VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/store.cpp@ 57572

Last change on this file since 57572 was 57572, checked in by vboxsync, 9 years ago

IPRT: Started on accessing system certificate stores to get SSL roots for cURL.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 14.4 KB
Line 
1/* $Id: store.cpp 57572 2015-08-28 01:31:29Z vboxsync $ */
2/** @file
3 * IPRT - Cryptographic (Certificate) Store.
4 */
5
6/*
7 * Copyright (C) 2006-2015 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#include "internal/iprt.h"
32#include <iprt/crypto/store.h>
33
34#include <iprt/asm.h>
35#include <iprt/err.h>
36#include <iprt/mem.h>
37#include <iprt/string.h>
38
39#include <iprt/crypto/x509.h>
40
41#ifdef IPRT_WITH_OPENSSL
42# include <openssl/x509.h>
43#endif
44
45#include "store-internal.h"
46
47
48/*********************************************************************************************************************************
49* Structures and Typedefs *
50*********************************************************************************************************************************/
51/**
52 * Internal representation of a (certificate,++) store.
53 */
54typedef struct RTCRSTOREINT
55{
56 /** Magic number (RTCRSTOREINT_MAGIC). */
57 uint32_t u32Magic;
58 /** Reference counter. */
59 uint32_t volatile cRefs;
60 /** Pointer to the store provider. */
61 PCRTCRSTOREPROVIDER pProvider;
62 /** Provider specific data. */
63 void *pvProvider;
64} RTCRSTOREINT;
65/** Pointer to the internal representation of a store. */
66typedef RTCRSTOREINT *PRTCRSTOREINT;
67
68/** Magic value for RTCRSTOREINT::u32Magic (Alfred Dillwyn "Dilly" Knox). */
69#define RTCRSTOREINT_MAGIC UINT32_C(0x18840723)
70/** Dead magic value for RTCRSTOREINT::u32Magic. */
71#define RTCRSTOREINT_MAGIC_DEAD UINT32_C(0x19430227)
72
73
74
75/**
76 * Internal method a store provider uses to create a store handle.
77 *
78 * @returns IPRT status code
79 * @param pProvider Pointer to the store provider callback table.
80 * @param pvProvider Pointer to the provider specific instance data.
81 * @param phStore Where to return the store handle.
82 */
83DECLHIDDEN(int) rtCrStoreCreate(PCRTCRSTOREPROVIDER pProvider, void *pvProvider, PRTCRSTORE phStore)
84{
85 PRTCRSTOREINT pThis = (PRTCRSTOREINT)RTMemAlloc(sizeof(*pThis));
86 if (pThis)
87 {
88 pThis->pvProvider = pvProvider;
89 pThis->pProvider = pProvider;
90 pThis->cRefs = 1;
91 pThis->u32Magic = RTCRSTOREINT_MAGIC;
92 *phStore = pThis;
93 return VINF_SUCCESS;
94 }
95 return VERR_NO_MEMORY;
96}
97
98
99
100RTDECL(uint32_t) RTCrStoreRetain(RTCRSTORE hStore)
101{
102 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
103 AssertPtrReturn(pThis, UINT32_MAX);
104 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, UINT32_MAX);
105
106 uint32_t cRet = ASMAtomicIncU32(&pThis->cRefs);
107 Assert(cRet < 8192);
108 return cRet;
109}
110
111
112RTDECL(uint32_t) RTCrStoreRelease(RTCRSTORE hStore)
113{
114 if (hStore == NIL_RTCRSTORE)
115 return 0;
116
117 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
118 AssertPtrReturn(pThis, UINT32_MAX);
119 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, UINT32_MAX);
120
121 uint32_t cStore = ASMAtomicDecU32(&pThis->cRefs);
122 if (!cStore)
123 {
124 ASMAtomicWriteU32(&pThis->u32Magic, RTCRSTOREINT_MAGIC_DEAD);
125 pThis->pProvider->pfnDestroyStore(pThis->pvProvider);
126 RTMemFree(pThis);
127 }
128 return cStore;
129}
130
131
132RTDECL(PCRTCRCERTCTX) RTCrStoreCertByIssuerAndSerialNo(RTCRSTORE hStore, PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNo)
133{
134 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
135 AssertPtrReturn(pThis, NULL);
136 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, NULL);
137 AssertPtrReturn(pIssuer, NULL);
138
139 int rc;
140 RTCRSTORECERTSEARCH Search;
141 if (pThis->pProvider->pfnCertFindByIssuerAndSerialNo)
142 rc = pThis->pProvider->pfnCertFindByIssuerAndSerialNo(pThis->pvProvider, pIssuer, pSerialNo, &Search);
143 else
144 rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, &Search);
145
146 PCRTCRCERTCTX pCertCtx = NULL;
147 if (RT_SUCCESS(rc))
148 {
149 for (;;)
150 {
151 pCertCtx = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, &Search);
152 if (!pCertCtx)
153 break;
154
155 if ( pCertCtx->pCert
156 && RTCrX509Certificate_MatchIssuerAndSerialNumber(pCertCtx->pCert, pIssuer, pSerialNo))
157 break;
158 RTCrCertCtxRelease(pCertCtx);
159 }
160
161 pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, &Search);
162 }
163 else
164 AssertMsg(rc == VERR_NOT_FOUND, ("%Rrc\n", rc));
165 return pCertCtx;
166}
167
168
169RTDECL(int) RTCrStoreCertAddEncoded(RTCRSTORE hStore, uint32_t fFlags, void const *pvSrc, size_t cbSrc, PRTERRINFO pErrInfo)
170{
171 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
172 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
173 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
174 AssertPtrReturn(pvSrc, VERR_INVALID_POINTER);
175 AssertReturn(cbSrc > 16 && cbSrc < _1M, VERR_OUT_OF_RANGE);
176 AssertReturn(!(fFlags & ~(RTCRCERTCTX_F_ADD_IF_NOT_FOUND | RTCRCERTCTX_F_ENC_MASK)), VERR_INVALID_FLAGS);
177 AssertMsgReturn( (fFlags & RTCRCERTCTX_F_ENC_MASK) == RTCRCERTCTX_F_ENC_X509_DER
178 || (fFlags & RTCRCERTCTX_F_ENC_MASK) == RTCRCERTCTX_F_ENC_TAF_DER
179 , ("Only X.509 and TAF DER supported: %#x\n", fFlags), VERR_INVALID_FLAGS);
180
181 int rc;
182 if (pThis->pProvider->pfnCertAddEncoded)
183 rc = pThis->pProvider->pfnCertAddEncoded(pThis->pvProvider, fFlags, (uint8_t const *)pvSrc, (uint32_t)cbSrc, pErrInfo);
184 else
185 rc = VERR_WRITE_PROTECT;
186
187 return rc;
188}
189
190
191
192/*
193 * Searching.
194 * Searching.
195 * Searching.
196 */
197
198RTDECL(int) RTCrStoreCertFindAll(RTCRSTORE hStore, PRTCRSTORECERTSEARCH pSearch)
199{
200 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
201 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
202 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
203 AssertPtrReturn(pSearch, VERR_INVALID_POINTER);
204
205 return pThis->pProvider->pfnCertFindAll(pThis->pvProvider, pSearch);
206}
207
208
209/** Indicator for RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280 searches
210 * implemented by this front-end code. */
211#define RTCRSTORECERTSEARCH_BY_SUBECT_OR_ALT_SUBJECT_BY_RFC5280 UINT32_C(0x5be9145d)
212
213RTDECL(int) RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280(RTCRSTORE hStore, PCRTCRX509NAME pSubject,
214 PRTCRSTORECERTSEARCH pSearch)
215{
216 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
217 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
218 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
219 AssertPtrReturn(pSearch, VERR_INVALID_POINTER);
220
221 int rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, pSearch);
222 if (RT_SUCCESS(rc))
223 {
224 pSearch->auOpaque[2] = RTCRSTORECERTSEARCH_BY_SUBECT_OR_ALT_SUBJECT_BY_RFC5280;
225 pSearch->auOpaque[3] = (uintptr_t)pSubject;
226 }
227 return rc;
228}
229
230
231RTDECL(PCRTCRCERTCTX) RTCrStoreCertSearchNext(RTCRSTORE hStore, PRTCRSTORECERTSEARCH pSearch)
232{
233 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
234 AssertPtrReturn(pThis, NULL);
235 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, NULL);
236 AssertPtrReturn(pSearch, NULL);
237
238 PCRTCRCERTCTX pRet;
239 switch (pSearch->auOpaque[2])
240 {
241 default:
242 pRet = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, pSearch);
243 break;
244
245 case RTCRSTORECERTSEARCH_BY_SUBECT_OR_ALT_SUBJECT_BY_RFC5280:
246 {
247 PCRTCRX509NAME pSubject = (PCRTCRX509NAME)pSearch->auOpaque[3];
248 AssertPtrReturn(pSubject, NULL);
249
250 for (;;)
251 {
252 pRet = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, pSearch);
253 if (!pRet)
254 break;
255 if (pRet->pCert)
256 {
257 if (RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(pRet->pCert, pSubject))
258 break;
259 }
260 else if (pRet->pTaInfo)
261 {
262 if ( RTCrTafCertPathControls_IsPresent(&pRet->pTaInfo->CertPath)
263 && RTCrX509Name_MatchByRfc5280(&pRet->pTaInfo->CertPath.TaName, pSubject))
264 break;
265 }
266 RTCrCertCtxRelease(pRet);
267 }
268 break;
269 }
270 }
271 return pRet;
272}
273
274
275RTDECL(int) RTCrStoreCertSearchDestroy(RTCRSTORE hStore, PRTCRSTORECERTSEARCH pSearch)
276{
277 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
278 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
279 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
280 if (pSearch)
281 {
282 AssertPtrReturn(pSearch, VERR_INVALID_POINTER);
283 pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, pSearch);
284 }
285 return VINF_SUCCESS;
286}
287
288
289
290#ifdef IPRT_WITH_OPENSSL
291/*
292 * OpenSSL helper.
293 * OpenSSL helper.
294 * OpenSSL helper.
295 */
296
297RTDECL(int) RTCrStoreConvertToOpenSslCertStore(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStore)
298{
299 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
300 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
301 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
302
303 /*
304 * Use the pfnCertFindAll method to add all certificates to the store we're returning.
305 */
306 int rc;
307 X509_STORE *pOsslStore = X509_STORE_new();
308 if (pOsslStore)
309 {
310 RTCRSTORECERTSEARCH Search;
311 rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, &Search);
312 if (RT_SUCCESS(rc))
313 {
314 do
315 {
316 PCRTCRCERTCTX pCertCtx = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, &Search);
317 if (!pCertCtx)
318 break;
319
320 if (pCertCtx->fFlags & RTCRCERTCTX_F_ENC_X509_DER)
321 {
322 X509 *pOsslCert = NULL;
323 const unsigned char *pabEncoded = (const unsigned char *)pCertCtx->pabEncoded;
324 if (d2i_X509(&pOsslCert, &pabEncoded, pCertCtx->cbEncoded) == pOsslCert)
325 {
326 if (!X509_STORE_add_cert(pOsslStore, pOsslCert))
327 rc = VERR_NO_MEMORY;
328 X509_free(pOsslCert);
329 }
330 }
331
332 RTCrCertCtxRelease(pCertCtx);
333 } while (RT_SUCCESS(rc));
334
335 pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, &Search);
336 if (RT_SUCCESS(rc))
337 {
338 *ppvOpenSslStore = pOsslStore;
339 return VINF_SUCCESS;
340 }
341 }
342 X509_STORE_free(pOsslStore);
343 }
344 else
345 rc = VERR_NO_MEMORY;
346 return rc;
347}
348
349
350RTDECL(int) RTCrStoreConvertToOpenSslCertStack(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStack)
351{
352 PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
353 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
354 AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
355
356 /*
357 * Use the pfnCertFindAll method to add all certificates to the store we're returning.
358 */
359 int rc;
360 STACK_OF(X509) *pOsslStack = sk_X509_new_null();
361 if (pOsslStack)
362 {
363 RTCRSTORECERTSEARCH Search;
364 rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, &Search);
365 if (RT_SUCCESS(rc))
366 {
367 do
368 {
369 PCRTCRCERTCTX pCertCtx = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, &Search);
370 if (!pCertCtx)
371 break;
372
373 if (pCertCtx->fFlags & RTCRCERTCTX_F_ENC_X509_DER)
374 {
375 X509 *pOsslCert = NULL;
376 const unsigned char *pabEncoded = (const unsigned char *)pCertCtx->pabEncoded;
377 if (d2i_X509(&pOsslCert, &pabEncoded, pCertCtx->cbEncoded) == pOsslCert)
378 {
379 if (!sk_X509_push(pOsslStack, pOsslCert))
380 {
381 rc = VERR_NO_MEMORY;
382 X509_free(pOsslCert);
383 }
384 }
385 }
386
387 RTCrCertCtxRelease(pCertCtx);
388 } while (RT_SUCCESS(rc));
389
390 pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, &Search);
391 if (RT_SUCCESS(rc))
392 {
393 *ppvOpenSslStack = pOsslStack;
394 return VINF_SUCCESS;
395 }
396 }
397 sk_X509_pop_free(pOsslStack, X509_free);
398 }
399 else
400 rc = VERR_NO_MEMORY;
401 return rc;
402}
403
404#endif /* IPRT_WITH_OPENSSL */
405
406
407/*
408 * Certificate context.
409 * Certificate context.
410 * Certificate context.
411 */
412
413
414RTDECL(uint32_t) RTCrCertCtxRetain(PCRTCRCERTCTX pCertCtx)
415{
416 AssertPtrReturn(pCertCtx, UINT32_MAX);
417 PRTCRCERTCTXINT pThis = RT_FROM_MEMBER(pCertCtx, RTCRCERTCTXINT, Public);
418 AssertReturn(pThis->u32Magic == RTCRCERTCTXINT_MAGIC, UINT32_MAX);
419 uint32_t cRet = ASMAtomicIncU32(&pThis->cRefs);
420 Assert(cRet < 64);
421 return cRet;
422}
423
424
425RTDECL(uint32_t) RTCrCertCtxRelease(PCRTCRCERTCTX pCertCtx)
426{
427 if (!pCertCtx)
428 return 0;
429
430 AssertPtrReturn(pCertCtx, UINT32_MAX);
431 PRTCRCERTCTXINT pThis = RT_FROM_MEMBER(pCertCtx, RTCRCERTCTXINT, Public);
432 AssertReturn(pThis->u32Magic == RTCRCERTCTXINT_MAGIC, UINT32_MAX);
433 uint32_t cRet = ASMAtomicDecU32(&pThis->cRefs);
434 if (!cRet)
435 {
436 ASMAtomicWriteU32(&pThis->u32Magic, RTCRCERTCTXINT_MAGIC_DEAD);
437 pThis->pfnDtor(pThis);
438 }
439 return cRet;
440}
441
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette