Changeset 57572 in vbox

Timestamp:

Aug 28, 2015 1:31:29 AM (10 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

102396

Message:

IPRT: Started on accessing system certificate stores to get SSL roots for cURL.

Location:

trunk

Files:

• include/iprt/cdefs.h (modified) (1 diff)
• include/iprt/crypto/pem.h (modified) (2 diffs)
• include/iprt/crypto/store.h (modified) (3 diffs)
• include/iprt/crypto/x509.h (modified) (1 diff)
• include/iprt/mangling.h (modified) (9 diffs)
• include/iprt/path.h (modified) (1 diff)
• include/iprt/sha.h (modified) (5 diffs)
• include/iprt/types.h (modified) (1 diff)
• src/VBox/Runtime/Makefile.kmk (modified) (9 diffs)
• src/VBox/Runtime/common/checksum/alt-sha1.cpp (modified) (3 diffs)
• src/VBox/Runtime/common/checksum/alt-sha256.cpp (modified) (2 diffs)
• src/VBox/Runtime/common/checksum/alt-sha512.cpp (modified) (4 diffs)
• src/VBox/Runtime/common/checksum/openssl-sha1.cpp (modified) (3 diffs)
• src/VBox/Runtime/common/checksum/openssl-sha256.cpp (modified) (3 diffs)
• src/VBox/Runtime/common/checksum/openssl-sha512.cpp (modified) (3 diffs)
• src/VBox/Runtime/common/crypto/RTCrStoreCertAddFromDir.cpp (added)
• src/VBox/Runtime/common/crypto/RTCrStoreCertAddFromFile.cpp (modified) (3 diffs)
• src/VBox/Runtime/common/crypto/RTCrStoreCertAddFromStore.cpp (added)
• src/VBox/Runtime/common/crypto/RTCrStoreCertExportAsPem.cpp (added)
• src/VBox/Runtime/common/crypto/pemfile.cpp (modified) (7 diffs)
• src/VBox/Runtime/common/crypto/store-inmem.cpp (modified) (3 diffs)
• src/VBox/Runtime/common/crypto/store-internal.h (modified) (1 diff)
• src/VBox/Runtime/common/crypto/store.cpp (modified) (1 diff)
• src/VBox/Runtime/common/path/RTPathEnsureTrailingSeparator.cpp (added)
• src/VBox/Runtime/generic/RTCrStoreCreateSnapshotById-generic.cpp (added)
• src/VBox/Runtime/r3/win/RTCrStoreCreateSnapshotById-win.cpp (added)
• src/VBox/Runtime/tools/RTSignTool.cpp (modified) (1 diff)

trunk/include/iprt/cdefs.h

@@ -1452 +1452 @@
  *
  * @param   a_szConst   String constant.
+ * @sa      RTSTRTUPLE
  */
 #define RT_STR_TUPLE(a_szConst)  a_szConst, (sizeof(a_szConst) - 1)

trunk/include/iprt/crypto/pem.h

@@ -117 +117 @@
  * @returns IPRT status code.
  * @param   pszFilename     The path to the file to read.
- * @param   fFlags          Flags reserved for future hacks.
+ * @param   fFlags          RTCRPEMREADFILE_F_XXX.
  * @param   paMarkers       Array of one or more section markers to look for.
  * @param   cMarkers        Number of markers in the array.
@@ -125 +125 @@
 RTDECL(int) RTCrPemReadFile(const char *pszFilename, uint32_t fFlags, PCRTCRPEMMARKER paMarkers, size_t cMarkers,
                             PCRTCRPEMSECTION *ppSectionHead, PRTERRINFO pErrInfo);
+/** @name RTCRPEMREADFILE_F_XXX - Flags for RTCrPemReadFile
+ * @{ */
+/** Continue on encoding error. */
+#define RTCRPEMREADFILE_F_CONTINUE_ON_ENCODING_ERROR    RT_BIT(0)
+/** @} */
 
 /** @} */

trunk/include/iprt/crypto/store.h

@@ -58 +58 @@
 
 
+/**
+ * Standard store identifiers.
+ *
+ * This is a least common denominator approach to system specific certificate
+ * stores, could be extended to include things other than certificates later if
+ * we need it.
+ *
+ * Windows has lots of different stores, they'll be combined by the
+ * implementation, possibly leading to duplicates.  The user stores on Windows
+ * seems to be unioned with the system (machine) stores.
+ *
+ * Linux may have different stores depending on the distro/version/installation,
+ * in which case we'll combine them, which will most likely lead to
+ * duplicates just like on windows.  Haven't found any easily accessible
+ * per-user certificate stores on linux yet, so they'll all be empty.
+ *
+ * Mac OS X seems a lot simpler, at least from the GUI point of view.  Each
+ * keychains as a "Certificates" folder (the "My Certificates" folder seems to
+ * only be a matching of "Keys" and "Certificates"). However, there are two
+ * system keychains that we need to combine, "System" and "System Roots".  As
+ * with Windows and Linux, there is a possibility for duplicates here.
+ *
+ * On solaris we have currently no idea where to look for a certificate store,
+ * so that doesn't yet work.
+ *
+ * Because of the OS X setup, we do not provide any purpose specific
+ */
+typedef enum RTCRSTOREID
+{
+    /** Mandatory invalid zero value. */
+    RTCRSTOREID_INVALID = 0,
+    /** Open the certificate store of the current user containing trusted
+     * CAs and certificates.
+     * @remarks This may or may not include all the certificates in the system
+     *          store, that's host dependent.  So, you better look in both. */
+    RTCRSTOREID_USER_TRUSTED_CAS_AND_CERTIFICATES,
+    /** Open the certificate store of the system containg trusted CAs
+     * and certificates. */
+    RTCRSTOREID_SYSTEM_TRUSTED_CAS_AND_CERTIFICATES,
+    /** End of valid values. */
+    RTCRSTOREID_END,
+    /** Traditional enum type compression prevention hack. */
+    RTCRSTOREID_32BIT_HACK = 0x7fffffff
+} RTCRSTOREID;
+
+/**
+ * Creates a snapshot of a standard store.
+ *
+ * This will return an in-memory store containing all data from the given store.
+ * There will be no duplicates in this one.
+ *
+ * @returns IPRT status code.
+ * @retval  VWRN_ALREADY_EXISTS if the certificate is already present and
+ *          RTCRCERTCTX_F_ADD_IF_NOT_FOUND was specified.
+ * @param   phStore             Where to return the store handle. Use
+ *                              RTCrStoreRelease to release it.
+ * @param   enmStoreId          The store to snapshot.
+ * @param   pErrInfo            Where to return additional error/warning info.
+ *                              Optional.
+ */
+RTDECL(int) RTCrStoreCreateSnapshotById(PRTCRSTORE phStore, RTCRSTOREID enmStoreId, PRTERRINFO pErrInfo);
+
 RTDECL(int) RTCrStoreCreateInMem(PRTCRSTORE phStore, uint32_t cSizeHint);
 
@@ -63 +125 @@
 RTDECL(uint32_t) RTCrStoreRelease(RTCRSTORE hStore);
 RTDECL(PCRTCRCERTCTX) RTCrStoreCertByIssuerAndSerialNo(RTCRSTORE hStore, PCRTCRX509NAME pIssuer, PCRTASN1INTEGER pSerialNo);
+
+/**
+ * Add a certificate to the store.
+ *
+ * @returns IPRT status code.
+ * @retval  VWRN_ALREADY_EXISTS if the certificate is already present and
+ *          RTCRCERTCTX_F_ADD_IF_NOT_FOUND was specified.
+ * @retval  VERR_WRITE_PROTECT if the store doesn't support adding.
+ * @param   hStore              The store to add the certificate to.
+ * @param   fFlags              RTCRCERTCTX_F_XXX. Encoding must be specified.
+ *                              RTCRCERTCTX_F_ADD_IF_NOT_FOUND is supported.
+ * @param   pvSrc               The encoded certificate bytes.
+ * @param   cbSrc               The size of the encoded certificate.
+ * @param   pErrInfo            Where to return additional error/warning info.
+ *                              Optional.
+ */
 RTDECL(int) RTCrStoreCertAddEncoded(RTCRSTORE hStore, uint32_t fFlags, void const *pvSrc, size_t cbSrc, PRTERRINFO pErrInfo);
+
+/**
+ * Adds certificates from the specified file.
+ *
+ * @returns IPRT status code.  Even when RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR is
+ *          used, an error is returned as an error (and not a warning).
+ *
+ * @param   hStore              The store to add the certificate(s) to.
+ * @param   fFlags              RTCRCERTCTX_F_ADD_IF_NOT_FOUND and/or
+ *                              RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR.
+ * @param   pszFilename         The filename.
+ * @param   pErrInfo            Where to return additional error/warning info.
+ *                              Optional.
+ */
 RTDECL(int) RTCrStoreCertAddFromFile(RTCRSTORE hStore, uint32_t fFlags, const char *pszFilename, PRTERRINFO pErrInfo);
+
+/**
+ * Adds certificates from files in the specified directory.
+ *
+ * @returns IPRT status code.  Even when RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR is
+ *          used, an error is returned as an error (and not a warning).
+ *
+ * @param   hStore              The store to add the certificate(s) to.
+ * @param   fFlags              RTCRCERTCTX_F_ADD_IF_NOT_FOUND and/or
+ *                              RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR.
+ * @param   pszDir              The path to the directory.
+ * @param   paSuffixes          List of suffixes of files to process.
+ * @param   cSuffixes           Number of suffixes.  If this is 0, all files are
+ *                              processed.
+ * @param   pErrInfo            Where to return additional error/warning info.
+ *                              Optional.
+ */
+RTDECL(int) RTCrStoreCertAddFromDir(RTCRSTORE hStore, uint32_t fFlags, const char *pszDir,
+                                    PCRTSTRTUPLE paSuffixes, size_t cSuffixes, PRTERRINFO pErrInfo);
+
+/**
+ * Adds all certificates from @a hStoreSrc into @a hStore.
+ *
+ * @returns IPRT status code.  Even when RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR is
+ *          used, an error is returned as an error (and not a warning).
+ *
+ * @param   hStore              The destination store.
+ * @param   fFlags              RTCRCERTCTX_F_ADD_IF_NOT_FOUND and/or
+ *                              RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR.
+ * @param   hStoreSrc           The source store.
+ */
+RTDECL(int) RTCrStoreCertAddFromStore(RTCRSTORE hStore, uint32_t fFlags, RTCRSTORE hStoreSrc);
+
+/**
+ * Exports the certificates in the store to a PEM file
+ *
+ * @returns IPRT status code.
+ * @param   hStore              The store which certificates should be exported.
+ * @param   fFlags              Reserved for the future, MBZ.
+ * @param   pszFilename         The name of the destination PEM file.  This will
+ *                              be truncated.
+ */
+RTDECL(int) RTCrStoreCertExportAsPem(RTCRSTORE hStore, uint32_t fFlags, const char *pszFilename);
 
 RTDECL(int) RTCrStoreCertFindAll(RTCRSTORE hStore, PRTCRSTORECERTSEARCH pSearch);
@@ -119 +254 @@
 #define RTCRCERTCTX_F_ENC_PKCS6_DER    UINT32_C(0x00000002)
 #endif
+/** Mask containing the flags that ends up in the certificate context. */
+#define RTCRCERTCTX_F_MASK             UINT32_C(0x000000ff)
+
+/** Add APIs: Add the certificate if not found. */
+#define RTCRCERTCTX_F_ADD_IF_NOT_FOUND          UINT32_C(0x00010000)
+/** Add APIs: Continue on error when possible. */
+#define RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR     UINT32_C(0x00020000)
 /** @} */
 

trunk/include/iprt/crypto/x509.h

@@ -165 +165 @@
 
 /**
- * Matches the directory name against a comma separated list of the comonent
+ * Matches the directory name against a comma separated list of the component
  * strings (case sensitive).
  *

trunk/include/iprt/mangling.h

@@ -1050 +1050 @@
 # define RTPathCopyComponents                           RT_MANGLER(RTPathCopyComponents)
 # define RTPathCountComponents                          RT_MANGLER(RTPathCountComponents)
+# define RTPathEnsureTrailingSeparator                  RT_MANGLER(RTPathEnsureTrailingSeparator)
 # define RTPathExecDir                                  RT_MANGLER(RTPathExecDir)
 # define RTPathExists                                   RT_MANGLER(RTPathExists)
@@ -1344 +1345 @@
 # define RTSgBufGetNextSegment                          RT_MANGLER(RTSgBufGetNextSegment)
 # define RTSha1                                         RT_MANGLER(RTSha1)
+# define RTSha1Check                                    RT_MANGLER(RTSha1Check)
 # define RTSha1Digest                                   RT_MANGLER(RTSha1Digest)
 # define RTSha1DigestFromFile                           RT_MANGLER(RTSha1DigestFromFile)
@@ -1352 +1354 @@
 # define RTSha1Update                                   RT_MANGLER(RTSha1Update)
 # define RTSha224                                       RT_MANGLER(RTSha224)
+# define RTSha224Check                                  RT_MANGLER(RTSha224Check)
 # define RTSha224Final                                  RT_MANGLER(RTSha224Final)
 # define RTSha224FromString                             RT_MANGLER(RTSha224FromString)
@@ -1360 +1363 @@
 # define RTSha224DigestFromFile                         RT_MANGLER(RTSha224DigestFromFile)
 # define RTSha256                                       RT_MANGLER(RTSha256)
+# define RTSha256Check                                  RT_MANGLER(RTSha256Check)
 # define RTSha256Final                                  RT_MANGLER(RTSha256Final)
 # define RTSha256FromString                             RT_MANGLER(RTSha256FromString)
@@ -1368 +1372 @@
 # define RTSha256DigestFromFile                         RT_MANGLER(RTSha256DigestFromFile)
 # define RTSha384                                       RT_MANGLER(RTSha384)
+# define RTSha384Check                                  RT_MANGLER(RTSha384Check)
 # define RTSha384Final                                  RT_MANGLER(RTSha384Final)
 # define RTSha384FromString                             RT_MANGLER(RTSha384FromString)
@@ -1374 +1379 @@
 # define RTSha384Update                                 RT_MANGLER(RTSha384Update)
 # define RTSha512                                       RT_MANGLER(RTSha512)
+# define RTSha512Check                                  RT_MANGLER(RTSha512Check)
 # define RTSha512Final                                  RT_MANGLER(RTSha512Final)
 # define RTSha512FromString                             RT_MANGLER(RTSha512FromString)
@@ -1380 +1386 @@
 # define RTSha512Update                                 RT_MANGLER(RTSha512Update)
 # define RTSha512t224                                   RT_MANGLER(RTSha512t224)
+# define RTSha512t224Check                              RT_MANGLER(RTSha512t224Check)
 # define RTSha512t224Final                              RT_MANGLER(RTSha512t224Final)
 # define RTSha512t224FromString                         RT_MANGLER(RTSha512t224FromString)
@@ -1386 +1393 @@
 # define RTSha512t224Update                             RT_MANGLER(RTSha512t224Update)
 # define RTSha512t256                                   RT_MANGLER(RTSha512t256)
+# define RTSha512t256Check                              RT_MANGLER(RTSha512t256Check)
 # define RTSha512t256Final                              RT_MANGLER(RTSha512t256Final)
 # define RTSha512t256FromString                         RT_MANGLER(RTSha512t256FromString)
@@ -2892 +2900 @@
 # define RTCrStoreRetain                                RT_MANGLER(RTCrStoreRetain)
 # define RTCrStoreCreateInMem                           RT_MANGLER(RTCrStoreCreateInMem)
+# define RTCrStoreCreateSnapshotById                    RT_MANGLER(RTCrStoreCreateSnapshotById)
 # define RTCrStoreCertAddFromFile                       RT_MANGLER(RTCrStoreCertAddFromFile)
+# define RTCrStoreCertAddFromDir                        RT_MANGLER(RTCrStoreCertAddFromDir)
+# define RTCrStoreCertAddFromStore                      RT_MANGLER(RTCrStoreCertAddFromStore)
+# define RTCrStoreCertExportAsPem                       RT_MANGLER(RTCrStoreCertExportAsPem)
 # define RTErrInfoAdd                                   RT_MANGLER(RTErrInfoAdd)
 # define RTErrInfoAddF                                  RT_MANGLER(RTErrInfoAddF)

trunk/include/iprt/path.h

@@ -357 +357 @@
  */
 RTDECL(size_t) RTPathStripTrailingSlash(char *pszPath);
+
+/**
+ * Ensures that the path has a trailing path separator such that file names can
+ * be appended without further work.
+ *
+ * This can be helpful when preparing for efficiently combining a directory path
+ * with the filenames returned by RTDirRead.  The return value gives you the
+ * position at which you copy the RTDIRENTRY::szName to construct a valid path
+ * to it.
+ *
+ * @returns The length of the path, 0 on buffer overflow.
+ * @param   pszPath     The path.
+ * @param   cbPath      The length of the path buffer @a pszPath points to.
+ */
+RTDECL(size_t) RTPathEnsureTrailingSeparator(char *pszPath, size_t cbPath);
 
 /**

trunk/include/iprt/sha.h

@@ -69 +69 @@
 
 /**
+ * Computes the SHA-1 hash for the given data comparing it with the one given.
+ *
+ * @returns true on match, false on mismatch.
+ * @param   pvBuf       Pointer to the data.
+ * @param   cbBuf       The amount of data (in bytes).
+ * @param   pabHash     The hash to verify. (What is passed is a pointer to the
+ *                      caller's buffer.)
+ */
+RTDECL(bool) RTSha1Check(const void *pvBuf, size_t cbBuf, uint8_t const pabDigest[RTSHA1_HASH_SIZE]);
+
+/**
  * Initializes the SHA-1 context.
  *
@@ -177 +188 @@
 
 /**
+ * Computes the SHA-256 hash for the given data comparing it with the one given.
+ *
+ * @returns true on match, false on mismatch.
+ * @param   pvBuf       Pointer to the data.
+ * @param   cbBuf       The amount of data (in bytes).
+ * @param   pabHash     The hash to verify. (What is passed is a pointer to the
+ *                      caller's buffer.)
+ */
+RTDECL(bool) RTSha256Check(const void *pvBuf, size_t cbBuf, uint8_t const pabDigest[RTSHA256_HASH_SIZE]);
+
+/**
  * Initializes the SHA-256 context.
  *
@@ -275 +297 @@
 
 /**
+ * Computes the SHA-224 hash for the given data comparing it with the one given.
+ *
+ * @returns true on match, false on mismatch.
+ * @param   pvBuf       Pointer to the data.
+ * @param   cbBuf       The amount of data (in bytes).
+ * @param   pabHash     The hash to verify. (What is passed is a pointer to the
+ *                      caller's buffer.)
+ */
+RTDECL(bool) RTSha224Check(const void *pvBuf, size_t cbBuf, uint8_t const pabDigest[RTSHA224_HASH_SIZE]);
+
+/**
  * Initializes the SHA-224 context.
  *
@@ -383 +416 @@
 
 /**
+ * Computes the SHA-512 hash for the given data comparing it with the one given.
+ *
+ * @returns true on match, false on mismatch.
+ * @param   pvBuf       Pointer to the data.
+ * @param   cbBuf       The amount of data (in bytes).
+ * @param   pabHash     The hash to verify. (What is passed is a pointer to the
+ *                      caller's buffer.)
+ */
+RTDECL(bool) RTSha512Check(const void *pvBuf, size_t cbBuf, uint8_t const pabDigest[RTSHA512_HASH_SIZE]);
+
+/**
  * Initializes the SHA-512 context.
  *
@@ -438 +482 @@
     typedef RTSHA512CONTEXT *RT_CONCAT3(PRTSHA,a_UName,CONTEXT); \
     RTDECL(void) RT_CONCAT(RTSha,a_Name)(const void *pvBuf, size_t cbBuf, uint8_t pabDigest[RT_CONCAT3(RTSHA,a_UName,_HASH_SIZE)]); \
+    RTDECL(bool) RT_CONCAT3(RTSha,a_Name,Check)(const void *pvBuf, size_t cbBuf, uint8_t const pabDigest[RT_CONCAT3(RTSHA,a_UName,_HASH_SIZE)]); \
     RTDECL(void) RT_CONCAT3(RTSha,a_Name,Init)(RT_CONCAT3(PRTSHA,a_UName,CONTEXT) pCtx); \
     RTDECL(void) RT_CONCAT3(RTSha,a_Name,Update)(RT_CONCAT3(PRTSHA,a_UName,CONTEXT) pCtx, const void *pvBuf, size_t cbBuf); \

trunk/include/iprt/types.h

@@ -2176 +2176 @@
 
 /**
+ * String tuple to go with the RT_STR_TUPLE macro.
+ */
+typedef struct RTSTRTUPLE
+{
+    /** The string. */
+    const char *psz;
+    /** The string length. */
+    size_t      cch;
+} RTSTRTUPLE;
+/** Pointer to a string tuple. */
+typedef RTSTRTUPLE *PRTSTRTUPLE;
+/** Pointer to a const string tuple. */
+typedef RTSTRTUPLE const *PCRTSTRTUPLE;
+
+/**
  * Wait for ever if we have to.
  */

trunk/src/VBox/Runtime/Makefile.kmk

@@ -369 +369 @@
         common/crypto/store-inmem.cpp \
         common/crypto/RTCrStoreCertAddFromFile.cpp \
+        common/crypto/RTCrStoreCertAddFromDir.cpp \
+        common/crypto/RTCrStoreCertAddFromStore.cpp \
+        common/crypto/RTCrStoreCertExportAsPem.cpp \
         common/dbg/dbg.cpp \
         common/dbg/dbgas.cpp \
@@ -458 +461 @@
         common/path/RTPathCopyComponents.cpp \
         common/path/RTPathCountComponents.cpp \
+        common/path/RTPathEnsureTrailingSeparator.cpp \
         common/path/RTPathExt.cpp \
         common/path/RTPathFilename.cpp \
@@ -735 +739 @@
         r3/nt/RTProcQueryParent-r3-nt.cpp \
         r3/win/env-win.cpp \
+        r3/win/RTCrStoreCreateSnapshotById-win.cpp \
         r3/win/RTHandleGetStandard-win.cpp \
         r3/win/RTSystemQueryOSInfo-win.cpp \
@@ -779 +784 @@
 RuntimeR3_SOURCES.linux = \
         generic/cdrom-generic.cpp \
+        generic/RTCrStoreCreateSnapshotById-generic.cpp \
         generic/RTDirQueryInfo-generic.cpp \
         generic/RTDirSetTimes-generic.cpp \
@@ -865 +871 @@
 RuntimeR3_SOURCES.os2   = \
         generic/cdrom-generic.cpp \
+        generic/RTCrStoreCreateSnapshotById-generic.cpp \
         generic/RTDirQueryInfo-generic.cpp \
         generic/RTDirSetTimes-generic.cpp \
@@ -939 +946 @@
         darwin/RTErrConvertFromDarwinKern.cpp \
         generic/cdrom-generic.cpp \
+        generic/RTCrStoreCreateSnapshotById-generic.cpp \
         generic/RTDirQueryInfo-generic.cpp \
         generic/RTDirSetTimes-generic.cpp \
@@ -1008 +1016 @@
 RuntimeR3_SOURCES.freebsd = \
         generic/cdrom-generic.cpp \
+        generic/RTCrStoreCreateSnapshotById-generic.cpp \
         generic/RTDirQueryInfo-generic.cpp \
         generic/RTDirSetTimes-generic.cpp \
@@ -1079 +1088 @@
 RuntimeR3_SOURCES.solaris = \
         generic/cdrom-generic.cpp \
+        generic/RTCrStoreCreateSnapshotById-generic.cpp \
         generic/RTDirQueryInfo-generic.cpp \
         generic/RTDirSetTimes-generic.cpp \
@@ -1153 +1163 @@
 
 RuntimeR3_SOURCES.haiku = \
+        generic/RTCrStoreCreateSnapshotById-generic.cpp \
         generic/RTDirQueryInfo-generic.cpp \
         generic/RTDirSetTimes-generic.cpp \

trunk/src/VBox/Runtime/common/checksum/alt-sha1.cpp

@@ -442 +442 @@
 
 
-RTDECL(void) RTSha1Final(PRTSHA1CONTEXT pCtx, uint8_t pabDigest[RTSHA1_HASH_SIZE])
+static void rtSha1FinalInternal(PRTSHA1CONTEXT pCtx)
 {
     Assert(pCtx->AltPrivate.cbMessage < UINT64_MAX / 2);
@@ -481 +481 @@
     pCtx->AltPrivate.auH[3] = RT_H2BE_U32(pCtx->AltPrivate.auH[3]);
     pCtx->AltPrivate.auH[4] = RT_H2BE_U32(pCtx->AltPrivate.auH[4]);
-
-    memcpy(pabDigest, &pCtx->AltPrivate.auH[0], RTSHA1_HASH_SIZE);
-
+}
+
+
+DECLINLINE(void) rtSha1WipeCtx(PRTSHA1CONTEXT pCtx)
+{
     RT_ZERO(pCtx->AltPrivate);
     pCtx->AltPrivate.cbMessage = UINT64_MAX;
+}
+
+
+RTDECL(void) RTSha1Final(PRTSHA1CONTEXT pCtx, uint8_t pabDigest[RTSHA1_HASH_SIZE])
+{
+    rtSha1FinalInternal(pCtx);
+    memcpy(pabDigest, &pCtx->AltPrivate.auH[0], RTSHA1_HASH_SIZE);
+    rtSha1WipeCtx(pCtx);
 }
 RT_EXPORT_SYMBOL(RTSha1Final);
@@ -499 +509 @@
 RT_EXPORT_SYMBOL(RTSha1);
 
+
+RTDECL(bool) RTSha1Check(const void *pvBuf, size_t cbBuf, uint8_t const pabHash[RTSHA1_HASH_SIZE])
+{
+    RTSHA1CONTEXT Ctx;
+    RTSha1Init(&Ctx);
+    RTSha1Update(&Ctx, pvBuf, cbBuf);
+    rtSha1FinalInternal(&Ctx);
+
+    bool fRet = memcmp(pabHash, &Ctx.AltPrivate.auH[0], RTSHA1_HASH_SIZE) == 0;
+
+    rtSha1WipeCtx(&Ctx);
+    return fRet;
+}
+RT_EXPORT_SYMBOL(RTSha1Check);
+

trunk/src/VBox/Runtime/common/checksum/alt-sha256.cpp

@@ -607 +607 @@
 
 
+RTDECL(bool) RTSha256Check(const void *pvBuf, size_t cbBuf, uint8_t const pabHash[RTSHA256_HASH_SIZE])
+{
+    RTSHA256CONTEXT Ctx;
+    RTSha256Init(&Ctx);
+    RTSha256Update(&Ctx, pvBuf, cbBuf);
+    rtSha256FinalInternal(&Ctx);
+
+    bool fRet = memcmp(pabHash, &Ctx.AltPrivate.auH[0], RTSHA256_HASH_SIZE) == 0;
+
+    RT_ZERO(Ctx.AltPrivate.auH);
+    return fRet;
+}
+RT_EXPORT_SYMBOL(RTSha256Check);
+
+
 
 /*
@@ -652 +667 @@
 RT_EXPORT_SYMBOL(RTSha224);
 
+
+RTDECL(bool) RTSha224Check(const void *pvBuf, size_t cbBuf, uint8_t const pabHash[RTSHA224_HASH_SIZE])
+{
+    RTSHA224CONTEXT Ctx;
+    RTSha224Init(&Ctx);
+    RTSha224Update(&Ctx, pvBuf, cbBuf);
+    rtSha256FinalInternal(&Ctx);
+
+    bool fRet = memcmp(pabHash, &Ctx.AltPrivate.auH[0], RTSHA224_HASH_SIZE) == 0;
+
+    RT_ZERO(Ctx.AltPrivate.auH);
+    return fRet;
+}
+RT_EXPORT_SYMBOL(RTSha224Check);
+

trunk/src/VBox/Runtime/common/checksum/alt-sha512.cpp

@@ -596 +596 @@
 
 
+RTDECL(bool) RTSha512Check(const void *pvBuf, size_t cbBuf, uint8_t const pabHash[RTSHA512_HASH_SIZE])
+{
+    RTSHA512CONTEXT Ctx;
+    RTSha512Init(&Ctx);
+    RTSha512Update(&Ctx, pvBuf, cbBuf);
+    rtSha512FinalInternal(&Ctx);
+
+    bool fRet = memcmp(pabHash, &Ctx.AltPrivate.auH[0], RTSHA512_HASH_SIZE) == 0;
+
+    RT_ZERO(Ctx.AltPrivate.auH);
+    return fRet;
+}
+RT_EXPORT_SYMBOL(RTSha512Check);
+
+
 
 /*
@@ -643 +658 @@
 
 
+RTDECL(bool) RTSha384Check(const void *pvBuf, size_t cbBuf, uint8_t const pabHash[RTSHA384_HASH_SIZE])
+{
+    RTSHA384CONTEXT Ctx;
+    RTSha384Init(&Ctx);
+    RTSha384Update(&Ctx, pvBuf, cbBuf);
+    rtSha512FinalInternal(&Ctx);
+
+    bool fRet = memcmp(pabHash, &Ctx.AltPrivate.auH[0], RTSHA384_HASH_SIZE) == 0;
+
+    RT_ZERO(Ctx.AltPrivate.auH);
+    return fRet;
+}
+RT_EXPORT_SYMBOL(RTSha384Check);
+
+
 /*
  * SHA-512/224 is just SHA-512 with different initial values an a truncated result.
@@ -689 +719 @@
 
 
+RTDECL(bool) RTSha512t224Check(const void *pvBuf, size_t cbBuf, uint8_t const pabHash[RTSHA512T224_HASH_SIZE])
+{
+    RTSHA512T224CONTEXT Ctx;
+    RTSha512t224Init(&Ctx);
+    RTSha512t224Update(&Ctx, pvBuf, cbBuf);
+    rtSha512FinalInternal(&Ctx);
+
+    bool fRet = memcmp(pabHash, &Ctx.AltPrivate.auH[0], RTSHA512T224_HASH_SIZE) == 0;
+
+    RT_ZERO(Ctx.AltPrivate.auH);
+    return fRet;
+}
+RT_EXPORT_SYMBOL(RTSha512t224Check);
+
+
 /*
  * SHA-512/256 is just SHA-512 with different initial values an a truncated result.
@@ -734 +779 @@
 RT_EXPORT_SYMBOL(RTSha512t256);
 
+
+RTDECL(bool) RTSha512t256Check(const void *pvBuf, size_t cbBuf, uint8_t const pabHash[RTSHA512T256_HASH_SIZE])
+{
+    RTSHA512T256CONTEXT Ctx;
+    RTSha512t256Init(&Ctx);
+    RTSha512t256Update(&Ctx, pvBuf, cbBuf);
+    rtSha512FinalInternal(&Ctx);
+
+    bool fRet = memcmp(pabHash, &Ctx.AltPrivate.auH[0], RTSHA512T256_HASH_SIZE) == 0;
+
+    RT_ZERO(Ctx.AltPrivate.auH);
+    return fRet;
+}
+RT_EXPORT_SYMBOL(RTSha512t256Check);
+

trunk/src/VBox/Runtime/common/checksum/openssl-sha1.cpp

@@ -37 +37 @@
 
 #include <iprt/assert.h>
+#include <iprt/string.h>
+
 
 AssertCompile(RT_SIZEOFMEMB(RTSHA1CONTEXT, abPadding) >= RT_SIZEOFMEMB(RTSHA1CONTEXT, Private));
@@ -49 +51 @@
 }
 RT_EXPORT_SYMBOL(RTSha1);
+
+
+RTDECL(bool) RTSha1Check(const void *pvBuf, size_t cbBuf, uint8_t const pabDigest[RTSHA1_HASH_SIZE])
+{
+    RTSHA1CONTEXT Ctx;
+    RTSha1Init(&Ctx);
+    RTSha1Update(&Ctx, pvBuf, cbBuf);
+    uint8_t abActualDigest[RTSHA1_HASH_SIZE];
+    RTSha1Final(&Ctx, abActualDigest);
+    bool fRet = memcmp(pabDigest, abActualDigest, RTSHA1_HASH_SIZE) == 0;
+    RT_ZERO(abActualDigest);
+    return fRet;
+}
+RT_EXPORT_SYMBOL(RTSha1Check);
 
 
@@ -65 +81 @@
 
 
-RTDECL(void) RTSha1Final(PRTSHA1CONTEXT pCtx, uint8_t pabDigest[32])
+RTDECL(void) RTSha1Final(PRTSHA1CONTEXT pCtx, uint8_t pabDigest[RTSHA1_HASH_SIZE])
 {
     SHA1_Final((unsigned char *)&pabDigest[0], &pCtx->Private);

trunk/src/VBox/Runtime/common/checksum/openssl-sha256.cpp

@@ -37 +37 @@
 
 #include <iprt/assert.h>
+#include <iprt/string.h>
+
 
 AssertCompile(RT_SIZEOFMEMB(RTSHA256CONTEXT, abPadding) >= RT_SIZEOFMEMB(RTSHA256CONTEXT, Private));
@@ -49 +51 @@
 }
 RT_EXPORT_SYMBOL(RTSha256);
+
+
+RTDECL(bool) RTSha256Check(const void *pvBuf, size_t cbBuf, uint8_t const pabDigest[RTSHA256_HASH_SIZE])
+{
+    RTSHA256CONTEXT Ctx;
+    RTSha256Init(&Ctx);
+    RTSha256Update(&Ctx, pvBuf, cbBuf);
+    uint8_t abActualDigest[RTSHA256_HASH_SIZE];
+    RTSha256Final(&Ctx, abActualDigest);
+    bool fRet = memcmp(pabDigest, abActualDigest, RTSHA256_HASH_SIZE) == 0;
+    RT_ZERO(abActualDigest);
+    return fRet;
+}
+RT_EXPORT_SYMBOL(RTSha256Check);
 
 
@@ -87 +103 @@
 
 
+RTDECL(bool) RTSha224Check(const void *pvBuf, size_t cbBuf, uint8_t const pabDigest[RTSHA224_HASH_SIZE])
+{
+    RTSHA224CONTEXT Ctx;
+    RTSha224Init(&Ctx);
+    RTSha224Update(&Ctx, pvBuf, cbBuf);
+    uint8_t abActualDigest[RTSHA224_HASH_SIZE];
+    RTSha224Final(&Ctx, abActualDigest);
+    bool fRet = memcmp(pabDigest, abActualDigest, RTSHA224_HASH_SIZE) == 0;
+    RT_ZERO(abActualDigest);
+    return fRet;
+}
+RT_EXPORT_SYMBOL(RTSha224Check);
+
+
 RTDECL(void) RTSha224Init(PRTSHA224CONTEXT pCtx)
 {

trunk/src/VBox/Runtime/common/checksum/openssl-sha512.cpp

@@ -37 +37 @@
 
 #include <iprt/assert.h>
+#include <iprt/string.h>
+
 
 AssertCompile(RT_SIZEOFMEMB(RTSHA512CONTEXT, abPadding) >= RT_SIZEOFMEMB(RTSHA512CONTEXT, Private));
@@ -49 +51 @@
 }
 RT_EXPORT_SYMBOL(RTSha512);
+
+
+RTDECL(bool) RTSha512Check(const void *pvBuf, size_t cbBuf, uint8_t const pabDigest[RTSHA512_HASH_SIZE])
+{
+    RTSHA512CONTEXT Ctx;
+    RTSha512Init(&Ctx);
+    RTSha512Update(&Ctx, pvBuf, cbBuf);
+    uint8_t abActualDigest[RTSHA512_HASH_SIZE];
+    RTSha512Final(&Ctx, abActualDigest);
+    bool fRet = memcmp(pabDigest, abActualDigest, RTSHA512_HASH_SIZE) == 0;
+    RT_ZERO(abActualDigest);
+    return fRet;
+}
+RT_EXPORT_SYMBOL(RTSha512Check);
 
 
@@ -88 +104 @@
 
 
+RTDECL(bool) RTSha384Check(const void *pvBuf, size_t cbBuf, uint8_t const pabDigest[RTSHA384_HASH_SIZE])
+{
+    RTSHA384CONTEXT Ctx;
+    RTSha384Init(&Ctx);
+    RTSha384Update(&Ctx, pvBuf, cbBuf);
+    uint8_t abActualDigest[RTSHA384_HASH_SIZE];
+    RTSha384Final(&Ctx, abActualDigest);
+    bool fRet = memcmp(pabDigest, abActualDigest, RTSHA384_HASH_SIZE) == 0;
+    RT_ZERO(abActualDigest);
+    return fRet;
+}
+RT_EXPORT_SYMBOL(RTSha384Check);
+
+
 RTDECL(void) RTSha384Init(PRTSHA384CONTEXT pCtx)
 {

trunk/src/VBox/Runtime/common/crypto/RTCrStoreCertAddFromFile.cpp

@@ -100 +100 @@
 RTDECL(int) RTCrStoreCertAddFromFile(RTCRSTORE hStore, uint32_t fFlags, const char *pszFilename, PRTERRINFO pErrInfo)
 {
-    AssertReturn(!fFlags, VERR_INVALID_FLAGS);
-#if 0
-    RTCRX509CERTIFICATES Certs;
-    int rc = RTCrX509Certificates_ReadFromFile(pszFilename, 0, &Certs, pErrInfo);
-    if (RT_SUCCESS(rc))
-    {
-        for (uint32_t i = 0; i < Certs.cCerts; i++)
-        {
-            int rc2 = RTCrStoreCertAddEncoded(hStore, RTCRCERTCTX_F_ENC_X509_DER,
-                                              RTASN1CORE_GET_RAW_ASN1_PTR(&Certs.paCerts[i].SeqCore.Asn1Core),
-                                              RTASN1CORE_GET_RAW_ASN1_SIZE(&Certs.paCerts[i].SeqCore.Asn1Core),
-                                              RT_SUCCESS(rc) ? pErrInfo : NULL);
-            if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
-                rc = rc2;
-        }
-
-        RTAsn1Destroy(&Certs.SetCore.Asn1Core);
-    }
-    return rc;
-#else
+    AssertReturn(!(fFlags & ~(RTCRCERTCTX_F_ADD_IF_NOT_FOUND | RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR)), VERR_INVALID_FLAGS);
 
     PCRTCRPEMSECTION pSectionHead;
-    int rc = RTCrPemReadFile(pszFilename, 0, g_aCertificateMarkers, RT_ELEMENTS(g_aCertificateMarkers), &pSectionHead, pErrInfo);
+    int rc = RTCrPemReadFile(pszFilename,
+                             fFlags & RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR ? RTCRPEMREADFILE_F_CONTINUE_ON_ENCODING_ERROR : 0,
+                             g_aCertificateMarkers, RT_ELEMENTS(g_aCertificateMarkers), &pSectionHead, pErrInfo);
     if (RT_SUCCESS(rc))
     {
@@ -128 +111 @@
         while (pCurSec)
         {
-            int rc2 = RTCrStoreCertAddEncoded(hStore, RTCRCERTCTX_F_ENC_X509_DER, pCurSec->pbData, pCurSec->cbData,
-                                              RT_SUCCESS(rc) ? pErrInfo : NULL);
+            int rc2 = RTCrStoreCertAddEncoded(hStore, RTCRCERTCTX_F_ENC_X509_DER | (fFlags & ~RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR),
+                                              pCurSec->pbData, pCurSec->cbData, !RTErrInfoIsSet(pErrInfo) ? pErrInfo : NULL);
             if (RT_FAILURE(rc2) && RT_SUCCESS(rc))
+            {
                 rc = rc2;
+                if (!(fFlags & RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR))
+                    break;
+            }
             pCurSec = pCurSec->pNext;
         }
@@ -138 +125 @@
     }
     return rc;
-#endif
 }
 

trunk/src/VBox/Runtime/common/crypto/pemfile.cpp

@@ -125 +125 @@
                 uint8_t const  *pbSavedContent = pbContent;
                 size_t  const   cbSavedContent = cbContent;
-                uint32_t        iMarker = 0;
-                while (iMarker < cMarkers)
+                for (uint32_t iMarker = 0; iMarker < cMarkers; iMarker++)
                 {
                     pbContent = pbSavedContent;
@@ -143 +142 @@
                         cbContent -= cchWord;
 
-                        if (!cbContent || !RT_C_IS_BLANK(*pbContent))
-                            break;
-                        do
-                        {
-                            pbContent++;
-                            cbContent--;
-                        } while (cbContent > 0 && RT_C_IS_BLANK(*pbContent));
+                        if (!cbContent)
+                            break;
+                        if (RT_C_IS_BLANK(*pbContent))
+                            do
+                            {
+                                pbContent++;
+                                cbContent--;
+                            } while (cbContent > 0 && RT_C_IS_BLANK(*pbContent));
+                        else if (cWords > 1 || pbContent[0] != '-')
+                            break;
 
                         cWords--;
@@ -175 +177 @@
                                 if (poffEnd)
                                     *poffEnd = pbContent - pbStart;
-                                if (*ppMatch)
+                                if (ppMatch)
                                     *ppMatch = &paMarkers[iMarker];
                                 return true;
@@ -265 +267 @@
 {
     /*
-     * Assume a well formed PEM file contains only 7-bit ASCII and restricts
-     * itself to the following control characters:
+     * Well formed PEM files should probably only contain 7-bit ASCII and
+     * restrict thenselfs to the following control characters:
      *      tab, newline, return, form feed
+     *
+     * However, if we wan't to read PEM files which contains human readable
+     * certificate details before or after each base-64 section, we can't stick
+     * to 7-bit ASCII.  We could say it must be UTF-8, but that's probably to
+     * limited too.  So, we'll settle for detecting binary files by control
+     * characters alone (safe enough for DER encoded stuff, I think).
      */
     while (cbFile-- > 0)
     {
         uint8_t const b = *pbFile++;
-        if (   b >= 0x7f
-            || (b < 32 && b != '\t' && b != '\n' && b != '\r' && b != '\f') )
+        if (b < 32 && b != '\t' && b != '\n' && b != '\r' && b != '\f')
         {
             /* Ignore EOT (4), SUB (26) and NUL (0) at the end of the file. */
@@ -280 +287 @@
                     || (   cbFile == 1
                         && *pbFile == '\0')))
-                return true;
+                return false;
+
             if (b == 0 && cbFile == 0)
-                return true;
-            return false;
-        }
-    }
-    return true;
+                return false;
+
+            return true;
+        }
+    }
+    return false;
 }
 
@@ -328 +337 @@
                             PCRTCRPEMSECTION *ppSectionHead, PRTERRINFO pErrInfo)
 {
-    AssertReturn(!fFlags, VERR_INVALID_FLAGS);
+    AssertReturn(!(fFlags & ~RTCRPEMREADFILE_F_CONTINUE_ON_ENCODING_ERROR), VERR_INVALID_FLAGS);
 
     size_t      cbContent;
@@ -362 +371 @@
                     /* Decode the section. */
                     /** @todo copy the preamble as well. */
-                    rc = rtCrPemDecodeBase64(pbContent + offBegin, offEnd - offBegin,
-                                             (void **)&pSection->pbData, &pSection->cbData);
-                    if (RT_FAILURE(rc))
+                    int rc2 = rtCrPemDecodeBase64(pbContent + offBegin, offEnd - offBegin,
+                                                  (void **)&pSection->pbData, &pSection->cbData);
+                    if (RT_FAILURE(rc2))
                     {
                         pSection->pbData = NULL;
                         pSection->cbData = 0;
-                        break;
+                        if (   rc2 == VERR_INVALID_BASE64_ENCODING
+                            && (fFlags & RTCRPEMREADFILE_F_CONTINUE_ON_ENCODING_ERROR))
+                            rc = -rc2;
+                        else
+                        {
+                            rc = rc2;
+                            break;
+                        }
                     }
 

trunk/src/VBox/Runtime/common/crypto/store-inmem.cpp

@@ -282 +282 @@
     int rc;
 
-    AssertMsgReturn(   fFlags == RTCRCERTCTX_F_ENC_X509_DER
-                    || fFlags == RTCRCERTCTX_F_ENC_TAF_DER
+    AssertMsgReturn(   (fFlags & RTCRCERTCTX_F_ENC_MASK) == RTCRCERTCTX_F_ENC_X509_DER
+                    || (fFlags & RTCRCERTCTX_F_ENC_MASK) == RTCRCERTCTX_F_ENC_TAF_DER
                     , ("Only X.509 and TAF DER are supported: %#x\n", fFlags), VERR_INVALID_FLAGS);
 
-    if (pThis->cCerts + 1 > pThis->cCertsAlloc)
+    /*
+     * Check for duplicates if specified.
+     */
+    if (fFlags & RTCRCERTCTX_F_ADD_IF_NOT_FOUND)
+    {
+        uint32_t iCert = pThis->cCerts;
+        while (iCert-- > 0)
+        {
+            PRTCRSTOREINMEMCERT pCert = pThis->papCerts[iCert];
+            if (   pCert->Core.Public.cbEncoded == cbEncoded
+                && pCert->Core.Public.fFlags == (fFlags & RTCRCERTCTX_F_ENC_MASK)
+                && memcmp(pCert->Core.Public.pabEncoded, pbEncoded, cbEncoded) == 0)
+                return VWRN_ALREADY_EXISTS;
+        }
+    }
+
+    /*
+     * Add it.
+     */
+    if (pThis->cCerts + 1 <= pThis->cCertsAlloc)
+    { /* likely */ }
+    else
     {
         rc = rtCrStoreInMemGrow(pThis, pThis->cCerts + 1);
@@ -293 +314 @@
     }
 
-    rc = rtCrStoreInMemCreateCertEntry(pThis, fFlags, pbEncoded, cbEncoded, pErrInfo, &pThis->papCerts[pThis->cCerts]);
+    rc = rtCrStoreInMemCreateCertEntry(pThis, fFlags & RTCRCERTCTX_F_ENC_MASK, pbEncoded, cbEncoded,
+                                       pErrInfo, &pThis->papCerts[pThis->cCerts]);
     if (RT_SUCCESS(rc))
     {
@@ -360 +382 @@
     return rc;
 }
-
+RT_EXPORT_SYMBOL(RTCrStoreCreateInMem);
+

trunk/src/VBox/Runtime/common/crypto/store-internal.h

@@ -125 +125 @@
      * Adds a certificate to the store.
      *
+     * @returns IPRT status.
+     * @retval  VWRN_ALREADY_EXISTS if the certificate is already present and
+     *          RTCRCERTCTX_F_ADD_IF_NOT_FOUND was specified.
      * @param   pvProvider      The provider specific data.
      * @param   fFlags          RTCRCERTCTX_F_XXX.

trunk/src/VBox/Runtime/common/crypto/store.cpp

@@ -174 +174 @@
     AssertPtrReturn(pvSrc, VERR_INVALID_POINTER);
     AssertReturn(cbSrc > 16 && cbSrc < _1M, VERR_OUT_OF_RANGE);
-    AssertMsgReturn(   fFlags == RTCRCERTCTX_F_ENC_X509_DER
-                    || fFlags == RTCRCERTCTX_F_ENC_TAF_DER
+    AssertReturn(!(fFlags & ~(RTCRCERTCTX_F_ADD_IF_NOT_FOUND | RTCRCERTCTX_F_ENC_MASK)), VERR_INVALID_FLAGS);
+    AssertMsgReturn(   (fFlags & RTCRCERTCTX_F_ENC_MASK) == RTCRCERTCTX_F_ENC_X509_DER
+                    || (fFlags & RTCRCERTCTX_F_ENC_MASK) == RTCRCERTCTX_F_ENC_TAF_DER
                     , ("Only X.509 and TAF DER supported: %#x\n", fFlags), VERR_INVALID_FLAGS);
 

trunk/src/VBox/Runtime/tools/RTSignTool.cpp

@@ -496 +496 @@
         {
             case 'r': case 'a':
-                rc = RTCrStoreCertAddFromFile(ch == 'r' ? State.hRootStore : State.hAdditionalStore,  0, ValueUnion.psz,
-                                              RTErrInfoInitStatic(&StaticErrInfo));
+                rc = RTCrStoreCertAddFromFile(ch == 'r' ? State.hRootStore : State.hAdditionalStore,
+                                              RTCRCERTCTX_F_ADD_IF_NOT_FOUND | RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR,
+                                              ValueUnion.psz, RTErrInfoInitStatic(&StaticErrInfo));
                 if (RT_FAILURE(rc))
                     return RTMsgErrorExit(RTEXITCODE_FAILURE, "Error loading certificate '%s': %Rrc - %s",
                                           ValueUnion.psz, rc, StaticErrInfo.szMsg);
+                if (RTErrInfoIsSet(&StaticErrInfo.Core))
+                    RTMsgWarning("Warnings loading certificate '%s': %s", ValueUnion.psz, StaticErrInfo.szMsg);
                 break;