- Timestamp:
- Aug 26, 2014 1:04:43 PM (11 years ago)
- svn:sync-xref-src-repo-rev:
- 95730
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/src/VBox/HostDrivers/Support/win/SUPHardenedVerifyImage-win.cpp
r52487 r52500 1684 1684 static bool supR3HardenedWinIsDesiredRootCA(PCRTCRX509CERTIFICATE pCert) 1685 1685 { 1686 char szSubject[512]; 1687 szSubject[sizeof(szSubject) - 1] = '\0'; 1688 RTCrX509Name_FormatAsString(&pCert->TbsCertificate.Subject, szSubject, sizeof(szSubject) - 1, NULL); 1689 1686 1690 /* 1687 1691 * Check that it's a plausible root certificate. 1688 1692 */ 1689 1693 if (!RTCrX509Certificate_IsSelfSigned(pCert)) 1694 { 1695 SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: skipping - not-self-signed: %s\n", szSubject)); 1690 1696 return false; 1697 } 1698 1691 1699 if (RTAsn1Integer_UnsignedCompareWithU32(&pCert->TbsCertificate.T0.Version, 3) > 0) 1692 1700 { 1693 1701 if ( !(pCert->TbsCertificate.T3.fExtKeyUsage & RTCRX509CERT_KEY_USAGE_F_KEY_CERT_SIGN) 1694 1702 && (pCert->TbsCertificate.T3.fFlags & RTCRX509TBSCERTIFICATE_F_PRESENT_KEY_USAGE) ) 1703 { 1704 SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: skipping - non-cert-sign: %s\n", szSubject)); 1695 1705 return false; 1706 } 1696 1707 if ( pCert->TbsCertificate.T3.pBasicConstraints 1697 1708 && !pCert->TbsCertificate.T3.pBasicConstraints->CA.fValue) 1709 { 1710 SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: skipping - non-CA: %s\n", szSubject)); 1698 1711 return false; 1712 } 1699 1713 } 1700 1714 if (pCert->TbsCertificate.SubjectPublicKeyInfo.SubjectPublicKey.cBits < 256) /* mostly for u64KeyId reading. */ 1715 { 1716 SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: skipping - key too small: %u bits %s\n", 1717 pCert->TbsCertificate.SubjectPublicKeyInfo.SubjectPublicKey.cBits, szSubject)); 1701 1718 return false; 1702 1703 /* 1704 * Array of names and key clues of the certificates we want. 1719 } 1720 uint64_t const u64KeyId = pCert->TbsCertificate.SubjectPublicKeyInfo.SubjectPublicKey.uBits.pu64[1]; 1721 1722 # if 0 1723 /* 1724 * Whitelist - Array of names and key clues of the certificates we want. 1705 1725 */ 1706 1726 static struct … … 1755 1775 1756 1776 1757 uint64_t const u64KeyId = pCert->TbsCertificate.SubjectPublicKeyInfo.SubjectPublicKey.uBits.pu64[1];1758 1777 uint32_t i = RT_ELEMENTS(s_aWanted); 1759 1778 while (i-- > 0) … … 1761 1780 || s_aWanted[i].u64KeyId == UINT64_MAX) 1762 1781 if (RTCrX509Name_MatchWithString(&pCert->TbsCertificate.Subject, s_aWanted[i].pszName)) 1782 { 1783 SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: Adding %#llx %s\n", u64KeyId, szSubject)); 1763 1784 return true; 1764 1765 #ifdef DEBUG_bird 1766 char szTmp[512]; 1767 szTmp[sizeof(szTmp) - 1] = '\0'; 1768 RTCrX509Name_FormatAsString(&pCert->TbsCertificate.Issuer, szTmp, sizeof(szTmp) - 1, NULL); 1769 SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: %#llx %s\n", u64KeyId, szTmp)); 1770 #endif 1785 } 1786 1787 SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: skipping %#llx %s\n", u64KeyId, szSubject)); 1771 1788 return false; 1789 # else 1790 /* 1791 * Blacklist approach. 1792 */ 1793 static struct 1794 { 1795 uint64_t u64KeyId; 1796 const char *pszName; 1797 } const s_aUnwanted[] = 1798 { 1799 { UINT64_C(0xffffffffffffffff), "C=US, O=U.S. Robots and Mechanical Men, Inc., OU=V.I.K.I." }, /* dummy entry */ 1800 }; 1801 1802 uint32_t i = RT_ELEMENTS(s_aUnwanted); 1803 while (i-- > 0) 1804 if ( s_aUnwanted[i].u64KeyId == u64KeyId 1805 || s_aUnwanted[i].u64KeyId == UINT64_MAX) 1806 if (RTCrX509Name_MatchWithString(&pCert->TbsCertificate.Subject, s_aUnwanted[i].pszName)) 1807 { 1808 SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: skipping - blacklisted: %#llx %s\n", u64KeyId, szSubject)); 1809 return false; 1810 } 1811 1812 SUP_DPRINTF(("supR3HardenedWinIsDesiredRootCA: Adding %#llx %s\n", u64KeyId, szSubject)); 1813 return true; 1814 # endif 1772 1815 } 1773 1816
Note:
See TracChangeset
for help on using the changeset viewer.
