store.cpp@ 74352

Last change on this file since 74352 was 69111, checked in by vboxsync, 7 years ago
(C) year
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 15.0 KB

Line
1	/* $Id: store.cpp 69111 2017-10-17 14:26:02Z vboxsync $ */
2	/** @file
3	* IPRT - Cryptographic (Certificate) Store.
4	*/
5
6	/*
7	* Copyright (C) 2006-2017 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*
17	* The contents of this file may alternatively be used under the terms
18	* of the Common Development and Distribution License Version 1.0
19	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20	* VirtualBox OSE distribution, in which case the provisions of the
21	* CDDL are applicable instead of those of the GPL.
22	*
23	* You may elect to license modified versions of this file under the
24	* terms and conditions of either the GPL or the CDDL or both.
25	*/
26
27
28	/*********************************************************************************************************************************
29	* Header Files *
30	*********************************************************************************************************************************/
31	#include "internal/iprt.h"
32	#include <iprt/crypto/store.h>
33
34	#include <iprt/asm.h>
35	#include <iprt/err.h>
36	#include <iprt/mem.h>
37	#include <iprt/string.h>
38
39	#include <iprt/crypto/x509.h>
40
41	#ifdef IPRT_WITH_OPENSSL
42	# include <openssl/x509.h>
43	#endif
44
45	#include "store-internal.h"
46
47
48	/*********************************************************************************************************************************
49	* Structures and Typedefs *
50	*********************************************************************************************************************************/
51	/**
52	* Internal representation of a (certificate,++) store.
53	*/
54	typedef struct RTCRSTOREINT
55	{
56	/** Magic number (RTCRSTOREINT_MAGIC). */
57	uint32_t u32Magic;
58	/** Reference counter. */
59	uint32_t volatile cRefs;
60	/** Pointer to the store provider. */
61	PCRTCRSTOREPROVIDER pProvider;
62	/** Provider specific data. */
63	void *pvProvider;
64	} RTCRSTOREINT;
65	/** Pointer to the internal representation of a store. */
66	typedef RTCRSTOREINT *PRTCRSTOREINT;
67
68	/** Magic value for RTCRSTOREINT::u32Magic (Alfred Dillwyn "Dilly" Knox). */
69	#define RTCRSTOREINT_MAGIC UINT32_C(0x18840723)
70	/** Dead magic value for RTCRSTOREINT::u32Magic. */
71	#define RTCRSTOREINT_MAGIC_DEAD UINT32_C(0x19430227)
72
73
74
75	/**
76	* Internal method a store provider uses to create a store handle.
77	*
78	* @returns IPRT status code
79	* @param pProvider Pointer to the store provider callback table.
80	* @param pvProvider Pointer to the provider specific instance data.
81	* @param phStore Where to return the store handle.
82	*/
83	DECLHIDDEN(int) rtCrStoreCreate(PCRTCRSTOREPROVIDER pProvider, void *pvProvider, PRTCRSTORE phStore)
84	{
85	PRTCRSTOREINT pThis = (PRTCRSTOREINT)RTMemAlloc(sizeof(*pThis));
86	if (pThis)
87	{
88	pThis->pvProvider = pvProvider;
89	pThis->pProvider = pProvider;
90	pThis->cRefs = 1;
91	pThis->u32Magic = RTCRSTOREINT_MAGIC;
92	*phStore = pThis;
93	return VINF_SUCCESS;
94	}
95	return VERR_NO_MEMORY;
96	}
97
98
99
100	RTDECL(uint32_t) RTCrStoreRetain(RTCRSTORE hStore)
101	{
102	PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
103	AssertPtrReturn(pThis, UINT32_MAX);
104	AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, UINT32_MAX);
105
106	uint32_t cRet = ASMAtomicIncU32(&pThis->cRefs);
107	Assert(cRet < 8192);
108	return cRet;
109	}
110
111
112	RTDECL(uint32_t) RTCrStoreRelease(RTCRSTORE hStore)
113	{
114	if (hStore == NIL_RTCRSTORE)
115	return 0;
116
117	PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
118	AssertPtrReturn(pThis, UINT32_MAX);
119	AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, UINT32_MAX);
120
121	uint32_t cStore = ASMAtomicDecU32(&pThis->cRefs);
122	if (!cStore)
123	{
124	ASMAtomicWriteU32(&pThis->u32Magic, RTCRSTOREINT_MAGIC_DEAD);
125	pThis->pProvider->pfnDestroyStore(pThis->pvProvider);
126	RTMemFree(pThis);
127	}
128	return cStore;
129	}
130
131
132	RTDECL(PCRTCRCERTCTX) RTCrStoreCertByIssuerAndSerialNo(RTCRSTORE hStore, PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNo)
133	{
134	PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
135	AssertPtrReturn(pThis, NULL);
136	AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, NULL);
137	AssertPtrReturn(pIssuer, NULL);
138
139	int rc;
140	RTCRSTORECERTSEARCH Search;
141	if (pThis->pProvider->pfnCertFindByIssuerAndSerialNo)
142	rc = pThis->pProvider->pfnCertFindByIssuerAndSerialNo(pThis->pvProvider, pIssuer, pSerialNo, &Search);
143	else
144	rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, &Search);
145
146	PCRTCRCERTCTX pCertCtx = NULL;
147	if (RT_SUCCESS(rc))
148	{
149	for (;;)
150	{
151	pCertCtx = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, &Search);
152	if (!pCertCtx)
153	break;
154
155	if ( pCertCtx->pCert
156	&& RTCrX509Certificate_MatchIssuerAndSerialNumber(pCertCtx->pCert, pIssuer, pSerialNo))
157	break;
158	RTCrCertCtxRelease(pCertCtx);
159	}
160
161	pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, &Search);
162	}
163	else
164	AssertMsg(rc == VERR_NOT_FOUND, ("%Rrc\n", rc));
165	return pCertCtx;
166	}
167
168
169	RTDECL(int) RTCrStoreCertAddEncoded(RTCRSTORE hStore, uint32_t fFlags, void const *pvSrc, size_t cbSrc, PRTERRINFO pErrInfo)
170	{
171	PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
172	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
173	AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
174	AssertPtrReturn(pvSrc, VERR_INVALID_POINTER);
175	AssertReturn(cbSrc > 16 && cbSrc < _1M, VERR_OUT_OF_RANGE);
176	AssertReturn(!(fFlags & ~(RTCRCERTCTX_F_ADD_IF_NOT_FOUND \| RTCRCERTCTX_F_ENC_MASK)), VERR_INVALID_FLAGS);
177	AssertMsgReturn( (fFlags & RTCRCERTCTX_F_ENC_MASK) == RTCRCERTCTX_F_ENC_X509_DER
178	\|\| (fFlags & RTCRCERTCTX_F_ENC_MASK) == RTCRCERTCTX_F_ENC_TAF_DER
179	, ("Only X.509 and TAF DER supported: %#x\n", fFlags), VERR_INVALID_FLAGS);
180
181	int rc;
182	if (pThis->pProvider->pfnCertAddEncoded)
183	rc = pThis->pProvider->pfnCertAddEncoded(pThis->pvProvider, fFlags, (uint8_t const *)pvSrc, (uint32_t)cbSrc, pErrInfo);
184	else
185	rc = VERR_WRITE_PROTECT;
186
187	return rc;
188	}
189
190
191
192	/*
193	* Searching.
194	* Searching.
195	* Searching.
196	*/
197
198	RTDECL(int) RTCrStoreCertFindAll(RTCRSTORE hStore, PRTCRSTORECERTSEARCH pSearch)
199	{
200	PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
201	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
202	AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
203	AssertPtrReturn(pSearch, VERR_INVALID_POINTER);
204
205	return pThis->pProvider->pfnCertFindAll(pThis->pvProvider, pSearch);
206	}
207
208
209	/** Indicator for RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280 searches
210	* implemented by this front-end code. */
211	#define RTCRSTORECERTSEARCH_BY_SUBECT_OR_ALT_SUBJECT_BY_RFC5280 UINT32_C(0x5be9145d)
212
213	RTDECL(int) RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280(RTCRSTORE hStore, PCRTCRX509NAME pSubject,
214	PRTCRSTORECERTSEARCH pSearch)
215	{
216	PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
217	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
218	AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
219	AssertPtrReturn(pSearch, VERR_INVALID_POINTER);
220
221	int rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, pSearch);
222	if (RT_SUCCESS(rc))
223	{
224	pSearch->auOpaque[2] = RTCRSTORECERTSEARCH_BY_SUBECT_OR_ALT_SUBJECT_BY_RFC5280;
225	pSearch->auOpaque[3] = (uintptr_t)pSubject;
226	}
227	return rc;
228	}
229
230
231	RTDECL(PCRTCRCERTCTX) RTCrStoreCertSearchNext(RTCRSTORE hStore, PRTCRSTORECERTSEARCH pSearch)
232	{
233	PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
234	AssertPtrReturn(pThis, NULL);
235	AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, NULL);
236	AssertPtrReturn(pSearch, NULL);
237
238	PCRTCRCERTCTX pRet;
239	switch (pSearch->auOpaque[2])
240	{
241	default:
242	pRet = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, pSearch);
243	break;
244
245	case RTCRSTORECERTSEARCH_BY_SUBECT_OR_ALT_SUBJECT_BY_RFC5280:
246	{
247	PCRTCRX509NAME pSubject = (PCRTCRX509NAME)pSearch->auOpaque[3];
248	AssertPtrReturn(pSubject, NULL);
249
250	for (;;)
251	{
252	pRet = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, pSearch);
253	if (!pRet)
254	break;
255	if (pRet->pCert)
256	{
257	if (RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(pRet->pCert, pSubject))
258	break;
259	}
260	else if (pRet->pTaInfo)
261	{
262	if ( RTCrTafCertPathControls_IsPresent(&pRet->pTaInfo->CertPath)
263	&& RTCrX509Name_MatchByRfc5280(&pRet->pTaInfo->CertPath.TaName, pSubject))
264	break;
265	}
266	RTCrCertCtxRelease(pRet);
267	}
268	break;
269	}
270	}
271	return pRet;
272	}
273
274
275	RTDECL(int) RTCrStoreCertSearchDestroy(RTCRSTORE hStore, PRTCRSTORECERTSEARCH pSearch)
276	{
277	PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
278	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
279	AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
280	if (pSearch)
281	{
282	AssertPtrReturn(pSearch, VERR_INVALID_POINTER);
283	pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, pSearch);
284	}
285	return VINF_SUCCESS;
286	}
287
288
289
290	RTDECL(uint32_t) RTCrStoreCertCount(RTCRSTORE hStore)
291	{
292	PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
293	AssertPtrReturn(pThis, UINT32_MAX);
294	AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, UINT32_MAX);
295
296	RTCRSTORECERTSEARCH Search;
297	int rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, &Search);
298	AssertRCReturn(rc, UINT32_MAX);
299
300
301	uint32_t cCerts = 0;
302	PCRTCRCERTCTX pCur;
303	while ((pCur = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, &Search)) != NULL)
304	{
305	RTCrCertCtxRelease(pCur);
306	cCerts++;
307	}
308
309	return cCerts;
310	}
311
312
313	#ifdef IPRT_WITH_OPENSSL
314	/*
315	* OpenSSL helper.
316	* OpenSSL helper.
317	* OpenSSL helper.
318	*/
319
320	RTDECL(int) RTCrStoreConvertToOpenSslCertStore(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStore)
321	{
322	PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
323	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
324	AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
325	RT_NOREF_PV(fFlags);
326
327	/*
328	* Use the pfnCertFindAll method to add all certificates to the store we're returning.
329	*/
330	int rc;
331	X509_STORE *pOsslStore = X509_STORE_new();
332	if (pOsslStore)
333	{
334	RTCRSTORECERTSEARCH Search;
335	rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, &Search);
336	if (RT_SUCCESS(rc))
337	{
338	do
339	{
340	PCRTCRCERTCTX pCertCtx = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, &Search);
341	if (!pCertCtx)
342	break;
343
344	if (pCertCtx->fFlags & RTCRCERTCTX_F_ENC_X509_DER)
345	{
346	X509 *pOsslCert = NULL;
347	const unsigned char pabEncoded = (const unsigned char )pCertCtx->pabEncoded;
348	if (d2i_X509(&pOsslCert, &pabEncoded, pCertCtx->cbEncoded) == pOsslCert)
349	{
350	if (!X509_STORE_add_cert(pOsslStore, pOsslCert))
351	rc = VERR_NO_MEMORY;
352	X509_free(pOsslCert);
353	}
354	}
355
356	RTCrCertCtxRelease(pCertCtx);
357	} while (RT_SUCCESS(rc));
358
359	pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, &Search);
360	if (RT_SUCCESS(rc))
361	{
362	*ppvOpenSslStore = pOsslStore;
363	return VINF_SUCCESS;
364	}
365	}
366	X509_STORE_free(pOsslStore);
367	}
368	else
369	rc = VERR_NO_MEMORY;
370	return rc;
371	}
372
373
374	RTDECL(int) RTCrStoreConvertToOpenSslCertStack(RTCRSTORE hStore, uint32_t fFlags, void **ppvOpenSslStack)
375	{
376	PRTCRSTOREINT pThis = (PRTCRSTOREINT)hStore;
377	AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
378	AssertReturn(pThis->u32Magic == RTCRSTOREINT_MAGIC, VERR_INVALID_HANDLE);
379	RT_NOREF_PV(fFlags);
380
381	/*
382	* Use the pfnCertFindAll method to add all certificates to the store we're returning.
383	*/
384	int rc;
385	STACK_OF(X509) *pOsslStack = sk_X509_new_null();
386	if (pOsslStack)
387	{
388	RTCRSTORECERTSEARCH Search;
389	rc = pThis->pProvider->pfnCertFindAll(pThis->pvProvider, &Search);
390	if (RT_SUCCESS(rc))
391	{
392	do
393	{
394	PCRTCRCERTCTX pCertCtx = pThis->pProvider->pfnCertSearchNext(pThis->pvProvider, &Search);
395	if (!pCertCtx)
396	break;
397
398	if (pCertCtx->fFlags & RTCRCERTCTX_F_ENC_X509_DER)
399	{
400	X509 *pOsslCert = NULL;
401	const unsigned char pabEncoded = (const unsigned char )pCertCtx->pabEncoded;
402	if (d2i_X509(&pOsslCert, &pabEncoded, pCertCtx->cbEncoded) == pOsslCert)
403	{
404	if (!sk_X509_push(pOsslStack, pOsslCert))
405	{
406	rc = VERR_NO_MEMORY;
407	X509_free(pOsslCert);
408	}
409	}
410	}
411
412	RTCrCertCtxRelease(pCertCtx);
413	} while (RT_SUCCESS(rc));
414
415	pThis->pProvider->pfnCertSearchDestroy(pThis->pvProvider, &Search);
416	if (RT_SUCCESS(rc))
417	{
418	*ppvOpenSslStack = pOsslStack;
419	return VINF_SUCCESS;
420	}
421	}
422	sk_X509_pop_free(pOsslStack, X509_free);
423	}
424	else
425	rc = VERR_NO_MEMORY;
426	return rc;
427	}
428
429	#endif /* IPRT_WITH_OPENSSL */
430
431
432	/*
433	* Certificate context.
434	* Certificate context.
435	* Certificate context.
436	*/
437
438
439	RTDECL(uint32_t) RTCrCertCtxRetain(PCRTCRCERTCTX pCertCtx)
440	{
441	AssertPtrReturn(pCertCtx, UINT32_MAX);
442	PRTCRCERTCTXINT pThis = RT_FROM_MEMBER(pCertCtx, RTCRCERTCTXINT, Public);
443	AssertReturn(pThis->u32Magic == RTCRCERTCTXINT_MAGIC, UINT32_MAX);
444	uint32_t cRet = ASMAtomicIncU32(&pThis->cRefs);
445	Assert(cRet < 64);
446	return cRet;
447	}
448
449
450	RTDECL(uint32_t) RTCrCertCtxRelease(PCRTCRCERTCTX pCertCtx)
451	{
452	if (!pCertCtx)
453	return 0;
454
455	AssertPtrReturn(pCertCtx, UINT32_MAX);
456	PRTCRCERTCTXINT pThis = RT_FROM_MEMBER(pCertCtx, RTCRCERTCTXINT, Public);
457	AssertReturn(pThis->u32Magic == RTCRCERTCTXINT_MAGIC, UINT32_MAX);
458	uint32_t cRet = ASMAtomicDecU32(&pThis->cRefs);
459	if (!cRet)
460	{
461	ASMAtomicWriteU32(&pThis->u32Magic, RTCRCERTCTXINT_MAGIC_DEAD);
462	pThis->pfnDtor(pThis);
463	}
464	return cRet;
465	}
466

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/Runtime/common/crypto/store.cpp@ 74352

Download in other formats: