Changeset 100491 in vbox

Timestamp:

Jul 10, 2023 10:05:12 PM (17 months ago)

Author:

vboxsync

Message:

Forward ported r158259 from 6.1: Support ECDSA for pre-3.0.0 OpenSSL versions. bugref:10479 ticketref:21621

Location:

trunk

Files:

: 4 edited

. (modified) (1 prop)
src/VBox (modified) (1 prop)
src/VBox/Runtime/common/crypto/key-openssl.cpp (modified) (7 diffs)
src/VBox/Runtime/common/crypto/pkix-signature-ossl.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk

Property svn:mergeinfo

old	new
10	10	/branches/VBox-5.2:119536,120083,120099,120213,120221,120239,123597-123598,123600-123601,123755,124260,124263,124271,124273,124277-124279,124284-124286,124288-124290,125768,125779-125780,125812
11	11	/branches/VBox-6.0:130474-130475,130477,130479,131352
12		/branches/VBox-6.1:139660,139797,141521,141567-141568,141588-141590,141592-141595,141652,141920,142071,158257-158258
	12	/branches/VBox-6.1:139660,139797,141521,141567-141568,141588-141590,141592-141595,141652,141920,142071,158257-158259
13	13	/branches/VBox-7.0:156229,156768
14	14	/branches/aeichner/vbox-chromium-cleanup:129816,129818-129851,129853-129861,129871-129872,129876,129880,129882,130013-130015,130036,130094-130095

trunk/src/VBox

Property svn:mergeinfo

old	new
10	10	/branches/VBox-5.2/src/VBox:119536,120083,120099,120213,120221,120239,123597-123598,123600-123601,123755,124263,124273,124277-124279,124284-124286,124288-124290,125768,125779-125780,125812,127158-127159,127162-127167,127180
11	11	/branches/VBox-6.0/src/VBox:130474-130475,130477,130479,131352
12		/branches/VBox-6.1/src/VBox:141521,141567-141568,141588-141590,141592-141595,141652,141920,158257-158258
	12	/branches/VBox-6.1/src/VBox:141521,141567-141568,141588-141590,141592-141595,141652,141920,158257-158259
13	13	/branches/VBox-7.0/src/VBox:156229,156768
14	14	/branches/aeichner/vbox-chromium-cleanup/src/VBox:129818-129851,129853-129861,129871-129872,129876,129880,129882,130013-130015,130094-130095

trunk/src/VBox/Runtime/common/crypto/key-openssl.cpp

-              r100447
+              r100491
 #include <iprt/string.h>
 #include <iprt/crypto/digest.h>
 #ifdef IPRT_WITH_OPENSSL
 …
 #  error "Missing OPENSSL_VERSION_NUMBER!"
 # endif
+# if OPENSSL_VERSION_NUMBER < 0x30000000 || defined(LIBRESSL_VERSION_NUMBER)
+#  include "openssl/x509.h"
+#  include <iprt/crypto/x509.h>
+# endif
 # include "key-internal.h"
 …
 /**
  * Helper that loads key parameters if present.
  */
 static int rtCrKeyToOpenSslKeyLoadParams(RTCRKEY hKey, int idKeyType, EVP_PKEY **ppEvpNewKey, PRTERRINFO pErrInfo)
+ * Helper that loads key parameters and the actual key bits if present.
+ */
+static int rtCrKeyToOpenSslKeyLoad(RTCRKEY hKey, int idKeyType, EVP_PKEY **ppEvpNewKey, bool fNeedPublic, PRTERRINFO pErrInfo)
+{
     int rc = VINF_SUCCESS;
 …
+        }
 #else
+        /** @todo d2i_KeyParams was introduced with 3.0.0, so ECDSA stuff won't work
+         *        with older openssl versions atm.  Fortunately we only really needs
+         *        it on Windows atm., so no problem. */
+        /*
+         * Cannot find any real suitable alternative to d2i_KeyParams in pre-3.0.x
+         * OpenSSL, so decided to use d2i_PUBKEY instead.  This means we need to
+         * encode the stuff a X.509 SubjectPublicKeyInfo ASN.1 sequence first.
+         */
+        if (hKey->enmType == RTCRKEYTYPE_ECDSA_PUBLIC)
+        {
+            RTCRX509SUBJECTPUBLICKEYINFO PubKeyInfo;
+            rc = RTCrX509SubjectPublicKeyInfo_Init(&PubKeyInfo, &g_RTAsn1DefaultAllocator);
+            AssertRCReturn(rc, rc);
+            rc = RTAsn1ObjId_SetFromString(&PubKeyInfo.Algorithm.Algorithm, RTCRX509ALGORITHMIDENTIFIERID_ECDSA,
+                                           &g_RTAsn1DefaultAllocator);
+            if (RT_SUCCESS(rc))
+                rc = RTAsn1DynType_SetToObjId(&PubKeyInfo.Algorithm.Parameters, &hKey->u.EcdsaPublic.NamedCurve,
+                                              &g_RTAsn1DefaultAllocator);
+            if (RT_SUCCESS(rc))
+            {
+                RTAsn1BitString_Delete(&PubKeyInfo.SubjectPublicKey);
+                rc = RTAsn1BitString_InitWithData(&PubKeyInfo.SubjectPublicKey, hKey->pbEncoded, hKey->cbEncoded * 8,
+                                                  &g_RTAsn1DefaultAllocator);
+                if (RT_SUCCESS(rc))
+                {
+                    /* Encode the whole shebang. */
+                    void          *pvFree = NULL;
+                    const uint8_t *pbRaw  = NULL;
+                    uint32_t       cbRaw  = 0;
+                    rc = RTAsn1EncodeQueryRawBits(&PubKeyInfo.SeqCore.Asn1Core, &pbRaw, &cbRaw, &pvFree, pErrInfo);
+                    if (RT_SUCCESS(rc))
+                    {
+                        const unsigned char *puchPubKey = pbRaw;
+                        EVP_PKEY *pRet = d2i_PUBKEY(ppEvpNewKey, &puchPubKey, cbRaw);
+                        if (pRet != NULL && pRet == *ppEvpNewKey)
+                            rc = VINF_SUCCESS;
+                        else
+                            rc = RTERRINFO_LOG_SET(pErrInfo, VERR_CR_PKIX_OSSL_D2I_KEY_PARAMS_FAILED, "d2i_KeyParams failed");
+                        RTMemTmpFree(pvFree);
+                    }
+                }
+            }
+            AssertRC(rc);
+            RTCrX509SubjectPublicKeyInfo_Delete(&PubKeyInfo);
+            return rc;
+        }
         rc = RTERRINFO_LOG_SET_F(pErrInfo, VERR_CR_OPENSSL_VERSION_TOO_OLD,
                                  "OpenSSL version %#x is too old for IPRTs ECDSA code", OPENSSL_VERSION_NUMBER);
 …
 #endif
+    }
+    if (RT_SUCCESS(rc))
+    {
+        /*
+         * Load the key into the structure.
+         */
+        const unsigned char *puchPublicKey = hKey->pbEncoded;
+        EVP_PKEY *pRet;
+        if (fNeedPublic)
+            pRet = d2i_PublicKey(idKeyType, ppEvpNewKey, &puchPublicKey, hKey->cbEncoded);
+        else
+            pRet = d2i_PrivateKey(idKeyType, ppEvpNewKey, &puchPublicKey, hKey->cbEncoded);
+        if (pRet != NULL && pRet == *ppEvpNewKey)
+            return VINF_SUCCESS;
+        /* Bail out: */
+        if (fNeedPublic)
+            rc = RTERRINFO_LOG_SET(pErrInfo, VERR_CR_PKIX_OSSL_D2I_PUBLIC_KEY_FAILED, "d2i_PublicKey failed");
+        else
+            rc = RTERRINFO_LOG_SET(pErrInfo, VERR_CR_PKIX_OSSL_D2I_PRIVATE_KEY_FAILED, "d2i_PrivateKey failed");
+    }
     return rc;
+}
-/**
- * Helper that loads key bits.
- */
-static int rtCrKeyToOpenSslKeyLoadKeyBits(RTCRKEY hKey, int idKeyType, EVP_PKEY **ppEvpNewKey,
-                                          bool fNeedPublic, PRTERRINFO pErrInfo)
+{
-    /*
-     * Load the key into the structure.
-     */
-    const unsigned char *puchPublicKey = hKey->pbEncoded;
-    EVP_PKEY *pRet;
-    if (fNeedPublic)
-        pRet = d2i_PublicKey(idKeyType, ppEvpNewKey, &puchPublicKey, hKey->cbEncoded);
-    else
-        pRet = d2i_PrivateKey(idKeyType, ppEvpNewKey, &puchPublicKey, hKey->cbEncoded);
-    if (pRet != NULL && pRet == *ppEvpNewKey)
-        return VINF_SUCCESS;
-    /* Bail out: */
-    if (fNeedPublic)
-        return RTERRINFO_LOG_SET(pErrInfo, VERR_CR_PKIX_OSSL_D2I_PUBLIC_KEY_FAILED, "d2i_PublicKey failed");
-    return RTERRINFO_LOG_SET(pErrInfo, VERR_CR_PKIX_OSSL_D2I_PRIVATE_KEY_FAILED, "d2i_PrivateKey failed");
+}
 …
      * Load key parameters and the key into the EVP structure.
      */
     int rc = rtCrKeyToOpenSslKeyLoadParams(hKey, idKeyType, &pEvpNewKey, pErrInfo);
+    int rc = rtCrKeyToOpenSslKeyLoad(hKey, idKeyType, &pEvpNewKey, fNeedPublic, pErrInfo);
     if (RT_SUCCESS(rc))
+    {
+        rc = rtCrKeyToOpenSslKeyLoadKeyBits(hKey, idKeyType, &pEvpNewKey, fNeedPublic, pErrInfo);
+        if (RT_SUCCESS(rc))
+        {
+            *ppEvpKey = pEvpNewKey;
+            return rc;
+        }
+        *ppEvpKey = pEvpNewKey;
+        return rc;
+    }
     EVP_PKEY_free(pEvpNewKey);
 …
              * Load key parameters and the key into the EVP structure.
              */
             rc = rtCrKeyToOpenSslKeyLoadParams(hKey, idKeyType, &pEvpNewKey, pErrInfo);
+            rc = rtCrKeyToOpenSslKeyLoad(hKey, idKeyType, &pEvpNewKey, fNeedPublic, pErrInfo);
             if (RT_SUCCESS(rc))
+            {
+                rc = rtCrKeyToOpenSslKeyLoadKeyBits(hKey, idKeyType, &pEvpNewKey, fNeedPublic, pErrInfo);
+                if (RT_SUCCESS(rc))
+                {
+                    *ppEvpKey = pEvpNewKey;
+                    return rc;
+                }
+                *ppEvpKey = pEvpNewKey;
+                return rc;
+            }
+        }

trunk/src/VBox/Runtime/common/crypto/pkix-signature-ossl.cpp

-              r100447
+              r100491
     RT_NOREF_PV(pThis);
 #if OPENSSL_VERSION_NUMBER >= 0x30000000 && !defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER >= 0x10000000
     PRTERRINFO const pErrInfo = NULL;
 …
     if (RT_SUCCESS(rc))
+    {
+# if OPENSSL_VERSION_NUMBER >= 0x30000000 && !defined(LIBRESSL_VERSION_NUMBER)
         EVP_PKEY_CTX * const pEvpPublickKeyCtx = EVP_PKEY_CTX_new_from_pkey(NULL, pEvpPublicKey, NULL);
+# else
+        EVP_PKEY_CTX * const pEvpPublickKeyCtx = EVP_PKEY_CTX_new(pEvpPublicKey, NULL);
+# endif
         if (pEvpPublickKeyCtx)
+        {

Note: See TracChangeset for help on using the changeset viewer.

Changeset 100491 in vbox

Legend:

trunk

trunk/src/VBox

trunk/src/VBox/Runtime/common/crypto/key-openssl.cpp

trunk/src/VBox/Runtime/common/crypto/pkix-signature-ossl.cpp

Download in other formats: