VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/x509-core.cpp@ 96407

Last change on this file since 96407 was 96407, checked in by vboxsync, 2 years ago

scm copyright and license note update

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 64.2 KB
Line 
1/* $Id: x509-core.cpp 96407 2022-08-22 17:43:14Z vboxsync $ */
2/** @file
3 * IPRT - Crypto - X.509, Core APIs.
4 */
5
6/*
7 * Copyright (C) 2006-2022 Oracle and/or its affiliates.
8 *
9 * This file is part of VirtualBox base platform packages, as
10 * available from https://www.virtualbox.org.
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation, in version 3 of the
15 * License.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20 * General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, see <https://www.gnu.org/licenses>.
24 *
25 * The contents of this file may alternatively be used under the terms
26 * of the Common Development and Distribution License Version 1.0
27 * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
28 * in the VirtualBox distribution, in which case the provisions of the
29 * CDDL are applicable instead of those of the GPL.
30 *
31 * You may elect to license modified versions of this file under the
32 * terms and conditions of either the GPL or the CDDL or both.
33 *
34 * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
35 */
36
37
38/*********************************************************************************************************************************
39* Header Files *
40*********************************************************************************************************************************/
41#include "internal/iprt.h"
42#include <iprt/crypto/x509.h>
43
44#include <iprt/err.h>
45#include <iprt/string.h>
46#include <iprt/uni.h>
47
48#include "x509-internal.h"
49
50
51/*
52 * Generate the code.
53 */
54#include <iprt/asn1-generator-core.h>
55
56
57/*
58 * X.509 Validity.
59 */
60
61RTDECL(bool) RTCrX509Validity_IsValidAtTimeSpec(PCRTCRX509VALIDITY pThis, PCRTTIMESPEC pTimeSpec)
62{
63 if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotBefore, pTimeSpec) > 0)
64 return false;
65 if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotAfter, pTimeSpec) < 0)
66 return false;
67 return true;
68}
69
70
71/*
72 * One X.509 Algorithm Identifier.
73 */
74
75RTDECL(RTDIGESTTYPE) RTCrX509AlgorithmIdentifier_QueryDigestType(PCRTCRX509ALGORITHMIDENTIFIER pThis)
76{
77 AssertPtrReturn(pThis, RTDIGESTTYPE_INVALID);
78 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
79 return RTDIGESTTYPE_MD5;
80 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
81 return RTDIGESTTYPE_SHA1;
82 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
83 return RTDIGESTTYPE_SHA256;
84 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
85 return RTDIGESTTYPE_SHA512;
86
87 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
88 return RTDIGESTTYPE_SHA384;
89 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
90 return RTDIGESTTYPE_SHA224;
91 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
92 return RTDIGESTTYPE_SHA512T224;
93 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
94 return RTDIGESTTYPE_SHA512T256;
95
96 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224))
97 return RTDIGESTTYPE_SHA3_224;
98 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256))
99 return RTDIGESTTYPE_SHA3_256;
100 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384))
101 return RTDIGESTTYPE_SHA3_384;
102 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512))
103 return RTDIGESTTYPE_SHA3_512;
104 return RTDIGESTTYPE_INVALID;
105}
106
107
108RTDECL(uint32_t) RTCrX509AlgorithmIdentifier_QueryDigestSize(PCRTCRX509ALGORITHMIDENTIFIER pThis)
109{
110 AssertPtrReturn(pThis, UINT32_MAX);
111
112 /* common */
113 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
114 return 128 / 8;
115 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
116 return 160 / 8;
117 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
118 return 256 / 8;
119 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
120 return 512 / 8;
121
122 /* Less common. */
123 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD2))
124 return 128 / 8;
125 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD4))
126 return 128 / 8;
127 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
128 return 384 / 8;
129 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
130 return 224 / 8;
131 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
132 return 224 / 8;
133 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
134 return 256 / 8;
135 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224))
136 return 224 / 8;
137 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256))
138 return 256 / 8;
139 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384))
140 return 384 / 8;
141 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512))
142 return 512 / 8;
143 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
144 return 512 / 8;
145
146 return UINT32_MAX;
147}
148
149
150RTDECL(int) RTCrX509AlgorithmIdentifier_CompareWithString(PCRTCRX509ALGORITHMIDENTIFIER pThis, const char *pszObjId)
151{
152 return strcmp(pThis->Algorithm.szObjId, pszObjId);
153}
154
155
156RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(const char *pszDigestOid,
157 const char *pszEncryptedDigestOid)
158{
159 /* common */
160 if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5))
161 {
162 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA))
163 return 0;
164 }
165 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
166 {
167 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA))
168 return 0;
169 }
170 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
171 {
172 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA))
173 return 0;
174 }
175 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
176 {
177 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA))
178 return 0;
179 }
180 /* Less common. */
181 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2))
182 {
183 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA))
184 return 0;
185 }
186 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4))
187 {
188 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA))
189 return 0;
190 }
191 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
192 {
193 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA))
194 return 0;
195 }
196 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
197 {
198 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA))
199 return 0;
200 }
201 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
202 {
203 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA))
204 return 0;
205 }
206 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
207 {
208 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA))
209 return 0;
210 }
211 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224))
212 {
213 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA))
214 return 0;
215 }
216 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256))
217 {
218 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA))
219 return 0;
220 }
221 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384))
222 {
223 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA))
224 return 0;
225 }
226 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512))
227 {
228 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA))
229 return 0;
230 }
231 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
232 {
233 /* ?? */
234 }
235 else
236 return -1;
237 return 1;
238}
239
240RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestAndEncryptedDigest(PCRTCRX509ALGORITHMIDENTIFIER pDigest,
241 PCRTCRX509ALGORITHMIDENTIFIER pEncryptedDigest)
242{
243 return RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(pDigest->Algorithm.szObjId,
244 pEncryptedDigest->Algorithm.szObjId);
245}
246
247
248RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(const char *pszEncryptionOid,
249 const char *pszDigestOid)
250{
251 /* RSA: */
252 if (!strcmp(pszEncryptionOid, RTCRX509ALGORITHMIDENTIFIERID_RSA))
253 {
254 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5)
255 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA))
256 return RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA;
257 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1)
258 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA))
259 return RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA;
260 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256)
261 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA))
262 return RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA;
263 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512)
264 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA))
265 return RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA;
266 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2)
267 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA))
268 return RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA;
269 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4)
270 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA))
271 return RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA;
272 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384)
273 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA))
274 return RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA;
275 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224)
276 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA))
277 return RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA;
278 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224)
279 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA))
280 return RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA;
281 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256)
282 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA))
283 return RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA;
284 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224)
285 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA))
286 return RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA;
287 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256)
288 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA))
289 return RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA;
290 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384)
291 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA))
292 return RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA;
293 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512)
294 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA))
295 return RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA;
296
297 /* if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
298 return ???; */
299 }
300 else if (RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(pszDigestOid, pszEncryptionOid) == 0)
301 return pszEncryptionOid;
302
303 AssertMsgFailed(("enc=%s hash=%s\n", pszEncryptionOid, pszDigestOid));
304 return NULL;
305}
306
307
308RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionAndDigest(PCRTCRX509ALGORITHMIDENTIFIER pEncryption,
309 PCRTCRX509ALGORITHMIDENTIFIER pDigest)
310{
311 return RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(pEncryption->Algorithm.szObjId,
312 pDigest->Algorithm.szObjId);
313}
314
315
316/*
317 * Set of X.509 Algorithm Identifiers.
318 */
319
320
321/*
322 * One X.509 AttributeTypeAndValue.
323 */
324
325
326/*
327 * Set of X.509 AttributeTypeAndValues / X.509 RelativeDistinguishedName.
328 */
329
330/**
331 * Slow code path of rtCrX509CanNameIsNothing.
332 *
333 * @returns true if @uc maps to nothing, false if not.
334 * @param uc The unicode code point.
335 */
336static bool rtCrX509CanNameIsNothingSlow(RTUNICP uc)
337{
338 switch (uc)
339 {
340 /* 2.2 Map - Paragraph 1: */
341 case 0x00ad:
342 case 0x1806:
343 case 0x034f:
344 case 0x180b: case 0x180c: case 0x180d:
345
346 case 0xfe00: case 0xfe01: case 0xfe02: case 0xfe03:
347 case 0xfe04: case 0xfe05: case 0xfe06: case 0xfe07:
348 case 0xfe08: case 0xfe09: case 0xfe0a: case 0xfe0b:
349 case 0xfe0c: case 0xfe0d: case 0xfe0e: case 0xfe0f:
350
351 case 0xfffc:
352
353 /* 2.2 Map - Paragraph 3 (control code/function): */
354 case 0x0000: case 0x0001: case 0x0002: case 0x0003:
355 case 0x0004: case 0x0005: case 0x0006: case 0x0007:
356 case 0x0008:
357
358 case 0x000e: case 0x000f:
359 case 0x0010: case 0x0011: case 0x0012: case 0x0013:
360 case 0x0014: case 0x0015: case 0x0016: case 0x0017:
361 case 0x0018: case 0x0019: case 0x001a: case 0x001b:
362 case 0x001c: case 0x001d: case 0x001e: case 0x001f:
363
364 case 0x007f:
365 case 0x0080: case 0x0081: case 0x0082: case 0x0083:
366 case 0x0084: /*case 0x0085:*/ case 0x0086: case 0x0087:
367 case 0x0088: case 0x0089: case 0x008a: case 0x008b:
368 case 0x008c: case 0x008d: case 0x008e: case 0x008f:
369 case 0x0090: case 0x0091: case 0x0092: case 0x0093:
370 case 0x0094: case 0x0095: case 0x0096: case 0x0097:
371 case 0x0098: case 0x0099: case 0x009a: case 0x009b:
372 case 0x009c: case 0x009d: case 0x009e: case 0x009f:
373
374 case 0x06dd:
375 case 0x070f:
376 case 0x180e:
377 case 0x200c: case 0x200d: case 0x200e: case 0x200f:
378 case 0x202a: case 0x202b: case 0x202c: case 0x202d: case 0x202e:
379 case 0x2060: case 0x2061: case 0x2062: case 0x2063:
380 case 0x206a: case 0x206b: case 0x206c: case 0x206d: case 0x206e: case 0x206f:
381 case 0xfeff:
382 case 0xfff9: case 0xfffa: case 0xfffb:
383 case 0x1d173: case 0x1d174: case 0x1d175: case 0x1d176: case 0x1d177: case 0x1d178: case 0x1d179: case 0x1d17a:
384 case 0xe0001:
385 case 0xe0020: case 0xe0021: case 0xe0022: case 0xe0023:
386 case 0xe0024: case 0xe0025: case 0xe0026: case 0xe0027:
387 case 0xe0028: case 0xe0029: case 0xe002a: case 0xe002b:
388 case 0xe002c: case 0xe002d: case 0xe002e: case 0xe002f:
389 case 0xe0030: case 0xe0031: case 0xe0032: case 0xe0033:
390 case 0xe0034: case 0xe0035: case 0xe0036: case 0xe0037:
391 case 0xe0038: case 0xe0039: case 0xe003a: case 0xe003b:
392 case 0xe003c: case 0xe003d: case 0xe003e: case 0xe003f:
393 case 0xe0040: case 0xe0041: case 0xe0042: case 0xe0043:
394 case 0xe0044: case 0xe0045: case 0xe0046: case 0xe0047:
395 case 0xe0048: case 0xe0049: case 0xe004a: case 0xe004b:
396 case 0xe004c: case 0xe004d: case 0xe004e: case 0xe004f:
397 case 0xe0050: case 0xe0051: case 0xe0052: case 0xe0053:
398 case 0xe0054: case 0xe0055: case 0xe0056: case 0xe0057:
399 case 0xe0058: case 0xe0059: case 0xe005a: case 0xe005b:
400 case 0xe005c: case 0xe005d: case 0xe005e: case 0xe005f:
401 case 0xe0060: case 0xe0061: case 0xe0062: case 0xe0063:
402 case 0xe0064: case 0xe0065: case 0xe0066: case 0xe0067:
403 case 0xe0068: case 0xe0069: case 0xe006a: case 0xe006b:
404 case 0xe006c: case 0xe006d: case 0xe006e: case 0xe006f:
405 case 0xe0070: case 0xe0071: case 0xe0072: case 0xe0073:
406 case 0xe0074: case 0xe0075: case 0xe0076: case 0xe0077:
407 case 0xe0078: case 0xe0079: case 0xe007a: case 0xe007b:
408 case 0xe007c: case 0xe007d: case 0xe007e: case 0xe007f:
409
410 /* 2.2 Map - Paragraph 4. */
411 case 0x200b:
412 return true;
413 }
414 return false;
415}
416
417
418/**
419 * Checks if @a uc maps to nothing according to mapping rules of RFC-5280 and
420 * RFC-4518.
421 *
422 * @returns true if @uc maps to nothing, false if not.
423 * @param uc The unicode code point.
424 */
425DECLINLINE(bool) rtCrX509CanNameIsNothing(RTUNICP uc)
426{
427 if (uc > 0x001f && uc < 0x00ad)
428 return false;
429 return rtCrX509CanNameIsNothingSlow(uc);
430}
431
432
433/**
434 * Slow code path of rtCrX509CanNameIsSpace.
435 *
436 * @returns true if space, false if not.
437 * @param uc The unicode code point.
438 */
439static bool rtCrX509CanNameIsSpaceSlow(RTUNICP uc)
440{
441 switch (uc)
442 {
443 /* 2.2 Map - Paragraph 2. */
444 case 0x09:
445 case 0x0a:
446 case 0x0b:
447 case 0x0c:
448 case 0x0d:
449 case 0x20:
450 case 0x0085:
451 case 0x00a0:
452 case 0x1680:
453 case 0x2000: case 0x2001: case 0x2002: case 0x2003:
454 case 0x2004: case 0x2005: case 0x2006: case 0x2007:
455 case 0x2008: case 0x2009: case 0x200a:
456 case 0x2028: case 0x2029:
457 case 0x202f:
458 case 0x205f:
459 case 0x3000:
460 return true;
461 }
462 return false;
463}
464
465
466/**
467 * Checks if @a uc is a space character according to the mapping rules of
468 * RFC-5280 and RFC-4518.
469 *
470 * @returns true if space, false if not.
471 * @param uc The unicode code point.
472 */
473DECLINLINE(bool) rtCrX509CanNameIsSpace(RTUNICP uc)
474{
475 if (uc < 0x0085)
476 {
477 if (uc > 0x0020)
478 return false;
479 if (uc == 0x0020) /* space */
480 return true;
481 }
482 return rtCrX509CanNameIsSpaceSlow(uc);
483}
484
485
486static const char *rtCrX509CanNameStripLeft(const char *psz, size_t *pcch)
487{
488 /*
489 * Return space when we've encountered the first non-space-non-nothing code point.
490 */
491 const char * const pszStart = psz;
492 const char *pszPrev;
493 for (;;)
494 {
495 pszPrev = psz;
496 RTUNICP uc;
497 int rc = RTStrGetCpEx(&psz, &uc);
498 AssertRCBreak(rc);
499 if (!uc)
500 {
501 if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
502 break;
503 /* NUL inside the string, maps to nothing => ignore it. */
504 }
505 else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
506 break;
507 }
508 *pcch -= (size_t)(pszPrev - pszStart);
509 return pszPrev;
510}
511
512
513static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowSpace(const char **ppsz, size_t *pcch)
514{
515 /*
516 * Return space when we've encountered the first non-space-non-nothing code point.
517 */
518 RTUNICP uc;
519 const char *psz = *ppsz;
520 const char * const pszStart = psz;
521 const char *pszPrev;
522 for (;;)
523 {
524 pszPrev = psz;
525 int rc = RTStrGetCpEx(&psz, &uc);
526 AssertRCBreakStmt(rc, uc = 0x20);
527 if (!uc)
528 {
529 if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
530 {
531 uc = 0; /* End of string: Ignore trailing spaces. */
532 break;
533 }
534 /* NUL inside the string, maps to nothing => ignore it. */
535 }
536 else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
537 {
538 uc = 0x20; /* Return space before current char. */
539 break;
540 }
541 }
542
543 *ppsz = pszPrev;
544 *pcch -= (size_t)(pszPrev - pszStart);
545 return uc;
546}
547
548
549DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpIgnoreNul(const char **ppsz, size_t *pcch)
550{
551 while (*pcch > 0)
552 {
553 const char *psz = *ppsz;
554 RTUNICP uc = (RTUNICP)*psz;
555 if (uc < 0x80)
556 {
557 *pcch -= 1;
558 *ppsz = psz + 1;
559 }
560 else
561 {
562 int rc = RTStrGetCpEx(ppsz, &uc);
563 AssertRCReturn(rc, uc);
564 size_t cchCp = (size_t)(*ppsz - psz);
565 AssertReturn(cchCp <= *pcch, 0);
566 *pcch -= cchCp;
567 }
568 if (uc != 0)
569 return uc;
570 }
571 return 0;
572}
573
574
575static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowNothing(const char **ppsz, size_t *pcch)
576{
577 /*
578 * Return first code point which doesn't map to nothing. If we encounter
579 * a space, we defer to the mapping-after-space routine above.
580 */
581 for (;;)
582 {
583 RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
584 if (rtCrX509CanNameIsSpace(uc))
585 return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
586 if (!rtCrX509CanNameIsNothing(uc) || uc == 0)
587 return uc;
588 }
589}
590
591
592DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpWithMapping(const char **ppsz, size_t *pcch)
593{
594 RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
595 if (uc)
596 {
597 if (!rtCrX509CanNameIsSpace(uc))
598 {
599 if (!rtCrX509CanNameIsNothing(uc))
600 return uc;
601 return rtCrX509CanNameGetNextCpWithMappingSlowNothing(ppsz, pcch);
602 }
603 return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
604 }
605 return uc;
606}
607
608
609RTDECL(bool) RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(PCRTCRX509ATTRIBUTETYPEANDVALUE pLeft,
610 PCRTCRX509ATTRIBUTETYPEANDVALUE pRight)
611{
612 if (RTAsn1ObjId_Compare(&pLeft->Type, &pRight->Type) == 0)
613 {
614 /*
615 * Try for perfect match in case we get luck.
616 */
617#ifdef DEBUG_bird /* Want to test the complicated code path first */
618 if (pLeft->Value.enmType != RTASN1TYPE_STRING || pRight->Value.enmType != RTASN1TYPE_STRING)
619#endif
620 if (RTAsn1DynType_Compare(&pLeft->Value, &pRight->Value) == 0)
621 return true;
622
623 /*
624 * If both are string types, we can compare them according to RFC-5280.
625 */
626 if ( pLeft->Value.enmType == RTASN1TYPE_STRING
627 && pRight->Value.enmType == RTASN1TYPE_STRING)
628 {
629 size_t cchLeft;
630 const char *pszLeft;
631 int rc = RTAsn1String_QueryUtf8(&pLeft->Value.u.String, &pszLeft, &cchLeft);
632 if (RT_SUCCESS(rc))
633 {
634 size_t cchRight;
635 const char *pszRight;
636 rc = RTAsn1String_QueryUtf8(&pRight->Value.u.String, &pszRight, &cchRight);
637 if (RT_SUCCESS(rc))
638 {
639 /*
640 * Perform a simplified RFC-5280 comparsion.
641 * The algorithm as be relaxed on the following counts:
642 * 1. No unicode normalization.
643 * 2. Prohibited characters not checked for.
644 * 3. Bidirectional characters are not ignored.
645 */
646 pszLeft = rtCrX509CanNameStripLeft(pszLeft, &cchLeft);
647 pszRight = rtCrX509CanNameStripLeft(pszRight, &cchRight);
648 while (*pszLeft && *pszRight)
649 {
650 RTUNICP ucLeft = rtCrX509CanNameGetNextCpWithMapping(&pszLeft, &cchLeft);
651 RTUNICP ucRight = rtCrX509CanNameGetNextCpWithMapping(&pszRight, &cchRight);
652 if (ucLeft != ucRight)
653 {
654 ucLeft = RTUniCpToLower(ucLeft);
655 ucRight = RTUniCpToLower(ucRight);
656 if (ucLeft != ucRight)
657 return false;
658 }
659 }
660
661 return cchRight == 0 && cchLeft == 0;
662 }
663 }
664 }
665 }
666 return false;
667}
668
669
670RTDECL(bool) RTCrX509RelativeDistinguishedName_MatchByRfc5280(PCRTCRX509RELATIVEDISTINGUISHEDNAME pLeft,
671 PCRTCRX509RELATIVEDISTINGUISHEDNAME pRight)
672{
673 /*
674 * No match if the attribute count differs.
675 */
676 uint32_t const cItems = pLeft->cItems;
677 if (cItems == pRight->cItems)
678 {
679 /*
680 * Compare each attribute, but don't insist on the same order nor
681 * bother checking for duplicates (too complicated).
682 */
683 for (uint32_t iLeft = 0; iLeft < cItems; iLeft++)
684 {
685 PCRTCRX509ATTRIBUTETYPEANDVALUE pLeftAttr = pLeft->papItems[iLeft];
686 bool fFound = false;
687 for (uint32_t iRight = 0; iRight < cItems; iRight++)
688 if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pLeftAttr, pRight->papItems[iRight]))
689 {
690 fFound = true;
691 break;
692 }
693 if (!fFound)
694 return false;
695 }
696 return true;
697 }
698 return false;
699
700}
701
702
703/*
704 * X.509 Name.
705 */
706
707RTDECL(bool) RTCrX509Name_MatchByRfc5280(PCRTCRX509NAME pLeft, PCRTCRX509NAME pRight)
708{
709 uint32_t const cItems = pLeft->cItems;
710 if (cItems == pRight->cItems)
711 {
712 /* Require exact order. */
713 for (uint32_t iRdn = 0; iRdn < cItems; iRdn++)
714 if (!RTCrX509RelativeDistinguishedName_MatchByRfc5280(pLeft->papItems[iRdn], pRight->papItems[iRdn]))
715 return false;
716 return true;
717 }
718 return false;
719}
720
721
722RTDECL(bool) RTCrX509Name_ConstraintMatch(PCRTCRX509NAME pConstraint, PCRTCRX509NAME pName)
723{
724 /*
725 * Check that the constraint is a prefix of the name. This means that
726 * the name must have at least as many components and the constraint.
727 */
728 if (pName->cItems >= pConstraint->cItems)
729 {
730 /*
731 * Parallel crawl of the two RDNs arrays.
732 */
733 for (uint32_t i = 0; pConstraint->cItems; i++)
734 {
735 PCRTCRX509RELATIVEDISTINGUISHEDNAME pConstrRdns = pConstraint->papItems[i];
736 PCRTCRX509RELATIVEDISTINGUISHEDNAME pNameRdns = pName->papItems[i];
737
738 /*
739 * Walk the constraint attribute & value array.
740 */
741 for (uint32_t iConstrAttrib = 0; iConstrAttrib < pConstrRdns->cItems; iConstrAttrib++)
742 {
743 PCRTCRX509ATTRIBUTETYPEANDVALUE pConstrAttrib = pConstrRdns->papItems[iConstrAttrib];
744
745 /*
746 * Find matching attribute & value in the name.
747 */
748 bool fFound = false;
749 for (uint32_t iNameAttrib = 0; iNameAttrib < pNameRdns->cItems; iNameAttrib++)
750 if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pConstrAttrib, pNameRdns->papItems[iNameAttrib]))
751 {
752 fFound = true;
753 break;
754 }
755 if (fFound)
756 return false;
757 }
758 }
759 return true;
760 }
761 return false;
762}
763
764
765/**
766 * Mapping between X.500 object IDs and short and long names.
767 *
768 * See RFC-1327, RFC-4519 ...
769 */
770static struct
771{
772 const char *pszOid;
773 const char *pszShortNm;
774 size_t cchShortNm;
775 const char *pszLongNm;
776} const g_aRdnMap[] =
777{
778 { "0.9.2342.19200300.100.1.1", RT_STR_TUPLE("uid"), "userid" },
779 { "0.9.2342.19200300.100.1.3", RT_STR_TUPLE("Mail"), "Rfc822Mailbox" },
780 { "0.9.2342.19200300.100.1.25", RT_STR_TUPLE("DC"), "DomainComponent" },
781 { "1.2.840.113549.1.9.1", RT_STR_TUPLE("Email") /*nonstandard*/,"EmailAddress" },
782 { "2.5.4.3", RT_STR_TUPLE("CN"), "CommonName" },
783 { "2.5.4.4", RT_STR_TUPLE("SN"), "Surname" },
784 { "2.5.4.5", RT_STR_TUPLE("SRN") /*nonstandard*/, "SerialNumber" },
785 { "2.5.4.6", RT_STR_TUPLE("C"), "CountryName" },
786 { "2.5.4.7", RT_STR_TUPLE("L"), "LocalityName" },
787 { "2.5.4.8", RT_STR_TUPLE("ST"), "StateOrProviceName" },
788 { "2.5.4.9", RT_STR_TUPLE("street"), "Street" },
789 { "2.5.4.10", RT_STR_TUPLE("O"), "OrganizationName" },
790 { "2.5.4.11", RT_STR_TUPLE("OU"), "OrganizationalUnitName" },
791 { "2.5.4.12", RT_STR_TUPLE("title"), "Title" },
792 { "2.5.4.13", RT_STR_TUPLE("desc"), "Description" },
793 { "2.5.4.15", RT_STR_TUPLE("BC") /*nonstandard*/, "BusinessCategory" },
794 { "2.5.4.17", RT_STR_TUPLE("ZIP") /*nonstandard*/, "PostalCode" },
795 { "2.5.4.18", RT_STR_TUPLE("POBox") /*nonstandard*/,"PostOfficeBox" },
796 { "2.5.4.20", RT_STR_TUPLE("PN") /*nonstandard*/, "TelephoneNumber" },
797 { "2.5.4.33", RT_STR_TUPLE("RO") /*nonstandard*/, "RoleOccupant" },
798 { "2.5.4.34", RT_STR_TUPLE("SA") /*nonstandard*/, "StreetAddress" },
799 { "2.5.4.41", RT_STR_TUPLE("N") /*nonstandard*/, "Name" },
800 { "2.5.4.42", RT_STR_TUPLE("GN"), "GivenName" },
801 { "2.5.4.43", RT_STR_TUPLE("I") /*nonstandard*/, "Initials" },
802 { "2.5.4.44", RT_STR_TUPLE("GQ") /*nonstandard*/, "GenerationQualifier" },
803 { "2.5.4.46", RT_STR_TUPLE("DNQ") /*nonstandard*/, "DNQualifier" },
804 { "2.5.4.51", RT_STR_TUPLE("HID") /*nonstandard*/, "HouseIdentifier" },
805};
806
807
808RTDECL(const char *) RTCrX509Name_GetShortRdn(PCRTASN1OBJID pRdnId)
809{
810 uint32_t iName = RT_ELEMENTS(g_aRdnMap);
811 while (iName-- > 0)
812 if (RTAsn1ObjId_CompareWithString(pRdnId, g_aRdnMap[iName].pszOid) == 0)
813 return g_aRdnMap[iName].pszShortNm;
814 return NULL;
815}
816
817
818RTDECL(bool) RTCrX509Name_MatchWithString(PCRTCRX509NAME pThis, const char *pszString)
819{
820 /* Keep track of the string length. */
821 size_t cchString = strlen(pszString);
822
823 /*
824 * The usual double loop for walking the components.
825 */
826 for (uint32_t i = 0; i < pThis->cItems; i++)
827 {
828 PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = pThis->papItems[i];
829 for (uint32_t j = 0; j < pRdn->cItems; j++)
830 {
831 PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = pRdn->papItems[j];
832
833 /*
834 * Must be a string.
835 */
836 if (pComponent->Value.enmType != RTASN1TYPE_STRING)
837 return false;
838
839 /*
840 * Look up the component name prefix and check whether it's also in the string.
841 */
842 uint32_t iName = RT_ELEMENTS(g_aRdnMap);
843 while (iName-- > 0)
844 if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
845 break;
846 AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId), false);
847
848 if ( strncmp(pszString, g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm) != 0
849 || pszString[g_aRdnMap[iName].cchShortNm] != '=')
850 return false;
851
852 pszString += g_aRdnMap[iName].cchShortNm + 1;
853 cchString -= g_aRdnMap[iName].cchShortNm + 1;
854
855 /*
856 * Compare the component string.
857 */
858 size_t cchComponent;
859 int rc = RTAsn1String_QueryUtf8Len(&pComponent->Value.u.String, &cchComponent);
860 AssertRCReturn(rc, false);
861
862 if (cchComponent > cchString)
863 return false;
864 if (RTAsn1String_CompareWithString(&pComponent->Value.u.String, pszString, cchComponent) != 0)
865 return false;
866
867 cchString -= cchComponent;
868 pszString += cchComponent;
869
870 /*
871 * Check separator comma + space and skip extra spaces before the next component.
872 */
873 if (cchString)
874 {
875 if (pszString[0] != ',')
876 return false;
877 if (pszString[1] != ' ' && pszString[1] != '\t')
878 return false;
879 pszString += 2;
880 cchString -= 2;
881
882 while (*pszString == ' ' || *pszString == '\t')
883 {
884 pszString++;
885 cchString--;
886 }
887 }
888 }
889 }
890
891 /*
892 * If we got thru the whole name and the whole string, we're good.
893 */
894 return *pszString == '\0';
895}
896
897
898RTDECL(int) RTCrX509Name_FormatAsString(PCRTCRX509NAME pThis, char *pszBuf, size_t cbBuf, size_t *pcbActual)
899{
900 /*
901 * The usual double loop for walking the components.
902 */
903 size_t off = 0;
904 int rc = VINF_SUCCESS;
905 for (uint32_t i = 0; i < pThis->cItems; i++)
906 {
907 PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = pThis->papItems[i];
908 for (uint32_t j = 0; j < pRdn->cItems; j++)
909 {
910 PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = pRdn->papItems[j];
911
912 /*
913 * Must be a string.
914 */
915 if (pComponent->Value.enmType != RTASN1TYPE_STRING)
916 return VERR_CR_X509_NAME_NOT_STRING;
917
918 /*
919 * Look up the component name prefix.
920 */
921 uint32_t iName = RT_ELEMENTS(g_aRdnMap);
922 while (iName-- > 0)
923 if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
924 break;
925 AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId),
926 VERR_CR_X509_NAME_MISSING_RDN_MAP_ENTRY);
927
928 /*
929 * Append the prefix.
930 */
931 if (off)
932 {
933 if (off + 2 < cbBuf)
934 {
935 pszBuf[off] = ',';
936 pszBuf[off + 1] = ' ';
937 }
938 else
939 rc = VERR_BUFFER_OVERFLOW;
940 off += 2;
941 }
942
943 if (off + g_aRdnMap[iName].cchShortNm + 1 < cbBuf)
944 {
945 memcpy(&pszBuf[off], g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm);
946 pszBuf[off + g_aRdnMap[iName].cchShortNm] = '=';
947 }
948 else
949 rc = VERR_BUFFER_OVERFLOW;
950 off += g_aRdnMap[iName].cchShortNm + 1;
951
952 /*
953 * Add the component string.
954 */
955 const char *pszUtf8;
956 size_t cchUtf8;
957 int rc2 = RTAsn1String_QueryUtf8(&pComponent->Value.u.String, &pszUtf8, &cchUtf8);
958 AssertRCReturn(rc2, rc2);
959 if (off + cchUtf8 < cbBuf)
960 memcpy(&pszBuf[off], pszUtf8, cchUtf8);
961 else
962 rc = VERR_BUFFER_OVERFLOW;
963 off += cchUtf8;
964 }
965 }
966
967 if (pcbActual)
968 *pcbActual = off + 1;
969 if (off < cbBuf)
970 pszBuf[off] = '\0';
971 return rc;
972}
973
974
975
976/*
977 * One X.509 GeneralName.
978 */
979
980/**
981 * Name constraint matching (RFC-5280): DNS Name.
982 *
983 * @returns true on match, false on mismatch.
984 * @param pConstraint The constraint name.
985 * @param pName The name to match against the constraint.
986 */
987static bool rtCrX509GeneralName_ConstraintMatchDnsName(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
988{
989 /*
990 * Empty constraint string is taken to match everything.
991 */
992 if (pConstraint->u.pT2_DnsName->Asn1Core.cb == 0)
993 return true;
994
995 /*
996 * Get the UTF-8 strings for the two.
997 */
998 size_t cchConstraint;
999 char const *pszConstraint;
1000 int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT2_DnsName, &pszConstraint, &cchConstraint);
1001 if (RT_SUCCESS(rc))
1002 {
1003 size_t cchFull;
1004 char const *pszFull;
1005 rc = RTAsn1String_QueryUtf8(pName->u.pT2_DnsName, &pszFull, &cchFull);
1006 if (RT_SUCCESS(rc))
1007 {
1008 /*
1009 * No match if the constraint is longer.
1010 */
1011 if (cchConstraint > cchFull)
1012 return false;
1013
1014 /*
1015 * No match if the constraint and name tail doesn't match
1016 * in a case-insensitive compare.
1017 */
1018 size_t offFull = cchFull - cchConstraint;
1019 if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
1020 return false;
1021 if (!offFull)
1022 return true;
1023
1024 /*
1025 * The matching constraint must be delimited by a dot in the full
1026 * name. There seems to be some discussion whether ".oracle.com"
1027 * should match "www..oracle.com". This implementation does choose
1028 * to not succeed in that case.
1029 */
1030 if ((pszFull[offFull - 1] == '.') ^ (pszFull[offFull] == '.'))
1031 return true;
1032
1033 return false;
1034 }
1035 }
1036
1037 /* fall back. */
1038 return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1039}
1040
1041
1042/**
1043 * Name constraint matching (RFC-5280): RFC-822 (email).
1044 *
1045 * @returns true on match, false on mismatch.
1046 * @param pConstraint The constraint name.
1047 * @param pName The name to match against the constraint.
1048 */
1049static bool rtCrX509GeneralName_ConstraintMatchRfc822Name(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1050{
1051 /*
1052 * Empty constraint string is taken to match everything.
1053 */
1054 if (pConstraint->u.pT1_Rfc822->Asn1Core.cb == 0)
1055 return true;
1056
1057 /*
1058 * Get the UTF-8 strings for the two.
1059 */
1060 size_t cchConstraint;
1061 char const *pszConstraint;
1062 int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT1_Rfc822, &pszConstraint, &cchConstraint);
1063 if (RT_SUCCESS(rc))
1064 {
1065 size_t cchFull;
1066 char const *pszFull;
1067 rc = RTAsn1String_QueryUtf8(pName->u.pT1_Rfc822, &pszFull, &cchFull);
1068 if (RT_SUCCESS(rc))
1069 {
1070 /*
1071 * No match if the constraint is longer.
1072 */
1073 if (cchConstraint > cchFull)
1074 return false;
1075
1076 /*
1077 * A lone dot matches everything.
1078 */
1079 if (cchConstraint == 1 && *pszConstraint == '.')
1080 return true;
1081
1082 /*
1083 * If there is a '@' in the constraint, the entire address must match.
1084 */
1085 const char *pszConstraintAt = (const char *)memchr(pszConstraint, '@', cchConstraint);
1086 if (pszConstraintAt)
1087 return cchConstraint == cchFull && RTStrICmp(pszConstraint, pszFull) == 0;
1088
1089 /*
1090 * No match if the constraint and name tail doesn't match
1091 * in a case-insensitive compare.
1092 */
1093 size_t offFull = cchFull - cchConstraint;
1094 if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
1095 return false;
1096
1097 /*
1098 * If the constraint starts with a dot, we're supposed to be
1099 * satisfied with a tail match.
1100 */
1101 /** @todo Check if this should match even if offFull == 0. */
1102 if (*pszConstraint == '.')
1103 return true;
1104
1105 /*
1106 * Otherwise, we require a hostname match and thus expect an '@'
1107 * immediatly preceding the constraint match.
1108 */
1109 if (pszFull[offFull - 1] == '@')
1110 return true;
1111
1112 return false;
1113 }
1114 }
1115
1116 /* fall back. */
1117 return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1118}
1119
1120
1121/**
1122 * Extracts the hostname from an URI.
1123 *
1124 * @returns true if successfully extract, false if no hostname present.
1125 * @param pszUri The URI.
1126 * @param pchHostName .
1127 * @param pcchHostName .
1128 */
1129static bool rtCrX509GeneralName_ExtractHostName(const char *pszUri, const char **pchHostName, size_t *pcchHostName)
1130{
1131 /*
1132 * Skip the schema name.
1133 */
1134 const char *pszStart = strchr(pszUri, ':');
1135 while (pszStart && (pszStart[1] != '/' || pszStart[2] != '/'))
1136 pszStart = strchr(pszStart + 1, ':');
1137 if (pszStart)
1138 {
1139 pszStart += 3;
1140
1141 /*
1142 * The name ends with the first slash or ":port".
1143 */
1144 const char *pszEnd = strchr(pszStart, '/');
1145 if (!pszEnd)
1146 pszEnd = strchr(pszStart, '\0');
1147 if (memchr(pszStart, ':', (size_t)(pszEnd - pszStart)))
1148 do
1149 pszEnd--;
1150 while (*pszEnd != ':');
1151 if (pszEnd != pszStart)
1152 {
1153 /*
1154 * Drop access credentials at the front of the string if present.
1155 */
1156 const char *pszAt = (const char *)memchr(pszStart, '@', (size_t)(pszEnd - pszStart));
1157 if (pszAt)
1158 pszStart = pszAt + 1;
1159
1160 /*
1161 * If there is still some string left, that's the host name.
1162 */
1163 if (pszEnd != pszStart)
1164 {
1165 *pcchHostName = (size_t)(pszEnd - pszStart);
1166 *pchHostName = pszStart;
1167 return true;
1168 }
1169 }
1170 }
1171
1172 *pcchHostName = 0;
1173 *pchHostName = NULL;
1174 return false;
1175}
1176
1177
1178/**
1179 * Name constraint matching (RFC-5280): URI.
1180 *
1181 * @returns true on match, false on mismatch.
1182 * @param pConstraint The constraint name.
1183 * @param pName The name to match against the constraint.
1184 */
1185static bool rtCrX509GeneralName_ConstraintMatchUri(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1186{
1187 /*
1188 * Empty constraint string is taken to match everything.
1189 */
1190 if (pConstraint->u.pT6_Uri->Asn1Core.cb == 0)
1191 return true;
1192
1193 /*
1194 * Get the UTF-8 strings for the two.
1195 */
1196 size_t cchConstraint;
1197 char const *pszConstraint;
1198 int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT6_Uri, &pszConstraint, &cchConstraint);
1199 if (RT_SUCCESS(rc))
1200 {
1201 size_t cchFull;
1202 char const *pszFull;
1203 rc = RTAsn1String_QueryUtf8(pName->u.pT6_Uri, &pszFull, &cchFull);
1204 if (RT_SUCCESS(rc))
1205 {
1206 /*
1207 * Isolate the hostname in the name.
1208 */
1209 size_t cchHostName;
1210 const char *pchHostName;
1211 if (rtCrX509GeneralName_ExtractHostName(pszFull, &pchHostName, &cchHostName))
1212 {
1213 /*
1214 * Domain constraint.
1215 */
1216 if (*pszConstraint == '.')
1217 {
1218 if (cchHostName >= cchConstraint)
1219 {
1220 size_t offHostName = cchHostName - cchConstraint;
1221 if (RTStrICmp(&pchHostName[offHostName], pszConstraint) == 0)
1222 {
1223 /* "http://www..oracle.com" does not match ".oracle.com".
1224 It's debatable whether "http://.oracle.com/" should match. */
1225 if ( !offHostName
1226 || pchHostName[offHostName - 1] != '.')
1227 return true;
1228 }
1229 }
1230 }
1231 /*
1232 * Host name constraint. Full match required.
1233 */
1234 else if ( cchHostName == cchConstraint
1235 && RTStrNICmp(pchHostName, pszConstraint, cchHostName) == 0)
1236 return true;
1237 }
1238 return false;
1239 }
1240 }
1241
1242 /* fall back. */
1243 return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1244}
1245
1246
1247/**
1248 * Name constraint matching (RFC-5280): IP address.
1249 *
1250 * @returns true on match, false on mismatch.
1251 * @param pConstraint The constraint name.
1252 * @param pName The name to match against the constraint.
1253 */
1254static bool rtCrX509GeneralName_ConstraintMatchIpAddress(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1255{
1256 uint8_t const *pbConstraint = pConstraint->u.pT7_IpAddress->Asn1Core.uData.pu8;
1257 uint8_t const *pbFull = pName->u.pT7_IpAddress->Asn1Core.uData.pu8;
1258
1259 /*
1260 * IPv4.
1261 */
1262 if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 8 /* ip+netmask*/
1263 && pName->u.pT7_IpAddress->Asn1Core.cb == 4) /* ip */
1264 return ((pbFull[0] ^ pbConstraint[0]) & pbConstraint[4]) == 0
1265 && ((pbFull[1] ^ pbConstraint[1]) & pbConstraint[5]) == 0
1266 && ((pbFull[2] ^ pbConstraint[2]) & pbConstraint[6]) == 0
1267 && ((pbFull[3] ^ pbConstraint[3]) & pbConstraint[7]) == 0;
1268
1269 /*
1270 * IPv6.
1271 */
1272 if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 32 /* ip+netmask*/
1273 && pName->u.pT7_IpAddress->Asn1Core.cb == 16) /* ip */
1274 {
1275 for (uint32_t i = 0; i < 16; i++)
1276 if (((pbFull[i] ^ pbConstraint[i]) & pbConstraint[i + 16]) != 0)
1277 return false;
1278 return true;
1279 }
1280
1281 return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1282}
1283
1284
1285RTDECL(bool) RTCrX509GeneralName_ConstraintMatch(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1286{
1287 if (pConstraint->enmChoice == pName->enmChoice)
1288 {
1289 if (RTCRX509GENERALNAME_IS_DIRECTORY_NAME(pConstraint))
1290 return RTCrX509Name_ConstraintMatch(&pConstraint->u.pT4->DirectoryName, &pName->u.pT4->DirectoryName);
1291
1292 if (RTCRX509GENERALNAME_IS_DNS_NAME(pConstraint))
1293 return rtCrX509GeneralName_ConstraintMatchDnsName(pConstraint, pName);
1294
1295 if (RTCRX509GENERALNAME_IS_RFC822_NAME(pConstraint))
1296 return rtCrX509GeneralName_ConstraintMatchRfc822Name(pConstraint, pName);
1297
1298 if (RTCRX509GENERALNAME_IS_URI(pConstraint))
1299 return rtCrX509GeneralName_ConstraintMatchUri(pConstraint, pName);
1300
1301 if (RTCRX509GENERALNAME_IS_IP_ADDRESS(pConstraint))
1302 return rtCrX509GeneralName_ConstraintMatchIpAddress(pConstraint, pName);
1303
1304 AssertFailed();
1305 return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1306 }
1307 return false;
1308}
1309
1310
1311/*
1312 * Sequence of X.509 GeneralNames.
1313 */
1314
1315
1316/*
1317 * X.509 UniqueIdentifier.
1318 */
1319
1320
1321/*
1322 * X.509 SubjectPublicKeyInfo.
1323 */
1324
1325
1326/*
1327 * X.509 AuthorityKeyIdentifier (IPRT representation).
1328 */
1329
1330
1331/*
1332 * One X.509 PolicyQualifierInfo.
1333 */
1334
1335
1336/*
1337 * Sequence of X.509 PolicyQualifierInfo.
1338 */
1339
1340
1341/*
1342 * One X.509 PolicyInformation.
1343 */
1344
1345
1346/*
1347 * Sequence of X.509 CertificatePolicies.
1348 */
1349
1350
1351/*
1352 * One X.509 PolicyMapping (IPRT representation).
1353 */
1354
1355
1356/*
1357 * Sequence of X.509 PolicyMappings (IPRT representation).
1358 */
1359
1360
1361/*
1362 * X.509 BasicConstraints (IPRT representation).
1363 */
1364
1365
1366/*
1367 * X.509 GeneralSubtree (IPRT representation).
1368 */
1369
1370
1371RTDECL(bool) RTCrX509GeneralSubtree_ConstraintMatch(PCRTCRX509GENERALSUBTREE pConstraint, PCRTCRX509GENERALSUBTREE pName)
1372{
1373 return RTCrX509GeneralName_ConstraintMatch(&pConstraint->Base, &pName->Base);
1374}
1375
1376
1377/*
1378 * Sequence of X.509 GeneralSubtrees (IPRT representation).
1379 */
1380
1381
1382/*
1383 * X.509 NameConstraints (IPRT representation).
1384 */
1385
1386
1387/*
1388 * X.509 PolicyConstraints (IPRT representation).
1389 */
1390
1391
1392/*
1393 * One X.509 Extension.
1394 */
1395
1396
1397/*
1398 * Sequence of X.509 Extensions.
1399 */
1400
1401
1402/*
1403 * X.509 TbsCertificate.
1404 */
1405
1406static void rtCrx509TbsCertificate_AddKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
1407{
1408 AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
1409 /* 3 = 1 byte for unused bit count, followed by one or two bytes containing actual bits. RFC-5280 defines bits 0 thru 8. */
1410 AssertReturnVoid(pExtension->ExtnValue.pEncapsulated->cb <= 3);
1411 pThis->T3.fKeyUsage |= (uint32_t)RTAsn1BitString_GetAsUInt64((PCRTASN1BITSTRING)pExtension->ExtnValue.pEncapsulated);
1412}
1413
1414
1415static void rtCrx509TbsCertificate_AddExtKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
1416{
1417 AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
1418 PCRTASN1SEQOFOBJIDS pObjIds = (PCRTASN1SEQOFOBJIDS)pExtension->ExtnValue.pEncapsulated;
1419 uint32_t i = pObjIds->cItems;
1420 while (i-- > 0)
1421 {
1422
1423 if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_ANY_EXTENDED_KEY_USAGE_OID) == 0)
1424 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_ANY;
1425 else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], RTCRX509_ID_KP_OID))
1426 {
1427 if (RTAsn1ObjIdCountComponents(pObjIds->papItems[i]) == 9)
1428 switch (RTAsn1ObjIdGetLastComponentsAsUInt32(pObjIds->papItems[i]))
1429 {
1430 case 1: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_SERVER_AUTH; break;
1431 case 2: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_CLIENT_AUTH; break;
1432 case 3: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_CODE_SIGNING; break;
1433 case 4: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_EMAIL_PROTECTION; break;
1434 case 5: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_IPSEC_END_SYSTEM; break;
1435 case 6: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_IPSEC_TUNNEL; break;
1436 case 7: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_IPSEC_USER; break;
1437 case 8: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_TIMESTAMPING; break;
1438 case 9: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OCSP_SIGNING; break;
1439 case 10: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_DVCS; break;
1440 case 11: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_SBGP_CERT_AA_SERVICE_AUTH; break;
1441 case 13: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_EAP_OVER_PPP; break;
1442 case 14: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_EAP_OVER_LAN; break;
1443 default: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER; break;
1444 }
1445 else
1446 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
1447 }
1448 else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], RTCRX509_APPLE_EKU_APPLE_EXTENDED_KEY_USAGE_OID))
1449 {
1450 if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_OID) == 0)
1451 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING;
1452 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_DEVELOPMENT_OID) == 0)
1453 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_DEVELOPMENT;
1454 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_SOFTWARE_UPDATE_SIGNING_OID) == 0)
1455 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_SOFTWARE_UPDATE_SIGNING;
1456 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_THRID_PARTY_OID) == 0)
1457 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_THIRD_PARTY;
1458 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_RESOURCE_SIGNING_OID) == 0)
1459 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_RESOURCE_SIGNING;
1460 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_SYSTEM_IDENTITY_OID) == 0)
1461 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_SYSTEM_IDENTITY;
1462 else
1463 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
1464 }
1465 else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], "1.3.6.1.4.1.311"))
1466 {
1467 if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_TIMESTAMP_SIGNING_OID) == 0)
1468 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_TIMESTAMP_SIGNING;
1469 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_WHQL_CRYPTO_OID) == 0)
1470 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_WHQL_CRYPTO;
1471 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_ATTEST_WHQL_CRYPTO_OID) == 0)
1472 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_ATTEST_WHQL_CRYPTO;
1473 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_NT5_CRYPTO_OID) == 0)
1474 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_NT5_CRYPTO;
1475 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_OEM_WHQL_CRYPTO_OID) == 0)
1476 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_OEM_WHQL_CRYPTO;
1477 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_EMBEDDED_NT_CRYPTO_OID) == 0)
1478 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_EMBEDDED_NT_CRYPTO;
1479 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_KERNEL_MODE_CODE_SIGNING_OID) == 0)
1480 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_KERNEL_MODE_CODE_SIGNING;
1481 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_LIFETIME_SIGNING_OID) == 0)
1482 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_LIFETIME_SIGNING;
1483 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_DRM_OID) == 0)
1484 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_DRM;
1485 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_DRM_INDIVIDUALIZATION_OID) == 0)
1486 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_DRM_INDIVIDUALIZATION;
1487 else
1488 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
1489 }
1490 else
1491 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
1492 }
1493}
1494
1495
1496/**
1497 * (Re-)Process the certificate extensions.
1498 *
1499 * Will fail if duplicate extensions are encountered.
1500 *
1501 * @returns IPRT status code.
1502 * @param pThis The to-be-signed certificate part.
1503 * @param pErrInfo Where to return extended error details,
1504 * optional.
1505 */
1506RTDECL(int) RTCrX509TbsCertificate_ReprocessExtensions(PRTCRX509TBSCERTIFICATE pThis, PRTERRINFO pErrInfo)
1507{
1508 /*
1509 * Clear all variables we will set.
1510 */
1511 pThis->T3.fFlags = 0;
1512 pThis->T3.fKeyUsage = 0;
1513 pThis->T3.fExtKeyUsage = 0;
1514 pThis->T3.pAuthorityKeyIdentifier = NULL;
1515 pThis->T3.pSubjectKeyIdentifier = NULL;
1516 pThis->T3.pAltSubjectName = NULL;
1517 pThis->T3.pAltIssuerName = NULL;
1518 pThis->T3.pCertificatePolicies = NULL;
1519 pThis->T3.pPolicyMappings = NULL;
1520 pThis->T3.pBasicConstraints = NULL;
1521 pThis->T3.pNameConstraints = NULL;
1522 pThis->T3.pPolicyConstraints = NULL;
1523 pThis->T3.pInhibitAnyPolicy = NULL;
1524
1525#define CHECK_SET_PRESENT_RET_ON_DUP(a_pThis, a_pErrInfo, a_fPresentFlag) \
1526 do { \
1527 if ((a_pThis)->T3.fFlags & (a_fPresentFlag)) \
1528 return RTErrInfoSet(a_pErrInfo, VERR_CR_X509_TBSCERT_DUPLICATE_EXTENSION, \
1529 "Duplicate extension " #a_fPresentFlag); \
1530 (a_pThis)->T3.fFlags |= (a_fPresentFlag); \
1531 } while (0)
1532
1533 /*
1534 * Process all the extensions.
1535 */
1536 for (uint32_t i = 0; i < pThis->T3.Extensions.cItems; i++)
1537 {
1538 PCRTASN1OBJID pExtnId = &pThis->T3.Extensions.papItems[i]->ExtnId;
1539 PCRTASN1OCTETSTRING pExtValue = &pThis->T3.Extensions.papItems[i]->ExtnValue;
1540 if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_KEY_USAGE_OID) == 0)
1541 {
1542 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE);
1543 rtCrx509TbsCertificate_AddKeyUsageFlags(pThis, pThis->T3.Extensions.papItems[i]);
1544 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
1545 }
1546 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_EXT_KEY_USAGE_OID) == 0)
1547 {
1548 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE);
1549 rtCrx509TbsCertificate_AddExtKeyUsageFlags(pThis, pThis->T3.Extensions.papItems[i]);
1550 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
1551 }
1552 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
1553 {
1554 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_AUTHORITY_KEY_IDENTIFIER);
1555 pThis->T3.pAuthorityKeyIdentifier = (PCRTCRX509AUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
1556 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_AUTHORITY_KEY_IDENTIFIER);
1557 }
1558 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_OLD_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
1559 {
1560 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_OLD_AUTHORITY_KEY_IDENTIFIER);
1561 pThis->T3.pOldAuthorityKeyIdentifier = (PCRTCRX509OLDAUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
1562 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_OLD_AUTHORITY_KEY_IDENTIFIER);
1563 }
1564 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID) == 0)
1565 {
1566 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_KEY_IDENTIFIER);
1567 pThis->T3.pSubjectKeyIdentifier = (PCRTASN1OCTETSTRING)pExtValue->pEncapsulated;
1568 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_OCTET_STRING);
1569 }
1570 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID) == 0)
1571 {
1572 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_ALT_NAME);
1573 pThis->T3.pAltSubjectName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
1574 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
1575 }
1576 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ISSUER_ALT_NAME_OID) == 0)
1577 {
1578 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_ISSUER_ALT_NAME);
1579 pThis->T3.pAltIssuerName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
1580 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
1581 }
1582 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID) == 0)
1583 {
1584 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_CERTIFICATE_POLICIES);
1585 pThis->T3.pCertificatePolicies = (PCRTCRX509CERTIFICATEPOLICIES)pExtValue->pEncapsulated;
1586 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_CERTIFICATE_POLICIES);
1587 }
1588 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_MAPPINGS_OID) == 0)
1589 {
1590 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_MAPPINGS);
1591 pThis->T3.pPolicyMappings = (PCRTCRX509POLICYMAPPINGS)pExtValue->pEncapsulated;
1592 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_POLICY_MAPPINGS);
1593 }
1594 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID) == 0)
1595 {
1596 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_BASIC_CONSTRAINTS);
1597 pThis->T3.pBasicConstraints = (PCRTCRX509BASICCONSTRAINTS)pExtValue->pEncapsulated;
1598 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_BASIC_CONSTRAINTS);
1599 }
1600 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_NAME_CONSTRAINTS_OID) == 0)
1601 {
1602 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_NAME_CONSTRAINTS);
1603 pThis->T3.pNameConstraints = (PCRTCRX509NAMECONSTRAINTS)pExtValue->pEncapsulated;
1604 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_NAME_CONSTRAINTS);
1605 }
1606 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID) == 0)
1607 {
1608 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_CONSTRAINTS);
1609 pThis->T3.pPolicyConstraints = (PCRTCRX509POLICYCONSTRAINTS)pExtValue->pEncapsulated;
1610 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_POLICY_CONSTRAINTS);
1611 }
1612 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID) == 0)
1613 {
1614 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_INHIBIT_ANY_POLICY);
1615 pThis->T3.pInhibitAnyPolicy = (PCRTASN1INTEGER)pExtValue->pEncapsulated;
1616 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_INTEGER);
1617 }
1618 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ACCEPTABLE_CERT_POLICIES_OID) == 0)
1619 pThis->T3.fFlags |= RTCRX509TBSCERTIFICATE_F_PRESENT_ACCEPTABLE_CERT_POLICIES;
1620 else
1621 pThis->T3.fFlags |= RTCRX509TBSCERTIFICATE_F_PRESENT_OTHER;
1622 }
1623
1624 if (!pThis->T3.fFlags)
1625 pThis->T3.fFlags |= RTCRX509TBSCERTIFICATE_F_PRESENT_NONE;
1626
1627#undef CHECK_SET_PRESENT_RET_ON_DUP
1628 return VINF_SUCCESS;
1629}
1630
1631
1632
1633/*
1634 * One X.509 Certificate.
1635 */
1636
1637RTDECL(bool) RTCrX509Certificate_MatchIssuerAndSerialNumber(PCRTCRX509CERTIFICATE pCertificate,
1638 PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
1639{
1640 if ( RTAsn1Integer_UnsignedCompare(&pCertificate->TbsCertificate.SerialNumber, pSerialNumber) == 0
1641 && RTCrX509Name_Compare(&pCertificate->TbsCertificate.Issuer, pIssuer) == 0)
1642 return true;
1643 return false;
1644}
1645
1646
1647RTDECL(bool) RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(PCRTCRX509CERTIFICATE pThis, PCRTCRX509NAME pName)
1648{
1649 if (RTCrX509Name_MatchByRfc5280(&pThis->TbsCertificate.Subject, pName))
1650 return true;
1651
1652 if (RTCrX509Extensions_IsPresent(&pThis->TbsCertificate.T3.Extensions))
1653 for (uint32_t i = 0; i < pThis->TbsCertificate.T3.Extensions.cItems; i++)
1654 {
1655 PCRTCRX509EXTENSION pExt = pThis->TbsCertificate.T3.Extensions.papItems[i];
1656 if ( pExt->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES
1657 && RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID))
1658 {
1659 PCRTCRX509GENERALNAMES pGeneralNames = (PCRTCRX509GENERALNAMES)pExt->ExtnValue.pEncapsulated;
1660 for (uint32_t j = 0; j < pGeneralNames->cItems; j++)
1661 if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(pGeneralNames->papItems[j])
1662 && RTCrX509Name_MatchByRfc5280(&pGeneralNames->papItems[j]->u.pT4->DirectoryName, pName))
1663 return true;
1664 }
1665 }
1666 return false;
1667}
1668
1669
1670RTDECL(bool) RTCrX509Certificate_IsSelfSigned(PCRTCRX509CERTIFICATE pCertificate)
1671{
1672 if (RTCrX509Certificate_IsPresent(pCertificate))
1673 {
1674 return RTCrX509Name_MatchByRfc5280(&pCertificate->TbsCertificate.Subject,
1675 &pCertificate->TbsCertificate.Issuer);
1676 }
1677 return false;
1678}
1679
1680
1681/*
1682 * Set of X.509 Certificates.
1683 */
1684
1685RTDECL(PCRTCRX509CERTIFICATE)
1686RTCrX509Certificates_FindByIssuerAndSerialNumber(PCRTCRX509CERTIFICATES pCertificates,
1687 PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
1688{
1689 for (uint32_t i = 0; i < pCertificates->cItems; i++)
1690 if (RTCrX509Certificate_MatchIssuerAndSerialNumber(pCertificates->papItems[i], pIssuer, pSerialNumber))
1691 return pCertificates->papItems[i];
1692 return NULL;
1693}
1694
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette