1 | /* $Id: x509-verify.cpp 73666 2018-08-14 17:51:20Z vboxsync $ */
|
---|
2 | /** @file
|
---|
3 | * IPRT - Crypto - X.509, Signature verficiation.
|
---|
4 | */
|
---|
5 |
|
---|
6 | /*
|
---|
7 | * Copyright (C) 2006-2017 Oracle Corporation
|
---|
8 | *
|
---|
9 | * This file is part of VirtualBox Open Source Edition (OSE), as
|
---|
10 | * available from http://www.virtualbox.org. This file is free software;
|
---|
11 | * you can redistribute it and/or modify it under the terms of the GNU
|
---|
12 | * General Public License (GPL) as published by the Free Software
|
---|
13 | * Foundation, in version 2 as it comes in the "COPYING" file of the
|
---|
14 | * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
|
---|
15 | * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
|
---|
16 | *
|
---|
17 | * The contents of this file may alternatively be used under the terms
|
---|
18 | * of the Common Development and Distribution License Version 1.0
|
---|
19 | * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
|
---|
20 | * VirtualBox OSE distribution, in which case the provisions of the
|
---|
21 | * CDDL are applicable instead of those of the GPL.
|
---|
22 | *
|
---|
23 | * You may elect to license modified versions of this file under the
|
---|
24 | * terms and conditions of either the GPL or the CDDL or both.
|
---|
25 | */
|
---|
26 |
|
---|
27 |
|
---|
28 | /*********************************************************************************************************************************
|
---|
29 | * Header Files *
|
---|
30 | *********************************************************************************************************************************/
|
---|
31 | #include "internal/iprt.h"
|
---|
32 | #include <iprt/crypto/x509.h>
|
---|
33 | #include <iprt/crypto/pkix.h>
|
---|
34 | #include <iprt/crypto/key.h>
|
---|
35 |
|
---|
36 | #include <iprt/err.h>
|
---|
37 | #include <iprt/mem.h>
|
---|
38 | #include <iprt/string.h>
|
---|
39 |
|
---|
40 |
|
---|
41 | RTDECL(int) RTCrX509Certificate_VerifySignature(PCRTCRX509CERTIFICATE pThis, PCRTASN1OBJID pAlgorithm,
|
---|
42 | PCRTASN1DYNTYPE pParameters, PCRTASN1BITSTRING pPublicKey,
|
---|
43 | PRTERRINFO pErrInfo)
|
---|
44 | {
|
---|
45 | /*
|
---|
46 | * Validate the input a little.
|
---|
47 | */
|
---|
48 | AssertPtrReturn(pThis, VERR_INVALID_POINTER);
|
---|
49 | AssertReturn(RTCrX509Certificate_IsPresent(pThis), VERR_INVALID_PARAMETER);
|
---|
50 |
|
---|
51 | AssertPtrReturn(pAlgorithm, VERR_INVALID_POINTER);
|
---|
52 | AssertReturn(RTAsn1ObjId_IsPresent(pAlgorithm), VERR_INVALID_POINTER);
|
---|
53 |
|
---|
54 | if (pParameters)
|
---|
55 | {
|
---|
56 | AssertPtrReturn(pParameters, VERR_INVALID_POINTER);
|
---|
57 | if (pParameters->enmType == RTASN1TYPE_NULL)
|
---|
58 | pParameters = NULL;
|
---|
59 | }
|
---|
60 |
|
---|
61 | AssertPtrReturn(pPublicKey, VERR_INVALID_POINTER);
|
---|
62 | AssertReturn(RTAsn1BitString_IsPresent(pPublicKey), VERR_INVALID_POINTER);
|
---|
63 |
|
---|
64 | /*
|
---|
65 | * Check if the algorithm matches.
|
---|
66 | */
|
---|
67 | const char *pszCipherOid = RTCrPkixGetCiperOidFromSignatureAlgorithm(&pThis->SignatureAlgorithm.Algorithm);
|
---|
68 | if (!pszCipherOid)
|
---|
69 | return RTErrInfoSetF(pErrInfo, VERR_CR_X509_UNKNOWN_CERT_SIGN_ALGO,
|
---|
70 | "Certificate signature algorithm not known: %s",
|
---|
71 | pThis->SignatureAlgorithm.Algorithm.szObjId);
|
---|
72 |
|
---|
73 | if (RTAsn1ObjId_CompareWithString(pAlgorithm, pszCipherOid) != 0)
|
---|
74 | return RTErrInfoSetF(pErrInfo, VERR_CR_X509_CERT_SIGN_ALGO_MISMATCH,
|
---|
75 | "Certificate signature cipher algorithm mismatch: cert uses %s (%s) while key uses %s",
|
---|
76 | pszCipherOid, pThis->SignatureAlgorithm.Algorithm.szObjId, pAlgorithm->szObjId);
|
---|
77 |
|
---|
78 | /*
|
---|
79 | * Wrap up the public key.
|
---|
80 | */
|
---|
81 | RTCRKEY hPubKey;
|
---|
82 | int rc = RTCrKeyCreateFromPublicAlgorithmAndBits(&hPubKey, pAlgorithm, pPublicKey, pErrInfo, NULL);
|
---|
83 | if (RT_FAILURE(rc))
|
---|
84 | return rc;
|
---|
85 |
|
---|
86 | /*
|
---|
87 | * Here we should recode the to-be-signed part as DER, but we'll ASSUME
|
---|
88 | * that it's already in DER encoding and only does this if there the
|
---|
89 | * encoded bits are missing.
|
---|
90 | */
|
---|
91 | if ( pThis->TbsCertificate.SeqCore.Asn1Core.uData.pu8
|
---|
92 | && pThis->TbsCertificate.SeqCore.Asn1Core.cb > 0)
|
---|
93 | rc = RTCrPkixPubKeyVerifySignature(&pThis->SignatureAlgorithm.Algorithm, hPubKey, pParameters, &pThis->SignatureValue,
|
---|
94 | RTASN1CORE_GET_RAW_ASN1_PTR(&pThis->TbsCertificate.SeqCore.Asn1Core),
|
---|
95 | RTASN1CORE_GET_RAW_ASN1_SIZE(&pThis->TbsCertificate.SeqCore.Asn1Core),
|
---|
96 | pErrInfo);
|
---|
97 | else
|
---|
98 | {
|
---|
99 | uint32_t cbEncoded;
|
---|
100 | rc = RTAsn1EncodePrepare((PRTASN1CORE)&pThis->TbsCertificate.SeqCore.Asn1Core, RTASN1ENCODE_F_DER, &cbEncoded, pErrInfo);
|
---|
101 | if (RT_SUCCESS(rc))
|
---|
102 | {
|
---|
103 | void *pvTbsBits = RTMemTmpAlloc(cbEncoded);
|
---|
104 | if (pvTbsBits)
|
---|
105 | {
|
---|
106 | rc = RTAsn1EncodeToBuffer(&pThis->TbsCertificate.SeqCore.Asn1Core, RTASN1ENCODE_F_DER,
|
---|
107 | pvTbsBits, cbEncoded, pErrInfo);
|
---|
108 | if (RT_SUCCESS(rc))
|
---|
109 | rc = RTCrPkixPubKeyVerifySignature(&pThis->SignatureAlgorithm.Algorithm, hPubKey, pParameters,
|
---|
110 | &pThis->SignatureValue, pvTbsBits, cbEncoded, pErrInfo);
|
---|
111 | else
|
---|
112 | AssertRC(rc);
|
---|
113 | RTMemTmpFree(pvTbsBits);
|
---|
114 | }
|
---|
115 | else
|
---|
116 | rc = VERR_NO_TMP_MEMORY;
|
---|
117 | }
|
---|
118 | }
|
---|
119 |
|
---|
120 | /* Free the public key. */
|
---|
121 | uint32_t cRefs = RTCrKeyRelease(hPubKey);
|
---|
122 | Assert(cRefs == 0); NOREF(cRefs);
|
---|
123 |
|
---|
124 | return rc;
|
---|
125 | }
|
---|
126 |
|
---|
127 |
|
---|
128 | RTDECL(int) RTCrX509Certificate_VerifySignatureSelfSigned(PCRTCRX509CERTIFICATE pThis, PRTERRINFO pErrInfo)
|
---|
129 | {
|
---|
130 | /*
|
---|
131 | * Validate the input a little.
|
---|
132 | */
|
---|
133 | AssertPtrReturn(pThis, VERR_INVALID_POINTER);
|
---|
134 | AssertReturn(RTCrX509Certificate_IsPresent(pThis), VERR_INVALID_PARAMETER);
|
---|
135 |
|
---|
136 | /*
|
---|
137 | * Assemble parameters for the generic verification call.
|
---|
138 | */
|
---|
139 | PCRTCRX509TBSCERTIFICATE const pTbsCert = &pThis->TbsCertificate;
|
---|
140 | PCRTASN1DYNTYPE pParameters = NULL;
|
---|
141 | if ( RTASN1CORE_IS_PRESENT(&pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters.u.Core)
|
---|
142 | && pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters.enmType != RTASN1TYPE_NULL)
|
---|
143 | pParameters = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters;
|
---|
144 | return RTCrX509Certificate_VerifySignature(pThis, &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm, pParameters,
|
---|
145 | &pTbsCert->SubjectPublicKeyInfo.SubjectPublicKey, pErrInfo);
|
---|
146 | }
|
---|
147 |
|
---|