VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/x509-certpaths.cpp@ 91982

Last change on this file since 91982 was 91982, checked in by vboxsync, 3 years ago

IPRT/RTCrX509CertPaths: Only ignore critical subject key IDs on end entities. Extended comment. Logging. bugref:10130
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 114.0 KB
Line 
1/* $Id: x509-certpaths.cpp 91982 2021-10-21 20:43:38Z vboxsync $ */
2/** @file
3 * IPRT - Crypto - X.509, Simple Certificate Path Builder & Validator.
4 */
5
6/*
7 * Copyright (C) 2006-2020 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#define LOG_GROUP RTLOGGROUP_CRYPTO
32#include "internal/iprt.h"
33#include <iprt/crypto/x509.h>
34
35#include <iprt/asm.h>
36#include <iprt/ctype.h>
37#include <iprt/err.h>
38#include <iprt/mem.h>
39#include <iprt/string.h>
40#include <iprt/list.h>
41#include <iprt/log.h>
42#include <iprt/time.h>
43#include <iprt/crypto/applecodesign.h> /* critical extension OIDs */
44#include <iprt/crypto/pkcs7.h> /* PCRTCRPKCS7SETOFCERTS */
45#include <iprt/crypto/store.h>
46
47#include "x509-internal.h"
48
49
50/*********************************************************************************************************************************
51* Structures and Typedefs *
52*********************************************************************************************************************************/
53/**
54 * X.509 certificate path node.
55 */
56typedef struct RTCRX509CERTPATHNODE
57{
58 /** Sibling list entry. */
59 RTLISTNODE SiblingEntry;
60 /** List of children or leaf list entry. */
61 RTLISTANCHOR ChildListOrLeafEntry;
62 /** Pointer to the parent node. NULL for root. */
63 struct RTCRX509CERTPATHNODE *pParent;
64
65 /** The distance between this node and the target. */
66 uint32_t uDepth : 8;
67 /** Indicates the source of this certificate. */
68 uint32_t uSrc : 3;
69 /** Set if this is a leaf node. */
70 uint32_t fLeaf : 1;
71 /** Makes sure it's a 32-bit bitfield. */
72 uint32_t uReserved : 20;
73
74 /** Leaf only: The result of the last path vertification. */
75 int rcVerify;
76
77 /** Pointer to the certificate. This can be NULL only for trust anchors. */
78 PCRTCRX509CERTIFICATE pCert;
79
80 /** If the certificate or trust anchor was obtained from a store, this is the
81 * associated certificate context (referenced of course). This is used to
82 * access the trust anchor information, if present.
83 *
84 * (If this is NULL it's from a certificate array or some such given directly to
85 * the path building code. It's assumed the caller doesn't free these until the
86 * path validation/whatever is done with and the paths destroyed.) */
87 PCRTCRCERTCTX pCertCtx;
88} RTCRX509CERTPATHNODE;
89/** Pointer to a X.509 path node. */
90typedef RTCRX509CERTPATHNODE *PRTCRX509CERTPATHNODE;
91
92/** @name RTCRX509CERTPATHNODE::uSrc values.
93 * The trusted and untrusted sources ordered in priority order, where higher
94 * number means high priority in case of duplicates.
95 * @{ */
96#define RTCRX509CERTPATHNODE_SRC_NONE 0
97#define RTCRX509CERTPATHNODE_SRC_TARGET 1
98#define RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET 2
99#define RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY 3
100#define RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE 4
101#define RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE 5
102#define RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT 6
103#define RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(uSrc) ((uSrc) >= RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE)
104/** @} */
105
106
107/**
108 * Policy tree node.
109 */
110typedef struct RTCRX509CERTPATHSPOLICYNODE
111{
112 /** Sibling list entry. */
113 RTLISTNODE SiblingEntry;
114 /** Tree depth list entry. */
115 RTLISTNODE DepthEntry;
116 /** List of children or leaf list entry. */
117 RTLISTANCHOR ChildList;
118 /** Pointer to the parent. */
119 struct RTCRX509CERTPATHSPOLICYNODE *pParent;
120
121 /** The policy object ID. */
122 PCRTASN1OBJID pValidPolicy;
123
124 /** Optional sequence of policy qualifiers. */
125 PCRTCRX509POLICYQUALIFIERINFOS pPolicyQualifiers;
126
127 /** The first policy ID in the exepcted policy set. */
128 PCRTASN1OBJID pExpectedPolicyFirst;
129 /** Set if we've already mapped pExpectedPolicyFirst. */
130 bool fAlreadyMapped;
131 /** Number of additional items in the expected policy set. */
132 uint32_t cMoreExpectedPolicySet;
133 /** Additional items in the expected policy set. */
134 PCRTASN1OBJID *papMoreExpectedPolicySet;
135} RTCRX509CERTPATHSPOLICYNODE;
136/** Pointer to a policy tree node. */
137typedef RTCRX509CERTPATHSPOLICYNODE *PRTCRX509CERTPATHSPOLICYNODE;
138
139
140/**
141 * Path builder and validator instance.
142 *
143 * The path builder creates a tree of certificates by forward searching from the
144 * end-entity towards a trusted source. The leaf nodes are inserted into list
145 * ordered by the source of the leaf certificate and the path length (i.e. tree
146 * depth).
147 *
148 * The path validator works the tree from the leaf end and validates each
149 * potential path found by the builder. It is generally happy with one working
150 * path, but may be told to verify all of them.
151 */
152typedef struct RTCRX509CERTPATHSINT
153{
154 /** Magic number. */
155 uint32_t u32Magic;
156 /** Reference counter. */
157 uint32_t volatile cRefs;
158
159 /** @name Input
160 * @{ */
161 /** The target certificate (end entity) to build a trusted path for. */
162 PCRTCRX509CERTIFICATE pTarget;
163
164 /** Lone trusted certificate. */
165 PCRTCRX509CERTIFICATE pTrustedCert;
166 /** Store of trusted certificates. */
167 RTCRSTORE hTrustedStore;
168
169 /** Store of untrusted certificates. */
170 RTCRSTORE hUntrustedStore;
171 /** Array of untrusted certificates, typically from the protocol. */
172 PCRTCRX509CERTIFICATE paUntrustedCerts;
173 /** Number of entries in paUntrusted. */
174 uint32_t cUntrustedCerts;
175 /** Set of untrusted PKCS \#7 / CMS certificatess. */
176 PCRTCRPKCS7SETOFCERTS pUntrustedCertsSet;
177
178 /** UTC time we're going to validate the path at, requires
179 * RTCRX509CERTPATHSINT_F_VALID_TIME to be set. */
180 RTTIMESPEC ValidTime;
181 /** Number of policy OIDs in the user initial policy set, 0 means anyPolicy. */
182 uint32_t cInitialUserPolicySet;
183 /** The user initial policy set. As with all other user provided data, we
184 * assume it's immutable and remains valid for the usage period of the path
185 * builder & validator. */
186 PCRTASN1OBJID *papInitialUserPolicySet;
187 /** Number of certificates before the user wants an explicit policy result.
188 * Set to UINT32_MAX no explicit policy restriction required by the user. */
189 uint32_t cInitialExplicitPolicy;
190 /** Number of certificates before the user wants policy mapping to be
191 * inhibited. Set to UINT32_MAX if no initial policy mapping inhibition
192 * desired by the user. */
193 uint32_t cInitialPolicyMappingInhibit;
194 /** Number of certificates before the user wants the anyPolicy to be rejected.
195 * Set to UINT32_MAX no explicit policy restriction required by the user. */
196 uint32_t cInitialInhibitAnyPolicy;
197 /** Initial name restriction: Permitted subtrees. */
198 PCRTCRX509GENERALSUBTREES pInitialPermittedSubtrees;
199 /** Initial name restriction: Excluded subtrees. */
200 PCRTCRX509GENERALSUBTREES pInitialExcludedSubtrees;
201
202 /** Flags RTCRX509CERTPATHSINT_F_XXX. */
203 uint32_t fFlags;
204 /** @} */
205
206 /** Sticky status for remembering allocation errors and the like. */
207 int32_t rc;
208 /** Where to store extended error info (optional). */
209 PRTERRINFO pErrInfo;
210
211 /** @name Path Builder Output
212 * @{ */
213 /** Pointer to the root of the tree. This will always be non-NULL after path
214 * building and thus can be reliably used to tell if path building has taken
215 * place or not. */
216 PRTCRX509CERTPATHNODE pRoot;
217 /** List of working leaf tree nodes. */
218 RTLISTANCHOR LeafList;
219 /** The number of paths (leafs). */
220 uint32_t cPaths;
221 /** @} */
222
223 /** Path Validator State. */
224 struct
225 {
226 /** Number of nodes in the certificate path we're validating (aka 'n'). */
227 uint32_t cNodes;
228 /** The current node (0 being the trust anchor). */
229 uint32_t iNode;
230
231 /** The root node of the valid policy tree. */
232 PRTCRX509CERTPATHSPOLICYNODE pValidPolicyTree;
233 /** An array of length cNodes + 1 which tracks all nodes at the given (index)
234 * tree depth via the RTCRX509CERTPATHSPOLICYNODE::DepthEntry member. */
235 PRTLISTANCHOR paValidPolicyDepthLists;
236
237 /** Number of entries in paPermittedSubtrees (name constraints).
238 * If zero, no permitted name constrains currently in effect. */
239 uint32_t cPermittedSubtrees;
240 /** The allocated size of papExcludedSubtrees */
241 uint32_t cPermittedSubtreesAlloc;
242 /** Array of permitted subtrees we've collected so far (name constraints). */
243 PCRTCRX509GENERALSUBTREE *papPermittedSubtrees;
244 /** Set if we end up with an empty set after calculating a name constraints
245 * union. */
246 bool fNoPermittedSubtrees;
247
248 /** Number of entries in paExcludedSubtrees (name constraints).
249 * If zero, no excluded name constrains currently in effect. */
250 uint32_t cExcludedSubtrees;
251 /** Array of excluded subtrees we've collected so far (name constraints). */
252 PCRTCRX509GENERALSUBTREES *papExcludedSubtrees;
253
254 /** Number of non-self-issued certificates to be processed before a non-NULL
255 * paValidPolicyTree is required. */
256 uint32_t cExplicitPolicy;
257 /** Number of non-self-issued certificates to be processed we stop processing
258 * policy mapping extensions. */
259 uint32_t cInhibitPolicyMapping;
260 /** Number of non-self-issued certificates to be processed before a the
261 * anyPolicy is rejected. */
262 uint32_t cInhibitAnyPolicy;
263 /** Number of non-self-issued certificates we're allowed to process. */
264 uint32_t cMaxPathLength;
265
266 /** The working issuer name. */
267 PCRTCRX509NAME pWorkingIssuer;
268 /** The working public key algorithm ID. */
269 PCRTASN1OBJID pWorkingPublicKeyAlgorithm;
270 /** The working public key algorithm parameters. */
271 PCRTASN1DYNTYPE pWorkingPublicKeyParameters;
272 /** A bit string containing the public key. */
273 PCRTASN1BITSTRING pWorkingPublicKey;
274 } v;
275
276 /** An object identifier initialized to anyPolicy. */
277 RTASN1OBJID AnyPolicyObjId;
278
279 /** Temporary scratch space. */
280 char szTmp[1024];
281} RTCRX509CERTPATHSINT;
282typedef RTCRX509CERTPATHSINT *PRTCRX509CERTPATHSINT;
283
284/** Magic value for RTCRX509CERTPATHSINT::u32Magic (Bruce Schneier). */
285#define RTCRX509CERTPATHSINT_MAGIC UINT32_C(0x19630115)
286
287/** @name RTCRX509CERTPATHSINT_F_XXX - Certificate path build flags.
288 * @{ */
289#define RTCRX509CERTPATHSINT_F_VALID_TIME RT_BIT_32(0)
290#define RTCRX509CERTPATHSINT_F_ELIMINATE_UNTRUSTED_PATHS RT_BIT_32(1)
291/** Whether checking the trust anchor signature (if self signed) and
292 * that it is valid at the verification time, also require it to be a CA if not
293 * leaf node. */
294#define RTCRX509CERTPATHSINT_F_CHECK_TRUST_ANCHOR RT_BIT_32(2)
295#define RTCRX509CERTPATHSINT_F_VALID_MASK UINT32_C(0x00000007)
296/** @} */
297
298
299/*********************************************************************************************************************************
300* Internal Functions *
301*********************************************************************************************************************************/
302static void rtCrX509CertPathsDestroyTree(PRTCRX509CERTPATHSINT pThis);
303static void rtCrX509CpvCleanup(PRTCRX509CERTPATHSINT pThis);
304
305
306/** @name Path Builder and Validator Config APIs
307 * @{
308 */
309
310RTDECL(int) RTCrX509CertPathsCreate(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget)
311{
312 AssertPtrReturn(phCertPaths, VERR_INVALID_POINTER);
313
314 PRTCRX509CERTPATHSINT pThis = (PRTCRX509CERTPATHSINT)RTMemAllocZ(sizeof(*pThis));
315 if (pThis)
316 {
317 int rc = RTAsn1ObjId_InitFromString(&pThis->AnyPolicyObjId, RTCRX509_ID_CE_CP_ANY_POLICY_OID, &g_RTAsn1DefaultAllocator);
318 if (RT_SUCCESS(rc))
319 {
320 pThis->u32Magic = RTCRX509CERTPATHSINT_MAGIC;
321 pThis->cRefs = 1;
322 pThis->pTarget = pTarget;
323 pThis->hTrustedStore = NIL_RTCRSTORE;
324 pThis->hUntrustedStore = NIL_RTCRSTORE;
325 pThis->cInitialExplicitPolicy = UINT32_MAX;
326 pThis->cInitialPolicyMappingInhibit = UINT32_MAX;
327 pThis->cInitialInhibitAnyPolicy = UINT32_MAX;
328 pThis->rc = VINF_SUCCESS;
329 RTListInit(&pThis->LeafList);
330 *phCertPaths = pThis;
331 return VINF_SUCCESS;
332 }
333 return rc;
334 }
335 return VERR_NO_MEMORY;
336}
337
338
339RTDECL(uint32_t) RTCrX509CertPathsRetain(RTCRX509CERTPATHS hCertPaths)
340{
341 PRTCRX509CERTPATHSINT pThis = hCertPaths;
342 AssertPtrReturn(pThis, UINT32_MAX);
343
344 uint32_t cRefs = ASMAtomicIncU32(&pThis->cRefs);
345 Assert(cRefs > 0 && cRefs < 64);
346 return cRefs;
347}
348
349
350RTDECL(uint32_t) RTCrX509CertPathsRelease(RTCRX509CERTPATHS hCertPaths)
351{
352 uint32_t cRefs;
353 if (hCertPaths != NIL_RTCRX509CERTPATHS)
354 {
355 PRTCRX509CERTPATHSINT pThis = hCertPaths;
356 AssertPtrReturn(pThis, UINT32_MAX);
357 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, UINT32_MAX);
358
359 cRefs = ASMAtomicDecU32(&pThis->cRefs);
360 Assert(cRefs < 64);
361 if (!cRefs)
362 {
363 /*
364 * No more references, destroy the whole thing.
365 */
366 ASMAtomicWriteU32(&pThis->u32Magic, ~RTCRX509CERTPATHSINT_MAGIC);
367
368 /* config */
369 pThis->pTarget = NULL; /* Referencing user memory. */
370 pThis->pTrustedCert = NULL; /* Referencing user memory. */
371 RTCrStoreRelease(pThis->hTrustedStore);
372 pThis->hTrustedStore = NIL_RTCRSTORE;
373 RTCrStoreRelease(pThis->hUntrustedStore);
374 pThis->hUntrustedStore = NIL_RTCRSTORE;
375 pThis->paUntrustedCerts = NULL; /* Referencing user memory. */
376 pThis->pUntrustedCertsSet = NULL; /* Referencing user memory. */
377 pThis->papInitialUserPolicySet = NULL; /* Referencing user memory. */
378 pThis->pInitialPermittedSubtrees = NULL; /* Referencing user memory. */
379 pThis->pInitialExcludedSubtrees = NULL; /* Referencing user memory. */
380
381 /* builder */
382 rtCrX509CertPathsDestroyTree(pThis);
383
384 /* validator */
385 rtCrX509CpvCleanup(pThis);
386
387 /* misc */
388 RTAsn1VtDelete(&pThis->AnyPolicyObjId.Asn1Core);
389
390 /* Finally, the instance itself. */
391 RTMemFree(pThis);
392 }
393 }
394 else
395 cRefs = 0;
396 return cRefs;
397}
398
399
400
401RTDECL(int) RTCrX509CertPathsSetTrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hTrustedStore)
402{
403 PRTCRX509CERTPATHSINT pThis = hCertPaths;
404 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
405 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
406 AssertReturn(pThis->pRoot == NULL, VERR_WRONG_ORDER);
407
408 if (pThis->hTrustedStore != NIL_RTCRSTORE)
409 {
410 RTCrStoreRelease(pThis->hTrustedStore);
411 pThis->hTrustedStore = NIL_RTCRSTORE;
412 }
413 if (hTrustedStore != NIL_RTCRSTORE)
414 {
415 AssertReturn(RTCrStoreRetain(hTrustedStore) != UINT32_MAX, VERR_INVALID_HANDLE);
416 pThis->hTrustedStore = hTrustedStore;
417 }
418 return VINF_SUCCESS;
419}
420
421
422RTDECL(int) RTCrX509CertPathsSetUntrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hUntrustedStore)
423{
424 PRTCRX509CERTPATHSINT pThis = hCertPaths;
425 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
426 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
427 AssertReturn(pThis->pRoot == NULL, VERR_WRONG_ORDER);
428
429 if (pThis->hUntrustedStore != NIL_RTCRSTORE)
430 {
431 RTCrStoreRelease(pThis->hUntrustedStore);
432 pThis->hUntrustedStore = NIL_RTCRSTORE;
433 }
434 if (hUntrustedStore != NIL_RTCRSTORE)
435 {
436 AssertReturn(RTCrStoreRetain(hUntrustedStore) != UINT32_MAX, VERR_INVALID_HANDLE);
437 pThis->hUntrustedStore = hUntrustedStore;
438 }
439 return VINF_SUCCESS;
440}
441
442
443RTDECL(int) RTCrX509CertPathsSetUntrustedArray(RTCRX509CERTPATHS hCertPaths, PCRTCRX509CERTIFICATE paCerts, uint32_t cCerts)
444{
445 PRTCRX509CERTPATHSINT pThis = hCertPaths;
446 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
447 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
448
449 pThis->paUntrustedCerts = paCerts;
450 pThis->cUntrustedCerts = cCerts;
451 return VINF_SUCCESS;
452}
453
454
455RTDECL(int) RTCrX509CertPathsSetUntrustedSet(RTCRX509CERTPATHS hCertPaths, PCRTCRPKCS7SETOFCERTS pSetOfCerts)
456{
457 PRTCRX509CERTPATHSINT pThis = hCertPaths;
458 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
459 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
460
461 pThis->pUntrustedCertsSet = pSetOfCerts;
462 return VINF_SUCCESS;
463}
464
465
466RTDECL(int) RTCrX509CertPathsSetValidTime(RTCRX509CERTPATHS hCertPaths, PCRTTIME pTime)
467{
468 PRTCRX509CERTPATHSINT pThis = hCertPaths;
469 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
470 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
471
472 /* Allow this after building paths, as it's only used during verification. */
473
474 if (pTime)
475 {
476 if (RTTimeImplode(&pThis->ValidTime, pTime))
477 return VERR_INVALID_PARAMETER;
478 pThis->fFlags |= RTCRX509CERTPATHSINT_F_VALID_TIME;
479 }
480 else
481 pThis->fFlags &= ~RTCRX509CERTPATHSINT_F_VALID_TIME;
482 return VINF_SUCCESS;
483}
484
485
486RTDECL(int) RTCrX509CertPathsSetValidTimeSpec(RTCRX509CERTPATHS hCertPaths, PCRTTIMESPEC pTimeSpec)
487{
488 PRTCRX509CERTPATHSINT pThis = hCertPaths;
489 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
490 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
491
492 /* Allow this after building paths, as it's only used during verification. */
493
494 if (pTimeSpec)
495 {
496 pThis->ValidTime = *pTimeSpec;
497 pThis->fFlags |= RTCRX509CERTPATHSINT_F_VALID_TIME;
498 }
499 else
500 pThis->fFlags &= ~RTCRX509CERTPATHSINT_F_VALID_TIME;
501 return VINF_SUCCESS;
502}
503
504
505RTDECL(int) RTCrX509CertPathsSetTrustAnchorChecks(RTCRX509CERTPATHS hCertPaths, bool fEnable)
506{
507 PRTCRX509CERTPATHSINT pThis = hCertPaths;
508 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
509 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
510
511 if (fEnable)
512 pThis->fFlags |= RTCRX509CERTPATHSINT_F_CHECK_TRUST_ANCHOR;
513 else
514 pThis->fFlags &= ~RTCRX509CERTPATHSINT_F_CHECK_TRUST_ANCHOR;
515 return VINF_SUCCESS;
516}
517
518
519RTDECL(int) RTCrX509CertPathsCreateEx(PRTCRX509CERTPATHS phCertPaths, PCRTCRX509CERTIFICATE pTarget, RTCRSTORE hTrustedStore,
520 RTCRSTORE hUntrustedStore, PCRTCRX509CERTIFICATE paUntrustedCerts, uint32_t cUntrustedCerts,
521 PCRTTIMESPEC pValidTime)
522{
523 int rc = RTCrX509CertPathsCreate(phCertPaths, pTarget);
524 if (RT_SUCCESS(rc))
525 {
526 PRTCRX509CERTPATHSINT pThis = *phCertPaths;
527
528 rc = RTCrX509CertPathsSetTrustedStore(pThis, hTrustedStore);
529 if (RT_SUCCESS(rc))
530 {
531 rc = RTCrX509CertPathsSetUntrustedStore(pThis, hUntrustedStore);
532 if (RT_SUCCESS(rc))
533 {
534 rc = RTCrX509CertPathsSetUntrustedArray(pThis, paUntrustedCerts, cUntrustedCerts);
535 if (RT_SUCCESS(rc))
536 {
537 rc = RTCrX509CertPathsSetValidTimeSpec(pThis, pValidTime);
538 if (RT_SUCCESS(rc))
539 {
540 return VINF_SUCCESS;
541 }
542 }
543 RTCrStoreRelease(pThis->hUntrustedStore);
544 }
545 RTCrStoreRelease(pThis->hTrustedStore);
546 }
547 RTMemFree(pThis);
548 *phCertPaths = NIL_RTCRX509CERTPATHS;
549 }
550 return rc;
551}
552
553/** @} */
554
555
556
557/** @name Path Builder and Validator Common Utility Functions.
558 * @{
559 */
560
561/**
562 * Checks if the certificate is self-issued.
563 *
564 * @returns true / false.
565 * @param pNode The path node to check..
566 */
567static bool rtCrX509CertPathsIsSelfIssued(PRTCRX509CERTPATHNODE pNode)
568{
569 return pNode->pCert
570 && RTCrX509Name_MatchByRfc5280(&pNode->pCert->TbsCertificate.Subject, &pNode->pCert->TbsCertificate.Issuer);
571}
572
573/**
574 * Helper for checking whether a certificate is in the trusted store or not.
575 */
576static bool rtCrX509CertPathsIsCertInStore(PRTCRX509CERTPATHNODE pNode, RTCRSTORE hStore)
577{
578 bool fRc = false;
579 PCRTCRCERTCTX pCertCtx = RTCrStoreCertByIssuerAndSerialNo(hStore, &pNode->pCert->TbsCertificate.Issuer,
580 &pNode->pCert->TbsCertificate.SerialNumber);
581 if (pCertCtx)
582 {
583 if (pCertCtx->pCert)
584 fRc = RTCrX509Certificate_Compare(pCertCtx->pCert, pNode->pCert) == 0;
585 RTCrCertCtxRelease(pCertCtx);
586 }
587 return fRc;
588}
589
590/** @} */
591
592
593
594/** @name Path Builder Functions.
595 * @{
596 */
597
598static PRTCRX509CERTPATHNODE rtCrX509CertPathsNewNode(PRTCRX509CERTPATHSINT pThis)
599{
600 PRTCRX509CERTPATHNODE pNode = (PRTCRX509CERTPATHNODE)RTMemAllocZ(sizeof(*pNode));
601 if (RT_LIKELY(pNode))
602 {
603 RTListInit(&pNode->SiblingEntry);
604 RTListInit(&pNode->ChildListOrLeafEntry);
605 pNode->rcVerify = VERR_CR_X509_NOT_VERIFIED;
606
607 return pNode;
608 }
609
610 pThis->rc = RTErrInfoSet(pThis->pErrInfo, VERR_NO_MEMORY, "No memory for path node");
611 return NULL;
612}
613
614
615static void rtCrX509CertPathsDestroyNode(PRTCRX509CERTPATHNODE pNode)
616{
617 if (pNode->pCertCtx)
618 {
619 RTCrCertCtxRelease(pNode->pCertCtx);
620 pNode->pCertCtx = NULL;
621 }
622 RT_ZERO(*pNode);
623 RTMemFree(pNode);
624}
625
626
627static void rtCrX509CertPathsAddIssuer(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pParent,
628 PCRTCRX509CERTIFICATE pCert, PCRTCRCERTCTX pCertCtx, uint8_t uSrc)
629{
630 /*
631 * Check if we've seen this certificate already in the current path or
632 * among the already gathered issuers.
633 */
634 if (pCert)
635 {
636 /* No duplicate certificates in the path. */
637 PRTCRX509CERTPATHNODE pTmpNode = pParent;
638 while (pTmpNode)
639 {
640 Assert(pTmpNode->pCert);
641 if ( pTmpNode->pCert == pCert
642 || RTCrX509Certificate_Compare(pTmpNode->pCert, pCert) == 0)
643 {
644 /* If target and the source it trusted, upgrade the source so we can successfully verify single node 'paths'. */
645 if ( RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(uSrc)
646 && pTmpNode == pParent
647 && pTmpNode->uSrc == RTCRX509CERTPATHNODE_SRC_TARGET)
648 {
649 AssertReturnVoid(!pTmpNode->pParent);
650 pTmpNode->uSrc = uSrc;
651 }
652 return;
653 }
654 pTmpNode = pTmpNode->pParent;
655 }
656
657 /* No duplicate tree branches. */
658 RTListForEach(&pParent->ChildListOrLeafEntry, pTmpNode, RTCRX509CERTPATHNODE, SiblingEntry)
659 {
660 if (RTCrX509Certificate_Compare(pTmpNode->pCert, pCert) == 0)
661 return;
662 }
663 }
664 else
665 Assert(pCertCtx);
666
667 /*
668 * Reference the context core before making the allocation.
669 */
670 if (pCertCtx)
671 AssertReturnVoidStmt(RTCrCertCtxRetain(pCertCtx) != UINT32_MAX,
672 pThis->rc = RTErrInfoSetF(pThis->pErrInfo, VERR_CR_X509_CPB_BAD_CERT_CTX,
673 "Bad pCertCtx=%p", pCertCtx));
674
675 /*
676 * We haven't see it, append it as a child.
677 */
678 PRTCRX509CERTPATHNODE pNew = rtCrX509CertPathsNewNode(pThis);
679 if (pNew)
680 {
681 pNew->pParent = pParent;
682 pNew->pCert = pCert;
683 pNew->pCertCtx = pCertCtx;
684 pNew->uSrc = uSrc;
685 pNew->uDepth = pParent->uDepth + 1;
686 RTListAppend(&pParent->ChildListOrLeafEntry, &pNew->SiblingEntry);
687 Log2Func(("pNew=%p uSrc=%u uDepth=%u\n", pNew, uSrc, pNew->uDepth));
688 }
689 else
690 RTCrCertCtxRelease(pCertCtx);
691}
692
693
694static void rtCrX509CertPathsGetIssuersFromStore(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode,
695 PCRTCRX509NAME pIssuer, RTCRSTORE hStore, uint8_t uSrc)
696{
697 RTCRSTORECERTSEARCH Search;
698 int rc = RTCrStoreCertFindBySubjectOrAltSubjectByRfc5280(hStore, pIssuer, &Search);
699 if (RT_SUCCESS(rc))
700 {
701 PCRTCRCERTCTX pCertCtx;
702 while ((pCertCtx = RTCrStoreCertSearchNext(hStore, &Search)) != NULL)
703 {
704 if ( pCertCtx->pCert
705 || ( RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(uSrc)
706 && pCertCtx->pTaInfo) )
707 rtCrX509CertPathsAddIssuer(pThis, pNode, pCertCtx->pCert, pCertCtx, uSrc);
708 RTCrCertCtxRelease(pCertCtx);
709 }
710 RTCrStoreCertSearchDestroy(hStore, &Search);
711 }
712}
713
714
715static void rtCrX509CertPathsGetIssuers(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
716{
717 Assert(RTListIsEmpty(&pNode->ChildListOrLeafEntry));
718 Assert(!pNode->fLeaf);
719 Assert(pNode->pCert);
720
721 /*
722 * Don't recurse infintely.
723 */
724 if (RT_UNLIKELY(pNode->uDepth >= 50))
725 return;
726
727 PCRTCRX509NAME const pIssuer = &pNode->pCert->TbsCertificate.Issuer;
728#if defined(LOG_ENABLED) && defined(IN_RING3)
729 if (LogIs2Enabled())
730 {
731 char szIssuer[128] = {0};
732 RTCrX509Name_FormatAsString(pIssuer, szIssuer, sizeof(szIssuer), NULL);
733 char szSubject[128] = {0};
734 RTCrX509Name_FormatAsString(&pNode->pCert->TbsCertificate.Subject, szSubject, sizeof(szSubject), NULL);
735 Log2Func(("pNode=%p uSrc=%u uDepth=%u Issuer='%s' (Subject='%s')\n", pNode, pNode->uSrc, pNode->uDepth, szIssuer, szSubject));
736 }
737#endif
738
739 /*
740 * Trusted certificate.
741 */
742 if ( pThis->pTrustedCert
743 && RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(pThis->pTrustedCert, pIssuer))
744 rtCrX509CertPathsAddIssuer(pThis, pNode, pThis->pTrustedCert, NULL, RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT);
745
746 /*
747 * Trusted certificate store.
748 */
749 if (pThis->hTrustedStore != NIL_RTCRSTORE)
750 rtCrX509CertPathsGetIssuersFromStore(pThis, pNode, pIssuer, pThis->hTrustedStore,
751 RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE);
752
753 /*
754 * Untrusted store.
755 */
756 if (pThis->hUntrustedStore != NIL_RTCRSTORE)
757 rtCrX509CertPathsGetIssuersFromStore(pThis, pNode, pIssuer, pThis->hTrustedStore,
758 RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE);
759
760 /*
761 * Untrusted array.
762 */
763 if (pThis->paUntrustedCerts)
764 for (uint32_t i = 0; i < pThis->cUntrustedCerts; i++)
765 if (RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(&pThis->paUntrustedCerts[i], pIssuer))
766 rtCrX509CertPathsAddIssuer(pThis, pNode, &pThis->paUntrustedCerts[i], NULL,
767 RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY);
768
769 /** @todo Rainy day: Should abstract the untrusted array and set so we don't get
770 * unnecessary PKCS7/CMS header dependencies. */
771
772 /*
773 * Untrusted set.
774 */
775 if (pThis->pUntrustedCertsSet)
776 {
777 uint32_t const cCerts = pThis->pUntrustedCertsSet->cItems;
778 PRTCRPKCS7CERT const *papCerts = pThis->pUntrustedCertsSet->papItems;
779 for (uint32_t i = 0; i < cCerts; i++)
780 {
781 PCRTCRPKCS7CERT pCert = papCerts[i];
782 if ( pCert->enmChoice == RTCRPKCS7CERTCHOICE_X509
783 && RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(pCert->u.pX509Cert, pIssuer))
784 rtCrX509CertPathsAddIssuer(pThis, pNode, pCert->u.pX509Cert, NULL, RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET);
785 }
786 }
787}
788
789
790static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetNextRightUp(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
791{
792 for (;;)
793 {
794 /* The root node has no siblings. */
795 PRTCRX509CERTPATHNODE pParent = pNode->pParent;
796 if (!pNode->pParent)
797 return NULL;
798
799 /* Try go to the right. */
800 PRTCRX509CERTPATHNODE pNext = RTListGetNext(&pParent->ChildListOrLeafEntry, pNode, RTCRX509CERTPATHNODE, SiblingEntry);
801 if (pNext)
802 return pNext;
803
804 /* Up. */
805 pNode = pParent;
806 }
807
808 RT_NOREF_PV(pThis);
809}
810
811
812static PRTCRX509CERTPATHNODE rtCrX509CertPathsEliminatePath(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
813{
814 for (;;)
815 {
816 Assert(RTListIsEmpty(&pNode->ChildListOrLeafEntry));
817
818 /* Don't remove the root node. */
819 PRTCRX509CERTPATHNODE pParent = pNode->pParent;
820 if (!pParent)
821 return NULL;
822
823 /* Before removing and deleting the node check if there is sibling
824 right to it that we should continue processing from. */
825 PRTCRX509CERTPATHNODE pNext = RTListGetNext(&pParent->ChildListOrLeafEntry, pNode, RTCRX509CERTPATHNODE, SiblingEntry);
826 RTListNodeRemove(&pNode->SiblingEntry);
827 rtCrX509CertPathsDestroyNode(pNode);
828
829 if (pNext)
830 return pNext;
831
832 /* If the parent node cannot be removed, do a normal get-next-rigth-up
833 to find the continuation point for the tree loop. */
834 if (!RTListIsEmpty(&pParent->ChildListOrLeafEntry))
835 return rtCrX509CertPathsGetNextRightUp(pThis, pParent);
836
837 pNode = pParent;
838 }
839}
840
841
842/**
843 * Destroys the whole path tree.
844 *
845 * @param pThis The path builder and verifier instance.
846 */
847static void rtCrX509CertPathsDestroyTree(PRTCRX509CERTPATHSINT pThis)
848{
849 PRTCRX509CERTPATHNODE pNode, pNextLeaf;
850 RTListForEachSafe(&pThis->LeafList, pNode, pNextLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
851 {
852 RTListNodeRemove(&pNode->ChildListOrLeafEntry);
853 RTListInit(&pNode->ChildListOrLeafEntry);
854
855 for (;;)
856 {
857 PRTCRX509CERTPATHNODE pParent = pNode->pParent;
858
859 RTListNodeRemove(&pNode->SiblingEntry);
860 rtCrX509CertPathsDestroyNode(pNode);
861
862 if (!pParent)
863 {
864 pThis->pRoot = NULL;
865 break;
866 }
867
868 if (!RTListIsEmpty(&pParent->ChildListOrLeafEntry))
869 break;
870
871 pNode = pParent;
872 }
873 }
874 Assert(!pThis->pRoot);
875}
876
877
878/**
879 * Adds a leaf node.
880 *
881 * This should normally be a trusted certificate, but the caller can also
882 * request the incomplete paths, in which case this will be an untrusted
883 * certificate.
884 *
885 * @returns Pointer to the next node in the tree to process.
886 * @param pThis The path builder instance.
887 * @param pNode The leaf node.
888 */
889static PRTCRX509CERTPATHNODE rtCrX509CertPathsAddLeaf(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
890{
891 pNode->fLeaf = true;
892
893 /*
894 * Priority insert by source and depth.
895 */
896 PRTCRX509CERTPATHNODE pCurLeaf;
897 RTListForEach(&pThis->LeafList, pCurLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
898 {
899 if ( pNode->uSrc > pCurLeaf->uSrc
900 || ( pNode->uSrc == pCurLeaf->uSrc
901 && pNode->uDepth < pCurLeaf->uDepth) )
902 {
903 RTListNodeInsertBefore(&pCurLeaf->ChildListOrLeafEntry, &pNode->ChildListOrLeafEntry);
904 pThis->cPaths++;
905 return rtCrX509CertPathsGetNextRightUp(pThis, pNode);
906 }
907 }
908
909 RTListAppend(&pThis->LeafList, &pNode->ChildListOrLeafEntry);
910 pThis->cPaths++;
911 return rtCrX509CertPathsGetNextRightUp(pThis, pNode);
912}
913
914
915
916RTDECL(int) RTCrX509CertPathsBuild(RTCRX509CERTPATHS hCertPaths, PRTERRINFO pErrInfo)
917{
918 /*
919 * Validate the input.
920 */
921 PRTCRX509CERTPATHSINT pThis = hCertPaths;
922 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
923 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
924 AssertReturn(!(pThis->fFlags & ~RTCRX509CERTPATHSINT_F_VALID_MASK), VERR_INVALID_PARAMETER);
925 AssertReturn( (pThis->paUntrustedCerts == NULL && pThis->cUntrustedCerts == 0)
926 || (pThis->paUntrustedCerts != NULL && pThis->cUntrustedCerts > 0),
927 VERR_INVALID_PARAMETER);
928 AssertReturn(RTListIsEmpty(&pThis->LeafList), VERR_INVALID_PARAMETER);
929 AssertReturn(pThis->pRoot == NULL, VERR_INVALID_PARAMETER);
930 AssertReturn(pThis->rc == VINF_SUCCESS, pThis->rc);
931 AssertPtrReturn(pThis->pTarget, VERR_INVALID_PARAMETER);
932 Assert(RT_SUCCESS(RTCrX509Certificate_CheckSanity(pThis->pTarget, 0, NULL, NULL)));
933
934 /*
935 * Set up the target.
936 */
937 PRTCRX509CERTPATHNODE pCur;
938 pThis->pRoot = pCur = rtCrX509CertPathsNewNode(pThis);
939 if (pThis->pRoot)
940 {
941 pCur->pCert = pThis->pTarget;
942 pCur->uDepth = 0;
943 pCur->uSrc = RTCRX509CERTPATHNODE_SRC_TARGET;
944
945 /* Check if the target is trusted and do the upgrade (this is outside the RFC,
946 but this simplifies the path validator usage a lot (less work for the caller)). */
947 if ( pThis->pTrustedCert
948 && RTCrX509Certificate_Compare(pThis->pTrustedCert, pCur->pCert) == 0)
949 pCur->uSrc = RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT;
950 else if ( pThis->hTrustedStore != NIL_RTCRSTORE
951 && rtCrX509CertPathsIsCertInStore(pCur, pThis->hTrustedStore))
952 pCur->uSrc = RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE;
953
954 pThis->pErrInfo = pErrInfo;
955
956 /*
957 * The tree construction loop.
958 * Walks down, up, and right as the tree is constructed.
959 */
960 do
961 {
962 /*
963 * Check for the two leaf cases first.
964 */
965 if (RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCur->uSrc))
966 pCur = rtCrX509CertPathsAddLeaf(pThis, pCur);
967#if 0 /* This isn't right.*/
968 else if (rtCrX509CertPathsIsSelfIssued(pCur))
969 {
970 if (pThis->fFlags & RTCRX509CERTPATHSINT_F_ELIMINATE_UNTRUSTED_PATHS)
971 pCur = rtCrX509CertPathsEliminatePath(pThis, pCur);
972 else
973 pCur = rtCrX509CertPathsAddLeaf(pThis, pCur);
974 }
975#endif
976 /*
977 * Not a leaf, find all potential issuers and decend into these.
978 */
979 else
980 {
981 rtCrX509CertPathsGetIssuers(pThis, pCur);
982 if (RT_FAILURE(pThis->rc))
983 break;
984
985 if (!RTListIsEmpty(&pCur->ChildListOrLeafEntry))
986 pCur = RTListGetFirst(&pCur->ChildListOrLeafEntry, RTCRX509CERTPATHNODE, SiblingEntry);
987 else if (pThis->fFlags & RTCRX509CERTPATHSINT_F_ELIMINATE_UNTRUSTED_PATHS)
988 pCur = rtCrX509CertPathsEliminatePath(pThis, pCur);
989 else
990 pCur = rtCrX509CertPathsAddLeaf(pThis, pCur);
991 }
992 if (pCur)
993 Log2(("RTCrX509CertPathsBuild: pCur=%p fLeaf=%d pParent=%p pNext=%p pPrev=%p\n",
994 pCur, pCur->fLeaf, pCur->pParent,
995 pCur->pParent ? RTListGetNext(&pCur->pParent->ChildListOrLeafEntry, pCur, RTCRX509CERTPATHNODE, SiblingEntry) : NULL,
996 pCur->pParent ? RTListGetPrev(&pCur->pParent->ChildListOrLeafEntry, pCur, RTCRX509CERTPATHNODE, SiblingEntry) : NULL));
997 } while (pCur);
998
999 pThis->pErrInfo = NULL;
1000 if (RT_SUCCESS(pThis->rc))
1001 return VINF_SUCCESS;
1002 }
1003 else
1004 Assert(RT_FAILURE_NP(pThis->rc));
1005 return pThis->rc;
1006}
1007
1008
1009/**
1010 * Looks up path by leaf/path index.
1011 *
1012 * @returns Pointer to the leaf node of the path.
1013 * @param pThis The path builder & validator instance.
1014 * @param iPath The oridnal of the path to get.
1015 */
1016static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetLeafByIndex(PRTCRX509CERTPATHSINT pThis, uint32_t iPath)
1017{
1018 Assert(iPath < pThis->cPaths);
1019
1020 uint32_t iCurPath = 0;
1021 PRTCRX509CERTPATHNODE pCurLeaf;
1022 RTListForEach(&pThis->LeafList, pCurLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
1023 {
1024 if (iCurPath == iPath)
1025 return pCurLeaf;
1026 iCurPath++;
1027 }
1028
1029 AssertFailedReturn(NULL);
1030}
1031
1032
1033static void rtDumpPrintf(PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser, const char *pszFormat, ...)
1034{
1035 va_list va;
1036 va_start(va, pszFormat);
1037 pfnPrintfV(pvUser, pszFormat, va);
1038 va_end(va);
1039}
1040
1041
1042static void rtDumpIndent(PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser, uint32_t cchSpaces, const char *pszFormat, ...)
1043{
1044 static const char s_szSpaces[] = " ";
1045 while (cchSpaces > 0)
1046 {
1047 uint32_t cchBurst = RT_MIN(sizeof(s_szSpaces) - 1, cchSpaces);
1048 rtDumpPrintf(pfnPrintfV, pvUser, &s_szSpaces[sizeof(s_szSpaces) - cchBurst - 1]);
1049 cchSpaces -= cchBurst;
1050 }
1051
1052 va_list va;
1053 va_start(va, pszFormat);
1054 pfnPrintfV(pvUser, pszFormat, va);
1055 va_end(va);
1056}
1057
1058/** @name X.500 attribute types
1059 * See RFC-4519 among others.
1060 * @{ */
1061#define RTCRX500_ID_AT_OBJECT_CLASS_OID "2.5.4.0"
1062#define RTCRX500_ID_AT_ALIASED_ENTRY_NAME_OID "2.5.4.1"
1063#define RTCRX500_ID_AT_KNOWLDGEINFORMATION_OID "2.5.4.2"
1064#define RTCRX500_ID_AT_COMMON_NAME_OID "2.5.4.3"
1065#define RTCRX500_ID_AT_SURNAME_OID "2.5.4.4"
1066#define RTCRX500_ID_AT_SERIAL_NUMBER_OID "2.5.4.5"
1067#define RTCRX500_ID_AT_COUNTRY_NAME_OID "2.5.4.6"
1068#define RTCRX500_ID_AT_LOCALITY_NAME_OID "2.5.4.7"
1069#define RTCRX500_ID_AT_STATE_OR_PROVINCE_NAME_OID "2.5.4.8"
1070#define RTCRX500_ID_AT_STREET_ADDRESS_OID "2.5.4.9"
1071#define RTCRX500_ID_AT_ORGANIZATION_NAME_OID "2.5.4.10"
1072#define RTCRX500_ID_AT_ORGANIZATION_UNIT_NAME_OID "2.5.4.11"
1073#define RTCRX500_ID_AT_TITLE_OID "2.5.4.12"
1074#define RTCRX500_ID_AT_DESCRIPTION_OID "2.5.4.13"
1075#define RTCRX500_ID_AT_SEARCH_GUIDE_OID "2.5.4.14"
1076#define RTCRX500_ID_AT_BUSINESS_CATEGORY_OID "2.5.4.15"
1077#define RTCRX500_ID_AT_POSTAL_ADDRESS_OID "2.5.4.16"
1078#define RTCRX500_ID_AT_POSTAL_CODE_OID "2.5.4.17"
1079#define RTCRX500_ID_AT_POST_OFFICE_BOX_OID "2.5.4.18"
1080#define RTCRX500_ID_AT_PHYSICAL_DELIVERY_OFFICE_NAME_OID "2.5.4.19"
1081#define RTCRX500_ID_AT_TELEPHONE_NUMBER_OID "2.5.4.20"
1082#define RTCRX500_ID_AT_TELEX_NUMBER_OID "2.5.4.21"
1083#define RTCRX500_ID_AT_TELETEX_TERMINAL_IDENTIFIER_OID "2.5.4.22"
1084#define RTCRX500_ID_AT_FACIMILE_TELEPHONE_NUMBER_OID "2.5.4.23"
1085#define RTCRX500_ID_AT_X121_ADDRESS_OID "2.5.4.24"
1086#define RTCRX500_ID_AT_INTERNATIONAL_ISDN_NUMBER_OID "2.5.4.25"
1087#define RTCRX500_ID_AT_REGISTERED_ADDRESS_OID "2.5.4.26"
1088#define RTCRX500_ID_AT_DESTINATION_INDICATOR_OID "2.5.4.27"
1089#define RTCRX500_ID_AT_PREFERRED_DELIVERY_METHOD_OID "2.5.4.28"
1090#define RTCRX500_ID_AT_PRESENTATION_ADDRESS_OID "2.5.4.29"
1091#define RTCRX500_ID_AT_SUPPORTED_APPLICATION_CONTEXT_OID "2.5.4.30"
1092#define RTCRX500_ID_AT_MEMBER_OID "2.5.4.31"
1093#define RTCRX500_ID_AT_OWNER_OID "2.5.4.32"
1094#define RTCRX500_ID_AT_ROLE_OCCUPANT_OID "2.5.4.33"
1095#define RTCRX500_ID_AT_SEE_ALSO_OID "2.5.4.34"
1096#define RTCRX500_ID_AT_USER_PASSWORD_OID "2.5.4.35"
1097#define RTCRX500_ID_AT_USER_CERTIFICATE_OID "2.5.4.36"
1098#define RTCRX500_ID_AT_CA_CERTIFICATE_OID "2.5.4.37"
1099#define RTCRX500_ID_AT_AUTHORITY_REVOCATION_LIST_OID "2.5.4.38"
1100#define RTCRX500_ID_AT_CERTIFICATE_REVOCATION_LIST_OID "2.5.4.39"
1101#define RTCRX500_ID_AT_CROSS_CERTIFICATE_PAIR_OID "2.5.4.40"
1102#define RTCRX500_ID_AT_NAME_OID "2.5.4.41"
1103#define RTCRX500_ID_AT_GIVEN_NAME_OID "2.5.4.42"
1104#define RTCRX500_ID_AT_INITIALS_OID "2.5.4.43"
1105#define RTCRX500_ID_AT_GENERATION_QUALIFIER_OID "2.5.4.44"
1106#define RTCRX500_ID_AT_UNIQUE_IDENTIFIER_OID "2.5.4.45"
1107#define RTCRX500_ID_AT_DN_QUALIFIER_OID "2.5.4.46"
1108#define RTCRX500_ID_AT_ENHANCHED_SEARCH_GUIDE_OID "2.5.4.47"
1109#define RTCRX500_ID_AT_PROTOCOL_INFORMATION_OID "2.5.4.48"
1110#define RTCRX500_ID_AT_DISTINGUISHED_NAME_OID "2.5.4.49"
1111#define RTCRX500_ID_AT_UNIQUE_MEMBER_OID "2.5.4.50"
1112#define RTCRX500_ID_AT_HOUSE_IDENTIFIER_OID "2.5.4.51"
1113#define RTCRX500_ID_AT_SUPPORTED_ALGORITHMS_OID "2.5.4.52"
1114#define RTCRX500_ID_AT_DELTA_REVOCATION_LIST_OID "2.5.4.53"
1115#define RTCRX500_ID_AT_ATTRIBUTE_CERTIFICATE_OID "2.5.4.58"
1116#define RTCRX500_ID_AT_PSEUDONYM_OID "2.5.4.65"
1117/** @} */
1118
1119
1120static void rtCrX509NameDump(PCRTCRX509NAME pName, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1121{
1122 for (uint32_t i = 0; i < pName->cItems; i++)
1123 {
1124 PCRTCRX509RELATIVEDISTINGUISHEDNAME const pRdn = pName->papItems[i];
1125 for (uint32_t j = 0; j < pRdn->cItems; j++)
1126 {
1127 PRTCRX509ATTRIBUTETYPEANDVALUE pAttrib = pRdn->papItems[j];
1128
1129 const char *pszType = pAttrib->Type.szObjId;
1130 if ( !strncmp(pAttrib->Type.szObjId, "2.5.4.", 6)
1131 && (pAttrib->Type.szObjId[8] == '\0' || pAttrib->Type.szObjId[9] == '\0'))
1132 {
1133 switch (RTStrToUInt8(&pAttrib->Type.szObjId[6]))
1134 {
1135 case 3: pszType = "cn"; break;
1136 case 4: pszType = "sn"; break;
1137 case 5: pszType = "serialNumber"; break;
1138 case 6: pszType = "c"; break;
1139 case 7: pszType = "l"; break;
1140 case 8: pszType = "st"; break;
1141 case 9: pszType = "street"; break;
1142 case 10: pszType = "o"; break;
1143 case 11: pszType = "ou"; break;
1144 case 13: pszType = "description"; break;
1145 case 15: pszType = "businessCategory"; break;
1146 case 16: pszType = "postalAddress"; break;
1147 case 17: pszType = "postalCode"; break;
1148 case 18: pszType = "postOfficeBox"; break;
1149 case 20: pszType = "telephoneNumber"; break;
1150 case 26: pszType = "registeredAddress"; break;
1151 case 31: pszType = "member"; break;
1152 case 41: pszType = "name"; break;
1153 case 42: pszType = "givenName"; break;
1154 case 43: pszType = "initials"; break;
1155 case 45: pszType = "x500UniqueIdentifier"; break;
1156 case 50: pszType = "uniqueMember"; break;
1157 }
1158 }
1159 rtDumpPrintf(pfnPrintfV, pvUser, "/%s=", pszType);
1160 if (pAttrib->Value.enmType == RTASN1TYPE_STRING)
1161 {
1162 if (pAttrib->Value.u.String.pszUtf8)
1163 rtDumpPrintf(pfnPrintfV, pvUser, "%s", pAttrib->Value.u.String.pszUtf8);
1164 else
1165 {
1166 const char *pch = pAttrib->Value.u.String.Asn1Core.uData.pch;
1167 uint32_t cch = pAttrib->Value.u.String.Asn1Core.cb;
1168 int rc = RTStrValidateEncodingEx(pch, cch, 0);
1169 if (RT_SUCCESS(rc) && cch)
1170 rtDumpPrintf(pfnPrintfV, pvUser, "%.*s", (size_t)cch, pch);
1171 else
1172 while (cch > 0)
1173 {
1174 if (RT_C_IS_PRINT(*pch))
1175 rtDumpPrintf(pfnPrintfV, pvUser, "%c", *pch);
1176 else
1177 rtDumpPrintf(pfnPrintfV, pvUser, "\\x%02x", *pch);
1178 cch--;
1179 pch++;
1180 }
1181 }
1182 }
1183 else
1184 rtDumpPrintf(pfnPrintfV, pvUser, "<not-string: uTag=%#x>", pAttrib->Value.u.Core.uTag);
1185 }
1186 }
1187}
1188
1189
1190static const char *rtCrX509CertPathsNodeGetSourceName(PRTCRX509CERTPATHNODE pNode)
1191{
1192 switch (pNode->uSrc)
1193 {
1194 case RTCRX509CERTPATHNODE_SRC_TARGET: return "target";
1195 case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_SET: return "untrusted_set";
1196 case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_ARRAY: return "untrusted_array";
1197 case RTCRX509CERTPATHNODE_SRC_UNTRUSTED_STORE: return "untrusted_store";
1198 case RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE: return "trusted_store";
1199 case RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT: return "trusted_cert";
1200 default: return "invalid";
1201 }
1202}
1203
1204
1205static void rtCrX509CertPathsDumpOneWorker(PRTCRX509CERTPATHSINT pThis, uint32_t iPath, PRTCRX509CERTPATHNODE pCurLeaf,
1206 uint32_t uVerbosity, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1207{
1208 RT_NOREF_PV(pThis);
1209 rtDumpPrintf(pfnPrintfV, pvUser, "Path #%u: %s, %u deep, rcVerify=%Rrc\n",
1210 iPath, RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCurLeaf->uSrc) ? "trusted" : "untrusted", pCurLeaf->uDepth,
1211 pCurLeaf->rcVerify);
1212
1213 for (uint32_t iIndent = 2; pCurLeaf; iIndent += 2, pCurLeaf = pCurLeaf->pParent)
1214 {
1215 if (pCurLeaf->pCert)
1216 {
1217 rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Issuer : ");
1218 rtCrX509NameDump(&pCurLeaf->pCert->TbsCertificate.Issuer, pfnPrintfV, pvUser);
1219 rtDumpPrintf(pfnPrintfV, pvUser, "\n");
1220
1221 rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Subject: ");
1222 rtCrX509NameDump(&pCurLeaf->pCert->TbsCertificate.Subject, pfnPrintfV, pvUser);
1223 rtDumpPrintf(pfnPrintfV, pvUser, "\n");
1224
1225 if (uVerbosity >= 4)
1226 RTAsn1Dump(&pCurLeaf->pCert->SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
1227 else if (uVerbosity >= 3)
1228 RTAsn1Dump(&pCurLeaf->pCert->TbsCertificate.T3.Extensions.SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
1229
1230 rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Valid : %s thru %s\n",
1231 RTTimeToString(&pCurLeaf->pCert->TbsCertificate.Validity.NotBefore.Time,
1232 pThis->szTmp, sizeof(pThis->szTmp) / 2),
1233 RTTimeToString(&pCurLeaf->pCert->TbsCertificate.Validity.NotAfter.Time,
1234 &pThis->szTmp[sizeof(pThis->szTmp) / 2], sizeof(pThis->szTmp) / 2) );
1235 }
1236 else
1237 {
1238 Assert(pCurLeaf->pCertCtx); Assert(pCurLeaf->pCertCtx->pTaInfo);
1239 rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Subject: ");
1240 rtCrX509NameDump(&pCurLeaf->pCertCtx->pTaInfo->CertPath.TaName, pfnPrintfV, pvUser);
1241
1242 if (uVerbosity >= 4)
1243 RTAsn1Dump(&pCurLeaf->pCertCtx->pTaInfo->SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
1244 }
1245
1246 const char *pszSrc = rtCrX509CertPathsNodeGetSourceName(pCurLeaf);
1247 rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Source : %s\n", pszSrc);
1248 }
1249}
1250
1251
1252RTDECL(int) RTCrX509CertPathsDumpOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t uVerbosity,
1253 PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1254{
1255 /*
1256 * Validate the input.
1257 */
1258 PRTCRX509CERTPATHSINT pThis = hCertPaths;
1259 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
1260 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
1261 AssertPtrReturn(pfnPrintfV, VERR_INVALID_POINTER);
1262 int rc;
1263 if (iPath < pThis->cPaths)
1264 {
1265 PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
1266 if (pLeaf)
1267 {
1268 rtCrX509CertPathsDumpOneWorker(pThis, iPath, pLeaf, uVerbosity, pfnPrintfV, pvUser);
1269 rc = VINF_SUCCESS;
1270 }
1271 else
1272 rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR;
1273 }
1274 else
1275 rc = VERR_NOT_FOUND;
1276 return rc;
1277}
1278
1279
1280RTDECL(int) RTCrX509CertPathsDumpAll(RTCRX509CERTPATHS hCertPaths, uint32_t uVerbosity, PFNRTDUMPPRINTFV pfnPrintfV, void *pvUser)
1281{
1282 /*
1283 * Validate the input.
1284 */
1285 PRTCRX509CERTPATHSINT pThis = hCertPaths;
1286 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
1287 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
1288 AssertPtrReturn(pfnPrintfV, VERR_INVALID_POINTER);
1289
1290 /*
1291 * Dump all the paths.
1292 */
1293 rtDumpPrintf(pfnPrintfV, pvUser, "%u paths, rc=%Rrc\n", pThis->cPaths, pThis->rc);
1294 uint32_t iPath = 0;
1295 PRTCRX509CERTPATHNODE pCurLeaf, pNextLeaf;
1296 RTListForEachSafe(&pThis->LeafList, pCurLeaf, pNextLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
1297 {
1298 rtCrX509CertPathsDumpOneWorker(pThis, iPath, pCurLeaf, uVerbosity, pfnPrintfV, pvUser);
1299 iPath++;
1300 }
1301
1302 return VINF_SUCCESS;
1303}
1304
1305
1306/** @} */
1307
1308
1309/** @name Path Validator Functions.
1310 * @{
1311 */
1312
1313
1314static void *rtCrX509CpvAllocZ(PRTCRX509CERTPATHSINT pThis, size_t cb, const char *pszWhat)
1315{
1316 void *pv = RTMemAllocZ(cb);
1317 if (!pv)
1318 pThis->rc = RTErrInfoSetF(pThis->pErrInfo, VERR_NO_MEMORY, "Failed to allocate %zu bytes for %s", cb, pszWhat);
1319 return pv;
1320}
1321
1322
1323DECL_NO_INLINE(static, bool) rtCrX509CpvFailed(PRTCRX509CERTPATHSINT pThis, int rc, const char *pszFormat, ...)
1324{
1325 va_list va;
1326 va_start(va, pszFormat);
1327 pThis->rc = RTErrInfoSetV(pThis->pErrInfo, rc, pszFormat, va);
1328 va_end(va);
1329 return false;
1330}
1331
1332
1333/**
1334 * Adds a sequence of excluded sub-trees.
1335 *
1336 * Don't waste time optimizing the output if this is supposed to be a union.
1337 * Unless the path is very long, it's a lot more work to optimize and the result
1338 * will be the same anyway.
1339 *
1340 * @returns success indicator.
1341 * @param pThis The validator instance.
1342 * @param pSubtrees The sequence of sub-trees to add.
1343 */
1344static bool rtCrX509CpvAddExcludedSubtrees(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREES pSubtrees)
1345{
1346 if (((pThis->v.cExcludedSubtrees + 1) & 0xf) == 0)
1347 {
1348 void *pvNew = RTMemRealloc(pThis->v.papExcludedSubtrees,
1349 (pThis->v.cExcludedSubtrees + 16) * sizeof(pThis->v.papExcludedSubtrees[0]));
1350 if (RT_UNLIKELY(!pvNew))
1351 return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Error growing subtrees pointer array to %u elements",
1352 pThis->v.cExcludedSubtrees + 16);
1353 pThis->v.papExcludedSubtrees = (PCRTCRX509GENERALSUBTREES *)pvNew;
1354 }
1355 pThis->v.papExcludedSubtrees[pThis->v.cExcludedSubtrees] = pSubtrees;
1356 pThis->v.cExcludedSubtrees++;
1357 return true;
1358}
1359
1360
1361/**
1362 * Checks if a sub-tree is according to RFC-5280.
1363 *
1364 * @returns Success indiciator.
1365 * @param pThis The validator instance.
1366 * @param pSubtree The subtree to check.
1367 */
1368static bool rtCrX509CpvCheckSubtreeValidity(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREE pSubtree)
1369{
1370 if ( pSubtree->Base.enmChoice <= RTCRX509GENERALNAMECHOICE_INVALID
1371 || pSubtree->Base.enmChoice >= RTCRX509GENERALNAMECHOICE_END)
1372 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNEXP_GENERAL_SUBTREE_CHOICE,
1373 "Unexpected GeneralSubtree choice %#x", pSubtree->Base.enmChoice);
1374
1375 if (RTAsn1Integer_UnsignedCompareWithU32(&pSubtree->Minimum, 0) != 0)
1376 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNEXP_GENERAL_SUBTREE_MIN,
1377 "Unexpected GeneralSubtree Minimum value: %#llx",
1378 pSubtree->Minimum.uValue);
1379
1380 if (RTAsn1Integer_IsPresent(&pSubtree->Maximum))
1381 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNEXP_GENERAL_SUBTREE_MAX,
1382 "Unexpected GeneralSubtree Maximum value: %#llx",
1383 pSubtree->Maximum.uValue);
1384
1385 return true;
1386}
1387
1388
1389/**
1390 * Grows the array of permitted sub-trees.
1391 *
1392 * @returns success indiciator.
1393 * @param pThis The validator instance.
1394 * @param cAdding The number of subtrees we should grow by
1395 * (relative to the current number of valid
1396 * entries).
1397 */
1398static bool rtCrX509CpvGrowPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, uint32_t cAdding)
1399{
1400 uint32_t cNew = RT_ALIGN_32(pThis->v.cPermittedSubtrees + cAdding, 16);
1401 if (cNew > pThis->v.cPermittedSubtreesAlloc)
1402 {
1403 if (cNew >= _4K)
1404 return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Too many permitted subtrees: %u (cur %u)",
1405 cNew, pThis->v.cPermittedSubtrees);
1406 void *pvNew = RTMemRealloc(pThis->v.papPermittedSubtrees, cNew * sizeof(pThis->v.papPermittedSubtrees[0]));
1407 if (RT_UNLIKELY(!pvNew))
1408 return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY, "Error growing subtrees pointer array from %u to %u elements",
1409 pThis->v.cPermittedSubtreesAlloc, cNew);
1410 pThis->v.papPermittedSubtrees = (PCRTCRX509GENERALSUBTREE *)pvNew;
1411 }
1412 return true;
1413}
1414
1415
1416/**
1417 * Adds a sequence of permitted sub-trees.
1418 *
1419 * We store reference to each individual sub-tree because we must support
1420 * intersection calculation.
1421 *
1422 * @returns success indiciator.
1423 * @param pThis The validator instance.
1424 * @param cSubtrees The number of sub-trees to add.
1425 * @param papSubtrees Array of sub-trees to add.
1426 */
1427static bool rtCrX509CpvAddPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, uint32_t cSubtrees,
1428 PRTCRX509GENERALSUBTREE const *papSubtrees)
1429{
1430 /*
1431 * If the array is empty, assume no permitted names.
1432 */
1433 if (!cSubtrees)
1434 {
1435 pThis->v.fNoPermittedSubtrees = true;
1436 return true;
1437 }
1438
1439 /*
1440 * Grow the array if necessary.
1441 */
1442 if (!rtCrX509CpvGrowPermittedSubtrees(pThis, cSubtrees))
1443 return false;
1444
1445 /*
1446 * Append each subtree to the array.
1447 */
1448 uint32_t iDst = pThis->v.cPermittedSubtrees;
1449 for (uint32_t iSrc = 0; iSrc < cSubtrees; iSrc++)
1450 {
1451 if (!rtCrX509CpvCheckSubtreeValidity(pThis, papSubtrees[iSrc]))
1452 return false;
1453 pThis->v.papPermittedSubtrees[iDst] = papSubtrees[iSrc];
1454 iDst++;
1455 }
1456 pThis->v.cPermittedSubtrees = iDst;
1457
1458 return true;
1459}
1460
1461
1462/**
1463 * Adds a one permitted sub-tree.
1464 *
1465 * We store reference to each individual sub-tree because we must support
1466 * intersection calculation.
1467 *
1468 * @returns success indiciator.
1469 * @param pThis The validator instance.
1470 * @param pSubtree Array of sub-trees to add.
1471 */
1472static bool rtCrX509CpvAddPermittedSubtree(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREE pSubtree)
1473{
1474 return rtCrX509CpvAddPermittedSubtrees(pThis, 1, (PRTCRX509GENERALSUBTREE const *)&pSubtree);
1475}
1476
1477
1478/**
1479 * Calculates the intersection between @a pSubtrees and the current permitted
1480 * sub-trees.
1481 *
1482 * @returns Success indicator.
1483 * @param pThis The validator instance.
1484 * @param pSubtrees The sub-tree sequence to intersect with.
1485 */
1486static bool rtCrX509CpvIntersectionPermittedSubtrees(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALSUBTREES pSubtrees)
1487{
1488 /*
1489 * Deal with special cases first.
1490 */
1491 if (pThis->v.fNoPermittedSubtrees)
1492 {
1493 Assert(pThis->v.cPermittedSubtrees == 0);
1494 return true;
1495 }
1496
1497 uint32_t cRight = pSubtrees->cItems;
1498 PRTCRX509GENERALSUBTREE const *papRight = pSubtrees->papItems;
1499 if (cRight == 0)
1500 {
1501 pThis->v.cPermittedSubtrees = 0;
1502 pThis->v.fNoPermittedSubtrees = true;
1503 return true;
1504 }
1505
1506 uint32_t cLeft = pThis->v.cPermittedSubtrees;
1507 PCRTCRX509GENERALSUBTREE *papLeft = pThis->v.papPermittedSubtrees;
1508 if (!cLeft) /* first name constraint, no initial constraint */
1509 return rtCrX509CpvAddPermittedSubtrees(pThis, cRight, papRight);
1510
1511 /*
1512 * Create a new array with the intersection, freeing the old (left) array
1513 * once we're done.
1514 */
1515 bool afRightTags[RTCRX509GENERALNAMECHOICE_END] = { 0, 0, 0, 0, 0, 0, 0, 0, 0 };
1516
1517 pThis->v.cPermittedSubtrees = 0;
1518 pThis->v.cPermittedSubtreesAlloc = 0;
1519 pThis->v.papPermittedSubtrees = NULL;
1520
1521 for (uint32_t iRight = 0; iRight < cRight; iRight++)
1522 {
1523 if (!rtCrX509CpvCheckSubtreeValidity(pThis, papRight[iRight]))
1524 return false;
1525
1526 RTCRX509GENERALNAMECHOICE const enmRightChoice = papRight[iRight]->Base.enmChoice;
1527 afRightTags[enmRightChoice] = true;
1528
1529 bool fHaveRight = false;
1530 for (uint32_t iLeft = 0; iLeft < cLeft; iLeft++)
1531 if (papLeft[iLeft]->Base.enmChoice == enmRightChoice)
1532 {
1533 if (RTCrX509GeneralSubtree_Compare(papLeft[iLeft], papRight[iRight]) == 0)
1534 {
1535 if (!fHaveRight)
1536 {
1537 fHaveRight = true;
1538 rtCrX509CpvAddPermittedSubtree(pThis, papLeft[iLeft]);
1539 }
1540 }
1541 else if (RTCrX509GeneralSubtree_ConstraintMatch(papLeft[iLeft], papRight[iRight]))
1542 {
1543 if (!fHaveRight)
1544 {
1545 fHaveRight = true;
1546 rtCrX509CpvAddPermittedSubtree(pThis, papRight[iRight]);
1547 }
1548 }
1549 else if (RTCrX509GeneralSubtree_ConstraintMatch(papRight[iRight], papLeft[iLeft]))
1550 rtCrX509CpvAddPermittedSubtree(pThis, papLeft[iLeft]);
1551 }
1552 }
1553
1554 /*
1555 * Add missing types not specified in the right set.
1556 */
1557 for (uint32_t iLeft = 0; iLeft < cLeft; iLeft++)
1558 if (!afRightTags[papLeft[iLeft]->Base.enmChoice])
1559 rtCrX509CpvAddPermittedSubtree(pThis, papLeft[iLeft]);
1560
1561 /*
1562 * If we ended up with an empty set, no names are permitted any more.
1563 */
1564 if (pThis->v.cPermittedSubtrees == 0)
1565 pThis->v.fNoPermittedSubtrees = true;
1566
1567 RTMemFree(papLeft);
1568 return RT_SUCCESS(pThis->rc);
1569}
1570
1571
1572/**
1573 * Check if the given X.509 name is permitted by current name constraints.
1574 *
1575 * @returns true is permitteded, false if not (caller set error info).
1576 * @param pThis The validator instance.
1577 * @param pName The name to match.
1578 */
1579static bool rtCrX509CpvIsNamePermitted(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAME pName)
1580{
1581 uint32_t i = pThis->v.cPermittedSubtrees;
1582 if (i == 0)
1583 return !pThis->v.fNoPermittedSubtrees;
1584
1585 while (i-- > 0)
1586 {
1587 PCRTCRX509GENERALSUBTREE pConstraint = pThis->v.papPermittedSubtrees[i];
1588 if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(&pConstraint->Base)
1589 && RTCrX509Name_ConstraintMatch(&pConstraint->Base.u.pT4->DirectoryName, pName))
1590 return true;
1591 }
1592 return false;
1593}
1594
1595
1596/**
1597 * Check if the given X.509 general name is permitted by current name
1598 * constraints.
1599 *
1600 * @returns true is permitteded, false if not (caller sets error info).
1601 * @param pThis The validator instance.
1602 * @param pGeneralName The name to match.
1603 */
1604static bool rtCrX509CpvIsGeneralNamePermitted(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALNAME pGeneralName)
1605{
1606 uint32_t i = pThis->v.cPermittedSubtrees;
1607 if (i == 0)
1608 return !pThis->v.fNoPermittedSubtrees;
1609
1610 while (i-- > 0)
1611 if (RTCrX509GeneralName_ConstraintMatch(&pThis->v.papPermittedSubtrees[i]->Base, pGeneralName))
1612 return true;
1613 return false;
1614}
1615
1616
1617/**
1618 * Check if the given X.509 name is excluded by current name constraints.
1619 *
1620 * @returns true if excluded (caller sets error info), false if not explicitly
1621 * excluded.
1622 * @param pThis The validator instance.
1623 * @param pName The name to match.
1624 */
1625static bool rtCrX509CpvIsNameExcluded(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAME pName)
1626{
1627 uint32_t i = pThis->v.cExcludedSubtrees;
1628 while (i-- > 0)
1629 {
1630 PCRTCRX509GENERALSUBTREES pSubTrees = pThis->v.papExcludedSubtrees[i];
1631 uint32_t j = pSubTrees->cItems;
1632 while (j-- > 0)
1633 {
1634 PCRTCRX509GENERALSUBTREE const pSubTree = pSubTrees->papItems[j];
1635 if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(&pSubTree->Base)
1636 && RTCrX509Name_ConstraintMatch(&pSubTree->Base.u.pT4->DirectoryName, pName))
1637 return true;
1638 }
1639 }
1640 return false;
1641}
1642
1643
1644/**
1645 * Check if the given X.509 general name is excluded by current name
1646 * constraints.
1647 *
1648 * @returns true if excluded (caller sets error info), false if not explicitly
1649 * excluded.
1650 * @param pThis The validator instance.
1651 * @param pGeneralName The name to match.
1652 */
1653static bool rtCrX509CpvIsGeneralNameExcluded(PRTCRX509CERTPATHSINT pThis, PCRTCRX509GENERALNAME pGeneralName)
1654{
1655 uint32_t i = pThis->v.cExcludedSubtrees;
1656 while (i-- > 0)
1657 {
1658 PCRTCRX509GENERALSUBTREES pSubTrees = pThis->v.papExcludedSubtrees[i];
1659 uint32_t j = pSubTrees->cItems;
1660 while (j-- > 0)
1661 if (RTCrX509GeneralName_ConstraintMatch(&pSubTrees->papItems[j]->Base, pGeneralName))
1662 return true;
1663 }
1664 return false;
1665}
1666
1667
1668/**
1669 * Creates a new node and inserts it.
1670 *
1671 * @param pThis The path builder & validator instance.
1672 * @param pParent The parent node. NULL for the root node.
1673 * @param iDepth The tree depth to insert at.
1674 * @param pValidPolicy The valid policy of the new node.
1675 * @param pQualifiers The qualifiers of the new node.
1676 * @param pExpectedPolicy The (first) expected polcy of the new node.
1677 */
1678static bool rtCrX509CpvPolicyTreeInsertNew(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pParent, uint32_t iDepth,
1679 PCRTASN1OBJID pValidPolicy, PCRTCRX509POLICYQUALIFIERINFOS pQualifiers,
1680 PCRTASN1OBJID pExpectedPolicy)
1681{
1682 Assert(iDepth <= pThis->v.cNodes);
1683
1684 PRTCRX509CERTPATHSPOLICYNODE pNode;
1685 pNode = (PRTCRX509CERTPATHSPOLICYNODE)rtCrX509CpvAllocZ(pThis, sizeof(*pNode), "policy tree node");
1686 if (pNode)
1687 {
1688 pNode->pParent = pParent;
1689 if (pParent)
1690 RTListAppend(&pParent->ChildList, &pNode->SiblingEntry);
1691 else
1692 {
1693 Assert(pThis->v.pValidPolicyTree == NULL);
1694 pThis->v.pValidPolicyTree = pNode;
1695 RTListInit(&pNode->SiblingEntry);
1696 }
1697 RTListInit(&pNode->ChildList);
1698 RTListAppend(&pThis->v.paValidPolicyDepthLists[iDepth], &pNode->DepthEntry);
1699
1700 pNode->pValidPolicy = pValidPolicy;
1701 pNode->pPolicyQualifiers = pQualifiers;
1702 pNode->pExpectedPolicyFirst = pExpectedPolicy;
1703 pNode->cMoreExpectedPolicySet = 0;
1704 pNode->papMoreExpectedPolicySet = NULL;
1705 return true;
1706 }
1707 return false;
1708}
1709
1710
1711/**
1712 * Unlinks and frees a node in the valid policy tree.
1713 *
1714 * @param pThis The path builder & validator instance.
1715 * @param pNode The node to destroy.
1716 */
1717static void rtCrX509CpvPolicyTreeDestroyNode(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pNode)
1718{
1719 Assert(RTListIsEmpty(&pNode->ChildList));
1720 if (pNode->pParent)
1721 RTListNodeRemove(&pNode->SiblingEntry);
1722 else
1723 pThis->v.pValidPolicyTree = NULL;
1724 RTListNodeRemove(&pNode->DepthEntry);
1725 pNode->pParent = NULL;
1726
1727 if (pNode->papMoreExpectedPolicySet)
1728 {
1729 RTMemFree(pNode->papMoreExpectedPolicySet);
1730 pNode->papMoreExpectedPolicySet = NULL;
1731 }
1732 RTMemFree(pNode);
1733}
1734
1735
1736/**
1737 * Unlinks and frees a sub-tree in the valid policy tree.
1738 *
1739 * @param pThis The path builder & validator instance.
1740 * @param pNode The node that is the root of the subtree.
1741 */
1742static void rtCrX509CpvPolicyTreeDestroySubtree(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHSPOLICYNODE pNode)
1743{
1744 if (!RTListIsEmpty(&pNode->ChildList))
1745 {
1746 PRTCRX509CERTPATHSPOLICYNODE pCur = pNode;
1747 do
1748 {
1749 Assert(!RTListIsEmpty(&pCur->ChildList));
1750
1751 /* Decend until we find a leaf. */
1752 do
1753 pCur = RTListGetFirst(&pCur->ChildList, RTCRX509CERTPATHSPOLICYNODE, SiblingEntry);
1754 while (!RTListIsEmpty(&pCur->ChildList));
1755
1756 /* Remove it and all leafy siblings. */
1757 PRTCRX509CERTPATHSPOLICYNODE pParent = pCur->pParent;
1758 do
1759 {
1760 Assert(pCur != pNode);
1761 rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1762 pCur = RTListGetFirst(&pParent->ChildList, RTCRX509CERTPATHSPOLICYNODE, SiblingEntry);
1763 if (!pCur)
1764 {
1765 pCur = pParent;
1766 pParent = pParent->pParent;
1767 }
1768 } while (RTListIsEmpty(&pCur->ChildList) && pCur != pNode);
1769 } while (pCur != pNode);
1770 }
1771
1772 rtCrX509CpvPolicyTreeDestroyNode(pThis, pNode);
1773}
1774
1775
1776
1777/**
1778 * Destroys the entire policy tree.
1779 *
1780 * @param pThis The path builder & validator instance.
1781 */
1782static void rtCrX509CpvPolicyTreeDestroy(PRTCRX509CERTPATHSINT pThis)
1783{
1784 uint32_t i = pThis->v.cNodes + 1;
1785 while (i-- > 0)
1786 {
1787 PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
1788 RTListForEachSafe(&pThis->v.paValidPolicyDepthLists[i], pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1789 {
1790 rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1791 }
1792 }
1793}
1794
1795
1796/**
1797 * Removes all leaf nodes at level @a iDepth and above.
1798 *
1799 * @param pThis The path builder & validator instance.
1800 * @param iDepth The depth to start pruning at.
1801 */
1802static void rtCrX509CpvPolicyTreePrune(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth)
1803{
1804 do
1805 {
1806 PRTLISTANCHOR pList = &pThis->v.paValidPolicyDepthLists[iDepth];
1807 PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
1808 RTListForEachSafe(pList, pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1809 {
1810 if (RTListIsEmpty(&pCur->ChildList))
1811 rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1812 }
1813
1814 } while (iDepth-- > 0);
1815}
1816
1817
1818/**
1819 * Checks if @a pPolicy is the valid policy of a child of @a pNode.
1820 *
1821 * @returns true if in child node, false if not.
1822 * @param pNode The node which children to check.
1823 * @param pPolicy The valid policy to look for among the children.
1824 */
1825static bool rtCrX509CpvPolicyTreeIsChild(PRTCRX509CERTPATHSPOLICYNODE pNode, PCRTASN1OBJID pPolicy)
1826{
1827 PRTCRX509CERTPATHSPOLICYNODE pChild;
1828 RTListForEach(&pNode->ChildList, pChild, RTCRX509CERTPATHSPOLICYNODE, SiblingEntry)
1829 {
1830 if (RTAsn1ObjId_Compare(pChild->pValidPolicy, pPolicy) == 0)
1831 return true;
1832 }
1833 return true;
1834}
1835
1836
1837/**
1838 * Prunes the valid policy tree according to the specified user policy set.
1839 *
1840 * @returns Pointer to the policy object from @a papPolicies if found, NULL if
1841 * no match.
1842 * @param pObjId The object ID to locate at match in the set.
1843 * @param cPolicies The number of policies in @a papPolicies.
1844 * @param papPolicies The policy set to search.
1845 */
1846static PCRTASN1OBJID rtCrX509CpvFindObjIdInPolicySet(PCRTASN1OBJID pObjId, uint32_t cPolicies, PCRTASN1OBJID *papPolicies)
1847{
1848 uint32_t i = cPolicies;
1849 while (i-- > 0)
1850 if (RTAsn1ObjId_Compare(pObjId, papPolicies[i]) == 0)
1851 return papPolicies[i];
1852 return NULL;
1853}
1854
1855
1856/**
1857 * Prunes the valid policy tree according to the specified user policy set.
1858 *
1859 * @returns success indicator (allocates memory)
1860 * @param pThis The path builder & validator instance.
1861 * @param cPolicies The number of policies in @a papPolicies.
1862 * @param papPolicies The user initial policies.
1863 */
1864static bool rtCrX509CpvPolicyTreeIntersect(PRTCRX509CERTPATHSINT pThis, uint32_t cPolicies, PCRTASN1OBJID *papPolicies)
1865{
1866 /*
1867 * 4.1.6.g.i - NULL tree remains NULL.
1868 */
1869 if (!pThis->v.pValidPolicyTree)
1870 return true;
1871
1872 /*
1873 * 4.1.6.g.ii - If the user set includes anyPolicy, the whole tree is the
1874 * result of the intersection.
1875 */
1876 uint32_t i = cPolicies;
1877 while (i-- > 0)
1878 if (RTAsn1ObjId_CompareWithString(papPolicies[i], RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
1879 return true;
1880
1881 /*
1882 * 4.1.6.g.iii - Complicated.
1883 */
1884 PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
1885 PRTLISTANCHOR pList;
1886
1887 /* 1 & 2: Delete nodes which parent has valid policy == anyPolicy and which
1888 valid policy is neither anyPolicy nor a member of papszPolicies.
1889 While doing so, construct a set of unused user policies that
1890 we'll replace anyPolicy nodes with in step 3. */
1891 uint32_t cPoliciesLeft = 0;
1892 PCRTASN1OBJID *papPoliciesLeft = NULL;
1893 if (cPolicies)
1894 {
1895 papPoliciesLeft = (PCRTASN1OBJID *)rtCrX509CpvAllocZ(pThis, cPolicies * sizeof(papPoliciesLeft[0]), "papPoliciesLeft");
1896 if (!papPoliciesLeft)
1897 return false;
1898 for (i = 0; i < cPolicies; i++)
1899 papPoliciesLeft[i] = papPolicies[i];
1900 }
1901
1902 for (uint32_t iDepth = 1; iDepth <= pThis->v.cNodes; iDepth++)
1903 {
1904 pList = &pThis->v.paValidPolicyDepthLists[iDepth];
1905 RTListForEachSafe(pList, pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1906 {
1907 Assert(pCur->pParent);
1908 if ( RTAsn1ObjId_CompareWithString(pCur->pParent->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0
1909 && RTAsn1ObjId_CompareWithString(pCur->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) != 0)
1910 {
1911 PCRTASN1OBJID pFound = rtCrX509CpvFindObjIdInPolicySet(pCur->pValidPolicy, cPolicies, papPolicies);
1912 if (!pFound)
1913 rtCrX509CpvPolicyTreeDestroySubtree(pThis, pCur);
1914 else
1915 for (i = 0; i < cPoliciesLeft; i++)
1916 if (papPoliciesLeft[i] == pFound)
1917 {
1918 cPoliciesLeft--;
1919 if (i < cPoliciesLeft)
1920 papPoliciesLeft[i] = papPoliciesLeft[cPoliciesLeft];
1921 papPoliciesLeft[cPoliciesLeft] = NULL;
1922 break;
1923 }
1924 }
1925 }
1926 }
1927
1928 /*
1929 * 4.1.5.g.iii.3 - Replace anyPolicy nodes on the final tree depth with
1930 * the policies in papPoliciesLeft.
1931 */
1932 pList = &pThis->v.paValidPolicyDepthLists[pThis->v.cNodes];
1933 RTListForEachSafe(pList, pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
1934 {
1935 if (RTAsn1ObjId_CompareWithString(pCur->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
1936 {
1937 for (i = 0; i < cPoliciesLeft; i++)
1938 rtCrX509CpvPolicyTreeInsertNew(pThis, pCur->pParent, pThis->v.cNodes - 1,
1939 papPoliciesLeft[i], pCur->pPolicyQualifiers, papPoliciesLeft[i]);
1940 rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
1941 }
1942 }
1943
1944 RTMemFree(papPoliciesLeft);
1945
1946 /*
1947 * 4.1.5.g.iii.4 - Prune the tree
1948 */
1949 rtCrX509CpvPolicyTreePrune(pThis, pThis->v.cNodes - 1);
1950
1951 return RT_SUCCESS(pThis->rc);
1952}
1953
1954
1955
1956/**
1957 * Frees the path validator state.
1958 *
1959 * @param pThis The path builder & validator instance.
1960 */
1961static void rtCrX509CpvCleanup(PRTCRX509CERTPATHSINT pThis)
1962{
1963 /*
1964 * Destroy the policy tree and all its nodes. We do this from the bottom
1965 * up via the depth lists, saving annoying tree traversal.
1966 */
1967 if (pThis->v.paValidPolicyDepthLists)
1968 {
1969 rtCrX509CpvPolicyTreeDestroy(pThis);
1970
1971 RTMemFree(pThis->v.paValidPolicyDepthLists);
1972 pThis->v.paValidPolicyDepthLists = NULL;
1973 }
1974
1975 Assert(pThis->v.pValidPolicyTree == NULL);
1976 pThis->v.pValidPolicyTree = NULL;
1977
1978 /*
1979 * Destroy the name constraint arrays.
1980 */
1981 if (pThis->v.papPermittedSubtrees)
1982 {
1983 RTMemFree(pThis->v.papPermittedSubtrees);
1984 pThis->v.papPermittedSubtrees = NULL;
1985 }
1986 pThis->v.cPermittedSubtrees = 0;
1987 pThis->v.cPermittedSubtreesAlloc = 0;
1988 pThis->v.fNoPermittedSubtrees = false;
1989
1990 if (pThis->v.papExcludedSubtrees)
1991 {
1992 RTMemFree(pThis->v.papExcludedSubtrees);
1993 pThis->v.papExcludedSubtrees = NULL;
1994 }
1995 pThis->v.cExcludedSubtrees = 0;
1996
1997 /*
1998 * Clear other pointers.
1999 */
2000 pThis->v.pWorkingIssuer = NULL;
2001 pThis->v.pWorkingPublicKey = NULL;
2002 pThis->v.pWorkingPublicKeyAlgorithm = NULL;
2003 pThis->v.pWorkingPublicKeyParameters = NULL;
2004}
2005
2006
2007/**
2008 * Initializes the state.
2009 *
2010 * Caller must check pThis->rc.
2011 *
2012 * @param pThis The path builder & validator instance.
2013 * @param pTrustAnchor The trust anchor node for the path that we're about
2014 * to validate.
2015 */
2016static void rtCrX509CpvInit(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pTrustAnchor)
2017{
2018 rtCrX509CpvCleanup(pThis);
2019
2020 /*
2021 * The node count does not include the trust anchor.
2022 */
2023 pThis->v.cNodes = pTrustAnchor->uDepth;
2024
2025 /*
2026 * Valid policy tree starts with an anyPolicy node.
2027 */
2028 uint32_t i = pThis->v.cNodes + 1;
2029 pThis->v.paValidPolicyDepthLists = (PRTLISTANCHOR)rtCrX509CpvAllocZ(pThis, i * sizeof(RTLISTANCHOR),
2030 "paValidPolicyDepthLists");
2031 if (RT_UNLIKELY(!pThis->v.paValidPolicyDepthLists))
2032 return;
2033 while (i-- > 0)
2034 RTListInit(&pThis->v.paValidPolicyDepthLists[i]);
2035
2036 if (!rtCrX509CpvPolicyTreeInsertNew(pThis, NULL, 0 /* iDepth*/, &pThis->AnyPolicyObjId, NULL, &pThis->AnyPolicyObjId))
2037 return;
2038 Assert(!RTListIsEmpty(&pThis->v.paValidPolicyDepthLists[0])); Assert(pThis->v.pValidPolicyTree);
2039
2040 /*
2041 * Name constrains.
2042 */
2043 if (pThis->pInitialPermittedSubtrees)
2044 rtCrX509CpvAddPermittedSubtrees(pThis, pThis->pInitialPermittedSubtrees->cItems,
2045 pThis->pInitialPermittedSubtrees->papItems);
2046 if (pThis->pInitialExcludedSubtrees)
2047 rtCrX509CpvAddExcludedSubtrees(pThis, pThis->pInitialExcludedSubtrees);
2048
2049 /*
2050 * Counters.
2051 */
2052 pThis->v.cExplicitPolicy = pThis->cInitialExplicitPolicy;
2053 pThis->v.cInhibitPolicyMapping = pThis->cInitialPolicyMappingInhibit;
2054 pThis->v.cInhibitAnyPolicy = pThis->cInitialInhibitAnyPolicy;
2055 pThis->v.cMaxPathLength = pThis->v.cNodes;
2056
2057 /*
2058 * Certificate info from the trust anchor.
2059 */
2060 if (pTrustAnchor->pCert)
2061 {
2062 PCRTCRX509TBSCERTIFICATE const pTbsCert = &pTrustAnchor->pCert->TbsCertificate;
2063 pThis->v.pWorkingIssuer = &pTbsCert->Subject;
2064 pThis->v.pWorkingPublicKey = &pTbsCert->SubjectPublicKeyInfo.SubjectPublicKey;
2065 pThis->v.pWorkingPublicKeyAlgorithm = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm;
2066 pThis->v.pWorkingPublicKeyParameters = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters;
2067 }
2068 else
2069 {
2070 Assert(pTrustAnchor->pCertCtx); Assert(pTrustAnchor->pCertCtx->pTaInfo);
2071
2072 PCRTCRTAFTRUSTANCHORINFO const pTaInfo = pTrustAnchor->pCertCtx->pTaInfo;
2073 pThis->v.pWorkingIssuer = &pTaInfo->CertPath.TaName;
2074 pThis->v.pWorkingPublicKey = &pTaInfo->PubKey.SubjectPublicKey;
2075 pThis->v.pWorkingPublicKeyAlgorithm = &pTaInfo->PubKey.Algorithm.Algorithm;
2076 pThis->v.pWorkingPublicKeyParameters = &pTaInfo->PubKey.Algorithm.Parameters;
2077 }
2078 if ( !RTASN1CORE_IS_PRESENT(&pThis->v.pWorkingPublicKeyParameters->u.Core)
2079 || pThis->v.pWorkingPublicKeyParameters->enmType == RTASN1TYPE_NULL)
2080 pThis->v.pWorkingPublicKeyParameters = NULL;
2081}
2082
2083
2084/**
2085 * This does basic trust anchor checks (similar to 6.1.3.a) before starting on
2086 * the RFC-5280 algorithm.
2087 */
2088static bool rtCrX509CpvMaybeCheckTrustAnchor(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pTrustAnchor)
2089{
2090 /*
2091 * This is optional (not part of RFC-5280) and we need a full certificate
2092 * structure to do it.
2093 */
2094 if (!(pThis->fFlags & RTCRX509CERTPATHSINT_F_CHECK_TRUST_ANCHOR))
2095 return true;
2096
2097 PCRTCRX509CERTIFICATE const pCert = pTrustAnchor->pCert;
2098 if (!pCert)
2099 return true;
2100
2101 /*
2102 * Verify the certificate signature if self-signed.
2103 */
2104 if (RTCrX509Certificate_IsSelfSigned(pCert))
2105 {
2106 int rc = RTCrX509Certificate_VerifySignature(pCert, pThis->v.pWorkingPublicKeyAlgorithm,
2107 pThis->v.pWorkingPublicKeyParameters, pThis->v.pWorkingPublicKey,
2108 pThis->pErrInfo);
2109 if (RT_FAILURE(rc))
2110 {
2111 pThis->rc = rc;
2112 return false;
2113 }
2114 }
2115
2116 /*
2117 * Verify that the certificate is valid at the specified time.
2118 */
2119 AssertCompile(sizeof(pThis->szTmp) >= 36 * 3);
2120 if ( (pThis->fFlags & RTCRX509CERTPATHSINT_F_VALID_TIME)
2121 && !RTCrX509Validity_IsValidAtTimeSpec(&pCert->TbsCertificate.Validity, &pThis->ValidTime))
2122 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_VALID_AT_TIME,
2123 "Certificate is not valid (ValidTime=%s Validity=[%s...%s])",
2124 RTTimeSpecToString(&pThis->ValidTime, &pThis->szTmp[0], 36),
2125 RTTimeToString(&pCert->TbsCertificate.Validity.NotBefore.Time, &pThis->szTmp[36], 36),
2126 RTTimeToString(&pCert->TbsCertificate.Validity.NotAfter.Time, &pThis->szTmp[2*36], 36) );
2127
2128 /*
2129 * Verified that the certficiate is not revoked.
2130 */
2131 /** @todo rainy day. */
2132
2133 /*
2134 * If non-leaf certificate CA must be set, if basic constraints are present.
2135 */
2136 if (pTrustAnchor->pParent)
2137 {
2138 if (RTAsn1Integer_UnsignedCompareWithU32(&pTrustAnchor->pCert->TbsCertificate.T0.Version, RTCRX509TBSCERTIFICATE_V3) != 0)
2139 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_V3_CERT,
2140 "Only version 3 TA certificates are supported (Version=%llu)",
2141 pTrustAnchor->pCert->TbsCertificate.T0.Version.uValue);
2142 PCRTCRX509BASICCONSTRAINTS pBasicConstraints = pTrustAnchor->pCert->TbsCertificate.T3.pBasicConstraints;
2143 if (pBasicConstraints && !pBasicConstraints->CA.fValue)
2144 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_CA_CERT,
2145 "Trust anchor certificate is not marked as a CA");
2146 }
2147
2148 return true;
2149}
2150
2151
2152/**
2153 * Step 6.1.3.a.
2154 */
2155static bool rtCrX509CpvCheckBasicCertInfo(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2156{
2157 /*
2158 * 6.1.3.a.1 - Verify the certificate signature.
2159 */
2160 int rc = RTCrX509Certificate_VerifySignature(pNode->pCert, pThis->v.pWorkingPublicKeyAlgorithm,
2161 pThis->v.pWorkingPublicKeyParameters, pThis->v.pWorkingPublicKey,
2162 pThis->pErrInfo);
2163 if (RT_FAILURE(rc))
2164 {
2165 pThis->rc = rc;
2166 return false;
2167 }
2168
2169 /*
2170 * 6.1.3.a.2 - Verify that the certificate is valid at the specified time.
2171 */
2172 AssertCompile(sizeof(pThis->szTmp) >= 36 * 3);
2173 if ( (pThis->fFlags & RTCRX509CERTPATHSINT_F_VALID_TIME)
2174 && !RTCrX509Validity_IsValidAtTimeSpec(&pNode->pCert->TbsCertificate.Validity, &pThis->ValidTime))
2175 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_VALID_AT_TIME,
2176 "Certificate is not valid (ValidTime=%s Validity=[%s...%s])",
2177 RTTimeSpecToString(&pThis->ValidTime, &pThis->szTmp[0], 36),
2178 RTTimeToString(&pNode->pCert->TbsCertificate.Validity.NotBefore.Time, &pThis->szTmp[36], 36),
2179 RTTimeToString(&pNode->pCert->TbsCertificate.Validity.NotAfter.Time, &pThis->szTmp[2*36], 36) );
2180
2181 /*
2182 * 6.1.3.a.3 - Verified that the certficiate is not revoked.
2183 */
2184 /** @todo rainy day. */
2185
2186 /*
2187 * 6.1.3.a.4 - Check the issuer name.
2188 */
2189 if (!RTCrX509Name_MatchByRfc5280(&pNode->pCert->TbsCertificate.Issuer, pThis->v.pWorkingIssuer))
2190 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_ISSUER_MISMATCH, "Issuer mismatch");
2191
2192 return true;
2193}
2194
2195
2196/**
2197 * Step 6.1.3.b-c.
2198 */
2199static bool rtCrX509CpvCheckNameConstraints(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2200{
2201 if (pThis->v.fNoPermittedSubtrees)
2202 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NO_PERMITTED_NAMES, "No permitted subtrees");
2203
2204 if ( pNode->pCert->TbsCertificate.Subject.cItems > 0
2205 && ( !rtCrX509CpvIsNamePermitted(pThis, &pNode->pCert->TbsCertificate.Subject)
2206 || rtCrX509CpvIsNameExcluded(pThis, &pNode->pCert->TbsCertificate.Subject)) )
2207 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NAME_NOT_PERMITTED,
2208 "Subject name is not permitted by current name constraints");
2209
2210 PCRTCRX509GENERALNAMES pAltSubjectName = pNode->pCert->TbsCertificate.T3.pAltSubjectName;
2211 if (pAltSubjectName)
2212 {
2213 uint32_t i = pAltSubjectName->cItems;
2214 while (i-- > 0)
2215 if ( !rtCrX509CpvIsGeneralNamePermitted(pThis, pAltSubjectName->papItems[i])
2216 || rtCrX509CpvIsGeneralNameExcluded(pThis, pAltSubjectName->papItems[i]))
2217 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_ALT_NAME_NOT_PERMITTED,
2218 "Alternative name #%u is is not permitted by current name constraints", i);
2219 }
2220
2221 return true;
2222}
2223
2224
2225/**
2226 * Step 6.1.3.d-f.
2227 */
2228static bool rtCrX509CpvWorkValidPolicyTree(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth, PRTCRX509CERTPATHNODE pNode,
2229 bool fSelfIssued)
2230{
2231 PCRTCRX509CERTIFICATEPOLICIES pPolicies = pNode->pCert->TbsCertificate.T3.pCertificatePolicies;
2232 if (pPolicies)
2233 {
2234 /*
2235 * 6.1.3.d.1 - Work the certiciate policies into the tree.
2236 */
2237 PRTCRX509CERTPATHSPOLICYNODE pCur;
2238 PRTLISTANCHOR pListAbove = &pThis->v.paValidPolicyDepthLists[iDepth - 1];
2239 uint32_t iAnyPolicy = UINT32_MAX;
2240 uint32_t i = pPolicies->cItems;
2241 while (i-- > 0)
2242 {
2243 PCRTCRX509POLICYQUALIFIERINFOS const pQualifiers = &pPolicies->papItems[i]->PolicyQualifiers;
2244 PCRTASN1OBJID const pIdP = &pPolicies->papItems[i]->PolicyIdentifier;
2245 if (RTAsn1ObjId_CompareWithString(pIdP, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2246 {
2247 iAnyPolicy++;
2248 continue;
2249 }
2250
2251 /*
2252 * 6.1.3.d.1.i - Create children for matching policies.
2253 */
2254 uint32_t cMatches = 0;
2255 RTListForEach(pListAbove, pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2256 {
2257 bool fMatch = RTAsn1ObjId_Compare(pCur->pExpectedPolicyFirst, pIdP) == 0;
2258 if (!fMatch && pCur->cMoreExpectedPolicySet)
2259 for (uint32_t j = 0; !fMatch && j < pCur->cMoreExpectedPolicySet; j++)
2260 fMatch = RTAsn1ObjId_Compare(pCur->papMoreExpectedPolicySet[j], pIdP) == 0;
2261 if (fMatch)
2262 {
2263 if (!rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pIdP, pQualifiers, pIdP))
2264 return false;
2265 cMatches++;
2266 }
2267 }
2268
2269 /*
2270 * 6.1.3.d.1.ii - If no matches above do the same for anyPolicy
2271 * nodes, only match with valid policy this time.
2272 */
2273 if (cMatches == 0)
2274 {
2275 RTListForEach(pListAbove, pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2276 {
2277 if (RTAsn1ObjId_CompareWithString(pCur->pExpectedPolicyFirst, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2278 {
2279 if (!rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pIdP, pQualifiers, pIdP))
2280 return false;
2281 }
2282 }
2283 }
2284 }
2285
2286 /*
2287 * 6.1.3.d.2 - If anyPolicy present, make sure all expected policies
2288 * are propagated to the current depth.
2289 */
2290 if ( iAnyPolicy < pPolicies->cItems
2291 && ( pThis->v.cInhibitAnyPolicy > 0
2292 || (pNode->pParent && fSelfIssued) ) )
2293 {
2294 PCRTCRX509POLICYQUALIFIERINFOS pApQ = &pPolicies->papItems[iAnyPolicy]->PolicyQualifiers;
2295 RTListForEach(pListAbove, pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2296 {
2297 if (!rtCrX509CpvPolicyTreeIsChild(pCur, pCur->pExpectedPolicyFirst))
2298 rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pCur->pExpectedPolicyFirst, pApQ,
2299 pCur->pExpectedPolicyFirst);
2300 for (uint32_t j = 0; j < pCur->cMoreExpectedPolicySet; j++)
2301 if (!rtCrX509CpvPolicyTreeIsChild(pCur, pCur->papMoreExpectedPolicySet[j]))
2302 rtCrX509CpvPolicyTreeInsertNew(pThis, pCur, iDepth, pCur->papMoreExpectedPolicySet[j], pApQ,
2303 pCur->papMoreExpectedPolicySet[j]);
2304 }
2305 }
2306 /*
2307 * 6.1.3.d.3 - Prune the tree.
2308 */
2309 else
2310 rtCrX509CpvPolicyTreePrune(pThis, iDepth - 1);
2311 }
2312 else
2313 {
2314 /*
2315 * 6.1.3.e - No policy extension present, set tree to NULL.
2316 */
2317 rtCrX509CpvPolicyTreeDestroy(pThis);
2318 }
2319
2320 /*
2321 * 6.1.3.f - NULL tree check.
2322 */
2323 if ( pThis->v.pValidPolicyTree == NULL
2324 && pThis->v.cExplicitPolicy == 0)
2325 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NO_VALID_POLICY,
2326 "An explicit policy is called for but the valid policy tree is NULL.");
2327 return RT_SUCCESS(pThis->rc);
2328}
2329
2330
2331/**
2332 * Step 6.1.4.a-b.
2333 */
2334static bool rtCrX509CpvSoakUpPolicyMappings(PRTCRX509CERTPATHSINT pThis, uint32_t iDepth,
2335 PCRTCRX509POLICYMAPPINGS pPolicyMappings)
2336{
2337 /*
2338 * 6.1.4.a - The anyPolicy is not allowed in policy mappings as it would
2339 * allow an evil intermediate certificate to expand the policy
2340 * scope of a certiciate chain without regard to upstream.
2341 */
2342 uint32_t i = pPolicyMappings->cItems;
2343 while (i-- > 0)
2344 {
2345 PCRTCRX509POLICYMAPPING const pOne = pPolicyMappings->papItems[i];
2346 if (RTAsn1ObjId_CompareWithString(&pOne->IssuerDomainPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2347 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_INVALID_POLICY_MAPPING,
2348 "Invalid policy mapping %#u: IssuerDomainPolicy is anyPolicy.", i);
2349
2350 if (RTAsn1ObjId_CompareWithString(&pOne->SubjectDomainPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2351 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_INVALID_POLICY_MAPPING,
2352 "Invalid policy mapping %#u: SubjectDomainPolicy is anyPolicy.", i);
2353 }
2354
2355 PRTCRX509CERTPATHSPOLICYNODE pCur, pNext;
2356 if (pThis->v.cInhibitPolicyMapping > 0)
2357 {
2358 /*
2359 * 6.1.4.b.1 - Do the policy mapping.
2360 */
2361 i = pPolicyMappings->cItems;
2362 while (i-- > 0)
2363 {
2364 PCRTCRX509POLICYMAPPING const pOne = pPolicyMappings->papItems[i];
2365
2366 uint32_t cFound = 0;
2367 RTListForEach(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2368 {
2369 if (RTAsn1ObjId_Compare(pCur->pValidPolicy, &pOne->IssuerDomainPolicy))
2370 {
2371 if (!pCur->fAlreadyMapped)
2372 {
2373 pCur->fAlreadyMapped = true;
2374 pCur->pExpectedPolicyFirst = &pOne->SubjectDomainPolicy;
2375 }
2376 else
2377 {
2378 uint32_t iExpected = pCur->cMoreExpectedPolicySet;
2379 void *pvNew = RTMemRealloc(pCur->papMoreExpectedPolicySet,
2380 sizeof(pCur->papMoreExpectedPolicySet[0]) * (iExpected + 1));
2381 if (!pvNew)
2382 return rtCrX509CpvFailed(pThis, VERR_NO_MEMORY,
2383 "Error growing papMoreExpectedPolicySet array (cur %u, depth %u)",
2384 pCur->cMoreExpectedPolicySet, iDepth);
2385 pCur->papMoreExpectedPolicySet = (PCRTASN1OBJID *)pvNew;
2386 pCur->papMoreExpectedPolicySet[iExpected] = &pOne->SubjectDomainPolicy;
2387 pCur->cMoreExpectedPolicySet = iExpected + 1;
2388 }
2389 cFound++;
2390 }
2391 }
2392
2393 /*
2394 * If no mapping took place, look for an anyPolicy node.
2395 */
2396 if (!cFound)
2397 {
2398 RTListForEach(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2399 {
2400 if (RTAsn1ObjId_CompareWithString(pCur->pValidPolicy, RTCRX509_ID_CE_CP_ANY_POLICY_OID) == 0)
2401 {
2402 if (!rtCrX509CpvPolicyTreeInsertNew(pThis, pCur->pParent, iDepth,
2403 &pOne->IssuerDomainPolicy,
2404 pCur->pPolicyQualifiers,
2405 &pOne->SubjectDomainPolicy))
2406 return false;
2407 break;
2408 }
2409 }
2410 }
2411 }
2412 }
2413 else
2414 {
2415 /*
2416 * 6.1.4.b.2 - Remove matching policies from the tree if mapping is
2417 * inhibited and prune the tree.
2418 */
2419 uint32_t cRemoved = 0;
2420 i = pPolicyMappings->cItems;
2421 while (i-- > 0)
2422 {
2423 PCRTCRX509POLICYMAPPING const pOne = pPolicyMappings->papItems[i];
2424 RTListForEachSafe(&pThis->v.paValidPolicyDepthLists[iDepth], pCur, pNext, RTCRX509CERTPATHSPOLICYNODE, DepthEntry)
2425 {
2426 if (RTAsn1ObjId_Compare(pCur->pValidPolicy, &pOne->IssuerDomainPolicy))
2427 {
2428 rtCrX509CpvPolicyTreeDestroyNode(pThis, pCur);
2429 cRemoved++;
2430 }
2431 }
2432 }
2433 if (cRemoved)
2434 rtCrX509CpvPolicyTreePrune(pThis, iDepth - 1);
2435 }
2436
2437 return true;
2438}
2439
2440
2441/**
2442 * Step 6.1.4.d-f & 6.1.5.c-e.
2443 */
2444static void rtCrX509CpvSetWorkingPublicKeyInfo(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2445{
2446 PCRTCRX509TBSCERTIFICATE const pTbsCert = &pNode->pCert->TbsCertificate;
2447
2448 /*
2449 * 6.1.4.d - The public key.
2450 */
2451 pThis->v.pWorkingPublicKey = &pTbsCert->SubjectPublicKeyInfo.SubjectPublicKey;
2452
2453 /*
2454 * 6.1.4.e - The public key parameters. Use new ones if present, keep old
2455 * if the algorithm remains the same.
2456 */
2457 if ( RTASN1CORE_IS_PRESENT(&pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters.u.Core)
2458 && pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters.enmType != RTASN1TYPE_NULL)
2459 pThis->v.pWorkingPublicKeyParameters = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Parameters;
2460 else if ( pThis->v.pWorkingPublicKeyParameters
2461 && RTAsn1ObjId_Compare(pThis->v.pWorkingPublicKeyAlgorithm, &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm) != 0)
2462 pThis->v.pWorkingPublicKeyParameters = NULL;
2463
2464 /*
2465 * 6.1.4.f - The public algorithm.
2466 */
2467 pThis->v.pWorkingPublicKeyAlgorithm = &pTbsCert->SubjectPublicKeyInfo.Algorithm.Algorithm;
2468}
2469
2470
2471/**
2472 * Step 6.1.4.g.
2473 */
2474static bool rtCrX509CpvSoakUpNameConstraints(PRTCRX509CERTPATHSINT pThis, PCRTCRX509NAMECONSTRAINTS pNameConstraints)
2475{
2476 if (pNameConstraints->T0.PermittedSubtrees.cItems > 0)
2477 if (!rtCrX509CpvIntersectionPermittedSubtrees(pThis, &pNameConstraints->T0.PermittedSubtrees))
2478 return false;
2479
2480 if (pNameConstraints->T1.ExcludedSubtrees.cItems > 0)
2481 if (!rtCrX509CpvAddExcludedSubtrees(pThis, &pNameConstraints->T1.ExcludedSubtrees))
2482 return false;
2483
2484 return true;
2485}
2486
2487
2488/**
2489 * Step 6.1.4.i.
2490 */
2491static bool rtCrX509CpvSoakUpPolicyConstraints(PRTCRX509CERTPATHSINT pThis, PCRTCRX509POLICYCONSTRAINTS pPolicyConstraints)
2492{
2493 if (RTAsn1Integer_IsPresent(&pPolicyConstraints->RequireExplicitPolicy))
2494 {
2495 if (RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->RequireExplicitPolicy, pThis->v.cExplicitPolicy) < 0)
2496 pThis->v.cExplicitPolicy = pPolicyConstraints->RequireExplicitPolicy.uValue.s.Lo;
2497 }
2498
2499 if (RTAsn1Integer_IsPresent(&pPolicyConstraints->InhibitPolicyMapping))
2500 {
2501 if (RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->InhibitPolicyMapping, pThis->v.cInhibitPolicyMapping) < 0)
2502 pThis->v.cInhibitPolicyMapping = pPolicyConstraints->InhibitPolicyMapping.uValue.s.Lo;
2503 }
2504 return true;
2505}
2506
2507
2508/**
2509 * Step 6.1.4.j.
2510 */
2511static bool rtCrX509CpvSoakUpInhibitAnyPolicy(PRTCRX509CERTPATHSINT pThis, PCRTASN1INTEGER pInhibitAnyPolicy)
2512{
2513 if (RTAsn1Integer_UnsignedCompareWithU32(pInhibitAnyPolicy, pThis->v.cInhibitAnyPolicy) < 0)
2514 pThis->v.cInhibitAnyPolicy = pInhibitAnyPolicy->uValue.s.Lo;
2515 return true;
2516}
2517
2518
2519/**
2520 * Steps 6.1.4.k, 6.1.4.l, 6.1.4.m, and 6.1.4.n.
2521 */
2522static bool rtCrX509CpvCheckAndSoakUpBasicConstraintsAndKeyUsage(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode,
2523 bool fSelfIssued)
2524{
2525 /* 6.1.4.k - If basic constraints present, CA must be set. */
2526 if (RTAsn1Integer_UnsignedCompareWithU32(&pNode->pCert->TbsCertificate.T0.Version, RTCRX509TBSCERTIFICATE_V3) != 0)
2527 {
2528 /* Note! Add flags if support for older certificates is needed later. */
2529 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_V3_CERT,
2530 "Only version 3 certificates are supported (Version=%llu)",
2531 pNode->pCert->TbsCertificate.T0.Version.uValue);
2532 }
2533 PCRTCRX509BASICCONSTRAINTS pBasicConstraints = pNode->pCert->TbsCertificate.T3.pBasicConstraints;
2534 if (pBasicConstraints)
2535 {
2536 if (!pBasicConstraints->CA.fValue)
2537 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NOT_CA_CERT,
2538 "Intermediate certificate (#%u) is not marked as a CA", pThis->v.iNode);
2539 }
2540
2541 /* 6.1.4.l - Work cMaxPathLength. */
2542 if (!fSelfIssued)
2543 {
2544 if (pThis->v.cMaxPathLength > 0)
2545 pThis->v.cMaxPathLength--;
2546 else
2547 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_MAX_PATH_LENGTH,
2548 "Hit max path length at node #%u", pThis->v.iNode);
2549 }
2550
2551 /* 6.1.4.m - Update cMaxPathLength if basic constrain field is present and smaller. */
2552 if (pBasicConstraints)
2553 {
2554 if (RTAsn1Integer_IsPresent(&pBasicConstraints->PathLenConstraint))
2555 if (RTAsn1Integer_UnsignedCompareWithU32(&pBasicConstraints->PathLenConstraint, pThis->v.cMaxPathLength) < 0)
2556 pThis->v.cMaxPathLength = pBasicConstraints->PathLenConstraint.uValue.s.Lo;
2557 }
2558
2559 /* 6.1.4.n - Require keyCertSign in key usage if the extension is present. */
2560 PCRTCRX509TBSCERTIFICATE const pTbsCert = &pNode->pCert->TbsCertificate;
2561 if ( (pTbsCert->T3.fFlags & RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE)
2562 && !(pTbsCert->T3.fKeyUsage & RTCRX509CERT_KEY_USAGE_F_KEY_CERT_SIGN))
2563 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_MISSING_KEY_CERT_SIGN,
2564 "Node #%u does not have KeyCertSign set (keyUsage=%#x)",
2565 pThis->v.iNode, pTbsCert->T3.fKeyUsage);
2566
2567 return true;
2568}
2569
2570
2571/**
2572 * Step 6.1.4.o - check out critical extensions.
2573 */
2574static bool rtCrX509CpvCheckCriticalExtensions(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2575{
2576 uint32_t cLeft = pNode->pCert->TbsCertificate.T3.Extensions.cItems;
2577 PRTCRX509EXTENSION const *ppCur = pNode->pCert->TbsCertificate.T3.Extensions.papItems;
2578 while (cLeft-- > 0)
2579 {
2580 PCRTCRX509EXTENSION const pCur = *ppCur;
2581 if (pCur->Critical.fValue)
2582 {
2583 if ( RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_KEY_USAGE_OID) != 0
2584 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID) != 0
2585 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_ISSUER_ALT_NAME_OID) != 0
2586 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID) != 0
2587 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_NAME_CONSTRAINTS_OID) != 0
2588 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID) != 0
2589 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_POLICY_MAPPINGS_OID) != 0
2590 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID) != 0
2591 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_EXT_KEY_USAGE_OID) != 0
2592 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID) != 0
2593 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_APPLICATION_OID) != 0
2594 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_INSTALLER_OID) != 0
2595 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_KEXT_OID) != 0
2596 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_IPHONE_SW_DEV_OID) != 0
2597 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCR_APPLE_CS_DEVID_MAC_SW_DEV_OID) != 0
2598 )
2599 {
2600 /* @bugref{10130}: An IntelGraphicsPE2021 cert issued by iKG_AZSKGFDCS has a critical subjectKeyIdentifier
2601 which we quietly ignore here. RFC-5280 conforming CAs should not mark this as critical.
2602 On an end entity this extension can have relevance to path construction. */
2603 if ( pNode->uSrc == RTCRX509CERTPATHNODE_SRC_TARGET
2604 && RTAsn1ObjId_CompareWithString(&pCur->ExtnId, RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID) == 0)
2605 LogFunc(("Ignoring non-standard subjectKeyIdentifier on target certificate.\n"));
2606 else
2607 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_UNKNOWN_CRITICAL_EXTENSION,
2608 "Node #%u has an unknown critical extension: %s",
2609 pThis->v.iNode, pCur->ExtnId.szObjId);
2610 }
2611 }
2612
2613 ppCur++;
2614 }
2615
2616 return true;
2617}
2618
2619
2620/**
2621 * Step 6.1.5 - The wrapping up.
2622 */
2623static bool rtCrX509CpvWrapUp(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pNode)
2624{
2625 Assert(!pNode->pParent); Assert(pThis->pTarget == pNode->pCert);
2626
2627 /*
2628 * 6.1.5.a - Decrement explicit policy.
2629 */
2630 if (pThis->v.cExplicitPolicy > 0)
2631 pThis->v.cExplicitPolicy--;
2632
2633 /*
2634 * 6.1.5.b - Policy constraints and explicit policy.
2635 */
2636 PCRTCRX509POLICYCONSTRAINTS pPolicyConstraints = pNode->pCert->TbsCertificate.T3.pPolicyConstraints;
2637 if ( pPolicyConstraints
2638 && RTAsn1Integer_IsPresent(&pPolicyConstraints->RequireExplicitPolicy)
2639 && RTAsn1Integer_UnsignedCompareWithU32(&pPolicyConstraints->RequireExplicitPolicy, 0) == 0)
2640 pThis->v.cExplicitPolicy = 0;
2641
2642 /*
2643 * 6.1.5.c-e - Update working public key info.
2644 */
2645 rtCrX509CpvSetWorkingPublicKeyInfo(pThis, pNode);
2646
2647 /*
2648 * 6.1.5.f - Critical extensions.
2649 */
2650 if (!rtCrX509CpvCheckCriticalExtensions(pThis, pNode))
2651 return false;
2652
2653 /*
2654 * 6.1.5.g - Calculate the intersection between the user initial policy set
2655 * and the valid policy tree.
2656 */
2657 rtCrX509CpvPolicyTreeIntersect(pThis, pThis->cInitialUserPolicySet, pThis->papInitialUserPolicySet);
2658
2659 if ( pThis->v.cExplicitPolicy == 0
2660 && pThis->v.pValidPolicyTree == NULL)
2661 return rtCrX509CpvFailed(pThis, VERR_CR_X509_CPV_NO_VALID_POLICY, "No valid policy (wrap-up).");
2662
2663 return true;
2664}
2665
2666
2667/**
2668 * Worker that validates one path.
2669 *
2670 * This implements the algorithm in RFC-5280, section 6.1, with exception of
2671 * the CRL checks in 6.1.3.a.3.
2672 *
2673 * @returns success indicator.
2674 * @param pThis The path builder & validator instance.
2675 * @param pTrustAnchor The trust anchor node.
2676 */
2677static bool rtCrX509CpvOneWorker(PRTCRX509CERTPATHSINT pThis, PRTCRX509CERTPATHNODE pTrustAnchor)
2678{
2679 /*
2680 * Init.
2681 */
2682 rtCrX509CpvInit(pThis, pTrustAnchor);
2683 if (RT_SUCCESS(pThis->rc))
2684 {
2685 /*
2686 * Maybe do some trust anchor checks.
2687 */
2688 if (!rtCrX509CpvMaybeCheckTrustAnchor(pThis, pTrustAnchor))
2689 {
2690 AssertStmt(RT_FAILURE_NP(pThis->rc), pThis->rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR);
2691 return false;
2692 }
2693
2694 /*
2695 * Special case, target certificate is trusted.
2696 */
2697 if (!pTrustAnchor->pParent)
2698 return true; /* rtCrX509CpvWrapUp should not be needed here. */
2699
2700 /*
2701 * Normal processing.
2702 */
2703 PRTCRX509CERTPATHNODE pNode = pTrustAnchor->pParent;
2704 uint32_t iNode = pThis->v.iNode = 1; /* We count to cNode (inclusive). Same a validation tree depth. */
2705 while (pNode && RT_SUCCESS(pThis->rc))
2706 {
2707 /*
2708 * Basic certificate processing.
2709 */
2710 if (!rtCrX509CpvCheckBasicCertInfo(pThis, pNode)) /* Step 6.1.3.a */
2711 break;
2712
2713 bool const fSelfIssued = rtCrX509CertPathsIsSelfIssued(pNode);
2714 if (!fSelfIssued || !pNode->pParent) /* Step 6.1.3.b-c */
2715 if (!rtCrX509CpvCheckNameConstraints(pThis, pNode))
2716 break;
2717
2718 if (!rtCrX509CpvWorkValidPolicyTree(pThis, iNode, pNode, fSelfIssued)) /* Step 6.1.3.d-f */
2719 break;
2720
2721 /*
2722 * If it's the last certificate in the path, do wrap-ups.
2723 */
2724 if (!pNode->pParent) /* Step 6.1.5 */
2725 {
2726 Assert(iNode == pThis->v.cNodes);
2727 if (!rtCrX509CpvWrapUp(pThis, pNode))
2728 break;
2729 AssertRCBreak(pThis->rc);
2730 return true;
2731 }
2732
2733 /*
2734 * Preparations for the next certificate.
2735 */
2736 PCRTCRX509TBSCERTIFICATE const pTbsCert = &pNode->pCert->TbsCertificate;
2737 if ( pTbsCert->T3.pPolicyMappings
2738 && !rtCrX509CpvSoakUpPolicyMappings(pThis, iNode, pTbsCert->T3.pPolicyMappings)) /* Step 6.1.4.a-b */
2739 break;
2740
2741 pThis->v.pWorkingIssuer = &pTbsCert->Subject; /* Step 6.1.4.c */
2742
2743 rtCrX509CpvSetWorkingPublicKeyInfo(pThis, pNode); /* Step 6.1.4.d-f */
2744
2745 if ( pTbsCert->T3.pNameConstraints /* Step 6.1.4.g */
2746 && !rtCrX509CpvSoakUpNameConstraints(pThis, pTbsCert->T3.pNameConstraints))
2747 break;
2748
2749 if (!fSelfIssued) /* Step 6.1.4.h */
2750 {
2751 if (pThis->v.cExplicitPolicy > 0)
2752 pThis->v.cExplicitPolicy--;
2753 if (pThis->v.cInhibitPolicyMapping > 0)
2754 pThis->v.cInhibitPolicyMapping--;
2755 if (pThis->v.cInhibitAnyPolicy > 0)
2756 pThis->v.cInhibitAnyPolicy--;
2757 }
2758
2759 if ( pTbsCert->T3.pPolicyConstraints /* Step 6.1.4.j */
2760 && !rtCrX509CpvSoakUpPolicyConstraints(pThis, pTbsCert->T3.pPolicyConstraints))
2761 break;
2762
2763 if ( pTbsCert->T3.pInhibitAnyPolicy /* Step 6.1.4.j */
2764 && !rtCrX509CpvSoakUpInhibitAnyPolicy(pThis, pTbsCert->T3.pInhibitAnyPolicy))
2765 break;
2766
2767 if (!rtCrX509CpvCheckAndSoakUpBasicConstraintsAndKeyUsage(pThis, pNode, fSelfIssued)) /* Step 6.1.4.k-n */
2768 break;
2769
2770 if (!rtCrX509CpvCheckCriticalExtensions(pThis, pNode)) /* Step 6.1.4.o */
2771 break;
2772
2773 /*
2774 * Advance to the next certificate.
2775 */
2776 pNode = pNode->pParent;
2777 pThis->v.iNode = ++iNode;
2778 }
2779 AssertStmt(RT_FAILURE_NP(pThis->rc), pThis->rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR);
2780 }
2781 return false;
2782}
2783
2784
2785RTDECL(int) RTCrX509CertPathsValidateOne(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, PRTERRINFO pErrInfo)
2786{
2787 /*
2788 * Validate the input.
2789 */
2790 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2791 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2792 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2793 AssertReturn(!(pThis->fFlags & ~RTCRX509CERTPATHSINT_F_VALID_MASK), VERR_INVALID_PARAMETER);
2794 AssertPtrReturn(pThis->pTarget, VERR_INVALID_PARAMETER);
2795 AssertPtrReturn(pThis->pRoot, VERR_INVALID_PARAMETER);
2796 AssertReturn(pThis->rc == VINF_SUCCESS, VERR_INVALID_PARAMETER);
2797
2798 /*
2799 * Locate the path and validate it.
2800 */
2801 int rc;
2802 if (iPath < pThis->cPaths)
2803 {
2804 PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2805 if (pLeaf)
2806 {
2807 if (RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pLeaf->uSrc))
2808 {
2809 pThis->pErrInfo = pErrInfo;
2810 rtCrX509CpvOneWorker(pThis, pLeaf);
2811 pThis->pErrInfo = NULL;
2812 rc = pThis->rc;
2813 pThis->rc = VINF_SUCCESS;
2814 }
2815 else
2816 rc = RTErrInfoSetF(pErrInfo, VERR_CR_X509_NO_TRUST_ANCHOR, "Path #%u is does not have a trust anchor: uSrc=%s",
2817 iPath, rtCrX509CertPathsNodeGetSourceName(pLeaf));
2818 pLeaf->rcVerify = rc;
2819 }
2820 else
2821 rc = VERR_CR_X509_CERTPATHS_INTERNAL_ERROR;
2822 }
2823 else
2824 rc = VERR_NOT_FOUND;
2825 return rc;
2826}
2827
2828
2829RTDECL(int) RTCrX509CertPathsValidateAll(RTCRX509CERTPATHS hCertPaths, uint32_t *pcValidPaths, PRTERRINFO pErrInfo)
2830{
2831 /*
2832 * Validate the input.
2833 */
2834 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2835 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2836 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2837 AssertReturn(!(pThis->fFlags & ~RTCRX509CERTPATHSINT_F_VALID_MASK), VERR_INVALID_PARAMETER);
2838 AssertPtrReturn(pThis->pTarget, VERR_INVALID_PARAMETER);
2839 AssertPtrReturn(pThis->pRoot, VERR_INVALID_PARAMETER);
2840 AssertReturn(pThis->rc == VINF_SUCCESS, VERR_INVALID_PARAMETER);
2841 AssertPtrNullReturn(pcValidPaths, VERR_INVALID_POINTER);
2842
2843 /*
2844 * Validate the paths.
2845 */
2846 pThis->pErrInfo = pErrInfo;
2847
2848 int rcLastFailure = VINF_SUCCESS;
2849 uint32_t cValidPaths = 0;
2850 PRTCRX509CERTPATHNODE pCurLeaf;
2851 RTListForEach(&pThis->LeafList, pCurLeaf, RTCRX509CERTPATHNODE, ChildListOrLeafEntry)
2852 {
2853 if (RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pCurLeaf->uSrc))
2854 {
2855 rtCrX509CpvOneWorker(hCertPaths, pCurLeaf);
2856 if (RT_SUCCESS(pThis->rc))
2857 cValidPaths++;
2858 else
2859 rcLastFailure = pThis->rc;
2860 pCurLeaf->rcVerify = pThis->rc;
2861 pThis->rc = VINF_SUCCESS;
2862 }
2863 else
2864 pCurLeaf->rcVerify = VERR_CR_X509_NO_TRUST_ANCHOR;
2865 }
2866
2867 pThis->pErrInfo = NULL;
2868
2869 if (pcValidPaths)
2870 *pcValidPaths = cValidPaths;
2871 if (cValidPaths > 0)
2872 return VINF_SUCCESS;
2873 if (RT_SUCCESS_NP(rcLastFailure))
2874 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_CPV_NO_TRUSTED_PATHS,
2875 "None of the %u path(s) have a trust anchor.", pThis->cPaths);
2876 return rcLastFailure;
2877}
2878
2879
2880RTDECL(uint32_t) RTCrX509CertPathsGetPathCount(RTCRX509CERTPATHS hCertPaths)
2881{
2882 /*
2883 * Validate the input.
2884 */
2885 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2886 AssertPtrReturn(pThis, UINT32_MAX);
2887 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, UINT32_MAX);
2888 AssertPtrReturn(pThis->pRoot, UINT32_MAX);
2889
2890 /*
2891 * Return data.
2892 */
2893 return pThis->cPaths;
2894}
2895
2896
2897RTDECL(int) RTCrX509CertPathsQueryPathInfo(RTCRX509CERTPATHS hCertPaths, uint32_t iPath,
2898 bool *pfTrusted, uint32_t *pcNodes, PCRTCRX509NAME *ppSubject,
2899 PCRTCRX509SUBJECTPUBLICKEYINFO *ppPublicKeyInfo,
2900 PCRTCRX509CERTIFICATE *ppCert, PCRTCRCERTCTX *ppCertCtx,
2901 int *prcVerify)
2902{
2903 /*
2904 * Validate the input.
2905 */
2906 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2907 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2908 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2909 AssertPtrReturn(pThis->pRoot, VERR_WRONG_ORDER);
2910 AssertReturn(iPath < pThis->cPaths, VERR_NOT_FOUND);
2911
2912 /*
2913 * Get the data.
2914 */
2915 PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2916 AssertReturn(pLeaf, VERR_CR_X509_INTERNAL_ERROR);
2917
2918 if (pfTrusted)
2919 *pfTrusted = RTCRX509CERTPATHNODE_SRC_IS_TRUSTED(pLeaf->uSrc);
2920
2921 if (pcNodes)
2922 *pcNodes = pLeaf->uDepth + 1; /* Includes both trust anchor and target. */
2923
2924 if (ppSubject)
2925 *ppSubject = pLeaf->pCert ? &pLeaf->pCert->TbsCertificate.Subject : &pLeaf->pCertCtx->pTaInfo->CertPath.TaName;
2926
2927 if (ppPublicKeyInfo)
2928 *ppPublicKeyInfo = pLeaf->pCert ? &pLeaf->pCert->TbsCertificate.SubjectPublicKeyInfo : &pLeaf->pCertCtx->pTaInfo->PubKey;
2929
2930 if (ppCert)
2931 *ppCert = pLeaf->pCert;
2932
2933 if (ppCertCtx)
2934 {
2935 if (pLeaf->pCertCtx)
2936 {
2937 uint32_t cRefs = RTCrCertCtxRetain(pLeaf->pCertCtx);
2938 AssertReturn(cRefs != UINT32_MAX, VERR_CR_X509_INTERNAL_ERROR);
2939 }
2940 *ppCertCtx = pLeaf->pCertCtx;
2941 }
2942
2943 if (prcVerify)
2944 *prcVerify = pLeaf->rcVerify;
2945
2946 return VINF_SUCCESS;
2947}
2948
2949
2950RTDECL(uint32_t) RTCrX509CertPathsGetPathLength(RTCRX509CERTPATHS hCertPaths, uint32_t iPath)
2951{
2952 /*
2953 * Validate the input.
2954 */
2955 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2956 AssertPtrReturn(pThis, UINT32_MAX);
2957 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, UINT32_MAX);
2958 AssertPtrReturn(pThis->pRoot, UINT32_MAX);
2959 AssertReturn(iPath < pThis->cPaths, UINT32_MAX);
2960
2961 /*
2962 * Get the data.
2963 */
2964 PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2965 AssertReturn(pLeaf, UINT32_MAX);
2966 return pLeaf->uDepth + 1;
2967}
2968
2969
2970RTDECL(int) RTCrX509CertPathsGetPathVerifyResult(RTCRX509CERTPATHS hCertPaths, uint32_t iPath)
2971{
2972 /*
2973 * Validate the input.
2974 */
2975 PRTCRX509CERTPATHSINT pThis = hCertPaths;
2976 AssertPtrReturn(pThis, VERR_INVALID_HANDLE);
2977 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, VERR_INVALID_HANDLE);
2978 AssertPtrReturn(pThis->pRoot, VERR_WRONG_ORDER);
2979 AssertReturn(iPath < pThis->cPaths, VERR_NOT_FOUND);
2980
2981 /*
2982 * Get the data.
2983 */
2984 PRTCRX509CERTPATHNODE pLeaf = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2985 AssertReturn(pLeaf, VERR_CR_X509_INTERNAL_ERROR);
2986
2987 return pLeaf->rcVerify;
2988}
2989
2990
2991static PRTCRX509CERTPATHNODE rtCrX509CertPathsGetPathNodeByIndexes(PRTCRX509CERTPATHSINT pThis, uint32_t iPath, uint32_t iNode)
2992{
2993 PRTCRX509CERTPATHNODE pNode = rtCrX509CertPathsGetLeafByIndex(pThis, iPath);
2994 Assert(pNode);
2995 if (pNode)
2996 {
2997 if (iNode <= pNode->uDepth)
2998 {
2999 uint32_t uCertDepth = pNode->uDepth - iNode;
3000 while (pNode->uDepth > uCertDepth)
3001 pNode = pNode->pParent;
3002 Assert(pNode);
3003 Assert(pNode && pNode->uDepth == uCertDepth);
3004 return pNode;
3005 }
3006 }
3007
3008 return NULL;
3009}
3010
3011
3012RTDECL(PCRTCRX509CERTIFICATE) RTCrX509CertPathsGetPathNodeCert(RTCRX509CERTPATHS hCertPaths, uint32_t iPath, uint32_t iNode)
3013{
3014 /*
3015 * Validate the input.
3016 */
3017 PRTCRX509CERTPATHSINT pThis = hCertPaths;
3018 AssertPtrReturn(pThis, NULL);
3019 AssertReturn(pThis->u32Magic == RTCRX509CERTPATHSINT_MAGIC, NULL);
3020 AssertPtrReturn(pThis->pRoot, NULL);
3021 AssertReturn(iPath < pThis->cPaths, NULL);
3022
3023 /*
3024 * Get the data.
3025 */
3026 PRTCRX509CERTPATHNODE pNode = rtCrX509CertPathsGetPathNodeByIndexes(pThis, iPath, iNode);
3027 if (pNode)
3028 return pNode->pCert;
3029 return NULL;
3030}
3031
3032
3033/** @} */
3034
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette