VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/x509-core.cpp@ 78306

Last change on this file since 78306 was 76553, checked in by vboxsync, 6 years ago

scm --update-copyright-year

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 59.9 KB
Line 
1/* $Id: x509-core.cpp 76553 2019-01-01 01:45:53Z vboxsync $ */
2/** @file
3 * IPRT - Crypto - X.509, Core APIs.
4 */
5
6/*
7 * Copyright (C) 2006-2019 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#include "internal/iprt.h"
32#include <iprt/crypto/x509.h>
33
34#include <iprt/err.h>
35#include <iprt/string.h>
36#include <iprt/uni.h>
37
38#include "x509-internal.h"
39
40
41/*
42 * Generate the code.
43 */
44#include <iprt/asn1-generator-core.h>
45
46
47/*
48 * X.509 Validity.
49 */
50
51RTDECL(bool) RTCrX509Validity_IsValidAtTimeSpec(PCRTCRX509VALIDITY pThis, PCRTTIMESPEC pTimeSpec)
52{
53 if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotBefore, pTimeSpec) > 0)
54 return false;
55 if (RTAsn1Time_CompareWithTimeSpec(&pThis->NotAfter, pTimeSpec) < 0)
56 return false;
57 return true;
58}
59
60
61/*
62 * One X.509 Algorithm Identifier.
63 */
64
65RTDECL(RTDIGESTTYPE) RTCrX509AlgorithmIdentifier_QueryDigestType(PCRTCRX509ALGORITHMIDENTIFIER pThis)
66{
67 AssertPtrReturn(pThis, RTDIGESTTYPE_INVALID);
68 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
69 return RTDIGESTTYPE_MD5;
70 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
71 return RTDIGESTTYPE_SHA1;
72 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
73 return RTDIGESTTYPE_SHA256;
74 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
75 return RTDIGESTTYPE_SHA512;
76
77 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
78 return RTDIGESTTYPE_SHA384;
79 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
80 return RTDIGESTTYPE_SHA224;
81 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
82 return RTDIGESTTYPE_SHA512T224;
83 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
84 return RTDIGESTTYPE_SHA512T256;
85 return RTDIGESTTYPE_INVALID;
86}
87
88
89RTDECL(uint32_t) RTCrX509AlgorithmIdentifier_QueryDigestSize(PCRTCRX509ALGORITHMIDENTIFIER pThis)
90{
91 AssertPtrReturn(pThis, UINT32_MAX);
92
93 /* common */
94 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD5))
95 return 128 / 8;
96 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
97 return 160 / 8;
98 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
99 return 256 / 8;
100 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
101 return 512 / 8;
102
103 /* Less common. */
104 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD2))
105 return 128 / 8;
106 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_MD4))
107 return 128 / 8;
108 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
109 return 384 / 8;
110 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
111 return 224 / 8;
112 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T224))
113 return 224 / 8;
114 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_SHA512T256))
115 return 256 / 8;
116 if (!strcmp(pThis->Algorithm.szObjId, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
117 return 512 / 8;
118
119 return UINT32_MAX;
120}
121
122
123RTDECL(int) RTCrX509AlgorithmIdentifier_CompareWithString(PCRTCRX509ALGORITHMIDENTIFIER pThis, const char *pszObjId)
124{
125 return strcmp(pThis->Algorithm.szObjId, pszObjId);
126}
127
128
129RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(const char *pszDigestOid,
130 const char *pszEncryptedDigestOid)
131{
132 /* common */
133 if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5))
134 {
135 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA))
136 return 0;
137 }
138 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1))
139 {
140 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA))
141 return 0;
142 }
143 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256))
144 {
145 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA))
146 return 0;
147 }
148 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512))
149 {
150 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA))
151 return 0;
152 }
153 /* Less common. */
154 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2))
155 {
156 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA))
157 return 0;
158 }
159 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4))
160 {
161 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA))
162 return 0;
163 }
164 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384))
165 {
166 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA))
167 return 0;
168 }
169 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224))
170 {
171 if (!strcmp(pszEncryptedDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA))
172 return 0;
173 }
174 else if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
175 {
176 /* ?? */
177 }
178 else
179 return -1;
180 return 1;
181}
182
183RTDECL(int) RTCrX509AlgorithmIdentifier_CompareDigestAndEncryptedDigest(PCRTCRX509ALGORITHMIDENTIFIER pDigest,
184 PCRTCRX509ALGORITHMIDENTIFIER pEncryptedDigest)
185{
186 return RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(pDigest->Algorithm.szObjId,
187 pEncryptedDigest->Algorithm.szObjId);
188}
189
190
191RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(const char *pszEncryptionOid,
192 const char *pszDigestOid)
193{
194 /* RSA: */
195 if (!strcmp(pszEncryptionOid, RTCRX509ALGORITHMIDENTIFIERID_RSA))
196 {
197 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5)
198 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA))
199 return RTCRX509ALGORITHMIDENTIFIERID_MD5_WITH_RSA;
200 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1)
201 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA))
202 return RTCRX509ALGORITHMIDENTIFIERID_SHA1_WITH_RSA;
203 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256)
204 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA))
205 return RTCRX509ALGORITHMIDENTIFIERID_SHA256_WITH_RSA;
206 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512)
207 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA))
208 return RTCRX509ALGORITHMIDENTIFIERID_SHA512_WITH_RSA;
209 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2)
210 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA))
211 return RTCRX509ALGORITHMIDENTIFIERID_MD2_WITH_RSA;
212 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4)
213 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA))
214 return RTCRX509ALGORITHMIDENTIFIERID_MD4_WITH_RSA;
215 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384)
216 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA))
217 return RTCRX509ALGORITHMIDENTIFIERID_SHA384_WITH_RSA;
218 if ( !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224)
219 || !strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA))
220 return RTCRX509ALGORITHMIDENTIFIERID_SHA224_WITH_RSA;
221
222 /* if (!strcmp(pszDigestOid, RTCRX509ALGORITHMIDENTIFIERID_WHIRLPOOL))
223 return ???; */
224 }
225 else if (RTCrX509AlgorithmIdentifier_CompareDigestOidAndEncryptedDigestOid(pszDigestOid, pszEncryptionOid) == 0)
226 return pszEncryptionOid;
227
228 AssertMsgFailed(("enc=%s hash=%s\n", pszEncryptionOid, pszDigestOid));
229 return NULL;
230}
231
232
233RTDECL(const char *) RTCrX509AlgorithmIdentifier_CombineEncryptionAndDigest(PCRTCRX509ALGORITHMIDENTIFIER pEncryption,
234 PCRTCRX509ALGORITHMIDENTIFIER pDigest)
235{
236 return RTCrX509AlgorithmIdentifier_CombineEncryptionOidAndDigestOid(pEncryption->Algorithm.szObjId,
237 pDigest->Algorithm.szObjId);
238}
239
240
241/*
242 * Set of X.509 Algorithm Identifiers.
243 */
244
245
246/*
247 * One X.509 AttributeTypeAndValue.
248 */
249
250
251/*
252 * Set of X.509 AttributeTypeAndValues / X.509 RelativeDistinguishedName.
253 */
254
255/**
256 * Slow code path of rtCrX509CanNameIsNothing.
257 *
258 * @returns true if @uc maps to nothing, false if not.
259 * @param uc The unicode code point.
260 */
261static bool rtCrX509CanNameIsNothingSlow(RTUNICP uc)
262{
263 switch (uc)
264 {
265 /* 2.2 Map - Paragraph 1: */
266 case 0x00ad:
267 case 0x1806:
268 case 0x034f:
269 case 0x180b: case 0x180c: case 0x180d:
270
271 case 0xfe00: case 0xfe01: case 0xfe02: case 0xfe03:
272 case 0xfe04: case 0xfe05: case 0xfe06: case 0xfe07:
273 case 0xfe08: case 0xfe09: case 0xfe0a: case 0xfe0b:
274 case 0xfe0c: case 0xfe0d: case 0xfe0e: case 0xfe0f:
275
276 case 0xfffc:
277
278 /* 2.2 Map - Paragraph 3 (control code/function): */
279 case 0x0000: case 0x0001: case 0x0002: case 0x0003:
280 case 0x0004: case 0x0005: case 0x0006: case 0x0007:
281 case 0x0008:
282
283 case 0x000e: case 0x000f:
284 case 0x0010: case 0x0011: case 0x0012: case 0x0013:
285 case 0x0014: case 0x0015: case 0x0016: case 0x0017:
286 case 0x0018: case 0x0019: case 0x001a: case 0x001b:
287 case 0x001c: case 0x001d: case 0x001e: case 0x001f:
288
289 case 0x007f:
290 case 0x0080: case 0x0081: case 0x0082: case 0x0083:
291 case 0x0084: /*case 0x0085:*/ case 0x0086: case 0x0087:
292 case 0x0088: case 0x0089: case 0x008a: case 0x008b:
293 case 0x008c: case 0x008d: case 0x008e: case 0x008f:
294 case 0x0090: case 0x0091: case 0x0092: case 0x0093:
295 case 0x0094: case 0x0095: case 0x0096: case 0x0097:
296 case 0x0098: case 0x0099: case 0x009a: case 0x009b:
297 case 0x009c: case 0x009d: case 0x009e: case 0x009f:
298
299 case 0x06dd:
300 case 0x070f:
301 case 0x180e:
302 case 0x200c: case 0x200d: case 0x200e: case 0x200f:
303 case 0x202a: case 0x202b: case 0x202c: case 0x202d: case 0x202e:
304 case 0x2060: case 0x2061: case 0x2062: case 0x2063:
305 case 0x206a: case 0x206b: case 0x206c: case 0x206d: case 0x206e: case 0x206f:
306 case 0xfeff:
307 case 0xfff9: case 0xfffa: case 0xfffb:
308 case 0x1d173: case 0x1d174: case 0x1d175: case 0x1d176: case 0x1d177: case 0x1d178: case 0x1d179: case 0x1d17a:
309 case 0xe0001:
310 case 0xe0020: case 0xe0021: case 0xe0022: case 0xe0023:
311 case 0xe0024: case 0xe0025: case 0xe0026: case 0xe0027:
312 case 0xe0028: case 0xe0029: case 0xe002a: case 0xe002b:
313 case 0xe002c: case 0xe002d: case 0xe002e: case 0xe002f:
314 case 0xe0030: case 0xe0031: case 0xe0032: case 0xe0033:
315 case 0xe0034: case 0xe0035: case 0xe0036: case 0xe0037:
316 case 0xe0038: case 0xe0039: case 0xe003a: case 0xe003b:
317 case 0xe003c: case 0xe003d: case 0xe003e: case 0xe003f:
318 case 0xe0040: case 0xe0041: case 0xe0042: case 0xe0043:
319 case 0xe0044: case 0xe0045: case 0xe0046: case 0xe0047:
320 case 0xe0048: case 0xe0049: case 0xe004a: case 0xe004b:
321 case 0xe004c: case 0xe004d: case 0xe004e: case 0xe004f:
322 case 0xe0050: case 0xe0051: case 0xe0052: case 0xe0053:
323 case 0xe0054: case 0xe0055: case 0xe0056: case 0xe0057:
324 case 0xe0058: case 0xe0059: case 0xe005a: case 0xe005b:
325 case 0xe005c: case 0xe005d: case 0xe005e: case 0xe005f:
326 case 0xe0060: case 0xe0061: case 0xe0062: case 0xe0063:
327 case 0xe0064: case 0xe0065: case 0xe0066: case 0xe0067:
328 case 0xe0068: case 0xe0069: case 0xe006a: case 0xe006b:
329 case 0xe006c: case 0xe006d: case 0xe006e: case 0xe006f:
330 case 0xe0070: case 0xe0071: case 0xe0072: case 0xe0073:
331 case 0xe0074: case 0xe0075: case 0xe0076: case 0xe0077:
332 case 0xe0078: case 0xe0079: case 0xe007a: case 0xe007b:
333 case 0xe007c: case 0xe007d: case 0xe007e: case 0xe007f:
334
335 /* 2.2 Map - Paragraph 4. */
336 case 0x200b:
337 return true;
338 }
339 return false;
340}
341
342
343/**
344 * Checks if @a uc maps to nothing according to mapping rules of RFC-5280 and
345 * RFC-4518.
346 *
347 * @returns true if @uc maps to nothing, false if not.
348 * @param uc The unicode code point.
349 */
350DECLINLINE(bool) rtCrX509CanNameIsNothing(RTUNICP uc)
351{
352 if (uc > 0x001f && uc < 0x00ad)
353 return false;
354 return rtCrX509CanNameIsNothingSlow(uc);
355}
356
357
358/**
359 * Slow code path of rtCrX509CanNameIsSpace.
360 *
361 * @returns true if space, false if not.
362 * @param uc The unicode code point.
363 */
364static bool rtCrX509CanNameIsSpaceSlow(RTUNICP uc)
365{
366 switch (uc)
367 {
368 /* 2.2 Map - Paragraph 2. */
369 case 0x09:
370 case 0x0a:
371 case 0x0b:
372 case 0x0c:
373 case 0x0d:
374 case 0x20:
375 case 0x0085:
376 case 0x00a0:
377 case 0x1680:
378 case 0x2000: case 0x2001: case 0x2002: case 0x2003:
379 case 0x2004: case 0x2005: case 0x2006: case 0x2007:
380 case 0x2008: case 0x2009: case 0x200a:
381 case 0x2028: case 0x2029:
382 case 0x202f:
383 case 0x205f:
384 case 0x3000:
385 return true;
386 }
387 return false;
388}
389
390
391/**
392 * Checks if @a uc is a space character according to the mapping rules of
393 * RFC-5280 and RFC-4518.
394 *
395 * @returns true if space, false if not.
396 * @param uc The unicode code point.
397 */
398DECLINLINE(bool) rtCrX509CanNameIsSpace(RTUNICP uc)
399{
400 if (uc < 0x0085)
401 {
402 if (uc > 0x0020)
403 return false;
404 if (uc == 0x0020) /* space */
405 return true;
406 }
407 return rtCrX509CanNameIsSpaceSlow(uc);
408}
409
410
411static const char *rtCrX509CanNameStripLeft(const char *psz, size_t *pcch)
412{
413 /*
414 * Return space when we've encountered the first non-space-non-nothing code point.
415 */
416 const char * const pszStart = psz;
417 const char *pszPrev;
418 for (;;)
419 {
420 pszPrev = psz;
421 RTUNICP uc;
422 int rc = RTStrGetCpEx(&psz, &uc);
423 AssertRCBreak(rc);
424 if (!uc)
425 {
426 if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
427 break;
428 /* NUL inside the string, maps to nothing => ignore it. */
429 }
430 else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
431 break;
432 }
433 *pcch -= pszPrev - pszStart;
434 return pszPrev;
435}
436
437
438static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowSpace(const char **ppsz, size_t *pcch)
439{
440 /*
441 * Return space when we've encountered the first non-space-non-nothing code point.
442 */
443 RTUNICP uc;
444 const char *psz = *ppsz;
445 const char * const pszStart = psz;
446 const char *pszPrev;
447 for (;;)
448 {
449 pszPrev = psz;
450 int rc = RTStrGetCpEx(&psz, &uc);
451 AssertRCBreakStmt(rc, uc = 0x20);
452 if (!uc)
453 {
454 if ((uintptr_t)(pszPrev - pszStart) >= *pcch)
455 {
456 uc = 0; /* End of string: Ignore trailing spaces. */
457 break;
458 }
459 /* NUL inside the string, maps to nothing => ignore it. */
460 }
461 else if (!rtCrX509CanNameIsSpace(uc) && !rtCrX509CanNameIsNothing(uc))
462 {
463 uc = 0x20; /* Return space before current char. */
464 break;
465 }
466 }
467
468 *ppsz = pszPrev;
469 *pcch -= pszPrev - pszStart;
470 return uc;
471}
472
473
474DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpIgnoreNul(const char **ppsz, size_t *pcch)
475{
476 while (*pcch > 0)
477 {
478 const char *psz = *ppsz;
479 RTUNICP uc = *psz;
480 if (uc < 0x80)
481 {
482 *pcch -= 1;
483 *ppsz = psz + 1;
484 }
485 else
486 {
487 int rc = RTStrGetCpEx(ppsz, &uc);
488 AssertRCReturn(rc, uc);
489 size_t cchCp = *ppsz - psz;
490 AssertReturn(cchCp <= *pcch, 0);
491 *pcch -= cchCp;
492 }
493 if (uc != 0)
494 return uc;
495 }
496 return 0;
497}
498
499
500static RTUNICP rtCrX509CanNameGetNextCpWithMappingSlowNothing(const char **ppsz, size_t *pcch)
501{
502 /*
503 * Return first code point which doesn't map to nothing. If we encounter
504 * a space, we defer to the mapping-after-space routine above.
505 */
506 for (;;)
507 {
508 RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
509 if (rtCrX509CanNameIsSpace(uc))
510 return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
511 if (!rtCrX509CanNameIsNothing(uc) || uc == 0)
512 return uc;
513 }
514}
515
516
517DECLINLINE(RTUNICP) rtCrX509CanNameGetNextCpWithMapping(const char **ppsz, size_t *pcch)
518{
519 RTUNICP uc = rtCrX509CanNameGetNextCpIgnoreNul(ppsz, pcch);
520 if (uc)
521 {
522 if (!rtCrX509CanNameIsSpace(uc))
523 {
524 if (!rtCrX509CanNameIsNothing(uc))
525 return uc;
526 return rtCrX509CanNameGetNextCpWithMappingSlowNothing(ppsz, pcch);
527 }
528 return rtCrX509CanNameGetNextCpWithMappingSlowSpace(ppsz, pcch);
529 }
530 return uc;
531}
532
533
534RTDECL(bool) RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(PCRTCRX509ATTRIBUTETYPEANDVALUE pLeft,
535 PCRTCRX509ATTRIBUTETYPEANDVALUE pRight)
536{
537 if (RTAsn1ObjId_Compare(&pLeft->Type, &pRight->Type) == 0)
538 {
539 /*
540 * Try for perfect match in case we get luck.
541 */
542#ifdef DEBUG_bird /* Want to test the complicated code path first */
543 if (pLeft->Value.enmType != RTASN1TYPE_STRING || pRight->Value.enmType != RTASN1TYPE_STRING)
544#endif
545 if (RTAsn1DynType_Compare(&pLeft->Value, &pRight->Value) == 0)
546 return true;
547
548 /*
549 * If both are string types, we can compare them according to RFC-5280.
550 */
551 if ( pLeft->Value.enmType == RTASN1TYPE_STRING
552 && pRight->Value.enmType == RTASN1TYPE_STRING)
553 {
554 size_t cchLeft;
555 const char *pszLeft;
556 int rc = RTAsn1String_QueryUtf8(&pLeft->Value.u.String, &pszLeft, &cchLeft);
557 if (RT_SUCCESS(rc))
558 {
559 size_t cchRight;
560 const char *pszRight;
561 rc = RTAsn1String_QueryUtf8(&pRight->Value.u.String, &pszRight, &cchRight);
562 if (RT_SUCCESS(rc))
563 {
564 /*
565 * Perform a simplified RFC-5280 comparsion.
566 * The algorithm as be relaxed on the following counts:
567 * 1. No unicode normalization.
568 * 2. Prohibited characters not checked for.
569 * 3. Bidirectional characters are not ignored.
570 */
571 pszLeft = rtCrX509CanNameStripLeft(pszLeft, &cchLeft);
572 pszRight = rtCrX509CanNameStripLeft(pszRight, &cchRight);
573 while (*pszLeft && *pszRight)
574 {
575 RTUNICP ucLeft = rtCrX509CanNameGetNextCpWithMapping(&pszLeft, &cchLeft);
576 RTUNICP ucRight = rtCrX509CanNameGetNextCpWithMapping(&pszRight, &cchRight);
577 if (ucLeft != ucRight)
578 {
579 ucLeft = RTUniCpToLower(ucLeft);
580 ucRight = RTUniCpToLower(ucRight);
581 if (ucLeft != ucRight)
582 return false;
583 }
584 }
585
586 return cchRight == 0 && cchLeft == 0;
587 }
588 }
589 }
590 }
591 return false;
592}
593
594
595RTDECL(bool) RTCrX509RelativeDistinguishedName_MatchByRfc5280(PCRTCRX509RELATIVEDISTINGUISHEDNAME pLeft,
596 PCRTCRX509RELATIVEDISTINGUISHEDNAME pRight)
597{
598 /*
599 * No match if the attribute count differs.
600 */
601 uint32_t const cItems = pLeft->cItems;
602 if (cItems == pRight->cItems)
603 {
604 /*
605 * Compare each attribute, but don't insist on the same order nor
606 * bother checking for duplicates (too complicated).
607 */
608 for (uint32_t iLeft = 0; iLeft < cItems; iLeft++)
609 {
610 PCRTCRX509ATTRIBUTETYPEANDVALUE pLeftAttr = pLeft->papItems[iLeft];
611 bool fFound = false;
612 for (uint32_t iRight = 0; iRight < cItems; iRight++)
613 if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pLeftAttr, pRight->papItems[iRight]))
614 {
615 fFound = true;
616 break;
617 }
618 if (!fFound)
619 return false;
620 }
621 return true;
622 }
623 return false;
624
625}
626
627
628/*
629 * X.509 Name.
630 */
631
632RTDECL(bool) RTCrX509Name_MatchByRfc5280(PCRTCRX509NAME pLeft, PCRTCRX509NAME pRight)
633{
634 uint32_t const cItems = pLeft->cItems;
635 if (cItems == pRight->cItems)
636 {
637 /* Require exact order. */
638 for (uint32_t iRdn = 0; iRdn < cItems; iRdn++)
639 if (!RTCrX509RelativeDistinguishedName_MatchByRfc5280(pLeft->papItems[iRdn], pRight->papItems[iRdn]))
640 return false;
641 return true;
642 }
643 return false;
644}
645
646
647RTDECL(bool) RTCrX509Name_ConstraintMatch(PCRTCRX509NAME pConstraint, PCRTCRX509NAME pName)
648{
649 /*
650 * Check that the constraint is a prefix of the name. This means that
651 * the name must have at least as many components and the constraint.
652 */
653 if (pName->cItems >= pConstraint->cItems)
654 {
655 /*
656 * Parallel crawl of the two RDNs arrays.
657 */
658 for (uint32_t i = 0; pConstraint->cItems; i++)
659 {
660 PCRTCRX509RELATIVEDISTINGUISHEDNAME pConstrRdns = pConstraint->papItems[i];
661 PCRTCRX509RELATIVEDISTINGUISHEDNAME pNameRdns = pName->papItems[i];
662
663 /*
664 * Walk the constraint attribute & value array.
665 */
666 for (uint32_t iConstrAttrib = 0; iConstrAttrib < pConstrRdns->cItems; iConstrAttrib++)
667 {
668 PCRTCRX509ATTRIBUTETYPEANDVALUE pConstrAttrib = pConstrRdns->papItems[iConstrAttrib];
669
670 /*
671 * Find matching attribute & value in the name.
672 */
673 bool fFound = false;
674 for (uint32_t iNameAttrib = 0; iNameAttrib < pNameRdns->cItems; iNameAttrib++)
675 if (RTCrX509AttributeTypeAndValue_MatchAsRdnByRfc5280(pConstrAttrib, pNameRdns->papItems[iNameAttrib]))
676 {
677 fFound = true;
678 break;
679 }
680 if (fFound)
681 return false;
682 }
683 }
684 return true;
685 }
686 return false;
687}
688
689
690/**
691 * Mapping between X.500 object IDs and short and long names.
692 *
693 * See RFC-1327, RFC-4519 ...
694 */
695static struct
696{
697 const char *pszOid;
698 const char *pszShortNm;
699 size_t cchShortNm;
700 const char *pszLongNm;
701} const g_aRdnMap[] =
702{
703 { "0.9.2342.19200300.100.1.3", RT_STR_TUPLE("Mail"), "Rfc822Mailbox" },
704 { "0.9.2342.19200300.100.1.25", RT_STR_TUPLE("DC"), "DomainComponent" },
705 { "1.2.840.113549.1.9.1", RT_STR_TUPLE("Email") /*nonstandard*/,"EmailAddress" },
706 { "2.5.4.3", RT_STR_TUPLE("CN"), "CommonName" },
707 { "2.5.4.4", RT_STR_TUPLE("SN"), "Surname" },
708 { "2.5.4.5", RT_STR_TUPLE("SRN") /*nonstandard*/, "SerialNumber" },
709 { "2.5.4.6", RT_STR_TUPLE("C"), "CountryName" },
710 { "2.5.4.7", RT_STR_TUPLE("L"), "LocalityName" },
711 { "2.5.4.8", RT_STR_TUPLE("ST"), "StateOrProviceName" },
712 { "2.5.4.9", RT_STR_TUPLE("street"), "Street" },
713 { "2.5.4.10", RT_STR_TUPLE("O"), "OrganizationName" },
714 { "2.5.4.11", RT_STR_TUPLE("OU"), "OrganizationalUnitName" },
715 { "2.5.4.12", RT_STR_TUPLE("title"), "Title" },
716 { "2.5.4.13", RT_STR_TUPLE("desc"), "Description" },
717 { "2.5.4.15", RT_STR_TUPLE("BC") /*nonstandard*/, "BusinessCategory" },
718 { "2.5.4.17", RT_STR_TUPLE("ZIP") /*nonstandard*/, "PostalCode" },
719 { "2.5.4.18", RT_STR_TUPLE("POBox") /*nonstandard*/,"PostOfficeBox" },
720 { "2.5.4.20", RT_STR_TUPLE("PN") /*nonstandard*/, "TelephoneNumber" },
721 { "2.5.4.33", RT_STR_TUPLE("RO") /*nonstandard*/, "RoleOccupant" },
722 { "2.5.4.34", RT_STR_TUPLE("SA") /*nonstandard*/, "StreetAddress" },
723 { "2.5.4.41", RT_STR_TUPLE("N") /*nonstandard*/, "Name" },
724 { "2.5.4.42", RT_STR_TUPLE("GN"), "GivenName" },
725 { "2.5.4.43", RT_STR_TUPLE("I") /*nonstandard*/, "Initials" },
726 { "2.5.4.44", RT_STR_TUPLE("GQ") /*nonstandard*/, "GenerationQualifier" },
727 { "2.5.4.46", RT_STR_TUPLE("DNQ") /*nonstandard*/, "DNQualifier" },
728 { "2.5.4.51", RT_STR_TUPLE("HID") /*nonstandard*/, "HouseIdentifier" },
729};
730
731
732RTDECL(const char *) RTCrX509Name_GetShortRdn(PCRTASN1OBJID pRdnId)
733{
734 uint32_t iName = RT_ELEMENTS(g_aRdnMap);
735 while (iName-- > 0)
736 if (RTAsn1ObjId_CompareWithString(pRdnId, g_aRdnMap[iName].pszOid) == 0)
737 return g_aRdnMap[iName].pszShortNm;
738 return NULL;
739}
740
741
742RTDECL(bool) RTCrX509Name_MatchWithString(PCRTCRX509NAME pThis, const char *pszString)
743{
744 /* Keep track of the string length. */
745 size_t cchString = strlen(pszString);
746
747 /*
748 * The usual double loop for walking the components.
749 */
750 for (uint32_t i = 0; i < pThis->cItems; i++)
751 {
752 PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = pThis->papItems[i];
753 for (uint32_t j = 0; j < pRdn->cItems; j++)
754 {
755 PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = pRdn->papItems[j];
756
757 /*
758 * Must be a string.
759 */
760 if (pComponent->Value.enmType != RTASN1TYPE_STRING)
761 return false;
762
763 /*
764 * Look up the component name prefix and check whether it's also in the string.
765 */
766 uint32_t iName = RT_ELEMENTS(g_aRdnMap);
767 while (iName-- > 0)
768 if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
769 break;
770 AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId), false);
771
772 if ( strncmp(pszString, g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm) != 0
773 || pszString[g_aRdnMap[iName].cchShortNm] != '=')
774 return false;
775
776 pszString += g_aRdnMap[iName].cchShortNm + 1;
777 cchString -= g_aRdnMap[iName].cchShortNm + 1;
778
779 /*
780 * Compare the component string.
781 */
782 size_t cchComponent;
783 int rc = RTAsn1String_QueryUtf8Len(&pComponent->Value.u.String, &cchComponent);
784 AssertRCReturn(rc, false);
785
786 if (cchComponent > cchString)
787 return false;
788 if (RTAsn1String_CompareWithString(&pComponent->Value.u.String, pszString, cchComponent) != 0)
789 return false;
790
791 cchString -= cchComponent;
792 pszString += cchComponent;
793
794 /*
795 * Check separator comma + space and skip extra spaces before the next component.
796 */
797 if (cchString)
798 {
799 if (pszString[0] != ',')
800 return false;
801 if (pszString[1] != ' ' && pszString[1] != '\t')
802 return false;
803 pszString += 2;
804 cchString -= 2;
805
806 while (*pszString == ' ' || *pszString == '\t')
807 {
808 pszString++;
809 cchString--;
810 }
811 }
812 }
813 }
814
815 /*
816 * If we got thru the whole name and the whole string, we're good.
817 */
818 return *pszString == '\0';
819}
820
821
822RTDECL(int) RTCrX509Name_FormatAsString(PCRTCRX509NAME pThis, char *pszBuf, size_t cbBuf, size_t *pcbActual)
823{
824 /*
825 * The usual double loop for walking the components.
826 */
827 size_t off = 0;
828 int rc = VINF_SUCCESS;
829 for (uint32_t i = 0; i < pThis->cItems; i++)
830 {
831 PCRTCRX509RELATIVEDISTINGUISHEDNAME pRdn = pThis->papItems[i];
832 for (uint32_t j = 0; j < pRdn->cItems; j++)
833 {
834 PCRTCRX509ATTRIBUTETYPEANDVALUE pComponent = pRdn->papItems[j];
835
836 /*
837 * Must be a string.
838 */
839 if (pComponent->Value.enmType != RTASN1TYPE_STRING)
840 return VERR_CR_X509_NAME_NOT_STRING;
841
842 /*
843 * Look up the component name prefix.
844 */
845 uint32_t iName = RT_ELEMENTS(g_aRdnMap);
846 while (iName-- > 0)
847 if (RTAsn1ObjId_CompareWithString(&pComponent->Type, g_aRdnMap[iName].pszOid) == 0)
848 break;
849 AssertMsgReturn(iName != UINT32_MAX, ("Please extend g_aRdnMap with '%s'.\n", pComponent->Type.szObjId),
850 VERR_CR_X509_NAME_MISSING_RDN_MAP_ENTRY);
851
852 /*
853 * Append the prefix.
854 */
855 if (off)
856 {
857 if (off + 2 < cbBuf)
858 {
859 pszBuf[off] = ',';
860 pszBuf[off + 1] = ' ';
861 }
862 else
863 rc = VERR_BUFFER_OVERFLOW;
864 off += 2;
865 }
866
867 if (off + g_aRdnMap[iName].cchShortNm + 1 < cbBuf)
868 {
869 memcpy(&pszBuf[off], g_aRdnMap[iName].pszShortNm, g_aRdnMap[iName].cchShortNm);
870 pszBuf[off + g_aRdnMap[iName].cchShortNm] = '=';
871 }
872 else
873 rc = VERR_BUFFER_OVERFLOW;
874 off += g_aRdnMap[iName].cchShortNm + 1;
875
876 /*
877 * Add the component string.
878 */
879 const char *pszUtf8;
880 size_t cchUtf8;
881 int rc2 = RTAsn1String_QueryUtf8(&pComponent->Value.u.String, &pszUtf8, &cchUtf8);
882 AssertRCReturn(rc2, rc2);
883 if (off + cchUtf8 < cbBuf)
884 memcpy(&pszBuf[off], pszUtf8, cchUtf8);
885 else
886 rc = VERR_BUFFER_OVERFLOW;
887 off += cchUtf8;
888 }
889 }
890
891 if (pcbActual)
892 *pcbActual = off + 1;
893 if (off < cbBuf)
894 pszBuf[off] = '\0';
895 return rc;
896}
897
898
899
900/*
901 * One X.509 GeneralName.
902 */
903
904/**
905 * Name constraint matching (RFC-5280): DNS Name.
906 *
907 * @returns true on match, false on mismatch.
908 * @param pConstraint The constraint name.
909 * @param pName The name to match against the constraint.
910 */
911static bool rtCrX509GeneralName_ConstraintMatchDnsName(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
912{
913 /*
914 * Empty constraint string is taken to match everything.
915 */
916 if (pConstraint->u.pT2_DnsName->Asn1Core.cb == 0)
917 return true;
918
919 /*
920 * Get the UTF-8 strings for the two.
921 */
922 size_t cchConstraint;
923 char const *pszConstraint;
924 int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT2_DnsName, &pszConstraint, &cchConstraint);
925 if (RT_SUCCESS(rc))
926 {
927 size_t cchFull;
928 char const *pszFull;
929 rc = RTAsn1String_QueryUtf8(pName->u.pT2_DnsName, &pszFull, &cchFull);
930 if (RT_SUCCESS(rc))
931 {
932 /*
933 * No match if the constraint is longer.
934 */
935 if (cchConstraint > cchFull)
936 return false;
937
938 /*
939 * No match if the constraint and name tail doesn't match
940 * in a case-insensitive compare.
941 */
942 size_t offFull = cchFull - cchConstraint;
943 if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
944 return false;
945 if (!offFull)
946 return true;
947
948 /*
949 * The matching constraint must be delimited by a dot in the full
950 * name. There seems to be some discussion whether ".oracle.com"
951 * should match "www..oracle.com". This implementation does choose
952 * to not succeed in that case.
953 */
954 if ((pszFull[offFull - 1] == '.') ^ (pszFull[offFull] == '.'))
955 return true;
956
957 return false;
958 }
959 }
960
961 /* fall back. */
962 return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
963}
964
965
966/**
967 * Name constraint matching (RFC-5280): RFC-822 (email).
968 *
969 * @returns true on match, false on mismatch.
970 * @param pConstraint The constraint name.
971 * @param pName The name to match against the constraint.
972 */
973static bool rtCrX509GeneralName_ConstraintMatchRfc822Name(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
974{
975 /*
976 * Empty constraint string is taken to match everything.
977 */
978 if (pConstraint->u.pT1_Rfc822->Asn1Core.cb == 0)
979 return true;
980
981 /*
982 * Get the UTF-8 strings for the two.
983 */
984 size_t cchConstraint;
985 char const *pszConstraint;
986 int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT1_Rfc822, &pszConstraint, &cchConstraint);
987 if (RT_SUCCESS(rc))
988 {
989 size_t cchFull;
990 char const *pszFull;
991 rc = RTAsn1String_QueryUtf8(pName->u.pT1_Rfc822, &pszFull, &cchFull);
992 if (RT_SUCCESS(rc))
993 {
994 /*
995 * No match if the constraint is longer.
996 */
997 if (cchConstraint > cchFull)
998 return false;
999
1000 /*
1001 * A lone dot matches everything.
1002 */
1003 if (cchConstraint == 1 && *pszConstraint == '.')
1004 return true;
1005
1006 /*
1007 * If there is a '@' in the constraint, the entire address must match.
1008 */
1009 const char *pszConstraintAt = (const char *)memchr(pszConstraint, '@', cchConstraint);
1010 if (pszConstraintAt)
1011 return cchConstraint == cchFull && RTStrICmp(pszConstraint, pszFull) == 0;
1012
1013 /*
1014 * No match if the constraint and name tail doesn't match
1015 * in a case-insensitive compare.
1016 */
1017 size_t offFull = cchFull - cchConstraint;
1018 if (RTStrICmp(&pszFull[offFull], pszConstraint) != 0)
1019 return false;
1020
1021 /*
1022 * If the constraint starts with a dot, we're supposed to be
1023 * satisfied with a tail match.
1024 */
1025 /** @todo Check if this should match even if offFull == 0. */
1026 if (*pszConstraint == '.')
1027 return true;
1028
1029 /*
1030 * Otherwise, we require a hostname match and thus expect an '@'
1031 * immediatly preceding the constraint match.
1032 */
1033 if (pszFull[offFull - 1] == '@')
1034 return true;
1035
1036 return false;
1037 }
1038 }
1039
1040 /* fall back. */
1041 return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1042}
1043
1044
1045/**
1046 * Extracts the hostname from an URI.
1047 *
1048 * @returns true if successfully extract, false if no hostname present.
1049 * @param pszUri The URI.
1050 * @param pchHostName .
1051 * @param pcchHostName .
1052 */
1053static bool rtCrX509GeneralName_ExtractHostName(const char *pszUri, const char **pchHostName, size_t *pcchHostName)
1054{
1055 /*
1056 * Skip the schema name.
1057 */
1058 const char *pszStart = strchr(pszUri, ':');
1059 while (pszStart && (pszStart[1] != '/' || pszStart[2] != '/'))
1060 pszStart = strchr(pszStart + 1, ':');
1061 if (pszStart)
1062 {
1063 pszStart += 3;
1064
1065 /*
1066 * The name ends with the first slash or ":port".
1067 */
1068 const char *pszEnd = strchr(pszStart, '/');
1069 if (!pszEnd)
1070 pszEnd = strchr(pszStart, '\0');
1071 if (memchr(pszStart, ':', pszEnd - pszStart))
1072 do
1073 pszEnd--;
1074 while (*pszEnd != ':');
1075 if (pszEnd != pszStart)
1076 {
1077 /*
1078 * Drop access credentials at the front of the string if present.
1079 */
1080 const char *pszAt = (const char *)memchr(pszStart, '@', pszEnd - pszStart);
1081 if (pszAt)
1082 pszStart = pszAt + 1;
1083
1084 /*
1085 * If there is still some string left, that's the host name.
1086 */
1087 if (pszEnd != pszStart)
1088 {
1089 *pcchHostName = pszEnd - pszStart;
1090 *pchHostName = pszStart;
1091 return true;
1092 }
1093 }
1094 }
1095
1096 *pcchHostName = 0;
1097 *pchHostName = NULL;
1098 return false;
1099}
1100
1101
1102/**
1103 * Name constraint matching (RFC-5280): URI.
1104 *
1105 * @returns true on match, false on mismatch.
1106 * @param pConstraint The constraint name.
1107 * @param pName The name to match against the constraint.
1108 */
1109static bool rtCrX509GeneralName_ConstraintMatchUri(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1110{
1111 /*
1112 * Empty constraint string is taken to match everything.
1113 */
1114 if (pConstraint->u.pT6_Uri->Asn1Core.cb == 0)
1115 return true;
1116
1117 /*
1118 * Get the UTF-8 strings for the two.
1119 */
1120 size_t cchConstraint;
1121 char const *pszConstraint;
1122 int rc = RTAsn1String_QueryUtf8(pConstraint->u.pT6_Uri, &pszConstraint, &cchConstraint);
1123 if (RT_SUCCESS(rc))
1124 {
1125 size_t cchFull;
1126 char const *pszFull;
1127 rc = RTAsn1String_QueryUtf8(pName->u.pT6_Uri, &pszFull, &cchFull);
1128 if (RT_SUCCESS(rc))
1129 {
1130 /*
1131 * Isolate the hostname in the name.
1132 */
1133 size_t cchHostName;
1134 const char *pchHostName;
1135 if (rtCrX509GeneralName_ExtractHostName(pszFull, &pchHostName, &cchHostName))
1136 {
1137 /*
1138 * Domain constraint.
1139 */
1140 if (*pszConstraint == '.')
1141 {
1142 if (cchHostName >= cchConstraint)
1143 {
1144 size_t offHostName = cchHostName - cchConstraint;
1145 if (RTStrICmp(&pchHostName[offHostName], pszConstraint) == 0)
1146 {
1147 /* "http://www..oracle.com" does not match ".oracle.com".
1148 It's debatable whether "http://.oracle.com/" should match. */
1149 if ( !offHostName
1150 || pchHostName[offHostName - 1] != '.')
1151 return true;
1152 }
1153 }
1154 }
1155 /*
1156 * Host name constraint. Full match required.
1157 */
1158 else if ( cchHostName == cchConstraint
1159 && RTStrNICmp(pchHostName, pszConstraint, cchHostName) == 0)
1160 return true;
1161 }
1162 return false;
1163 }
1164 }
1165
1166 /* fall back. */
1167 return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1168}
1169
1170
1171/**
1172 * Name constraint matching (RFC-5280): IP address.
1173 *
1174 * @returns true on match, false on mismatch.
1175 * @param pConstraint The constraint name.
1176 * @param pName The name to match against the constraint.
1177 */
1178static bool rtCrX509GeneralName_ConstraintMatchIpAddress(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1179{
1180 uint8_t const *pbConstraint = pConstraint->u.pT7_IpAddress->Asn1Core.uData.pu8;
1181 uint8_t const *pbFull = pName->u.pT7_IpAddress->Asn1Core.uData.pu8;
1182
1183 /*
1184 * IPv4.
1185 */
1186 if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 8 /* ip+netmask*/
1187 && pName->u.pT7_IpAddress->Asn1Core.cb == 4) /* ip */
1188 return ((pbFull[0] ^ pbConstraint[0]) & pbConstraint[4]) == 0
1189 && ((pbFull[1] ^ pbConstraint[1]) & pbConstraint[5]) == 0
1190 && ((pbFull[2] ^ pbConstraint[2]) & pbConstraint[6]) == 0
1191 && ((pbFull[3] ^ pbConstraint[3]) & pbConstraint[7]) == 0;
1192
1193 /*
1194 * IPv6.
1195 */
1196 if ( pConstraint->u.pT7_IpAddress->Asn1Core.cb == 32 /* ip+netmask*/
1197 && pName->u.pT7_IpAddress->Asn1Core.cb == 16) /* ip */
1198 {
1199 for (uint32_t i = 0; i < 16; i++)
1200 if (((pbFull[i] ^ pbConstraint[i]) & pbConstraint[i + 16]) != 0)
1201 return false;
1202 return true;
1203 }
1204
1205 return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1206}
1207
1208
1209RTDECL(bool) RTCrX509GeneralName_ConstraintMatch(PCRTCRX509GENERALNAME pConstraint, PCRTCRX509GENERALNAME pName)
1210{
1211 if (pConstraint->enmChoice == pName->enmChoice)
1212 {
1213 if (RTCRX509GENERALNAME_IS_DIRECTORY_NAME(pConstraint))
1214 return RTCrX509Name_ConstraintMatch(&pConstraint->u.pT4->DirectoryName, &pName->u.pT4->DirectoryName);
1215
1216 if (RTCRX509GENERALNAME_IS_DNS_NAME(pConstraint))
1217 return rtCrX509GeneralName_ConstraintMatchDnsName(pConstraint, pName);
1218
1219 if (RTCRX509GENERALNAME_IS_RFC822_NAME(pConstraint))
1220 return rtCrX509GeneralName_ConstraintMatchRfc822Name(pConstraint, pName);
1221
1222 if (RTCRX509GENERALNAME_IS_URI(pConstraint))
1223 return rtCrX509GeneralName_ConstraintMatchUri(pConstraint, pName);
1224
1225 if (RTCRX509GENERALNAME_IS_IP_ADDRESS(pConstraint))
1226 return rtCrX509GeneralName_ConstraintMatchIpAddress(pConstraint, pName);
1227
1228 AssertFailed();
1229 return RTCrX509GeneralName_Compare(pConstraint, pName) == 0;
1230 }
1231 return false;
1232}
1233
1234
1235/*
1236 * Sequence of X.509 GeneralNames.
1237 */
1238
1239
1240/*
1241 * X.509 UniqueIdentifier.
1242 */
1243
1244
1245/*
1246 * X.509 SubjectPublicKeyInfo.
1247 */
1248
1249
1250/*
1251 * X.509 AuthorityKeyIdentifier (IPRT representation).
1252 */
1253
1254
1255/*
1256 * One X.509 PolicyQualifierInfo.
1257 */
1258
1259
1260/*
1261 * Sequence of X.509 PolicyQualifierInfo.
1262 */
1263
1264
1265/*
1266 * One X.509 PolicyInformation.
1267 */
1268
1269
1270/*
1271 * Sequence of X.509 CertificatePolicies.
1272 */
1273
1274
1275/*
1276 * One X.509 PolicyMapping (IPRT representation).
1277 */
1278
1279
1280/*
1281 * Sequence of X.509 PolicyMappings (IPRT representation).
1282 */
1283
1284
1285/*
1286 * X.509 BasicConstraints (IPRT representation).
1287 */
1288
1289
1290/*
1291 * X.509 GeneralSubtree (IPRT representation).
1292 */
1293
1294
1295RTDECL(bool) RTCrX509GeneralSubtree_ConstraintMatch(PCRTCRX509GENERALSUBTREE pConstraint, PCRTCRX509GENERALSUBTREE pName)
1296{
1297 return RTCrX509GeneralName_ConstraintMatch(&pConstraint->Base, &pName->Base);
1298}
1299
1300
1301/*
1302 * Sequence of X.509 GeneralSubtrees (IPRT representation).
1303 */
1304
1305
1306/*
1307 * X.509 NameConstraints (IPRT representation).
1308 */
1309
1310
1311/*
1312 * X.509 PolicyConstraints (IPRT representation).
1313 */
1314
1315
1316/*
1317 * One X.509 Extension.
1318 */
1319
1320
1321/*
1322 * Sequence of X.509 Extensions.
1323 */
1324
1325
1326/*
1327 * X.509 TbsCertificate.
1328 */
1329
1330static void rtCrx509TbsCertificate_AddKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
1331{
1332 AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
1333 /* 3 = 1 byte for unused bit count, followed by one or two bytes containing actual bits. RFC-5280 defines bits 0 thru 8. */
1334 AssertReturnVoid(pExtension->ExtnValue.pEncapsulated->cb <= 3);
1335 pThis->T3.fKeyUsage |= (uint32_t)RTAsn1BitString_GetAsUInt64((PCRTASN1BITSTRING)pExtension->ExtnValue.pEncapsulated);
1336}
1337
1338
1339static void rtCrx509TbsCertificate_AddExtKeyUsageFlags(PRTCRX509TBSCERTIFICATE pThis, PCRTCRX509EXTENSION pExtension)
1340{
1341 AssertReturnVoid(pExtension->enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
1342 PCRTASN1SEQOFOBJIDS pObjIds = (PCRTASN1SEQOFOBJIDS)pExtension->ExtnValue.pEncapsulated;
1343 uint32_t i = pObjIds->cItems;
1344 while (i-- > 0)
1345 {
1346
1347 if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_ANY_EXTENDED_KEY_USAGE_OID) == 0)
1348 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_ANY;
1349 else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], RTCRX509_ID_KP_OID))
1350 {
1351 if (RTAsn1ObjIdCountComponents(pObjIds->papItems[i]) == 9)
1352 switch (RTAsn1ObjIdGetLastComponentsAsUInt32(pObjIds->papItems[i]))
1353 {
1354 case 1: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_SERVER_AUTH; break;
1355 case 2: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_CLIENT_AUTH; break;
1356 case 3: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_CODE_SIGNING; break;
1357 case 4: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_EMAIL_PROTECTION; break;
1358 case 5: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_IPSEC_END_SYSTEM; break;
1359 case 6: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_IPSEC_TUNNEL; break;
1360 case 7: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_IPSEC_USER; break;
1361 case 8: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_TIMESTAMPING; break;
1362 case 9: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OCSP_SIGNING; break;
1363 case 10: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_DVCS; break;
1364 case 11: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_SBGP_CERT_AA_SERVICE_AUTH; break;
1365 case 13: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_EAP_OVER_PPP; break;
1366 case 14: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_EAP_OVER_LAN; break;
1367 default: pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER; break;
1368 }
1369 else
1370 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
1371 }
1372 else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], RTCRX509_APPLE_EKU_APPLE_EXTENDED_KEY_USAGE_OID))
1373 {
1374 if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_OID) == 0)
1375 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING;
1376 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_DEVELOPMENT_OID) == 0)
1377 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_DEVELOPMENT;
1378 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_SOFTWARE_UPDATE_SIGNING_OID) == 0)
1379 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_SOFTWARE_UPDATE_SIGNING;
1380 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_CODE_SIGNING_THRID_PARTY_OID) == 0)
1381 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_CODE_SIGNING_THIRD_PARTY;
1382 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_RESOURCE_SIGNING_OID) == 0)
1383 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_RESOURCE_SIGNING;
1384 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_APPLE_EKU_SYSTEM_IDENTITY_OID) == 0)
1385 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_APPLE_SYSTEM_IDENTITY;
1386 else
1387 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
1388 }
1389 else if (RTAsn1ObjId_StartsWith(pObjIds->papItems[i], "1.3.6.1.4.1.311"))
1390 {
1391 if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_TIMESTAMP_SIGNING_OID) == 0)
1392 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_TIMESTAMP_SIGNING;
1393 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_NT5_CRYPTO_OID) == 0)
1394 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_NT5_CRYPTO;
1395 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_OEM_WHQL_CRYPTO_OID) == 0)
1396 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_OEM_WHQL_CRYPTO;
1397 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_EMBEDDED_NT_CRYPTO_OID) == 0)
1398 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_EMBEDDED_NT_CRYPTO;
1399 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_KERNEL_MODE_CODE_SIGNING_OID) == 0)
1400 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_KERNEL_MODE_CODE_SIGNING;
1401 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_LIFETIME_SIGNING_OID) == 0)
1402 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_LIFETIME_SIGNING;
1403 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_DRM_OID) == 0)
1404 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_DRM;
1405 else if (RTAsn1ObjId_CompareWithString(pObjIds->papItems[i], RTCRX509_MS_EKU_DRM_INDIVIDUALIZATION_OID) == 0)
1406 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_MS_DRM_INDIVIDUALIZATION;
1407 else
1408 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
1409 }
1410 else
1411 pThis->T3.fExtKeyUsage |= RTCRX509CERT_EKU_F_OTHER;
1412 }
1413}
1414
1415
1416/**
1417 * (Re-)Process the certificate extensions.
1418 *
1419 * Will fail if duplicate extensions are encountered.
1420 *
1421 * @returns IPRT status code.
1422 * @param pThis The to-be-signed certificate part.
1423 * @param pErrInfo Where to return extended error details,
1424 * optional.
1425 */
1426RTDECL(int) RTCrX509TbsCertificate_ReprocessExtensions(PRTCRX509TBSCERTIFICATE pThis, PRTERRINFO pErrInfo)
1427{
1428 /*
1429 * Clear all variables we will set.
1430 */
1431 pThis->T3.fFlags = 0;
1432 pThis->T3.fKeyUsage = 0;
1433 pThis->T3.fExtKeyUsage = 0;
1434 pThis->T3.pAuthorityKeyIdentifier = NULL;
1435 pThis->T3.pSubjectKeyIdentifier = NULL;
1436 pThis->T3.pAltSubjectName = NULL;
1437 pThis->T3.pAltIssuerName = NULL;
1438 pThis->T3.pCertificatePolicies = NULL;
1439 pThis->T3.pPolicyMappings = NULL;
1440 pThis->T3.pBasicConstraints = NULL;
1441 pThis->T3.pNameConstraints = NULL;
1442 pThis->T3.pPolicyConstraints = NULL;
1443 pThis->T3.pInhibitAnyPolicy = NULL;
1444
1445#define CHECK_SET_PRESENT_RET_ON_DUP(a_pThis, a_pErrInfo, a_fPresentFlag) \
1446 do { \
1447 if ((a_pThis)->T3.fFlags & (a_fPresentFlag)) \
1448 return RTErrInfoSet(a_pErrInfo, VERR_CR_X509_TBSCERT_DUPLICATE_EXTENSION, \
1449 "Duplicate extension " #a_fPresentFlag); \
1450 (a_pThis)->T3.fFlags |= (a_fPresentFlag); \
1451 } while (0)
1452
1453 /*
1454 * Process all the extensions.
1455 */
1456 for (uint32_t i = 0; i < pThis->T3.Extensions.cItems; i++)
1457 {
1458 PCRTASN1OBJID pExtnId = &pThis->T3.Extensions.papItems[i]->ExtnId;
1459 PCRTASN1OCTETSTRING pExtValue = &pThis->T3.Extensions.papItems[i]->ExtnValue;
1460 if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_KEY_USAGE_OID) == 0)
1461 {
1462 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE);
1463 rtCrx509TbsCertificate_AddKeyUsageFlags(pThis, pThis->T3.Extensions.papItems[i]);
1464 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_BIT_STRING);
1465 }
1466 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_EXT_KEY_USAGE_OID) == 0)
1467 {
1468 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_EXT_KEY_USAGE);
1469 rtCrx509TbsCertificate_AddExtKeyUsageFlags(pThis, pThis->T3.Extensions.papItems[i]);
1470 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_SEQ_OF_OBJ_IDS);
1471 }
1472 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
1473 {
1474 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_AUTHORITY_KEY_IDENTIFIER);
1475 pThis->T3.pAuthorityKeyIdentifier = (PCRTCRX509AUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
1476 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_AUTHORITY_KEY_IDENTIFIER);
1477 }
1478 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_OLD_AUTHORITY_KEY_IDENTIFIER_OID) == 0)
1479 {
1480 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_OLD_AUTHORITY_KEY_IDENTIFIER);
1481 pThis->T3.pOldAuthorityKeyIdentifier = (PCRTCRX509OLDAUTHORITYKEYIDENTIFIER)pExtValue->pEncapsulated;
1482 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_OLD_AUTHORITY_KEY_IDENTIFIER);
1483 }
1484 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_KEY_IDENTIFIER_OID) == 0)
1485 {
1486 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_KEY_IDENTIFIER);
1487 pThis->T3.pSubjectKeyIdentifier = (PCRTASN1OCTETSTRING)pExtValue->pEncapsulated;
1488 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_OCTET_STRING);
1489 }
1490 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID) == 0)
1491 {
1492 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_SUBJECT_ALT_NAME);
1493 pThis->T3.pAltSubjectName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
1494 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
1495 }
1496 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ISSUER_ALT_NAME_OID) == 0)
1497 {
1498 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_ISSUER_ALT_NAME);
1499 pThis->T3.pAltIssuerName = (PCRTCRX509GENERALNAMES)pExtValue->pEncapsulated;
1500 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES);
1501 }
1502 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_CERTIFICATE_POLICIES_OID) == 0)
1503 {
1504 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_CERTIFICATE_POLICIES);
1505 pThis->T3.pCertificatePolicies = (PCRTCRX509CERTIFICATEPOLICIES)pExtValue->pEncapsulated;
1506 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_CERTIFICATE_POLICIES);
1507 }
1508 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_MAPPINGS_OID) == 0)
1509 {
1510 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_MAPPINGS);
1511 pThis->T3.pPolicyMappings = (PCRTCRX509POLICYMAPPINGS)pExtValue->pEncapsulated;
1512 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_POLICY_MAPPINGS);
1513 }
1514 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_BASIC_CONSTRAINTS_OID) == 0)
1515 {
1516 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_BASIC_CONSTRAINTS);
1517 pThis->T3.pBasicConstraints = (PCRTCRX509BASICCONSTRAINTS)pExtValue->pEncapsulated;
1518 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_BASIC_CONSTRAINTS);
1519 }
1520 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_NAME_CONSTRAINTS_OID) == 0)
1521 {
1522 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_NAME_CONSTRAINTS);
1523 pThis->T3.pNameConstraints = (PCRTCRX509NAMECONSTRAINTS)pExtValue->pEncapsulated;
1524 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_NAME_CONSTRAINTS);
1525 }
1526 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_POLICY_CONSTRAINTS_OID) == 0)
1527 {
1528 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_POLICY_CONSTRAINTS);
1529 pThis->T3.pPolicyConstraints = (PCRTCRX509POLICYCONSTRAINTS)pExtValue->pEncapsulated;
1530 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_POLICY_CONSTRAINTS);
1531 }
1532 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_INHIBIT_ANY_POLICY_OID) == 0)
1533 {
1534 CHECK_SET_PRESENT_RET_ON_DUP(pThis, pErrInfo, RTCRX509TBSCERTIFICATE_F_PRESENT_INHIBIT_ANY_POLICY);
1535 pThis->T3.pInhibitAnyPolicy = (PCRTASN1INTEGER)pExtValue->pEncapsulated;
1536 Assert(pThis->T3.Extensions.papItems[i]->enmValue == RTCRX509EXTENSIONVALUE_INTEGER);
1537 }
1538 else if (RTAsn1ObjId_CompareWithString(pExtnId, RTCRX509_ID_CE_ACCEPTABLE_CERT_POLICIES_OID) == 0)
1539 pThis->T3.fFlags |= RTCRX509TBSCERTIFICATE_F_PRESENT_ACCEPTABLE_CERT_POLICIES;
1540 else
1541 pThis->T3.fFlags |= RTCRX509TBSCERTIFICATE_F_PRESENT_OTHER;
1542 }
1543
1544 if (!pThis->T3.fFlags)
1545 pThis->T3.fFlags |= RTCRX509TBSCERTIFICATE_F_PRESENT_NONE;
1546
1547#undef CHECK_SET_PRESENT_RET_ON_DUP
1548 return VINF_SUCCESS;
1549}
1550
1551
1552
1553/*
1554 * One X.509 Certificate.
1555 */
1556
1557RTDECL(bool) RTCrX509Certificate_MatchIssuerAndSerialNumber(PCRTCRX509CERTIFICATE pCertificate,
1558 PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
1559{
1560 if ( RTAsn1Integer_UnsignedCompare(&pCertificate->TbsCertificate.SerialNumber, pSerialNumber) == 0
1561 && RTCrX509Name_Compare(&pCertificate->TbsCertificate.Issuer, pIssuer) == 0)
1562 return true;
1563 return false;
1564}
1565
1566
1567RTDECL(bool) RTCrX509Certificate_MatchSubjectOrAltSubjectByRfc5280(PCRTCRX509CERTIFICATE pThis, PCRTCRX509NAME pName)
1568{
1569 if (RTCrX509Name_MatchByRfc5280(&pThis->TbsCertificate.Subject, pName))
1570 return true;
1571
1572 if (RTCrX509Extensions_IsPresent(&pThis->TbsCertificate.T3.Extensions))
1573 for (uint32_t i = 0; i < pThis->TbsCertificate.T3.Extensions.cItems; i++)
1574 {
1575 PCRTCRX509EXTENSION pExt = pThis->TbsCertificate.T3.Extensions.papItems[i];
1576 if ( pExt->enmValue == RTCRX509EXTENSIONVALUE_GENERAL_NAMES
1577 && RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCRX509_ID_CE_SUBJECT_ALT_NAME_OID))
1578 {
1579 PCRTCRX509GENERALNAMES pGeneralNames = (PCRTCRX509GENERALNAMES)pExt->ExtnValue.pEncapsulated;
1580 for (uint32_t j = 0; j < pGeneralNames->cItems; j++)
1581 if ( RTCRX509GENERALNAME_IS_DIRECTORY_NAME(pGeneralNames->papItems[j])
1582 && RTCrX509Name_MatchByRfc5280(&pGeneralNames->papItems[j]->u.pT4->DirectoryName, pName))
1583 return true;
1584 }
1585 }
1586 return false;
1587}
1588
1589
1590RTDECL(bool) RTCrX509Certificate_IsSelfSigned(PCRTCRX509CERTIFICATE pCertificate)
1591{
1592 if (RTCrX509Certificate_IsPresent(pCertificate))
1593 {
1594 return RTCrX509Name_MatchByRfc5280(&pCertificate->TbsCertificate.Subject,
1595 &pCertificate->TbsCertificate.Issuer);
1596 }
1597 return false;
1598}
1599
1600
1601/*
1602 * Set of X.509 Certificates.
1603 */
1604
1605RTDECL(PCRTCRX509CERTIFICATE)
1606RTCrX509Certificates_FindByIssuerAndSerialNumber(PCRTCRX509CERTIFICATES pCertificates,
1607 PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNumber)
1608{
1609 for (uint32_t i = 0; i < pCertificates->cItems; i++)
1610 if (RTCrX509Certificate_MatchIssuerAndSerialNumber(pCertificates->papItems[i], pIssuer, pSerialNumber))
1611 return pCertificates->papItems[i];
1612 return NULL;
1613}
1614
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette