VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/x509-sanity.cpp@ 72168

Last change on this file since 72168 was 69111, checked in by vboxsync, 7 years ago

(C) year

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 7.2 KB
Line 
1/* $Id: x509-sanity.cpp 69111 2017-10-17 14:26:02Z vboxsync $ */
2/** @file
3 * IPRT - Crypto - X.509, Sanity Checkers.
4 */
5
6/*
7 * Copyright (C) 2006-2017 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#include "internal/iprt.h"
32#include <iprt/crypto/x509.h>
33
34#include <iprt/err.h>
35#include <iprt/string.h>
36
37#include "x509-internal.h"
38
39
40
41static int rtCrX509Validity_CheckSanityExtra(PCRTCRX509VALIDITY pThis, uint32_t fFlags, PRTERRINFO pErrInfo, const char *pszErrorTag)
42{
43 RT_NOREF_PV(fFlags);
44
45 if (RTAsn1Time_Compare(&pThis->NotBefore, &pThis->NotAfter) > 0)
46 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_VALIDITY_SWAPPED, "%s: NotBefore is after NotAfter", pszErrorTag);
47 /** @todo check tag constraints? */
48 return VINF_SUCCESS;
49}
50
51
52static int rtCrX509Name_CheckSanityExtra(PCRTCRX509NAME pThis, uint32_t fFlags, PRTERRINFO pErrInfo, const char *pszErrorTag)
53{
54 RT_NOREF_PV(fFlags);
55
56 if (pThis->cItems == 0)
57 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_NAME_EMPTY_SET, "%s: Has no components.", pszErrorTag);
58
59 for (uint32_t i = 0; i < pThis->cItems; i++)
60 {
61 PCRTCRX509RELATIVEDISTINGUISHEDNAME const pRdn = pThis->papItems[i];
62 if (pRdn->cItems == 0)
63 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_NAME_EMPTY_SUB_SET,
64 "%s: Items[%u] has no sub components.", pszErrorTag, i);
65
66 for (uint32_t j = 0; j < pRdn->cItems; j++)
67 {
68 PCRTCRX509ATTRIBUTETYPEANDVALUE const pAttr = pRdn->papItems[j];
69
70 if (pAttr->Value.enmType != RTASN1TYPE_STRING)
71 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_NAME_NOT_STRING,
72 "%s: Items[%u].paItems[%u].enmType is %d instead of string (%d).",
73 pszErrorTag, i, j, pAttr->Value.enmType, RTASN1TYPE_STRING);
74 if (pAttr->Value.u.String.Asn1Core.cb == 0)
75 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_NAME_EMPTY_STRING,
76 "%s: Items[%u].paItems[%u] is an empty string", pszErrorTag, i, j);
77 switch (pAttr->Value.u.String.Asn1Core.uTag)
78 {
79 case ASN1_TAG_PRINTABLE_STRING:
80 case ASN1_TAG_UTF8_STRING:
81 break;
82 case ASN1_TAG_T61_STRING:
83 case ASN1_TAG_UNIVERSAL_STRING:
84 case ASN1_TAG_BMP_STRING:
85 break;
86 case ASN1_TAG_IA5_STRING: /* Used by "Microsoft Root Certificate Authority" in the "com" part of the Issuer. */
87 break;
88 default:
89 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_INVALID_NAME_STRING_TAG,
90 "%s: Items[%u].paItems[%u] invalid string type: %u", pszErrorTag, i, j,
91 pAttr->Value.u.String.Asn1Core.uTag);
92 }
93 }
94 }
95
96 return VINF_SUCCESS;
97}
98
99
100static int rtCrX509SubjectPublicKeyInfo_CheckSanityExtra(PCRTCRX509SUBJECTPUBLICKEYINFO pThis, uint32_t fFlags,
101 PRTERRINFO pErrInfo, const char *pszErrorTag)
102{
103 RT_NOREF_PV(fFlags);
104 if (pThis->SubjectPublicKey.cBits <= 32)
105 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_PUBLIC_KEY_TOO_SMALL,
106 "%s: SubjectPublicKey is too small, only %u bits", pszErrorTag, pThis->SubjectPublicKey.cBits);
107 return VINF_SUCCESS;
108}
109
110
111static int rtCrX509TbsCertificate_CheckSanityExtra(PCRTCRX509TBSCERTIFICATE pThis, uint32_t fFlags,
112 PRTERRINFO pErrInfo, const char *pszErrorTag)
113{
114 RT_NOREF_PV(fFlags);
115
116 if ( RTAsn1Integer_IsPresent(&pThis->T0.Version)
117 && RTAsn1Integer_UnsignedCompareWithU32(&pThis->T0.Version, RTCRX509TBSCERTIFICATE_V1) != 0
118 && RTAsn1Integer_UnsignedCompareWithU32(&pThis->T0.Version, RTCRX509TBSCERTIFICATE_V2) != 0
119 && RTAsn1Integer_UnsignedCompareWithU32(&pThis->T0.Version, RTCRX509TBSCERTIFICATE_V3) != 0)
120 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_TBSCERT_UNSUPPORTED_VERSION,
121 "%s: Unknown Version number: %llu",
122 pszErrorTag, pThis->T0.Version.uValue.u);
123
124 if ( pThis->SerialNumber.Asn1Core.cb < 1
125 || pThis->SerialNumber.Asn1Core.cb > 1024)
126 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_TBSCERT_SERIAL_NUMBER_OUT_OF_BOUNDS,
127 "%s: Bad SerialNumber length: %u", pszErrorTag, pThis->SerialNumber.Asn1Core.cb);
128
129 if ( ( RTAsn1BitString_IsPresent(&pThis->T1.IssuerUniqueId)
130 || RTAsn1BitString_IsPresent(&pThis->T2.SubjectUniqueId))
131 && RTAsn1Integer_UnsignedCompareWithU32(&pThis->T0.Version, RTCRX509TBSCERTIFICATE_V2) < 0)
132 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_TBSCERT_UNIQUE_IDS_REQ_V2,
133 "%s: IssuerUniqueId and SubjectUniqueId requires version 2", pszErrorTag);
134
135 if ( RTCrX509Extensions_IsPresent(&pThis->T3.Extensions)
136 && RTAsn1Integer_UnsignedCompareWithU32(&pThis->T0.Version, RTCRX509TBSCERTIFICATE_V3) < 0)
137 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_TBSCERT_EXTS_REQ_V3, "%s: Extensions requires version 3", pszErrorTag);
138
139 return VINF_SUCCESS;
140}
141
142
143static int rtCrX509Certificate_CheckSanityExtra(PCRTCRX509CERTIFICATE pThis, uint32_t fFlags,
144 PRTERRINFO pErrInfo, const char *pszErrorTag)
145{
146 RT_NOREF_PV(fFlags);
147
148 if (RTCrX509AlgorithmIdentifier_Compare(&pThis->SignatureAlgorithm, &pThis->TbsCertificate.Signature) != 0)
149 return RTErrInfoSetF(pErrInfo, VERR_CR_X509_CERT_TBS_SIGN_ALGO_MISMATCH,
150 "%s: SignatureAlgorithm (%s) does not match TbsCertificate.Signature (%s).", pszErrorTag,
151 pThis->SignatureAlgorithm.Algorithm.szObjId,
152 pThis->TbsCertificate.Signature.Algorithm.szObjId);
153 return VINF_SUCCESS;
154}
155
156
157/*
158 * Generate the code.
159 */
160#include <iprt/asn1-generator-sanity.h>
161
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette