE_STRING)
|
---|
619 | #endif
|
---|
620 | if (RTAsn1DynType_Compare(&pLeft->Value, &pRight->Value) == 0)
|
---|
621 | return true;
|
---|
622 |
|
---|
623 | /*
|
---|
624 | * If both are string types, we can compare them according to RFC-5280.
|
---|
625 | */
|
---|
626 | if ( pLeft->Value.enmType == RTASN1TYPE_STRING
|
---|
627 | && pRight->Value.enmType == RTASN1TYPE_STRING)
|
---|
628 | {
|
---|
629 | size_t cchLeft;
|
---|
630 | const char *pszLeft;
|
---|
631 | int rc = RTAsn1String_QueryUtf8(&pLeft->Value.u.String, &pszLeft, &cchLeft);
|
---|
632 | if (RT_SUCCESS(rc))
|
---|
633 | {
|
---|
634 | size_t cchRight;
|
---|
635 | const char *pszRight;
|
---|
636 | rc = RTAsn1String_QueryUtf8(&pRight->Value.u.String, &pszRight, &cchRight);
|
---|
637 | if (RT_SUCCESS(rc))
|
---|
638 | {
|
---|
639 | /*
|
---|
640 | * Perform a simplified RFC-5280 comparsion.
|
---|
641 | * The algorithm as be relaxed on the following counts:
|
---|
642 | * 1. No unicode normalization.
|
---|
643 | * 2. Prohibited characters not checked for.
|
---|
644 | * 3. Bidirectional characters are not ignored.
|
---|
645 | */
|
---|
646 | pszLeft = rtCrX509CanNameStripLeft(pszLeft, &cchLeft);
|
---|
647 | pszRight = rtCrX509CanNameStripLeft(pszRight, &cchRight);
|
---|
648 | while (*pszLeft && *pszRight)
|
---|
649 | {
|
---|
650 | RTUNICP ucLeft = rtCrX509CanNameGetNextCpWithMapping(&pszLeft, &cchLeft);
|
---|
651 | RTUNICP ucRight = rtCrX509CanNameGetNextCpWithMapping(&pszRight, &cchRight);
|
---|
652 | if (ucLeft != ucRight)
|
---|
653 | {
|
---|
654 | ucLeft = RTUniCpToLower(ucLeft);
|
---|
655 | ucRight = RTUniCpToLower(ucRight);
|
---|
656 | if (ucLeft != ucRight)
|
---|
657 | return false;
|
---|
658 | }
|
---|
659 | }
|
---|
660 |
|
---|
661 | return cchRight == 0 && cchLeft == 0;
|
---|
662 | }
|
---|
663 | }
|
---|
664 | }
|
---|
665 | }
|
---|
666 | return false;
|
---|
667 | }
|
---|
668 |
|
---|
669 |
|
---|
670 | RTDECL(bool) RTCrX509RelativeDistinguishedName_MatchByRfc5280(PCRTCRX509RELATIVEDISTINGUISHEDNAME pLeft,
|
---|
671 | PCRTCRX509RELATIVEDISTINGUISHEDNAME pRight)
|
---|
672 | {
|
---|
673 | /*
|
---|
674 | * No match if the attribute count differs.
|
---|
675 | */
|
---|
676 | uint32_t const cItems = pLeft->cItems;
|
---|
677 | if (cItems == pRight->cItems)
|
---|
678 | {
|
---|
679 | /*
|
---|
680 | * Compare each attribute, but don't insist on the same order nor
|
---|
681 | * bother checking for duplicates (too complicated).
|
---|
682 | */
|
---|
683 | for (uint32_t iLeft = 0; iLeft < cItems; iLeft++)
|
---|
684 | {
|
---|
685 | PCRTCRX509ATTRIBUTETYPEANDVALUE pLeftAttr = pLeft->papItems[iLeft];
|
---|
686 | bool fFound = false;
|
---|
687 | for (uint32_t iRight = 0; iRight < cItems; iRight++)
|
---|
688 | if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pLeftAttr, pRight->papItems[iRight]))
|
---|
689 | {
|
---|
690 | fFound = true;
|
---|
691 | break;
|
---|
692 | }
|
---|
693 | if (!fFound)
|
---|
694 | return false;
|
---|
695 | }
|
---|
696 | return true;
|
---|
697 | }
|
---|
698 | return false;
|
---|
699 |
|
---|
700 | }
|
---|
701 |
|
---|
702 |
|
---|
703 | /*
|
---|
704 | * X.509 Name.
|
---|
705 | */
|
---|
706 |
|
---|
707 | RTDECL(bool) RTCrX509Name_MatchByRfc5280(PCRTCRX509NAME pLeft, PCRTCRX509NAME pRight)
|
---|
708 | {
|
---|
709 | uint32_t const cItems = pLeft->cItems;
|
---|
710 | if (cItems == pRight->cItems)
|
---|
711 | {
|
---|
712 | /* Require exact order. */
|
---|
713 | for (uint32_t iRdn = 0; iRdn < cItems; iRdn++)
|
---|
714 | if (!RTCrX509RelativeDistinguishedName_MatchByRfc5280(pLeft->papItems[iRdn], pRight->papItems[iRdn]))
|
---|
715 | return false;
|
---|
716 | return true;
|
---|
717 | }
|
---|
718 | return false;
|
---|
719 | }
|
---|
720 |
|
---|
721 |
|
---|
722 | RTDECL(bool) RTCrX509Name_ConstraintMatch(PCRTCRX509NAME pConstraint, PCRTCRX509NAME pName)
|
---|
723 | {
|
---|
724 | /*
|
---|
725 | * Check that the constraint is a prefix of the name. This means that
|
---|
726 | * the name must have at least as many components and the constraint.
|
---|
727 | */
|
---|
728 | if (pName->cItems >= pConstraint->cItems)
|
---|
729 | {
|
---|
730 | /*
|
---|
731 | * Parallel crawl of the two RDNs arrays.
|
---|
732 | */
|
---|
733 | for (uint32_t i = 0; pConstraint->cItems; i++)
|
---|
734 | {
|
---|
735 | PCRTCRX509RELATIVEDISTINGUISHEDNAME pConstrRdns = pConstraint->papItems[i];
|
---|
736 | PCRTCRX509RELATIVEDISTINGUISHEDNAME pNameRdns = pName->papItems[i];
|
---|
737 |
|
---|
738 | /*
|
---|
739 | * Walk the constraint attribute & value array.
|
---|
740 | */
|
---|
741 | for (uint32_t iConstrAttrib = 0; iConstrAttrib < pConstrRdns->cItems; iConstrAttrib++)
|
---|
742 | {
|
---|
743 | PCRTCRX509ATTRIBUTETYPEANDVALUE pConstrAttrib = pConstrRdns->papItems[iConstrAttrib];
|
---|
744 |
|
---|
745 | /*
|
---|
746 | * Find matching attribute & value in the name.
|
---|
747 | */
|
---|
748 | bool fFound = false;
|
---|
749 | for (uint32_t iNameAttrib = 0; iNameAttrib < pNameRdns->cItems; iNameAttrib++)
|
---|
750 | if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pConstrAttrib, pNameRdns->papItems[iNameAttrib]))
|
---|
751 | {
|
---|
752 | fFound = true;
|
---|
753 | break;
|
---|
754 | }
|
---|
755 | if (fFound)
|
---|
756 | return false;
|
---|
757 | }
|
---|
758 | }
|
---|
759 | return true;
|
---|
760 | }
|
---|
761 | return false;
|
---|
762 | }
|
---|
763 |
|
---|
764 |
|
---|
765 | /**
|
---|
766 | * Mapping between X.500 object IDs and short and long names.
|
---|
767 | *
|
---|
768 | * See RFC-1327, RFC-4519 ...
|
---|
769 | */
|
---|
770 | static struct
|
---|
771 | {
|
---|
772 | const char *pszOid;
|
---|
773 | const char *pszShortNm;
|
---|
774 | size_t cchShortNm;
|
---|
775 | const char *pszLongNm;
|
---|
776 | } const g_aRdnMap[] =
|
---|
777 | {
|
---|
778 | { "0.9.2342.19200300.100.1.1", RT_STR_TUPLE("uid"), "userid" },
|
---|
779 | { "0.9.2342.19200300.100.1.3", RT_STR_TUPLE("Mail"), "Rfc822Mailbox" },
|
---|
780 | { "0.9.2342.19200300.100.1.25", RT_STR_TUPLE("DC"), "DomainComponent" },
|
---|
781 | { "1.2.840.113549.1.9.1", RT_STR_TUPLE("Email") /*nonstandard*/,"EmailAddress" },
|
---|
782 | { "2.5.4.3", RT_STR_TUPLE("CN"), "CommonName" },
|
---|
783 | { "2.5.4.4", RT_STR_TUPLE("SN"), "Surname" },
|
---|
784 | { "2.5.4.5", RT_STR_TUPLE("SRN") /*nonstandard*/, "SerialNumber" },
|
---|
785 | { "2.5.4.6", RT_STR_TUPLE("C"), "CountryName" },
|
---|
786 | { "2.5.4.7", RT_STR_TUPLE("L"), "LocalityName" },
|
---|
787 | { "2.5.4.8", RT_STR_TUPLE("ST"), "StateOrProviceName" },
|
---|
788 | { "2.5.4.9", RT_STR_TUPLE("street"), "Street" },
|
---|
789 | { "2.5.4.10", RT_STR_TUPLE("O"), "OrganizationName" },
|
---|
790 | { "2.5.4.11", RT_STR_TUPLE("OU"), "OrganizationalUnitName" },
|
---|
791 | { "2.5.4.12", RT_STR_TUPLE("title"), "Title" },
|
---|
792 | { "2.5.4.13", RT_STR_TUPLE("desc"), "Description" },
|
---|
793 | { "2.5.4.15", RT_STR_TUPLE("BC") /*nonstandard*/, "BusinessCategory" },
|
---|
794 | { "2.5.4.17", RT_STR_TUPLE("ZIP") /*nonstandard*/, "PostalCode" },
|
---|
795 | { "2.5.4.18", RT_STR_TUPLE("POBox") /*nonstandard*/,"PostOfficeBox" },
|
---|
796 | { "2.5.4.20", RT_STR_TUPLE("PN") /*nonstandard*/, "TelephoneNumber" },
|
---|
797 | { "2.5.4.33", RT_STR_TUPLE("RO") /*nonstandard*/, "RoleOccupant" },
|
---|
798 | { "2.5.4.34", RT_STR_TUPLE("SA") /*nonstandard*/, "StreetAddress" },
|
---|
799 | { "2.5.4.41", RT_STR_TUPLE("N") /*nonstandard*/, "Name" },
|
---|
800 | { "2.5.4.42", RT_STR_TUPLE("GN"), "GivenName" },
|
---|
801 | { "2.5.4.43", RT_STR_TUPLE("I") /*nonstandard*/, "Initials" },
|
---|
802 | { "2.5.4.44", RT_STR_TUPLE("GQ") /*nonstandard*/, "GenerationQualifier" },
|
---|
803 | { "2.5.4.46", RT_STR_TUPLE("DNQ") /*nonstandard*/, "DNQualifier" },
|
---|
804 | { "2.5.4.51", RT_STR_TUPLE("HID") /*nonstandard*/, "HouseIdentifier" },
|
---|
805 | };
|
---|
806 |
|
---|
807 |
|
---|
808 | RTDECL(const char *) RTCrX509Name_GetShortRdn(PCRTASN1OBJID pRdnId)
|
---|
809 | {
|
---|
810 | uint32_t iName = RT_ELEMENTS(g_aRdnMap);
|
---|
811 | while (iName-- > 0)
|
---|
812 | if (RTAsn1ObjId_CompareWithString(pRdnId, g_aRdnMap[iName].pszOid) == 0)
|
---|
813 | return g_aRdnMap[iName].pszShortNm;
|
---|
814 | return NULL;
|
---|
815 | }
|
---|
816 |
|
---|
817 |
|
---|
818 | RTDECL(bool) RTCrX509Name_MatchWithString(PCRTCRX509NAME pThis, const char *pszString)
|
---|
819 | {
|
---|
820 | /* Keep track of the string length. */
|
---|
821 | size_t cchString = strlen(pszString);
|
---|
822 |
|
---|
823 | /*
|
---|
824 | * The usual double loop for walking the components.
|
---|
825 | */
|
---|
826 | for (uint32_t i = 0; i < pThis->cItems; i++)
|
---|
827 | {
|
---|
828 | PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = pThis->papItems[i];
|
---|
829 | for (uint32_t j = 0; j < pRdn->cItems; j++)
|
---|
830 | {
|
---|
831 | PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = pRdn->papItems[j];
|
---|
832 |
|
---|
833 | /*
|
---|
834 | * Must be a string.
|
---|
835 | */
|
---|
836 | if (pComponent->Value.enmType != RTASN1TYPE_STRING)
|
---|
837 | return false;
|
---|
838 |
|
---|
839 | /*
|
---|
840 | * Look up the component name prefix and check whether it's also in the string.
|
---|
841 | */
|
---|
842 | uint32_t iName = RT_ELEMENTS(g_aRdnMap);
|
---|
843 | while (iName-- > 0)
|
---|
844 | if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
|
---|
845 | break;
|
---|
846 | AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId), false);
|
---|
847 |
|
---|
848 | if ( strncmp(pszString, g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm) != 0
|
---|
849 | || pszString[g_aRdnMap[iName].cchShortNm] != '=')
|
---|
850 | return false;
|
---|
851 |
|
---|
852 | pszString += g_aRdnMap[iName].cchShortNm + 1;
|
---|
853 | cchString -= g_aRdnMap[iName].cchShortNm + 1;
|
---|
854 |
|
---|
855 | /*
|
---|
856 | * Compare the component string.
|
---|
857 | */
|
---|
858 | size_t cchComponent;
|
---|
859 | int rc = RTAsn1String_QueryUtf8Len(&pComponent->Value.u.String, &cchComponent);
|
---|
860 | AssertRCReturn(rc, false);
|
---|
861 |
|
---|
862 | if (cchComponent > cchString)
|
---|
863 | return false;
|
---|
864 | if (RTAsn1String_CompareWithString(&pComponent->Value.u.String, pszString, cchComponent) != 0)
|
---|
865 | return false;
|
---|
866 |
|
---|
867 | cchString -= cchComponent;
|
---|
868 | pszString += cchComponent;
|
---|
869 |
|
---|
870 | /*
|
---|
871 | * Check separator comma + space and skip extra spaces before the next component.
|
---|
872 | */
|
---|
873 | if (cchString)
|
---|
874 | {
|
---|
875 | if (pszString[0] != ',')
|
---|
876 | return false;
|
---|
877 | if (pszString[1] != ' ' && pszString[1] != '\t')
|
---|
878 | return false;
|
---|
879 | pszString += 2;
|
---|
880 | cchString -= 2;
|
---|
881 |
|
---|
882 | while (*pszString == ' ' || *pszString == '\t')
|
---|
883 | {
|
---|
884 | pszString++;
|
---|
885 | cchString--;
|
---|
886 | }
|
---|
887 | }
|
---|
888 | }
|
---|
889 | }
|
---|
890 |
|
---|
891 | /*
|
---|
892 | * If we got thru the whole name and the whole string, we're good.
|
---|
893 | */
|
---|
894 | return *pszString == '\0';
|
---|
895 | }
|
---|
896 |
|
---|
897 |
|
---|
898 | RTDECL(int) RTCrX509Name_FormatAsString(PCRTCRX509NAME pThis, char *pszBuf, size_t cbBuf, size_t *pcbActual)
|
---|
899 | {
|
---|
900 | /*
|
---|
901 | * The usual double loop for walking the components.
|
---|
902 | */
|
---|
903 | size_t off = 0;
|
---|
904 | int rc = VINF_SUCCESS;
|
---|
905 | for (uint32_t i = 0; i < pThis->cItems; i++)
|
---|
906 | {
|
---|
907 | PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = pThis->papItems[i];
|
---|
908 | for (uint32_t j = 0; j < pRdn->cItems; j++)
|
---|
909 | {
|
---|
910 | PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = pRdn->papItems[j];
|
---|
911 |
|
---|
912 | /*
|
---|
913 | * Must be a string.
|
---|
914 | */
|
---|
915 | if (pComponent->Value.enmType != RTASN1TYPE_STRING)
|
---|
916 | return VERR_CR_X509_NAME_NOT_STRING;
|
---|
917 |
|
---|
918 | /*
|
---|
919 | * Look up the component name prefix.
|
---|
920 | */
|
---|
921 | uint32_t iName = RT_ELEMENTS(g_aRdnMap);
|
---|
922 | while (iName-- > 0)
|
---|
923 | if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
|
---|
924 | break;
|
---|
925 | AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId),
|
---|
926 | VERR_CR_X509_NAME_MISSING_RDN_MAP_ENTRY);
|
---|
927 |
|
---|
928 | /*
|
---|
929 | * Append the prefix.
|
---|
930 | */
|
---|
931 | if (off)
|
---|
932 | {
|
---|
933 | if (off + 2 < cbBuf)
|
---|
934 | {
|
---|
935 | pszBuf[off] = ',';
|
---|
936 | pszBuf[off + 1] = ' ';
|
---|
937 | }
|
---|
938 | else
|
---|
939 | rc = VERR_BUFFER_OVERFLOW;
|
---|
940 | off += 2;
|
---|
941 | }
|
---|
942 |
|
---|
943 | if (off + g_aRdnMap[iName].cchShortNm + 1 < cbBuf)
|
---|
944 | {
|
---|
945 | memcpy(&pszBuf[off], g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm);
|
---|
946 | pszBuf[off + g_aRdnMap[iName].cchShortNm] = '=';
|
---|
947 | }
|
---|
948 | else
|
---|
949 | rc = VERR_BUFFER_OVERFLOW;
|
---|
950 | off += g_aRdnMap[iName].cchShortNm + 1;
|
---|
951 |
|
---|
952 | /*
|
---|
953 | * Add the component string.
|
---|
954 | */
|
---|
955 | const char *pszUtf8;
|
---|
956 | size_t cchUtf8;
|
---|
957 | int rc2 = RTAsn1String_QueryUtf8(&pComponent->Value.u.String, &pszUtf8, &cchUtf8);
|
---|
958 | AssertRCReturn(rc2, rc2);
|
---|
959 | if (off + cchUtf8 < cbBuf)
|
---|
960 | memcpy(&pszBuf[off], pszUtf8, cchUtf8);
|
---|
961 | else
|
---|
962 | rc = VERR_BUFFER_OVERFLOW;
|
---|
963 | off += cchUtf8;
|
---|
964 | }
|
---|
965 | }
|
---|
966 |
|
---|
967 | if (pcbActual)
|
---|
968 | *pcbActual = off + 1;
|
---|
969 | if (off < cbBuf)
|
---|
970 | pszBuf[off] = '\0';
|
---|
971 | return rc;
|
---|
972 | }
|
---|
973 |
|
---|
974 |
|
---|
975 |
|
---|
976 | /*
|
---|
977 | * One X.509 GeneralName.
|
---|
978 | */
|
---|
979 |
|
---|
980 | /**
|
---|
981 | * Name constraint matching (RFC-5280): DNS Name.
|
---|
982 | *
|
---|
983 | * @returns true on match, false on mismatch.
|
---|
984 | * @param pConstraint The constraint name.
|
---|
985 | * @param pName The name to match against the constraint.
|
---|
986 | */
|
---|
987 | static bool rtCrX509GeneralName_ConstraintMatchDnsName(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
|
---|
988 | {
|
---|
989 | /*
|
---|
990 | * Empty constraint string is taken to match everything.
|
---|
991 | */
|
---|
992 | if (pConstraint->u.pT2_DnsName->Asn1Core.cb == 0)
|
---|
993 | return true;
|
---|
994 |
|
---|
995 | /*
|
---|
996 | * Get the UTF-8 strings for the two.
|
---|
997 | */
|
---|
998 | size_t cchConstraint;
|
---|
999 | char const *pszConstraint;
|
---|
1000 | int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT2_DnsName, &pszConstraint, &cchConstraint);
|
---|
1001 | if (RT_SUCCESS(rc))
|
---|
1002 | {
|
---|
1003 | size_t cchFull;
|
---|
1004 | char const *pszFull;
|
---|
1005 | rc = RTAsn1String_QueryUtf8(pName->u.pT2_DnsName, &pszFull, &cchFull);
|
---|
1006 | if (RT_SUCCESS(rc))
|
---|
1007 | {
|
---|
1008 | /*
|
---|
1009 | * No match if the constraint is longer.
|
---|
1010 | */
|
---|
1011 | if (cchConstraint > cchFull)
|
---|
1012 | return false;
|
---|
1013 |
|
---|
1014 | /*
|
---|
1015 | * No match if the constraint and name tail doesn't match
|
---|
1016 | * in a case-insensitive compare.
|
---|
1017 | */
|
---|
1018 | size_t offFull = cchFull - cchConstraint;
|
---|
1019 | if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
|
---|
1020 | return false;
|
---|
1021 | if (!offFull)
|
---|
1022 | return true;
|
---|
1023 |
|
---|
1024 | /*
|
---|
1025 | * The matching constraint must be delimited by a dot in the full
|
---|
1026 | * name. There seems to be some discussion whether ".oracle.com"
|
---|
1027 | * should match "www..oracle.com". This implementation does choose
|
---|
1028 | * to not succeed in that case.
|
---|
1029 | */
|
---|
1030 | if ((pszFull[offFull - 1] == '.') ^ (pszFull[offFull] == '.'))
|
---|
1031 | return true;
|
---|
1032 |
|
---|
1033 | return false;
|
---|
1034 | }
|
---|
1035 | }
|
---|
1036 |
|
---|
1037 | /* fall back. */
|
---|
1038 | return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
|
---|
1039 | }
|
---|
1040 |
|
---|
1041 |
|
---|
1042 | /**
|
---|
1043 | * Name constraint matching (RFC-5280): RFC-822 (email).
|
---|
1044 | *
|
---|
1045 | * @returns true on match, false on mismatch.
|
---|
1046 | * @param pConstraint The constraint name.
|
---|
1047 | * @param pName The name to match against the constraint.
|
---|
1048 | */
|
---|
1049 | static bool rtCrX509GeneralName_ConstraintMatchRfc822Name(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
|
---|
1050 | {
|
---|
1051 | /*
|
---|
1052 | * Empty constraint string is taken to match everything.
|
---|
1053 | */
|
---|
1054 | if (pConstraint->u.pT1_Rfc822->Asn1Core.cb == 0)
|
---|
1055 | return true;
|
---|
1056 |
|
---|
1057 | /*
|
---|
1058 | * Get the UTF-8 strings for the two.
|
---|
1059 | */
|
---|
1060 | size_t cchConstraint;
|
---|
1061 | char const *pszConstraint;
|
---|
1062 | int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT1_Rfc822, &pszConstraint, &cchConstraint);
|
---|
1063 | if (RT_SUCCESS(rc))
|
---|
1064 | {
|
---|
1065 | size_t cchFull;
|
---|
1066 | char const *pszFull;
|
---|
1067 | rc = RTAsn1String_QueryUtf8(pName->u.pT1_Rfc822, &pszFull, &cchFull);
|
---|
1068 | if (RT_SUCCESS(rc))
|
---|
1069 | {
|
---|
1070 | /*
|
---|
1071 | * No match if the constraint is longer.
|
---|
1072 | */
|
---|
1073 | if (cchConstraint > cchFull)
|
---|
1074 | return false;
|
---|
1075 |
|
---|
1076 | /*
|
---|
1077 | * A lone dot matches everything.
|
---|
1078 | */
|
---|
1079 | if (cchConstraint == 1 && *pszConstraint == '.')
|
---|
1080 | return true;
|
---|
1081 |
|
---|
1082 | /*
|
---|
1083 | * If there is a '@' in the constraint, the entire address must match.
|
---|
1084 | */
|
---|
1085 | const char *pszConstraintAt = (const char *)memchr(pszConstraint, '@', cchConstraint);
|
---|
1086 | if (pszConstraintAt)
|
---|
1087 | return cchConstraint == cchFull && RTStrICmp(pszConstraint, pszFull) == 0;
|
---|
1088 |
|
---|
1089 | /*
|
---|
1090 | * No match if the constraint and name tail doesn't match
|
---|
1091 | * in a case-insensitive compare.
|
---|
1092 | */
|
---|
1093 | size_t offFull = cchFull - cchConstraint;
|
---|
1094 | if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
|
---|
1095 | return false;
|
---|
1096 |
|
---|
1097 | /*
|
---|
1098 | * If the constraint starts with a dot, we're supposed to be
|
---|
1099 | * satisfied with a tail match.
|
---|
1100 | */
|
---|
1101 | /** @todo Check if this should match even if offFull == 0. */
|
---|
1102 | if (*pszConstraint == '.')
|
---|
1103 | return true;
|
---|
1104 |
|
---|
1105 | /*
|
---|
1106 | * Otherwise, we require a hostname match and thus expect an '@'
|
---|
1107 | * immediatly preceding the constraint match.
|
---|
1108 | */
|
---|
1109 | if (pszFull[offFull - 1] == '@')
|
---|
1110 | return true;
|
---|
1111 |
|
---|
1112 | return false;
|
---|
1113 | }
|
---|
1114 | }
|
---|
1115 |
|
---|
1116 | /* fall back. */
|
---|
1117 | return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
|
---|
1118 | }
|
---|
1119 |
|
---|
1120 |
|
---|
1121 | /**
|
---|
1122 | * Extracts the hostname from an URI.
|
---|
1123 | *
|
---|
1124 | * @returns true if successfully extract, false if no hostname present.
|
---|
1125 | * @param pszUri The URI.
|
---|
1126 | * @param pchHostName .
|
---|
1127 | * @param pcchHostName .
|
---|
1128 | */
|
---|
1129 | static bool rtCrX509GeneralName_ExtractHostName(const char *pszUri, const char **pchHostName, size_t *pcchHostName)
|
---|
1130 | {
|
---|
1131 | /*
|
---|
1132 | * Skip the schema name.
|
---|
1133 | */
|
---|
1134 | const char *pszStart = strchr(pszUri, ':');
|
---|
1135 | while (pszStart && (pszStart[1] != '/' || pszStart[2] != '/'))
|
---|
1136 | pszStart = strchr(pszStart + 1, ':');
|
---|
1137 | if (pszStart)
|
---|
1138 | {
|
---|
1139 | pszStart += 3;
|
---|
1140 |
|
---|
1141 | /*
|
---|
1142 | * The name ends with the first slash or ":port".
|
---|
1143 | */
|
---|
1144 | const char *pszEnd = strchr(pszStart, '/');
|
---|
1145 | if (!pszEnd)
|
---|
1146 | pszEnd = strchr(pszStart, '\0');
|
---|
1147 | if (memchr(pszStart, ':', (size_t)(pszEnd - pszStart)))
|
---|
1148 | do
|
---|
1149 | pszEnd--;
|
---|
1150 | while (*pszEnd != ':');
|
---|
1151 | if (pszEnd != pszStart)
|
---|
1152 | {
|
---|
1153 | /*
|
---|
1154 | * Drop access credentials at the front of the string if present.
|
---|
1155 | */
|
---|
1156 | const char *pszAt = (const char *)memchr(pszStart, '@', (size_t)(pszEnd - pszStart));
|
---|
1157 | if (pszAt)
|
---|
1158 | pszStart = pszAt + 1;
|
---|
1159 |
|
---|
1160 | /*
|
---|
1161 | * If there is still some string left, that's the host name.
|
---|
1162 | */
|
---|
1163 | if (pszEnd != pszStart)
|
---|
1164 | {
|
---|
1165 | *pcchHostName = (size_t)(pszEnd - pszStart);
|
---|
1166 | *pchHostName = pszStart;
|
---|
1167 | return true;
|
---|
1168 | }
|
---|
1169 | }
|
---|
1170 | }
|
---|
1171 |
|
---|
1172 | *pcchHostName = 0;
|
---|
1173 | *pchHostName = NULL;
|
---|
1174 | return false;
|
---|
1175 | }
|
---|
1176 |
|
---|
1177 |
|
---|
1178 | /**
|
---|
1179 | * Name constraint matching (RFC-5280): URI.
|
---|
1180 | *
|
---|
1181 | * @returns true on match, false on mismatch.
|
---|
1182 | * @param pConstraint The constraint name.
|
---|
1183 | * @param pName The name to match against the constraint.
|
---|
1184 | */
|
---|
1185 | static bool rtCrX509GeneralName_ConstraintMatchUri(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
|
---|
1186 | {
|
---|
1187 | /*
|
---|
1188 | * Empty constraint string is taken to match everything.
|
---|
1189 | */
|
---|
1190 | if (pConstraint->u.pT6_Uri->Asn1Core.cb == 0)
|
---|
1191 | return true;
|
---|
1192 |
|
---|
1193 | /*
|
---|
1194 | * Get the UTF-8 strings for the two.
|
---|
1195 | */
|
---|
1196 | size_t cchConstraint;
|
---|
1197 | char const *pszConstraint;
|
---|
1198 | int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT6_Uri, &pszConstraint, &cchConstraint);
|
---|
1199 | if (RT_SUCCESS(rc))
|
---|
1200 | {
|
---|
1201 | size_t cchFull;
|
---|
1202 | char const *pszFull;
|
---|
1203 | rc = RTAsn1String_QueryUtf8(pName->u.pT6_Uri, &pszFull, &cchFull);
|
---|
1204 | if (RT_SUCCESS(rc))
|
---|
1205 | {
|
---|
1206 | /*
|
---|
1207 | * Isolate the hostname in the name.
|
---|
1208 | */
|
---|
1209 | size_t cchHostName;
|
---|
1210 | const char *pchHostName;
|
---|
1211 | if (rtCrX509GeneralName_ExtractHostName(pszFull, &pchHostName, &cchHostName))
|
---|
1212 | {
|
---|
1213 | /*
|
---|
1214 | * Domain constraint.
|
---|
1215 | */
|
---|
1216 | if (*pszConstraint == '.')
|
---|
1217 | {
|
---|
1218 | if (cchHostName >= cchConstraint)
|
---|
1219 | {
|
---|
1220 | size_t offHostName = cchHostName - cchConstraint;
|
---|
1221 | if (RTStrICmp(&pchHostName[offHostName], pszConstraint) == 0)
|
---|
1222 | {
|
---|
1223 | /* "http://www..oracle.com" does not match ".oracle.com".
|
---|
1224 | It's debatable whether "http://.oracle.com/" should match. */
|
---|
1225 | if ( !offHostName
|
---|
1226 | || pchHostName[offHostName - 1] != '.')
|
---|
1227 | return true;
|
---|
1228 | }
|
---|
1229 | }
|
---|
1230 | }
|
---|
1231 | /*
|
---|
1232 | * Host name constraint. Full match required.
|
---|
1233 | */
|
---|
1234 | else if ( cchHostName == cchConstraint
|
---|
1235 | && RTStrNICmp(pchHostName, pszConstraint, cchHostName) == 0)
|
---|
1236 | return true;
|
---|
1237 | }
|
---|
1238 | return false;
|
---|
1239 | }
|
---|
1240 | }
|
---|
1241 |
|
---|
1242 | /* fall back. */
|
---|
1243 | return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
|
---|
1244 | }
|
---|
1245 |
|
---|
1246 |
|
---|
1247 | /**
|
---|
1248 | * Name constraint matching (RFC-5280): IP address.
|
---|
1249 | *
|
---|
1250 | * @returns true on match, false on mismatch.
|
---|
1251 | * @param pConstraint The constraint name.
|
---|
1252 | * @param pName The name to match against the constraint.
|
---|
1253 | */
|
---|
1254 | static bool rtCrX509GeneralName_ConstraintMatchIpAddress(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
|
---|
1255 | {
|
---|
1256 | uint8_t const *pbConstraint = pConstraint->u.pT7_IpAddress->Asn1Core.uData.pu8;
|
---|
1257 | uint8_t const *pbFull = pName->u.pT7_IpAddress->Asn1Core.uData.pu8;
|
---|
1258 |
|
---|
1259 | /*
|
---|
1260 | * IPv4.
|
---|
1261 | */
|
---|
1262 | if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 8 /* ip+netmask*/
|
---|
1263 | && pName->u.pT7_IpAddress->Asn1Core.cb == 4) /* ip */
|
---|
1264 | return ((pbFull[0] ^ pbConstraint[0]) & pbConstraint[4]) == 0
|
---|
1265 | && ((pbFull[1] ^ pbConstraint[1]) & pbConstraint[5]) == 0
|
---|
1266 | && ((pbFull[2] ^ pbConstraint[2]) & pbConstraint[6]) == 0
|
---|
1267 | && ((pbFull[3] ^ pbConstraint[3]) & pbConstraint[7]) == 0;
|
---|
1268 |
|
---|
1269 | /*
|
---|
1270 | * IPv6.
|
---|
1271 | */
|
---|
1272 | if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 32 /* ip+netmask*/
|
---|
1273 | && pName->u.pT7_IpAddress->Asn1Core.cb == 16) /* ip */
|
---|
1274 | {
|
---|
1275 | for (uint32_t i = 0; i < 16; i++)
|
---|
1276 | if (((pbFull[i] ^ pbConstraint[i]) & pbConstraint[i + 16]) != 0)
|
---|
1277 | return false;
|
---|
1278 | return true;
|
---|
1279 | }
|
---|
1280 |
|
---|
1281 | return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
|
---|
1282 | }
|
---|
1283 |
|
---|
1284 |
|
---|
1285 | RTDECL(bool) RTCrX509GeneralName_ConstraintMatch(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
|
---|
1286 | {
|
---|
1287 | if (pConstraint->enmChoice == pName->enmChoice)
|
---|
1288 | {
|
---|
1289 | if (RTCRX509GENERALNAME_IS_DIRECTORY_NAME(pConstraint))
|
---|
1290 | return RTCrX509Name_ConstraintMatch(&pConstraint->u.pT4->DirectoryName, &pName->u.pT4->DirectoryName);
|
---|
1291 |
|
---|
1292 | if (RTCRX509GENERALNAME_IS_DNS_NAME(pConstraint))
|
---|
1293 | return rtCrX509GeneralName_ConstraintMatchDnsName(pConstraint, pName);
|
---|
1294 |
|
---|
1295 | if (RTCRX509GENERALNAME_IS_RFC822_NAME(pConstraint))
|
---|
1296 | return rtCrX509GeneralName_ConstraintMatchRfc822Name(pConstraint, pName);
|
---|
1297 |
|
---|
1298 | if (RTCRX509GENERALNAME_IS_URI(pConstraint))
|
---|
1299 | return rtCrX509GeneralName_ConstraintMatchUri(pConstraint, pName);
|
---|
1300 |
|
---|
1301 | if (RTCRX509GENERALNAME_IS_IP_ADDRESS(pConstraint))
|
---|
1302 | return rtCrX509GeneralName_ConstraintMatchIpAddress(pConstraint, pName);
|
---|
1303 |
|
---|
1304 | AssertFailed();
|
---|
1305 | return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
|
---|
1306 | }
|
---|
1307 | return false;
|
---|
1308 | }
|
---|
1309 |
|
---|
1310 |
|
---|
1311 | /*
|
---|
1312 | * Sequence of X.509 GeneralNames.
|
---|
1313 | */
|
---|
1314 |
|
---|
1315 |
|
---|
1316 | /*
|
---|
1317 | * X.509 UniqueIdentifier.
|
---|
1318 | */
|
---|
1319 |
|
---|
1320 |
|
---|
1321 | /*
|
---|
1322 | * X.509 SubjectPublicKeyInfo.
|
---|
1323 | */
|
---|
1324 |
|
---|
1325 |
|
---|
1326 | /*
|
---|
1327 | * X.509 AuthorityKeyIdentifier (IPRT representation).
|
---|
1328 | */
|
---|
1329 |
|
---|
1330 |
|
---|
1331 | /*
|
---|
1332 | * One X.509 PolicyQualifierInfo.
|
---|
1333 | */
|
---|
1334 |
|
---|
1335 |
|
---|
1336 | /*
|
---|
1337 | * Sequence of X.509 PolicyQualifierInfo.
|
---|
1338 | */
|
---|
1339 |
|
---|
1340 |
|
---|
1341 | /*
|
---|
1342 | * One X.509 PolicyInformation.
|
---|
1343 | */
|
---|
1344 |
|
---|
1345 |
|
---|
1346 | /*
|
---|
1347 | * Sequence of X.509 CertificatePolicies.
|
---|
1348 | */
|
---|
1349 |
|
---|
1350 |
|
---|
1351 | /*
|
---|
1352 | * One X.509 PolicyMapping (IPRT representation).
|
---|
1353 | */
|
---|
1354 |
|
---|
1355 |
|
---|
1356 | /*
|
---|
1357 | * Sequence of X.509 PolicyMappings (IPRT representation).
|
---|
1358 | */
|
---|
1359 |
|
---|
1360 |
|
---|
1361 | /*
|
---|
1362 | * X.509 BasicConstraints (IPRT representation).
|
---|
1363 | */
|
---|
1364 |
|
---|
1365 |
|
---|
1366 | /*
|
---|
1367 | * X.509 GeneralSubtree (IPRT representation).
|
---|
1368 | */
|
---|
1369 |
|
---|
1370 |
|
---|
1371 | RTDECL(bool) RTCrX509GeneralSubtree_ConstraintMatch(PCRTCRX509GENERALSUBTREE pConstraint, PCRTCRX509GENERALSUBTREE pName)
|
---|
1372 | {
|
---|
1373 | return RTCrX509GeneralName_ConstraintMatch(&pConstraint->Base, &pName->Base);
|
---|
1374 | }
|
---|
1375 |
|
---|
1376 |
|
---|
1377 | /*
|
---|
1378 | * Sequence of X.509 GeneralSubtrees (IPRT representation).
|
---|
1379 | */
|
---|
1380 |
|
---|
1381 |
|
---|
1382 | /*
|
---|
1383 | * X.509 NameConstraints (IPRT representation).
|
---|
1384 | */
|
---|
1385 |
|
---|
1386 |
|
---|
1387 | /*
|
---|
1388 | * X.509 PolicyConstraints (IPRT representation).
|
---|
1389 | */
|
---|
1390 |
|
---|
1391 |
|
---|
1392 | /*
|
---|
1393 | * One X.509 Extension.
|
---|
1394 | */
|
---|
1395 |
|
---|
1396 |
|
---|
1397 | /*
|
---|
1398 | * Sequence of X.509 Extensions.
|
---|
1399 | */
|
---|
1400 |
|
---|
1401 |
|
---|
1402 | /*
|
---|
1403 | * X.509 TbsCertificate.
|
---|
1404 | */
|
---|
1405 |
|
---|
1406 | static void rtCrx509TbsCertificate_AddKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
|
---|
1407 | {
|
---|
1408 | AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
|
---|
1409 | /* 3 = 1 byte for unused bit count, followed by one or two bytes containing actual bits. RFC-5280 defines bits 0 thru 8. */
|
---|
1410 | AssertReturnVoid(pExtension->ExtnValue.pEncapsulated->cb <= 3);
|
---|
1411 | pThis->T3.fKeyUsage |= (uint32_t)RTAsn1BitString_GetAsUInt64((PCRTASN1BITSTRING)pExtension->ExtnValue.pEncapsulated);
|
---|
1412 | }
|
---|
1413 |
|
---|
1414 |
|
---|
1415 | static void rtCrx509TbsCertificate_AddExtKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
|
---|
1416 | {
|
---|
1417 | AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
|
---|
1418 | PCRTASN1SEQOFOBJIDS pObjIds = (PCRTASN1SEQOFOBJIDS)pExtension->ExtnValue.pEncapsulated;
|
---|
1419 | uint32_t i = pObjIds->cItems;
|
---|
1420 | while (i-- > 0)
|
---|
1421 | {
|
---|
1422 |
|
---|
1423 | if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_ANY_EXTENDED_KEY_USAGE_OID) == 0)
|
---|
1424 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_ANY;
|
---|
1425 | else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], RTCRX509_ID_KP_OID))
|
---|
1426 | {
|
---|
1427 | if (RTAsn1ObjIdCountComponents(pObjIds->papItems[i]) == 9)
|
---|
1428 | switch (RTAsn1ObjIdGetLastComponentsAsUInt32(pObjIds->papItems[i]))
|
---|
1429 | {
|
---|
1430 | case 1: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_SERVER_AUTH; break;
|
---|
1431 | case 2: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_CLIENT_AUTH; break;
|
---|
1432 | case 3: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_CODE_SIGNING; break;
|
---|
1433 | case 4: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_EMAIL_PROTECTION; break;
|
---|
1434 | case 5: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_IPSEC_END_SYSTEM; break;
|
---|
1435 | case 6: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_IPSEC_TUNNEL; break;
|
---|
1436 | case 7: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_IPSEC_USER; break;
|
---|
1437 | case 8: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_TIMESTAMPING; break;
|
---|
1438 | case 9: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OCSP_SIGNING; break;
|
---|
1439 | case 10: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_DVCS; break;
|
---|
1440 | case 11: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_SBGP_CERT_AA_SERVICE_AUTH; break;
|
---|
1441 | case 13: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_EAP_OVER_PPP; break;
|
---|
1442 | case 14: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_EAP_OVER_LAN; break;
|
---|
1443 | default: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER; break;
|
---|
1444 | }
|
---|
1445 | else
|
---|
1446 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
|
---|
1447 | }
|
---|
1448 | else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], RTCRX509_APPLE_EKU_APPLE_EXTENDED_KEY_USAGE_OID))
|
---|
1449 | {
|
---|
1450 | if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_OID) == 0)
|
---|
1451 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING;
|
---|
1452 | else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_DEVELOPMENT_OID) == 0)
|
---|
1453 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_DEVELOPMENT;
|
---|
1454 | else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_SOFTWARE_UPDATE_SIGNING_OID) == 0)
|
---|
1455 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_SOFTWARE_UPDATE_SIGNING;
|
---|
1456 | else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_THRID_PARTY_OID) == 0)
|
---|
1457 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_THIRD_PARTY;
|
---|
1458 | else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_RESOURCE_SIGNING_OID) == 0)
|
---|
1459 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_RESOURCE_SIGNING;
|
---|
1460 | else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_SYSTEM_IDENTITY_OID) == 0)
|
---|
1461 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_SYSTEM_IDENTITY;
|
---|
1462 | else
|
---|
1463 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
|
---|
1464 | }
|
---|
1465 | else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], "1.3.6.1.4.1.311"))
|
---|
1466 | {
|
---|
1467 | if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_TIMESTAMP_SIGNING_OID) == 0)
|
---|
1468 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_TIMESTAMP_SIGNING;
|
---|
1469 | else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_WHQL_CRYPTO_OID) == 0)
|
---|
1470 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_WHQL_CRYPTO;
|
---|
1471 | else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_ATTEST_WHQL_CRYPTO_OID) == 0)
|
---|
1472 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_ATTEST_WHQL_CRYPTO;
|
---|
1473 | else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_NT5_CRYPTO_OID) == 0)
|
---|
1474 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_NT5_CRYPTO;
|
---|
1475 | else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_OEM_WHQL_CRYPTO_OID) == 0)
|
---|
1476 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_OEM_WHQL_CRYPTO;
|
---|
1477 | else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_EMBEDDED_NT_CRYPTO_OID) == 0)
|
---|
1478 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_EMBEDDED_NT_CRYPTO;
|
---|
1479 | else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_KERNEL_MODE_CODE_SIGNING_OID) == 0)
|
---|
1480 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_KERNEL_MODE_CODE_SIGNING;
|
---|
1481 | else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_LIFETIME_SIGNING_OID) == 0)
|
---|
1482 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_LIFETIME_SIGNING;
|
---|
1483 | else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_DRM_OID) == 0)
|
---|
1484 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_DRM;
|
---|
1485 | else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_DRM_INDIVIDUALIZATION_OID) == 0)
|
---|
1486 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_DRM_INDIVIDUALIZATION;
|
---|
1487 | else
|
---|
1488 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
|
---|
1489 | }
|
---|
1490 | else
|
---|
1491 | pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
|
---|
1492 | }
|
---|
1493 | }
|
---|
1494 |
|
---|
1495 |
|
---|
1496 | /**
|
---|
1497 | * (Re-)Process the certificate extensions.
|
---|
1498 | *
|
---|
1499 | * Will fail if duplicate extensions are encountered.
|
---|
1500 | *
|
---|
1501 | * @returns IPRT status code.
|
---|
1502 | * @param pThis The to-be-signed certificate part.
|
---|
1503 | * @param pErrInfo Where to return extended error details,
|
---|
1504 | * optional.
|
---|
1505 | */
|
---|
1506 | RTDECL(int) RTCrX509TbsCertificate_ReprocessExtensions(PRTCRX509TBSCERTIFICATE pThis, PRTERRINFO pErrInfo)
|
---|
1507 | {
|
---|
1508 | /*
|
---|
1509 | * Clear all variables we will set.
|
---|
1510 | */
|
---|
1511 | pThis->T3.fFlags = 0;
|
---|
1512 | pThis->T3.fKeyUsage = 0;
|
---|
1513 | pThis->T3.fExtKeyUsage = 0;
|
---|
1514 | pThis->T3.pAuthorityKeyIdentifier = NULL;
|
---|
1515 | pThis->T3.pSubjectKeyIdentifier = NULL;
|
---|
1516 | pThis->T3.pAltSubjectName = NULL;
|
---|
1517 | pThis->T3.pAltIssuerName = NULL;
|
---|
1518 | pThis->T3.pCertificatePolicies = NULL;
|
---|
1519 | pThis->T3.pPolicyMappings = NULL;
|
---|
1520 | pThis->T3.pBasicConstraints = NULL;
|
---|
1521 | pThis->T3.pNameConstraints = NULL;
|
---|
1522 | pThis->T3.pPolicyConstraints = NULL;
|
---|
1523 | pThis->T3.pInhibitAnyPolicy = NULL;
|
---|
1524 |
|
---|
1525 | #define CHECK_SET_PRESENT_RET_ON_DUP(a_pThis, a_pErrInfo, a_fPresentFlag) \
|
---|
1526 | do { \
|
---|
1527 | if ((a_pThis)->T3.fFlags & (a_fPresentFlag)) \
|
---|
1528 | return RTErrInfoSet(a_pErrInfo, VERR_CR_X509_TBSCERT_DUPLICATE_EXTENSION, \
|
---|
1529 | "Duplicate extension " #a_fPresentFlag); \
|
---|
1530 | (a_pThis)->T3.fFlags |= (a_fPresentFlag); \
|
---|
1531 | } while (0)
|
---|
1532 |
|
---|
1533 | /*
|
---|
1534 | * Process all the extensions.
|
---|
1535 | */
|
---|
1536 | for (uint32_t i = 0; i < pThis->T3.Extensions.cItems; i++)
|
---|
1537 | {
|
---|
1538 | PCRTASN1OBJID pExtnId = &pThis->T3.Extensions.papItems[i]->ExtnId;
|
---|
1539 | PCRTASN1OCTETSTRING pExtValue = &pThis->T3.Extensions.papItems[i]->ExtnValue;
|
---|
1540 | if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_KEY_USAGE_OID) == 0)
|
---|
1541 | {
|
---|
1542 | CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE);
|
---|
1543 | rtCrx509TbsCertificate_AddKeyUsageFlags(pThis, pThis->T3.Extensions.papItems[i]);
|
---|
1544 | Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
|
---|
1545 | }
|
---|
1546 | else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_EXT_KEY_USAGE_OID) == 0)
|
---|
1547 | {
|
---|
1548 | CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE);
|
---|
1549 | rtCrx509TbsCertificate_AddExtKeyUsageFlags(pThis, pThis->T3.Extensions.papItems[i]);
|
---|
1550 | Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
|
---|
1551 | }
|
---|
1552 | else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
|
---|
1553 | {
|
---|
1554 | CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_AUTHORITY_KEY_IDENTIFIER);
|
---|
1555 | pThis->T3.pAuthorityKeyIdentifier = (PCRTCRX509AUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
|
---|
1556 | Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_AUTHORITY_KEY_IDENTIFIER);
|
---|
1557 | }
|
---|
1558 | else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_OLD_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
|
---|
1559 | {
|
---|
1560 | CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_OLD_AUTHORITY_KEY_IDENTIFIER);
|
---|
1561 | pThis->T3.pOldAuthorityKeyIdentifier = (PCRTCRX509OLDAUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
|
---|
1562 | Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_OLD_AUTHORITY_KEY_IDENTIFIER);
|
---|
1563 | }
|
---|
1564 | else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID) == 0)
|
---|
1565 | {
|
---|
1566 | CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_KEY_IDENTIFIER);
|
---|
1567 | pThis->T3.pSubjectKeyIdentifier = (PCRTASN1OCTETSTRING)pExtValue->pEncapsulated;
|
---|
1568 | Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_OCTET_STRING);
|
---|
1569 | }
|
---|
1570 | else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID) == 0)
|
---|
1571 | {
|
---|
1572 | CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_ALT_NAME);
|
---|
1573 | pThis->T3.pAltSubjectName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
|
---|
1574 | Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
|
---|
1575 | }
|
---|
1576 | else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ISSUER_ALT_NAME_OID) == 0)
|
---|
1577 | {
|
---|
1578 | CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_ISSUER_ALT_NAME);
|
---|
1579 | pThis->T3.pAltIssuerName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
|
---|
1580 | Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
|
---|
1581 | }
|
---|
1582 | else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID) == 0)
|
---|
1583 | {
|
---|
1584 | CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_CERTIFICATE_POLICIES);
|
---|
1585 | pThis->T3.pCertificatePolicies = (PCRTCRX509CERTIFICATEPOLICIES)pExtValue->pEncapsulated;
|
---|
1586 | Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_CERTIFICATE_POLICIES);
|
---|
1587 | }
|
---|
1588 | else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_MAPPINGS_OID) == 0)
|
---|
1589 | {
|
---|
1590 | CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_MAPPINGS);
|
---|
1591 | pThis->T3.pPolicyMappings = (PCRTCRX509POLICYMAPPINGS)pExtValue->pEncapsulated;
|
---|
1592 | Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_POLICY_MAPPINGS);
|
---|
1593 | }
|
---|
1594 | else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID) == 0)
|
---|
1595 | {
|
---|
1596 | CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_BASIC_CONSTRAINTS);
|
---|
1597 | pThis->T3.pBasicConstraints = (PCRTCRX509BASICCONSTRAINTS)pExtValue->pEncapsulated;
|
---|
1598 | Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_BASIC_CONSTRAINTS);
|
---|
1599 | }
|
---|
1600 | else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_NAME_CONSTRAINTS_OID) == 0)
|
---|
1601 | {
|
---|
1602 | CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_NAME_CONSTRAINTS);
|
---|
1603 | pThis->T3.pNameConstraints = (PCRTCRX509NAMECONSTRAINTS)pExtValue->pEncapsulated;
|
---|
1604 | Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_NAME_CONSTRAINTS);
|
---|
1605 | }
|
---|
1606 | else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID) == 0)
|
---|
1607 | {
|
---|
1608 | CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_CONSTRAINTS);
|
---|
1609 | pThis->T3.pPolicyConstraints = (PCRTCRX509POLICYCONSTRAINTS)pExtValue->pEncapsulated;
|
---|
1610 | Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_POLICY_CONSTRAINTS);
|
---|
1611 | }
|
---|
1612 | else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID) == 0)
|
---|
1613 | {
|
---|
1614 | CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_INHIBIT_ANY_POLICY);
|
---|
1615 | pThis->T3.pInhibitAnyPolicy = (PCRTASN1INTEGER)pExtValue->pEncapsulated;
|
---|
1616 | Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_INTEGER);
|
---|
1617 | }
|
---|
1618 | else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ACCEPTABLE_CERT_POLICIES_OID) == 0)
|
---|
1619 | pThis->T3.fFlags |= RTCRX509TBSCERTIFICATE_F_PRESENT_ACCEPTABLE_CERT_POLICIES;
|
---|
1620 | else
|
---|
1621 | pThis->T3.fFlags |= RTCRX509TBSCERTIFICATE_F_PRESENT_OTHER;
|
---|
1622 | }
|
---|
1623 |
|
---|
1624 | if (!pThis->T3.fFlags)
|
---|
1625 | pThis->T3.fFlags |= RTCRX509TBSCERTIFICATE_F_PRESENT_NONE;
|
---|
1626 |
|
---|
1627 | #undef CHECK_SET_PRESENT_RET_ON_DUP
|
---|
1628 | return VINF_SUCCESS;
|
---|
1629 | }
|
---|
1630 |
|
---|
1631 |
|
---|
1632 |
|
---|
1633 | /*
|
---|
1634 | * One X.509 Certificate.
|
---|
1635 | */
|
---|
1636 |
|
---|
1637 | RTDECL(bool) RTCrX509Certificate_MatchIssuerAndSerialNumber(PCRTCRX509CERTIFICATE pCertificate,
|
---|
1638 | PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
|
---|
1639 | {
|
---|
1640 | if ( RTAsn1Integer_UnsignedCompare(&pCertificate->TbsCertificate.SerialNumber, pSerialNumber) == 0
|
---|
1641 | && RTCrX509Name_Compare(&pCertificate->TbsCertificate.Issuer, pIssuer) == 0)
|
---|
1642 | return true;
|
---|
1643 | return false;
|
---|
1644 | }
|
---|
1645 |
|
---|
1646 |
|
---|
1647 | RTDECL(bool) RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(PCRTCRX509CERTIFICATE pThis, PCRTCRX509NAME pName)
|
---|
1648 | {
|
---|
1649 | if (RTCrX509Name_MatchByRfc5280(&pThis->TbsCertificate.Subject, pName))
|
---|
1650 | return true;
|
---|
1651 |
|
---|
1652 | if (RTCrX509Extensions_IsPresent(&pThis->TbsCertificate.T3.Extensions))
|
---|
1653 | for (uint32_t i = 0; i < pThis->TbsCertificate.T3.Extensions.cItems; i++)
|
---|
1654 | {
|
---|
1655 | PCRTCRX509EXTENSION pExt = pThis->TbsCertificate.T3.Extensions.papItems[i];
|
---|
1656 | if ( pExt->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES
|
---|
1657 | && RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID))
|
---|
1658 | {
|
---|
1659 | PCRTCRX509GENERALNAMES pGeneralNames = (PCRTCRX509GENERALNAMES)pExt->ExtnValue.pEncapsulated;
|
---|
1660 | for (uint32_t j = 0; j < pGeneralNames->cItems; j++)
|
---|
1661 | if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(pGeneralNames->papItems[j])
|
---|
1662 | && RTCrX509Name_MatchByRfc5280(&pGeneralNames->papItems[j]->u.pT4->DirectoryName, pName))
|
---|
1663 | return true;
|
---|
1664 | }
|
---|
1665 | }
|
---|
1666 | return false;
|
---|
1667 | }
|
---|
1668 |
|
---|
1669 |
|
---|
1670 | RTDECL(bool) RTCrX509Certificate_IsSelfSigned(PCRTCRX509CERTIFICATE pCertificate)
|
---|
1671 | {
|
---|
1672 | if (RTCrX509Certificate_IsPresent(pCertificate))
|
---|
1673 | {
|
---|
1674 | return RTCrX509Name_MatchByRfc5280(&pCertificate->TbsCertificate.Subject,
|
---|
1675 | &pCertificate->TbsCertificate.Issuer);
|
---|
1676 | }
|
---|
1677 | return false;
|
---|
1678 | }
|
---|
1679 |
|
---|
1680 |
|
---|
1681 | /*
|
---|
1682 | * Set of X.509 Certificates.
|
---|
1683 | */
|
---|
1684 |
|
---|
1685 | RTDECL(PCRTCRX509CERTIFICATE)
|
---|
1686 | RTCrX509Certificates_FindByIssuerAndSerialNumber(PCRTCRX509CERTIFICATES pCertificates,
|
---|
1687 | PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
|
---|
1688 | {
|
---|
1689 | for (uint32_t i = 0; i < pCertificates->cItems; i++)
|
---|
1690 | if (RTCrX509Certificate_MatchIssuerAndSerialNumber(pCertificates->papItems[i], pIssuer, pSerialNumber))
|
---|
1691 | return pCertificates->papItems[i];
|
---|
1692 | return NULL;
|
---|
1693 | }
|
---|
1694 |
|
---|