x509-core.cpp@ 56290

Last change on this file since 56290 was 56290, checked in by vboxsync, 10 years ago
IPRT: Updated (C) year.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 55.1 KB

Line
1	/* $Id: x509-core.cpp 56290 2015-06-09 14:01:31Z vboxsync $ */
2	/** @file
3	* IPRT - Crypto - X.509, Core APIs.
4	*/
5
6	/*
7	* Copyright (C) 2006-2015 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*
17	* The contents of this file may alternatively be used under the terms
18	* of the Common Development and Distribution License Version 1.0
19	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20	* VirtualBox OSE distribution, in which case the provisions of the
21	* CDDL are applicable instead of those of the GPL.
22	*
23	* You may elect to license modified versions of this file under the
24	* terms and conditions of either the GPL or the CDDL or both.
25	*/
26
27
28	/*******************************************************************************
29	* Header Files *
30	*******************************************************************************/
31	#include "internal/iprt.h"
32	#include <iprt/crypto/x509.h>
33
34	#include <iprt/err.h>
35	#include <iprt/string.h>
36	#include <iprt/uni.h>
37
38	#include "x509-internal.h"
39
40
41	/*
42	* Generate the code.
43	*/
44	#include <iprt/asn1-generator-core.h>
45
46
47	/*
48	* X.509 Validity.
49	*/
50
51	RTDECL(bool) RTCrX509Validity_IsValidAtTimeSpec(PCRTCRX509VALIDITY pThis, PCRTTIMESPEC pTimeSpec)
52	{
53	if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotBefore, pTimeSpec) > 0)
54	return false;
55	if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotAfter, pTimeSpec) < 0)
56	return false;
57	return true;
58	}
59
60
61	/*
62	* One X.509 Algorithm Identifier.
63	*/
64
65	RTDECL(RTDIGESTTYPE) RTCrX509AlgorithmIdentifier_QueryDigestType(PCRTCRX509ALGORITHMIDENTIFIER pThis)
66	{
67	AssertPtrReturn(pThis, RTDIGESTTYPE_INVALID);
68	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
69	return RTDIGESTTYPE_MD5;
70	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
71	return RTDIGESTTYPE_SHA1;
72	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
73	return RTDIGESTTYPE_SHA256;
74	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
75	return RTDIGESTTYPE_SHA512;
76
77	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
78	return RTDIGESTTYPE_SHA384;
79	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
80	return RTDIGESTTYPE_SHA224;
81	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
82	return RTDIGESTTYPE_SHA512T224;
83	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
84	return RTDIGESTTYPE_SHA512T256;
85	return RTDIGESTTYPE_INVALID;
86	}
87
88
89	RTDECL(uint32_t) RTCrX509AlgorithmIdentifier_QueryDigestSize(PCRTCRX509ALGORITHMIDENTIFIER pThis)
90	{
91	AssertPtrReturn(pThis, UINT32_MAX);
92
93	/* common */
94	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
95	return 128 / 8;
96	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
97	return 160 / 8;
98	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
99	return 256 / 8;
100	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
101	return 512 / 8;
102
103	/* Less common. */
104	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD2))
105	return 128 / 8;
106	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD4))
107	return 128 / 8;
108	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
109	return 384 / 8;
110	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
111	return 224 / 8;
112	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
113	return 224 / 8;
114	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
115	return 256 / 8;
116	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
117	return 512 / 8;
118
119	return UINT32_MAX;
120	}
121
122
123	RTDECL(int) RTCrX509AlgorithmIdentifier_CompareWithString(PCRTCRX509ALGORITHMIDENTIFIER pThis, const char *pszObjId)
124	{
125	return strcmp(pThis->Algorithm.szObjId, pszObjId);
126	}
127
128
129	RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestAndEncryptedDigest(PCRTCRX509ALGORITHMIDENTIFIER pDigest,
130	PCRTCRX509ALGORITHMIDENTIFIER pEncryptedDigest)
131	{
132	/* common */
133	if (!strcmp(pDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
134	{
135	if (!strcmp(pEncryptedDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA))
136	return 0;
137	}
138	else if (!strcmp(pDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
139	{
140	if (!strcmp(pEncryptedDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA))
141	return 0;
142	}
143	else if (!strcmp(pDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
144	{
145	if (!strcmp(pEncryptedDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA))
146	return 0;
147	}
148	else if (!strcmp(pDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
149	{
150	if (!strcmp(pEncryptedDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA))
151	return 0;
152	}
153	/* Less common. */
154	else if (!strcmp(pDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD2))
155	{
156	if (!strcmp(pEncryptedDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA))
157	return 0;
158	}
159	else if (!strcmp(pDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD4))
160	{
161	if (!strcmp(pEncryptedDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA))
162	return 0;
163	}
164	else if (!strcmp(pDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
165	{
166	if (!strcmp(pEncryptedDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA))
167	return 0;
168	}
169	else if (!strcmp(pDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
170	{
171	if (!strcmp(pEncryptedDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA))
172	return 0;
173	}
174	else if (!strcmp(pDigest->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
175	{
176	/* ?? */
177	}
178	else
179	return -1;
180	return 1;
181	}
182
183
184	/*
185	* Set of X.509 Algorithm Identifiers.
186	*/
187
188
189	/*
190	* One X.509 AttributeTypeAndValue.
191	*/
192
193
194	/*
195	* Set of X.509 AttributeTypeAndValues / X.509 RelativeDistinguishedName.
196	*/
197
198	/**
199	* Slow code path of rtCrX509CanNameIsNothing.
200	*
201	* @returns true if @uc maps to nothing, false if not.
202	* @param uc The unicode code point.
203	*/
204	static bool rtCrX509CanNameIsNothingSlow(RTUNICP uc)
205	{
206	switch (uc)
207	{
208	/* 2.2 Map - Paragraph 1: */
209	case 0x00ad:
210	case 0x1806:
211	case 0x034f:
212	case 0x180b: case 0x180c: case 0x180d:
213
214	case 0xfe00: case 0xfe01: case 0xfe02: case 0xfe03:
215	case 0xfe04: case 0xfe05: case 0xfe06: case 0xfe07:
216	case 0xfe08: case 0xfe09: case 0xfe0a: case 0xfe0b:
217	case 0xfe0c: case 0xfe0d: case 0xfe0e: case 0xfe0f:
218
219	case 0xfffc:
220
221	/* 2.2 Map - Paragraph 3 (control code/function): */
222	case 0x0000: case 0x0001: case 0x0002: case 0x0003:
223	case 0x0004: case 0x0005: case 0x0006: case 0x0007:
224	case 0x0008:
225
226	case 0x000e: case 0x000f:
227	case 0x0010: case 0x0011: case 0x0012: case 0x0013:
228	case 0x0014: case 0x0015: case 0x0016: case 0x0017:
229	case 0x0018: case 0x0019: case 0x001a: case 0x001b:
230	case 0x001c: case 0x001d: case 0x001e: case 0x001f:
231
232	case 0x007f:
233	case 0x0080: case 0x0081: case 0x0082: case 0x0083:
234	case 0x0084: /case 0x0085:/ case 0x0086: case 0x0087:
235	case 0x0088: case 0x0089: case 0x008a: case 0x008b:
236	case 0x008c: case 0x008d: case 0x008e: case 0x008f:
237	case 0x0090: case 0x0091: case 0x0092: case 0x0093:
238	case 0x0094: case 0x0095: case 0x0096: case 0x0097:
239	case 0x0098: case 0x0099: case 0x009a: case 0x009b:
240	case 0x009c: case 0x009d: case 0x009e: case 0x009f:
241
242	case 0x06dd:
243	case 0x070f:
244	case 0x180e:
245	case 0x200c: case 0x200d: case 0x200e: case 0x200f:
246	case 0x202a: case 0x202b: case 0x202c: case 0x202d: case 0x202e:
247	case 0x2060: case 0x2061: case 0x2062: case 0x2063:
248	case 0x206a: case 0x206b: case 0x206c: case 0x206d: case 0x206e: case 0x206f:
249	case 0xfeff:
250	case 0xfff9: case 0xfffa: case 0xfffb:
251	case 0x1d173: case 0x1d174: case 0x1d175: case 0x1d176: case 0x1d177: case 0x1d178: case 0x1d179: case 0x1d17a:
252	case 0xe0001:
253	case 0xe0020: case 0xe0021: case 0xe0022: case 0xe0023:
254	case 0xe0024: case 0xe0025: case 0xe0026: case 0xe0027:
255	case 0xe0028: case 0xe0029: case 0xe002a: case 0xe002b:
256	case 0xe002c: case 0xe002d: case 0xe002e: case 0xe002f:
257	case 0xe0030: case 0xe0031: case 0xe0032: case 0xe0033:
258	case 0xe0034: case 0xe0035: case 0xe0036: case 0xe0037:
259	case 0xe0038: case 0xe0039: case 0xe003a: case 0xe003b:
260	case 0xe003c: case 0xe003d: case 0xe003e: case 0xe003f:
261	case 0xe0040: case 0xe0041: case 0xe0042: case 0xe0043:
262	case 0xe0044: case 0xe0045: case 0xe0046: case 0xe0047:
263	case 0xe0048: case 0xe0049: case 0xe004a: case 0xe004b:
264	case 0xe004c: case 0xe004d: case 0xe004e: case 0xe004f:
265	case 0xe0050: case 0xe0051: case 0xe0052: case 0xe0053:
266	case 0xe0054: case 0xe0055: case 0xe0056: case 0xe0057:
267	case 0xe0058: case 0xe0059: case 0xe005a: case 0xe005b:
268	case 0xe005c: case 0xe005d: case 0xe005e: case 0xe005f:
269	case 0xe0060: case 0xe0061: case 0xe0062: case 0xe0063:
270	case 0xe0064: case 0xe0065: case 0xe0066: case 0xe0067:
271	case 0xe0068: case 0xe0069: case 0xe006a: case 0xe006b:
272	case 0xe006c: case 0xe006d: case 0xe006e: case 0xe006f:
273	case 0xe0070: case 0xe0071: case 0xe0072: case 0xe0073:
274	case 0xe0074: case 0xe0075: case 0xe0076: case 0xe0077:
275	case 0xe0078: case 0xe0079: case 0xe007a: case 0xe007b:
276	case 0xe007c: case 0xe007d: case 0xe007e: case 0xe007f:
277
278	/* 2.2 Map - Paragraph 4. */
279	case 0x200b:
280	return true;
281	}
282	return false;
283	}
284
285
286	/**
287	* Checks if @a uc maps to nothing according to mapping rules of RFC-5280 and
288	* RFC-4518.
289	*
290	* @returns true if @uc maps to nothing, false if not.
291	* @param uc The unicode code point.
292	*/
293	DECLINLINE(bool) rtCrX509CanNameIsNothing(RTUNICP uc)
294	{
295	if (uc > 0x001f && uc < 0x00ad)
296	return false;
297	return rtCrX509CanNameIsNothingSlow(uc);
298	}
299
300
301	/**
302	* Slow code path of rtCrX509CanNameIsSpace.
303	*
304	* @returns true if space, false if not.
305	* @param uc The unicode code point.
306	*/
307	static bool rtCrX509CanNameIsSpaceSlow(RTUNICP uc)
308	{
309	switch (uc)
310	{
311	/* 2.2 Map - Paragraph 2. */
312	case 0x09:
313	case 0x0a:
314	case 0x0b:
315	case 0x0c:
316	case 0x0d:
317	case 0x20:
318	case 0x0085:
319	case 0x00a0:
320	case 0x1680:
321	case 0x2000: case 0x2001: case 0x2002: case 0x2003:
322	case 0x2004: case 0x2005: case 0x2006: case 0x2007:
323	case 0x2008: case 0x2009: case 0x200a:
324	case 0x2028: case 0x2029:
325	case 0x202f:
326	case 0x205f:
327	case 0x3000:
328	return true;
329	}
330	return false;
331	}
332
333
334	/**
335	* Checks if @a uc is a space character according to the mapping rules of
336	* RFC-5280 and RFC-4518.
337	*
338	* @returns true if space, false if not.
339	* @param uc The unicode code point.
340	*/
341	DECLINLINE(bool) rtCrX509CanNameIsSpace(RTUNICP uc)
342	{
343	if (uc < 0x0085)
344	{
345	if (uc > 0x0020)
346	return false;
347	if (uc == 0x0020) /* space */
348	return true;
349	}
350	return rtCrX509CanNameIsSpaceSlow(uc);
351	}
352
353
354	static const char rtCrX509CanNameStripLeft(const char psz, size_t *pcch)
355	{
356	/*
357	* Return space when we've encountered the first non-space-non-nothing code point.
358	*/
359	const char * const pszStart = psz;
360	const char *pszPrev;
361	for (;;)
362	{
363	pszPrev = psz;
364	RTUNICP uc;
365	int rc = RTStrGetCpEx(&psz, &uc);
366	AssertRCBreak(rc);
367	if (!uc)
368	{
369	if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
370	break;
371	/* NUL inside the string, maps to nothing => ignore it. */
372	}
373	else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
374	break;
375	}
376	*pcch -= pszPrev - pszStart;
377	return pszPrev;
378	}
379
380
381	static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowSpace(const char *ppsz, size_t pcch)
382	{
383	/*
384	* Return space when we've encountered the first non-space-non-nothing code point.
385	*/
386	RTUNICP uc;
387	const char psz = ppsz;
388	const char * const pszStart = psz;
389	const char *pszPrev;
390	for (;;)
391	{
392	pszPrev = psz;
393	int rc = RTStrGetCpEx(&psz, &uc);
394	AssertRCBreakStmt(rc, uc = 0x20);
395	if (!uc)
396	{
397	if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
398	{
399	uc = 0; /* End of string: Ignore trailing spaces. */
400	break;
401	}
402	/* NUL inside the string, maps to nothing => ignore it. */
403	}
404	else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
405	{
406	uc = 0x20; /* Return space before current char. */
407	break;
408	}
409	}
410
411	*ppsz = pszPrev;
412	*pcch -= pszPrev - pszStart;
413	return uc;
414	}
415
416
417	DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpIgnoreNul(const char *ppsz, size_t pcch)
418	{
419	while (*pcch > 0)
420	{
421	const char psz = ppsz;
422	RTUNICP uc = *psz;
423	if (uc < 0x80)
424	{
425	*pcch -= 1;
426	*ppsz = psz + 1;
427	}
428	else
429	{
430	int rc = RTStrGetCpEx(ppsz, &uc);
431	AssertRCReturn(rc, uc);
432	size_t cchCp = *ppsz - psz;
433	AssertReturn(cchCp <= *pcch, 0);
434	*pcch -= cchCp;
435	}
436	if (uc != 0)
437	return uc;
438	}
439	return 0;
440	}
441
442
443	static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowNothing(const char *ppsz, size_t pcch)
444	{
445	/*
446	* Return first code point which doesn't map to nothing. If we encounter
447	* a space, we defer to the mapping-after-space routine above.
448	*/
449	for (;;)
450	{
451	RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
452	if (rtCrX509CanNameIsSpace(uc))
453	return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
454	if (!rtCrX509CanNameIsNothing(uc) \|\| uc == 0)
455	return uc;
456	}
457	}
458
459
460	DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpWithMapping(const char *ppsz, size_t pcch)
461	{
462	RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
463	if (uc)
464	{
465	if (!rtCrX509CanNameIsSpace(uc))
466	{
467	if (!rtCrX509CanNameIsNothing(uc))
468	return uc;
469	return rtCrX509CanNameGetNextCpWithMappingSlowNothing(ppsz, pcch);
470	}
471	return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
472	}
473	return uc;
474	}
475
476
477	RTDECL(bool) RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(PCRTCRX509ATTRIBUTETYPEANDVALUE pLeft,
478	PCRTCRX509ATTRIBUTETYPEANDVALUE pRight)
479	{
480	if (RTAsn1ObjId_Compare(&pLeft->Type, &pRight->Type) == 0)
481	{
482	/*
483	* Try for perfect match in case we get luck.
484	*/
485	#ifdef DEBUG_bird /* Want to test the complicated code path first */
486	if (pLeft->Value.enmType != RTASN1TYPE_STRING \|\| pRight->Value.enmType != RTASN1TYPE_STRING)
487	#endif
488	if (RTAsn1DynType_Compare(&pLeft->Value, &pRight->Value) == 0)
489	return true;
490
491	/*
492	* If both are string types, we can compare them according to RFC-5280.
493	*/
494	if ( pLeft->Value.enmType == RTASN1TYPE_STRING
495	&& pRight->Value.enmType == RTASN1TYPE_STRING)
496	{
497	size_t cchLeft;
498	const char *pszLeft;
499	int rc = RTAsn1String_QueryUtf8(&pLeft->Value.u.String, &pszLeft, &cchLeft);
500	if (RT_SUCCESS(rc))
501	{
502	size_t cchRight;
503	const char *pszRight;
504	rc = RTAsn1String_QueryUtf8(&pRight->Value.u.String, &pszRight, &cchRight);
505	if (RT_SUCCESS(rc))
506	{
507	/*
508	* Perform a simplified RFC-5280 comparsion.
509	* The algorithm as be relaxed on the following counts:
510	* 1. No unicode normalization.
511	* 2. Prohibited characters not checked for.
512	* 3. Bidirectional characters are not ignored.
513	*/
514	pszLeft = rtCrX509CanNameStripLeft(pszLeft, &cchLeft);
515	pszRight = rtCrX509CanNameStripLeft(pszRight, &cchRight);
516	while (pszLeft && pszRight)
517	{
518	RTUNICP ucLeft = rtCrX509CanNameGetNextCpWithMapping(&pszLeft, &cchLeft);
519	RTUNICP ucRight = rtCrX509CanNameGetNextCpWithMapping(&pszRight, &cchRight);
520	if (ucLeft != ucRight)
521	{
522	ucLeft = RTUniCpToLower(ucLeft);
523	ucRight = RTUniCpToLower(ucRight);
524	if (ucLeft != ucRight)
525	return false;
526	}
527	}
528
529	return cchRight == 0 && cchLeft == 0;
530	}
531	}
532	}
533	}
534	return false;
535	}
536
537
538	RTDECL(bool) RTCrX509RelativeDistinguishedName_MatchByRfc5280(PCRTCRX509RELATIVEDISTINGUISHEDNAME pLeft,
539	PCRTCRX509RELATIVEDISTINGUISHEDNAME pRight)
540	{
541	/*
542	* No match if the attribute count differs.
543	*/
544	uint32_t const cItems = pLeft->cItems;
545	if (cItems == pRight->cItems)
546	{
547	/*
548	* Compare each attribute, but don't insist on the same order nor
549	* bother checking for duplicates (too complicated).
550	*/
551	for (uint32_t iLeft = 0; iLeft < cItems; iLeft++)
552	{
553	PCRTCRX509ATTRIBUTETYPEANDVALUE pLeftAttr = &pLeft->paItems[iLeft];
554	bool fFound = false;
555	for (uint32_t iRight = 0; iRight < cItems; iRight++)
556	if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pLeftAttr, &pRight->paItems[iRight]))
557	{
558	fFound = true;
559	break;
560	}
561	if (!fFound)
562	return false;
563	}
564	return true;
565	}
566	return false;
567
568	}
569
570
571	/*
572	* X.509 Name.
573	*/
574
575	RTDECL(bool) RTCrX509Name_MatchByRfc5280(PCRTCRX509NAME pLeft, PCRTCRX509NAME pRight)
576	{
577	uint32_t const cItems = pLeft->cItems;
578	if (cItems == pRight->cItems)
579	{
580	/* Require exact order. */
581	for (uint32_t iRdn = 0; iRdn < cItems; iRdn++)
582	if (!RTCrX509RelativeDistinguishedName_MatchByRfc5280(&pLeft->paItems[iRdn], &pRight->paItems[iRdn]))
583	return false;
584	return true;
585	}
586	return false;
587	}
588
589
590	RTDECL(bool) RTCrX509Name_ConstraintMatch(PCRTCRX509NAME pConstraint, PCRTCRX509NAME pName)
591	{
592	/*
593	* Check that the constraint is a prefix of the name. This means that
594	* the name must have at least as many components and the constraint.
595	*/
596	if (pName->cItems >= pConstraint->cItems)
597	{
598	/*
599	* Parallel crawl of the two RDNs arrays.
600	*/
601	for (uint32_t i = 0; pConstraint->cItems; i++)
602	{
603	PCRTCRX509RELATIVEDISTINGUISHEDNAME pConstrRdns = &pConstraint->paItems[i];
604	PCRTCRX509RELATIVEDISTINGUISHEDNAME pNameRdns = &pName->paItems[i];
605
606	/*
607	* Walk the constraint attribute & value array.
608	*/
609	for (uint32_t iConstrAttrib = 0; iConstrAttrib < pConstrRdns->cItems; iConstrAttrib++)
610	{
611	PCRTCRX509ATTRIBUTETYPEANDVALUE pConstrAttrib = &pConstrRdns->paItems[iConstrAttrib];
612
613	/*
614	* Find matching attribute & value in the name.
615	*/
616	bool fFound = false;
617	for (uint32_t iNameAttrib = 0; iNameAttrib < pNameRdns->cItems; iNameAttrib++)
618	if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pConstrAttrib, &pNameRdns->paItems[iNameAttrib]))
619	{
620	fFound = true;
621	break;
622	}
623	if (fFound)
624	return false;
625	}
626	}
627	return true;
628	}
629	return false;
630	}
631
632
633	/**
634	* Mapping between X.500 object IDs and short and long names.
635	*
636	* See RFC-1327, ...
637	*/
638	static struct
639	{
640	const char *pszOid;
641	const char *pszShortNm;
642	size_t cchShortNm;
643	const char *pszLongNm;
644	} const g_aRdnMap[] =
645	{
646	{ "0.9.2342.19200300.100.1.3", RT_STR_TUPLE("Mail"), "Rfc822Mailbox" },
647	{ "0.9.2342.19200300.100.1.25", RT_STR_TUPLE("DC"), "DomainComponent" },
648	{ "1.2.840.113549.1.9.1", RT_STR_TUPLE("Email"), "EmailAddress" },
649	{ "2.5.4.3", RT_STR_TUPLE("CN"), "CommonName" },
650	{ "2.5.4.4", RT_STR_TUPLE("S"), "Surname" },
651	{ "2.5.4.6", RT_STR_TUPLE("C"), "CountryName" },
652	{ "2.5.4.7", RT_STR_TUPLE("L"), "LocalityName" },
653	{ "2.5.4.8", RT_STR_TUPLE("ST"), "StatOrProviceName" },
654	{ "2.5.4.10", RT_STR_TUPLE("O"), "OrganizationName" },
655	{ "2.5.4.11", RT_STR_TUPLE("OU"), "OrganizationUnitName" },
656	{ "2.5.4.42", RT_STR_TUPLE("G"), "GivenName" },
657	{ "2.5.4.43", RT_STR_TUPLE("I"), "Initials" },
658	{ "2.5.4.44", RT_STR_TUPLE("GQ"), "GenerationQualifier" },
659	};
660
661
662	RTDECL(bool) RTCrX509Name_MatchWithString(PCRTCRX509NAME pThis, const char *pszString)
663	{
664	/* Keep track of the string length. */
665	size_t cchString = strlen(pszString);
666
667	/*
668	* The usual double loop for walking the components.
669	*/
670	for (uint32_t i = 0; i < pThis->cItems; i++)
671	{
672	PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = &pThis->paItems[i];
673	for (uint32_t j = 0; j < pRdn->cItems; j++)
674	{
675	PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = &pRdn->paItems[j];
676
677	/*
678	* Must be a string.
679	*/
680	if (pComponent->Value.enmType != RTASN1TYPE_STRING)
681	return false;
682
683	/*
684	* Look up the component name prefix and check whether it's also in the string.
685	*/
686	uint32_t iName = RT_ELEMENTS(g_aRdnMap);
687	while (iName-- > 0)
688	if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
689	break;
690	AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId), false);
691
692	if ( strncmp(pszString, g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm) != 0
693	\|\| pszString[g_aRdnMap[iName].cchShortNm] != '=')
694	return false;
695
696	pszString += g_aRdnMap[iName].cchShortNm + 1;
697	cchString -= g_aRdnMap[iName].cchShortNm + 1;
698
699	/*
700	* Compare the component string.
701	*/
702	size_t cchComponent;
703	int rc = RTAsn1String_QueryUtf8Len(&pComponent->Value.u.String, &cchComponent);
704	AssertRCReturn(rc, false);
705
706	if (cchComponent > cchString)
707	return false;
708	if (RTAsn1String_CompareWithString(&pComponent->Value.u.String, pszString, cchComponent) != 0)
709	return false;
710
711	cchString -= cchComponent;
712	pszString += cchComponent;
713
714	/*
715	* Check separator comma + space and skip extra spaces before the next component.
716	*/
717	if (cchString)
718	{
719	if (pszString[0] != ',')
720	return false;
721	if (pszString[1] != ' ' && pszString[1] != '\t')
722	return false;
723	pszString += 2;
724	cchString -= 2;
725
726	while (pszString == ' ' \|\| pszString == '\t')
727	{
728	pszString++;
729	cchString--;
730	}
731	}
732	}
733	}
734
735	/*
736	* If we got thru the whole name and the whole string, we're good.
737	*/
738	return *pszString == '\0';
739	}
740
741
742	RTDECL(int) RTCrX509Name_FormatAsString(PCRTCRX509NAME pThis, char pszBuf, size_t cbBuf, size_t pcbActual)
743	{
744	/*
745	* The usual double loop for walking the components.
746	*/
747	size_t off = 0;
748	int rc = VINF_SUCCESS;
749	for (uint32_t i = 0; i < pThis->cItems; i++)
750	{
751	PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = &pThis->paItems[i];
752	for (uint32_t j = 0; j < pRdn->cItems; j++)
753	{
754	PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = &pRdn->paItems[j];
755
756	/*
757	* Must be a string.
758	*/
759	if (pComponent->Value.enmType != RTASN1TYPE_STRING)
760	return VERR_CR_X509_NAME_NOT_STRING;
761
762	/*
763	* Look up the component name prefix.
764	*/
765	uint32_t iName = RT_ELEMENTS(g_aRdnMap);
766	while (iName-- > 0)
767	if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
768	break;
769	AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId),
770	VERR_CR_X509_NAME_MISSING_RDN_MAP_ENTRY);
771
772	/*
773	* Append the prefix.
774	*/
775	if (off)
776	{
777	if (off + 2 < cbBuf)
778	{
779	pszBuf[off] = ',';
780	pszBuf[off + 1] = ' ';
781	}
782	else
783	rc = VERR_BUFFER_OVERFLOW;
784	off += 2;
785	}
786
787	if (off + g_aRdnMap[iName].cchShortNm + 1 < cbBuf)
788	{
789	memcpy(&pszBuf[off], g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm);
790	pszBuf[off + g_aRdnMap[iName].cchShortNm] = '=';
791	}
792	else
793	rc = VERR_BUFFER_OVERFLOW;
794	off += g_aRdnMap[iName].cchShortNm + 1;
795
796	/*
797	* Add the component string.
798	*/
799	const char *pszUtf8;
800	size_t cchUtf8;
801	int rc2 = RTAsn1String_QueryUtf8(&pComponent->Value.u.String, &pszUtf8, &cchUtf8);
802	AssertRCReturn(rc2, rc2);
803	if (off + cchUtf8 < cbBuf)
804	memcpy(&pszBuf[off], pszUtf8, cchUtf8);
805	else
806	rc = VERR_BUFFER_OVERFLOW;
807	off += cchUtf8;
808	}
809	}
810
811	if (pcbActual)
812	*pcbActual = off + 1;
813	if (off < cbBuf)
814	pszBuf[off] = '\0';
815	return rc;
816	}
817
818
819
820	/*
821	* One X.509 GeneralName.
822	*/
823
824	/**
825	* Name constraint matching (RFC-5280): DNS Name.
826	*
827	* @returns true on match, false on mismatch.
828	* @param pConstraint The constraint name.
829	* @param pName The name to match against the constraint.
830	*/
831	static bool rtCrX509GeneralName_ConstraintMatchDnsName(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
832	{
833	/*
834	* Empty constraint string is taken to match everything.
835	*/
836	if (pConstraint->u.pT2_DnsName->Asn1Core.cb == 0)
837	return true;
838
839	/*
840	* Get the UTF-8 strings for the two.
841	*/
842	size_t cchConstraint;
843	char const *pszConstraint;
844	int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT2_DnsName, &pszConstraint, &cchConstraint);
845	if (RT_SUCCESS(rc))
846	{
847	size_t cchFull;
848	char const *pszFull;
849	rc = RTAsn1String_QueryUtf8(pName->u.pT2_DnsName, &pszFull, &cchFull);
850	if (RT_SUCCESS(rc))
851	{
852	/*
853	* No match if the constraint is longer.
854	*/
855	if (cchConstraint > cchFull)
856	return false;
857
858	/*
859	* No match if the constraint and name tail doesn't match
860	* in a case-insensitive compare.
861	*/
862	size_t offFull = cchFull - cchConstraint;
863	if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
864	return false;
865	if (!offFull)
866	return true;
867
868	/*
869	* The matching constraint must be delimited by a dot in the full
870	* name. There seems to be some discussion whether ".oracle.com"
871	* should match "www..oracle.com". This implementation does choose
872	* to not succeed in that case.
873	*/
874	if ((pszFull[offFull - 1] == '.') ^ (pszFull[offFull] == '.'))
875	return true;
876
877	return false;
878	}
879	}
880
881	/* fall back. */
882	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
883	}
884
885
886	/**
887	* Name constraint matching (RFC-5280): RFC-822 (email).
888	*
889	* @returns true on match, false on mismatch.
890	* @param pConstraint The constraint name.
891	* @param pName The name to match against the constraint.
892	*/
893	static bool rtCrX509GeneralName_ConstraintMatchRfc822Name(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
894	{
895	/*
896	* Empty constraint string is taken to match everything.
897	*/
898	if (pConstraint->u.pT1_Rfc822->Asn1Core.cb == 0)
899	return true;
900
901	/*
902	* Get the UTF-8 strings for the two.
903	*/
904	size_t cchConstraint;
905	char const *pszConstraint;
906	int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT1_Rfc822, &pszConstraint, &cchConstraint);
907	if (RT_SUCCESS(rc))
908	{
909	size_t cchFull;
910	char const *pszFull;
911	rc = RTAsn1String_QueryUtf8(pName->u.pT1_Rfc822, &pszFull, &cchFull);
912	if (RT_SUCCESS(rc))
913	{
914	/*
915	* No match if the constraint is longer.
916	*/
917	if (cchConstraint > cchFull)
918	return false;
919
920	/*
921	* A lone dot matches everything.
922	*/
923	if (cchConstraint == 1 && *pszConstraint == '.')
924	return true;
925
926	/*
927	* If there is a '@' in the constraint, the entire address must match.
928	*/
929	const char pszConstraintAt = (const char )memchr(pszConstraint, '@', cchConstraint);
930	if (pszConstraintAt)
931	return cchConstraint == cchFull && RTStrICmp(pszConstraint, pszFull) == 0;
932
933	/*
934	* No match if the constraint and name tail doesn't match
935	* in a case-insensitive compare.
936	*/
937	size_t offFull = cchFull - cchConstraint;
938	if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
939	return false;
940
941	/*
942	* If the constraint starts with a dot, we're supposed to be
943	* satisfied with a tail match.
944	*/
945	/** @todo Check if this should match even if offFull == 0. */
946	if (*pszConstraint == '.')
947	return true;
948
949	/*
950	* Otherwise, we require a hostname match and thus expect an '@'
951	* immediatly preceding the constraint match.
952	*/
953	if (pszFull[offFull - 1] == '@')
954	return true;
955
956	return false;
957	}
958	}
959
960	/* fall back. */
961	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
962	}
963
964
965	/**
966	* Extracts the hostname from an URI.
967	*
968	* @returns true if successfully extract, false if no hostname present.
969	* @param pszUri The URI.
970	* @param pchHostName .
971	* @param pcchHostName .
972	*/
973	static bool rtCrX509GeneralName_ExtractHostName(const char pszUri, const char pchHostName, size_t pcchHostName)
974	{
975	/*
976	* Skip the schema name.
977	*/
978	const char *pszStart = strchr(pszUri, ':');
979	while (pszStart && (pszStart[1] != '/' \|\| pszStart[2] != '/'))
980	pszStart = strchr(pszStart + 1, ':');
981	if (pszStart)
982	{
983	pszStart += 3;
984
985	/*
986	* The name ends with the first slash or ":port".
987	*/
988	const char *pszEnd = strchr(pszStart, '/');
989	if (!pszEnd)
990	pszEnd = strchr(pszStart, '\0');
991	if (memchr(pszStart, ':', pszEnd - pszStart))
992	do
993	pszEnd--;
994	while (*pszEnd != ':');
995	if (pszEnd != pszStart)
996	{
997	/*
998	* Drop access credentials at the front of the string if present.
999	*/
1000	const char pszAt = (const char )memchr(pszStart, '@', pszEnd - pszStart);
1001	if (pszAt)
1002	pszStart = pszAt + 1;
1003
1004	/*
1005	* If there is still some string left, that's the host name.
1006	*/
1007	if (pszEnd != pszStart)
1008	{
1009	*pcchHostName = pszEnd - pszStart;
1010	*pchHostName = pszStart;
1011	return true;
1012	}
1013	}
1014	}
1015
1016	*pcchHostName = 0;
1017	*pchHostName = NULL;
1018	return false;
1019	}
1020
1021
1022	/**
1023	* Name constraint matching (RFC-5280): URI.
1024	*
1025	* @returns true on match, false on mismatch.
1026	* @param pConstraint The constraint name.
1027	* @param pName The name to match against the constraint.
1028	*/
1029	static bool rtCrX509GeneralName_ConstraintMatchUri(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1030	{
1031	/*
1032	* Empty constraint string is taken to match everything.
1033	*/
1034	if (pConstraint->u.pT6_Uri->Asn1Core.cb == 0)
1035	return true;
1036
1037	/*
1038	* Get the UTF-8 strings for the two.
1039	*/
1040	size_t cchConstraint;
1041	char const *pszConstraint;
1042	int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT6_Uri, &pszConstraint, &cchConstraint);
1043	if (RT_SUCCESS(rc))
1044	{
1045	size_t cchFull;
1046	char const *pszFull;
1047	rc = RTAsn1String_QueryUtf8(pName->u.pT6_Uri, &pszFull, &cchFull);
1048	if (RT_SUCCESS(rc))
1049	{
1050	/*
1051	* Isolate the hostname in the name.
1052	*/
1053	size_t cchHostName;
1054	const char *pchHostName;
1055	if (rtCrX509GeneralName_ExtractHostName(pszFull, &pchHostName, &cchHostName))
1056	{
1057	/*
1058	* Domain constraint.
1059	*/
1060	if (*pszConstraint == '.')
1061	{
1062	if (cchHostName >= cchConstraint)
1063	{
1064	size_t offHostName = cchHostName - cchConstraint;
1065	if (RTStrICmp(&pchHostName[offHostName], pszConstraint) == 0)
1066	{
1067	/* "http://www..oracle.com" does not match ".oracle.com".
1068	It's debatable whether "http://.oracle.com/" should match. */
1069	if ( !offHostName
1070	\|\| pchHostName[offHostName - 1] != '.')
1071	return true;
1072	}
1073	}
1074	}
1075	/*
1076	* Host name constraint. Full match required.
1077	*/
1078	else if ( cchHostName == cchConstraint
1079	&& RTStrNICmp(pchHostName, pszConstraint, cchHostName) == 0)
1080	return true;
1081	}
1082	return false;
1083	}
1084	}
1085
1086	/* fall back. */
1087	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1088	}
1089
1090
1091	/**
1092	* Name constraint matching (RFC-5280): IP address.
1093	*
1094	* @returns true on match, false on mismatch.
1095	* @param pConstraint The constraint name.
1096	* @param pName The name to match against the constraint.
1097	*/
1098	static bool rtCrX509GeneralName_ConstraintMatchIpAddress(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1099	{
1100	uint8_t const *pbConstraint = pConstraint->u.pT7_IpAddress->Asn1Core.uData.pu8;
1101	uint8_t const *pbFull = pName->u.pT7_IpAddress->Asn1Core.uData.pu8;
1102
1103	/*
1104	* IPv4.
1105	*/
1106	if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 8 /* ip+netmask*/
1107	&& pName->u.pT7_IpAddress->Asn1Core.cb == 4) /* ip */
1108	return ((pbFull[0] ^ pbConstraint[0]) & pbConstraint[4]) == 0
1109	&& ((pbFull[1] ^ pbConstraint[1]) & pbConstraint[5]) == 0
1110	&& ((pbFull[2] ^ pbConstraint[2]) & pbConstraint[6]) == 0
1111	&& ((pbFull[3] ^ pbConstraint[3]) & pbConstraint[7]) == 0;
1112
1113	/*
1114	* IPv6.
1115	*/
1116	if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 32 /* ip+netmask*/
1117	&& pName->u.pT7_IpAddress->Asn1Core.cb == 16) /* ip */
1118	{
1119	for (uint32_t i = 0; i < 16; i++)
1120	if (((pbFull[i] ^ pbConstraint[i]) & pbConstraint[i + 16]) != 0)
1121	return false;
1122	return true;
1123	}
1124
1125	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1126	}
1127
1128
1129	RTDECL(bool) RTCrX509GeneralName_ConstraintMatch(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1130	{
1131	if (pConstraint->enmChoice == pName->enmChoice)
1132	{
1133	if (RTCRX509GENERALNAME_IS_DIRECTORY_NAME(pConstraint))
1134	return RTCrX509Name_ConstraintMatch(&pConstraint->u.pT4->DirectoryName, &pName->u.pT4->DirectoryName);
1135
1136	if (RTCRX509GENERALNAME_IS_DNS_NAME(pConstraint))
1137	return rtCrX509GeneralName_ConstraintMatchDnsName(pConstraint, pName);
1138
1139	if (RTCRX509GENERALNAME_IS_RFC822_NAME(pConstraint))
1140	return rtCrX509GeneralName_ConstraintMatchRfc822Name(pConstraint, pName);
1141
1142	if (RTCRX509GENERALNAME_IS_URI(pConstraint))
1143	return rtCrX509GeneralName_ConstraintMatchUri(pConstraint, pName);
1144
1145	if (RTCRX509GENERALNAME_IS_IP_ADDRESS(pConstraint))
1146	return rtCrX509GeneralName_ConstraintMatchIpAddress(pConstraint, pName);
1147
1148	AssertFailed();
1149	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1150	}
1151	return false;
1152	}
1153
1154
1155	/*
1156	* Sequence of X.509 GeneralNames.
1157	*/
1158
1159
1160	/*
1161	* X.509 UniqueIdentifier.
1162	*/
1163
1164
1165	/*
1166	* X.509 SubjectPublicKeyInfo.
1167	*/
1168
1169
1170	/*
1171	* X.509 AuthorityKeyIdentifier (IPRT representation).
1172	*/
1173
1174
1175	/*
1176	* One X.509 PolicyQualifierInfo.
1177	*/
1178
1179
1180	/*
1181	* Sequence of X.509 PolicyQualifierInfo.
1182	*/
1183
1184
1185	/*
1186	* One X.509 PolicyInformation.
1187	*/
1188
1189
1190	/*
1191	* Sequence of X.509 CertificatePolicies.
1192	*/
1193
1194
1195	/*
1196	* One X.509 PolicyMapping (IPRT representation).
1197	*/
1198
1199
1200	/*
1201	* Sequence of X.509 PolicyMappings (IPRT representation).
1202	*/
1203
1204
1205	/*
1206	* X.509 BasicConstraints (IPRT representation).
1207	*/
1208
1209
1210	/*
1211	* X.509 GeneralSubtree (IPRT representation).
1212	*/
1213
1214
1215	RTDECL(bool) RTCrX509GeneralSubtree_ConstraintMatch(PCRTCRX509GENERALSUBTREE pConstraint, PCRTCRX509GENERALSUBTREE pName)
1216	{
1217	return RTCrX509GeneralName_ConstraintMatch(&pConstraint->Base, &pName->Base);
1218	}
1219
1220
1221	/*
1222	* Sequence of X.509 GeneralSubtrees (IPRT representation).
1223	*/
1224
1225
1226	/*
1227	* X.509 NameConstraints (IPRT representation).
1228	*/
1229
1230
1231	/*
1232	* X.509 PolicyConstraints (IPRT representation).
1233	*/
1234
1235
1236	/*
1237	* One X.509 Extension.
1238	*/
1239
1240
1241	/*
1242	* Sequence of X.509 Extensions.
1243	*/
1244
1245
1246	/*
1247	* X.509 TbsCertificate.
1248	*/
1249
1250	static void rtCrx509TbsCertificate_AddKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
1251	{
1252	AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
1253	AssertReturnVoid(pExtension->ExtnValue.pEncapsulated->cb <= 2);
1254	pThis->T3.fKeyUsage \|= (uint32_t)RTAsn1BitString_GetAsUInt64((PCRTASN1BITSTRING)pExtension->ExtnValue.pEncapsulated);
1255	}
1256
1257
1258	static void rtCrx509TbsCertificate_AddExtKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
1259	{
1260	AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
1261	PCRTASN1SEQOFOBJIDS pObjIds = (PCRTASN1SEQOFOBJIDS)pExtension->ExtnValue.pEncapsulated;
1262	uint32_t i = pObjIds->cItems;
1263	while (i-- > 0)
1264	{
1265
1266	if (RTAsn1ObjId_CompareWithString(&pObjIds->paItems[i], RTCRX509_ANY_EXTENDED_KEY_USAGE_OID) == 0)
1267	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_ANY;
1268	else if (RTAsn1ObjId_StartsWith(&pObjIds->paItems[i], RTCRX509_ID_KP_OID))
1269	{
1270	if (RTAsn1ObjIdCountComponents(&pObjIds->paItems[i]) == 9)
1271	switch (RTAsn1ObjIdGetLastComponentsAsUInt32(&pObjIds->paItems[i]))
1272	{
1273	case 1: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_SERVER_AUTH; break;
1274	case 2: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_CLIENT_AUTH; break;
1275	case 3: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_CODE_SIGNING; break;
1276	case 4: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_EMAIL_PROTECTION; break;
1277	case 5: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_IPSEC_END_SYSTEM; break;
1278	case 6: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_IPSEC_TUNNEL; break;
1279	case 7: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_IPSEC_USER; break;
1280	case 8: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_TIMESTAMPING; break;
1281	case 9: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OCSP_SIGNING; break;
1282	case 10: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_DVCS; break;
1283	case 11: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_SBGP_CERT_AA_SERVICE_AUTH; break;
1284	case 13: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_EAP_OVER_PPP; break;
1285	case 14: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_EAP_OVER_LAN; break;
1286	default: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER; break;
1287	}
1288	else
1289	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1290	}
1291	else if (RTAsn1ObjId_StartsWith(&pObjIds->paItems[i], RTCRX509_APPLE_EKU_APPLE_EXTENDED_KEY_USAGE_OID))
1292	{
1293	if (RTAsn1ObjId_CompareWithString(&pObjIds->paItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_OID) == 0)
1294	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING;
1295	else if (RTAsn1ObjId_CompareWithString(&pObjIds->paItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_DEVELOPMENT_OID) == 0)
1296	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_DEVELOPMENT;
1297	else if (RTAsn1ObjId_CompareWithString(&pObjIds->paItems[i], RTCRX509_APPLE_EKU_SOFTWARE_UPDATE_SIGNING_OID) == 0)
1298	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_SOFTWARE_UPDATE_SIGNING;
1299	else if (RTAsn1ObjId_CompareWithString(&pObjIds->paItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_THRID_PARTY_OID) == 0)
1300	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_THIRD_PARTY;
1301	else if (RTAsn1ObjId_CompareWithString(&pObjIds->paItems[i], RTCRX509_APPLE_EKU_RESOURCE_SIGNING_OID) == 0)
1302	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_RESOURCE_SIGNING;
1303	else if (RTAsn1ObjId_CompareWithString(&pObjIds->paItems[i], RTCRX509_APPLE_EKU_SYSTEM_IDENTITY_OID) == 0)
1304	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_SYSTEM_IDENTITY;
1305	else
1306	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1307	}
1308	else if (RTAsn1ObjId_StartsWith(&pObjIds->paItems[i], "1.3.6.1.4.1.311"))
1309	{
1310	if (RTAsn1ObjId_CompareWithString(&pObjIds->paItems[i], RTCRX509_MS_EKU_TIMESTAMP_SIGNING_OID) == 0)
1311	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_TIMESTAMP_SIGNING;
1312	else if (RTAsn1ObjId_CompareWithString(&pObjIds->paItems[i], RTCRX509_MS_EKU_NT5_CRYPTO_OID) == 0)
1313	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_NT5_CRYPTO;
1314	else if (RTAsn1ObjId_CompareWithString(&pObjIds->paItems[i], RTCRX509_MS_EKU_OEM_WHQL_CRYPTO_OID) == 0)
1315	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_OEM_WHQL_CRYPTO;
1316	else if (RTAsn1ObjId_CompareWithString(&pObjIds->paItems[i], RTCRX509_MS_EKU_EMBEDDED_NT_CRYPTO_OID) == 0)
1317	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_EMBEDDED_NT_CRYPTO;
1318	else if (RTAsn1ObjId_CompareWithString(&pObjIds->paItems[i], RTCRX509_MS_EKU_KERNEL_MODE_CODE_SIGNING_OID) == 0)
1319	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_KERNEL_MODE_CODE_SIGNING;
1320	else if (RTAsn1ObjId_CompareWithString(&pObjIds->paItems[i], RTCRX509_MS_EKU_LIFETIME_SIGNING_OID) == 0)
1321	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_LIFETIME_SIGNING;
1322	else if (RTAsn1ObjId_CompareWithString(&pObjIds->paItems[i], RTCRX509_MS_EKU_DRM_OID) == 0)
1323	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_DRM;
1324	else if (RTAsn1ObjId_CompareWithString(&pObjIds->paItems[i], RTCRX509_MS_EKU_DRM_INDIVIDUALIZATION_OID) == 0)
1325	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_DRM_INDIVIDUALIZATION;
1326	else
1327	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1328	}
1329	else
1330	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1331	}
1332	}
1333
1334
1335	/**
1336	* (Re-)Process the certificate extensions.
1337	*
1338	* Will fail if duplicate extensions are encountered.
1339	*
1340	* @returns IPRT status code.
1341	* @param pThis The to-be-signed certificate part.
1342	* @param pErrInfo Where to return extended error details,
1343	* optional.
1344	*/
1345	RTDECL(int) RTCrX509TbsCertificate_ReprocessExtensions(PRTCRX509TBSCERTIFICATE pThis, PRTERRINFO pErrInfo)
1346	{
1347	/*
1348	* Clear all variables we will set.
1349	*/
1350	pThis->T3.fFlags = 0;
1351	pThis->T3.fKeyUsage = 0;
1352	pThis->T3.fExtKeyUsage = 0;
1353	pThis->T3.pAuthorityKeyIdentifier = NULL;
1354	pThis->T3.pSubjectKeyIdentifier = NULL;
1355	pThis->T3.pAltSubjectName = NULL;
1356	pThis->T3.pAltIssuerName = NULL;
1357	pThis->T3.pCertificatePolicies = NULL;
1358	pThis->T3.pPolicyMappings = NULL;
1359	pThis->T3.pBasicConstraints = NULL;
1360	pThis->T3.pNameConstraints = NULL;
1361	pThis->T3.pPolicyConstraints = NULL;
1362	pThis->T3.pInhibitAnyPolicy = NULL;
1363
1364	#define CHECK_SET_PRESENT_RET_ON_DUP(a_pThis, a_pErrInfo, a_fPresentFlag) \
1365	do { \
1366	if ((a_pThis)->T3.fFlags & (a_fPresentFlag)) \
1367	return RTErrInfoSet(a_pErrInfo, VERR_CR_X509_TBSCERT_DUPLICATE_EXTENSION, \
1368	"Duplicate extension " #a_fPresentFlag); \
1369	(a_pThis)->T3.fFlags \|= (a_fPresentFlag); \
1370	} while (0)
1371
1372	/*
1373	* Process all the extensions.
1374	*/
1375	for (uint32_t i = 0; i < pThis->T3.Extensions.cItems; i++)
1376	{
1377	PCRTASN1OBJID pExtnId = &pThis->T3.Extensions.paItems[i].ExtnId;
1378	PCRTASN1OCTETSTRING pExtValue = &pThis->T3.Extensions.paItems[i].ExtnValue;
1379	if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_KEY_USAGE_OID) == 0)
1380	{
1381	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE);
1382	rtCrx509TbsCertificate_AddKeyUsageFlags(pThis, &pThis->T3.Extensions.paItems[i]);
1383	Assert(pThis->T3.Extensions.paItems[i].enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
1384	}
1385	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_EXT_KEY_USAGE_OID) == 0)
1386	{
1387	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE);
1388	rtCrx509TbsCertificate_AddExtKeyUsageFlags(pThis, &pThis->T3.Extensions.paItems[i]);
1389	Assert(pThis->T3.Extensions.paItems[i].enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
1390	}
1391	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
1392	{
1393	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_AUTHORITY_KEY_IDENTIFIER);
1394	pThis->T3.pAuthorityKeyIdentifier = (PCRTCRX509AUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
1395	Assert(pThis->T3.Extensions.paItems[i].enmValue == RTCRX509EXTENSIONVALUE_AUTHORITY_KEY_IDENTIFIER);
1396	}
1397	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_OLD_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
1398	{
1399	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_OLD_AUTHORITY_KEY_IDENTIFIER);
1400	pThis->T3.pOldAuthorityKeyIdentifier = (PCRTCRX509OLDAUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
1401	Assert(pThis->T3.Extensions.paItems[i].enmValue == RTCRX509EXTENSIONVALUE_OLD_AUTHORITY_KEY_IDENTIFIER);
1402	}
1403	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID) == 0)
1404	{
1405	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_KEY_IDENTIFIER);
1406	pThis->T3.pSubjectKeyIdentifier = (PCRTASN1OCTETSTRING)pExtValue->pEncapsulated;
1407	Assert(pThis->T3.Extensions.paItems[i].enmValue == RTCRX509EXTENSIONVALUE_OCTET_STRING);
1408	}
1409	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID) == 0)
1410	{
1411	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_ALT_NAME);
1412	pThis->T3.pAltSubjectName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
1413	Assert(pThis->T3.Extensions.paItems[i].enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
1414	}
1415	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ISSUER_ALT_NAME_OID) == 0)
1416	{
1417	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_ISSUER_ALT_NAME);
1418	pThis->T3.pAltIssuerName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
1419	Assert(pThis->T3.Extensions.paItems[i].enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
1420	}
1421	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID) == 0)
1422	{
1423	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_CERTIFICATE_POLICIES);
1424	pThis->T3.pCertificatePolicies = (PCRTCRX509CERTIFICATEPOLICIES)pExtValue->pEncapsulated;
1425	Assert(pThis->T3.Extensions.paItems[i].enmValue == RTCRX509EXTENSIONVALUE_CERTIFICATE_POLICIES);
1426	}
1427	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_MAPPINGS_OID) == 0)
1428	{
1429	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_MAPPINGS);
1430	pThis->T3.pPolicyMappings = (PCRTCRX509POLICYMAPPINGS)pExtValue->pEncapsulated;
1431	Assert(pThis->T3.Extensions.paItems[i].enmValue == RTCRX509EXTENSIONVALUE_POLICY_MAPPINGS);
1432	}
1433	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID) == 0)
1434	{
1435	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_BASIC_CONSTRAINTS);
1436	pThis->T3.pBasicConstraints = (PCRTCRX509BASICCONSTRAINTS)pExtValue->pEncapsulated;
1437	Assert(pThis->T3.Extensions.paItems[i].enmValue == RTCRX509EXTENSIONVALUE_BASIC_CONSTRAINTS);
1438	}
1439	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_NAME_CONSTRAINTS_OID) == 0)
1440	{
1441	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_NAME_CONSTRAINTS);
1442	pThis->T3.pNameConstraints = (PCRTCRX509NAMECONSTRAINTS)pExtValue->pEncapsulated;
1443	Assert(pThis->T3.Extensions.paItems[i].enmValue == RTCRX509EXTENSIONVALUE_NAME_CONSTRAINTS);
1444	}
1445	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID) == 0)
1446	{
1447	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_CONSTRAINTS);
1448	pThis->T3.pPolicyConstraints = (PCRTCRX509POLICYCONSTRAINTS)pExtValue->pEncapsulated;
1449	Assert(pThis->T3.Extensions.paItems[i].enmValue == RTCRX509EXTENSIONVALUE_POLICY_CONSTRAINTS);
1450	}
1451	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID) == 0)
1452	{
1453	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_INHIBIT_ANY_POLICY);
1454	pThis->T3.pInhibitAnyPolicy = (PCRTASN1INTEGER)pExtValue->pEncapsulated;
1455	Assert(pThis->T3.Extensions.paItems[i].enmValue == RTCRX509EXTENSIONVALUE_INTEGER);
1456	}
1457	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ACCEPTABLE_CERT_POLICIES_OID) == 0)
1458	pThis->T3.fFlags \|= RTCRX509TBSCERTIFICATE_F_PRESENT_ACCEPTABLE_CERT_POLICIES;
1459	else
1460	pThis->T3.fFlags \|= RTCRX509TBSCERTIFICATE_F_PRESENT_OTHER;
1461	}
1462
1463	if (!pThis->T3.fFlags)
1464	pThis->T3.fFlags \|= RTCRX509TBSCERTIFICATE_F_PRESENT_NONE;
1465
1466	#undef CHECK_SET_PRESENT_RET_ON_DUP
1467	return VINF_SUCCESS;
1468	}
1469
1470
1471
1472	/*
1473	* One X.509 Certificate.
1474	*/
1475
1476	RTDECL(bool) RTCrX509Certificate_MatchIssuerAndSerialNumber(PCRTCRX509CERTIFICATE pCertificate,
1477	PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
1478	{
1479	if ( RTAsn1Integer_UnsignedCompare(&pCertificate->TbsCertificate.SerialNumber, pSerialNumber) == 0
1480	&& RTCrX509Name_Compare(&pCertificate->TbsCertificate.Issuer, pIssuer) == 0)
1481	return true;
1482	return false;
1483	}
1484
1485
1486	RTDECL(bool) RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(PCRTCRX509CERTIFICATE pThis, PCRTCRX509NAME pName)
1487	{
1488	if (RTCrX509Name_MatchByRfc5280(&pThis->TbsCertificate.Subject, pName))
1489	return true;
1490
1491	if (RTCrX509Extensions_IsPresent(&pThis->TbsCertificate.T3.Extensions))
1492	for (uint32_t i = 0; i < pThis->TbsCertificate.T3.Extensions.cItems; i++)
1493	{
1494	PCRTCRX509EXTENSION pExt = &pThis->TbsCertificate.T3.Extensions.paItems[i];
1495	if ( pExt->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES
1496	&& RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID))
1497	{
1498	PCRTCRX509GENERALNAMES pGeneralNames = (PCRTCRX509GENERALNAMES)pExt->ExtnValue.pEncapsulated;
1499	for (uint32_t j = 0; j < pGeneralNames->cItems; j++)
1500	if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(&pGeneralNames->paItems[j])
1501	&& RTCrX509Name_MatchByRfc5280(&pGeneralNames->paItems[j].u.pT4->DirectoryName, pName))
1502	return true;
1503	}
1504	}
1505	return false;
1506	}
1507
1508
1509	RTDECL(bool) RTCrX509Certificate_IsSelfSigned(PCRTCRX509CERTIFICATE pCertificate)
1510	{
1511	if (RTCrX509Certificate_IsPresent(pCertificate))
1512	{
1513	return RTCrX509Name_MatchByRfc5280(&pCertificate->TbsCertificate.Subject,
1514	&pCertificate->TbsCertificate.Issuer);
1515	}
1516	return false;
1517	}
1518
1519
1520	/*
1521	* Set of X.509 Certificates.
1522	*/
1523
1524	RTDECL(PCRTCRX509CERTIFICATE)
1525	RTCrX509Certificates_FindByIssuerAndSerialNumber(PCRTCRX509CERTIFICATES pCertificates,
1526	PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
1527	{
1528	for (uint32_t i = 0; i < pCertificates->cItems; i++)
1529	if (RTCrX509Certificate_MatchIssuerAndSerialNumber(&pCertificates->paItems[i], pIssuer, pSerialNumber))
1530	return &pCertificates->paItems[i];
1531	return NULL;
1532	}
1533

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/Runtime/common/crypto/x509-core.cpp@ 56290

Download in other formats: