x509-core.cpp@ 98103

Last change on this file since 98103 was 98103, checked in by vboxsync, 23 months ago
Copyright year updates by scm.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 64.2 KB

Line
1	/* $Id: x509-core.cpp 98103 2023-01-17 14:15:46Z vboxsync $ */
2	/** @file
3	* IPRT - Crypto - X.509, Core APIs.
4	*/
5
6	/*
7	* Copyright (C) 2006-2023 Oracle and/or its affiliates.
8	*
9	* This file is part of VirtualBox base platform packages, as
10	* available from https://www.virtualbox.org.
11	*
12	* This program is free software; you can redistribute it and/or
13	* modify it under the terms of the GNU General Public License
14	* as published by the Free Software Foundation, in version 3 of the
15	* License.
16	*
17	* This program is distributed in the hope that it will be useful, but
18	* WITHOUT ANY WARRANTY; without even the implied warranty of
19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
20	* General Public License for more details.
21	*
22	* You should have received a copy of the GNU General Public License
23	* along with this program; if not, see <https://www.gnu.org/licenses>.
24	*
25	* The contents of this file may alternatively be used under the terms
26	* of the Common Development and Distribution License Version 1.0
27	* (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
28	* in the VirtualBox distribution, in which case the provisions of the
29	* CDDL are applicable instead of those of the GPL.
30	*
31	* You may elect to license modified versions of this file under the
32	* terms and conditions of either the GPL or the CDDL or both.
33	*
34	* SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
35	*/
36
37
38	/*********************************************************************************************************************************
39	* Header Files *
40	*********************************************************************************************************************************/
41	#include "internal/iprt.h"
42	#include <iprt/crypto/x509.h>
43
44	#include <iprt/err.h>
45	#include <iprt/string.h>
46	#include <iprt/uni.h>
47
48	#include "x509-internal.h"
49
50
51	/*
52	* Generate the code.
53	*/
54	#include <iprt/asn1-generator-core.h>
55
56
57	/*
58	* X.509 Validity.
59	*/
60
61	RTDECL(bool) RTCrX509Validity_IsValidAtTimeSpec(PCRTCRX509VALIDITY pThis, PCRTTIMESPEC pTimeSpec)
62	{
63	if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotBefore, pTimeSpec) > 0)
64	return false;
65	if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotAfter, pTimeSpec) < 0)
66	return false;
67	return true;
68	}
69
70
71	/*
72	* One X.509 Algorithm Identifier.
73	*/
74
75	RTDECL(RTDIGESTTYPE) RTCrX509AlgorithmIdentifier_QueryDigestType(PCRTCRX509ALGORITHMIDENTIFIER pThis)
76	{
77	AssertPtrReturn(pThis, RTDIGESTTYPE_INVALID);
78	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
79	return RTDIGESTTYPE_MD5;
80	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
81	return RTDIGESTTYPE_SHA1;
82	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
83	return RTDIGESTTYPE_SHA256;
84	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
85	return RTDIGESTTYPE_SHA512;
86
87	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
88	return RTDIGESTTYPE_SHA384;
89	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
90	return RTDIGESTTYPE_SHA224;
91	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
92	return RTDIGESTTYPE_SHA512T224;
93	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
94	return RTDIGESTTYPE_SHA512T256;
95
96	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224))
97	return RTDIGESTTYPE_SHA3_224;
98	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256))
99	return RTDIGESTTYPE_SHA3_256;
100	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384))
101	return RTDIGESTTYPE_SHA3_384;
102	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512))
103	return RTDIGESTTYPE_SHA3_512;
104	return RTDIGESTTYPE_INVALID;
105	}
106
107
108	RTDECL(uint32_t) RTCrX509AlgorithmIdentifier_QueryDigestSize(PCRTCRX509ALGORITHMIDENTIFIER pThis)
109	{
110	AssertPtrReturn(pThis, UINT32_MAX);
111
112	/* common */
113	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
114	return 128 / 8;
115	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
116	return 160 / 8;
117	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
118	return 256 / 8;
119	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
120	return 512 / 8;
121
122	/* Less common. */
123	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD2))
124	return 128 / 8;
125	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD4))
126	return 128 / 8;
127	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
128	return 384 / 8;
129	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
130	return 224 / 8;
131	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
132	return 224 / 8;
133	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
134	return 256 / 8;
135	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224))
136	return 224 / 8;
137	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256))
138	return 256 / 8;
139	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384))
140	return 384 / 8;
141	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512))
142	return 512 / 8;
143	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
144	return 512 / 8;
145
146	return UINT32_MAX;
147	}
148
149
150	RTDECL(int) RTCrX509AlgorithmIdentifier_CompareWithString(PCRTCRX509ALGORITHMIDENTIFIER pThis, const char *pszObjId)
151	{
152	return strcmp(pThis->Algorithm.szObjId, pszObjId);
153	}
154
155
156	RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(const char *pszDigestOid,
157	const char *pszEncryptedDigestOid)
158	{
159	/* common */
160	if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5))
161	{
162	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA))
163	return 0;
164	}
165	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
166	{
167	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA))
168	return 0;
169	}
170	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
171	{
172	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA))
173	return 0;
174	}
175	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
176	{
177	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA))
178	return 0;
179	}
180	/* Less common. */
181	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2))
182	{
183	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA))
184	return 0;
185	}
186	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4))
187	{
188	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA))
189	return 0;
190	}
191	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
192	{
193	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA))
194	return 0;
195	}
196	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
197	{
198	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA))
199	return 0;
200	}
201	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
202	{
203	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA))
204	return 0;
205	}
206	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
207	{
208	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA))
209	return 0;
210	}
211	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224))
212	{
213	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA))
214	return 0;
215	}
216	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256))
217	{
218	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA))
219	return 0;
220	}
221	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384))
222	{
223	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA))
224	return 0;
225	}
226	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512))
227	{
228	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA))
229	return 0;
230	}
231	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
232	{
233	/* ?? */
234	}
235	else
236	return -1;
237	return 1;
238	}
239
240	RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestAndEncryptedDigest(PCRTCRX509ALGORITHMIDENTIFIER pDigest,
241	PCRTCRX509ALGORITHMIDENTIFIER pEncryptedDigest)
242	{
243	return RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(pDigest->Algorithm.szObjId,
244	pEncryptedDigest->Algorithm.szObjId);
245	}
246
247
248	RTDECL(const char ) RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(const char pszEncryptionOid,
249	const char *pszDigestOid)
250	{
251	/* RSA: */
252	if (!strcmp(pszEncryptionOid, RTCRX509ALGORITHMIDENTIFIERID_RSA))
253	{
254	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5)
255	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA))
256	return RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA;
257	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1)
258	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA))
259	return RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA;
260	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256)
261	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA))
262	return RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA;
263	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512)
264	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA))
265	return RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA;
266	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2)
267	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA))
268	return RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA;
269	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4)
270	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA))
271	return RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA;
272	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384)
273	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA))
274	return RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA;
275	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224)
276	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA))
277	return RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA;
278	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224)
279	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA))
280	return RTCRX509ALGORITHMIDENTIFIERID_SHA512T224_WITH_RSA;
281	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256)
282	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA))
283	return RTCRX509ALGORITHMIDENTIFIERID_SHA512T256_WITH_RSA;
284	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224)
285	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA))
286	return RTCRX509ALGORITHMIDENTIFIERID_SHA3_224_WITH_RSA;
287	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256)
288	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA))
289	return RTCRX509ALGORITHMIDENTIFIERID_SHA3_256_WITH_RSA;
290	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384)
291	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA))
292	return RTCRX509ALGORITHMIDENTIFIERID_SHA3_384_WITH_RSA;
293	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512)
294	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA))
295	return RTCRX509ALGORITHMIDENTIFIERID_SHA3_512_WITH_RSA;
296
297	/* if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
298	return ???; */
299	}
300	else if (RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(pszDigestOid, pszEncryptionOid) == 0)
301	return pszEncryptionOid;
302
303	AssertMsgFailed(("enc=%s hash=%s\n", pszEncryptionOid, pszDigestOid));
304	return NULL;
305	}
306
307
308	RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionAndDigest(PCRTCRX509ALGORITHMIDENTIFIER pEncryption,
309	PCRTCRX509ALGORITHMIDENTIFIER pDigest)
310	{
311	return RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(pEncryption->Algorithm.szObjId,
312	pDigest->Algorithm.szObjId);
313	}
314
315
316	/*
317	* Set of X.509 Algorithm Identifiers.
318	*/
319
320
321	/*
322	* One X.509 AttributeTypeAndValue.
323	*/
324
325
326	/*
327	* Set of X.509 AttributeTypeAndValues / X.509 RelativeDistinguishedName.
328	*/
329
330	/**
331	* Slow code path of rtCrX509CanNameIsNothing.
332	*
333	* @returns true if @uc maps to nothing, false if not.
334	* @param uc The unicode code point.
335	*/
336	static bool rtCrX509CanNameIsNothingSlow(RTUNICP uc)
337	{
338	switch (uc)
339	{
340	/* 2.2 Map - Paragraph 1: */
341	case 0x00ad:
342	case 0x1806:
343	case 0x034f:
344	case 0x180b: case 0x180c: case 0x180d:
345
346	case 0xfe00: case 0xfe01: case 0xfe02: case 0xfe03:
347	case 0xfe04: case 0xfe05: case 0xfe06: case 0xfe07:
348	case 0xfe08: case 0xfe09: case 0xfe0a: case 0xfe0b:
349	case 0xfe0c: case 0xfe0d: case 0xfe0e: case 0xfe0f:
350
351	case 0xfffc:
352
353	/* 2.2 Map - Paragraph 3 (control code/function): */
354	case 0x0000: case 0x0001: case 0x0002: case 0x0003:
355	case 0x0004: case 0x0005: case 0x0006: case 0x0007:
356	case 0x0008:
357
358	case 0x000e: case 0x000f:
359	case 0x0010: case 0x0011: case 0x0012: case 0x0013:
360	case 0x0014: case 0x0015: case 0x0016: case 0x0017:
361	case 0x0018: case 0x0019: case 0x001a: case 0x001b:
362	case 0x001c: case 0x001d: case 0x001e: case 0x001f:
363
364	case 0x007f:
365	case 0x0080: case 0x0081: case 0x0082: case 0x0083:
366	case 0x0084: /case 0x0085:/ case 0x0086: case 0x0087:
367	case 0x0088: case 0x0089: case 0x008a: case 0x008b:
368	case 0x008c: case 0x008d: case 0x008e: case 0x008f:
369	case 0x0090: case 0x0091: case 0x0092: case 0x0093:
370	case 0x0094: case 0x0095: case 0x0096: case 0x0097:
371	case 0x0098: case 0x0099: case 0x009a: case 0x009b:
372	case 0x009c: case 0x009d: case 0x009e: case 0x009f:
373
374	case 0x06dd:
375	case 0x070f:
376	case 0x180e:
377	case 0x200c: case 0x200d: case 0x200e: case 0x200f:
378	case 0x202a: case 0x202b: case 0x202c: case 0x202d: case 0x202e:
379	case 0x2060: case 0x2061: case 0x2062: case 0x2063:
380	case 0x206a: case 0x206b: case 0x206c: case 0x206d: case 0x206e: case 0x206f:
381	case 0xfeff:
382	case 0xfff9: case 0xfffa: case 0xfffb:
383	case 0x1d173: case 0x1d174: case 0x1d175: case 0x1d176: case 0x1d177: case 0x1d178: case 0x1d179: case 0x1d17a:
384	case 0xe0001:
385	case 0xe0020: case 0xe0021: case 0xe0022: case 0xe0023:
386	case 0xe0024: case 0xe0025: case 0xe0026: case 0xe0027:
387	case 0xe0028: case 0xe0029: case 0xe002a: case 0xe002b:
388	case 0xe002c: case 0xe002d: case 0xe002e: case 0xe002f:
389	case 0xe0030: case 0xe0031: case 0xe0032: case 0xe0033:
390	case 0xe0034: case 0xe0035: case 0xe0036: case 0xe0037:
391	case 0xe0038: case 0xe0039: case 0xe003a: case 0xe003b:
392	case 0xe003c: case 0xe003d: case 0xe003e: case 0xe003f:
393	case 0xe0040: case 0xe0041: case 0xe0042: case 0xe0043:
394	case 0xe0044: case 0xe0045: case 0xe0046: case 0xe0047:
395	case 0xe0048: case 0xe0049: case 0xe004a: case 0xe004b:
396	case 0xe004c: case 0xe004d: case 0xe004e: case 0xe004f:
397	case 0xe0050: case 0xe0051: case 0xe0052: case 0xe0053:
398	case 0xe0054: case 0xe0055: case 0xe0056: case 0xe0057:
399	case 0xe0058: case 0xe0059: case 0xe005a: case 0xe005b:
400	case 0xe005c: case 0xe005d: case 0xe005e: case 0xe005f:
401	case 0xe0060: case 0xe0061: case 0xe0062: case 0xe0063:
402	case 0xe0064: case 0xe0065: case 0xe0066: case 0xe0067:
403	case 0xe0068: case 0xe0069: case 0xe006a: case 0xe006b:
404	case 0xe006c: case 0xe006d: case 0xe006e: case 0xe006f:
405	case 0xe0070: case 0xe0071: case 0xe0072: case 0xe0073:
406	case 0xe0074: case 0xe0075: case 0xe0076: case 0xe0077:
407	case 0xe0078: case 0xe0079: case 0xe007a: case 0xe007b:
408	case 0xe007c: case 0xe007d: case 0xe007e: case 0xe007f:
409
410	/* 2.2 Map - Paragraph 4. */
411	case 0x200b:
412	return true;
413	}
414	return false;
415	}
416
417
418	/**
419	* Checks if @a uc maps to nothing according to mapping rules of RFC-5280 and
420	* RFC-4518.
421	*
422	* @returns true if @uc maps to nothing, false if not.
423	* @param uc The unicode code point.
424	*/
425	DECLINLINE(bool) rtCrX509CanNameIsNothing(RTUNICP uc)
426	{
427	if (uc > 0x001f && uc < 0x00ad)
428	return false;
429	return rtCrX509CanNameIsNothingSlow(uc);
430	}
431
432
433	/**
434	* Slow code path of rtCrX509CanNameIsSpace.
435	*
436	* @returns true if space, false if not.
437	* @param uc The unicode code point.
438	*/
439	static bool rtCrX509CanNameIsSpaceSlow(RTUNICP uc)
440	{
441	switch (uc)
442	{
443	/* 2.2 Map - Paragraph 2. */
444	case 0x09:
445	case 0x0a:
446	case 0x0b:
447	case 0x0c:
448	case 0x0d:
449	case 0x20:
450	case 0x0085:
451	case 0x00a0:
452	case 0x1680:
453	case 0x2000: case 0x2001: case 0x2002: case 0x2003:
454	case 0x2004: case 0x2005: case 0x2006: case 0x2007:
455	case 0x2008: case 0x2009: case 0x200a:
456	case 0x2028: case 0x2029:
457	case 0x202f:
458	case 0x205f:
459	case 0x3000:
460	return true;
461	}
462	return false;
463	}
464
465
466	/**
467	* Checks if @a uc is a space character according to the mapping rules of
468	* RFC-5280 and RFC-4518.
469	*
470	* @returns true if space, false if not.
471	* @param uc The unicode code point.
472	*/
473	DECLINLINE(bool) rtCrX509CanNameIsSpace(RTUNICP uc)
474	{
475	if (uc < 0x0085)
476	{
477	if (uc > 0x0020)
478	return false;
479	if (uc == 0x0020) /* space */
480	return true;
481	}
482	return rtCrX509CanNameIsSpaceSlow(uc);
483	}
484
485
486	static const char rtCrX509CanNameStripLeft(const char psz, size_t *pcch)
487	{
488	/*
489	* Return space when we've encountered the first non-space-non-nothing code point.
490	*/
491	const char * const pszStart = psz;
492	const char *pszPrev;
493	for (;;)
494	{
495	pszPrev = psz;
496	RTUNICP uc;
497	int rc = RTStrGetCpEx(&psz, &uc);
498	AssertRCBreak(rc);
499	if (!uc)
500	{
501	if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
502	break;
503	/* NUL inside the string, maps to nothing => ignore it. */
504	}
505	else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
506	break;
507	}
508	*pcch -= (size_t)(pszPrev - pszStart);
509	return pszPrev;
510	}
511
512
513	static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowSpace(const char *ppsz, size_t pcch)
514	{
515	/*
516	* Return space when we've encountered the first non-space-non-nothing code point.
517	*/
518	RTUNICP uc;
519	const char psz = ppsz;
520	const char * const pszStart = psz;
521	const char *pszPrev;
522	for (;;)
523	{
524	pszPrev = psz;
525	int rc = RTStrGetCpEx(&psz, &uc);
526	AssertRCBreakStmt(rc, uc = 0x20);
527	if (!uc)
528	{
529	if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
530	{
531	uc = 0; /* End of string: Ignore trailing spaces. */
532	break;
533	}
534	/* NUL inside the string, maps to nothing => ignore it. */
535	}
536	else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
537	{
538	uc = 0x20; /* Return space before current char. */
539	break;
540	}
541	}
542
543	*ppsz = pszPrev;
544	*pcch -= (size_t)(pszPrev - pszStart);
545	return uc;
546	}
547
548
549	DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpIgnoreNul(const char *ppsz, size_t pcch)
550	{
551	while (*pcch > 0)
552	{
553	const char psz = ppsz;
554	RTUNICP uc = (RTUNICP)*psz;
555	if (uc < 0x80)
556	{
557	*pcch -= 1;
558	*ppsz = psz + 1;
559	}
560	else
561	{
562	int rc = RTStrGetCpEx(ppsz, &uc);
563	AssertRCReturn(rc, uc);
564	size_t cchCp = (size_t)(*ppsz - psz);
565	AssertReturn(cchCp <= *pcch, 0);
566	*pcch -= cchCp;
567	}
568	if (uc != 0)
569	return uc;
570	}
571	return 0;
572	}
573
574
575	static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowNothing(const char *ppsz, size_t pcch)
576	{
577	/*
578	* Return first code point which doesn't map to nothing. If we encounter
579	* a space, we defer to the mapping-after-space routine above.
580	*/
581	for (;;)
582	{
583	RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
584	if (rtCrX509CanNameIsSpace(uc))
585	return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
586	if (!rtCrX509CanNameIsNothing(uc) \|\| uc == 0)
587	return uc;
588	}
589	}
590
591
592	DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpWithMapping(const char *ppsz, size_t pcch)
593	{
594	RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
595	if (uc)
596	{
597	if (!rtCrX509CanNameIsSpace(uc))
598	{
599	if (!rtCrX509CanNameIsNothing(uc))
600	return uc;
601	return rtCrX509CanNameGetNextCpWithMappingSlowNothing(ppsz, pcch);
602	}
603	return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
604	}
605	return uc;
606	}
607
608
609	RTDECL(bool) RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(PCRTCRX509ATTRIBUTETYPEANDVALUE pLeft,
610	PCRTCRX509ATTRIBUTETYPEANDVALUE pRight)
611	{
612	if (RTAsn1ObjId_Compare(&pLeft->Type, &pRight->Type) == 0)
613	{
614	/*
615	* Try for perfect match in case we get luck.
616	*/
617	#ifdef DEBUG_bird /* Want to test the complicated code path first */
618	if (pLeft->Value.enmType != RTASN1TYPE_STRING \|\| pRight->Value.enmType != RTASN1TYPE_STRING)
619	#endif
620	if (RTAsn1DynType_Compare(&pLeft->Value, &pRight->Value) == 0)
621	return true;
622
623	/*
624	* If both are string types, we can compare them according to RFC-5280.
625	*/
626	if ( pLeft->Value.enmType == RTASN1TYPE_STRING
627	&& pRight->Value.enmType == RTASN1TYPE_STRING)
628	{
629	size_t cchLeft;
630	const char *pszLeft;
631	int rc = RTAsn1String_QueryUtf8(&pLeft->Value.u.String, &pszLeft, &cchLeft);
632	if (RT_SUCCESS(rc))
633	{
634	size_t cchRight;
635	const char *pszRight;
636	rc = RTAsn1String_QueryUtf8(&pRight->Value.u.String, &pszRight, &cchRight);
637	if (RT_SUCCESS(rc))
638	{
639	/*
640	* Perform a simplified RFC-5280 comparsion.
641	* The algorithm as be relaxed on the following counts:
642	* 1. No unicode normalization.
643	* 2. Prohibited characters not checked for.
644	* 3. Bidirectional characters are not ignored.
645	*/
646	pszLeft = rtCrX509CanNameStripLeft(pszLeft, &cchLeft);
647	pszRight = rtCrX509CanNameStripLeft(pszRight, &cchRight);
648	while (pszLeft && pszRight)
649	{
650	RTUNICP ucLeft = rtCrX509CanNameGetNextCpWithMapping(&pszLeft, &cchLeft);
651	RTUNICP ucRight = rtCrX509CanNameGetNextCpWithMapping(&pszRight, &cchRight);
652	if (ucLeft != ucRight)
653	{
654	ucLeft = RTUniCpToLower(ucLeft);
655	ucRight = RTUniCpToLower(ucRight);
656	if (ucLeft != ucRight)
657	return false;
658	}
659	}
660
661	return cchRight == 0 && cchLeft == 0;
662	}
663	}
664	}
665	}
666	return false;
667	}
668
669
670	RTDECL(bool) RTCrX509RelativeDistinguishedName_MatchByRfc5280(PCRTCRX509RELATIVEDISTINGUISHEDNAME pLeft,
671	PCRTCRX509RELATIVEDISTINGUISHEDNAME pRight)
672	{
673	/*
674	* No match if the attribute count differs.
675	*/
676	uint32_t const cItems = pLeft->cItems;
677	if (cItems == pRight->cItems)
678	{
679	/*
680	* Compare each attribute, but don't insist on the same order nor
681	* bother checking for duplicates (too complicated).
682	*/
683	for (uint32_t iLeft = 0; iLeft < cItems; iLeft++)
684	{
685	PCRTCRX509ATTRIBUTETYPEANDVALUE pLeftAttr = pLeft->papItems[iLeft];
686	bool fFound = false;
687	for (uint32_t iRight = 0; iRight < cItems; iRight++)
688	if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pLeftAttr, pRight->papItems[iRight]))
689	{
690	fFound = true;
691	break;
692	}
693	if (!fFound)
694	return false;
695	}
696	return true;
697	}
698	return false;
699
700	}
701
702
703	/*
704	* X.509 Name.
705	*/
706
707	RTDECL(bool) RTCrX509Name_MatchByRfc5280(PCRTCRX509NAME pLeft, PCRTCRX509NAME pRight)
708	{
709	uint32_t const cItems = pLeft->cItems;
710	if (cItems == pRight->cItems)
711	{
712	/* Require exact order. */
713	for (uint32_t iRdn = 0; iRdn < cItems; iRdn++)
714	if (!RTCrX509RelativeDistinguishedName_MatchByRfc5280(pLeft->papItems[iRdn], pRight->papItems[iRdn]))
715	return false;
716	return true;
717	}
718	return false;
719	}
720
721
722	RTDECL(bool) RTCrX509Name_ConstraintMatch(PCRTCRX509NAME pConstraint, PCRTCRX509NAME pName)
723	{
724	/*
725	* Check that the constraint is a prefix of the name. This means that
726	* the name must have at least as many components and the constraint.
727	*/
728	if (pName->cItems >= pConstraint->cItems)
729	{
730	/*
731	* Parallel crawl of the two RDNs arrays.
732	*/
733	for (uint32_t i = 0; pConstraint->cItems; i++)
734	{
735	PCRTCRX509RELATIVEDISTINGUISHEDNAME pConstrRdns = pConstraint->papItems[i];
736	PCRTCRX509RELATIVEDISTINGUISHEDNAME pNameRdns = pName->papItems[i];
737
738	/*
739	* Walk the constraint attribute & value array.
740	*/
741	for (uint32_t iConstrAttrib = 0; iConstrAttrib < pConstrRdns->cItems; iConstrAttrib++)
742	{
743	PCRTCRX509ATTRIBUTETYPEANDVALUE pConstrAttrib = pConstrRdns->papItems[iConstrAttrib];
744
745	/*
746	* Find matching attribute & value in the name.
747	*/
748	bool fFound = false;
749	for (uint32_t iNameAttrib = 0; iNameAttrib < pNameRdns->cItems; iNameAttrib++)
750	if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pConstrAttrib, pNameRdns->papItems[iNameAttrib]))
751	{
752	fFound = true;
753	break;
754	}
755	if (fFound)
756	return false;
757	}
758	}
759	return true;
760	}
761	return false;
762	}
763
764
765	/**
766	* Mapping between X.500 object IDs and short and long names.
767	*
768	* See RFC-1327, RFC-4519 ...
769	*/
770	static struct
771	{
772	const char *pszOid;
773	const char *pszShortNm;
774	size_t cchShortNm;
775	const char *pszLongNm;
776	} const g_aRdnMap[] =
777	{
778	{ "0.9.2342.19200300.100.1.1", RT_STR_TUPLE("uid"), "userid" },
779	{ "0.9.2342.19200300.100.1.3", RT_STR_TUPLE("Mail"), "Rfc822Mailbox" },
780	{ "0.9.2342.19200300.100.1.25", RT_STR_TUPLE("DC"), "DomainComponent" },
781	{ "1.2.840.113549.1.9.1", RT_STR_TUPLE("Email") /nonstandard/,"EmailAddress" },
782	{ "2.5.4.3", RT_STR_TUPLE("CN"), "CommonName" },
783	{ "2.5.4.4", RT_STR_TUPLE("SN"), "Surname" },
784	{ "2.5.4.5", RT_STR_TUPLE("SRN") /nonstandard/, "SerialNumber" },
785	{ "2.5.4.6", RT_STR_TUPLE("C"), "CountryName" },
786	{ "2.5.4.7", RT_STR_TUPLE("L"), "LocalityName" },
787	{ "2.5.4.8", RT_STR_TUPLE("ST"), "StateOrProviceName" },
788	{ "2.5.4.9", RT_STR_TUPLE("street"), "Street" },
789	{ "2.5.4.10", RT_STR_TUPLE("O"), "OrganizationName" },
790	{ "2.5.4.11", RT_STR_TUPLE("OU"), "OrganizationalUnitName" },
791	{ "2.5.4.12", RT_STR_TUPLE("title"), "Title" },
792	{ "2.5.4.13", RT_STR_TUPLE("desc"), "Description" },
793	{ "2.5.4.15", RT_STR_TUPLE("BC") /nonstandard/, "BusinessCategory" },
794	{ "2.5.4.17", RT_STR_TUPLE("ZIP") /nonstandard/, "PostalCode" },
795	{ "2.5.4.18", RT_STR_TUPLE("POBox") /nonstandard/,"PostOfficeBox" },
796	{ "2.5.4.20", RT_STR_TUPLE("PN") /nonstandard/, "TelephoneNumber" },
797	{ "2.5.4.33", RT_STR_TUPLE("RO") /nonstandard/, "RoleOccupant" },
798	{ "2.5.4.34", RT_STR_TUPLE("SA") /nonstandard/, "StreetAddress" },
799	{ "2.5.4.41", RT_STR_TUPLE("N") /nonstandard/, "Name" },
800	{ "2.5.4.42", RT_STR_TUPLE("GN"), "GivenName" },
801	{ "2.5.4.43", RT_STR_TUPLE("I") /nonstandard/, "Initials" },
802	{ "2.5.4.44", RT_STR_TUPLE("GQ") /nonstandard/, "GenerationQualifier" },
803	{ "2.5.4.46", RT_STR_TUPLE("DNQ") /nonstandard/, "DNQualifier" },
804	{ "2.5.4.51", RT_STR_TUPLE("HID") /nonstandard/, "HouseIdentifier" },
805	};
806
807
808	RTDECL(const char *) RTCrX509Name_GetShortRdn(PCRTASN1OBJID pRdnId)
809	{
810	uint32_t iName = RT_ELEMENTS(g_aRdnMap);
811	while (iName-- > 0)
812	if (RTAsn1ObjId_CompareWithString(pRdnId, g_aRdnMap[iName].pszOid) == 0)
813	return g_aRdnMap[iName].pszShortNm;
814	return NULL;
815	}
816
817
818	RTDECL(bool) RTCrX509Name_MatchWithString(PCRTCRX509NAME pThis, const char *pszString)
819	{
820	/* Keep track of the string length. */
821	size_t cchString = strlen(pszString);
822
823	/*
824	* The usual double loop for walking the components.
825	*/
826	for (uint32_t i = 0; i < pThis->cItems; i++)
827	{
828	PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = pThis->papItems[i];
829	for (uint32_t j = 0; j < pRdn->cItems; j++)
830	{
831	PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = pRdn->papItems[j];
832
833	/*
834	* Must be a string.
835	*/
836	if (pComponent->Value.enmType != RTASN1TYPE_STRING)
837	return false;
838
839	/*
840	* Look up the component name prefix and check whether it's also in the string.
841	*/
842	uint32_t iName = RT_ELEMENTS(g_aRdnMap);
843	while (iName-- > 0)
844	if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
845	break;
846	AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId), false);
847
848	if ( strncmp(pszString, g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm) != 0
849	\|\| pszString[g_aRdnMap[iName].cchShortNm] != '=')
850	return false;
851
852	pszString += g_aRdnMap[iName].cchShortNm + 1;
853	cchString -= g_aRdnMap[iName].cchShortNm + 1;
854
855	/*
856	* Compare the component string.
857	*/
858	size_t cchComponent;
859	int rc = RTAsn1String_QueryUtf8Len(&pComponent->Value.u.String, &cchComponent);
860	AssertRCReturn(rc, false);
861
862	if (cchComponent > cchString)
863	return false;
864	if (RTAsn1String_CompareWithString(&pComponent->Value.u.String, pszString, cchComponent) != 0)
865	return false;
866
867	cchString -= cchComponent;
868	pszString += cchComponent;
869
870	/*
871	* Check separator comma + space and skip extra spaces before the next component.
872	*/
873	if (cchString)
874	{
875	if (pszString[0] != ',')
876	return false;
877	if (pszString[1] != ' ' && pszString[1] != '\t')
878	return false;
879	pszString += 2;
880	cchString -= 2;
881
882	while (pszString == ' ' \|\| pszString == '\t')
883	{
884	pszString++;
885	cchString--;
886	}
887	}
888	}
889	}
890
891	/*
892	* If we got thru the whole name and the whole string, we're good.
893	*/
894	return *pszString == '\0';
895	}
896
897
898	RTDECL(int) RTCrX509Name_FormatAsString(PCRTCRX509NAME pThis, char pszBuf, size_t cbBuf, size_t pcbActual)
899	{
900	/*
901	* The usual double loop for walking the components.
902	*/
903	size_t off = 0;
904	int rc = VINF_SUCCESS;
905	for (uint32_t i = 0; i < pThis->cItems; i++)
906	{
907	PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = pThis->papItems[i];
908	for (uint32_t j = 0; j < pRdn->cItems; j++)
909	{
910	PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = pRdn->papItems[j];
911
912	/*
913	* Must be a string.
914	*/
915	if (pComponent->Value.enmType != RTASN1TYPE_STRING)
916	return VERR_CR_X509_NAME_NOT_STRING;
917
918	/*
919	* Look up the component name prefix.
920	*/
921	uint32_t iName = RT_ELEMENTS(g_aRdnMap);
922	while (iName-- > 0)
923	if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
924	break;
925	AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId),
926	VERR_CR_X509_NAME_MISSING_RDN_MAP_ENTRY);
927
928	/*
929	* Append the prefix.
930	*/
931	if (off)
932	{
933	if (off + 2 < cbBuf)
934	{
935	pszBuf[off] = ',';
936	pszBuf[off + 1] = ' ';
937	}
938	else
939	rc = VERR_BUFFER_OVERFLOW;
940	off += 2;
941	}
942
943	if (off + g_aRdnMap[iName].cchShortNm + 1 < cbBuf)
944	{
945	memcpy(&pszBuf[off], g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm);
946	pszBuf[off + g_aRdnMap[iName].cchShortNm] = '=';
947	}
948	else
949	rc = VERR_BUFFER_OVERFLOW;
950	off += g_aRdnMap[iName].cchShortNm + 1;
951
952	/*
953	* Add the component string.
954	*/
955	const char *pszUtf8;
956	size_t cchUtf8;
957	int rc2 = RTAsn1String_QueryUtf8(&pComponent->Value.u.String, &pszUtf8, &cchUtf8);
958	AssertRCReturn(rc2, rc2);
959	if (off + cchUtf8 < cbBuf)
960	memcpy(&pszBuf[off], pszUtf8, cchUtf8);
961	else
962	rc = VERR_BUFFER_OVERFLOW;
963	off += cchUtf8;
964	}
965	}
966
967	if (pcbActual)
968	*pcbActual = off + 1;
969	if (off < cbBuf)
970	pszBuf[off] = '\0';
971	return rc;
972	}
973
974
975
976	/*
977	* One X.509 GeneralName.
978	*/
979
980	/**
981	* Name constraint matching (RFC-5280): DNS Name.
982	*
983	* @returns true on match, false on mismatch.
984	* @param pConstraint The constraint name.
985	* @param pName The name to match against the constraint.
986	*/
987	static bool rtCrX509GeneralName_ConstraintMatchDnsName(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
988	{
989	/*
990	* Empty constraint string is taken to match everything.
991	*/
992	if (pConstraint->u.pT2_DnsName->Asn1Core.cb == 0)
993	return true;
994
995	/*
996	* Get the UTF-8 strings for the two.
997	*/
998	size_t cchConstraint;
999	char const *pszConstraint;
1000	int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT2_DnsName, &pszConstraint, &cchConstraint);
1001	if (RT_SUCCESS(rc))
1002	{
1003	size_t cchFull;
1004	char const *pszFull;
1005	rc = RTAsn1String_QueryUtf8(pName->u.pT2_DnsName, &pszFull, &cchFull);
1006	if (RT_SUCCESS(rc))
1007	{
1008	/*
1009	* No match if the constraint is longer.
1010	*/
1011	if (cchConstraint > cchFull)
1012	return false;
1013
1014	/*
1015	* No match if the constraint and name tail doesn't match
1016	* in a case-insensitive compare.
1017	*/
1018	size_t offFull = cchFull - cchConstraint;
1019	if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
1020	return false;
1021	if (!offFull)
1022	return true;
1023
1024	/*
1025	* The matching constraint must be delimited by a dot in the full
1026	* name. There seems to be some discussion whether ".oracle.com"
1027	* should match "www..oracle.com". This implementation does choose
1028	* to not succeed in that case.
1029	*/
1030	if ((pszFull[offFull - 1] == '.') ^ (pszFull[offFull] == '.'))
1031	return true;
1032
1033	return false;
1034	}
1035	}
1036
1037	/* fall back. */
1038	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1039	}
1040
1041
1042	/**
1043	* Name constraint matching (RFC-5280): RFC-822 (email).
1044	*
1045	* @returns true on match, false on mismatch.
1046	* @param pConstraint The constraint name.
1047	* @param pName The name to match against the constraint.
1048	*/
1049	static bool rtCrX509GeneralName_ConstraintMatchRfc822Name(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1050	{
1051	/*
1052	* Empty constraint string is taken to match everything.
1053	*/
1054	if (pConstraint->u.pT1_Rfc822->Asn1Core.cb == 0)
1055	return true;
1056
1057	/*
1058	* Get the UTF-8 strings for the two.
1059	*/
1060	size_t cchConstraint;
1061	char const *pszConstraint;
1062	int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT1_Rfc822, &pszConstraint, &cchConstraint);
1063	if (RT_SUCCESS(rc))
1064	{
1065	size_t cchFull;
1066	char const *pszFull;
1067	rc = RTAsn1String_QueryUtf8(pName->u.pT1_Rfc822, &pszFull, &cchFull);
1068	if (RT_SUCCESS(rc))
1069	{
1070	/*
1071	* No match if the constraint is longer.
1072	*/
1073	if (cchConstraint > cchFull)
1074	return false;
1075
1076	/*
1077	* A lone dot matches everything.
1078	*/
1079	if (cchConstraint == 1 && *pszConstraint == '.')
1080	return true;
1081
1082	/*
1083	* If there is a '@' in the constraint, the entire address must match.
1084	*/
1085	const char pszConstraintAt = (const char )memchr(pszConstraint, '@', cchConstraint);
1086	if (pszConstraintAt)
1087	return cchConstraint == cchFull && RTStrICmp(pszConstraint, pszFull) == 0;
1088
1089	/*
1090	* No match if the constraint and name tail doesn't match
1091	* in a case-insensitive compare.
1092	*/
1093	size_t offFull = cchFull - cchConstraint;
1094	if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
1095	return false;
1096
1097	/*
1098	* If the constraint starts with a dot, we're supposed to be
1099	* satisfied with a tail match.
1100	*/
1101	/** @todo Check if this should match even if offFull == 0. */
1102	if (*pszConstraint == '.')
1103	return true;
1104
1105	/*
1106	* Otherwise, we require a hostname match and thus expect an '@'
1107	* immediatly preceding the constraint match.
1108	*/
1109	if (pszFull[offFull - 1] == '@')
1110	return true;
1111
1112	return false;
1113	}
1114	}
1115
1116	/* fall back. */
1117	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1118	}
1119
1120
1121	/**
1122	* Extracts the hostname from an URI.
1123	*
1124	* @returns true if successfully extract, false if no hostname present.
1125	* @param pszUri The URI.
1126	* @param pchHostName .
1127	* @param pcchHostName .
1128	*/
1129	static bool rtCrX509GeneralName_ExtractHostName(const char pszUri, const char pchHostName, size_t pcchHostName)
1130	{
1131	/*
1132	* Skip the schema name.
1133	*/
1134	const char *pszStart = strchr(pszUri, ':');
1135	while (pszStart && (pszStart[1] != '/' \|\| pszStart[2] != '/'))
1136	pszStart = strchr(pszStart + 1, ':');
1137	if (pszStart)
1138	{
1139	pszStart += 3;
1140
1141	/*
1142	* The name ends with the first slash or ":port".
1143	*/
1144	const char *pszEnd = strchr(pszStart, '/');
1145	if (!pszEnd)
1146	pszEnd = strchr(pszStart, '\0');
1147	if (memchr(pszStart, ':', (size_t)(pszEnd - pszStart)))
1148	do
1149	pszEnd--;
1150	while (*pszEnd != ':');
1151	if (pszEnd != pszStart)
1152	{
1153	/*
1154	* Drop access credentials at the front of the string if present.
1155	*/
1156	const char pszAt = (const char )memchr(pszStart, '@', (size_t)(pszEnd - pszStart));
1157	if (pszAt)
1158	pszStart = pszAt + 1;
1159
1160	/*
1161	* If there is still some string left, that's the host name.
1162	*/
1163	if (pszEnd != pszStart)
1164	{
1165	*pcchHostName = (size_t)(pszEnd - pszStart);
1166	*pchHostName = pszStart;
1167	return true;
1168	}
1169	}
1170	}
1171
1172	*pcchHostName = 0;
1173	*pchHostName = NULL;
1174	return false;
1175	}
1176
1177
1178	/**
1179	* Name constraint matching (RFC-5280): URI.
1180	*
1181	* @returns true on match, false on mismatch.
1182	* @param pConstraint The constraint name.
1183	* @param pName The name to match against the constraint.
1184	*/
1185	static bool rtCrX509GeneralName_ConstraintMatchUri(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1186	{
1187	/*
1188	* Empty constraint string is taken to match everything.
1189	*/
1190	if (pConstraint->u.pT6_Uri->Asn1Core.cb == 0)
1191	return true;
1192
1193	/*
1194	* Get the UTF-8 strings for the two.
1195	*/
1196	size_t cchConstraint;
1197	char const *pszConstraint;
1198	int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT6_Uri, &pszConstraint, &cchConstraint);
1199	if (RT_SUCCESS(rc))
1200	{
1201	size_t cchFull;
1202	char const *pszFull;
1203	rc = RTAsn1String_QueryUtf8(pName->u.pT6_Uri, &pszFull, &cchFull);
1204	if (RT_SUCCESS(rc))
1205	{
1206	/*
1207	* Isolate the hostname in the name.
1208	*/
1209	size_t cchHostName;
1210	const char *pchHostName;
1211	if (rtCrX509GeneralName_ExtractHostName(pszFull, &pchHostName, &cchHostName))
1212	{
1213	/*
1214	* Domain constraint.
1215	*/
1216	if (*pszConstraint == '.')
1217	{
1218	if (cchHostName >= cchConstraint)
1219	{
1220	size_t offHostName = cchHostName - cchConstraint;
1221	if (RTStrICmp(&pchHostName[offHostName], pszConstraint) == 0)
1222	{
1223	/* "http://www..oracle.com" does not match ".oracle.com".
1224	It's debatable whether "http://.oracle.com/" should match. */
1225	if ( !offHostName
1226	\|\| pchHostName[offHostName - 1] != '.')
1227	return true;
1228	}
1229	}
1230	}
1231	/*
1232	* Host name constraint. Full match required.
1233	*/
1234	else if ( cchHostName == cchConstraint
1235	&& RTStrNICmp(pchHostName, pszConstraint, cchHostName) == 0)
1236	return true;
1237	}
1238	return false;
1239	}
1240	}
1241
1242	/* fall back. */
1243	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1244	}
1245
1246
1247	/**
1248	* Name constraint matching (RFC-5280): IP address.
1249	*
1250	* @returns true on match, false on mismatch.
1251	* @param pConstraint The constraint name.
1252	* @param pName The name to match against the constraint.
1253	*/
1254	static bool rtCrX509GeneralName_ConstraintMatchIpAddress(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1255	{
1256	uint8_t const *pbConstraint = pConstraint->u.pT7_IpAddress->Asn1Core.uData.pu8;
1257	uint8_t const *pbFull = pName->u.pT7_IpAddress->Asn1Core.uData.pu8;
1258
1259	/*
1260	* IPv4.
1261	*/
1262	if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 8 /* ip+netmask*/
1263	&& pName->u.pT7_IpAddress->Asn1Core.cb == 4) /* ip */
1264	return ((pbFull[0] ^ pbConstraint[0]) & pbConstraint[4]) == 0
1265	&& ((pbFull[1] ^ pbConstraint[1]) & pbConstraint[5]) == 0
1266	&& ((pbFull[2] ^ pbConstraint[2]) & pbConstraint[6]) == 0
1267	&& ((pbFull[3] ^ pbConstraint[3]) & pbConstraint[7]) == 0;
1268
1269	/*
1270	* IPv6.
1271	*/
1272	if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 32 /* ip+netmask*/
1273	&& pName->u.pT7_IpAddress->Asn1Core.cb == 16) /* ip */
1274	{
1275	for (uint32_t i = 0; i < 16; i++)
1276	if (((pbFull[i] ^ pbConstraint[i]) & pbConstraint[i + 16]) != 0)
1277	return false;
1278	return true;
1279	}
1280
1281	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1282	}
1283
1284
1285	RTDECL(bool) RTCrX509GeneralName_ConstraintMatch(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1286	{
1287	if (pConstraint->enmChoice == pName->enmChoice)
1288	{
1289	if (RTCRX509GENERALNAME_IS_DIRECTORY_NAME(pConstraint))
1290	return RTCrX509Name_ConstraintMatch(&pConstraint->u.pT4->DirectoryName, &pName->u.pT4->DirectoryName);
1291
1292	if (RTCRX509GENERALNAME_IS_DNS_NAME(pConstraint))
1293	return rtCrX509GeneralName_ConstraintMatchDnsName(pConstraint, pName);
1294
1295	if (RTCRX509GENERALNAME_IS_RFC822_NAME(pConstraint))
1296	return rtCrX509GeneralName_ConstraintMatchRfc822Name(pConstraint, pName);
1297
1298	if (RTCRX509GENERALNAME_IS_URI(pConstraint))
1299	return rtCrX509GeneralName_ConstraintMatchUri(pConstraint, pName);
1300
1301	if (RTCRX509GENERALNAME_IS_IP_ADDRESS(pConstraint))
1302	return rtCrX509GeneralName_ConstraintMatchIpAddress(pConstraint, pName);
1303
1304	AssertFailed();
1305	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1306	}
1307	return false;
1308	}
1309
1310
1311	/*
1312	* Sequence of X.509 GeneralNames.
1313	*/
1314
1315
1316	/*
1317	* X.509 UniqueIdentifier.
1318	*/
1319
1320
1321	/*
1322	* X.509 SubjectPublicKeyInfo.
1323	*/
1324
1325
1326	/*
1327	* X.509 AuthorityKeyIdentifier (IPRT representation).
1328	*/
1329
1330
1331	/*
1332	* One X.509 PolicyQualifierInfo.
1333	*/
1334
1335
1336	/*
1337	* Sequence of X.509 PolicyQualifierInfo.
1338	*/
1339
1340
1341	/*
1342	* One X.509 PolicyInformation.
1343	*/
1344
1345
1346	/*
1347	* Sequence of X.509 CertificatePolicies.
1348	*/
1349
1350
1351	/*
1352	* One X.509 PolicyMapping (IPRT representation).
1353	*/
1354
1355
1356	/*
1357	* Sequence of X.509 PolicyMappings (IPRT representation).
1358	*/
1359
1360
1361	/*
1362	* X.509 BasicConstraints (IPRT representation).
1363	*/
1364
1365
1366	/*
1367	* X.509 GeneralSubtree (IPRT representation).
1368	*/
1369
1370
1371	RTDECL(bool) RTCrX509GeneralSubtree_ConstraintMatch(PCRTCRX509GENERALSUBTREE pConstraint, PCRTCRX509GENERALSUBTREE pName)
1372	{
1373	return RTCrX509GeneralName_ConstraintMatch(&pConstraint->Base, &pName->Base);
1374	}
1375
1376
1377	/*
1378	* Sequence of X.509 GeneralSubtrees (IPRT representation).
1379	*/
1380
1381
1382	/*
1383	* X.509 NameConstraints (IPRT representation).
1384	*/
1385
1386
1387	/*
1388	* X.509 PolicyConstraints (IPRT representation).
1389	*/
1390
1391
1392	/*
1393	* One X.509 Extension.
1394	*/
1395
1396
1397	/*
1398	* Sequence of X.509 Extensions.
1399	*/
1400
1401
1402	/*
1403	* X.509 TbsCertificate.
1404	*/
1405
1406	static void rtCrx509TbsCertificate_AddKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
1407	{
1408	AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
1409	/* 3 = 1 byte for unused bit count, followed by one or two bytes containing actual bits. RFC-5280 defines bits 0 thru 8. */
1410	AssertReturnVoid(pExtension->ExtnValue.pEncapsulated->cb <= 3);
1411	pThis->T3.fKeyUsage \|= (uint32_t)RTAsn1BitString_GetAsUInt64((PCRTASN1BITSTRING)pExtension->ExtnValue.pEncapsulated);
1412	}
1413
1414
1415	static void rtCrx509TbsCertificate_AddExtKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
1416	{
1417	AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
1418	PCRTASN1SEQOFOBJIDS pObjIds = (PCRTASN1SEQOFOBJIDS)pExtension->ExtnValue.pEncapsulated;
1419	uint32_t i = pObjIds->cItems;
1420	while (i-- > 0)
1421	{
1422
1423	if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_ANY_EXTENDED_KEY_USAGE_OID) == 0)
1424	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_ANY;
1425	else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], RTCRX509_ID_KP_OID))
1426	{
1427	if (RTAsn1ObjIdCountComponents(pObjIds->papItems[i]) == 9)
1428	switch (RTAsn1ObjIdGetLastComponentsAsUInt32(pObjIds->papItems[i]))
1429	{
1430	case 1: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_SERVER_AUTH; break;
1431	case 2: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_CLIENT_AUTH; break;
1432	case 3: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_CODE_SIGNING; break;
1433	case 4: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_EMAIL_PROTECTION; break;
1434	case 5: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_IPSEC_END_SYSTEM; break;
1435	case 6: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_IPSEC_TUNNEL; break;
1436	case 7: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_IPSEC_USER; break;
1437	case 8: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_TIMESTAMPING; break;
1438	case 9: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OCSP_SIGNING; break;
1439	case 10: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_DVCS; break;
1440	case 11: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_SBGP_CERT_AA_SERVICE_AUTH; break;
1441	case 13: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_EAP_OVER_PPP; break;
1442	case 14: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_EAP_OVER_LAN; break;
1443	default: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER; break;
1444	}
1445	else
1446	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1447	}
1448	else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], RTCRX509_APPLE_EKU_APPLE_EXTENDED_KEY_USAGE_OID))
1449	{
1450	if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_OID) == 0)
1451	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING;
1452	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_DEVELOPMENT_OID) == 0)
1453	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_DEVELOPMENT;
1454	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_SOFTWARE_UPDATE_SIGNING_OID) == 0)
1455	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_SOFTWARE_UPDATE_SIGNING;
1456	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_THRID_PARTY_OID) == 0)
1457	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_THIRD_PARTY;
1458	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_RESOURCE_SIGNING_OID) == 0)
1459	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_RESOURCE_SIGNING;
1460	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_SYSTEM_IDENTITY_OID) == 0)
1461	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_SYSTEM_IDENTITY;
1462	else
1463	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1464	}
1465	else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], "1.3.6.1.4.1.311"))
1466	{
1467	if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_TIMESTAMP_SIGNING_OID) == 0)
1468	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_TIMESTAMP_SIGNING;
1469	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_WHQL_CRYPTO_OID) == 0)
1470	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_WHQL_CRYPTO;
1471	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_ATTEST_WHQL_CRYPTO_OID) == 0)
1472	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_ATTEST_WHQL_CRYPTO;
1473	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_NT5_CRYPTO_OID) == 0)
1474	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_NT5_CRYPTO;
1475	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_OEM_WHQL_CRYPTO_OID) == 0)
1476	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_OEM_WHQL_CRYPTO;
1477	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_EMBEDDED_NT_CRYPTO_OID) == 0)
1478	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_EMBEDDED_NT_CRYPTO;
1479	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_KERNEL_MODE_CODE_SIGNING_OID) == 0)
1480	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_KERNEL_MODE_CODE_SIGNING;
1481	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_LIFETIME_SIGNING_OID) == 0)
1482	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_LIFETIME_SIGNING;
1483	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_DRM_OID) == 0)
1484	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_DRM;
1485	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_DRM_INDIVIDUALIZATION_OID) == 0)
1486	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_DRM_INDIVIDUALIZATION;
1487	else
1488	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1489	}
1490	else
1491	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1492	}
1493	}
1494
1495
1496	/**
1497	* (Re-)Process the certificate extensions.
1498	*
1499	* Will fail if duplicate extensions are encountered.
1500	*
1501	* @returns IPRT status code.
1502	* @param pThis The to-be-signed certificate part.
1503	* @param pErrInfo Where to return extended error details,
1504	* optional.
1505	*/
1506	RTDECL(int) RTCrX509TbsCertificate_ReprocessExtensions(PRTCRX509TBSCERTIFICATE pThis, PRTERRINFO pErrInfo)
1507	{
1508	/*
1509	* Clear all variables we will set.
1510	*/
1511	pThis->T3.fFlags = 0;
1512	pThis->T3.fKeyUsage = 0;
1513	pThis->T3.fExtKeyUsage = 0;
1514	pThis->T3.pAuthorityKeyIdentifier = NULL;
1515	pThis->T3.pSubjectKeyIdentifier = NULL;
1516	pThis->T3.pAltSubjectName = NULL;
1517	pThis->T3.pAltIssuerName = NULL;
1518	pThis->T3.pCertificatePolicies = NULL;
1519	pThis->T3.pPolicyMappings = NULL;
1520	pThis->T3.pBasicConstraints = NULL;
1521	pThis->T3.pNameConstraints = NULL;
1522	pThis->T3.pPolicyConstraints = NULL;
1523	pThis->T3.pInhibitAnyPolicy = NULL;
1524
1525	#define CHECK_SET_PRESENT_RET_ON_DUP(a_pThis, a_pErrInfo, a_fPresentFlag) \
1526	do { \
1527	if ((a_pThis)->T3.fFlags & (a_fPresentFlag)) \
1528	return RTErrInfoSet(a_pErrInfo, VERR_CR_X509_TBSCERT_DUPLICATE_EXTENSION, \
1529	"Duplicate extension " #a_fPresentFlag); \
1530	(a_pThis)->T3.fFlags \|= (a_fPresentFlag); \
1531	} while (0)
1532
1533	/*
1534	* Process all the extensions.
1535	*/
1536	for (uint32_t i = 0; i < pThis->T3.Extensions.cItems; i++)
1537	{
1538	PCRTASN1OBJID pExtnId = &pThis->T3.Extensions.papItems[i]->ExtnId;
1539	PCRTASN1OCTETSTRING pExtValue = &pThis->T3.Extensions.papItems[i]->ExtnValue;
1540	if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_KEY_USAGE_OID) == 0)
1541	{
1542	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE);
1543	rtCrx509TbsCertificate_AddKeyUsageFlags(pThis, pThis->T3.Extensions.papItems[i]);
1544	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
1545	}
1546	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_EXT_KEY_USAGE_OID) == 0)
1547	{
1548	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE);
1549	rtCrx509TbsCertificate_AddExtKeyUsageFlags(pThis, pThis->T3.Extensions.papItems[i]);
1550	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
1551	}
1552	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
1553	{
1554	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_AUTHORITY_KEY_IDENTIFIER);
1555	pThis->T3.pAuthorityKeyIdentifier = (PCRTCRX509AUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
1556	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_AUTHORITY_KEY_IDENTIFIER);
1557	}
1558	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_OLD_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
1559	{
1560	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_OLD_AUTHORITY_KEY_IDENTIFIER);
1561	pThis->T3.pOldAuthorityKeyIdentifier = (PCRTCRX509OLDAUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
1562	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_OLD_AUTHORITY_KEY_IDENTIFIER);
1563	}
1564	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID) == 0)
1565	{
1566	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_KEY_IDENTIFIER);
1567	pThis->T3.pSubjectKeyIdentifier = (PCRTASN1OCTETSTRING)pExtValue->pEncapsulated;
1568	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_OCTET_STRING);
1569	}
1570	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID) == 0)
1571	{
1572	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_ALT_NAME);
1573	pThis->T3.pAltSubjectName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
1574	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
1575	}
1576	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ISSUER_ALT_NAME_OID) == 0)
1577	{
1578	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_ISSUER_ALT_NAME);
1579	pThis->T3.pAltIssuerName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
1580	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
1581	}
1582	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID) == 0)
1583	{
1584	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_CERTIFICATE_POLICIES);
1585	pThis->T3.pCertificatePolicies = (PCRTCRX509CERTIFICATEPOLICIES)pExtValue->pEncapsulated;
1586	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_CERTIFICATE_POLICIES);
1587	}
1588	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_MAPPINGS_OID) == 0)
1589	{
1590	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_MAPPINGS);
1591	pThis->T3.pPolicyMappings = (PCRTCRX509POLICYMAPPINGS)pExtValue->pEncapsulated;
1592	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_POLICY_MAPPINGS);
1593	}
1594	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID) == 0)
1595	{
1596	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_BASIC_CONSTRAINTS);
1597	pThis->T3.pBasicConstraints = (PCRTCRX509BASICCONSTRAINTS)pExtValue->pEncapsulated;
1598	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_BASIC_CONSTRAINTS);
1599	}
1600	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_NAME_CONSTRAINTS_OID) == 0)
1601	{
1602	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_NAME_CONSTRAINTS);
1603	pThis->T3.pNameConstraints = (PCRTCRX509NAMECONSTRAINTS)pExtValue->pEncapsulated;
1604	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_NAME_CONSTRAINTS);
1605	}
1606	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID) == 0)
1607	{
1608	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_CONSTRAINTS);
1609	pThis->T3.pPolicyConstraints = (PCRTCRX509POLICYCONSTRAINTS)pExtValue->pEncapsulated;
1610	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_POLICY_CONSTRAINTS);
1611	}
1612	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID) == 0)
1613	{
1614	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_INHIBIT_ANY_POLICY);
1615	pThis->T3.pInhibitAnyPolicy = (PCRTASN1INTEGER)pExtValue->pEncapsulated;
1616	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_INTEGER);
1617	}
1618	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ACCEPTABLE_CERT_POLICIES_OID) == 0)
1619	pThis->T3.fFlags \|= RTCRX509TBSCERTIFICATE_F_PRESENT_ACCEPTABLE_CERT_POLICIES;
1620	else
1621	pThis->T3.fFlags \|= RTCRX509TBSCERTIFICATE_F_PRESENT_OTHER;
1622	}
1623
1624	if (!pThis->T3.fFlags)
1625	pThis->T3.fFlags \|= RTCRX509TBSCERTIFICATE_F_PRESENT_NONE;
1626
1627	#undef CHECK_SET_PRESENT_RET_ON_DUP
1628	return VINF_SUCCESS;
1629	}
1630
1631
1632
1633	/*
1634	* One X.509 Certificate.
1635	*/
1636
1637	RTDECL(bool) RTCrX509Certificate_MatchIssuerAndSerialNumber(PCRTCRX509CERTIFICATE pCertificate,
1638	PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
1639	{
1640	if ( RTAsn1Integer_UnsignedCompare(&pCertificate->TbsCertificate.SerialNumber, pSerialNumber) == 0
1641	&& RTCrX509Name_Compare(&pCertificate->TbsCertificate.Issuer, pIssuer) == 0)
1642	return true;
1643	return false;
1644	}
1645
1646
1647	RTDECL(bool) RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(PCRTCRX509CERTIFICATE pThis, PCRTCRX509NAME pName)
1648	{
1649	if (RTCrX509Name_MatchByRfc5280(&pThis->TbsCertificate.Subject, pName))
1650	return true;
1651
1652	if (RTCrX509Extensions_IsPresent(&pThis->TbsCertificate.T3.Extensions))
1653	for (uint32_t i = 0; i < pThis->TbsCertificate.T3.Extensions.cItems; i++)
1654	{
1655	PCRTCRX509EXTENSION pExt = pThis->TbsCertificate.T3.Extensions.papItems[i];
1656	if ( pExt->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES
1657	&& RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID))
1658	{
1659	PCRTCRX509GENERALNAMES pGeneralNames = (PCRTCRX509GENERALNAMES)pExt->ExtnValue.pEncapsulated;
1660	for (uint32_t j = 0; j < pGeneralNames->cItems; j++)
1661	if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(pGeneralNames->papItems[j])
1662	&& RTCrX509Name_MatchByRfc5280(&pGeneralNames->papItems[j]->u.pT4->DirectoryName, pName))
1663	return true;
1664	}
1665	}
1666	return false;
1667	}
1668
1669
1670	RTDECL(bool) RTCrX509Certificate_IsSelfSigned(PCRTCRX509CERTIFICATE pCertificate)
1671	{
1672	if (RTCrX509Certificate_IsPresent(pCertificate))
1673	{
1674	return RTCrX509Name_MatchByRfc5280(&pCertificate->TbsCertificate.Subject,
1675	&pCertificate->TbsCertificate.Issuer);
1676	}
1677	return false;
1678	}
1679
1680
1681	/*
1682	* Set of X.509 Certificates.
1683	*/
1684
1685	RTDECL(PCRTCRX509CERTIFICATE)
1686	RTCrX509Certificates_FindByIssuerAndSerialNumber(PCRTCRX509CERTIFICATES pCertificates,
1687	PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
1688	{
1689	for (uint32_t i = 0; i < pCertificates->cItems; i++)
1690	if (RTCrX509Certificate_MatchIssuerAndSerialNumber(pCertificates->papItems[i], pIssuer, pSerialNumber))
1691	return pCertificates->papItems[i];
1692	return NULL;
1693	}
1694

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/Runtime/common/crypto/x509-core.cpp@ 98103

Download in other formats: