Changeset 57665 in vbox for trunk/src/VBox/Frontends/VirtualBox
- Timestamp:
- Sep 9, 2015 1:15:21 PM (9 years ago)
- File:
-
- 1 edited
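--- a/trunk/src/VBox/Frontends/VirtualBox/src/net/UINetworkReply.cpp
+++ b/trunk/src/VBox/Frontends/VirtualBox/src/net/UINetworkReply.cpp
@@ -86,10 +86,4 @@
 typedef struct CERTINFO
 {
-/** Gives the s_aCerts index this certificate is an alternative edition of,
-* UINT8_MAX if no alternative. This is a complication caused by VeriSign
-* reissuing certificates signed with md2WithRSAEncryption using
-* sha1WithRSAEncryption, since MD2 is comprimised. (Public key unmodified.)
-* It has no practical meaning for the trusted root anchor use we put it to. */
-uint8_t iAlternativeTo;
 /** Set if mandatory. */
 bool fMandatory;
@@ -107,5 +101,4 @@
 static unsigned countCertsFound(bool const *pafFoundCerts);
 static bool areAllCertsFound(bool const *pafFoundCerts, bool fOnlyMandatory);
-static int adjustCertsFound(int rc, bool *pafFoundCerts);
 static void refreshCertificates(RTHTTP hHttp, RTCRSTORE hOldStore, bool *pafFoundCerts, const char *pszCaCertFile);
 static void downloadMissingCertificates(RTCRSTORE hNewStore, bool *pafNewFoundCerts, RTHTTP hHttp,
@@ -127,35 +120,9 @@
 static const QString s_strCertificateFileName;
 static const RTCRCERTWANTED s_aCerts[3];
-static const CERTINFO s_CertInfoPcaCls3Gen1Md2;
-static const CERTINFO s_CertInfoPcaCls3Gen1Sha1;
 static const CERTINFO s_CertInfoPcaCls3Gen5;
 };
 
-/*static*/ const UINetworkReplyPrivateThread::CERTINFO UINetworkReplyPrivateThread::s_CertInfoPcaCls3Gen1Sha1 =
-{
-/*.iAlternativeTo =*/ 1,
-/*.fMandatory =*/ false,
-/*.pszZipFile =*/
-"VeriSign Root Certificates/Generation 1 (G1) PCAs/Class 3 Public Primary Certification Authority.pem",
-/*.apszUrls[3] =*/
-{
-"http://www.symantec.com/content/en/us/enterprise/verisign/roots/Class-3-Public-Primary-Certification-Authority.pem",
-"http://www.verisign.com/repository/roots/root-certificates/PCA-3.pem", /* dead */
-NULL,
-"http://update.virtualbox.org/cacerts-symantec-PCA-3-pem-has-gone-missing-again" /* attention getter */
-}
-};
-
-/*static*/ const UINetworkReplyPrivateThread::CERTINFO UINetworkReplyPrivateThread::s_CertInfoPcaCls3Gen1Md2 =
-{
-/*.iAlternativeTo =*/ 0,
-/*.fMandatory =*/ false,
-/*.pszZipFile =*/ NULL,
-/*.apszUrls[3] =*/ { NULL, NULL, NULL },
-};
-
 /*static*/ const UINetworkReplyPrivateThread::CERTINFO UINetworkReplyPrivateThread::s_CertInfoPcaCls3Gen5 =
 {
-/*.iAlternativeTo =*/ UINT8_MAX,
 /*.fMandatory =*/ true,
 /*.pszZipFile =*/
@@ -177,54 +144,5 @@
 /* static */ const RTCRCERTWANTED UINetworkReplyPrivateThread::s_aCerts[3] =
 {
-/*[0] =*/ /* The reissued version with the SHA-1 signature. */
-/** @todo r=bird: Why do we need this certificate? Neither update.virtualbox.org nor www.virtualbox.org uses it... ElCapitan doesn't ship this. */
-{
-/*.pszSubject =*/ "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
-/*.cbEncoded =*/ 0x240,
-/*.Sha1Fingerprint =*/ true,
-/*.Sha512Fingerprint =*/ true,
-/*.abSha1 =*/
-{
-0xa1, 0xdb, 0x63, 0x93, 0x91, 0x6f, 0x17, 0xe4, 0x18, 0x55,
-0x09, 0x40, 0x04, 0x15, 0xc7, 0x02, 0x40, 0xb0, 0xae, 0x6b
-},
-/*.abSha512 =*/
-{
-0xbb, 0xf7, 0x8a, 0x19, 0x9f, 0x37, 0xee, 0xa2,
-0xce, 0xc8, 0xaf, 0xe3, 0xd6, 0x22, 0x54, 0x20,
-0x74, 0x67, 0x6e, 0xa5, 0x19, 0xb7, 0x62, 0x1e,
-0xc1, 0x2f, 0xd5, 0x08, 0xf4, 0x64, 0xc4, 0xc6,
-0xbb, 0xc2, 0xf2, 0x35, 0xe7, 0xbe, 0x32, 0x0b,
-0xde, 0xb2, 0xfc, 0x44, 0x92, 0x5b, 0x8b, 0x9b,
-0x77, 0xa5, 0x40, 0x22, 0x18, 0x12, 0xcb, 0x3d,
-0x0a, 0x67, 0x83, 0x87, 0xc5, 0x45, 0xc4, 0x99
-},
-/*.pvUser */ &UINetworkReplyPrivateThread::s_CertInfoPcaCls3Gen1Sha1
-},
-/*[1] =*/ /* The original version with the MD2 signature. */
-{
-/*.pszSubject =*/ "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority",
-/*.cbEncoded =*/ 0x240,
-/*.Sha1Fingerprint =*/ true,
-/*.Sha512Fingerprint =*/ true,
-/*.abSha1 =*/
-{
-0x74, 0x2c, 0x31, 0x92, 0xe6, 0x07, 0xe4, 0x24, 0xeb, 0x45,
-0x49, 0x54, 0x2b, 0xe1, 0xbb, 0xc5, 0x3e, 0x61, 0x74, 0xe2
-},
-/*.abSha512 =*/
-{
-0x7c, 0x2f, 0x94, 0x22, 0x5f, 0x67, 0x98, 0x89,
-0xb9, 0xde, 0xd7, 0x41, 0xa0, 0x0d, 0xb1, 0x5c,
-0xc6, 0xca, 0x28, 0x12, 0xbf, 0xbc, 0xa8, 0x2b,
-0x22, 0x53, 0x7a, 0xf8, 0x32, 0x41, 0x2a, 0xbb,
-0xc1, 0x05, 0xe0, 0x0c, 0xd0, 0xa3, 0x97, 0x9d,
-0x5f, 0xcd, 0xe9, 0x9b, 0x68, 0x06, 0xe8, 0xe6,
-0xce, 0xef, 0xb2, 0x71, 0x8e, 0x91, 0x60, 0xa2,
-0xc8, 0x0c, 0x5a, 0xe7, 0x8b, 0x33, 0xf2, 0xaa
-},
-/*.pvUser */ &UINetworkReplyPrivateThread::s_CertInfoPcaCls3Gen1Md2
-},
-/*[2] =*/
+/*[0] =*/
 {
 /*.pszSubject =*/
@@ -358,5 +276,4 @@
 */
 rc = RTCrStoreCertCheckWanted(hCurStore, s_aCerts, RT_ELEMENTS(s_aCerts), afCertsFound);
-rc = adjustCertsFound(rc, afCertsFound);
 AssertRC(rc);
 RTTIMESPEC RefreshAge;
@@ -488,39 +405,4 @@
 /* Apply HTTP headers: */
 return RTHttpSetHeaders(hHttp, formattedHeaderPointers.size(), ppFormattedHeaders);
-}
-
-/**
-* Adjusts the set of found certificates by marking all alternatives found if
-* one is.
-*
-* @returns Adjusted rc (VINF_SUCCESS instead of VWRN_NOT_FOUND if all found).
-* @param rc The status code.
-* @param pafFoundCerts Array parallel to s_aCerts with the status of
-* each wanted certificate.
-*/
-/*static*/ int
-UINetworkReplyPrivateThread::adjustCertsFound(int rc, bool *pafFoundCerts)
-{
-for (uint32_t i = 0; i < RT_ELEMENTS(s_aCerts); i++)
-if (pafFoundCerts[i])
-{
-uint8_t iAlt = i;
-for (;;)
-{
-const CERTINFO *pCertInfo = (const CERTINFO *)s_aCerts[iAlt].pvUser;
-iAlt = pCertInfo->iAlternativeTo;
-if (iAlt >= RT_ELEMENTS(s_aCerts) || iAlt == i)
-{
-Assert(iAlt == UINT8_MAX || iAlt < RT_ELEMENTS(s_aCerts));
-break;
-}
-if (!pafFoundCerts[iAlt])
-pafFoundCerts[iAlt] = true;
-}
-}
-
-if (rc == VINF_SUCCESS || rc == VWRN_NOT_FOUND)
-rc = countCertsFound(pafFoundCerts) == RT_ELEMENTS(s_aCerts) ? VINF_SUCCESS : VWRN_NOT_FOUND;
-return rc;
 }
 
@@ -598,5 +480,4 @@
 
 rc = RTCrStoreCertCheckWanted(hNewStore, s_aCerts, RT_ELEMENTS(s_aCerts), afNewFoundCerts);
-rc = adjustCertsFound(rc, afNewFoundCerts);
 AssertLogRelRC(rc);
 Assert(rc != VINF_SUCCESS || areAllCertsFound(afNewFoundCerts, false /*fOnlyMandatory*/));
@@ -606,5 +487,4 @@
 RTCRCERTCTX_F_ADD_IF_NOT_FOUND | RTCRCERTCTX_F_ADD_CONTINUE_ON_ERROR,
 hOldStore, s_aCerts, RT_ELEMENTS(s_aCerts), afNewFoundCerts);
-rc = adjustCertsFound(rc, afNewFoundCerts);
 AssertLogRelRC(rc);
 Assert(rc != VINF_SUCCESS || areAllCertsFound(afNewFoundCerts, false /*fOnlyMandatory*/));
@@ -622,5 +502,4 @@
 s_aCerts, RT_ELEMENTS(s_aCerts), afNewFoundCerts,
 RTErrInfoInitStatic(&StaticErrInfo));
-rc = adjustCertsFound(rc, afNewFoundCerts);
 if (RTErrInfoIsSet(&StaticErrInfo.Core))
 LogRel(("refreshCertificates/#2: %s\n", StaticErrInfo.Core.pszMsg));
@@ -704,5 +583,5 @@
 */
 pafNewFoundCerts[i] = true;
-if (a djustCertsFound(VWRN_NOT_FOUND, pafNewFoundCerts) == VINF_SUCCESS)
+if (areAllCertsFound(pafNewFoundCerts, false /*fOnlyMandator*/) == VINF_SUCCESS)
 {
 RTHttpFreeResponse(pvRootsZip);
@@ -737,5 +616,4 @@
 {
 pafNewFoundCerts[i] = true;
-adjustCertsFound(VWRN_NOT_FOUND, pafNewFoundCerts);
 break;
 }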
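Review bot: At new line 585 the replacement condition `areAllCertsFound(pafNewFoundCerts, false /*fOnlyMandator*/) == VINF_SUCCESS` compares a `bool` (per the declaration kept at new line 102) with an IPRT status code; VINF_SUCCESS is 0, so the branch is taken while certificates are still missing and skipped once all are found, the opposite of the removed `adjustCertsFound(...) == VINF_SUCCESS` test. I would write `if (areAllCertsFound(pafNewFoundCerts, false /*fOnlyMandatory*/))`, which also repairs the truncated parameter-name comment. Because this branch frees the downloaded roots archive (`RTHttpFreeResponse(pvRootsZip)`), the inverted test likely ends the CA-certificate refresh early and leaves the trust store incomplete. Separately, `s_aCerts` is still declared and defined with `[3]` in the context lines although two initializers are removed; if no further entries follow outside the hunk, `RT_ELEMENTS(s_aCerts)` still counts zero-initialised slots with a NULL `pvUser`, so the array size should be confirmed. The enclosing function of the line-585 change starts and ends outside the hunk.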