Changeset 50832 in vbox

Timestamp:

Mar 21, 2014 6:08:32 AM (11 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

92911

Message:

pr6022. Support X509 certification during import OVF appliance.

Location:

trunk

Files:

• include/iprt/err.h (modified) (1 diff)
• include/iprt/mangling.h (modified) (2 diffs)
• src/VBox/Main/Makefile.kmk (modified) (1 diff)
• src/VBox/Main/include/ApplianceImpl.h (modified) (1 diff)
• src/VBox/Main/src-server/ApplianceImplImport.cpp (modified) (7 diffs)
• src/VBox/Runtime/Makefile.kmk (modified) (1 diff)

trunk/include/iprt/err.h

@@ -1879 +1879 @@
 /** @} */
 
+/** @name RTX509 status codes
+ * @{ */
+/** Error during reading a certificate in PEM format from BIO */
+#define VERR_READING_CERT_FROM_BIO                  (-22800)
+/** Error extract a public key from the certificate */
+#define VERR_EXTRACT_PUBKEY_FROM_CERT               (-22801)
+/** Error extract RSA from the public key */
+#define VERR_EXTRACT_RSA_FROM_PUBLIC_KEY            (-22802)
+/** Error the signature verification */
+#define VERR_RSA_VERIFICATION_FUILURE               (-22803)
+/** Error basic constraints were not found */
+#define VERR_NO_BASIC_CONSTARAINTS                  (-22804)
+/** Error getting extensions from the certificate */
+#define VERR_GETTING_EXTENSION_FROM_CERT            (-22805)
+/** Error getting a data from the extension */
+#define VERR_GETTING_DATA_FROM_EXTENSION            (-22806)
+/** Error print out an extension to BIO */
+#define VERR_PRINT_EXTENSION_TO_BIO                 (-22807)
+/** Error X509 certificate verification */
+#define VERR_X509_CERTIFICATE_VERIFICATION_FAILURE  (-22808)
+/** Error X509 certificate isn't self signed */
+#define VERR_NOT_SELFSIGNED_X509_CERTIFICATE        (-22809)
+/** @} */
 
 /* SED-END */

trunk/include/iprt/mangling.h

@@ -1199 +1199 @@
 # define RTReqRetain                                    RT_MANGLER(RTReqRetain)
 # define RTReqWait                                      RT_MANGLER(RTReqWait)
+# define RTRSAVerify                                    RT_MANGLER(RTRSAVerify)
 # define RTReqGetStatus                                 RT_MANGLER(RTReqGetStatus)
 # define RTS3BucketsDestroy                             RT_MANGLER(RTS3BucketsDestroy)
@@ -1882 +1883 @@
 # define RTVfsUtilDummyPollOne                          RT_MANGLER(RTVfsUtilDummyPollOne)
 # define RTVfsUtilPumpIoStreams                         RT_MANGLER(RTVfsUtilPumpIoStreams)
+# define RTX509PrepareOpenSSL                           RT_MANGLER(RTX509PrepareOpenSSL)
+# define RTX509CertificateVerify                        RT_MANGLER(RTX509CertificateVerify)
+# define RTX509GetErrorDescription                      RT_MANGLER(RTX509GetErrorDescription)
 # define RTZipBlockCompress                             RT_MANGLER(RTZipBlockCompress)
 # define RTZipBlockDecompress                           RT_MANGLER(RTZipBlockDecompress)

trunk/src/VBox/Main/Makefile.kmk

@@ -318 +318 @@
         $(PATH_STAGE_LIB)/SSMStandalone$(VBOX_SUFF_LIB) \
         $(LIB_DDU)
-VBoxSVC_SDKS = VBOX_LIBPNG VBOX_ZLIB
+
+VBoxSVC_SDKS = VBOX_LIBPNG VBOX_ZLIB VBOX_OPENSSL
 VBoxSVC_LIBS.solaris = \
         adm \

trunk/src/VBox/Main/include/ApplianceImpl.h

@@ -181 +181 @@
                                PSHASTORAGE pStorage);
     HRESULT i_verifyManifestFile(const Utf8Str &strFile, ImportStack &stack, void *pvBuf, size_t cbSize);
+
+    HRESULT i_verifyCertificateFile(void *pvBuf, size_t cbSize, PSHASTORAGE pStorage);
 
     void i_convertDiskAttachmentValues(const ovf::HardDiskController &hdc,

trunk/src/VBox/Main/src-server/ApplianceImplImport.cpp

@@ -47 +47 @@
 #include <VBox/settings.h>
 
+#include <iprt/x509.h>
 #include <set>
 
@@ -1517 +1518 @@
 
                 /* verify Certificate */
+                rc = i_verifyCertificateFile(pvCertBuf, cbCertFile, &storage);
+                if (FAILED(rc)) throw rc;
             }
         }
@@ -1588 +1591 @@
     void *pvCertBuf = NULL;
     Utf8Str OVFfilename;
+    void  *pSignatureRSA = NULL;
 
     writeLock.release();
@@ -1693 +1697 @@
                     if (pvCertBuf)
                     {
-                    /* verify the certificate */
+                        /* verify the certificate */
+                        rc = i_verifyCertificateFile(pvCertBuf, cbCertFile, pStorage);
+                        if (FAILED(rc)) throw rc;
                     }
                 }
@@ -1738 +1744 @@
                         if (pvCertBuf)
                         {
-                        /* verify the certificate */
+                            /* verify the certificate */
+                            rc = i_verifyCertificateFile(pvCertBuf, cbCertFile, pStorage);
+                            if (FAILED(rc)) throw rc;
                         }
                     }
@@ -2037 +2045 @@
 HRESULT Appliance::i_verifyManifestFile(const Utf8Str &strFile, ImportStack &stack, void *pvBuf, size_t cbSize)
 {
+    LogFlowFuncEnter();
+    LogFlowFunc(("Appliance %p\n", this));
     HRESULT rc = S_OK;
 
@@ -2064 +2074 @@
 
     RTMemFree(paTests);
-
+    LogFlowFuncLeave();
+
+    return rc;
+}
+
+HRESULT Appliance::i_verifyCertificateFile(void *pvBuf, size_t cbSize, PSHASTORAGE pStorage)
+{
+    LogFlowFuncEnter();
+    LogFlowFunc(("Appliance %p\n", this));
+    HRESULT rc = S_OK;
+
+    int vrc = 0;
+    RTDIGESTTYPE digestType;
+    void * pvCertBuf = pvBuf;
+    size_t cbCertSize = cbSize;
+    Utf8Str manifestDigest = pStorage->strDigest;
+
+    vrc = RTManifestVerifyDigestType(pvCertBuf, cbCertSize, &digestType);
+    if (RT_FAILURE(vrc))
+    {
+        rc = setError(VBOX_E_FILE_ERROR, tr("Digest type of certificate is unknown"));
+    }
+    else
+    {
+        RTX509PrepareOpenSSL();
+
+        vrc = RTRSAVerify(pvCertBuf, (unsigned int)cbCertSize, manifestDigest.c_str(), digestType);
+        if (RT_SUCCESS(vrc))
+        {
+            vrc = RTX509CertificateVerify(pvCertBuf, (unsigned int)cbCertSize);
+        }
+
+        /* After first unsuccessful operation */
+        if (RT_FAILURE(vrc))
+        {
+            {
+                /* first stage for getting possible error code and it's description using native openssl method */
+                char* errStrDesc = NULL;
+                unsigned long errValue = RTX509GetErrorDescription(&errStrDesc);
+
+                if(errValue != 0)
+                {
+                    rc = setError(VBOX_E_FILE_ERROR, tr(errStrDesc));
+                    LogFlowFunc(("Error during verifying X509 certificate(internal openssl description): %s\n", errStrDesc));
+                }
+
+                RTMemFree(errStrDesc);
+            }
+
+            {
+                /* second stage for getting possible error code using our defined errors codes. The original error description
+                   will be replaced by our description */
+
+                Utf8Str errStrDesc;
+                switch(vrc)
+                {
+                    case VERR_READING_CERT_FROM_BIO:
+                        errStrDesc = "Error during reading a certificate in PEM format from BIO ";
+                        break;
+                    case VERR_EXTRACT_PUBKEY_FROM_CERT:
+                        errStrDesc = "Error during extraction a public key from the certificate ";
+                        break;
+                    case VERR_EXTRACT_RSA_FROM_PUBLIC_KEY:
+                        errStrDesc = "Error during extraction RSA from the public key ";
+                        break;
+                    case VERR_RSA_VERIFICATION_FUILURE:
+                        errStrDesc = "RSA verification failure ";
+                        break;
+                    case VERR_NO_BASIC_CONSTARAINTS:
+                        errStrDesc = "Basic constraints were not found ";
+                        break;
+                    case VERR_GETTING_EXTENSION_FROM_CERT:
+                        errStrDesc = "Error during getting extensions from the certificate ";
+                        break;
+                    case VERR_GETTING_DATA_FROM_EXTENSION:
+                        errStrDesc = "Error during extraction data from the extension ";
+                        break;
+                    case VERR_PRINT_EXTENSION_TO_BIO:
+                        errStrDesc = "Error during print out an extension to BIO ";
+                        break;
+                    case VERR_X509_CERTIFICATE_VERIFICATION_FAILURE:
+                        errStrDesc = "X509 certificate verification failure ";
+                        break;
+                    case VERR_NOT_SELFSIGNED_X509_CERTIFICATE:
+                        errStrDesc = "Only self signed X509 certificates are supported at moment";
+                        break;
+                    default:
+                        errStrDesc = "Unknown error during X509 certificate verification";
+                }
+                rc = setError(VBOX_E_FILE_ERROR, tr(errStrDesc.c_str()));
+            }
+        }
+    }
+
+    LogFlowFuncLeave();
     return rc;
 }

trunk/src/VBox/Runtime/Makefile.kmk

@@ -282 +282 @@
         common/checksum/sha512.cpp \
         common/checksum/sha512str.cpp \
+        common/checksum/x509.cpp \
         common/dbg/dbg.cpp \
         common/dbg/dbgas.cpp \