Changeset 52600 in vbox for trunk/include/iprt/crypto

Timestamp:

Sep 4, 2014 10:59:00 PM (10 years ago)

Author:

vboxsync

Message:

IPRT: Added support for microsoft timestamp counter signatures. This required making the PKCS #7 code accept some of the CMS (RFC-5652) stuff.

Location:

trunk/include/iprt/crypto

Files:

• pkcs7.h (modified) (11 diffs)
• x509.h (modified) (1 diff)

trunk/include/iprt/crypto/pkcs7.h

@@ -85 +85 @@
     /** Signing time (PKCS \#9), use pSigningTime. */
     RTCRPKCS7ATTRIBUTETYPE_SIGNING_TIME,
+    /** Microsoft timestamp info (RFC-3161) signed data, use pContentInfo. */
+    RTCRPKCS7ATTRIBUTETYPE_MS_TIMESTAMP,
     /** Blow the type up to 32-bits. */
     RTCRPKCS7ATTRIBUTETYPE_32BIT_HACK = 0x7fffffff
@@ -115 +117 @@
         /** Signing time(s) (RTCRPKCS7ATTRIBUTETYPE_SIGNING_TIME). */
         PRTASN1SETOFTIMES               pSigningTime;
+        /** Microsoft timestamp (RFC-3161 signed data). */
+        struct RTCRPKCS7SETOFCONTENTINFOS *pContentInfos;
     } uValues;
 } RTCRPKCS7ATTRIBUTE;
@@ -173 +177 @@
  * Value: SignerInfo. */
 #define RTCR_PKCS9_ID_COUNTER_SIGNATURE_OID "1.2.840.113549.1.9.6"
+/** Microsoft timestamp (RTF-3161) counter signature (SignedData).
+ * @remarks This isn't defined by PKCS \#9, but lumped in here for
+ *          convenience.  It's actually listed as SPC by MS. */
+#define RTCR_PKCS9_ID_MS_TIMESTAMP          "1.3.6.1.4.1.311.3.3.1"
 /** @} */
+
 
 /**
@@ -193 +202 @@
  */
 RTDECL(PCRTASN1TIME) RTCrPkcs7SignerInfo_GetSigningTime(PCRTCRPKCS7SIGNERINFO pThis, PCRTCRPKCS7SIGNERINFO *ppSignerInfo);
+
+
+/**
+ * Get the (first) timestamp from within a Microsoft timestamp server counter
+ * signature.
+ *
+ * @returns Pointer to the signing time if found, NULL if not.
+ * @param   pThis               The SignerInfo to search.
+ * @param   ppContentInfo       Where to return the pointer to the counter
+ *                              signature, optional.
+ */
+RTDECL(PCRTASN1TIME) RTCrPkcs7SignerInfo_GetMsTimestamp(PCRTCRPKCS7SIGNERINFO pThis,
+                                                        struct RTCRPKCS7CONTENTINFO const **ppContentInfo);
 
 
@@ -223 +245 @@
      */
     RTASN1OCTETSTRING                   Content;
+    /** Pointer to the CMS octet string that's inside the Content, NULL if PKCS \#7.
+     *
+     * Hack alert! When transitioning from PKCS \#7 to CMS, the designers decided to
+     * change things and add another wrapper.  This time we're talking about a real
+     * octet string, not like the one above which is really an explicit content tag.
+     * When constructing or decoding CMS content, this will be the same pointer as
+     * Content.pEncapsulated, while the union below will be holding the same pointer
+     * as pCmsContent->pEncapsulated.
+     */
+    PRTASN1OCTETSTRING                  pCmsContent;
     /** Same as Content.pEncapsulated, except a choice of known types. */
     union
@@ -230 +262 @@
         /** ContentType is RTCRSPCINDIRECTDATACONTENT_OID. */
         struct RTCRSPCINDIRECTDATACONTENT  *pIndirectDataContent;
+        /** ContentType is RTCRTSPTSTINFO_OID. */
+        struct RTCRTSPTSTINFO              *pTstInfo;
         /** Generic / Unknown / User. */
         PRTASN1CORE                         pCore;
@@ -238 +272 @@
 /** Pointer to the const IPRT representation of a PKCS \#7 ContentInfo. */
 typedef RTCRPKCS7CONTENTINFO const *PCRTCRPKCS7CONTENTINFO;
-
 RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7CONTENTINFO, RTDECL, RTCrPkcs7ContentInfo, SeqCore.Asn1Core);
+RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFCONTENTINFOS, RTCRPKCS7CONTENTINFO, RTDECL, RTCrPkcs7SetOfContentInfos);
 
 RTDECL(bool) RTCrPkcs7ContentInfo_IsSignedData(PCRTCRPKCS7CONTENTINFO pThis);
+
+
+/**
+ * PKCS \#7 Certificate choice.
+ */
+typedef enum RTCRPKCS7CERTCHOICE
+{
+    RTCRPKCS7CERTCHOICE_INVALID = 0,
+    RTCRPKCS7CERTCHOICE_X509,
+    RTCRPKCS7CERTCHOICE_EXTENDED_PKCS6,
+    RTCRPKCS7CERTCHOICE_AC_V1,
+    RTCRPKCS7CERTCHOICE_AC_V2,
+    RTCRPKCS7CERTCHOICE_OTHER,
+    RTCRPKCS7CERTCHOICE_END,
+    RTCRPKCS7CERTCHOICE_32BIT_HACK = 0x7fffffff
+} RTCRPKCS7CERTCHOICE;
+
+
+/**
+ * Common representation for PKCS \#7 ExtendedCertificateOrCertificate and the
+ * CMS CertificateChoices types.
+ */
+typedef struct RTCRPKCS7CERT
+{
+    /** Dummy ASN.1 record, not encoded. */
+    RTASN1DUMMY                         Dummy;
+    /** The value allocation. */
+    RTASN1ALLOCATION                    Allocation;
+    /** The choice of value.   */
+    RTCRPKCS7CERTCHOICE                 enmChoice;
+    /** The value union. */
+    union
+    {
+        /** Standard X.509 certificate (RTCRCMSCERTIFICATECHOICE_X509). */
+        PRTCRX509CERTIFICATE            pX509Cert;
+        /** Extended PKCS \#6 certificate (RTCRCMSCERTIFICATECHOICE_EXTENDED_PKCS6). */
+        PRTASN1CORE                     pExtendedCert;
+        /** Attribute certificate version 1 (RTCRCMSCERTIFICATECHOICE_AC_V1). */
+        PRTASN1CORE                     pAcV1;
+        /** Attribute certificate version 2 (RTCRCMSCERTIFICATECHOICE_AC_V2). */
+        PRTASN1CORE                     pAcV2;
+        /** Other certificate (RTCRCMSCERTIFICATECHOICE_OTHER). */
+        PRTASN1CORE                     pOtherCert;
+    } u;
+} RTCRPKCS7CERT;
+/** Pointer to the IPRT representation of PKCS \#7 or CMS certificate. */
+typedef RTCRPKCS7CERT *PRTCRPKCS7CERT;
+/** Pointer to the const IPRT representation of PKCS \#7 or CMS certificate. */
+typedef RTCRPKCS7CERT const *PCRTCRPKCS7CERT;
+RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7CERT, RTDECL, RTCrPkcs7Cert, Dummy.Asn1Core);
+RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFCERTS, RTCRPKCS7CERT, RTDECL, RTCrPkcs7SetOfCerts);
+
+RTDECL(PCRTCRX509CERTIFICATE) RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(PCRTCRPKCS7SETOFCERTS pCertificates,
+                                                                                  PCRTCRX509NAME pIssuer,
+                                                                                  PCRTASN1INTEGER pSerialNumber);
 
 
@@ -258 +347 @@
     RTCRPKCS7CONTENTINFO                ContentInfo;
     /** Certificates, optional, implicit tag 0. (Required by Authenticode.) */
-    RTCRX509CERTIFICATES                Certificates;
+    RTCRPKCS7SETOFCERTS                 Certificates;
     /** Certificate revocation lists, optional, implicit tag 1.
      * Not used by Authenticode, so currently stubbed. */
@@ -270 +359 @@
 typedef RTCRPKCS7SIGNEDDATA const *PCRTCRPKCS7SIGNEDDATA;
 RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7SIGNEDDATA, RTDECL, RTCrPkcs7SignedData, SeqCore.Asn1Core);
+RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFSIGNEDDATA, RTCRPKCS7SIGNEDDATA, RTDECL, RTCrPkcs7SetOfSignedData);
 
 /** PKCS \#7 SignedData object ID.  */
@@ -276 +366 @@
 /** PKCS \#7 SignedData version number 1.  */
 #define RTCRPKCS7SIGNEDDATA_V1    1
+/* No version 2 seems to exist. */
+/** CMS SignedData version number 3.
+ * This should only be used if there are version 1 attribute certificates
+ * present, or if there are version 3 SignerInfo items present, or if
+ * enmcCountInfo is not id-data (RFC-5652, section 5.1). */
+#define RTCRPKCS7SIGNEDDATA_V3    3
+/** CMS SignedData version number 4.
+ * This should only be used if there are version 2 attribute certificates
+ * present (RFC-5652, section 5.1). */
+#define RTCRPKCS7SIGNEDDATA_V4    4
+/** CMS SignedData version number 5.
+ * This should only be used if there are certificates or/and CRLs of the
+ * OTHER type present (RFC-5652, section 5.1). */
+#define RTCRPKCS7SIGNEDDATA_V5    5
 
 
@@ -384 +488 @@
  * signing time attributes and use the @a pValidationTime instead. */
 #define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT     RT_BIT_32(0)
+/** Same as RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT for the MS
+ *  timestamp counter sigantures. */
+#define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT     RT_BIT_32(1)
 /** Only use signging time attributes from counter signatures. */
-#define RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY    RT_BIT_32(1)
+#define RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY    RT_BIT_32(2)
 /** Don't validate the counter signature containing the signing time, just use
  * it unverified.  This is useful if we don't necessarily have the root
- * certificates for the timestamp server handy, but use with great care. */
-#define RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED            RT_BIT_32(2)
+ * certificates for the timestamp server handy, but use with great care.
+ * @sa RTCRPKCS7VERIFY_SD_F_USE_MS_TIMESTAMP_UNVERIFIED */
+#define RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED            RT_BIT_32(3)
+/** Don't validate the MS counter signature containing the signing timestamp.
+ * @sa RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED */
+#define RTCRPKCS7VERIFY_SD_F_USE_MS_TIMESTAMP_UNVERIFIED            RT_BIT_32(4)
+/** Do not consider timestamps in microsoft counter signatures. */
+#define RTCRPKCS7VERIFY_SD_F_IGNORE_MS_TIMESTAMP                    RT_BIT_32(5)
+/** The signed data requires certificates to have the timestamp extended
+ * usage bit present.  This is used for recursivly verifying MS timestamp
+ * signatures. */
+#define RTCRPKCS7VERIFY_SD_F_USAGE_TIMESTAMPING                     RT_BIT_32(6)
+
 /** Indicates internally that we're validating a counter signature and should
  * use different rules when checking out the authenticated attributes.

trunk/include/iprt/crypto/x509.h

@@ -1023 +1023 @@
 RTDECL(int) RTCrX509CertPathsSetUntrustedStore(RTCRX509CERTPATHS hCertPaths, RTCRSTORE hUntrustedStore);
 RTDECL(int) RTCrX509CertPathsSetUntrustedArray(RTCRX509CERTPATHS hCertPaths, PCRTCRX509CERTIFICATE paCerts, uint32_t cCerts);
+RTDECL(int) RTCrX509CertPathsSetUntrustedSet(RTCRX509CERTPATHS hCertPaths, struct RTCRPKCS7SETOFCERTS const *pSetOfCerts);
 RTDECL(int) RTCrX509CertPathsSetValidTime(RTCRX509CERTPATHS hCertPaths, PCRTTIME pTime);
 RTDECL(int) RTCrX509CertPathsSetValidTimeSpec(RTCRX509CERTPATHS hCertPaths, PCRTTIMESPEC pTimeSpec);