Changeset 100493 in vbox

Timestamp:

Jul 10, 2023 11:17:15 PM (17 months ago)

Author:

vboxsync

Message:

IPRT/PKCS8: Some corrections and adjustments (bugref:10299):

• Always put curly brackets around case bodies that declares variables.
• Removed copy & paste RTCRRSA_MAX_MODULUS_BITS define from pkcs8-internal.h.
• We don't need to compile the PKCS8 files for ring-0 libraries, since these does not include the key-file.cpp that needs them.
• Use RTCRX509ALGORITHMIDENTIFIERID_RSA instead of "1.2.840.113549.1.1.1".
• rTCrPkcs8PrivateKeyInfo should be RTCrPkcs8PrivateKeyInfo in pkcs8-templace.h.

Location:

trunk

Files:

• include/iprt/crypto/pkcs8.h (modified) (4 diffs)
• include/iprt/mangling.h (modified) (1 diff)
• src/VBox/Runtime/Makefile.kmk (modified) (2 diffs)
• src/VBox/Runtime/common/crypto/key-file.cpp (modified) (2 diffs)
• src/VBox/Runtime/common/crypto/pkcs8-internal.h (modified) (1 diff)
• src/VBox/Runtime/common/crypto/pkcs8-template.h (modified) (1 diff)

trunk/include/iprt/crypto/pkcs8.h

@@ -48 +48 @@
 
 /** @defgroup grp_rt_crpkcs8 RTCrPkcs8 - PKCS \#8, Private-Key Information Syntax Standard
+ *
+ * See RFC-5208 for details.
+ *
  * @ingroup grp_rt_crypto
  * @{
@@ -54 +57 @@
 /**
  * PKCS\#8 PrivateKeyInfo.
+ *
+ * See RFC-5208 section 5.
  */
-/** @todo bird: rename to RTCRPKCS8PRIVATEKEYINFO. Should eventually be moved
- *        into a new iprt/crypto/pkcs8.h header file. Ditto for the template
- *        and associated code instantiation/whatever. */
 typedef struct RTCRPKCS8PRIVATEKEYINFO
 {
@@ -66 +68 @@
     /** The private key algorithm. */
     RTCRX509ALGORITHMIDENTIFIER PrivateKeyAlgorithm;
-    /** The private key. */
+    /** The private key, according to PrivateKeyAlgorithm.
+     * For RSA there is RSAPrivateKey (in BER encoding) embedded in this string. */
     RTASN1OCTETSTRING           PrivateKey;
     /** Attributes, optional [0].
@@ -82 +85 @@
 /**
  * PKCS\#8 EncryptedPrivateKeyInfo.
+ *
+ * See RFC-5208 section 6.
  */
 typedef struct RTCRENCRYPTEDPRIVATEKEY

trunk/include/iprt/mangling.h

@@ -4321 +4321 @@
 # define g_aRTCrPkcs7Markers                            RT_MANGLER(g_aRTCrPkcs7Markers)
 # define g_cRTCrPkcs7Markers                            RT_MANGLER(g_cRTCrPkcs7Markers)
-# define g_rTCrPkcs8PrivateKeyInfo_Vtable               RT_MANGLER(g_rTCrPkcs8PrivateKeyInfo_Vtable)
+# define g_RTCrPkcs8PrivateKeyInfo_Vtable               RT_MANGLER(g_RTCrPkcs8PrivateKeyInfo_Vtable)
 # define g_aRTCrX509CertificateMarkers                  RT_MANGLER(g_aRTCrX509CertificateMarkers)
 # define g_cRTCrX509CertificateMarkers                  RT_MANGLER(g_cRTCrX509CertificateMarkers)

trunk/src/VBox/Runtime/Makefile.kmk

@@ -3719 +3719 @@
         common/crypto/pkcs7-sanity.cpp \
         common/crypto/pkcs7-verify.cpp \
-        common/crypto/pkcs8-asn1-decoder.cpp \
-        common/crypto/pkcs8-core.cpp \
-        common/crypto/pkcs8-init.cpp \
-        common/crypto/pkcs8-sanity.cpp \
         common/crypto/pkix-signature-builtin.cpp \
         common/crypto/pkix-signature-core.cpp \
@@ -3876 +3872 @@
         common/crypto/pkcs7-sanity.cpp \
         common/crypto/pkcs7-verify.cpp \
-        common/crypto/pkcs8-asn1-decoder.cpp \
-        common/crypto/pkcs8-core.cpp \
-        common/crypto/pkcs8-init.cpp \
-        common/crypto/pkcs8-sanity.cpp \
         common/crypto/pkix-signature-builtin.cpp \
         common/crypto/pkix-signature-core.cpp \

trunk/src/VBox/Runtime/common/crypto/key-file.cpp

@@ -471 +471 @@
 
         case kKeyFormat_PrivateKeyInfo:
+        {
             RTAsn1CursorInitPrimary(&PrimaryCursor, pSection->pbData, (uint32_t)pSection->cbData,
                                     pErrInfo, &g_RTAsn1DefaultAllocator, RTASN1CURSOR_FLAGS_DER, pszErrorTag);
@@ -479 +480 @@
             if (RT_SUCCESS(rc))
             {
-                /*
-                 * Check if the algorithm is pkcs1-RsaEncryption
+                /* 
+                 * Load the private key according to it's algorithm. 
+                 * We currently only support RSA (pkcs1-RsaEncryption).
                  */
-                if (strcmp(PrivateKeyInfo.PrivateKeyAlgorithm.Algorithm.szObjId,"1.2.840.113549.1.1.1") == 0)
-                {
-                    uint32_t cbContent = PrivateKeyInfo.PrivateKey.Asn1Core.cb;
-                    rc = rtCrKeyCreateRsaPrivate(phKey, PrivateKeyInfo.PrivateKey.Asn1Core.uData.pv, cbContent, pErrInfo, pszErrorTag);
-                }
+                if (RTAsn1ObjId_CompareWithString(&PrivateKeyInfo.PrivateKeyAlgorithm.Algorithm,
+                                                  RTCRX509ALGORITHMIDENTIFIERID_RSA) == 0)
+                    rc = rtCrKeyCreateRsaPrivate(phKey, PrivateKeyInfo.PrivateKey.Asn1Core.uData.pv,
+                                                 PrivateKeyInfo.PrivateKey.Asn1Core.cb, pErrInfo, pszErrorTag);
                 else
-                {
                     rc = RTErrInfoSet(pErrInfo, VERR_CR_KEY_FORMAT_NOT_SUPPORTED,
-                                    "Support for PKCS#8 PrivateKeyInfo (with no RSA encryption) is not yet implemented");
-                }
+                                      "Support for PKCS#8 PrivateKeyInfo for non-RSA keys is not yet implemented");
             }
             break;
+        }
 
         case kKeyFormat_EncryptedPrivateKeyInfo:

trunk/src/VBox/Runtime/common/crypto/pkcs8-internal.h

@@ -41 +41 @@
 #endif
 
-/** The max number of bits we support in the modulus. */
-#define RTCRRSA_MAX_MODULUS_BITS        16384
-
 #define RTASN1TMPL_TEMPLATE_FILE "../common/crypto/pkcs8-template.h"
 #include <iprt/asn1-generator-internal-header.h>

trunk/src/VBox/Runtime/common/crypto/pkcs8-template.h

@@ -42 +42 @@
 #define RTASN1TMPL_TYPE         RTCRPKCS8PRIVATEKEYINFO
 #define RTASN1TMPL_EXT_NAME     RTCrPkcs8PrivateKeyInfo
-#define RTASN1TMPL_INT_NAME     rTCrPkcs8PrivateKeyInfo
+#define RTASN1TMPL_INT_NAME     RTCrPkcs8PrivateKeyInfo
 RTASN1TMPL_BEGIN_SEQCORE();
 RTASN1TMPL_MEMBER(              Version,                RTASN1INTEGER,                  RTAsn1Integer);