x509-core.cpp@ 76553

Last change on this file since 76553 was 76553, checked in by vboxsync, 6 years ago
scm --update-copyright-year
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 59.9 KB

Line
1	/* $Id: x509-core.cpp 76553 2019-01-01 01:45:53Z vboxsync $ */
2	/** @file
3	* IPRT - Crypto - X.509, Core APIs.
4	*/
5
6	/*
7	* Copyright (C) 2006-2019 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*
17	* The contents of this file may alternatively be used under the terms
18	* of the Common Development and Distribution License Version 1.0
19	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20	* VirtualBox OSE distribution, in which case the provisions of the
21	* CDDL are applicable instead of those of the GPL.
22	*
23	* You may elect to license modified versions of this file under the
24	* terms and conditions of either the GPL or the CDDL or both.
25	*/
26
27
28	/*********************************************************************************************************************************
29	* Header Files *
30	*********************************************************************************************************************************/
31	#include "internal/iprt.h"
32	#include <iprt/crypto/x509.h>
33
34	#include <iprt/err.h>
35	#include <iprt/string.h>
36	#include <iprt/uni.h>
37
38	#include "x509-internal.h"
39
40
41	/*
42	* Generate the code.
43	*/
44	#include <iprt/asn1-generator-core.h>
45
46
47	/*
48	* X.509 Validity.
49	*/
50
51	RTDECL(bool) RTCrX509Validity_IsValidAtTimeSpec(PCRTCRX509VALIDITY pThis, PCRTTIMESPEC pTimeSpec)
52	{
53	if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotBefore, pTimeSpec) > 0)
54	return false;
55	if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotAfter, pTimeSpec) < 0)
56	return false;
57	return true;
58	}
59
60
61	/*
62	* One X.509 Algorithm Identifier.
63	*/
64
65	RTDECL(RTDIGESTTYPE) RTCrX509AlgorithmIdentifier_QueryDigestType(PCRTCRX509ALGORITHMIDENTIFIER pThis)
66	{
67	AssertPtrReturn(pThis, RTDIGESTTYPE_INVALID);
68	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
69	return RTDIGESTTYPE_MD5;
70	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
71	return RTDIGESTTYPE_SHA1;
72	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
73	return RTDIGESTTYPE_SHA256;
74	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
75	return RTDIGESTTYPE_SHA512;
76
77	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
78	return RTDIGESTTYPE_SHA384;
79	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
80	return RTDIGESTTYPE_SHA224;
81	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
82	return RTDIGESTTYPE_SHA512T224;
83	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
84	return RTDIGESTTYPE_SHA512T256;
85	return RTDIGESTTYPE_INVALID;
86	}
87
88
89	RTDECL(uint32_t) RTCrX509AlgorithmIdentifier_QueryDigestSize(PCRTCRX509ALGORITHMIDENTIFIER pThis)
90	{
91	AssertPtrReturn(pThis, UINT32_MAX);
92
93	/* common */
94	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
95	return 128 / 8;
96	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
97	return 160 / 8;
98	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
99	return 256 / 8;
100	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
101	return 512 / 8;
102
103	/* Less common. */
104	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD2))
105	return 128 / 8;
106	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD4))
107	return 128 / 8;
108	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
109	return 384 / 8;
110	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
111	return 224 / 8;
112	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
113	return 224 / 8;
114	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
115	return 256 / 8;
116	if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
117	return 512 / 8;
118
119	return UINT32_MAX;
120	}
121
122
123	RTDECL(int) RTCrX509AlgorithmIdentifier_CompareWithString(PCRTCRX509ALGORITHMIDENTIFIER pThis, const char *pszObjId)
124	{
125	return strcmp(pThis->Algorithm.szObjId, pszObjId);
126	}
127
128
129	RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(const char *pszDigestOid,
130	const char *pszEncryptedDigestOid)
131	{
132	/* common */
133	if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5))
134	{
135	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA))
136	return 0;
137	}
138	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
139	{
140	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA))
141	return 0;
142	}
143	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
144	{
145	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA))
146	return 0;
147	}
148	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
149	{
150	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA))
151	return 0;
152	}
153	/* Less common. */
154	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2))
155	{
156	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA))
157	return 0;
158	}
159	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4))
160	{
161	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA))
162	return 0;
163	}
164	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
165	{
166	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA))
167	return 0;
168	}
169	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
170	{
171	if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA))
172	return 0;
173	}
174	else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
175	{
176	/* ?? */
177	}
178	else
179	return -1;
180	return 1;
181	}
182
183	RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestAndEncryptedDigest(PCRTCRX509ALGORITHMIDENTIFIER pDigest,
184	PCRTCRX509ALGORITHMIDENTIFIER pEncryptedDigest)
185	{
186	return RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(pDigest->Algorithm.szObjId,
187	pEncryptedDigest->Algorithm.szObjId);
188	}
189
190
191	RTDECL(const char ) RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(const char pszEncryptionOid,
192	const char *pszDigestOid)
193	{
194	/* RSA: */
195	if (!strcmp(pszEncryptionOid, RTCRX509ALGORITHMIDENTIFIERID_RSA))
196	{
197	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5)
198	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA))
199	return RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA;
200	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1)
201	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA))
202	return RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA;
203	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256)
204	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA))
205	return RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA;
206	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512)
207	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA))
208	return RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA;
209	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2)
210	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA))
211	return RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA;
212	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4)
213	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA))
214	return RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA;
215	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384)
216	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA))
217	return RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA;
218	if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224)
219	\|\| !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA))
220	return RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA;
221
222	/* if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
223	return ???; */
224	}
225	else if (RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(pszDigestOid, pszEncryptionOid) == 0)
226	return pszEncryptionOid;
227
228	AssertMsgFailed(("enc=%s hash=%s\n", pszEncryptionOid, pszDigestOid));
229	return NULL;
230	}
231
232
233	RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionAndDigest(PCRTCRX509ALGORITHMIDENTIFIER pEncryption,
234	PCRTCRX509ALGORITHMIDENTIFIER pDigest)
235	{
236	return RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(pEncryption->Algorithm.szObjId,
237	pDigest->Algorithm.szObjId);
238	}
239
240
241	/*
242	* Set of X.509 Algorithm Identifiers.
243	*/
244
245
246	/*
247	* One X.509 AttributeTypeAndValue.
248	*/
249
250
251	/*
252	* Set of X.509 AttributeTypeAndValues / X.509 RelativeDistinguishedName.
253	*/
254
255	/**
256	* Slow code path of rtCrX509CanNameIsNothing.
257	*
258	* @returns true if @uc maps to nothing, false if not.
259	* @param uc The unicode code point.
260	*/
261	static bool rtCrX509CanNameIsNothingSlow(RTUNICP uc)
262	{
263	switch (uc)
264	{
265	/* 2.2 Map - Paragraph 1: */
266	case 0x00ad:
267	case 0x1806:
268	case 0x034f:
269	case 0x180b: case 0x180c: case 0x180d:
270
271	case 0xfe00: case 0xfe01: case 0xfe02: case 0xfe03:
272	case 0xfe04: case 0xfe05: case 0xfe06: case 0xfe07:
273	case 0xfe08: case 0xfe09: case 0xfe0a: case 0xfe0b:
274	case 0xfe0c: case 0xfe0d: case 0xfe0e: case 0xfe0f:
275
276	case 0xfffc:
277
278	/* 2.2 Map - Paragraph 3 (control code/function): */
279	case 0x0000: case 0x0001: case 0x0002: case 0x0003:
280	case 0x0004: case 0x0005: case 0x0006: case 0x0007:
281	case 0x0008:
282
283	case 0x000e: case 0x000f:
284	case 0x0010: case 0x0011: case 0x0012: case 0x0013:
285	case 0x0014: case 0x0015: case 0x0016: case 0x0017:
286	case 0x0018: case 0x0019: case 0x001a: case 0x001b:
287	case 0x001c: case 0x001d: case 0x001e: case 0x001f:
288
289	case 0x007f:
290	case 0x0080: case 0x0081: case 0x0082: case 0x0083:
291	case 0x0084: /case 0x0085:/ case 0x0086: case 0x0087:
292	case 0x0088: case 0x0089: case 0x008a: case 0x008b:
293	case 0x008c: case 0x008d: case 0x008e: case 0x008f:
294	case 0x0090: case 0x0091: case 0x0092: case 0x0093:
295	case 0x0094: case 0x0095: case 0x0096: case 0x0097:
296	case 0x0098: case 0x0099: case 0x009a: case 0x009b:
297	case 0x009c: case 0x009d: case 0x009e: case 0x009f:
298
299	case 0x06dd:
300	case 0x070f:
301	case 0x180e:
302	case 0x200c: case 0x200d: case 0x200e: case 0x200f:
303	case 0x202a: case 0x202b: case 0x202c: case 0x202d: case 0x202e:
304	case 0x2060: case 0x2061: case 0x2062: case 0x2063:
305	case 0x206a: case 0x206b: case 0x206c: case 0x206d: case 0x206e: case 0x206f:
306	case 0xfeff:
307	case 0xfff9: case 0xfffa: case 0xfffb:
308	case 0x1d173: case 0x1d174: case 0x1d175: case 0x1d176: case 0x1d177: case 0x1d178: case 0x1d179: case 0x1d17a:
309	case 0xe0001:
310	case 0xe0020: case 0xe0021: case 0xe0022: case 0xe0023:
311	case 0xe0024: case 0xe0025: case 0xe0026: case 0xe0027:
312	case 0xe0028: case 0xe0029: case 0xe002a: case 0xe002b:
313	case 0xe002c: case 0xe002d: case 0xe002e: case 0xe002f:
314	case 0xe0030: case 0xe0031: case 0xe0032: case 0xe0033:
315	case 0xe0034: case 0xe0035: case 0xe0036: case 0xe0037:
316	case 0xe0038: case 0xe0039: case 0xe003a: case 0xe003b:
317	case 0xe003c: case 0xe003d: case 0xe003e: case 0xe003f:
318	case 0xe0040: case 0xe0041: case 0xe0042: case 0xe0043:
319	case 0xe0044: case 0xe0045: case 0xe0046: case 0xe0047:
320	case 0xe0048: case 0xe0049: case 0xe004a: case 0xe004b:
321	case 0xe004c: case 0xe004d: case 0xe004e: case 0xe004f:
322	case 0xe0050: case 0xe0051: case 0xe0052: case 0xe0053:
323	case 0xe0054: case 0xe0055: case 0xe0056: case 0xe0057:
324	case 0xe0058: case 0xe0059: case 0xe005a: case 0xe005b:
325	case 0xe005c: case 0xe005d: case 0xe005e: case 0xe005f:
326	case 0xe0060: case 0xe0061: case 0xe0062: case 0xe0063:
327	case 0xe0064: case 0xe0065: case 0xe0066: case 0xe0067:
328	case 0xe0068: case 0xe0069: case 0xe006a: case 0xe006b:
329	case 0xe006c: case 0xe006d: case 0xe006e: case 0xe006f:
330	case 0xe0070: case 0xe0071: case 0xe0072: case 0xe0073:
331	case 0xe0074: case 0xe0075: case 0xe0076: case 0xe0077:
332	case 0xe0078: case 0xe0079: case 0xe007a: case 0xe007b:
333	case 0xe007c: case 0xe007d: case 0xe007e: case 0xe007f:
334
335	/* 2.2 Map - Paragraph 4. */
336	case 0x200b:
337	return true;
338	}
339	return false;
340	}
341
342
343	/**
344	* Checks if @a uc maps to nothing according to mapping rules of RFC-5280 and
345	* RFC-4518.
346	*
347	* @returns true if @uc maps to nothing, false if not.
348	* @param uc The unicode code point.
349	*/
350	DECLINLINE(bool) rtCrX509CanNameIsNothing(RTUNICP uc)
351	{
352	if (uc > 0x001f && uc < 0x00ad)
353	return false;
354	return rtCrX509CanNameIsNothingSlow(uc);
355	}
356
357
358	/**
359	* Slow code path of rtCrX509CanNameIsSpace.
360	*
361	* @returns true if space, false if not.
362	* @param uc The unicode code point.
363	*/
364	static bool rtCrX509CanNameIsSpaceSlow(RTUNICP uc)
365	{
366	switch (uc)
367	{
368	/* 2.2 Map - Paragraph 2. */
369	case 0x09:
370	case 0x0a:
371	case 0x0b:
372	case 0x0c:
373	case 0x0d:
374	case 0x20:
375	case 0x0085:
376	case 0x00a0:
377	case 0x1680:
378	case 0x2000: case 0x2001: case 0x2002: case 0x2003:
379	case 0x2004: case 0x2005: case 0x2006: case 0x2007:
380	case 0x2008: case 0x2009: case 0x200a:
381	case 0x2028: case 0x2029:
382	case 0x202f:
383	case 0x205f:
384	case 0x3000:
385	return true;
386	}
387	return false;
388	}
389
390
391	/**
392	* Checks if @a uc is a space character according to the mapping rules of
393	* RFC-5280 and RFC-4518.
394	*
395	* @returns true if space, false if not.
396	* @param uc The unicode code point.
397	*/
398	DECLINLINE(bool) rtCrX509CanNameIsSpace(RTUNICP uc)
399	{
400	if (uc < 0x0085)
401	{
402	if (uc > 0x0020)
403	return false;
404	if (uc == 0x0020) /* space */
405	return true;
406	}
407	return rtCrX509CanNameIsSpaceSlow(uc);
408	}
409
410
411	static const char rtCrX509CanNameStripLeft(const char psz, size_t *pcch)
412	{
413	/*
414	* Return space when we've encountered the first non-space-non-nothing code point.
415	*/
416	const char * const pszStart = psz;
417	const char *pszPrev;
418	for (;;)
419	{
420	pszPrev = psz;
421	RTUNICP uc;
422	int rc = RTStrGetCpEx(&psz, &uc);
423	AssertRCBreak(rc);
424	if (!uc)
425	{
426	if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
427	break;
428	/* NUL inside the string, maps to nothing => ignore it. */
429	}
430	else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
431	break;
432	}
433	*pcch -= pszPrev - pszStart;
434	return pszPrev;
435	}
436
437
438	static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowSpace(const char *ppsz, size_t pcch)
439	{
440	/*
441	* Return space when we've encountered the first non-space-non-nothing code point.
442	*/
443	RTUNICP uc;
444	const char psz = ppsz;
445	const char * const pszStart = psz;
446	const char *pszPrev;
447	for (;;)
448	{
449	pszPrev = psz;
450	int rc = RTStrGetCpEx(&psz, &uc);
451	AssertRCBreakStmt(rc, uc = 0x20);
452	if (!uc)
453	{
454	if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
455	{
456	uc = 0; /* End of string: Ignore trailing spaces. */
457	break;
458	}
459	/* NUL inside the string, maps to nothing => ignore it. */
460	}
461	else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
462	{
463	uc = 0x20; /* Return space before current char. */
464	break;
465	}
466	}
467
468	*ppsz = pszPrev;
469	*pcch -= pszPrev - pszStart;
470	return uc;
471	}
472
473
474	DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpIgnoreNul(const char *ppsz, size_t pcch)
475	{
476	while (*pcch > 0)
477	{
478	const char psz = ppsz;
479	RTUNICP uc = *psz;
480	if (uc < 0x80)
481	{
482	*pcch -= 1;
483	*ppsz = psz + 1;
484	}
485	else
486	{
487	int rc = RTStrGetCpEx(ppsz, &uc);
488	AssertRCReturn(rc, uc);
489	size_t cchCp = *ppsz - psz;
490	AssertReturn(cchCp <= *pcch, 0);
491	*pcch -= cchCp;
492	}
493	if (uc != 0)
494	return uc;
495	}
496	return 0;
497	}
498
499
500	static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowNothing(const char *ppsz, size_t pcch)
501	{
502	/*
503	* Return first code point which doesn't map to nothing. If we encounter
504	* a space, we defer to the mapping-after-space routine above.
505	*/
506	for (;;)
507	{
508	RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
509	if (rtCrX509CanNameIsSpace(uc))
510	return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
511	if (!rtCrX509CanNameIsNothing(uc) \|\| uc == 0)
512	return uc;
513	}
514	}
515
516
517	DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpWithMapping(const char *ppsz, size_t pcch)
518	{
519	RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
520	if (uc)
521	{
522	if (!rtCrX509CanNameIsSpace(uc))
523	{
524	if (!rtCrX509CanNameIsNothing(uc))
525	return uc;
526	return rtCrX509CanNameGetNextCpWithMappingSlowNothing(ppsz, pcch);
527	}
528	return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
529	}
530	return uc;
531	}
532
533
534	RTDECL(bool) RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(PCRTCRX509ATTRIBUTETYPEANDVALUE pLeft,
535	PCRTCRX509ATTRIBUTETYPEANDVALUE pRight)
536	{
537	if (RTAsn1ObjId_Compare(&pLeft->Type, &pRight->Type) == 0)
538	{
539	/*
540	* Try for perfect match in case we get luck.
541	*/
542	#ifdef DEBUG_bird /* Want to test the complicated code path first */
543	if (pLeft->Value.enmType != RTASN1TYPE_STRING \|\| pRight->Value.enmType != RTASN1TYPE_STRING)
544	#endif
545	if (RTAsn1DynType_Compare(&pLeft->Value, &pRight->Value) == 0)
546	return true;
547
548	/*
549	* If both are string types, we can compare them according to RFC-5280.
550	*/
551	if ( pLeft->Value.enmType == RTASN1TYPE_STRING
552	&& pRight->Value.enmType == RTASN1TYPE_STRING)
553	{
554	size_t cchLeft;
555	const char *pszLeft;
556	int rc = RTAsn1String_QueryUtf8(&pLeft->Value.u.String, &pszLeft, &cchLeft);
557	if (RT_SUCCESS(rc))
558	{
559	size_t cchRight;
560	const char *pszRight;
561	rc = RTAsn1String_QueryUtf8(&pRight->Value.u.String, &pszRight, &cchRight);
562	if (RT_SUCCESS(rc))
563	{
564	/*
565	* Perform a simplified RFC-5280 comparsion.
566	* The algorithm as be relaxed on the following counts:
567	* 1. No unicode normalization.
568	* 2. Prohibited characters not checked for.
569	* 3. Bidirectional characters are not ignored.
570	*/
571	pszLeft = rtCrX509CanNameStripLeft(pszLeft, &cchLeft);
572	pszRight = rtCrX509CanNameStripLeft(pszRight, &cchRight);
573	while (pszLeft && pszRight)
574	{
575	RTUNICP ucLeft = rtCrX509CanNameGetNextCpWithMapping(&pszLeft, &cchLeft);
576	RTUNICP ucRight = rtCrX509CanNameGetNextCpWithMapping(&pszRight, &cchRight);
577	if (ucLeft != ucRight)
578	{
579	ucLeft = RTUniCpToLower(ucLeft);
580	ucRight = RTUniCpToLower(ucRight);
581	if (ucLeft != ucRight)
582	return false;
583	}
584	}
585
586	return cchRight == 0 && cchLeft == 0;
587	}
588	}
589	}
590	}
591	return false;
592	}
593
594
595	RTDECL(bool) RTCrX509RelativeDistinguishedName_MatchByRfc5280(PCRTCRX509RELATIVEDISTINGUISHEDNAME pLeft,
596	PCRTCRX509RELATIVEDISTINGUISHEDNAME pRight)
597	{
598	/*
599	* No match if the attribute count differs.
600	*/
601	uint32_t const cItems = pLeft->cItems;
602	if (cItems == pRight->cItems)
603	{
604	/*
605	* Compare each attribute, but don't insist on the same order nor
606	* bother checking for duplicates (too complicated).
607	*/
608	for (uint32_t iLeft = 0; iLeft < cItems; iLeft++)
609	{
610	PCRTCRX509ATTRIBUTETYPEANDVALUE pLeftAttr = pLeft->papItems[iLeft];
611	bool fFound = false;
612	for (uint32_t iRight = 0; iRight < cItems; iRight++)
613	if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pLeftAttr, pRight->papItems[iRight]))
614	{
615	fFound = true;
616	break;
617	}
618	if (!fFound)
619	return false;
620	}
621	return true;
622	}
623	return false;
624
625	}
626
627
628	/*
629	* X.509 Name.
630	*/
631
632	RTDECL(bool) RTCrX509Name_MatchByRfc5280(PCRTCRX509NAME pLeft, PCRTCRX509NAME pRight)
633	{
634	uint32_t const cItems = pLeft->cItems;
635	if (cItems == pRight->cItems)
636	{
637	/* Require exact order. */
638	for (uint32_t iRdn = 0; iRdn < cItems; iRdn++)
639	if (!RTCrX509RelativeDistinguishedName_MatchByRfc5280(pLeft->papItems[iRdn], pRight->papItems[iRdn]))
640	return false;
641	return true;
642	}
643	return false;
644	}
645
646
647	RTDECL(bool) RTCrX509Name_ConstraintMatch(PCRTCRX509NAME pConstraint, PCRTCRX509NAME pName)
648	{
649	/*
650	* Check that the constraint is a prefix of the name. This means that
651	* the name must have at least as many components and the constraint.
652	*/
653	if (pName->cItems >= pConstraint->cItems)
654	{
655	/*
656	* Parallel crawl of the two RDNs arrays.
657	*/
658	for (uint32_t i = 0; pConstraint->cItems; i++)
659	{
660	PCRTCRX509RELATIVEDISTINGUISHEDNAME pConstrRdns = pConstraint->papItems[i];
661	PCRTCRX509RELATIVEDISTINGUISHEDNAME pNameRdns = pName->papItems[i];
662
663	/*
664	* Walk the constraint attribute & value array.
665	*/
666	for (uint32_t iConstrAttrib = 0; iConstrAttrib < pConstrRdns->cItems; iConstrAttrib++)
667	{
668	PCRTCRX509ATTRIBUTETYPEANDVALUE pConstrAttrib = pConstrRdns->papItems[iConstrAttrib];
669
670	/*
671	* Find matching attribute & value in the name.
672	*/
673	bool fFound = false;
674	for (uint32_t iNameAttrib = 0; iNameAttrib < pNameRdns->cItems; iNameAttrib++)
675	if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pConstrAttrib, pNameRdns->papItems[iNameAttrib]))
676	{
677	fFound = true;
678	break;
679	}
680	if (fFound)
681	return false;
682	}
683	}
684	return true;
685	}
686	return false;
687	}
688
689
690	/**
691	* Mapping between X.500 object IDs and short and long names.
692	*
693	* See RFC-1327, RFC-4519 ...
694	*/
695	static struct
696	{
697	const char *pszOid;
698	const char *pszShortNm;
699	size_t cchShortNm;
700	const char *pszLongNm;
701	} const g_aRdnMap[] =
702	{
703	{ "0.9.2342.19200300.100.1.3", RT_STR_TUPLE("Mail"), "Rfc822Mailbox" },
704	{ "0.9.2342.19200300.100.1.25", RT_STR_TUPLE("DC"), "DomainComponent" },
705	{ "1.2.840.113549.1.9.1", RT_STR_TUPLE("Email") /nonstandard/,"EmailAddress" },
706	{ "2.5.4.3", RT_STR_TUPLE("CN"), "CommonName" },
707	{ "2.5.4.4", RT_STR_TUPLE("SN"), "Surname" },
708	{ "2.5.4.5", RT_STR_TUPLE("SRN") /nonstandard/, "SerialNumber" },
709	{ "2.5.4.6", RT_STR_TUPLE("C"), "CountryName" },
710	{ "2.5.4.7", RT_STR_TUPLE("L"), "LocalityName" },
711	{ "2.5.4.8", RT_STR_TUPLE("ST"), "StateOrProviceName" },
712	{ "2.5.4.9", RT_STR_TUPLE("street"), "Street" },
713	{ "2.5.4.10", RT_STR_TUPLE("O"), "OrganizationName" },
714	{ "2.5.4.11", RT_STR_TUPLE("OU"), "OrganizationalUnitName" },
715	{ "2.5.4.12", RT_STR_TUPLE("title"), "Title" },
716	{ "2.5.4.13", RT_STR_TUPLE("desc"), "Description" },
717	{ "2.5.4.15", RT_STR_TUPLE("BC") /nonstandard/, "BusinessCategory" },
718	{ "2.5.4.17", RT_STR_TUPLE("ZIP") /nonstandard/, "PostalCode" },
719	{ "2.5.4.18", RT_STR_TUPLE("POBox") /nonstandard/,"PostOfficeBox" },
720	{ "2.5.4.20", RT_STR_TUPLE("PN") /nonstandard/, "TelephoneNumber" },
721	{ "2.5.4.33", RT_STR_TUPLE("RO") /nonstandard/, "RoleOccupant" },
722	{ "2.5.4.34", RT_STR_TUPLE("SA") /nonstandard/, "StreetAddress" },
723	{ "2.5.4.41", RT_STR_TUPLE("N") /nonstandard/, "Name" },
724	{ "2.5.4.42", RT_STR_TUPLE("GN"), "GivenName" },
725	{ "2.5.4.43", RT_STR_TUPLE("I") /nonstandard/, "Initials" },
726	{ "2.5.4.44", RT_STR_TUPLE("GQ") /nonstandard/, "GenerationQualifier" },
727	{ "2.5.4.46", RT_STR_TUPLE("DNQ") /nonstandard/, "DNQualifier" },
728	{ "2.5.4.51", RT_STR_TUPLE("HID") /nonstandard/, "HouseIdentifier" },
729	};
730
731
732	RTDECL(const char *) RTCrX509Name_GetShortRdn(PCRTASN1OBJID pRdnId)
733	{
734	uint32_t iName = RT_ELEMENTS(g_aRdnMap);
735	while (iName-- > 0)
736	if (RTAsn1ObjId_CompareWithString(pRdnId, g_aRdnMap[iName].pszOid) == 0)
737	return g_aRdnMap[iName].pszShortNm;
738	return NULL;
739	}
740
741
742	RTDECL(bool) RTCrX509Name_MatchWithString(PCRTCRX509NAME pThis, const char *pszString)
743	{
744	/* Keep track of the string length. */
745	size_t cchString = strlen(pszString);
746
747	/*
748	* The usual double loop for walking the components.
749	*/
750	for (uint32_t i = 0; i < pThis->cItems; i++)
751	{
752	PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = pThis->papItems[i];
753	for (uint32_t j = 0; j < pRdn->cItems; j++)
754	{
755	PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = pRdn->papItems[j];
756
757	/*
758	* Must be a string.
759	*/
760	if (pComponent->Value.enmType != RTASN1TYPE_STRING)
761	return false;
762
763	/*
764	* Look up the component name prefix and check whether it's also in the string.
765	*/
766	uint32_t iName = RT_ELEMENTS(g_aRdnMap);
767	while (iName-- > 0)
768	if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
769	break;
770	AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId), false);
771
772	if ( strncmp(pszString, g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm) != 0
773	\|\| pszString[g_aRdnMap[iName].cchShortNm] != '=')
774	return false;
775
776	pszString += g_aRdnMap[iName].cchShortNm + 1;
777	cchString -= g_aRdnMap[iName].cchShortNm + 1;
778
779	/*
780	* Compare the component string.
781	*/
782	size_t cchComponent;
783	int rc = RTAsn1String_QueryUtf8Len(&pComponent->Value.u.String, &cchComponent);
784	AssertRCReturn(rc, false);
785
786	if (cchComponent > cchString)
787	return false;
788	if (RTAsn1String_CompareWithString(&pComponent->Value.u.String, pszString, cchComponent) != 0)
789	return false;
790
791	cchString -= cchComponent;
792	pszString += cchComponent;
793
794	/*
795	* Check separator comma + space and skip extra spaces before the next component.
796	*/
797	if (cchString)
798	{
799	if (pszString[0] != ',')
800	return false;
801	if (pszString[1] != ' ' && pszString[1] != '\t')
802	return false;
803	pszString += 2;
804	cchString -= 2;
805
806	while (pszString == ' ' \|\| pszString == '\t')
807	{
808	pszString++;
809	cchString--;
810	}
811	}
812	}
813	}
814
815	/*
816	* If we got thru the whole name and the whole string, we're good.
817	*/
818	return *pszString == '\0';
819	}
820
821
822	RTDECL(int) RTCrX509Name_FormatAsString(PCRTCRX509NAME pThis, char pszBuf, size_t cbBuf, size_t pcbActual)
823	{
824	/*
825	* The usual double loop for walking the components.
826	*/
827	size_t off = 0;
828	int rc = VINF_SUCCESS;
829	for (uint32_t i = 0; i < pThis->cItems; i++)
830	{
831	PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = pThis->papItems[i];
832	for (uint32_t j = 0; j < pRdn->cItems; j++)
833	{
834	PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = pRdn->papItems[j];
835
836	/*
837	* Must be a string.
838	*/
839	if (pComponent->Value.enmType != RTASN1TYPE_STRING)
840	return VERR_CR_X509_NAME_NOT_STRING;
841
842	/*
843	* Look up the component name prefix.
844	*/
845	uint32_t iName = RT_ELEMENTS(g_aRdnMap);
846	while (iName-- > 0)
847	if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
848	break;
849	AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId),
850	VERR_CR_X509_NAME_MISSING_RDN_MAP_ENTRY);
851
852	/*
853	* Append the prefix.
854	*/
855	if (off)
856	{
857	if (off + 2 < cbBuf)
858	{
859	pszBuf[off] = ',';
860	pszBuf[off + 1] = ' ';
861	}
862	else
863	rc = VERR_BUFFER_OVERFLOW;
864	off += 2;
865	}
866
867	if (off + g_aRdnMap[iName].cchShortNm + 1 < cbBuf)
868	{
869	memcpy(&pszBuf[off], g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm);
870	pszBuf[off + g_aRdnMap[iName].cchShortNm] = '=';
871	}
872	else
873	rc = VERR_BUFFER_OVERFLOW;
874	off += g_aRdnMap[iName].cchShortNm + 1;
875
876	/*
877	* Add the component string.
878	*/
879	const char *pszUtf8;
880	size_t cchUtf8;
881	int rc2 = RTAsn1String_QueryUtf8(&pComponent->Value.u.String, &pszUtf8, &cchUtf8);
882	AssertRCReturn(rc2, rc2);
883	if (off + cchUtf8 < cbBuf)
884	memcpy(&pszBuf[off], pszUtf8, cchUtf8);
885	else
886	rc = VERR_BUFFER_OVERFLOW;
887	off += cchUtf8;
888	}
889	}
890
891	if (pcbActual)
892	*pcbActual = off + 1;
893	if (off < cbBuf)
894	pszBuf[off] = '\0';
895	return rc;
896	}
897
898
899
900	/*
901	* One X.509 GeneralName.
902	*/
903
904	/**
905	* Name constraint matching (RFC-5280): DNS Name.
906	*
907	* @returns true on match, false on mismatch.
908	* @param pConstraint The constraint name.
909	* @param pName The name to match against the constraint.
910	*/
911	static bool rtCrX509GeneralName_ConstraintMatchDnsName(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
912	{
913	/*
914	* Empty constraint string is taken to match everything.
915	*/
916	if (pConstraint->u.pT2_DnsName->Asn1Core.cb == 0)
917	return true;
918
919	/*
920	* Get the UTF-8 strings for the two.
921	*/
922	size_t cchConstraint;
923	char const *pszConstraint;
924	int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT2_DnsName, &pszConstraint, &cchConstraint);
925	if (RT_SUCCESS(rc))
926	{
927	size_t cchFull;
928	char const *pszFull;
929	rc = RTAsn1String_QueryUtf8(pName->u.pT2_DnsName, &pszFull, &cchFull);
930	if (RT_SUCCESS(rc))
931	{
932	/*
933	* No match if the constraint is longer.
934	*/
935	if (cchConstraint > cchFull)
936	return false;
937
938	/*
939	* No match if the constraint and name tail doesn't match
940	* in a case-insensitive compare.
941	*/
942	size_t offFull = cchFull - cchConstraint;
943	if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
944	return false;
945	if (!offFull)
946	return true;
947
948	/*
949	* The matching constraint must be delimited by a dot in the full
950	* name. There seems to be some discussion whether ".oracle.com"
951	* should match "www..oracle.com". This implementation does choose
952	* to not succeed in that case.
953	*/
954	if ((pszFull[offFull - 1] == '.') ^ (pszFull[offFull] == '.'))
955	return true;
956
957	return false;
958	}
959	}
960
961	/* fall back. */
962	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
963	}
964
965
966	/**
967	* Name constraint matching (RFC-5280): RFC-822 (email).
968	*
969	* @returns true on match, false on mismatch.
970	* @param pConstraint The constraint name.
971	* @param pName The name to match against the constraint.
972	*/
973	static bool rtCrX509GeneralName_ConstraintMatchRfc822Name(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
974	{
975	/*
976	* Empty constraint string is taken to match everything.
977	*/
978	if (pConstraint->u.pT1_Rfc822->Asn1Core.cb == 0)
979	return true;
980
981	/*
982	* Get the UTF-8 strings for the two.
983	*/
984	size_t cchConstraint;
985	char const *pszConstraint;
986	int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT1_Rfc822, &pszConstraint, &cchConstraint);
987	if (RT_SUCCESS(rc))
988	{
989	size_t cchFull;
990	char const *pszFull;
991	rc = RTAsn1String_QueryUtf8(pName->u.pT1_Rfc822, &pszFull, &cchFull);
992	if (RT_SUCCESS(rc))
993	{
994	/*
995	* No match if the constraint is longer.
996	*/
997	if (cchConstraint > cchFull)
998	return false;
999
1000	/*
1001	* A lone dot matches everything.
1002	*/
1003	if (cchConstraint == 1 && *pszConstraint == '.')
1004	return true;
1005
1006	/*
1007	* If there is a '@' in the constraint, the entire address must match.
1008	*/
1009	const char pszConstraintAt = (const char )memchr(pszConstraint, '@', cchConstraint);
1010	if (pszConstraintAt)
1011	return cchConstraint == cchFull && RTStrICmp(pszConstraint, pszFull) == 0;
1012
1013	/*
1014	* No match if the constraint and name tail doesn't match
1015	* in a case-insensitive compare.
1016	*/
1017	size_t offFull = cchFull - cchConstraint;
1018	if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
1019	return false;
1020
1021	/*
1022	* If the constraint starts with a dot, we're supposed to be
1023	* satisfied with a tail match.
1024	*/
1025	/** @todo Check if this should match even if offFull == 0. */
1026	if (*pszConstraint == '.')
1027	return true;
1028
1029	/*
1030	* Otherwise, we require a hostname match and thus expect an '@'
1031	* immediatly preceding the constraint match.
1032	*/
1033	if (pszFull[offFull - 1] == '@')
1034	return true;
1035
1036	return false;
1037	}
1038	}
1039
1040	/* fall back. */
1041	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1042	}
1043
1044
1045	/**
1046	* Extracts the hostname from an URI.
1047	*
1048	* @returns true if successfully extract, false if no hostname present.
1049	* @param pszUri The URI.
1050	* @param pchHostName .
1051	* @param pcchHostName .
1052	*/
1053	static bool rtCrX509GeneralName_ExtractHostName(const char pszUri, const char pchHostName, size_t pcchHostName)
1054	{
1055	/*
1056	* Skip the schema name.
1057	*/
1058	const char *pszStart = strchr(pszUri, ':');
1059	while (pszStart && (pszStart[1] != '/' \|\| pszStart[2] != '/'))
1060	pszStart = strchr(pszStart + 1, ':');
1061	if (pszStart)
1062	{
1063	pszStart += 3;
1064
1065	/*
1066	* The name ends with the first slash or ":port".
1067	*/
1068	const char *pszEnd = strchr(pszStart, '/');
1069	if (!pszEnd)
1070	pszEnd = strchr(pszStart, '\0');
1071	if (memchr(pszStart, ':', pszEnd - pszStart))
1072	do
1073	pszEnd--;
1074	while (*pszEnd != ':');
1075	if (pszEnd != pszStart)
1076	{
1077	/*
1078	* Drop access credentials at the front of the string if present.
1079	*/
1080	const char pszAt = (const char )memchr(pszStart, '@', pszEnd - pszStart);
1081	if (pszAt)
1082	pszStart = pszAt + 1;
1083
1084	/*
1085	* If there is still some string left, that's the host name.
1086	*/
1087	if (pszEnd != pszStart)
1088	{
1089	*pcchHostName = pszEnd - pszStart;
1090	*pchHostName = pszStart;
1091	return true;
1092	}
1093	}
1094	}
1095
1096	*pcchHostName = 0;
1097	*pchHostName = NULL;
1098	return false;
1099	}
1100
1101
1102	/**
1103	* Name constraint matching (RFC-5280): URI.
1104	*
1105	* @returns true on match, false on mismatch.
1106	* @param pConstraint The constraint name.
1107	* @param pName The name to match against the constraint.
1108	*/
1109	static bool rtCrX509GeneralName_ConstraintMatchUri(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1110	{
1111	/*
1112	* Empty constraint string is taken to match everything.
1113	*/
1114	if (pConstraint->u.pT6_Uri->Asn1Core.cb == 0)
1115	return true;
1116
1117	/*
1118	* Get the UTF-8 strings for the two.
1119	*/
1120	size_t cchConstraint;
1121	char const *pszConstraint;
1122	int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT6_Uri, &pszConstraint, &cchConstraint);
1123	if (RT_SUCCESS(rc))
1124	{
1125	size_t cchFull;
1126	char const *pszFull;
1127	rc = RTAsn1String_QueryUtf8(pName->u.pT6_Uri, &pszFull, &cchFull);
1128	if (RT_SUCCESS(rc))
1129	{
1130	/*
1131	* Isolate the hostname in the name.
1132	*/
1133	size_t cchHostName;
1134	const char *pchHostName;
1135	if (rtCrX509GeneralName_ExtractHostName(pszFull, &pchHostName, &cchHostName))
1136	{
1137	/*
1138	* Domain constraint.
1139	*/
1140	if (*pszConstraint == '.')
1141	{
1142	if (cchHostName >= cchConstraint)
1143	{
1144	size_t offHostName = cchHostName - cchConstraint;
1145	if (RTStrICmp(&pchHostName[offHostName], pszConstraint) == 0)
1146	{
1147	/* "http://www..oracle.com" does not match ".oracle.com".
1148	It's debatable whether "http://.oracle.com/" should match. */
1149	if ( !offHostName
1150	\|\| pchHostName[offHostName - 1] != '.')
1151	return true;
1152	}
1153	}
1154	}
1155	/*
1156	* Host name constraint. Full match required.
1157	*/
1158	else if ( cchHostName == cchConstraint
1159	&& RTStrNICmp(pchHostName, pszConstraint, cchHostName) == 0)
1160	return true;
1161	}
1162	return false;
1163	}
1164	}
1165
1166	/* fall back. */
1167	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1168	}
1169
1170
1171	/**
1172	* Name constraint matching (RFC-5280): IP address.
1173	*
1174	* @returns true on match, false on mismatch.
1175	* @param pConstraint The constraint name.
1176	* @param pName The name to match against the constraint.
1177	*/
1178	static bool rtCrX509GeneralName_ConstraintMatchIpAddress(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1179	{
1180	uint8_t const *pbConstraint = pConstraint->u.pT7_IpAddress->Asn1Core.uData.pu8;
1181	uint8_t const *pbFull = pName->u.pT7_IpAddress->Asn1Core.uData.pu8;
1182
1183	/*
1184	* IPv4.
1185	*/
1186	if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 8 /* ip+netmask*/
1187	&& pName->u.pT7_IpAddress->Asn1Core.cb == 4) /* ip */
1188	return ((pbFull[0] ^ pbConstraint[0]) & pbConstraint[4]) == 0
1189	&& ((pbFull[1] ^ pbConstraint[1]) & pbConstraint[5]) == 0
1190	&& ((pbFull[2] ^ pbConstraint[2]) & pbConstraint[6]) == 0
1191	&& ((pbFull[3] ^ pbConstraint[3]) & pbConstraint[7]) == 0;
1192
1193	/*
1194	* IPv6.
1195	*/
1196	if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 32 /* ip+netmask*/
1197	&& pName->u.pT7_IpAddress->Asn1Core.cb == 16) /* ip */
1198	{
1199	for (uint32_t i = 0; i < 16; i++)
1200	if (((pbFull[i] ^ pbConstraint[i]) & pbConstraint[i + 16]) != 0)
1201	return false;
1202	return true;
1203	}
1204
1205	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1206	}
1207
1208
1209	RTDECL(bool) RTCrX509GeneralName_ConstraintMatch(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1210	{
1211	if (pConstraint->enmChoice == pName->enmChoice)
1212	{
1213	if (RTCRX509GENERALNAME_IS_DIRECTORY_NAME(pConstraint))
1214	return RTCrX509Name_ConstraintMatch(&pConstraint->u.pT4->DirectoryName, &pName->u.pT4->DirectoryName);
1215
1216	if (RTCRX509GENERALNAME_IS_DNS_NAME(pConstraint))
1217	return rtCrX509GeneralName_ConstraintMatchDnsName(pConstraint, pName);
1218
1219	if (RTCRX509GENERALNAME_IS_RFC822_NAME(pConstraint))
1220	return rtCrX509GeneralName_ConstraintMatchRfc822Name(pConstraint, pName);
1221
1222	if (RTCRX509GENERALNAME_IS_URI(pConstraint))
1223	return rtCrX509GeneralName_ConstraintMatchUri(pConstraint, pName);
1224
1225	if (RTCRX509GENERALNAME_IS_IP_ADDRESS(pConstraint))
1226	return rtCrX509GeneralName_ConstraintMatchIpAddress(pConstraint, pName);
1227
1228	AssertFailed();
1229	return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1230	}
1231	return false;
1232	}
1233
1234
1235	/*
1236	* Sequence of X.509 GeneralNames.
1237	*/
1238
1239
1240	/*
1241	* X.509 UniqueIdentifier.
1242	*/
1243
1244
1245	/*
1246	* X.509 SubjectPublicKeyInfo.
1247	*/
1248
1249
1250	/*
1251	* X.509 AuthorityKeyIdentifier (IPRT representation).
1252	*/
1253
1254
1255	/*
1256	* One X.509 PolicyQualifierInfo.
1257	*/
1258
1259
1260	/*
1261	* Sequence of X.509 PolicyQualifierInfo.
1262	*/
1263
1264
1265	/*
1266	* One X.509 PolicyInformation.
1267	*/
1268
1269
1270	/*
1271	* Sequence of X.509 CertificatePolicies.
1272	*/
1273
1274
1275	/*
1276	* One X.509 PolicyMapping (IPRT representation).
1277	*/
1278
1279
1280	/*
1281	* Sequence of X.509 PolicyMappings (IPRT representation).
1282	*/
1283
1284
1285	/*
1286	* X.509 BasicConstraints (IPRT representation).
1287	*/
1288
1289
1290	/*
1291	* X.509 GeneralSubtree (IPRT representation).
1292	*/
1293
1294
1295	RTDECL(bool) RTCrX509GeneralSubtree_ConstraintMatch(PCRTCRX509GENERALSUBTREE pConstraint, PCRTCRX509GENERALSUBTREE pName)
1296	{
1297	return RTCrX509GeneralName_ConstraintMatch(&pConstraint->Base, &pName->Base);
1298	}
1299
1300
1301	/*
1302	* Sequence of X.509 GeneralSubtrees (IPRT representation).
1303	*/
1304
1305
1306	/*
1307	* X.509 NameConstraints (IPRT representation).
1308	*/
1309
1310
1311	/*
1312	* X.509 PolicyConstraints (IPRT representation).
1313	*/
1314
1315
1316	/*
1317	* One X.509 Extension.
1318	*/
1319
1320
1321	/*
1322	* Sequence of X.509 Extensions.
1323	*/
1324
1325
1326	/*
1327	* X.509 TbsCertificate.
1328	*/
1329
1330	static void rtCrx509TbsCertificate_AddKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
1331	{
1332	AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
1333	/* 3 = 1 byte for unused bit count, followed by one or two bytes containing actual bits. RFC-5280 defines bits 0 thru 8. */
1334	AssertReturnVoid(pExtension->ExtnValue.pEncapsulated->cb <= 3);
1335	pThis->T3.fKeyUsage \|= (uint32_t)RTAsn1BitString_GetAsUInt64((PCRTASN1BITSTRING)pExtension->ExtnValue.pEncapsulated);
1336	}
1337
1338
1339	static void rtCrx509TbsCertificate_AddExtKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
1340	{
1341	AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
1342	PCRTASN1SEQOFOBJIDS pObjIds = (PCRTASN1SEQOFOBJIDS)pExtension->ExtnValue.pEncapsulated;
1343	uint32_t i = pObjIds->cItems;
1344	while (i-- > 0)
1345	{
1346
1347	if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_ANY_EXTENDED_KEY_USAGE_OID) == 0)
1348	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_ANY;
1349	else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], RTCRX509_ID_KP_OID))
1350	{
1351	if (RTAsn1ObjIdCountComponents(pObjIds->papItems[i]) == 9)
1352	switch (RTAsn1ObjIdGetLastComponentsAsUInt32(pObjIds->papItems[i]))
1353	{
1354	case 1: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_SERVER_AUTH; break;
1355	case 2: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_CLIENT_AUTH; break;
1356	case 3: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_CODE_SIGNING; break;
1357	case 4: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_EMAIL_PROTECTION; break;
1358	case 5: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_IPSEC_END_SYSTEM; break;
1359	case 6: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_IPSEC_TUNNEL; break;
1360	case 7: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_IPSEC_USER; break;
1361	case 8: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_TIMESTAMPING; break;
1362	case 9: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OCSP_SIGNING; break;
1363	case 10: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_DVCS; break;
1364	case 11: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_SBGP_CERT_AA_SERVICE_AUTH; break;
1365	case 13: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_EAP_OVER_PPP; break;
1366	case 14: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_EAP_OVER_LAN; break;
1367	default: pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER; break;
1368	}
1369	else
1370	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1371	}
1372	else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], RTCRX509_APPLE_EKU_APPLE_EXTENDED_KEY_USAGE_OID))
1373	{
1374	if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_OID) == 0)
1375	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING;
1376	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_DEVELOPMENT_OID) == 0)
1377	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_DEVELOPMENT;
1378	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_SOFTWARE_UPDATE_SIGNING_OID) == 0)
1379	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_SOFTWARE_UPDATE_SIGNING;
1380	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_THRID_PARTY_OID) == 0)
1381	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_THIRD_PARTY;
1382	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_RESOURCE_SIGNING_OID) == 0)
1383	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_RESOURCE_SIGNING;
1384	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_SYSTEM_IDENTITY_OID) == 0)
1385	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_APPLE_SYSTEM_IDENTITY;
1386	else
1387	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1388	}
1389	else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], "1.3.6.1.4.1.311"))
1390	{
1391	if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_TIMESTAMP_SIGNING_OID) == 0)
1392	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_TIMESTAMP_SIGNING;
1393	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_NT5_CRYPTO_OID) == 0)
1394	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_NT5_CRYPTO;
1395	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_OEM_WHQL_CRYPTO_OID) == 0)
1396	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_OEM_WHQL_CRYPTO;
1397	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_EMBEDDED_NT_CRYPTO_OID) == 0)
1398	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_EMBEDDED_NT_CRYPTO;
1399	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_KERNEL_MODE_CODE_SIGNING_OID) == 0)
1400	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_KERNEL_MODE_CODE_SIGNING;
1401	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_LIFETIME_SIGNING_OID) == 0)
1402	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_LIFETIME_SIGNING;
1403	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_DRM_OID) == 0)
1404	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_DRM;
1405	else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_DRM_INDIVIDUALIZATION_OID) == 0)
1406	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_MS_DRM_INDIVIDUALIZATION;
1407	else
1408	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1409	}
1410	else
1411	pThis->T3.fExtKeyUsage \|= RTCRX509CERT_EKU_F_OTHER;
1412	}
1413	}
1414
1415
1416	/**
1417	* (Re-)Process the certificate extensions.
1418	*
1419	* Will fail if duplicate extensions are encountered.
1420	*
1421	* @returns IPRT status code.
1422	* @param pThis The to-be-signed certificate part.
1423	* @param pErrInfo Where to return extended error details,
1424	* optional.
1425	*/
1426	RTDECL(int) RTCrX509TbsCertificate_ReprocessExtensions(PRTCRX509TBSCERTIFICATE pThis, PRTERRINFO pErrInfo)
1427	{
1428	/*
1429	* Clear all variables we will set.
1430	*/
1431	pThis->T3.fFlags = 0;
1432	pThis->T3.fKeyUsage = 0;
1433	pThis->T3.fExtKeyUsage = 0;
1434	pThis->T3.pAuthorityKeyIdentifier = NULL;
1435	pThis->T3.pSubjectKeyIdentifier = NULL;
1436	pThis->T3.pAltSubjectName = NULL;
1437	pThis->T3.pAltIssuerName = NULL;
1438	pThis->T3.pCertificatePolicies = NULL;
1439	pThis->T3.pPolicyMappings = NULL;
1440	pThis->T3.pBasicConstraints = NULL;
1441	pThis->T3.pNameConstraints = NULL;
1442	pThis->T3.pPolicyConstraints = NULL;
1443	pThis->T3.pInhibitAnyPolicy = NULL;
1444
1445	#define CHECK_SET_PRESENT_RET_ON_DUP(a_pThis, a_pErrInfo, a_fPresentFlag) \
1446	do { \
1447	if ((a_pThis)->T3.fFlags & (a_fPresentFlag)) \
1448	return RTErrInfoSet(a_pErrInfo, VERR_CR_X509_TBSCERT_DUPLICATE_EXTENSION, \
1449	"Duplicate extension " #a_fPresentFlag); \
1450	(a_pThis)->T3.fFlags \|= (a_fPresentFlag); \
1451	} while (0)
1452
1453	/*
1454	* Process all the extensions.
1455	*/
1456	for (uint32_t i = 0; i < pThis->T3.Extensions.cItems; i++)
1457	{
1458	PCRTASN1OBJID pExtnId = &pThis->T3.Extensions.papItems[i]->ExtnId;
1459	PCRTASN1OCTETSTRING pExtValue = &pThis->T3.Extensions.papItems[i]->ExtnValue;
1460	if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_KEY_USAGE_OID) == 0)
1461	{
1462	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE);
1463	rtCrx509TbsCertificate_AddKeyUsageFlags(pThis, pThis->T3.Extensions.papItems[i]);
1464	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
1465	}
1466	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_EXT_KEY_USAGE_OID) == 0)
1467	{
1468	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE);
1469	rtCrx509TbsCertificate_AddExtKeyUsageFlags(pThis, pThis->T3.Extensions.papItems[i]);
1470	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
1471	}
1472	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
1473	{
1474	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_AUTHORITY_KEY_IDENTIFIER);
1475	pThis->T3.pAuthorityKeyIdentifier = (PCRTCRX509AUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
1476	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_AUTHORITY_KEY_IDENTIFIER);
1477	}
1478	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_OLD_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
1479	{
1480	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_OLD_AUTHORITY_KEY_IDENTIFIER);
1481	pThis->T3.pOldAuthorityKeyIdentifier = (PCRTCRX509OLDAUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
1482	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_OLD_AUTHORITY_KEY_IDENTIFIER);
1483	}
1484	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID) == 0)
1485	{
1486	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_KEY_IDENTIFIER);
1487	pThis->T3.pSubjectKeyIdentifier = (PCRTASN1OCTETSTRING)pExtValue->pEncapsulated;
1488	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_OCTET_STRING);
1489	}
1490	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID) == 0)
1491	{
1492	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_ALT_NAME);
1493	pThis->T3.pAltSubjectName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
1494	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
1495	}
1496	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ISSUER_ALT_NAME_OID) == 0)
1497	{
1498	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_ISSUER_ALT_NAME);
1499	pThis->T3.pAltIssuerName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
1500	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
1501	}
1502	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID) == 0)
1503	{
1504	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_CERTIFICATE_POLICIES);
1505	pThis->T3.pCertificatePolicies = (PCRTCRX509CERTIFICATEPOLICIES)pExtValue->pEncapsulated;
1506	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_CERTIFICATE_POLICIES);
1507	}
1508	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_MAPPINGS_OID) == 0)
1509	{
1510	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_MAPPINGS);
1511	pThis->T3.pPolicyMappings = (PCRTCRX509POLICYMAPPINGS)pExtValue->pEncapsulated;
1512	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_POLICY_MAPPINGS);
1513	}
1514	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID) == 0)
1515	{
1516	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_BASIC_CONSTRAINTS);
1517	pThis->T3.pBasicConstraints = (PCRTCRX509BASICCONSTRAINTS)pExtValue->pEncapsulated;
1518	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_BASIC_CONSTRAINTS);
1519	}
1520	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_NAME_CONSTRAINTS_OID) == 0)
1521	{
1522	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_NAME_CONSTRAINTS);
1523	pThis->T3.pNameConstraints = (PCRTCRX509NAMECONSTRAINTS)pExtValue->pEncapsulated;
1524	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_NAME_CONSTRAINTS);
1525	}
1526	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID) == 0)
1527	{
1528	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_CONSTRAINTS);
1529	pThis->T3.pPolicyConstraints = (PCRTCRX509POLICYCONSTRAINTS)pExtValue->pEncapsulated;
1530	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_POLICY_CONSTRAINTS);
1531	}
1532	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID) == 0)
1533	{
1534	CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_INHIBIT_ANY_POLICY);
1535	pThis->T3.pInhibitAnyPolicy = (PCRTASN1INTEGER)pExtValue->pEncapsulated;
1536	Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_INTEGER);
1537	}
1538	else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ACCEPTABLE_CERT_POLICIES_OID) == 0)
1539	pThis->T3.fFlags \|= RTCRX509TBSCERTIFICATE_F_PRESENT_ACCEPTABLE_CERT_POLICIES;
1540	else
1541	pThis->T3.fFlags \|= RTCRX509TBSCERTIFICATE_F_PRESENT_OTHER;
1542	}
1543
1544	if (!pThis->T3.fFlags)
1545	pThis->T3.fFlags \|= RTCRX509TBSCERTIFICATE_F_PRESENT_NONE;
1546
1547	#undef CHECK_SET_PRESENT_RET_ON_DUP
1548	return VINF_SUCCESS;
1549	}
1550
1551
1552
1553	/*
1554	* One X.509 Certificate.
1555	*/
1556
1557	RTDECL(bool) RTCrX509Certificate_MatchIssuerAndSerialNumber(PCRTCRX509CERTIFICATE pCertificate,
1558	PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
1559	{
1560	if ( RTAsn1Integer_UnsignedCompare(&pCertificate->TbsCertificate.SerialNumber, pSerialNumber) == 0
1561	&& RTCrX509Name_Compare(&pCertificate->TbsCertificate.Issuer, pIssuer) == 0)
1562	return true;
1563	return false;
1564	}
1565
1566
1567	RTDECL(bool) RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(PCRTCRX509CERTIFICATE pThis, PCRTCRX509NAME pName)
1568	{
1569	if (RTCrX509Name_MatchByRfc5280(&pThis->TbsCertificate.Subject, pName))
1570	return true;
1571
1572	if (RTCrX509Extensions_IsPresent(&pThis->TbsCertificate.T3.Extensions))
1573	for (uint32_t i = 0; i < pThis->TbsCertificate.T3.Extensions.cItems; i++)
1574	{
1575	PCRTCRX509EXTENSION pExt = pThis->TbsCertificate.T3.Extensions.papItems[i];
1576	if ( pExt->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES
1577	&& RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID))
1578	{
1579	PCRTCRX509GENERALNAMES pGeneralNames = (PCRTCRX509GENERALNAMES)pExt->ExtnValue.pEncapsulated;
1580	for (uint32_t j = 0; j < pGeneralNames->cItems; j++)
1581	if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(pGeneralNames->papItems[j])
1582	&& RTCrX509Name_MatchByRfc5280(&pGeneralNames->papItems[j]->u.pT4->DirectoryName, pName))
1583	return true;
1584	}
1585	}
1586	return false;
1587	}
1588
1589
1590	RTDECL(bool) RTCrX509Certificate_IsSelfSigned(PCRTCRX509CERTIFICATE pCertificate)
1591	{
1592	if (RTCrX509Certificate_IsPresent(pCertificate))
1593	{
1594	return RTCrX509Name_MatchByRfc5280(&pCertificate->TbsCertificate.Subject,
1595	&pCertificate->TbsCertificate.Issuer);
1596	}
1597	return false;
1598	}
1599
1600
1601	/*
1602	* Set of X.509 Certificates.
1603	*/
1604
1605	RTDECL(PCRTCRX509CERTIFICATE)
1606	RTCrX509Certificates_FindByIssuerAndSerialNumber(PCRTCRX509CERTIFICATES pCertificates,
1607	PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
1608	{
1609	for (uint32_t i = 0; i < pCertificates->cItems; i++)
1610	if (RTCrX509Certificate_MatchIssuerAndSerialNumber(pCertificates->papItems[i], pIssuer, pSerialNumber))
1611	return pCertificates->papItems[i];
1612	return NULL;
1613	}
1614

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/Runtime/common/crypto/x509-core.cpp@ 76553

Download in other formats: