VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/x509-verify.cpp@ 84379

Last change on this file since 84379 was 84310, checked in by vboxsync, 5 years ago

IPRT/crypto: Adding RTAsn1EncodeQueryRawBits to deal with getting encoded bytes cheaply if possible and always safely. Fixed another place using RTASN1CORE_GET_RAW_ASN1_PTR and assuming input was decoded and had valid data pointers. Added RTCrStoreCertAddPkcs7 and RTCrStoreCertAddX509 for more conveniently adding decoded certs to stores. Added RTCRPKCS7VERIFY_SD_F_TRUST_ALL_CERTS to the PKCS7 verification code. Added RTCrPkcs7_ReadFromBuffer. bugref:9699

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 5.2 KB
Line 
1/* $Id: x509-verify.cpp 84310 2020-05-14 17:40:35Z vboxsync $ */
2/** @file
3 * IPRT - Crypto - X.509, Signature verficiation.
4 */
5
6/*
7 * Copyright (C) 2006-2020 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#include "internal/iprt.h"
32#include <iprt/crypto/x509.h>
33#include <iprt/crypto/pkix.h>
34#include <iprt/crypto/key.h>
35
36#include <iprt/err.h>
37#include <iprt/mem.h>
38#include <iprt/string.h>
39
40
41RTDECL(int) RTCrX509Certificate_VerifySignature(PCRTCRX509CERTIFICATE pThis, PCRTASN1OBJID pAlgorithm,
42 PCRTASN1DYNTYPE pParameters, PCRTASN1BITSTRING pPublicKey,
43 PRTERRINFO pErrInfo)
44{
45 /*
46 * Validate the input a little.
47 */
48 AssertPtrReturn(pThis, VERR_INVALID_POINTER);
49 AssertReturn(RTCrX509Certificate_IsPresent(pThis), VERR_INVALID_PARAMETER);
50
51 AssertPtrReturn(pAlgorithm, VERR_INVALID_POINTER);
52 AssertReturn(RTAsn1ObjId_IsPresent(pAlgorithm), VERR_INVALID_POINTER);
53
54 if (pParameters)
55 {
56 AssertPtrReturn(pParameters, VERR_INVALID_POINTER);
57 if (pParameters->enmType == RTASN1TYPE_NULL)
58 pParameters = NULL;
59 }
60
61 AssertPtrReturn(pPublicKey, VERR_INVALID_POINTER);
62 AssertReturn(RTAsn1BitString_IsPresent(pPublicKey), VERR_INVALID_POINTER);
63
64 /*
65 * Check if the algorithm matches.
66 */
67 const char *pszCipherOid = RTCrPkixGetCiperOidFromSignatureAlgorithm(&pThis->SignatureAlgorithm.Algorithm);
68 if (!pszCipherOid)
69 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_UNKNOWN_CERT_SIGN_ALGO,
70 "Certificate signature algorithm not known: %s",
71 pThis->SignatureAlgorithm.Algorithm.szObjId);
72
73 if (RTAsn1ObjId_CompareWithString(pAlgorithm, pszCipherOid) != 0)
74 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_CERT_SIGN_ALGO_MISMATCH,
75 "Certificate signature cipher algorithm mismatch: cert uses %s (%s) while key uses %s",
76 pszCipherOid, pThis->SignatureAlgorithm.Algorithm.szObjId, pAlgorithm->szObjId);
77
78 /*
79 * Wrap up the public key.
80 */
81 RTCRKEY hPubKey;
82 int rc = RTCrKeyCreateFromPublicAlgorithmAndBits(&hPubKey, pAlgorithm, pPublicKey, pErrInfo, NULL);
83 if (RT_FAILURE(rc))
84 return rc;
85
86 /*
87 * Here we should recode the to-be-signed part as DER, but we'll ASSUME
88 * that it's already in DER encoding and only does this if there the
89 * encoded bits are missing.
90 */
91 const uint8_t *pbRaw;
92 uint32_t cbRaw;
93 void *pvFree = NULL;
94 rc = RTAsn1EncodeQueryRawBits(RTCrX509TbsCertificate_GetAsn1Core(&pThis->TbsCertificate), &pbRaw, &cbRaw, &pvFree, pErrInfo);
95 if (RT_SUCCESS(rc))
96 {
97 rc = RTCrPkixPubKeyVerifySignature(&pThis->SignatureAlgorithm.Algorithm, hPubKey, pParameters, &pThis->SignatureValue,
98 pbRaw, cbRaw, pErrInfo);
99 RTMemTmpFree(pvFree);
100 }
101
102 /* Free the public key. */
103 uint32_t cRefs = RTCrKeyRelease(hPubKey);
104 Assert(cRefs == 0); NOREF(cRefs);
105
106 return rc;
107}
108
109
110RTDECL(int) RTCrX509Certificate_VerifySignatureSelfSigned(PCRTCRX509CERTIFICATE pThis, PRTERRINFO pErrInfo)
111{
112 /*
113 * Validate the input a little.
114 */
115 AssertPtrReturn(pThis, VERR_INVALID_POINTER);
116 AssertReturn(RTCrX509Certificate_IsPresent(pThis), VERR_INVALID_PARAMETER);
117
118 /*
119 * Assemble parameters for the generic verification call.
120 */
121 PCRTCRX509TBSCERTIFICATE const pTbsCert = &pThis->TbsCertificate;
122 PCRTASN1DYNTYPE pParameters = NULL;
123 if ( RTASN1CORE_IS_PRESENT(&pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters.u.Core)
124 && pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters.enmType != RTASN1TYPE_NULL)
125 pParameters = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters;
126 return RTCrX509Certificate_VerifySignature(pThis, &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm, pParameters,
127 &pTbsCert->SubjectPublicKeyInfo.SubjectPublicKey, pErrInfo);
128}
129
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette