1 | /* $Id: x509-sanity.cpp 93115 2022-01-01 11:31:46Z vboxsync $ */
|
---|
2 | /** @file
|
---|
3 | * IPRT - Crypto - X.509, Sanity Checkers.
|
---|
4 | */
|
---|
5 |
|
---|
6 | /*
|
---|
7 | * Copyright (C) 2006-2022 Oracle Corporation
|
---|
8 | *
|
---|
9 | * This file is part of VirtualBox Open Source Edition (OSE), as
|
---|
10 | * available from http://www.virtualbox.org. This file is free software;
|
---|
11 | * you can redistribute it and/or modify it under the terms of the GNU
|
---|
12 | * General Public License (GPL) as published by the Free Software
|
---|
13 | * Foundation, in version 2 as it comes in the "COPYING" file of the
|
---|
14 | * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
|
---|
15 | * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
|
---|
16 | *
|
---|
17 | * The contents of this file may alternatively be used under the terms
|
---|
18 | * of the Common Development and Distribution License Version 1.0
|
---|
19 | * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
|
---|
20 | * VirtualBox OSE distribution, in which case the provisions of the
|
---|
21 | * CDDL are applicable instead of those of the GPL.
|
---|
22 | *
|
---|
23 | * You may elect to license modified versions of this file under the
|
---|
24 | * terms and conditions of either the GPL or the CDDL or both.
|
---|
25 | */
|
---|
26 |
|
---|
27 |
|
---|
28 | /*********************************************************************************************************************************
|
---|
29 | * Header Files *
|
---|
30 | *********************************************************************************************************************************/
|
---|
31 | #include "internal/iprt.h"
|
---|
32 | #include <iprt/crypto/x509.h>
|
---|
33 |
|
---|
34 | #include <iprt/err.h>
|
---|
35 | #include <iprt/string.h>
|
---|
36 |
|
---|
37 | #include "x509-internal.h"
|
---|
38 |
|
---|
39 |
|
---|
40 |
|
---|
41 | static int rtCrX509Validity_CheckSanityExtra(PCRTCRX509VALIDITY pThis, uint32_t fFlags, PRTERRINFO pErrInfo, const char *pszErrorTag)
|
---|
42 | {
|
---|
43 | RT_NOREF_PV(fFlags);
|
---|
44 |
|
---|
45 | if (RTAsn1Time_Compare(&pThis->NotBefore, &pThis->NotAfter) > 0)
|
---|
46 | return RTErrInfoSetF(pErrInfo, VERR_CR_X509_VALIDITY_SWAPPED, "%s: NotBefore is after NotAfter", pszErrorTag);
|
---|
47 | /** @todo check tag constraints? */
|
---|
48 | return VINF_SUCCESS;
|
---|
49 | }
|
---|
50 |
|
---|
51 |
|
---|
52 | static int rtCrX509Name_CheckSanityExtra(PCRTCRX509NAME pThis, uint32_t fFlags, PRTERRINFO pErrInfo, const char *pszErrorTag)
|
---|
53 | {
|
---|
54 | RT_NOREF_PV(fFlags);
|
---|
55 |
|
---|
56 | if (pThis->cItems == 0)
|
---|
57 | return RTErrInfoSetF(pErrInfo, VERR_CR_X509_NAME_EMPTY_SET, "%s: Has no components.", pszErrorTag);
|
---|
58 |
|
---|
59 | for (uint32_t i = 0; i < pThis->cItems; i++)
|
---|
60 | {
|
---|
61 | PCRTCRX509RELATIVEDISTINGUISHEDNAME const pRdn = pThis->papItems[i];
|
---|
62 | if (pRdn->cItems == 0)
|
---|
63 | return RTErrInfoSetF(pErrInfo, VERR_CR_X509_NAME_EMPTY_SUB_SET,
|
---|
64 | "%s: Items[%u] has no sub components.", pszErrorTag, i);
|
---|
65 |
|
---|
66 | for (uint32_t j = 0; j < pRdn->cItems; j++)
|
---|
67 | {
|
---|
68 | PCRTCRX509ATTRIBUTETYPEANDVALUE const pAttr = pRdn->papItems[j];
|
---|
69 |
|
---|
70 | if (pAttr->Value.enmType != RTASN1TYPE_STRING)
|
---|
71 | return RTErrInfoSetF(pErrInfo, VERR_CR_X509_NAME_NOT_STRING,
|
---|
72 | "%s: Items[%u].paItems[%u].enmType is %d instead of string (%d).",
|
---|
73 | pszErrorTag, i, j, pAttr->Value.enmType, RTASN1TYPE_STRING);
|
---|
74 | if (pAttr->Value.u.String.Asn1Core.cb == 0)
|
---|
75 | return RTErrInfoSetF(pErrInfo, VERR_CR_X509_NAME_EMPTY_STRING,
|
---|
76 | "%s: Items[%u].paItems[%u] is an empty string", pszErrorTag, i, j);
|
---|
77 | switch (pAttr->Value.u.String.Asn1Core.uTag)
|
---|
78 | {
|
---|
79 | case ASN1_TAG_PRINTABLE_STRING:
|
---|
80 | case ASN1_TAG_UTF8_STRING:
|
---|
81 | break;
|
---|
82 | case ASN1_TAG_T61_STRING:
|
---|
83 | case ASN1_TAG_UNIVERSAL_STRING:
|
---|
84 | case ASN1_TAG_BMP_STRING:
|
---|
85 | break;
|
---|
86 | case ASN1_TAG_IA5_STRING: /* Used by "Microsoft Root Certificate Authority" in the "com" part of the Issuer. */
|
---|
87 | break;
|
---|
88 | default:
|
---|
89 | return RTErrInfoSetF(pErrInfo, VERR_CR_X509_INVALID_NAME_STRING_TAG,
|
---|
90 | "%s: Items[%u].paItems[%u] invalid string type: %u", pszErrorTag, i, j,
|
---|
91 | pAttr->Value.u.String.Asn1Core.uTag);
|
---|
92 | }
|
---|
93 | }
|
---|
94 | }
|
---|
95 |
|
---|
96 | return VINF_SUCCESS;
|
---|
97 | }
|
---|
98 |
|
---|
99 |
|
---|
100 | static int rtCrX509SubjectPublicKeyInfo_CheckSanityExtra(PCRTCRX509SUBJECTPUBLICKEYINFO pThis, uint32_t fFlags,
|
---|
101 | PRTERRINFO pErrInfo, const char *pszErrorTag)
|
---|
102 | {
|
---|
103 | RT_NOREF_PV(fFlags);
|
---|
104 | if (pThis->SubjectPublicKey.cBits <= 32)
|
---|
105 | return RTErrInfoSetF(pErrInfo, VERR_CR_X509_PUBLIC_KEY_TOO_SMALL,
|
---|
106 | "%s: SubjectPublicKey is too small, only %u bits", pszErrorTag, pThis->SubjectPublicKey.cBits);
|
---|
107 | return VINF_SUCCESS;
|
---|
108 | }
|
---|
109 |
|
---|
110 |
|
---|
111 | static int rtCrX509TbsCertificate_CheckSanityExtra(PCRTCRX509TBSCERTIFICATE pThis, uint32_t fFlags,
|
---|
112 | PRTERRINFO pErrInfo, const char *pszErrorTag)
|
---|
113 | {
|
---|
114 | RT_NOREF_PV(fFlags);
|
---|
115 |
|
---|
116 | if ( RTAsn1Integer_IsPresent(&pThis->T0.Version)
|
---|
117 | && RTAsn1Integer_UnsignedCompareWithU32(&pThis->T0.Version, RTCRX509TBSCERTIFICATE_V1) != 0
|
---|
118 | && RTAsn1Integer_UnsignedCompareWithU32(&pThis->T0.Version, RTCRX509TBSCERTIFICATE_V2) != 0
|
---|
119 | && RTAsn1Integer_UnsignedCompareWithU32(&pThis->T0.Version, RTCRX509TBSCERTIFICATE_V3) != 0)
|
---|
120 | return RTErrInfoSetF(pErrInfo, VERR_CR_X509_TBSCERT_UNSUPPORTED_VERSION,
|
---|
121 | "%s: Unknown Version number: %llu",
|
---|
122 | pszErrorTag, pThis->T0.Version.uValue.u);
|
---|
123 |
|
---|
124 | if ( pThis->SerialNumber.Asn1Core.cb < 1
|
---|
125 | || pThis->SerialNumber.Asn1Core.cb > 1024)
|
---|
126 | return RTErrInfoSetF(pErrInfo, VERR_CR_X509_TBSCERT_SERIAL_NUMBER_OUT_OF_BOUNDS,
|
---|
127 | "%s: Bad SerialNumber length: %u", pszErrorTag, pThis->SerialNumber.Asn1Core.cb);
|
---|
128 |
|
---|
129 | if ( ( RTAsn1BitString_IsPresent(&pThis->T1.IssuerUniqueId)
|
---|
130 | || RTAsn1BitString_IsPresent(&pThis->T2.SubjectUniqueId))
|
---|
131 | && RTAsn1Integer_UnsignedCompareWithU32(&pThis->T0.Version, RTCRX509TBSCERTIFICATE_V2) < 0)
|
---|
132 | return RTErrInfoSetF(pErrInfo, VERR_CR_X509_TBSCERT_UNIQUE_IDS_REQ_V2,
|
---|
133 | "%s: IssuerUniqueId and SubjectUniqueId requires version 2", pszErrorTag);
|
---|
134 |
|
---|
135 | if ( RTCrX509Extensions_IsPresent(&pThis->T3.Extensions)
|
---|
136 | && RTAsn1Integer_UnsignedCompareWithU32(&pThis->T0.Version, RTCRX509TBSCERTIFICATE_V3) < 0)
|
---|
137 | return RTErrInfoSetF(pErrInfo, VERR_CR_X509_TBSCERT_EXTS_REQ_V3, "%s: Extensions requires version 3", pszErrorTag);
|
---|
138 |
|
---|
139 | return VINF_SUCCESS;
|
---|
140 | }
|
---|
141 |
|
---|
142 |
|
---|
143 | static int rtCrX509Certificate_CheckSanityExtra(PCRTCRX509CERTIFICATE pThis, uint32_t fFlags,
|
---|
144 | PRTERRINFO pErrInfo, const char *pszErrorTag)
|
---|
145 | {
|
---|
146 | RT_NOREF_PV(fFlags);
|
---|
147 |
|
---|
148 | if (RTCrX509AlgorithmIdentifier_Compare(&pThis->SignatureAlgorithm, &pThis->TbsCertificate.Signature) != 0)
|
---|
149 | return RTErrInfoSetF(pErrInfo, VERR_CR_X509_CERT_TBS_SIGN_ALGO_MISMATCH,
|
---|
150 | "%s: SignatureAlgorithm (%s) does not match TbsCertificate.Signature (%s).", pszErrorTag,
|
---|
151 | pThis->SignatureAlgorithm.Algorithm.szObjId,
|
---|
152 | pThis->TbsCertificate.Signature.Algorithm.szObjId);
|
---|
153 | return VINF_SUCCESS;
|
---|
154 | }
|
---|
155 |
|
---|
156 |
|
---|
157 | /*
|
---|
158 | * Generate the code.
|
---|
159 | */
|
---|
160 | #include <iprt/asn1-generator-sanity.h>
|
---|
161 |
|
---|